Security News

Apple in early 2021 quietly patched an iOS vulnerability that could lead to remote code execution when connecting to a Wi-Fi access point that had a specially crafted SSID. The issue was initially brought to light last month, when reverse engineer Carl Schou discovered that the Wi-Fi functionality on his iPhone would completely crash when connecting to a hotspot that had the SSID "%p%s%s%s%s%n. The issue, which impacts all iOS devices running iOS 14.0 to 14.6, was deemed to be a format string bug, where iOS is considering the characters that follow "%" as string-format specifiers, meaning that they are processed as commands, rather than text.

Cloudflare has fixed a critical vulnerability in its free and open-source CDNJS potentially impacting 12.7% of all websites on the internet. CDNJS serves millions of websites with over 4,000 JavaScript and CSS libraries stored publicly on GitHub, making it the second-largest JavaScript CDN. The vulnerability exploits comprised publishing packages to Cloudflare's CDNJS using GitHub and npm, to trigger a Path Traversal vulnerability, and eventually remote code execution.

Armis security researchers have warned of severe and unpatched remote code execution vulnerabilities in Schneider Electric's programmable logic controllers, allowing attackers to take control of a variety of industrial systems. The vulnerability itself, dubbed "ModiPwn," chains on two previously disclosed issues, discovered by security firm Talos in 2018 and 2019 respectively, which Schneider Electric claimed to have patched.

NET Core remote code execution vulnerability in PowerShell 7 caused by how text encoding is performed in. PowerShell provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets.

The Zephyr real-time operating system for embedded devices received an update earlier this month that fixes multiple vulnerabilities that can cause a denial-of-service condition and potentially lead to remote code execution. Matias Karhumaa, a senior software engineer at Synopsys, an American electronic design automation company, found eight vulnerabilities in Zephyr after testing the lowest layers of the operating system's Bluetooth LE stack.

Lexmark printers - those ubiquitous, inky office workhorses that fill homes and offices, and are found all the way on up to the federal government - have an unpatched vulnerability that could lead to serious, easy-to-execute attacks that require neither privileges nor user interaction and which can lead to arbitrary code execution. Beyond known security vulnerabilities, Lexmark printers have in the past been prone to a trivial hack thanks to what researchers have called "Gross negligence" on the part of users.

Researchers from three universities in Germany have identified a new TLS attack method that can allow a man-in-the-middle attacker to extract user data or execute arbitrary code. The new attack, dubbed ALPACA, has been described as an "Application layer protocol content confusion attack."

Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine. According to the researchers, the issue is in a MSGraph file parsing function, which "Is commonly used across multiple different Microsoft Office products, such as Excel, Office Online Server and Excel for OSX.".

Siemens on Tuesday released an advisory to inform customers about several high-severity vulnerabilities affecting its Solid Edge product. The vulnerabilities were discovered in Siemens Solid Edge last year by security researcher Andrea Micalizzi, who has identified many vulnerabilities in industrial systems over the past years.

A Checkbox Survey vulnerability that could allow a remote attacker to execute arbitrary code without authentication is being exploited in the wild, the CERT Coordination Center at Carnegie Mellon University warns. A flexible online survey tool written in ASP.NET, Checkbox Survey helps organizations create professional surveys that can be easily accessed from either desktop computers or mobile devices.