Security News

Microsoft Patches Code Execution, Privilege Escalation Flaws in Azure Sphere
2020-08-25 14:27

Recently addressed Microsoft Azure Sphere vulnerabilities could lead to the execution of arbitrary code or to elevation of privileges, Cisco Talos researchers warn. The cloud-based system-on-a-chip platform was designed for Internet of Things security and comprises a hardware platform, Azure Sphere OS, and the Azure Sphere Security Service.

Google Fixes High-Severity Chrome Browser Code Execution Bug
2020-08-24 21:31

The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, researchers say. The flaw has been fixed in the Chrome 85 stable channel, set to be rolled out to users this week.

Google Awards $10,000 for Remote Code Execution Vulnerability in Chrome
2020-08-12 13:02

Google this week announced that an update for Chrome 84 includes 15 security patches, one of them for a serious vulnerability for which the tech giant awarded a $10,000 bug bounty. This vulnerability is CVE-2020-6542, a high-severity use-after-free bug in ANGLE, the Chrome component responsible for translating OpenGL ES API calls to hardware-supported APIs available for the operating system.

Critical Magento Flaws Allow Code Execution
2020-07-29 21:22

Critical flaws in Adobe's Magento e-commerce platform - which is commonly targeted by attackers like the Magecart cybergang - could enable arbitrary code execution on affected systems. Adobe on Tuesday released security updates for flaws affecting Magento Commerce 2 and Magento Open Source 2, versions 2.3.5-p1 and earlier.

Adobe Patches Critical Code Execution Flaws in Bridge, Photoshop, Prelude
2020-07-21 15:24

Adobe informed customers on Tuesday that it has patched several critical code execution vulnerabilities in its Bridge, Photoshop and Prelude products. In the Windows and macOS versions of Bridge, Adobe fixed three critical out-of-bounds read and out-of-bounds write vulnerabilities that can be exploited by an attacker to execute arbitrary code in the context of the targeted user.

Apple Patches Multiple Code Execution Flaws in Audio Components
2020-07-17 14:02

Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems. The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS. The first two of the flaws are CVE-2020-9884 and CVE-2020-9889, two out-of-bounds write issues, while the remaining three, namely CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.

Adobe Discloses Critical Code-Execution Bugs in July Update
2020-07-14 17:02

Adobe has released its scheduled July 2020 security updates, covering flaws in five different product areas: Creative Cloud Desktop; Media Encoder; Download Manager; Genuine Service; and ColdFusion. "Updates to both Adobe Download Manager and Media Encoder address critical vulnerabilities that could lead to arbitrary code execution," Justin Knapp, product marketing manager at Automox, told Threatpost.

Better get Grandpa off Windows 7 because zero-day bug in Zoom allows remote code execution on vintage OS
2020-07-13 11:50

With world+dog on Zoom these days, news of a zero-day attack against the videoconferencing app would cause a stir, but relax - it's only if you're on Windows 7 or older. An independent researcher told ACROS Security about the flaw that would allow for remote code execution on any Zoom Client for Windows used by Windows 7, even with extended support after the OS was shuttered in January.

Zoom Working on Patch for Code Execution Vulnerability in Windows Client
2020-07-10 15:18

Zoom is working on resolving a remote code execution vulnerability affecting the Windows client, but a third-party fix has been made available for users who don't want to wait for the official patch. On Thursday, ACROS Security announced the availability of a micro-patch for a remote code execution vulnerability in Zoom Client for Windows.