Security News
Apple this week released patches to address numerous vulnerabilities across its products, including five arbitrary code execution issues affecting the audio components used by its operating systems. The five bugs were found to affect macOS Catalina, with four of them also impacting iOS and iPadOS, tvOS, and watchOS. The first two of the flaws are CVE-2020-9884 and CVE-2020-9889, two out-of-bounds write issues, while the remaining three, namely CVE-2020-9888, CVE-2020-9890 and CVE-2020-9891, are out-of-bounds read flaws.
Adobe has released its scheduled July 2020 security updates, covering flaws in five different product areas: Creative Cloud Desktop; Media Encoder; Download Manager; Genuine Service; and ColdFusion. "Updates to both Adobe Download Manager and Media Encoder address critical vulnerabilities that could lead to arbitrary code execution," Justin Knapp, product marketing manager at Automox, told Threatpost.
With world+dog on Zoom these days, news of a zero-day attack against the videoconferencing app would cause a stir, but relax - it's only if you're on Windows 7 or older. An independent researcher told ACROS Security about the flaw that would allow for remote code execution on any Zoom Client for Windows used by Windows 7, even with extended support after the OS was shuttered in January.
With world+dog on Zoom these days, news of a zero-day attack against the videoconferencing app would cause a stir, but relax - it's only if you're on Windows 7 or older. An independent researcher told ACROS Security about the flaw that would allow for remote code execution on any Zoom Client for Windows used by Windows 7, even with extended support after the OS was shuttered in January.
Zoom is working on resolving a remote code execution vulnerability affecting the Windows client, but a third-party fix has been made available for users who don't want to wait for the official patch. On Thursday, ACROS Security announced the availability of a micro-patch for a remote code execution vulnerability in Zoom Client for Windows.
Microsoft on Tuesday published advisories to provide details on two remote code execution vulnerabilities addressed in the Windows Codecs Library. Both of these vulnerabilities are related to the manner in which the affected Windows component handles objects in memory and both feature a CVSS score of 7.3.
NVIDIA this week released patches for a dozen vulnerabilities in GPU display drivers and vGPU software, including multiple issues that could lead to code execution. The most severe of the bugs affecting the GPU drivers include CVE‑2020‑5962, which was found in the NVIDIA GPU display driver, and CVE‑2020‑5963, which resides in the CUDA driver.
VMware informed customers on Tuesday that it addressed a total of 10 vulnerabilities affecting its ESXi, Workstation and Fusion products, including critical and high-severity flaws that can be exploited for code execution on the hypervisor. An attacker who has local access to a virtual machine with 3D graphics enabled can exploit the weakness for arbitrary code execution on the hypervisor from the VM. VMware has pointed out that 3D graphics are enabled by default on Workstation and Fusion, but not on ESXi.
Cisco is warning of three high-severity flaws in its popular Webex web conferencing app, including one that could allow an unauthenticated attacker to remotely execute code on impacted systems. "An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site," according to Cisco's security update.
Updates released this week by Drupal patch several vulnerabilities, including a flaw that could allow an attacker to execute arbitrary PHP code. The code execution vulnerability, tracked as CVE-2020-13664, can be exploited against Drupal 8 and 9 installations, but only in certain circumstances.