Security News

Adobe on Tuesday announced the release of security updates for its Flash Player, Framemaker and Experience Manager products. In Flash Player, for which Adobe plans on providing security updates only until the end of the year, the company patched a critical use-after-free bug that can allow an attacker to execute arbitrary code in the context of the current user.

Two critical vulnerabilities patched recently by IBM in its WebSphere Application Server product can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. Two of the flaws have been rated critical and they can be exploited for remote code execution, while the third has been classified as high severity and it can lead to information disclosure.

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency has warned Windows users that a recently released proof-of-concept exploit for the vulnerability tracked as SMBGhost has been abused to launch attacks. The flaw affects Windows 10 and Windows Server and it can be exploited for denial-of-service attacks, local privilege escalation, and arbitrary code execution.

Cisco has hurried out a fix out for a critical remote code-execution flaw in its customer interaction management solution, Cisco Unified Contact Center Express. Cisco's Unified CCX software is touted as a "Contact center in a box" that allows companies to deploy customer-care applications.

VMware informed customers on Tuesday that it has patched a high-severity remote code execution vulnerability in its Cloud Director product. The vulnerability, tracked as CVE-2020-3956, has been described as a code injection issue that allows an authenticated attacker to send malicious traffic to Cloud Director, which could result in arbitrary code execution.

Cisco's Talos threat intelligence and research group revealed on Wednesday that one of its researchers discovered a critical remote code execution vulnerability in the CODESYS Control SoftPLC industrial controller software. CODESYS Control SoftPLC is a runtime system that converts any PC or embedded device into an IEC 61131-3-compliant industrial controller.

Foxit Software has released patches for dozens of high-severity flaws impacting its PDF reader and editor platforms. Overall, Foxit Software patched flaws tied to 20 CVEs in Foxit Reader and Foxit PhantomPDF for Windows.

Microsoft's Update Tuesday patches for April 2020 address 113 vulnerabilities, including three Windows flaws that have been exploited in attacks for arbitrary code execution and privilege escalation. Microsoft has patched two actively exploited remote code execution vulnerabilities related to the Adobe Type Manager Library.

A critical flaw in a web server for the CODESYS automation software for engineering control systems could allow a remote, unauthenticated attacker to crash a server or execute code. In this case, the bug exists in the CODESYS web server, which is used to display CODESYS system visualization screens in a web browser.

A vulnerability that OpenWrt addressed in its opkg fork could have been exploited for the remote execution of arbitrary code. "Due to the fact that opkg on OpenWrt runs as root and has write access to the entire filesystem, arbitrary code could be injected by the means of forged.ipk packages with malicious payload," OpenWrt notes in an advisory.