Security News

Security patches released this week by Apple for many of its products address a variety of vulnerabilities, including multiple issues that could lead to arbitrary code execution on the affected devices. The patched flaws could result in the execution of arbitrary code with system or kernel privileges, leak of kernel memory, privilege escalation, leak of sensitive information, disclosure of restricted memory, or code signing bypass.

Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service and arbitrary code execution, Cisco Talos' security researchers warn. The libmicrodns mDNS resolver cross-platform library is used in the VLC media player for mDNS service discovery.

VMware has patched three serious vulnerabilities in its products, including a critical flaw in Workstation and Fusion that can be exploited to execute arbitrary code on the host from the guest operating system. "Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine," VMware said in an advisory.

Cisco has released patches to address more than a dozen vulnerabilities across various products, including two code execution bugs in Webex Player that could be exploited remotely. Tracked as CVE-2020-3127 and CVE-2020-3128 and rated high severity, the issues reside in the insufficient validation of elements within a Webex recording stored as ARF or WRF. To exploit the bugs, an attacker needs to send a malicious ARF or WRF file and trick the victim into opening the file the local system, which could result in arbitrary code being executed with the privileges of the targeted user.

A researcher has discovered another DLL hijacking vulnerability in Dell SupportAssist that can be used to execute code with elevated privileges, and exploitation only requires low permissions. In an advisory published last week, Dell revealed that Dell SupportAssist for both business and home PCs is affected by an uncontrolled search path vulnerability that allows a local user with low privileges to execute arbitrary code with elevated permissions by getting the SupportAssist binaries to load arbitrary DLLs. The flaw, tracked as CVE-2020-5316 and classified as high severity, has been patched by Dell with the release of SupportAssist for business PCs version 2.1.4 and SupportAssist for home PCs version 3.4.1.

Dell has patched a high-severity flaw in its SupportAssist software that could allow an attacker to execute arbitrary code with administrator privileges on affected computers. The flaw, an uncontrolled search path vulnerability that is being tracked as CVE-2020-5316, could allow a locally authenticated user with low privileges to "Cause the loading of arbitrary DLLs by the SupportAssist binaries, resulting in the privileged execution of arbitrary code," Dell wrote in its explanation of the bug.

Adobe-owned Magento has plugged multiple critical vulnerabilities in its eponymous content management system, the most severe of which could be exploited by attackers to achieve arbitrary code execution. According to the newest Magento-themed security bulletin, three of the six fixed flaws are critical and three are important.

Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical. Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.

Critical vulnerabilities in Adobe's Magento e-commerce platform - a favorite target of the Magecart cybergang - could lead to arbitrary code execution. Out of the flaws, Adobe has fixed three that it rates as critical in severity, meaning that successful exploits could "Allow malicious native code to execute, potentially without a user being aware."

Cisco Systems has fixed two high-severity vulnerabilities in its products, including one in its popular Webex video conferencing platform that could enable a remote attacker to execute commands. The high-severity Webex flaw exists in the web-based management interface of Cisco Webex Video Mesh, a feature that enables on-premises infrastructure for video conferencing, to enhance audio, video and content.