Security News

Microsoft has addressed a vulnerability in the Azure Automation service that could have allowed attackers to take complete control over other Azure customers' data.Microsoft Azure Automation Service provides process automation, configuration management, and update management features, with each scheduled job running inside isolated sandboxes for each Azure customer.

Cisco this week shipped patches to address a new round of critical security vulnerabilities affecting Expressway Series and Cisco TelePresence Video Communication Server that could be exploited by an attacker to gain elevated privileges and execute arbitrary code. "These vulnerabilities were found during internal security testing by Jason Crowder of the Cisco Advanced Security Initiatives Group," the company noted in its advisory published Wednesday.

The U.S. Senate unanimously passed the "Strengthening American Cybersecurity Act" on Tuesday in an attempt to bolster the cybersecurity of critical infrastructure owners in the country. The new bipartisan legislation, among other things, stipulates entities that experience a cyber incident to report the attacks within 72 hours to the U.S. Cybersecurity and Infrastructure Security Agency, in addition to alerting the agency about ransomware payments within 24 hours.

Data collected from more than 200,000 network-connected medical infusion pumps used to deliver medication and fluids to patients shows that 75% of them are running with known security issues that attackers could exploit. Using data collected from customers, researchers at Palo Alto Networks analyzed the security state of over 200,000 infusion pumps and found that between 30,000 and at least 100,000 of them are vulnerable to critical security issues.

Critical security vulnerabilities have been uncovered in VoIPmonitor software that, if successfully exploited, could allow unauthenticated attackers to escalate privileges to the administrator level and execute arbitrary commands. "[F]ix critical vulnerabilities - new SQL injects for unauthenticated users allowing gaining admin privileges," the maintainers of VoIPmonitor noted in the change log.

"Buffers used in PJSIP typically have limited sizes, especially the ones allocated in the stack or supplied by the application, however in several places, we do not check if our usage can exceed the sizes," PJSIP's developer Sauw Ming noted in an advisory posted on GitHub last month, a scenario that could result in buffer overflows. CVE-2021-43299 - Stack overflow in PJSUA API when calling pjsua player create().

The Russian government on Thursday warned of cyber attacks aimed at domestic critical infrastructure operators, as the country's full-blown invasion of Ukraine enters the second day. The agency didn't share more specifics on the nature of the attacks or their provenance.

CISA urged leaders of U.S. critical infrastructure organizations on Friday to increase their orgs' resilience against a growing risk of being targeted by foreign influence operations using misinformation, disinformation, and malformation tactics. "Multiple influence operations coordinated by foreign actors had an impact on US critical services and functions across critical sectors," according to the cybersecurity agency.

Patches have been issued to contain a "Severe" security vulnerability in UpdraftPlus, a WordPress plugin with over three million installations, that can be weaponized to download the site's private data using an account on the vulnerable sites. "All versions of UpdraftPlus from March 2019 onwards have contained a vulnerability caused by a missing permissions-level check, allowing untrusted users access to backups," the maintainers of the plugin said in an advisory published this week.

Adobe on Thursday updated its advisory for an actively exploited zero-day affecting Adobe Commerce and Magento Open Source to patch a newly discovered flaw that could be weaponized to achieve arbitrary code execution. "We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them," the company said in a revised bulletin.