Security News

NIST logged more than 18,000 vulnerabilities in 2020, over 10,000 of which were critical or high severity - an all-time high. CVEs in 2020 More security vulnerabilities were disclosed in 2020 than in any other year to date - at an average rate of 50 CVEs per day.

Cybersecurity spending in critical infrastructure has been little impacted by the COVID-19 pandemic, save for some reshuffling on where that spend is most needed. Most of the cybersecurity spending announced by governments has not changed significantly however, with most maintaining similar funding planned in previous years, with an average Year-on-Year growth rate between 5% and 10%. According to a report by ABI Research, cybersecurity spending for critical infrastructure will increase by $9 billion over the next year to reach $105.99 billion in 2021.

SAP is warning of a critical vulnerability in its SAP Commerce platform for e-commerce businesses. Drools is an engine that makes up the rules engine for SAP Commerce.

SAP has released seven new security notes on February 2021 Security Patch Day, including a Hot News note that addresses a critical flaw in SAP Commerce. Tracked as CVE-2021-21477 and featuring a CVSS score of 9.9, the critical issue could be abused for remote code execution, SAP explains in its advisory.

Adobe is warning of a critical vulnerability that has been exploited in the wild to target Adobe Reader users on Windows. "Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS," said Adobe on Tuesday.

Microsoft has urged customers today to install security updates for three Windows TCP/IP vulnerabilities rated as critical and high severity as soon as possible. The three TCP/IP security vulnerabilities impact computers running Windows client and server versions starting with Windows 7 and higher.

Adobe has released security updates that address an actively exploited vulnerability in Adobe Reader and other critical bugs in Adobe Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver. In total, the company addressed fifty security vulnerabilities affecting seven products, with many of them rated as critical as they allow local arbitrary code execution.

An update released last week by Mozilla for Firefox 85 patches a critical information disclosure vulnerability that can be chained with other security flaws to achieve arbitrary code execution. In its advisory for the vulnerability - the bug currently does not have a CVE identifier - Mozilla described it as a "Buffer overflow in depth pitch calculations for compressed textures." The issue, reported by researchers Abraruddin Khan and Omair through Trend Micro's Zero Day Initiative, apparently only impacts Firefox running on Windows - other operating systems are not affected.

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws. Researchers discovered two cross-site request forgery flaws - one critical and one high-severity - in the plugin.

NextGen Gallery, a WordPress plugin used for creating image galleries, currently has over 800,000 active installs, making this security update a top priority for all site owners that have it installed. Both of them are Cross-Site Request Forgery bugs which, in the case of the critical vulnerability tracked as CVE-2020-35942, can lead to Reflected Cross-Site Scripting and remote code execution attacks via file upload or Local File Inclusion.