Security News

Microsoft's final batch of security patches for 2020 shipped today with fixes for at least 58 documented vulnerabilities affecting a wide range of OS and software products. The December security updates include fixes for code execution vulnerabilities in the company's flagship Windows operating system, serious problems in Microsoft SharePoint, Microsoft Exchange and Hyper-V, and a Kerberos security feature bypass.

More than 100 medical devices made by GE Healthcare are affected by a potentially serious vulnerability that could allow an attacker to access or modify protected health information, medical cybersecurity company CyberMDX reported on Tuesday. The vulnerability, which is tracked as CVE-2020-25179 with a critical severity rating, has been found to impact CT scan, molecular imaging, PET, X-Ray, ultrasound and mammography devices, as well as workstations and imaging devices used in surgery.

A pair of critical vulnerabilities has been discovered in dozens of GE Healthcare radiological devices popular in hospitals, which could allow an attacker to gain access to sensitive personal health information, alter data and even make the machine unavailable. GE has confirmed the vulnerability, which impacts the radiological devices as well as certain workstations and imaging devices used in surgery, according to the CyberMDX alert.

Adobe Systems has stomped out critical-severity flaws across its Adobe Prelude, Adobe Experience Manager and Adobe Lightroom applications. This month's Adobe patch roundup included a critical cross-site scripting vulnerability in Adobe Experience Manager, the company's content-management solution for building websites, mobile apps and forms.

Some widely sold D-Link VPN router models have been found vulnerable to three new high-risk security vulnerabilities, leaving millions of home and business networks open to cyberattacks, even if they are secured with a strong password. Discovered by researchers at Digital Defense, the three security shortcomings, which were responsibly disclosed to D-Link on August 11, could, if exploited, allow remote attackers to execute arbitrary commands on vulnerable networking devices via specially crafted requests and even launch denial-of-service attacks.

VMware has patched a zero-day bug that was disclosed in late November - an escalation-of-privileges flaw that impacts Workspace One and other platforms, for both Windows and Linux operating systems. VMware has also revised the CVSS severity rating for the bug to "Important," down from critical.

"Cloud-native is no longer just a bold new idea for most organizations, it's a reality. Enterprises have increasingly adopted cloud-native apps over the past couple years to achieve faster development cycles, greater scalability and less vendor lock-in. But their DevOps and NetOps teams are facing some serious security and networking hurdles they just didn't anticipate," said Mark Weiner, CMO, Volterra. While over half of organizations are using Kubernetes in some capacity, security and networking challenges are preventing them from using Kubernetes widely across business apps, with only 10% of organizations running half or more of their business apps on it.

PagerDuty is one of four Amazon DevOps Guru Launch Partners, further extending its longstanding relationship with AWS. Through this new integration, PagerDuty will automatically ingest observability data from Amazon DevOps Guru. PagerDuty consolidates these digital health signals and alerts, and uses AIOps to contextualize and filter out the noise so teams can remediate issues in real time, and customers can ensure critical business services get delivered.

Container security company Prevasio has analyzed 4 million public Docker container images hosted on Docker Hub and found that over half of them had critical vulnerabilities and thousands of images included malicious or potentially harmful elements. The cybersecurity firm used its Prevasio Analyzer service to analyze all the container images on Docker Hub, the largest library and community for container images.

Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems. The attacks are taking aim at a recently patched WebLogic Server vulnerability, the fix for which was released by Oracle as part of its October 2020 Critical Patch Update and subsequently again in November in the form of an out-of-band security patch.