Security News

Microsoft has urged customers today to install security updates for three Windows TCP/IP vulnerabilities rated as critical and high severity as soon as possible. The three TCP/IP security vulnerabilities impact computers running Windows client and server versions starting with Windows 7 and higher.

Adobe has released security updates that address an actively exploited vulnerability in Adobe Reader and other critical bugs in Adobe Acrobat, Magento, Photoshop, Animate, Illustrator, and Dreamweaver. In total, the company addressed fifty security vulnerabilities affecting seven products, with many of them rated as critical as they allow local arbitrary code execution.

An update released last week by Mozilla for Firefox 85 patches a critical information disclosure vulnerability that can be chained with other security flaws to achieve arbitrary code execution. In its advisory for the vulnerability - the bug currently does not have a CVE identifier - Mozilla described it as a "Buffer overflow in depth pitch calculations for compressed textures." The issue, reported by researchers Abraruddin Khan and Omair through Trend Micro's Zero Day Initiative, apparently only impacts Firefox running on Windows - other operating systems are not affected.

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws. Researchers discovered two cross-site request forgery flaws - one critical and one high-severity - in the plugin.

NextGen Gallery, a WordPress plugin used for creating image galleries, currently has over 800,000 active installs, making this security update a top priority for all site owners that have it installed. Both of them are Cross-Site Request Forgery bugs which, in the case of the critical vulnerability tracked as CVE-2020-35942, can lead to Reflected Cross-Site Scripting and remote code execution attacks via file upload or Local File Inclusion.

The vulnerabilities range from Remote Code Execution to SQL Injection, to Denial of Service and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall products. Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.

Cisco has addressed a clutch of critical vulnerabilities in its small business and VPN routers that can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. Some of the affected devices are also Wi-Fi routers, so could well be in everyday use.

Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. The flaws - tracked from CVE-2021-1289 through CVE-2021-1295 - impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02.

Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products. The company warned that the web-based management interface of small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by seven severe vulnerabilities that could be abused by unauthenticated, remote attackers to execute arbitrary code as root.

Cisco is rolling out fixes for critical holes in its lineup of small-business VPN routers. The flaws exist in the web-based management interface of Cisco's small-business lineup of VPN routers.