Security News

Adobe has released security updates to address critical vulnerabilities affecting ten of its Windows and macOS products that could allow attackers to execute arbitrary code on devices running vulnerable software versions. Adobe has released a security update for Adobe InDesign that fixes an Uncontrolled Search Path vulnerability in the Creative Cloud Desktop Application installer for Windows that could lead to arbitrary code execution.

Azure Defender for IoT - Microsoft's new security solution for discovering unmanaged IoT/OT assets and IoT/OT vulnerabilities - is now in public preview and can be put to the test free of charge. About Azure Defender for IoT. "As industrial and critical infrastructure organizations implement digital transformation, the number of networked IoT and Operational Technology devices has greatly proliferated. Many of these devices lack visibility by IT teams and are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks," Phil Neray, Director of Azure IoT Security Strategy at Microsoft, explained.

Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance. The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.

A critical stack-based Buffer Overflow vulnerability has been discovered in SonicWall VPNs. When exploited, it allows unauthenticated remote attackers to execute arbitrary code on the impacted devices. Tracked as CVE-2020-5135, the vulnerability impacts multiple versions of SonicOS ran by hundreds of thousands of active VPNs. Craig Young of Tripwire Vulnerability and Exposure Research Team and Nikita Abramov of Positive Technologies have been credited with discovering and reporting the vulnerability.

A significant number of SonicWall firewalls may be affected by a critical vulnerability that can be exploited for denial-of-service attacks and possibly arbitrary code execution. The vulnerability, identified as CVE-2020-5135, impacts various versions of SonicOS, the operating system powering SonicWall firewalls.

Microsoft on Tuesday issued fixes for 87 newly discovered security vulnerabilities as part of its October 2020 Patch Tuesday, including two critical remote code execution flaws in Windows TCP/IP stack and Microsoft Outlook. Another critical RCE vulnerability in Windows Hyper-V exists due to improper validation of input from an authenticated user on a guest operating system.

Two critical flaws in Magento - Adobe's e-commerce platform that is commonly targeted by attackers like the Magecart threat group - could enable arbitrary code execution on affected systems. Retail is set to boom in the coming months - between this week's Amazon Prime Day and November's Black Friday - which puts pressure on Adobe to rapidly patch up any holes in the popular Magento open-source platform, which powers many online shops.

The updates released by SAP for October 2020 include 15 Security Notes, including one that addresses a critical vulnerability. Featuring a CVSS score of 10, the critical flaw is an OS command injection vulnerability that affects CA Introscope Enterprise Manager version 10.7.0.304 or lower.

NET Core is crawling closer to its November launch with. NET Core, Microsoft is calling the upcoming release plain.

UPDATE. A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. "The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password," Young told Threatpost.