Security News

SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol
2020-06-09 20:44

Cybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "Wormable" bug, the flaw can be exploited to achieve remote code execution attacks. The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June.

Adobe Patches Critical Code Execution Flaws in Flash, Framemaker
2020-06-09 16:16

Adobe on Tuesday announced the release of security updates for its Flash Player, Framemaker and Experience Manager products. In Flash Player, for which Adobe plans on providing security updates only until the end of the year, the company patched a critical use-after-free bug that can allow an attacker to execute arbitrary code in the context of the current user.

Adobe Warns of Critical Flaws in Flash Player, Framemaker
2020-06-09 15:27

Adobe released patches for four critical flaws in Flash Player and in its Framemaker document processor as part of its regularly scheduled updates. In Tuesday's June Adobe security updates, critical flaws tied to three CVEs were patched in Adobe Framemaker, which is Adobe's application designed for writing and editing large or complex documents.

Critical Remote Code Execution Vulnerabilities Patched in IBM WebSphere
2020-06-09 12:15

Two critical vulnerabilities patched recently by IBM in its WebSphere Application Server product can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges. These two flaws have been rated critical and can be exploited for remote code execution, while a third has been classified as high severity and can lead to information disclosure.

Can Governments Defeat Nation-State Attacks on Critical Infrastructures?
2020-06-08 13:00

It turns out that industrial enterprises are much better positioned to defeat most nation-state attacks on power plants, pipelines, and other critical infrastructures than governments are. Government intrusion detection is a little better at detecting attacks than our own systems and presents serious risks to corporate confidentiality.

RiskIQ Raises $15 Million to Help Focus on Critical Industries
2020-06-05 13:55

San Francisco, CA-based attack surface management firm RiskIQ has raised $15 million in a Series D funding round led by National Grid Partners. RiskIQ monitors the attack surface from outside of the firewall, with services including vulnerability management, application security and penetration testing.

Critical Vulnerability Could Have Allowed Hackers to Disrupt Traffic Lights
2020-06-05 12:33

A critical vulnerability affecting traffic light controllers made by SWARCO could have been exploited by hackers to disrupt a city's traffic lights. Peter Fröhlich, managing director at ProtectEM, told SecurityWeek that the vulnerability was discovered during a security audit conducted for a city in Germany that hired his company to analyze networked traffic systems.

Critical SAP ASE Flaws Allow Complete Control of Databases
2020-06-03 16:51

SAP Adaptive Server Enterprise (ASE) is used by more than 30,000 organizations globally, including 90 percent of the top banks and security firms worldwide, according to SAP. Researchers disclosed six vulnerabilities that they discovered while conducting security tests on the latest version of the software, ASE 16. While SAP released patches for both ASE 15.7 and 16.0 in its May 2020 update, researchers disclosed technical details of the flaws on Wednesday, saying "There is no question" that the patches should be applied immediately if they haven't been already.

Defending critical national infrastructure... hmm. Does Zoom count as critical now?
2020-06-03 14:30

Does your IT security model take into account things like pacemakers? According to Dr Victoria Baines, speaking at Infosec Europe, "We also perhaps neglect the idea that critical infrastructure might be inside people" as well as merely carried in their pockets. Baines was speaking during a panel webinar about protecting critical national infrastructure.

Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat
2020-06-03 08:53

Cybersecurity researchers from Cisco Talos revealed today that they discovered two critical vulnerabilities in the Zoom software that could have allowed attackers to remotely compromise the systems of group chat participants or of an individual recipient. According to the researchers, successful exploitation of both flaws requires no or very little interaction from targeted chat participants and can be triggered just by sending specially crafted messages through the chat feature to an individual or a group.