Security News

Cybersecurity researchers from Cisco Talos unveiled today that it discovered two critical vulnerabilities in the Zoom software that could have allowed attackers to hack into the systems of group chat participants or an individual recipient remotely. According to the researchers, successful exploitation of both flaws requires no or very little interaction from targeted chat participants and can be executed just by sending specially crafted messages through the chat feature to an individual or a group.

Google has addressed two critical flaws in its latest monthly Android update that enable remote code execution on Android mobile devices. The critical bugs exist in the Android System area, and would allow a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process.

Google has started rolling out the June 2020 security patches for the Android operating system, which address a total of 43 vulnerabilities, including several rated critical. This is one of the two critical remote code execution issues patched in System, both affecting Android releases 8.0 through 10.

nCipher Security, an Entrust Datacard company, announces its support for new key import method for Azure Key Vault, allowing customers to generate and transfer encryption keys to Azure Key Vault using an on-premises or as a service nShield HSM, giving them complete control over both their keys and their data security. Azure Key Vault helps safeguard cryptographic keys and secrets that cloud applications and services use.

Security researcher Bhavuk Jain has landed a $100,000 payday after he reported a critical flaw in Apple's sign-in system that could be exploited to access countless accounts on sites from Dropbox and Spotify to Airbnb. The security hole affected all third-party apps that use the service - Apple's equivalent of the Facebook and Google sign-in services - and "Could have resulted in a full account takeover of user accounts on that third party application irrespective of a victim having a valid Apple ID or not."

Cybersecurity researchers today disclosed details for a new vulnerability in VMware's Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure. VMware Cloud Director is a popular deployment, automation, and management software that's used to operate and manage cloud resources, allowing businesses to data centers distributed across different geographical locations into virtual data centers.

Cybersecurity researchers today disclosed details for a new vulnerability in VMware's Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure. VMware Cloud Director is a popular deployment, automation, and management software that's used to operate and manage cloud resources, allowing businesses to data centers distributed across different geographical locations into virtual data centers.

The security researcher, Bhavuk Jain, reported the flaw to Apple via its bug bounty program, and was awarded $100,000 for the find. Threatpost has reached out to Apple for further comment.

In an interview with The Hacker News, Bhavuk Jain revealed that the vulnerability he discovered resided in the way Apple was validating a user on the client-side before initiating a request from Apple's authentication servers. Bhavuk found that though Apple asks users to log in to their Apple account before initiating the request, it was not validating if the same person is requesting JSON Web Token in the next step from its authentication server.

In an interview with The Hacker News, Bhavuk Jain revealed that the vulnerability he discovered resided in the way Apple was validating a user on the client-side before initiating a request from Apple's authentication servers. Bhavuk found that though Apple asks users to log in to their Apple account before initiating the request, it was not validating if the same person is requesting JSON Web Token in the next step from its authentication server.