Security News

Proof-of-concept exploit code has been published for critical flaws impacting the Cisco Data Center Network Manager tool for managing network platforms and switches. The three critical vulnerabilities in question impact DCNM, a platform for managing Cisco data centers that run Cisco's NX-OS - the network operating system used by Cisco's Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches.

Two WordPress plugins, InfiniteWP Client and WP Time Capsule, suffer from the same critical authorization bypass bug that allows adversaries to access a site's backend with no password. All an attacker needs is the admin username for the WordPress plugins and they are in, according to researchers from WebArx who created proof-of-concept attacks to exploit the vulnerability.

Q4: What role does a 'private key' play here anyway, if not that in Q3? Q5: If one doesn't simply learn the original private key off of knowing the public key, is one simply able to create a new digital certificate this way, as opposed to, having learned the private key of an existing digital certificate? Did I understand this more correctly now? Q6: Could the fake private key, simply be a number like 1, something that can be guessed by anyone? Or, equally bad, any other number, that you then can use to decipher data because someone would ofc know the private key?

The CryptoAPI cryptographic bug that Microsoft reported in its Patch Tuesday release yesterday was so big that it warranted its own story. Among the most serious bugs were remote code execution flaws affecting the Windows Remote Desktop Gateway, which is a Microsoft service that lets authorised remote users connect to resources on a network via the Remote Desktop Connection client.

In light of recent ransomware and other cyberattacks against vendors serving numerous healthcare organizations, it's critical to develop and deploy comprehensive vendor risk management programs, says John Farley managing director of the cyber practice at Arthur J. Gallagher & Co., a provider of cyber insurance and risk management consulting. "It's very common that it's the vendor that gets hacked, and therefore you're going down. You're not the direct target of the cyberattack; it's your vendor," Farley says in an interview with Information Security Media Group.

Google Project Zero security researchers have published technical details on an iMessage vulnerability addressed last year, which could be exploited remotely to achieve arbitrary code execution. Tracked as CVE-2019-8641, the vulnerability is considered Critical, featuring a CVSS score of 9.8, and was discovered by Google Project Zero security researchers Samuel Groß and Natalie Silvanovich.

Adobe has released patches for five critical vulnerabilities in Adobe Illustrator CC, its popular vector graphics editor tool, which if exploited could enable arbitrary code execution. Overall Adobe patched nine vulnerabilities as part of its regularly-scheduled updates on Tuesday, including five critical ones in Adobe Illustrator CC, and four "Important" and "Moderate" flaws in Adobe Experience Manager, its platform for integrated online marketing and web analytics.

What's so special about the latest Patch Tuesday is that one of the updates fixes a serious flaw in the core cryptographic component of widely used Windows 10, Server 2016 and 2019 editions that was discovered and reported to the company by the National Security Agency of the United States. What's more interesting is that this is the first security flaw in Windows OS that the NSA reported responsibly to Microsoft, unlike the Eternalblue SMB flaw that the agency kept secret for at least five years and then was leaked to the public by a mysterious group, which caused WannaCry menace in 2017.

Nearly a month has passed since Citrix released mitigation measures for CVE-2019-19781, a critical vulnerability affecting Citrix Application Delivery Controller and Citrix Gateway, which could lead to remote code execution. Citrix Gateway is a secure remote access network gateway solution that is offered as a cloud service or an on-premises solution.

Attention! Are you using Firefox as your web browsing software on your Windows, Linux, or Mac systems? If yes, you should immediately update your free and open-source Firefox web browser to the latest version available on Mozilla's website.