Security News

Chinese drone giant Da Jiang Innovations on Thursday responded to the disclosure of security issues discovered by researchers in one of its Android applications. DJI has always denied these accusations and it has pointed to analysis conducted by the U.S. Department of Homeland Security and Booz Allen Hamilton, which shows that there is no evidence the company's government and professional drones send user data to DJI, China or other third parties.

Cisco this week informed customers that it has patched a high-severity path traversal vulnerability in its firewalls that can be exploited remotely to obtain potentially sensitive files from the targeted system. Cisco has also highlighted that exploiting the vulnerability only allows the attacker to access files on the web services file system, not ASA or FTD system files or files on the underlying operating system.

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals. "Although the pandemic has already brought unprecedented changes to all walks of life, it is difficult to predict precisely how it will impact vulnerability disclosures this year," commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.

A pair of vulnerabilities in Oracle's iPlanet Web Server have been disclosed that can lead to sensitive data exposure and image injections onto web pages if exploited. The bugs are specifically found in the web administration console of iPlanet version 7, which has reached end-of-life and is no longer supported - hence no patches.

The Forum of Incident Response and Security Teams has released an updated set of coordination principles - Guidelines for Multi-Party Vulnerability Coordination and Disclosure version 1.1. Previous best practices, policy and process for vulnerability disclosure focused on bi-lateral coordination and did not adequately address the current complexities of multi-party vulnerability coordination.

Cometdocs has disputed the severity of the findings and has threatened legal action against reporters if they publish what the company considers to be inaccurate articles. "The Cometdocs applications are transferring files without using encryption, providing bad actors the opportunity to cache and retrieve the files. Moreover, a man-in-the-middle attacker could access the files while 'sniffing' traffic on the same Wi-Fi network as the user. Because the Cometdocs apps do not use encryption when transmitting and storing files on its servers, they are allowing private information to leak into the hands of third-parties monitoring the network," Wandera said.

As Head of Research at CyberMDX, Elad Luz gathers and analyzes information on a variety of connected healthcare devices in order to improve the techniques used to protect them and/or report about their security issues to vendors. Care critical devices that are directly connected to patients like infusion pumps, ventilation, anesthesia, patient monitoring and such obviously represent the most critical endpoints from a security perspective.

Vulnerabilities recently patched in Mini-SNMPD could be abused for denial-of-service attacks or to obtain sensitive information, Cisco Talos' security researchers report. It works on both x86 and ARM platforms running Ubuntu, Alpine Linux, and FreeBSD. Talos' researchers discovered a total of three vulnerabilities in Mini-SNMPD, including two out-of-bounds read bugs and one stack overflow.

Security teams gain snippets of insight from defensive failures through public breach disclosures or the investigative reporting that follows large-scale and brand-name hacks. Upon "Going dark" after a breach detection, the security products vendors used within the compromised environment are similarly shut out - at precisely the time they can potentially add the most value to both the victim and the wider defensive ecosystem.

Cisco this week informed customers that some of its Small Business Switches are affected by high-severity vulnerabilities that can be exploited to obtain sensitive device information and to launch denial-of-service attacks. The information disclosure vulnerability is caused by the lack of proper authentication controls and it can be exploited by sending specially crafted HTTP requests to the user interface of an affected switch.