Security News

Mozilla just pushed out an update for its Firefox browser to patch a security hole that was already being exploited in the wild. Given that the bug needed patching in both the latest and the ESR versions, we can assume either that the vulnerability has been in the Firefox codebase at least since version 68 first appeared, which was back in July 2019, or that it was introduced as a side effect of a security fix that came out after version 68.0 showed up.0, so the ESR is popular with IT departments who want to avoid frequent feature updates that might require changes in company workflow, but don't want to lag behind on security patches.

A patch has been released for a Linux kernel vulnerability that a researcher used at the recent Pwn2Own 2020 hacking competition to escalate privileges to root on Ubuntu Desktop. He leveraged an improper input validation bug in the Linux kernel to escalate privileges to root.

A researcher has stumbled on a big security flaw affecting OpenWrt, an open source operating system used by millions of home and small business routers and embedded devices. OpenWrt has become a popular Linux alternative to the stock software that vendors ship with home routers.

Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple's iOS mobile operating system that prevents VPN applications from encrypting all traffic. When a VPN is used, the device's operating system should close all existing internet connections and reestablish them through a VPN tunnel to protect the user's data and privacy.

VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. VMware told customers on March 17 that Fusion, Remote Console and Horizon Client for Mac are impacted by a high-severity privilege escalation vulnerability tracked as CVE-2020-3950.

Hackers are commandeering victims' Windows PCs by exploiting at least one remote-code-execution flaw in the Adobe Type Manager Library included with the Microsoft operating system. Redmond today warned of two flaws, not yet assigned CVE numbers, present in the font parser - and at least one has been exploited in a "Limited number of attacks" to hijack vulnerable computers.

The developers of the Drupal content management system announced on Wednesday that updates for versions 8.8.x and 8.7.x address a couple of vulnerabilities affecting the CKEditor library. Drupal uses CKEditor and it has decided to update it to version 4.14, which patches two cross-site scripting vulnerabilities affecting earlier versions of the library.

The patch released recently by VMware for a privilege escalation vulnerability affecting Fusion for Mac have been found to be incomplete. VMware informed customers on March 17 that Fusion, Remote Console and Horizon Client for Mac are affected by a high-severity privilege escalation vulnerability caused by the improper use of setuid binaries.

Adobe failed to release security updates on March 2020 Patch Tuesday, but has pushed them out this Tuesday, for Acrobat and Reader, Photoshop, ColdFusion, Experience Manager, Bridge, and Genuine Integrity Service. The heftiest updates are those for Photoshop and Acrobat and Reader for Windows and macOS. The Photoshop updates fix 16 vulnerabilities that could be exploited for arbitrary code execution in the context of the current user and 6 that could lead to disclosure of information.

Organizations have fallen behind with the patching of a Microsoft Exchange Server vulnerability addressed with Microsoft's February 2020 Patch Day updates and already targeted in attacks. The issue, which exists because keys created at installation are not unique, is tracked as CVE-2020-0688 and impacts Microsoft Exchange 2010, 2013, 2016, and 2019.