Security News

Patch now! Critical flaw found in OpenWrt router software
2020-03-31 14:18

A researcher has stumbled on a big security flaw affecting OpenWrt, an open source operating system used by millions of home and small business routers and embedded devices. OpenWrt has become a popular Linux alternative to the stock software that vendors ship with home routers.

No Patch for VPN Bypass Flaw Discovered in iOS
2020-03-26 19:55

Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple's iOS mobile operating system that prevents VPN applications from encrypting all traffic. When a VPN is used, the device's operating system should close all existing internet connections and reestablish them through a VPN tunnel to protect the user's data and privacy.

VMware Again Fails to Patch Privilege Escalation Vulnerability in Fusion
2020-03-24 19:57

VMware has released an update for the macOS version of Fusion to fix a privilege escalation vulnerability for which it initially released an incomplete patch. VMware told customers on March 17 that Fusion, Remote Console and Horizon Client for Mac are impacted by a high-severity privilege escalation vulnerability tracked as CVE-2020-3950.

It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either
2020-03-23 20:27

Hackers are commandeering victims' Windows PCs by exploiting at least one remote-code-execution flaw in the Adobe Type Manager Library included with the Microsoft operating system. Redmond today warned of two flaws, not yet assigned CVE numbers, present in the font parser - and at least one has been exploited in a "Limited number of attacks" to hijack vulnerable computers.

Drupal Updates CKEditor to Patch XSS Vulnerabilities
2020-03-19 19:21

The developers of the Drupal content management system announced on Wednesday that updates for versions 8.8.x and 8.7.x address a couple of vulnerabilities affecting the CKEditor library. Drupal uses CKEditor and it has decided to update it to version 4.14, which patches two cross-site scripting vulnerabilities affecting earlier versions of the library.

Patch for Recently Disclosed VMware Fusion Vulnerability Incomplete
2020-03-19 12:36

The patch released recently by VMware for a privilege escalation vulnerability affecting Fusion for Mac have been found to be incomplete. VMware informed customers on March 17 that Fusion, Remote Console and Horizon Client for Mac are affected by a high-severity privilege escalation vulnerability caused by the improper use of setuid binaries.

A week after Patch Tuesday, Adobe drops security fixes for six offerings
2020-03-18 14:21

Adobe failed to release security updates on March 2020 Patch Tuesday, but has pushed them out this Tuesday, for Acrobat and Reader, Photoshop, ColdFusion, Experience Manager, Bridge, and Genuine Integrity Service. The heftiest updates are those for Photoshop and Acrobat and Reader for Windows and macOS. The Photoshop updates fix 16 vulnerabilities that could be exploited for arbitrary code execution in the context of the current user and 6 that could lead to disclosure of information.

Organizations Slow to Patch Targeted Microsoft Exchange Vulnerability
2020-03-16 16:19

Organizations have fallen behind with the patching of a Microsoft Exchange Server vulnerability addressed with Microsoft's February 2020 Patch Day updates and already targeted in attacks. The issue, which exists because keys created at installation are not unique, is tracked as CVE-2020-0688 and impacts Microsoft Exchange 2010, 2013, 2016, and 2019.

Thought you were done after Tuesday's 115-fix day? Not yet: Microsoft emits SMBv3 worm-cure crisis patch
2020-03-12 19:49

Microsoft has released an out-of-band emergency patch for a wormable remote-code execution hole in SMBv3, the Windows network file system protocol. The SMB bug fix was a late addition to Microsoft's March edition of Patch Tuesday - after the security hole was accidentally disclosed by the Cisco Talos research team in a blog post recapping this month's updates: Cisco thought Microsoft had fixed the bug this week as part of March's Patch Tuesday, and alerted the world to the bug's presence to get people to install their updates.

Out-of-Band Windows Updates Patch Wormable SMB Vulnerability
2020-03-12 19:23

Microsoft has released out-of-band updates for Windows to patch a critical remote code execution vulnerability in Server Message Block 3.0 that has been described as "Wormable." The vulnerability, related to the way SMB 3.1.1 handles certain requests, can be exploited by an unauthenticated attacker to execute arbitrary code on SMB servers and clients.