Security News

March kept us all very busy with the ongoing out-of-band Microsoft updates for Exchange Server and the printing BSODs, which plagued us since last Patch Tuesday. The Forum of Incident Response and Security Teams is an international organization that provides best practices and assistance when dealing with a security incident.

Networking equipment major Cisco Systems has said it does not plan to fix a critical security vulnerability affecting some of its Small Business routers, instead urging users to replace the devices. The bug, tracked as CVE-2021-1459, is rated with a CVSS score of 9.8 out of 10, and affects RV110W VPN firewall and Small Business RV130, RV130W, and RV215W routers, allowing an unauthenticated, remote attacker to execute arbitrary code on an affected appliance.

The widely used npm library netmask has a networking vulnerability arising from how it parses IP addresses with a leading zero, leaving an estimated 278,000 projects at risk. Researchers Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler have disclosed a digital nasty, tracked as CVE-2021-28918, in the hugely widespread netmask npm package.

Apple has issued critical security patches for all supported phones, fondleslabs, and watches after being alerted to multiple possible intrusions by Google. According to Apple, the flaw allows for the creation of "Maliciously crafted web content," which "May lead to universal cross-site scripting." Apple has heard that the code snafu "May have been actively exploited."

Apple has just pushed out an emergency "One-bug" security update for its mobile devices, including iPhones, iPads and Apple Watches. Just like the last emergency Apple patch, this vulnerability affects WebKit, Apple's core web browser code.

Merely weeks after releasing out-of-band patches for iOS, iPadOS, macOS and watchOS, Apple has issued yet another security update for iPhone, iPad, and Apple Watch to fix a critical zero-day weakness that it says is being actively exploited in the wild. Apple has credited Clement Lecigne and Billy Leonard of Google's Threat Analysis Group for discovering and reporting the issue.

The Apache Software Foundation on Friday addressed a high severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning system. Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and employs an "Unsafe deserialization" as an attack vector to permit unauthorized remote attackers to execute arbitrary code on a server directly.

A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update on March 10 addressing the issues.

It's looking like the exploitation of critical Exchange flaws that Microsoft revealed at the start of the month could be much worse than folks first suspected. An analysis by Slovak security shop ESET claims that six advanced criminal hacking groups, thought to have some level of state sponsorship, used the zero days to attack government and industry sites before the flaws were patched.

Veracode announced the launch of the Veracode Hacker Games. The two-week collegiate competition will challenge computer science and cybersecurity student teams from eight leading universities across the U.S. and the U.K., including University of Virginia, Tufts and University of Warwick, to test their secure coding skills and give them the opportunity to win individual prizes, plus $15,000 in charitable donations for the top universities.