Security News

Adobe and Microsoft each issued a bevy of updates today to plug critical security holes in their software. Microsoft also is taking flak for changing its security advisories and limiting the amount of information disclosed about each bug.

Microsoft's November Patch Tuesday roundup of security fixes tackled an unusually large crop of remote code execution bugs. Twelve of Microsoft's 17 critical patches were tied to RCE bugs.

Microsoft has plugged 112 security holes, including an actively exploited one. The most information is available about CVE-2020-17087, a Windows Kernel privilege escalation vulnerability, because it's being actively exploited in the wild and because Google disclosed it on October 29, along with PoC exploit code.

Today is Microsoft's November 2020 Patch Tuesday, and Windows administrators worldwide will be running around putting out fires all day, so be nice to them. With the November 2020 Patch Tuesday security updates release, Microsoft has released fixes for 112 vulnerabilities in Microsoft products.

Git LFS vulnerability allows attackers to compromise targets' Windows systemsA critical vulnerability in Git Large File Storage, an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker's malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered. November 2020 Patch Tuesday forecast: Significant OS changes aheadNovember Patch Tuesday and the end-of-year holidays are rapidly approaching.

The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020. Yes, you read that correctly - not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!

Cisco informed customers on Wednesday that it's working on a patch for a code execution vulnerability affecting its AnyConnect product. According to the networking giant, the product is affected by a flaw, tracked as CVE-2020-3556, that can be exploited by a local, authenticated attacker to cause an AnyConnect user to execute a malicious script.

VMware on Wednesday informed customers that it has released new patches for ESXi after learning that a fix made available last month for a critical vulnerability was incomplete. VMware said the attacker needs to be on the management network and have access to port 427 on an ESXi machine in order to exploit the flaw.

Adobe on Tuesday published updated versions of its Acrobat and Reader software to fix fourteen flaws, four of which have been designated "Critical." These updates should be installed as soon as possible to close off their vulnerabilities. Adobe generally issues patches on "Patch Tuesday," a date observed by many tech companies that falls on the second Tuesday of every month.

SaltStack has officially revealed three bugs in its code - two of them seemingly critical - and told users: "We strongly recommend that you prioritize this update." But the biz appears to have known about the bugs for months and quietly patched them over the summer. SaltStack offers open-source, Python-based automation tools.