Security News
If you have CentOS servers in your data center, you'll want to make sure to patch them against BootHole. I ran two different updates on two different CentOS machines and neither updated the necessary packages.
Calling a patch for the flaw a "Fail" and "Inadequate in blocking exploitation," Austin-based security researcher Amir Etemadieh published details and examples of exploit code on three developer platforms (Bash, Python and Ruby) for the patch in a post published Sunday night. The key problem with the patch issued for the zero day is related to how the vBulletin template system is structured and how it uses PHP, he wrote in the post.
How can security leaders maximize security budgets during a time of budget cuts? While some security programs have become bloated, many don't necessarily deserve to be cut. Given the gravity of today's situation, it's time for security leaders to step in and do what they can to justify spending that bolsters their company's overall security posture.
The operational lifespan of an operating system version is shrinking, and the model has changed as Microsoft moved to the software-as-a-service model for Windows 10. Double check your applications to ensure compatibility as you make the operating system upgrades on these systems - you only have 2-3 months left!
Could organizations recoup their share of more than $1 billion per quarter by moving away from legacy solutions to cloud-native patch management and endpoint hardening? A new report from Sedulo Group says yes. The 2020 TCO Study of Microsoft WSUS & SCCM report shows organizations using Microsoft endpoint management for patching and hardening spend nearly 2x as much as organizations using SaaS-based patch management platforms.
Adding insult to injury, researchers have recently discovered a workaround for a previous patch issued for Microsoft Teams, that would allow a malicious actor to use the service's updater function to download any binary or malicious payload. Essentially, bad actors could hide in Microsoft Teams updater traffic, which has lately been voluminous. While Microsoft tried to cut off this vector as a conduit for remote code execution by restricting the ability to update Teams via a URL, it was not a complete fix, the researcher explained.
UPDATE. Netgear will not patch 45 router models that are vulnerable to a high-severity remote code execution flaw, the router company revealed last week. The company says that routers that won't receive updates are outdated or have reached EOL. The remote code execution vulnerability in question, which was disclosed June 15, allows unauthenticated, network-adjacent attackers to bypass authentication on vulnerable Netgear routers.
Netgear has quietly decided not to patch more than 40 home routers to plug a remote code execution vulnerability - despite security researchers having published proof-of-concept exploit code. Keen-eyed Reg readers noticed that Netgear quietly declared 45 of the affected products as "Outside the security support period" - meaning those items won't be updated to protect them against the vuln.
Well, 28 July 2020 is a Blue Firefox Update event - the second major security fix of the month, given that Mozilla now uses an every-four-weeks-on-Tuesday rhythm, and Firefox 78.0 came out on the first day of the month. Microsoft and Adobe follow a process of "Once each month on the second Tuesday"; Oracle has a system that delivers "Four times a year on the Tuesday closest to the 17th day of the first month of each calendar quarter", and Apple favours the "When security fixes are ready they arrive, and we deliberately don't say exactly when for security reasons" approach.
The under-attack bug is CVE-2020-3452, a path-traversal flaw in Switchzilla's Adaptive Security Appliance and Firepower Threat Defense software that can be used to "Read sensitive files on a targeted system." While there was no publicly available exploit code for the high-severity bug when first publicized, a day after issuing its advisory, Cisco said the flaw was being targeted in the wild. The vulnerabilities lie within the Treck IP stack used in Cisco gear, and, if exploited, allow complete takeover of a vulnerable device.