Security News
Well, 28 July 2020 is a Blue Firefox Update event - the second major security fix of the month, given that Mozilla now uses an every-four-weeks-on-Tuesday rhythm, and Firefox 78.0 came out on the first day of the month. Microsoft and Adobe follow a process of "Once each month on the second Tuesday"; Oracle has a system than delivers "Four times a year on the Tuesday closest to the 17th day of the first month of each calendar quarter", and Apple favours the "When security fixes are ready they arrive, and we deliberately don't say exactly when for security reasons" approach.
The under-attack bug is CVE-2020-3452, a path-traversal flaw in Switchzilla's Adaptive Security Appliance and Firepower Threat Defense software that can be used to "Read sensitive files on a targeted system." While there was no publicly available exploit code for the high-severity bug when first publicized, a day after issuing its advisory, Cisco said the flaw was being targeted in the wild. The vulnerabilities lie within the Treck IP stack used in Cisco gear, and, if exploited, allow complete takeover of a vulnerable device.
The under-attack bug is CVE-2020-3452, a path-traversal flaw in Switchzilla's Adaptive Security Appliance and Firepower Threat Defense software that can be used to "Read sensitive files on a targeted system." While there was no publicly available exploit code for the high-severity bug when first publicized, a day after issuing its advisory, Cisco said the flaw was being targeted in the wild. The vulnerabilities lie within the Treck IP stack used in Cisco gear, and, if exploited, allow complete takeover of a vulnerable device.
Some vendors of low-cost devices are responsive to bug reports and publish security fixes promptly, which leads to another problem with the IoT ecosystem, namely that many consumers take a "Set and forget" attitude to these devices. So even if your home router gets updated reguarly with security improvements, when was the last time you went and checked if your device actually has the latest firmware version installed?
A week after July's Patch Tuesday, Adobe has released out-of-band security updates for vulnerabilities in four of its products - and most of them are considered to be critical in severity. The patch batch includes five critical bugs in Photoshop for both Windows and macOS allowing for code execution.
The US Cybersecurity and Infrastructure Security Agency has instructed government agencies to immediately address a vulnerability affecting Windows DNS servers. The flaw, which impacts Windows Server versions released in the past 17 years, allows a remote, unauthenticated attacker to run arbitrary code on affected Windows DNS servers using specially crafted requests.
Cisco has emitted 33 security bug fixes in its latest crop of software updates, five of those deemed critical. Affected devices include multiple RV-series routers, the RV110W series VPN Firewall, and the Cisco Prime License Manager.
Microsoft's desktop email client Outlook has stopped working worldwide for countless users, whether they are using it with an on-premises Exchange server or with the Office 365 cloud. As a workaround, users can utilize Outlook on the web or their mobile clients.
The good news for most of us, at least in terms of patching, is that this vulnerability only affects Windows servers, because the bug is in the Windows DNS server code, not in the Windows DNS client code. DNS servers often need to perform client-like functions, for example by passing on requests that they can't answer themselves to other servers that can, reading in the replies and reformatting them to reply to the original client request that came in.
A critical DNS bug and a publicly known elevation-of-privilege flaw top Microsoft's July Patch Tuesday list of 123 fixes. "A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server. Successful exploitation would allow the attacker to execute arbitrary code under the local system account context," wrote Satnam Narang, staff research engineer at Tenable, in the company's Patch Tuesday analysis.