Security News

An update released last week by VMware for the macOS version of Fusion attempts to fix a serious privilege escalation vulnerability introduced by a previous patch. VMware informed customers in mid-March that it had patched a high-severity privilege escalation vulnerability in Fusion, Remote Console and Horizon Client for Mac.

Over the first quarter of 2020, the number of security bugs disclosed by software makers fell 20 per cent though not for any of the right reasons, it seems. Analysts at Risk Based Security cited both internal data and public reports from vendors in putting the number of security vulnerabilities reported over the first three months of the year at 4,968, down from 6,198 over the same period in 2019.

Over the first quarter of 2020, the number of security bugs disclosed by software makers fell 20 per cent though not for any of the right reasons, it seems. Analysts at Risk Based Security cited both internal data and public reports from vendors in putting the number of security vulnerabilities reported over the first three months of the year at 4,968, down from 6,198 over the same period in 2019.

Apple has alerted users about a bunch of security fixes for its software on supported versions of macOS that you ought to install as soon as you can. The SSLab trio also found CVE-2020-9801 in Safari that can be exploited by malware already running on a Mac to force the browser to open another application.

Apple has alerted users about a bunch of security fixes for its software on supported versions of macOS that you ought to install as soon as you can. The SSLab trio also found CVE-2020-9801 in Safari that can be exploited by malware already running on a Mac to force the browser to open another application.

Docker has fixed a vulnerability that could have allowed an attacker to gain control of a Windows system using its service. The bug, discovered by Ceri Coburn, a researcher at security consultancy Pen Test Partners, exposed Docker for Windows to privilege elevation.

Adobe just published a foursome of very tight-lipped security notifications about new patches. The bulletin APSB20-26 actually came out last week, on Patch Tuesday, leaving a gap at -25, suggesting that at least the patch in bulletin APSB20-15 was prepared in time for Patch Tuesday but didn't make the final cut, perhaps to give it time for additional testing or tweaking.

This week we discuss a customer who went to Subway for a sandwich and left with a stalker, whether there's a demon in your printer and the things you should patch now. I host the show this week with Sophos experts Mark Stockley, Paul Ducklin and Greg Iddon.

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. What the researchers discovered, very greatly simplified, is that with some simple PowerShell commands, any user can setup a new printer device on Windows, provided that there's already a low-level driver program installed to support the destination printer.

Among the vulnerabilities patched by Microsoft on May 2020 Patch Tuesday is CVE-2020-1048, a "Lowly" privilege escalation vulnerability in the Windows Print Spooler service. CVE-2020-1048, which affects Windows 7, 8.1, and 10 and Windows Server 2008, 2012, 2016, and 2019, arises from the Windows Print Spooler service improperly allowing arbitrary writing to the file system.