Security News
A week after July's Patch Tuesday, Adobe has released out-of-band security updates for vulnerabilities in four of its products - and most of them are considered to be critical in severity. The patch batch includes five critical bugs in Photoshop for both Windows and macOS allowing for code execution.
The US Cybersecurity and Infrastructure Security Agency has instructed government agencies to immediately address a vulnerability affecting Windows DNS servers. The flaw, which impacts Windows Server versions released in the past 17 years, allows a remote, unauthenticated attacker to run arbitrary code on affected Windows DNS servers using specially crafted requests.
Cisco has emitted 33 security bug fixes in its latest crop of software updates, five of those deemed critical. Affected devices include multiple RV-series routers, the RV110W series VPN Firewall, and the Cisco Prime License Manager.
Microsoft's desktop email client Outlook has stopped working worldwide for countless users, whether they are using it with an on-premises Exchange server or with the Office 365 cloud. As a workaround, users can utilize Outlook on the web or their mobile clients.
The good news for most of us, at least in terms of patching, is that this vulnerability only affects Windows servers, because the bug is in the Windows DNS server code, not in the Windows DNS client code. DNS servers often need to perform client-like functions, for example by passing on requests that they can't answer themselves to other servers that can, reading in the replies and reformatting them to reply to the original client request that came in.
A critical DNS bug and a publicly known elevation-of-privilege flaw top Microsoft's July Patch Tuesday list of 123 fixes. "A remote, unauthenticated attacker could exploit this vulnerability by sending a malicious request to a vulnerable Windows DNS server. Successful exploitation would allow the attacker to execute arbitrary code under the local system account context," wrote Satnam Narang, staff research engineer at Tenable, in the company's Patch Tuesday analysis.
SAP customers should update their installations to close a security vulnerability that can be exploited to commandeer the software by anyone who can reach it. Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP's NetWeaver AS JAVA allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization.
Attackers are probing Citrix controllers and gateways through recently patched flawsSANS ISC's Dr. Johannes Ullrich spotted attackers attempting to exploit two of the Citrix vulnerabilities on his F5 BigIP honeypot. Exposing the privacy risks of home security camerasAn international study has used data from a major provider of home IP security cameras to evaluate potential privacy risks for users.
Zoom is working on resolving a remote code execution vulnerability affecting the Windows client, but a third-party fix has been made available for users who don't want to wait for the official patch. On Thursday, ACROS Security announced the availability of a micro-patch for a remote code execution vulnerability in Zoom Client for Windows.
Despite these record CVE numbers, the actual number of updates have been down; we haven't seen Exchange or SQL Server updates in a while. Keep your eyes open on Tuesday to see if these CVEs show up in the cumulative monthly update.