Security News
If you're using vBulletin to power your online forum(s), you should implement the newest security patches offered by the developers as soon as possible. The patches fix CVE-2020-12720, a vulnerability affecting versions 5.5.6, 5.6.0 and 5.6.1 which could be exploited without previous authentication.
SaltStack Salt vulnerabilities actively exploited by attackers, patch ASAP!
Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity.
One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch
Today I'm happy to release new research I've been working on for a while: 0-click RCE via MMS in all modern Samsung phones, due to numerous bugs in a little-known custom "Qmage" image codec supported by Skia on Samsung devices. The patch coincides with Android's monthly release of security fixes: all owners of devices running supported versions of Android will want to check for and install relevant updates in May's patch batch.
The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management. Oracle released their Critical Patch Updates last month which happened to coincide with April Patch Tuesday.
Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns. The vulnerabilities affect all Salt versions prior to 2019.2.4 and 3000.2, which were released last week.
Netsweeper's internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. Rathaus told The Register that, in the worst case scenario, a hacker could exploit the bug to not only take over the host server, but also manipulate how users have their content filtered and delivered by Netsweeper.
The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. Salt is a tool from SaltStack which has both commercial and open source editions.
Well, here's the thing: it seems that the Microsoft Office 2019 and Office 365 ProPlus products from Microsoft include support for FBX files - whether you use FBXes yourself or not - and that the code to process those files comes from Autodesk. As you probably know, an RCE bug that is present when a vulnerable application processes a booby-trapped file often means that simply opening up or previewing that file could allow crooks to implant malware on your computer.
Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets. Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately.
A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. Pedro Ribeiro of Agile Information Security has disclosed technical information for a total of four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security solution that "Provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business."