Security News

Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appears to be government-backed hackers to spy on high-value targets. Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately.

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. Pedro Ribeiro of Agile Information Security has disclosed technical information for a total of four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security solution that "Provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business."

A DLL side-loading vulnerability related to the Microsoft Terminal Services Client can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch due to exploitation requiring elevated privileges. This allows an attacker who can replace the legitimate DLL to bypass security controls such as AppLocker, which is designed to help users control which apps and files can be run.

The COVID-19 pandemic might be causing delays to software schedules, but it's not managed to stop Microsoft's April Patch Tuesday update arriving on time this week. In total, the Windows 10, Windows 8.1, Windows 7 and Windows Server haul includes 113 CVE-level flaws, 19 of which are labelled critical.

SAP this week released its latest set of security patches, which brings a total of 23 Security Notes, including five that address Hot News vulnerabilities. Another Hot News Security Note released as part of the April 2020 SAP Security Patch Day addresses a directory traversal vulnerability in SAP NetWeaver.

Oracle this week released its April 2020 collection of security patches, which includes a total of 397 fixes for vulnerabilities affecting two dozen products. Roughly 60 of the newly addressed vulnerabilities are considered critical severity, with more than 55 of them featuring a CVSS score of 9.8.

Microsoft today released updates to fix 113 security vulnerabilities in its various Windows operating systems and related software. Many security news sites are reporting that Microsoft addressed a total of four zero-day flaws this month, but it appears the advisory for a critical Internet Explorer flaw has been revised to indicate Microsoft has not yet received reports of it being used in active attacks.

Microsoft has released its April 2020 Patch Tuesday security updates, its first big patch update released since the work-from-home era truly got underway. "The primary way would be to socially engineer a user into visiting a website containing the malicious code, whether owned by the attacker, or a compromised website with the malicious code injected into it. An attacker could also socially engineer the user into opening a malicious Microsoft Office document that embeds the malicious code."

For the April 2020 Patch Tuesday, Adobe plugs 5 flaws and Microsoft 113, three of which are currently being exploited by attackers. One of the patches fixes CVE-2020-0968, a RCE in Internet Explorer 11 and 9, which Microsoft initially flagged as being exploited in the wild.

VMware has fixed a critical vulnerability affecting vCenter Server, which can be exploited to extract highly sensitive information that could be used to compromise vCenter Server or other services which depend on the VMware Directory Service for authentication. vCenter Server is server management software for controlling VMware vSphere environments.