Security News

One malicious MMS is all it takes to pwn a Samsung smartphone: Bug squashed amid Android patch batch
2020-05-08 23:42

Today I'm happy to release new research I've been working on for a while: 0-click RCE via MMS in all modern Samsung phones, due to numerous bugs in a little-known custom "Qmage" image codec supported by Skia on Samsung devices. The patch coincides with Android's monthly release of security fixes: all owners of devices running supported versions of Android will want to check for and install relevant updates in May's patch batch.

May 2020 Patch Tuesday forecast: Time for a break?
2020-05-08 06:30

The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management. Oracle released their Critical Patch Updates last month, which happened to coincide with April Patch Tuesday.

SaltStack Salt vulnerabilities actively exploited by attackers, patch ASAP!
2020-05-04 10:32

Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns. The vulnerabilities affect all Salt versions prior to 2019.2.4 and 3000.2, which were released last week.

What's worse than an annoying internet filter? How about one with a pre-auth remote-command execution hole and there's no patch?
2020-05-01 05:03

Netsweeper's internet filter has a nasty security vulnerability that can be exploited to hijack the host server and tamper with lists of blocked websites. Rathaus told The Register that, in the worst case scenario, a hacker could exploit the bug to not only take over the host server, but also manipulate how users have their content filtered and delivered by Netsweeper.

Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now
2020-04-30 11:35

The Salt configuration tool has patched two vulnerabilities whose combined effect was to expose Salt installations to complete control by an attacker. Salt is a tool from SaltStack which has both commercial and open source editions.

Patch now! Microsoft issues unexpected Office fix
2020-04-24 11:58

Well, here's the thing: it seems that the Microsoft Office 2019 and Office 365 ProPlus products from Microsoft include support for FBX files - whether you use FBXes yourself or not - and that the code to process those files comes from Autodesk. As you probably know, an RCE bug that is present when a vulnerable application processes a booby-trapped file often means that simply opening up or previewing that file could allow crooks to implant malware on your computer.

Zero-click, zero-day flaws in iOS Mail 'exploited to hijack' VIP smartphones. Apple rushes out beta patch
2020-04-22 23:59

Apple has reportedly patched a pair of critical vulnerabilities in iOS that are being exploited by what appear to be government-backed hackers to spy on high-value targets. Most importantly, the researchers said, in iOS 13, the attack can be performed when Mail automatically downloads messages in the background, meaning no user interaction is needed: the data is fetched, parsed, and the bugs exploited immediately.

IBM Tells Researcher It Will Not Patch Serious Data Risk Manager Flaws
2020-04-21 15:28

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. Pedro Ribeiro of Agile Information Security has disclosed technical information for a total of four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security solution that "Provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business."

Microsoft Will Not Patch Security Bypass Flaw Abusing MSTSC
2020-04-21 12:06

A DLL side-loading vulnerability related to the Microsoft Terminal Services Client can be exploited to bypass security controls, but Microsoft says it will not be releasing a patch due to exploitation requiring elevated privileges. This allows an attacker who can replace the legitimate DLL to bypass security controls such as AppLocker, which is designed to help users control which apps and files can be run.

Update now! Windows zero-day flaws fixed in Patch Tuesday
2020-04-16 09:14

The COVID-19 pandemic might be causing delays to software schedules, but it's not managed to stop Microsoft's April Patch Tuesday update arriving on time this week. In total, the Windows 10, Windows 8.1, Windows 7 and Windows Server haul includes 113 CVE-level flaws, 19 of which are labelled critical.