Security News

Microsoft today issued software updates to plug at least 111 security holes in Windows and Windows-based programs. May marks the third month in a row that Microsoft has pushed out fixes for more than 110 security flaws in its operating system and related software.

An attacker who successfully exploited either vulnerability could run arbitrary code in kernel mode; thus, an attacker could then install programs; view, change or delete data; or create new accounts with full user rights. In all cases an attack requires user interaction, such as tricking users into clicking a link that takes them to the attacker's site.

For the May 2020 Patch Tuesday, Microsoft has fixed 111 CVE-numbered flaws and Adobe 36, but none are under active attack. The vulnerability is found in most Windows 10 and Windows Server builds and Microsoft deems it "More likely to be exploited."

VMware is working on patches for its vRealize Operations Manager product to fix two recently disclosed Salt vulnerabilities that have already been exploited to hack organizations. Researchers discovered recently that the configuration management and orchestration system Salt is affected by serious vulnerabilities that can be exploited for authentication bypass and directory traversal.

If you are running an online discussion forum based on vBulletin software, make sure it has been updated to install a newly issued security patch that fixes a critical vulnerability. Maintainers of the vBulletin project recently announced an important patch update but didn't reveal any information on the underlying security vulnerability, identified as CVE-2020-12720.

If you are running an online discussion forum based on vBulletin software, make sure it has been updated to install a newly issued security patch that fixes a critical vulnerability. Maintainers of the vBulletin project recently announced an important patch update but didn't reveal any information on the underlying security vulnerability, identified as CVE-2020-12720.

If you're using vBulletin to power your online forum(s), you should implement the newest security patches offered by the developers as soon as possible. The patches fix CVE-2020-12720, a vulnerability affecting versions 5.5.6, 5.6.0 and 5.6.1 with could be exploited without previous authentication.

SaltStack Salt vulnerabilities actively exploited by attackers, patch ASAP!Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity.

Today I'm happy to release new research I've been working on for a while: 0-click RCE via MMS in all modern Samsung phones, due to numerous bugs in a little-known custom "Qmage" image codec supported by Skia on Samsung devices. The patch coincides with Android's monthly release of security fixes: all owners of devices running supported versions of Android will want to check for and install relevant updates in May's patch batch.

The forecast for May is looking light on updates, which will be a relief to many IT professionals busy dealing with increasing threats and the challenges of remote system management. Oracle released their Critical Patch Updates last month which happened to coincide with April Patch Tuesday.