Security News

Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. Another critical RCE vulnerability that should be prioritized for patching is CVE-2020-1210, which exists in SharePoint due to a failure to check an application package's source markup.

Cisco has patched four vulnerabilities in its Jabber client for Windows, the most critical of which could allow attackers to achieve remote code execution by sending specially crafted chat messages. Cisco Jabber is a video conferencing and instant messaging application that's often used within enterprises for internal communication and collaboration.

Satnam Narang, staff research engineer at Tenable, told Threatpost that researchers can't definitively say how many Magento sites are vulnerable - however, they were able to identify at least 1,500 websites indexed through search engines that use the Magmi plugin. The second, now patched flaw, CVE-2020-5777, is an authentication bypass flaw in Magmi for Magento version 0.7.23 and below.

Have you already updated your Apache Struts 2 to version 2.5.22, released in November 2019? You might want to, and quickly, as information about a potential RCE vulnerability and PoC exploits for it have been published. "We continue to urge developers building upon Struts 2 to not use % syntax referencing unvalidated user modifiable input in tag attributes, since this is the ultimate fix for this class of vulnerabilities," René Gielen, Struts Project Management Committee chair, added.

Adobe has plugged 11 critical security holes in Acrobat and Reader, which if exploited could allow attackers to remotely execute code or sidestep security features in the app. As part of its regularly scheduled security updates, Tuesday, Adobe fixed critical- and important-severity flaws tied to 26 CVEs - all stemming from its popular Acrobat and Reader document-management application - as well as one important-severity CVE in Adobe Lightroom, which is its image manipulation software.

A security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software vBulletin that's already under active exploitation in the wild. In September last year, a separate anonymous security researcher publicly disclosed a then-zero-day RCE vulnerability in vBulletin, identified as CVE-2019-16759, and received a critical severity rating of 9.8, allowing attackers to execute malicious commands on the remote server without requiring any authentication to log into the forum.

A critical vulnerability in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with system level privileges on the target Windows host. ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

Overall, 54 high-severity flaws were patched as part of Google's August security updates for the Android operating system, released on Monday. The RCE flaw, the most serious of these flaws, exists in the Android Framework, which is a set of APIs - consisting of system tools and user interface design tools - that allow developers to quickly and easily write apps for Android phones.

Adding insult to injury, researchers have recently discovered a workaround for a previous patch issued for Microsoft Teams, that would allow a malicious actor to use the service's updater function to download any binary or malicious payload. Essentially, bad actors could hide in Microsoft Teams updater traffic, which has lately been voluminous. While Microsoft tried to cut off this vector as a conduit for remote code execution by restricting the ability to update Teams via a URL, it was not a complete fix, the researcher explained.

Researchers find critical RCE vulnerabilities in industrial VPN solutionsCritical vulnerabilities in several industrial VPN implementations for remotely accessing operational technology networks could allow attackers to overwrite data, execute malicious code or commands, cause a DoS condition, and more. Lack of training, career development, and planning fuel the cybersecurity profession crisisThe cybersecurity skills crisis continues to worsen for the fourth year in a row and has impacted 70 percent of organizations, as revealed in a global study of cybersecurity professionals by ISSA and ESG. Bug in widely used bootloader opens Windows, Linux devices to persistent compromiseA vulnerability in the widely used GRUB2 bootloader opens most Linux and Windows systems in use today to persistent compromise.