Security News
Three vulnerabilities in the Amazon Kindle e-reader would have allowed a remote attacker to execute code and run it as root - paving the way for siphoning money from unsuspecting users. Yogev Bar-On, researcher at Realmode Labs, found that it was possible to email malicious e-books to the devices via the "Send to Kindle" feature to start a chain of attack - a discovery that earned him $18,000 from the Amazon bug-bounty program.
Cisco is warning of multiple, critical vulnerabilities in its software-defined networking for wide-area networks solutions for business users. Three critical flaws were found in Cisco smart software manager satellite, which offers businesses real-time visibility and reporting of their Cisco licenses.
Microsoft has plugged 83 CVEs, including a Microsoft Defender zero-day. One of the latter - a zero-day RCE affecting Microsoft Defender antivirus - is being exploited in the wild, but Microsoft didn't reveal more about these attacks.
Versions of the popular developer tool Zend Framework and its successor Laminas Project can be abused by an attacker to execute remote code on PHP-based websites, if they are running web-based applications that are vulnerable to attack. Impacted is Zend Framework version 3.0.0 and Laminas Project laminas-http before 2.14.2, with an estimated "Several million websites" using the framework and possibly impacted.
In September 2020, Cisco patched four Jabber vulnerabilities, but as it turns out, three of four have not been sufficiently mitigated. The incompleteness of the patches was discovered by Watchcom researchers - who discovered and disclosed the batch of vulnerabilities made public in September - after one of their clients requested they verify the effectiveness of Cisco's patches.
Microsoft has addressed critical remote code execution vulnerabilities in multiple SharePoint versions with this month's Office security updates. Redmond also issued the December 2020 Patch Tuesday security updates, with security updates for 58 vulnerabilities, nine of them rated as Critical.
A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities - including one remote code execution flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Watchcom added: "The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities."
The bug impacts Cisco Jabber for Windows, Jabber for MacOS and the Jabber for mobile platforms. The most serious of the bugs, a cross-site scripting flaw, impacts Cisco Jabber for Windows and Cisco Jabber for MacOS. The flaw allow an authenticated, remote attacker to execute programs on a targeted system.
A zero-click remote code execution bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system. Microsoft did not assign a CVE to this vulnerability, stating "It's currently Microsoft's policy to not issue CVEs on products that automatically updates without user's interaction."
At some point since August, Microsoft quietly fixed a cross-site scripting bug in its Teams web app that opened the door to a serious remote-code-execution vulnerability in the Linux, macOS, and Windows desktop versions of its Teams collaboration app. The security researcher who identified the issue suggests Microsoft should have done more to acknowledge the risk, noting that Microsoft didn't bother to publish details or obtain Common Vulnerabilities and Exposures identifiers for the flaws because Teams gets automatically updated.