Security News
Microsoft has released two out-of-band security updates designed to address remote code execution bugs found to affect the Microsoft Windows Codecs Library and Visual Studio Code. Microsoft patched two similar RCE bugs in June, leading to user confusion because of the ways the security updates were being delivered - via the Microsoft Store instead of the normal Windows Update channel.
NCSC, the cybersecurity arm of the UK's GCHQ intelligence service, urges organizations to make sure that all Microsoft SharePoint products in their environments are patched against CVE-2020-16952 to block takeover attempts. The server-side include vulnerability was reported by information security specialist Steven Seeley of Qihoo 360 Vulcan Team who found that it affects Microsoft SharePoint Enterprise Server 2016, Microsoft SharePoint Foundation 2013 Service Pack 1, and Microsoft SharePoint Server 2019.
UPDATE. A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. "The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password," Young told Threatpost.
Microsoft has pushed out fixes for 87 security vulnerabilities in October - 11 of them critical - and one of those is potentially wormable. "Coming in at 53 of the 87 vulnerabilities, patching the OS knocks out 60 percent of the vulnerabilities listed, along with over half of the critical RCE vulnerabilities resolved today."
Microsoft has plugged 87 security holes, including critical ones in the Windows TCP/IP stack and Microsoft Outlook and Microsoft 365 Apps for Enterprise. CVE-2020-16898 - A Windows TCP/IP vulnerability that could be remotely exploited by sending a specially crafted ICMPv6 router advertisement to an affected Windows server or client and could allow code execution.
The flaw stems from a NULL Pointer Dereference error and plagues the Windows, macOS, Linux and ChromeOS versions of Adobe Flash Player. Adobe is warning of a critical vulnerability in its Flash Player application for users on Windows, macOS, Linux and ChromeOS operating systems.
IBM has issued fixes for vulnerabilities in Spectrum Protect Plus, Big Blue's security tool found under the umbrella of its Spectrum data storage software branding. IBM Spectrum Protect Plus is a data-protection solution that provides near-instant recovery, replication, reuse and self-service for virtual machines.
Microsoft has released patches for 129 security bugs in its September Patch Tuesday update. Another critical RCE vulnerability that should be prioritized for patching is CVE-2020-1210, which exists in SharePoint due to a failure to check an application package's source markup.
Cisco has patched four vulnerabilities in its Jabber client for Windows, the most critical of which could allow attackers to achieve remote code execution by sending specially crafted chat messages. Cisco Jabber is a video conferencing and instant messaging application that's often used within enterprises for internal communication and collaboration.
Satnam Narang, staff research engineer at Tenable, told Threatpost that researchers can't definitively say how many Magento sites are vulnerable - however, they were able to identify at least 1,500 websites indexed through search engines that use the Magmi plugin. The second, now patched flaw, CVE-2020-5777, is an authentication bypass flaw in Magmi for Magento version 0.7.23 and below.