Security News

After the inadvertent leaking of details about a wormable Windows SMBv3 RCE flaw on Tuesday, Microsoft has rushed to release a patch. The flaw affects Windows 10 and Windows Server installations, so admins who have those in their care are urged to implement the security updates right away.

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it." Unlike the Microsoft Windows SMB Server flaws used by the EternalBlue and EternalRomance exploits, which were leveraged for the 2017 WannaCry and NotPetya outbreaks, CVE-2020-0796 only affects SMBv3 and does not affect Windows 7 and Windows Server 2008 R2 systems.

A critical vulnerability in a WordPress plugin known as "ThemeREX Addons" could open the door for remote code execution in tens of thousands of websites. The plugin, which is installed on approximately 44,000 sites, is used to apply various "Skins" that govern the look and feel of web destinations, including theme-enhancing features and widgets.

Less than a month after the patching of a critical RCE flaw in OpenSMTPD, OpenBSD's mail server, comes another call to upgrade to the latest version, as two additional security holes have been plugged. CVE-2020-8794 is an out-of-bounds read flaw introduced in December 2015 and can - depending on the vulnerable OpenSMTPD version - lead to the execution of arbitrary shell commands either as root or as any non-root user.

OpenSMTPD has been found vulnerable to yet another critical vulnerability that could allow remote attackers to take complete control over email servers running BSD or Linux operating systems. OpenSMTPD, also known as OpenBSD SMTP Server, is an open-source implementation of the Simple Mail Transfer Protocol to deliver messages on a local machine or to relay them to other SMTP servers.

The patched version of Mozilla's browser, launched on Tuesday, is Firefox 73 and Firefox ESR 68.5. One of the vulnerabilities, tracked as CVE-2020-6800, was fixed in a previous release of Firefox 72 and the current Firefox ESR 68.5 update on Tuesday.

A critical vulnerability in the Bluetooth implementation on Android devices could allow attackers to launch remote code execution attacks - without any user interaction. Researchers on Thursday revealed further details behind the critical Android flaw, which was patched earlier this week as part of Google's February Android Security Bulletin.

About one in five of the 80,000 companies affected by a critical bug in the Citrix Application Delivery Controller and Citrix Gateway are still at risk from a trivial attack on their internal operations. "The critical information about applications accessible by Citrix can be leaked," he explained.

Security researchers have identified a JavaScript vulnerability in the WhatsApp desktop platform that could allow cybercriminals to spread malware, phishing or ransomware campaigns through notification messages that appear completely normal to unsuspecting users. "Exploiting the vulnerability requires the victim to click a link preview from a specially crafted text message."

Qualys researchers have discovered a critical vulnerability in OpenBSD's OpenSMTPD mail server, which can allow attackers to execute arbitrary shell commands on the underlying system as root. OpenSMTPD is an open source implementation of the Simple Mail Transfer Protocol.