Security News

Microsoft Office security updates fix critical SharePoint RCE bugs
2020-12-11 12:39

Microsoft has addressed critical remote code execution vulnerabilities in multiple SharePoint versions with this month's Office security updates. Redmond also issued the December 2020 Patch Tuesday security updates, with security updates for 58 vulnerabilities, nine of them rated as Critical.

The patch that wasn't: Cisco emits fresh fixes for NTLM hash-spilling vuln and XSS-RCE combo in Jabber app
2020-12-10 17:30

A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities - including one remote code execution flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message. Watchcom added: "The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities."

Zero-Click Wormable RCE Vulnerability in Cisco Jabber Gets Fixed, Again
2020-12-10 16:09

The bug impacts Cisco Jabber for Windows, Jabber for MacOS and the Jabber for mobile platforms. The most serious of the bugs, a cross-site scripting flaw, impacts Cisco Jabber for Windows and Cisco Jabber for MacOS. The flaw allow an authenticated, remote attacker to execute programs on a targeted system.

Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams
2020-12-08 04:09

A zero-click remote code execution bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system. Microsoft did not assign a CVE to this vulnerability, stating "It's currently Microsoft's policy to not issue CVEs on products that automatically updates without user's interaction."

When is a remote-code-execution bug in Teams not an RCE? When Microsoft says it isn't, flaw finder discovers
2020-12-07 21:58

At some point since August, Microsoft quietly fixed a cross-site scripting bug in its Teams web app that opened the door to a serious remote-code-execution vulnerability in the Linux, macOS, and Windows desktop versions of its Teams collaboration app. The security researcher who identified the issue suggests Microsoft should have done more to acknowledge the risk, noting that Microsoft didn't bother to publish details or obtain Common Vulnerabilities and Exposures identifiers for the flaws because Teams gets automatically updated.

Critical MobileIron RCE Flaw Under Active Attack
2020-11-25 16:55

Separately, the Cybersecurity and Infrastructure Security Agency in October warned that APT groups are exploiting the MobileIron flaw in combination with the severe Microsoft Windows Netlogon/Zerologon vulnerability. The flaw, first reported to MobileIron by Orange Tsai from DEVCORE, could allow an attacker to execute remote exploits without authentication.

UK urges orgs to patch critical MobileIron CVE-2020-15505 RCE bug
2020-11-24 14:31

The UK National Cyber Security Centre issued an alert yesterday, prompting all organizations to patch the critical CVE-2020-15505 remote code execution vulnerability in MobileIron mobile device management systems. NCSC is warning that they are aware of hacking groups actively using the MobileIron CVE-2020-1550 vulnerability to compromise the networks in the healthcare, local government, logistics, and legal sectors.

German COVID-19 Contact-Tracing Vulnerability Allowed RCE
2020-11-19 21:34

A security vulnerability in the infrastructure underlying Germany's official COVID-19 contact-tracing app, called the Corona-Warn-App, would have allowed pre-authenticated remote code execution. Researcher Alvaro Muñoz wrote in a report this week that he and his team at GitHub Security Lab was chasing down RCE vulnerabilities on the platform and found one in the infrastructure supporting CWA for Android and OS. The team said it worked with SAP to mitigate the issue, adding as a server-side issue, the mobile apps themselves were not impacted, and that no data was collected beyond a device's IP address.

Widespread Scans Underway for RCE Bugs in WordPress Websites
2020-11-18 21:53

Millions of malicious scans are rolling across the internet, looking for known vulnerabilities in the Epsilon Framework for building WordPress themes, according to researchers. "The security flaws on WordPress websites in themes using the Epsilon Framework are just another example of this content management system's inherent security risks," said Ameet Naik, security evangelist at PerimeterX, via email.

Researcher Discloses Critical RCE Flaws In Cisco Security Manager
2020-11-17 08:09

Cisco has published multiple security advisories concerning critical flaws in Cisco Security Manager a week after the networking equipment maker quietly released patches with version 4.22 of the platform. The flaws were responsibly reported to Cisco's Product Security Incident Response Team three months ago, on July 13.