Security News

Google has patched a vulnerability in its Android OS that could allow attackers to completely take over someone's device to install programs, steal or change data, or create new accounts with full privileges. The flaw was one of 39 vulnerabilities affecting Android OS builds that use older security profiles and are spread throughout various components of Android that the company fixed in its latest security patch, according to a security bulletin published Monday.

Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "Master" node that deploys the changes to a target group of "Minions" en masse.

Two severe security flaws have been discovered in the open-source SaltStack Salt configuration framework that could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. Built as a utility to monitor and update the state of servers, Salt employs a master-slave architecture that automates the process of pushing out configuration and software updates from a central repository using a "Master" node that deploys the changes to a target group of "Minions" en masse.

The open-source Salt management framework contains high-severity security vulnerabilities that allow full remote code execution as root on servers in data centers and cloud environments. "The ClearFuncs class also exposes the method prep auth info(), which returns the root key used to authenticate commands from the local root user on the master server. This root key can then be used to remotely call administrative commands on the master server. This unintentional exposure provides a remote un-authenticated attacker with root-equivalent access to the salt master."

That's according to researchers at Radware, who also said that it's notable how quickly Hoaxcalls operators have moved to weaponize the ZyXel bug, which as of this time of writing, has still not been addressed in a ZyXel advisory. According to the Palo Alto Unit 42 researchers who found it, the original sample featured three DDoS attack vectors: UDP, DNS and HEX floods; and, it was seen infecting devices through two vulnerabilities: A DrayTek Vigor2960 remote code-execution vulnerability and a GrandStream Unified Communications remote SQL injection bug.

A week after the April 2020 Patch Tuesday, Microsoft has released out-of-band security updates for its Office suite, to fix a handful of vulnerabilities that attackers could exploit to achieve remote code execution. At the same time, a security update has also been released for Paint 3D, the company's free app for creating 3D models, because the source of the fixed vulnerabilities is something that both Office and Paint 3D have in common: the Autodesk FBX library.

UPDATED. Four serious security vulnerabilities in the IBM Data Risk Manager have been identified that can lead to unauthenticated remote code execution as root in vulnerable versions, according to analysis - and a proof-of-concept exploit is available. IBM weighed in on the problem this week, after a researcher went public with the bugs, one of which may end up being a zero-day issue - Big Blue is still investigating.

Cisco is warning of a critical flaw in the web server of its IP phones. Cisco issued patches in a Wednesday advisory for the flaw, which affects various versions of its Cisco IP phones for small- to medium-sized businesses.

We'll refer to this one a Fourthytuesday instead, now that Firefox has reduced its update wavelength to four weeks to get important-but-not-zero-day-critical fixes out just that bit more frequently. If your automatic update hasn't happened yet, a manual check will let you "Jump the queue" and get the update a bit sooner.

Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component. "The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google notes in an advisory.