Security News

Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors
2021-06-18 16:39

Eight vulnerabilities discovered in the Drawings software development kit made by Open Design Alliance impact products from Siemens and likely other vendors. Dgn design files, is affected by several vulnerabilities that can be exploited by convincing the targeted user to open a specially crafted file.

Security Camera Feeds Exposed Due to Flaw in SDK Used by Many Vendors
2021-06-16 12:49

A critical vulnerability discovered in a ThroughTek P2P software development kit used by multiple security camera manufacturers can be exploited to gain remote access to camera feeds. The company says its solutions are used by millions of connected devices.

Industrial Switches From Several Vendors Affected by Same Vulnerabilities
2021-06-02 11:11

Industrial switches provided by several vendors are affected by the same vulnerabilities because they share firmware made by Taiwan-based industrial networking solutions provider Korenix Technology. The firmware developed by Korenix for its JetNet industrial switches is also used by Westermo for PMI-110-F2G and Pepperl+Fuchs for Comtrol RocketLinx industrial switches.

ICS Vendors Assessing Impact of New OPC UA Vulnerabilities
2021-05-21 15:07

Multiple companies that develop industrial systems are assessing the impact of two new OPC UA vulnerabilities on their products, and German automation technology firm Beckhoff is the first to release a security advisory. .NET based OPC UA client/server SDK. The OPC Foundation released a patch in March.

How Biden's executive order on cybersecurity may impact vendors and developers
2021-05-17 14:46

Though most of the EO is aimed at government agencies, vendors and developers will have to design all of their products with a greater focus on security, according to Finite State. With ransomware attacks increasingly impacting businesses, government agencies and critical infrastructure, President Joe Biden last week signed an executive order designed to shore up the nation's cyber security.

Impacted Vendors Release Advisories for FragAttacks Vulnerabilities
2021-05-14 15:08

Impacted vendors have released security advisories in response to the recently disclosed Wi-Fi vulnerabilities collectively tracked as FragAttacks. A dozen CVE identifiers have been assigned to the FragAttacks flaws discovered last year by researcher Mathy Vanhoef, including three for design flaws and nine for implementation flaws.

Organizations are more likely to purchase tech and services from vendors demonstrating transparency
2021-03-15 15:01

Some 73% of companies prefer to purchase from technology providers that are transparent and proactive in helping organizations manage their cybersecurity risk, a study released Monday by Intel finds. "Security doesn't just happen. If you are not finding vulnerabilities, then you are not looking hard enough," said Suzy Greenberg, vice president of Intel product assurance and security, in a statement.

Vendors Respond to Method for Disabling Their Antivirus Products via Safe Mode
2020-12-15 14:27

Microsoft and several major cybersecurity companies have responded to a researcher's disclosure of a method for remotely disabling their antivirus products by leveraging the Windows safe mode. Researcher Roberto Franceschetti last week published an advisory, a blog post, a video and proof-of-concept exploits demonstrating a method that could be used by an attacker to disable anti-malware products from Microsoft, Avast, Bitdefender, F-Secure and Kaspersky.

Study finds 31% of third-party vendors could cause significant damage to organizations if breached
2020-11-20 19:50

The "State of Third Party Risk Management" report surveyed 154 third-party risk management professionals and found that they assess a median of 50 vendors each year, with most enterprises reporting having a TPRM program for about five to six years. "In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide," said Kelly White, CEO and co-founder of RiskRecon.

Multiple Industrial Control System Vendors Warn of Critical Bugs
2020-11-17 22:38

Industrial control system firms Real Time Automation and Paradox both warned of critical vulnerabilities Tuesday that opened systems up to remote attacks by adversaries. RTA, which describes itself as providing industrial control systems for manufacturing and building automation, posted information regarding the vulnerability on Oct. 27.