Security News
Proof-of-concept exploits for vulnerabilities in Netgear's Orbi 750 series router and extender satellites have been released, one of them a critical-severity remote command execution bug. The first and most critical flaw is tracked as CVE-2022-37337 and is a remotely exploitable command execution vulnerability in the access control functionality of the Netgear Orbi router.
The U.S. Cybersecurity and Infrastructure Security Agency released eight Industrial Control Systems advisories on Tuesday, warning of critical flaws affecting equipment from Delta Electronics and Rockwell Automation. "Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to obtain access to files and credentials, escalate privileges, and remotely execute arbitrary code," CISA said.
As many as 55 zero-day vulnerabilities were exploited in the wild in 2022, with most of the flaws discovered in software from Microsoft, Google, and Apple. Of the 55 zero-day bugs, 13 are estimated to have been abused by cyber espionage groups, with four others exploited by financially motivated threat actors for ransomware-related operations.
Google is calling attention to a set of severe security flaws in Samsung's Exynos chips, some of which could be exploited remotely to completely compromise a phone without requiring any user interaction. The 18 zero-day vulnerabilities affect a wide range of Android smartphones from Samsung, Vivo, and Google, as well as wearables using the Exynos W920 chipset and vehicles equipped with the Exynos Auto T5123 chipset.
Project Zero, Google's zero-day bug-hunting team, discovered and reported 18 zero-day vulnerabilities in Samsung's Exynos chipsets used in mobile devices, wearables, and cars. "The baseband software does not properly check the format types of accept-type attribute specified by the SDP, which can lead to a denial of service or code execution in Samsung Baseband Modem," Samsung says in a security advisory describing the CVE-2023-24033 vulnerability.
Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks. The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform and SAP NetWeaver.
Organizations in critical infrastructure sectors whose information systems contain security vulnerabilities associated with ransomware attacks are being notified by the US Cybersecurity and Infrastructure Security Agency and urged to implement a fix. "CISA leverages multiple open-source and internal tools to research and detect vulnerabilities within U.S. critical infrastructure," the agency explained in the formal announcement of its Ransomware Vulnerability Warning Pilot.
The Tenable report categorizes important vulnerability data and analyzes attacker behavior to help organizations inform their security programs and prioritize security efforts to focus on areas of most significant risk and disrupt attack paths, ultimately reducing exposure to cyber incidents. Threat actors continue to find success with known and proven exploitable vulnerabilities that organizations have failed to patch or remediate successfully.
Aruba Networks published a security advisory to inform customers about six critical-severity vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system. Aruba Networks is a California-based subsidiary of Hewlett Packard Enterprise, specializing in computer networking and wireless connectivity solutions.
Google Protected Computing: Ensuring privacy and safety of data regardless of location. In this Help Net Security interview, Royal Hansen, VP of Engineering for Privacy, Safety, and Security at Google, talks about Protected Computing, the impact of data protection regulations, and privacy in general.
Researchers find hidden vulnerabilities in hundreds of Docker containers. Rezilion uncovered the presence of hundreds of Docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.