Security News
Three high-impact Unified Extensible Firmware Interface (UEFI) security vulnerabilities have been discovered impacting various Lenovo consumer laptop models, enabling malicious actors to deploy and execute firmware implants on the affected devices. Tracked as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, the latter two "affect firmware drivers originally meant to be used only during the manufacturing process of Lenovo consumer notebooks," ESET researcher Martin Smolár said in a report published today.
Got a Lenovo laptop? You might need to do a swift bit of patching judging by the latest set of vulnerabilities uncovered by security researchers at ESET. Three vulnerabilities were reported today: CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972. "UEFI threats can be extremely stealthy and dangerous," said ESET researcher Martin Smolár, who discovered the vulnerabilities.
From an operational risk/maintenance perspective, 85% of the 2,097 codebases contained open source that was more than four years out-of-date. Assessed codebases show open source vulnerabilities are decreasing overall.
CISA adds 8 known security vulnerabilities as priorities to patch. The Cybersecurity & Infrastructure Security Agency, or CISA, maintains a database of known security vulnerabilities.
The updates are in addition to 26 other flaws resolved by Microsoft in its Chromium-based Edge browser since the start of the month. The actively exploited flaw relates to an elevation of privilege vulnerability in the Windows Common Log File System.
Invicti Security released research that reveals a rise in severe web vulnerabilities and the need for executive leaders to intertwine their application security and digital transformation efforts to reduce risk. The report examines web vulnerabilities from over 939 customers worldwide and was derived from the largest data set yet, with more than 23 billion security checks executed on customer applications uncovering over 282,000 direct-impact vulnerabilities.
VMware has released security updates to patch eight vulnerabilities spanning its products, some of which could be exploited to launch remote code execution attacks. Credited with reporting all the vulnerabilities is Steven Seeley of Qihoo 360 Vulnerability Research Institute.
VMware has warned customers to immediately patch critical vulnerabilities in multiple products that threat actors could use to launch remote code execution attacks. "This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0011. The ramifications of this vulnerability are serious," VMware warned on Wednesday.
It's been almost a week since the Spring4Shell vulnerability came to light and since the Spring development team fixed it in new versions of the Spring Framework. We might not have all the facts: the US Cybersecurity and Infrastructure Agency added Spring4Shell to its Known Exploited Vulnerabilities Catalog on Monday.
Rapid7 announced the release of a report examining the 50 most notable security vulnerabilities and high-impact cyberattacks in 2021. Researchers analyze thousands of vulnerabilities each year to understand root causes, dispel misconceptions, and share information on why certain flaws are more likely to be exploited than others.