Security News

Just 2.6% of 2019's 18,000 tracked vulnerabilities were actively exploited in the wild
2021-02-18 18:00

While the infosec industry is used to reading FUD about software vulnerabilities, eye-catching research suggests about 500 vulns were exploited in 2019 - despite 18,000 new CVEs being created. Kenna Security, a US infosec firm, reckons that despite thousands of vulnerabilities being assigned a Common Vulnerabilities and Exposures (CVE) identifier in the year, just 473 of those were actively being exploited in ways likely to impact enterprises.

Three New Vulnerabilities Patched in OpenSSL
2021-02-17 09:31

The OpenSSL Project on Tuesday announced the availability of patches for three vulnerabilities, including two that can be exploited for denial-of-service attacks and one related to incorrect SSLv2 rollback protection (the latter affecting only the 1.0.2 branch). One of the denial-of-service flaws was reported to OpenSSL developers by Google Project Zero researcher Tavis Ormandy and it has been patched with the release of OpenSSL 1.1.1j. Versions 1.1.1i and earlier are impacted.

57% of vulnerabilities in 2020 were classified as critical or high severity
2021-02-17 05:30

NIST logged more than 18,000 vulnerabilities in 2020, over 10,000 of which were critical or high severity - an all-time high. More security vulnerabilities were disclosed in 2020 than in any other year to date - at an average rate of 50 CVEs per day.

Several Vulnerabilities Found in Popular File Sharing App SHAREit
2021-02-16 13:02

Researchers have discovered several vulnerabilities in the SHAREit Android application, including flaws that could expose sensitive user data and allow remote code execution. SHAREit, originally made by Chinese tech giant Lenovo, is a popular cross-platform file sharing app currently developed by Smart Media4U Technology.

On Vulnerability-Adjacent Vulnerabilities
2021-02-15 12:14

In September 2019, another similar vulnerability was found being exploited by the same hacking group. More discoveries in November 2019, January 2020, and April 2020 added up to at least five zero-day vulnerabilities being exploited from the same bug class in short order.

Vulnerabilities in TCP/IP Stacks Allow for TCP Connection Hijacking, Spoofing
2021-02-12 15:50

Improperly generated initial sequence numbers (ISNs) in nine TCP/IP stacks could be abused to hijack connections to vulnerable devices, according to new research from Forescout. TCP/IP stacks are critical components that provide basic network connectivity for a broad range of devices, IoT and OT included, and which process all incoming frames and packets.

Intel fixes vulnerabilities in Windows, Linux graphics drivers
2021-02-11 15:02

Intel addressed 57 security vulnerabilities during this month's Patch Tuesday, including high severity ones impacting Intel Graphics Drivers. The security bugs are detailed in the 19 security advisories published by Intel on its Product Security Center, with security and functional updates being delivered to users through the Intel Platform Update process.

Vulnerabilities in widely used TCP/IP stacks open IoT, OT devices to attack
2021-02-11 14:23

Forescout researchers have discovered nine vulnerabilities affecting nine different TCP/IP stacks widely used in IoT and OT devices. The vulnerabilities are due to weak Initial Sequence Number generation, and could be exploited to mount limited DoS attacks against the vulnerable devices, to inject malicious data on a device, or to bypass authentication.
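The two Forescout items above both come down to the same failure mode: if a stack's ISNs are a counter or a clock rather than random, an off-path attacker can guess the sequence number of a connection they cannot see and inject a spoofed RST or payload that lands inside the receive window. The script below is an added example (not Forescout's tooling or any code from the reports) that grades a set of observed ISNs and estimates how many blind spoofed segments an attacker would need; the ISN samples are constructed inline, the labels and the 2^16 spread threshold are this example's own heuristics, and a real check would read the server ISN from the SYN/ACK of repeated connections to the device under test.

```python
"""Crude TCP ISN predictability check (added example, constructed data)."""
import math
import statistics
from functools import reduce

ISN_SPACE = 1 << 32  # sequence numbers are 32-bit and wrap


def isn_deltas(isns):
    """Differences between consecutive ISNs, reduced modulo 2^32 so a wrap
    (e.g. 0xFFFFFF00 -> 0x00000100) counts as a small positive step."""
    return [(b - a) % ISN_SPACE for a, b in zip(isns, isns[1:])]


def classify_isn_generator(isns):
    """Grade an ISN source from observed samples.

    Returns (label, gcd_of_deltas, stddev_of_deltas). Labels are this
    example's own, loosely inspired by how Nmap describes ISN predictability:
      constant            every connection gets the same ISN
      constant-increment  fixed step per connection (old BSD-style +64000)
      time-dependent      clock-driven with small jitter (spread below 2^16)
      random-looking      no structure visible to this crude test
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 3:
        raise ValueError("need at least four ISN samples")
    g = reduce(math.gcd, deltas)          # gcd(0, 0) is 0 for the constant case
    sd = statistics.pstdev(deltas)
    if all(d == 0 for d in deltas):
        return "constant", g, sd
    if all(d == deltas[0] for d in deltas):
        return "constant-increment", g, sd
    if sd < (1 << 16):
        return "time-dependent", g, sd
    return "random-looking", g, sd


def predicted_next_isn(isns):
    """Best guess for the next ISN and the half-width of the uncertainty.

    Guess = last ISN + mean delta; the spread of past deltas is the error.
    A constant-increment generator yields an exact prediction (spread 0)."""
    deltas = isn_deltas(isns)
    mean = statistics.mean(deltas)
    spread = (max(deltas) - min(deltas)) // 2
    return (isns[-1] + round(mean)) % ISN_SPACE, spread


def spoof_attempts_needed(isns, rcv_window=65535):
    """Average number of blind spoofed segments an off-path attacker must
    send before one lands inside the victim's receive window.

    Only a sequence number within the window is needed, so the search space
    is the ISN uncertainty divided by the window size. For a random-looking
    generator the uncertainty is the whole 32-bit space."""
    label, _, _ = classify_isn_generator(isns)
    if label == "random-looking":
        uncertainty = ISN_SPACE
    else:
        _, spread = predicted_next_isn(isns)
        uncertainty = 2 * spread + 1
    return max(1, math.ceil(uncertainty / rcv_window))


# Constructed samples; not captured from any real device or from the research.
WEAK_COUNTER = [0x10000000 + 64000 * i for i in range(6)]          # +64000 per connection
WEAK_CLOCK = [0x20000000 + 250000 * i + j                          # 250k/sec clock, small jitter
              for i, j in zip(range(6), [3, 17, 9, 22, 5, 12])]
RANDOM_ISNS = [0x9A3F1C2B, 0x1B7E44D0, 0xE2C09A11,
               0x57A1F3E9, 0x0C88B2F4, 0xB4D61A7C]


def report(name, isns):
    label, g, sd = classify_isn_generator(isns)
    guess, spread = predicted_next_isn(isns)
    return (f"{name}: {label} (gcd={g}, stddev={sd:.0f}); next ISN ~ 0x{guess:08X} "
            f"+/- {spread}; ~{spoof_attempts_needed(isns)} blind segments to hit the window")


if __name__ == "__main__":
    for name, isns in [("counter", WEAK_COUNTER), ("clock", WEAK_CLOCK), ("random", RANDOM_ISNS)]:
        print(report(name, isns))
```

The useful number is the last one: a counter or clock-driven stack needs one or a handful of spoofed segments, while a properly randomised ISN forces on the order of 2^32 / window attempts, which is what makes blind hijacking impractical. Six samples are enough to expose the weak generators here but not to vouch for a strong one; treat "random-looking" as "not obviously broken", not as a pass.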

Siemens Patches 21 More File Parsing Vulnerabilities in PLM Products
2021-02-11 12:39

Siemens this week released nine new security advisories describing vulnerabilities affecting the company's products. The affected products are made by Siemens Digital Industries Software, which specializes in product lifecycle management solutions.

Open Source Vulnerabilities database: Nice idea but too many Google-shaped hoops to jump through at present
2021-02-11 09:30

Hands On. Google has big ambitions for its new Open Source Vulnerabilities database, but getting started requires a Google Cloud Platform account and there are other obstacles that may add friction to adoption. The company wants to see more discipline and checks in critical open-source software, and revealed that it maintains its own private repositories for many projects to guard against compromised code or newly committed vulnerabilities.