Security News

Hands On. Google has big ambitions for its new Open Source Vulnerabilities database, but getting started requires a Google Cloud Platform account and there are other obstacles that may add friction to adoption. The company wants to see more discipline and checks in critical open-source software, and revealed that it maintains its own private repositories for many projects to guard against compromised code or newly committed vulnerabilities.

Intel on Tuesday announced the release of updates that patch tens of vulnerabilities across many of the company's software and hardware products. The chipmaker's Patch Tuesday updates for February 2021 were described in 19 advisories, including four that cover high-severity vulnerabilities.

Two severe vulnerabilities in the NextGEN Gallery WordPress plugin could have exposed more than 800,000 websites to complete takeover, WordPress security company Defiant reported on Monday. Available for more than a decade, the plugin provides users with a broad range of gallery management capabilities, such as batch upload of photos, metadata import, thumbnail editing, photo and gallery management, and more.

Google last week announced the launch of OSV, which the internet giant has described as a vulnerability database and triage infrastructure for open source projects. OSV should make it easier for the users of open source software to find out which vulnerabilities impact them.

The vulnerabilities range from Remote Code Execution to SQL Injection, to Denial of Service and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall products. Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.

The report also revealed a 25% increase in ICS vulnerabilities disclosed compared to 2019, as well as a 33% increase from 1H 2020. During 2H 2020, 449 vulnerabilities affecting ICS products from 59 vendors were disclosed.

Cybersecurity researchers on Wednesday disclosed three severe security vulnerabilities impacting SolarWinds products, the most severe of which could have been exploited to achieve remote code execution with elevated privileges. Two of the flaws were identified in the SolarWinds Orion Platform, while a third separate weakness was found in the company's Serv-U FTP server for Windows, said cybersecurity firm Trustwave in a technical analysis.

Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products. The company warned that the web-based management interface of small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by seven severe vulnerabilities that could be abused by unauthenticated, remote attackers to execute arbitrary code as root.

The number of vulnerabilities discovered in industrial control system products in 2020 increased significantly compared to previous years, according to a report released on Thursday by industrial cybersecurity firm Claroty. According to Claroty, the number of ICS vulnerabilities disclosed in 2020 was nearly 25% higher compared to 2019 and close to 33% higher than in 2018.

Major vulnerabilities in the Realtek RTL8195A Wi-Fi module expose embedded devices used in a myriad of industries to remote attacks, researchers with automated device security platform provider Vdoo reveal. The low-power Wi-Fi module is designed for use in embedded devices, and is being used in a broad range of industries, including automotive, agriculture, energy, healthcare, industrial, and security.