Security News

Millions of connected devices from over 150 vendors are affected by tens of vulnerabilities found in open source TCP/IP stacks, enterprise IoT security company Forescout revealed this week. The Ripple20 flaws disclosed earlier this year and the URGENT/11 bugs made public in 2019 were revealed to render millions of devices vulnerable to remote attacks.

Adobe has released security updates to address critical severity security bugs affecting Windows and macOS versions of Adobe Lightroom and Adobe Prelude. In total, the company addressed four security vulnerabilities affecting three products, three of them rated as critical and one as an important severity bug in Adobe Experience Manager and the AEM Forms add-on package.

With the December 2020 Patch Tuesday security updates release, Microsoft has released fixes for 58 vulnerabilities and one advisory for Microsoft products. Of the 58 vulnerabilities fixed today, nine are classified as Critical, 48 as Important, and two as Moderate.

Cisco has released security updates to address multiple pre-authentication vulnerabilities with public exploits affecting Cisco Security Manager that could allow for remote code execution after successful exploitation. Cisco Security Manager helps manage security policies on a large assortment of Cisco security and network devices, and it also provides summarized reports and security event troubleshooting capabilities.

Network-attached storage maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation. The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.

Developers often need years to address some of the vulnerabilities introduced in their software, a new GitHub report reveals. The report, which is based on the analysis of more than 45,000 active repositories, shows that it typically takes 7 years to address vulnerabilities in Ruby, while those in npm are usually patched in five years.

TrickBot has been updated with functionality that allows it to scan the UEFI/BIOS firmware of the targeted system for vulnerabilities, security researchers have discovered. As Eclypsium points out, firmware-level malware has a strategic importance: attackers can make sure their code runs first and is difficult to detect, and can remain hidden for very long periods of time, until the system's firmware or hard drive are replaced.

For its annual State of the Octoverse report, GitHub has analyzed over 45,000 active code directories to provide insight into open source security and developers' practices regarding vulnerability reporting, alerting and remediation. The Microsoft subsidiary found that security vulnerabilities often go undetected for more than four years before being disclosed.

Container security company Prevasio has analyzed 4 million public Docker container images hosted on Docker Hub and found that over half of them had critical vulnerabilities and thousands of images included malicious or potentially harmful elements. The cybersecurity firm used its Prevasio Analyzer service to analyze all the container images on Docker Hub, the largest library and community for container images.

The WebKit browser engine is affected by several vulnerabilities, including ones that can be exploited for remote code execution by convincing the targeted user to visit a malicious website. Cisco's Talos threat intelligence and research group revealed on Monday that one of its researchers identified several high-severity use-after-free vulnerabilities that can be exploited for remote code execution by getting the targeted user to access a specially crafted web page with a browser that uses WebKit.