Security News
Tenable announced new Tenable Lumin innovations that empower customers to align business objectives with cybersecurity initiatives. The latest enhancements to the Cyber Exposure Management Platform enable organizations to predict which vulnerabilities pose the greatest business risk and act with confidence to effectively reduce risk across their modern, distributed environments.
A new Mirai-based botnet, named Ttint, is targeting zero-day vulnerabilities in Tenda routers, according to researchers at 360 Netlab, a unit of Chinese cybersecurity company Qihoo 360. To evade detection of the typical traffic generated by Mirai botnets, Ttint uses the WebSocket over TLS (WSS) protocol to communicate with its command and control server, and also uses encryption.
HP has expanded its Bug Bounty Program to focus specifically on office-class print cartridge security vulnerabilities. As part of this program, HP has engaged with Bugcrowd to conduct a three-month program in which four professional white hat hackers have been challenged to identify vulnerabilities in HP Original print cartridges.
HP announced on Thursday that it has expanded its bug bounty program, inviting several white hat hackers to find vulnerabilities in its office-class ink and toner cartridges. The program is private and only four researchers have been invited to find vulnerabilities in original HP cartridges.
A Chrome 85 update released by Google this week patches several high-severity vulnerabilities, including ones that can be exploited to hack users by convincing them to install malicious extensions. Erceg told SecurityWeek that the vulnerabilities he discovered all target a specific API made available to extensions. He has not named the impacted API because Google has not mentioned it in its release notes either.
Apple on Thursday informed customers that it patched a total of four vulnerabilities across macOS Catalina, High Sierra and Mojave. Apple says exploitation of the flaw, which involves the processing of a malicious USD file, could lead to arbitrary code execution or a DoS condition.
Cisco on Thursday informed customers that it has patched 34 high-severity vulnerabilities affecting its IOS and IOS XE software, including many that can be exploited remotely without authentication. The company has released a total of 25 advisories as part of the September 2020 semiannual IOS and IOS XE Software Security Advisory Bundled Publication.
Apple has patched nearly a dozen vulnerabilities and it has introduced new privacy features with the release of iOS 14 and iPadOS 14 this week. The issues could result in applications causing a system crash or writing kernel memory, identifying other installed applications, leaking user information, or accessing restricted files; may allow attackers to download malicious content, execute arbitrary code, or view notification contents from the lockscreen; may lead to arbitrary code execution or a cross-site scripting attack; may allow a user to read kernel memory; or could result in the screen lock not engaging after the specified time period.
Several information disclosure and cross-site scripting vulnerabilities, including one rated critical, have been patched this week in the Drupal content management system. The most serious of the flaws is CVE-2020-13668, a critical XSS issue affecting Drupal 8 and 9.
Researchers have disclosed the details of several potentially serious vulnerabilities affecting MobileIron's mobile device management solutions, including a flaw that can be exploited by an unauthenticated attacker for remote code execution on affected servers. The vulnerabilities were identified by researchers at security consulting firm DEVCORE and they were reported to MobileIron in early April.