Security News
New vulnerabilities in open source packages were down 20% compared to last year, suggesting that the security of open source packages and containers is heading in a positive direction, according to Snyk. Across the six popular ecosystems the report examined, there were fewer new vulnerabilities reported in 2019 than in 2018, a promising finding, but there are still significant improvements to strive for: slightly less than two thirds of vulnerabilities still take more than 20 days to remediate.
VMware informed customers on Tuesday that it addressed a total of 10 vulnerabilities affecting its ESXi, Workstation and Fusion products, including critical and high-severity flaws that can be exploited for code execution on the hypervisor. An attacker with local access to a virtual machine that has 3D graphics enabled can exploit the weakness to achieve arbitrary code execution on the hypervisor from inside the VM. VMware has pointed out that 3D graphics are enabled by default on Workstation and Fusion, but not on ESXi.
This has made it nearly impossible to remediate every vulnerability, making the ability to properly prioritize remediation all the more critical, according to WhiteSource and CYR3CON. This research examines the most common methods software development teams use to prioritize software vulnerabilities for remediation, and compares those practices to data gathered from the discussions of hacker communities, including the dark web and deep web. Key research findings: software development teams tend to prioritize based on available data such as vulnerability severity score, ease of remediation, and publication date, but hackers don't target vulnerabilities based on these parameters.
Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities disclosed earlier this year at the Pwn2Own Miami hacking competition, which focused on industrial control systems. White hat hackers earned a total of $280,000 for the exploits they demonstrated at the Zero Day Initiative's Pwn2Own contest in January, including $80,000 for vulnerabilities found in ICONICS's Genesis64 HMI/SCADA product.
Drupal's security team has fixed three vulnerabilities in the popular content management system's core, one of which could be exploited to achieve remote code execution. Drupal is a free and open-source web content management system, and over a million sites run on various versions of it.
Cisco announced this week that it has added new security features to Webex and that it has also patched several high-severity vulnerabilities in the conferencing product. At its Cisco Live 2020 event, the networking giant informed customers that it has extended its data loss prevention retention, Legal Hold and eDiscovery features to Webex Meetings.
Two vulnerabilities patched recently by Oracle in its E-Business Suite solution can be exploited by hackers for various purposes, including to tamper with an organization's financial records. Researchers at Onapsis, a company that specializes in protecting business-critical applications, last year discovered several vulnerabilities in Oracle EBS. Some of the flaws were patched by the vendor in April 2019, but two of them, which Onapsis has dubbed "BigDebIT," were only fixed with the critical patch update released by Oracle in January 2020.
HackerOne announced the expansion of its penetration testing solution in Europe. This latest product from HackerOne complements its existing offerings dedicated to helping organizations find and fix vulnerabilities before they can be exploited.
High-impact vulnerabilities in a modern communication protocol used by mobile network operators can be exploited to intercept user data and carry out impersonation, fraud, and denial-of-service attacks, newly published research cautions. The findings are part of a new Vulnerabilities in LTE and 5G Networks 2020 report published by London-based cybersecurity firm Positive Technologies last week.
Vulnerabilities in the GPRS Tunnelling Protocol expose 4G and 5G cellular networks to a variety of attacks, including denial-of-service, user impersonation, and fraud, Positive Technologies security researchers warn. Some of the attacks may be performed with nothing more than a mobile phone, and all of the tested networks were found to be vulnerable to DoS, impersonation, and fraud, the researchers say.