Security News
Siemens' LOGO! programmable logic controllers are affected by critical vulnerabilities that can be exploited remotely to launch denial-of-service attacks and modify the device's configuration. According to Siemens, the vulnerabilities impact all versions of its LOGO!8 BM devices, which are designed for basic control tasks.
Chinese tech giant Tencent announced this week that it's prepared to offer rewards of up to $140,000 for critical vulnerabilities found in its TencentOS tiny and TencentOS Server operating systems. Tencent informed white hat hackers in mid-April that it teamed up with HackerOne for a bug bounty program with rewards of up to $15,000.
Microsoft today released its June 2020 batch of software security updates, patching a total of 129 newly disclosed vulnerabilities across various versions of the Windows operating system and related products. The 129 bugs in the June 2020 batch include 11 rated critical, all of which lead to remote code execution, and 118 rated important, most of which enable privilege escalation or spoofing.
"Microsoft's latest fixes in its June Patch Tuesday update show that when it comes to vulnerabilities, what's old is new again. The same vulnerabilities we've seen appear in Adobe Flash over the past few years, along with common cross-site-scripting issues, were addressed this month. As witnessed within Microsoft Office SharePoint, there were multiple XSS vulnerabilities identified in the same product; this could be the result of a researcher who found one flaw and decided to continue digging, or Microsoft itself going through similar flows of code to try to fix them all."

"This month starts with CVE-2020-1281, a remote code execution vulnerability in Microsoft's Object Linking & Embedding. This vulnerability impacts Windows 7 through 10 and Windows Server 2008 through 2019. The vulnerability exists in the way OLE validates user input. An attacker who sent a specially crafted file or program, or convinced a victim to download one, could execute malicious code on the victim's machine. Microsoft assigned this vulnerability a CVSS score of 7.8; a similar vulnerability, CVE-2017-0199, has been widely exploited, including by the Lazarus group and APT 34."
IBM recently patched three vulnerabilities in its WebSphere Application Server product. Two of the flaws are rated critical and can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges, while the third is rated high severity and can lead to information disclosure.
The number of Common Vulnerabilities and Exposures (CVEs) in open source software (OSS) more than doubled, from 421 in 2018 to 968 in 2019, according to a RiskSense report. The study also found that OSS vulnerabilities take a long time to be added to the National Vulnerability Database (NVD): on average, 54 days pass between public disclosure and inclusion in the NVD. Organizations that rely on the NVD as their only source of vulnerability intelligence can therefore remain exposed to serious application security risks for almost two months after a flaw is publicly known.
Nearly 1,000 vulnerabilities were found in popular open source projects in 2019, more than double compared to the previous year, according to a report published on Monday by risk management company RiskSense. RiskSense has analyzed 54 open source projects in which nearly 2,700 vulnerabilities were reported between 2015 and March 2020.
Security flaws in open source software have increased and can take a long time to be added to the National Vulnerability Database, says RiskSense. A report released Monday by vulnerability management firm RiskSense describes the impact of security vulnerabilities on OSS. For its report "The Dark Reality of Open Source," RiskSense found that the total number of CVEs in OSS is on the rise, more than doubling to 968 in 2019 from 421 in 2018 and 435 in 2017.
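The operational consequence of the NVD lag described in the RiskSense items above is that a team which only consumes the NVD is blind to a disclosed flaw until the entry appears. The following added example (not part of the original page or of the RiskSense report) shows the check a vulnerability-management engineer would run: join the dates from the vendor or project advisory against the NVD publication dates, compute the per-CVE lag, and flag CVEs that are public but still absent from the NVD. All CVE identifiers and dates in the sample data are constructed for illustration and are not real entries.

```python
from datetime import date

# Constructed sample data (hypothetical CVE ids and dates, not taken from the
# RiskSense report or from any real advisory): when each flaw was publicly
# disclosed by the vendor/project, and when the NVD published an entry for it.
VENDOR_ADVISORIES = {
    "CVE-2020-0001": date(2020, 1, 6),
    "CVE-2020-0002": date(2020, 2, 3),
    "CVE-2020-0003": date(2020, 3, 2),
    "CVE-2020-0004": date(2020, 3, 20),
}
NVD_PUBLISHED = {
    "CVE-2020-0001": date(2020, 2, 29),  # 54 days after disclosure
    "CVE-2020-0002": date(2020, 2, 10),  # 7 days after disclosure
    "CVE-2020-0003": date(2020, 5, 1),   # 60 days after disclosure
    # CVE-2020-0004 has no NVD entry yet: an open exposure window
}


def nvd_lag_report(advisories, nvd, today):
    """Join advisory dates against NVD publication dates.

    Returns (lags, pending):
      lags    maps CVE id -> days between public disclosure and NVD publication
      pending maps CVE id -> days the flaw has been public without an NVD entry
    """
    lags, pending = {}, {}
    for cve, disclosed in advisories.items():
        published = nvd.get(cve)
        if published is None:
            pending[cve] = (today - disclosed).days
        else:
            lags[cve] = (published - disclosed).days
    return lags, pending


def mean_lag_days(lags):
    """Average disclosure-to-NVD lag in days (0.0 when nothing has been published)."""
    return sum(lags.values()) / len(lags) if lags else 0.0


def blind_window(advisories, nvd, today, min_days=0):
    """CVE ids that are publicly disclosed but missing from the NVD for at least
    min_days: these are the flaws an NVD-only process would not yet know about."""
    _, pending = nvd_lag_report(advisories, nvd, today)
    return sorted(cve for cve, days in pending.items() if days >= min_days)


if __name__ == "__main__":
    today = date(2020, 4, 15)  # constructed "as of" date for the report
    lags, pending = nvd_lag_report(VENDOR_ADVISORIES, NVD_PUBLISHED, today)
    print("mean lag (days):", round(mean_lag_days(lags), 1))
    for cve in blind_window(VENDOR_ADVISORIES, NVD_PUBLISHED, today):
        print(f"{cve}: public for {pending[cve]} days, not yet in NVD")
```

In practice the advisory side of the join comes from the projects you actually depend on (release notes, GitHub security advisories, vendor PSIRT feeds) so that exposure is measured from first public disclosure rather than from whenever the NVD catches up.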
Cisco this week announced that it has patched tens of vulnerabilities in its IOS software, including a dozen security flaws that affect the company's industrial routers and switches.
Members of Cisco's Talos threat intelligence and research group have identified two vulnerabilities in the Zoom client application that can allow a remote attacker to write files to the targeted user's system and possibly achieve arbitrary code execution. CVE-2020-6109 is related to the way Zoom processes GIF image files.