Security News
Adobe on Tuesday announced that the latest updates for its Bridge and Illustrator products patch 22 vulnerabilities, including many that have been rated critical. A total of 17 vulnerabilities have been fixed with the release of Adobe Bridge 10.0.4 for Windows and macOS. The critical flaws have been described as stack-based buffer overflow, heap overflow, out-of-bounds write, use-after-free, and other memory corruption issues that can lead to arbitrary code execution.
Apple has confirmed that its Mail application for iOS is affected by some vulnerabilities, but the tech giant has downplayed their impact and disputed claims that the flaws have been exploited in attacks. Cybersecurity automation company ZecOps reported on Wednesday that it had identified two critical zero-day vulnerabilities in the Mail app for iOS. The flaws, which the company says have existed since the release of iOS 6 in 2012, can be exploited to execute arbitrary code in the context of the application by sending a specially crafted email to the targeted user.
Mozilla on Thursday announced some changes to its Firefox bug bounty program, including bigger rewards and its decision to accept duplicate reports in some cases. The organization has been running a bug bounty program since 2004, and between 2017 and 2019 it paid out nearly $1 million for roughly 350 vulnerabilities.
The Mail application in iOS is affected by two critical zero-day vulnerabilities that appear to have been exploited in targeted attacks since at least January 2018, cybersecurity automation company ZecOps reported on Wednesday. The vulnerabilities, described as out-of-bounds write and heap overflow issues, affect the MobileMail application on iOS 12 and maild on iOS 13, and they can be exploited by sending specially crafted emails to the targeted user.
Microsoft issued an out-of-band advisory this week to address Autodesk FBX vulnerabilities in Office, Office 365, and Paint 3D. Multiple bugs that were addressed in the Autodesk FBX software development kit earlier this month could lead to code execution and denial of service conditions. Versions 2020.0 and earlier of the SDK could be impacted by "Buffer overflow, type confusion, use-after-free, integer overflow, NULL pointer dereference, and heap overflow vulnerabilities," Autodesk explains.
A week after the April 2020 Patch Tuesday, Microsoft has released out-of-band security updates for its Office suite, to fix a handful of vulnerabilities that attackers could exploit to achieve remote code execution. At the same time, a security update has also been released for Paint 3D, the company's free app for creating 3D models, because the source of the fixed vulnerabilities is something that both Office and Paint 3D have in common: the Autodesk FBX library.
With the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks. "We found that security vulnerabilities in IoT devices are a prevalent issue. Our research also proves that flaws in settings, missing encryption or authentication are not exclusive to low-end cheap devices but are often present in high-end hardware too," says ESET Security and Awareness specialist Ondrej Kubovič.
GitHub has released technical information on six vulnerabilities identified by one of its security researchers in the WebAudio component of Chrome. The researcher started looking for Chrome vulnerabilities while he was working for Semmle, which GitHub acquired last year for its code analysis platform.
The Pentagon's latest bug bounty challenge, Hack the Air Force 4.0, has resulted in the discovery of over 400 vulnerabilities and rewards totaling more than $290,000. As part of the fourth Hack the Air Force program, which ran between October 23 and November 20, 2019, participants were invited to find vulnerabilities in a pool of cloud servers and systems called the Air Force Virtual Data Center.
Among the vulnerabilities fixed are critical flaws affecting a variety of Cisco IP phones and Cisco UCS Director and Cisco UCS Director Express for Big Data, its unified infrastructure management solutions for data center operations. Jacob Baines, a research engineer with Tenable, unearthed two critical flaws affecting the Cisco Wireless IP Phone 8821.