Security News
SAP this week released its latest set of security patches, which brings a total of 23 Security Notes, including five that address Hot News vulnerabilities. Another Hot News Security Note released as part of the April 2020 SAP Security Patch Day addresses a directory traversal vulnerability in SAP NetWeaver.
For the April 2020 Patch Tuesday, Adobe plugs 5 flaws and Microsoft 113, three of which are currently being exploited by attackers. One of the patches fixes CVE-2020-0968, an RCE in Internet Explorer 11 and 9, which Microsoft initially flagged as being exploited in the wild.
Microsoft's Update Tuesday patches for April 2020 address 113 vulnerabilities, including three Windows flaws that have been exploited in attacks for arbitrary code execution and privilege escalation. Microsoft has patched two actively exploited remote code execution vulnerabilities related to the Adobe Type Manager Library.
Most of the low-severity bugs were insufficient policy enforcements too, complemented by several inappropriate implementations, uninitialized use in WebRTC, and use-after-free in V8. Google says it paid over $26,000 in bug bounty rewards to the reporting security researchers, but the company has yet to disclose the exact amount it awarded for all of the externally reported vulnerabilities. Mozilla, which revisited the previous decision to disable TLS 1.0 and 1.1 in its browser, this week pushed Firefox 75 to the stable channel, packing it with six security patches for the desktop, and two patches targeting vulnerabilities specific to the Android platform.
Several vulnerabilities found by researchers in B&R Automation's Automation Studio software make it easier for malicious actors to launch attacks inside operational technology networks. "The combination of these two vulnerabilities gives an attacker with access to the victim network the ability to conduct an MITM attack and intervene in the software update process," Preminger explained.
The number of identified zero-day vulnerabilities being exploited increased in 2019, revealing broadened access to these security flaws, according to security firm FireEye. FireEye research found that more zero-days were exploited last year than in any of the previous three years, while also observing that more tracked actors have gained access to such capabilities.
Google this week released the April 2020 set of security patches for the Android operating system to address over 50 vulnerabilities, including four critical issues in the System component. "The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google notes in an advisory.
In the U.S. and global communities, election security is a large concern.
VMDR continuously assesses these assets for the latest vulnerabilities and applies the latest threat intel analysis to prioritize actively exploitable vulnerabilities. The reason is, if you look at the statistics over the last 10 years, you would see that the total number of vulnerabilities which get discovered in a year, maybe let's say 15,000 to 16,000 of vulnerabilities that are getting discovered, out of those vulnerabilities, only a handful, like 1000 vulnerabilities get exploited.
Mozilla has released critical security updates for Firefox and Firefox ESR on Friday, patching two vulnerabilities that are being actively exploited by attackers. Update ASAP. Home users and enterprise admins are advised to implement the provided updates as soon as possible.