Security News

Microsoft's May 2020 Security Updates Patch 111 Vulnerabilities
2020-05-13 03:42

Microsoft's May 2020 security updates patch 111 vulnerabilities, including 16 rated critical, but none of them has been exploited in attacks or disclosed before fixes were released. "For the past three months, Microsoft has been issuing very large Patch Tuesday releases, with March fixing 115 vulnerabilities, April with 113, and now May with 111. This shows their commitment to resolving vulnerabilities in their software, and their continued engagement with the security community."

Adobe Patches 36 Vulnerabilities in Acrobat, DNG SDK
2020-05-12 18:56

Adobe has patched a total of 36 vulnerabilities in its Acrobat and Reader products and the DNG software development kit. Several researchers have been credited by Adobe for reporting the Acrobat and Reader vulnerabilities.

Vulnerabilities in 'Page Builder' Plugin Expose 1 Million WordPress Websites
2020-05-12 16:01

Two high-severity vulnerabilities addressed recently in SiteOrigin's Page Builder WordPress plugin could allow an attacker to execute code in a website administrator's browser. A page creation plugin, Page Builder by SiteOrigin helps users create column-based content that can adapt to mobile devices, and also provides them with support for the most common widgets.

VMware to Patch Recent Salt Vulnerabilities in vROps
2020-05-11 14:25

VMware is working on patches for its vRealize Operations Manager product to fix two recently disclosed Salt vulnerabilities that have already been exploited to hack organizations. Researchers discovered recently that the configuration management and orchestration system Salt is affected by serious vulnerabilities that can be exploited for authentication bypass and directory traversal.

Week in review: Password psychology, SaltStack Salt vulnerabilities exploited, Patch Tuesday forecast
2020-05-10 07:10

SaltStack Salt vulnerabilities actively exploited by attackers, patch ASAP! Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns. The US Department of Homeland Security and the UK National Cyber Security Centre issued a joint advisory in early April, warning about this increasing activity.

Elementor Plugin Vulnerabilities Exploited to Hack WordPress Sites
2020-05-08 11:49

Threat actors are actively targeting a vulnerability in the Elementor Pro plugin for WordPress to compromise websites, WordPress security company Defiant warned this week. With an estimated install base of over 1 million websites, Elementor Pro is the paid version of the free Elementor plugin, a drag and drop page builder.

GitHub Code Scanning aims to prevent vulnerabilities in open source software
2020-05-08 07:48

GitHub has made available two new security features for open and private repositories: code scanning and secret scanning. The code scanning feature, available for setup in every GitHub repository, is powered by CodeQL, a semantic code analysis engine that GitHub made available last year.

Cisco Patches High Severity Vulnerabilities in Security Products
2020-05-07 18:56

Cisco this week released security updates to address more than 30 vulnerabilities in various products, including 12 high severity flaws impacting Adaptive Security Appliance and Firepower Threat Defense. The most important of these issues is tracked as CVE-2020-3187 and could be exploited to conduct directory traversal attacks and then read or delete sensitive files on a vulnerable system.

Web and network perimeter vulnerabilities slightly lower than 2019
2020-05-07 17:01

Even with a 30% decline, web applications are still at risk and new scan targets have more vulnerabilities than others, according to a new Acunetix report. While applications protected by web vulnerability scanning are becoming more secure, "relatively new targets have more vulnerabilities," according to the 2020 Acunetix Web Vulnerability Report.

Search Company Algolia Hacked via Recent Salt Vulnerabilities
2020-05-07 15:39

A couple of Salt vulnerabilities addressed last week were abused over the weekend to hack Algolia's infrastructure, the search-as-a-service startup revealed. An open-source configuration tool designed for monitoring and updating the state of servers deployed in datacenters and in the cloud, Salt was recently found to be impacted by two issues that could allow attackers to execute arbitrary commands.