Security News

Videolabs Patches Code Execution, DoS Vulnerabilities in libmicrodns Library
2020-03-25 05:46

Vulnerabilities that Videolabs recently addressed in its libmicrodns library could lead to denial of service and arbitrary code execution, Cisco Talos' security researchers warn. The libmicrodns mDNS resolver cross-platform library is used in the VLC media player for mDNS service discovery.

Zero-Day Vulnerabilities in LILIN DVRs Exploited by Several Botnets
2020-03-23 12:56

Cybercrime groups have been exploiting vulnerabilities in digital video recorders made by Taiwan-based surveillance solutions provider LILIN to increase the size of their botnets. The vendor released firmware updates that should patch the exploited flaws on February 14, but the vulnerabilities had a zero-day status until this date.

Cisco fixes root privilege, command injection vulnerabilities in Cisco SD-WAN solution
2020-03-20 10:27

Cisco has fixed five security vulnerabilities in its Software-Defined WAN Solution, two of which could allow an authenticated, local attacker to either gain root privileges on the underlying operating system or to inject arbitrary commands that are executed with root privileges. While there is no indication that these flaws are being actively exploited, no workarounds addressing the vulnerabilities exist so upgrading to the Cisco SD-WAN Solution software release 19.2.2.

What do you not want right now? A bunch of Cisco SD-WAN, Webex vulnerabilities? Here are a bunch of them
2020-03-19 21:30

Cisco has issued a series of security updates for its SD-WAN and Webex software, just when they're most needed. The five CVE-listed bugs are down to what Cisco calls "Insufficient input validation," and the avenues to exploit them range from SQL to HTTP requests.

Drupal Updates CKEditor to Patch XSS Vulnerabilities
2020-03-19 19:21

The developers of the Drupal content management system announced on Wednesday that updates for versions 8.8.x and 8.7.x address a couple of vulnerabilities affecting the CKEditor library. Drupal uses CKEditor and it has decided to update it to version 4.14, which patches two cross-site scripting vulnerabilities affecting earlier versions of the library.

Cisco Patches Several Vulnerabilities in SD-WAN Solution
2020-03-18 18:08

Cisco on Wednesday announced that it has patched a total of five vulnerabilities in its SD-WAN solution, including three that have been assigned a "High severity" rating. The high-severity vulnerabilities - all of them reported to Cisco by Orange Group - are caused by insufficient input validation.

Trend Micro Patches Two Vulnerabilities Exploited in the Wild
2020-03-18 05:08

Trend Micro has patched several serious vulnerabilities in its Worry-Free Business Security, Apex One and OfficeScan products, including a couple of flaws that have been exploited in the wild. The exploited vulnerabilities were identified by Trend Micro's own researchers, but no information has been released about the attacks.

WordPress and Apache Struts weaponized vulnerabilities on the rise
2020-03-17 05:30

Among the report's key findings, total framework vulnerabilities in 2019 went down but the weaponization rate went up, WordPress and Apache Struts had the most weaponized vulnerabilities, and input validation surpassed cross-site scripting as the most weaponized weakness in the frameworks examined. "Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance, or inherent security of applications," said Srinivas Mukkamala, CEO of RiskSense.

Number of open source vulnerabilities surged in 2019
2020-03-13 10:45

The number of disclosed open source software vulnerabilities in 2019 reached over 6,000, up from just over 4,000 in 2018, a new WhiteSource report says. "This can be attributed to the rise in awareness to open source security following the widespread adoption of open source components and the massive growth of the open source community over the past few years, along with the media attention directed at recent data breaches," the company noted.

Open-source bug bonanza: Vulnerabilities up almost 50 per cent thanks to people actually looking for them
2020-03-13 07:05

The number of vulnerabilities in open source projects surged almost 50 per cent in 2019, according to security biz WhiteSource, which can be seen as good news in the sense that you don't find what you're not looking for. "The problem with open source vulnerabilities is that, like everything in the open source community, once something is reported all the information is public and every beginner hacker can learn the vulnerability and its exploitation and then execute it on a large number of applications."