Security News

To mark the occasion, Microsoft has released fixes for 99 vulnerabilities - 12 critical, one of which is being exploited in the wild - and Adobe 42, most of which are critical and none actively exploited. Microsoft fixed nearly 100 vulnerabilities this Tuesday, interspersed through a number of products: Windows, Edge, IE, SQL Server, Exchange Server, Office, and more.

Microsoft disclosed the existence of the Internet Explorer zero-day on January 17, when it promised to release patches and provided a workaround. Microsoft has credited Google's Threat Analysis Group and Chinese cybersecurity firm Qihoo 360 for reporting the vulnerability.

Adobe's February 2020 Patch Tuesday updates fix a total of 42 vulnerabilities across the company's Framemaker, Acrobat and Reader, Flash Player, Digital Editions and Experience Manager products. While the vulnerabilities have been classified as critical, Adobe believes they are unlikely to be exploited in attacks any time soon.

Which ten software vulnerabilities should you patch as soon as possible? Recorded Future researchers have analyzed code repositories, underground forum postings, dark web sites, closed source reports and data sets comprising of submissions to popular malware repositories to compile a list of the ten most exploited vulnerabilities by cybercriminals in 2019.

If you have Cisco equipment in your enterprise network - and chances are good that you have - you should check immediately which feature the newly revealed CDPwn vulnerabilities in Cisco' proprietary device discovery protocol and implement patches as soon as possible. "Different models of devices that run Cisco FXOS Software, Cisco IP Camera Firmware, Cisco IP Phone Firmware, Cisco NX-OS Software, Cisco IOS-XR, and Cisco UCS Fabric Interconnects are affected by one or more of these vulnerabilities," a Cisco spokesman told Help Net Security.

Google this week released the February 2020 set of security updates for the Android operating system, which address a total of 25 vulnerabilities, including 2 rated critical severity. Tracked as CVE-2020-0022, the first of these bugs is a remote code execution vulnerability that is considered critical only on Android 8.0, 8.1, and 9 devices.

Vulnerabilities recently patched in Mini-SNMPD could be abused for denial-of-service attacks or to obtain sensitive information, Cisco Talos' security researchers report. It works on both x86 and ARM platforms running Ubuntu, Alpine Linux, and FreeBSD. Talos' researchers discovered a total of three vulnerabilities in Mini-SNMPD, including two out-of-bounds read bugs and one stack overflow.

An update announced last week by Trend Micro for its Anti-Threat Toolkit addresses some additional attack methods related to a vulnerability initially patched in October 2019. Researcher Stefan Kanthak has also analyzed the vulnerability and discovered that Trend Micro has failed to patch it completely.

A researcher has discovered more than 60 vulnerabilities across 20 physical security products, including critical flaws that can be exploited remotely to take complete control of a device. The DHS's Cybersecurity and Infrastructure Security Agency recently published an advisory to warn users of Honeywell's MAXPRO video management system and network video recorder products that Austria-based researcher Joachim Kerschbaumer had identified two serious vulnerabilities that could allow hackers to take control of affected systems.

Microsoft on Thursday announced the launch of an Xbox bug bounty program with rewards of up to $20,000 for critical remote code execution vulnerabilities. The company is hoping to receive reports describing XSS, CSRF, IDOR, insecure deserialization, injection, server-side code execution, security misconfigurations, and the use of components with known vulnerabilities.