Security News

Adobe-owned Magento has plugged multiple critical vulnerabilities in its eponymous content management system, the most severe of which could be exploited by attackers to achieve arbitrary code execution. According to the newest Magento-themed security bulletin, three of the six fixed flaws are critical and three are important.

Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical. Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.

Apple this week released software updates to address tens of security flaws in iOS, iPadOS, macOS Catalina, and other products. A total of 23 vulnerabilities were addressed in iOS 13.3.1 and iPadOS 13.3.1, now rolling out for iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch 7th generation.

The U.S. National Security Agency has published advice on mitigating cloud vulnerabilities. The document provides four basic sections: an overview of the basic components usually delivered by cloud service providers; an explanation of the concept of shared responsibility; an analysis of the primary cloud threat actors; and an analysis and description of the main cloud vulnerabilities and their mitigations.

Federal regulators are warning healthcare providers about six vulnerabilities in some of GE Healthcare's medical device systems that could allow attackers to remotely take control of the gear. The GE Healthcare product vulnerabilities are the latest example of the medical device cybersecurity challenges the healthcare sector faces.

Researchers have discovered six critical and high-risk vulnerabilities - collectively dubbed MDhex - affecting a number of patient monitoring devices manufactured by GE Healthcare. The flaws may, according to GE Healthcare, allow an attacker to make changes at the device's OS level that may render the device unusable or interfere with its function, make changes to alarm settings on connected patient monitors, and utilize services used for remote viewing and control of multiple devices on the network to access the clinical user interface and make changes to device settings and alarm limits, which could lead to missed, unnecessary, or silenced alarms.

Several potentially serious vulnerabilities have been found in patient monitoring products made by GE Healthcare, the DHS's Cybersecurity and Infrastructure Security Agency and healthcare cybersecurity firm CyberMDX revealed on Thursday. GE Healthcare has also inadvertently exposed SSH private keys, making it possible for hackers to remotely connect to devices and execute malicious code.

Some of Honeywell's MAXPRO video surveillance systems are affected by serious vulnerabilities that can be exploited by hackers to take complete control of the system, a researcher has discovered. Researcher Joachim Kerschbaumer told SecurityWeek that he reported his findings to Honeywell in September 2019 and the vendor released patches after roughly 2 months, which he says is a fast response time compared to other physical security systems manufacturers he has contacted to report flaws.

Security vulnerabilities in some AMD ATI Radeon graphics cards could allow attackers to remotely execute code or cause a denial of service condition, researchers from Cisco Talos have warned. A total of four security flaws were disclosed, all of them impacting the AMD ATIDXX64.

A total of 146 valid vulnerabilities were reported as part of the second Hack the Army bug bounty program, and more than $275,000 were paid in rewards. The second Army bug bounty program saw participation from 52 hackers from the U.S., Canada, Romania, Portugal, the Netherlands, and Germany.