Security News

Microsoft this week published a reminder for organizations that a February 9 security update will kick off the second phase of patching for the Zerologon vulnerability. Tracked as CVE-2020-1472 and addressed on August 2020 Patch Tuesday, the critical vulnerability was identified in the Microsoft Windows Netlogon Remote Protocol and can be abused to compromise Active Directory domain controllers and gain admin access.

An undisclosed Cross-Site Scripting vulnerability in Apache Velocity Tools can be exploited by unauthenticated attackers to target government sites, including NASA and NOAA. Although 90 days have elapsed since the vulnerability was reported and patched, BleepingComputer is not aware of a formal disclosure made by the project. Govt sites using Apache Velocity Tools vulnerable to XSS. Apache Velocity Tools has an undisclosed XSS vulnerability, which impacts all its versions despite a fix having been published on GitHub months ago.

A vulnerability discovered by a researcher in a BIG-IP product from F5 Networks can be exploited to launch remote denial-of-service attacks. The security flaw was discovered by Nikita Abramov, a researcher at cybersecurity solutions provider Positive Technologies, and it impacts certain versions of BIG-IP Access Policy Manager, a secure access solution that simplifies and centralizes access to applications, APIs and data.

Online surveys and form building software as a service Typeform has patched an information hijacking vulnerability. The flaw which existed in Typeform's Zendesk Sell app integration could let attackers quietly redirect form submissions with potentially sensitive data to themselves.

We'll guide you through the process of using Homebrew package manager to install security tools on macOS to assess vulnerabilities and the security posture of the devices on your network. Some tools may be used to obtain vulnerability information from generic devices, while other tools are suited only to identify specific vulnerabilities related to certain types of applications and services, such as web servers, for example.

A free micropatch fixing a local privilege escalation vulnerability in Microsoft's Windows PsExec management tool is now available through the 0patch platform. This PsExec zero-day is caused by a named pipe hijacking vulnerability which allows attackers to trick PsExec into re-opening a maliciously created named pipe and giving it Local System permissions.

Security researchers have observed the first attempts to compromise Zyxel devices using a recently disclosed vulnerability related to the existence of hardcoded credentials. The attacks, currently small in numbers, target CVE-2020-29583, a vulnerability affecting several Zyxel firewalls and WLAN controllers that was publicly disclosed at the end of December.

An untrusted deserialization vulnerability has been disclosed this week in how Zend Framework can be exploited by attackers to achieve remote code execution on vulnerable PHP sites. "Zend Framework 3.0.0 has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the destruct method of the ZendHttpResponseStream class in Stream.php," states MITRE's advisory for CVE-2021-3007.

Enterprises will take baby steps towards left-shifting their vulnerability remediation programs. As we move into 2021, the good news is we'll learn a lot about left shifting vulnerability remediation programs.

Google Project Zero has disclosed a Windows zero-day vulnerability caused by the improper fix for CVE-2020-0986, a security flaw abused in a campaign dubbed Operation PowerFall. Tracked as CVE-2020-17008, the new vulnerability was reported to Microsoft on September 24.