Security News

High-Severity RCE Vulnerability Reported in Popular Fastjson Library
2022-06-16 06:39

Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. "This vulnerability affects all Java applications that rely on Fastjson versions 1.2.80 or earlier and that pass user-controlled data to either the JSON.parse or JSON.parseObject APIs without specifying a specific class to deserialize," JFrog's Uriya Yavnieli said in a write-up.
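The quoted condition (untrusted input into an untyped `JSON.parse`/`JSON.parseObject` call) is the pattern to look for in code review. The snippet below is an added illustration, not code from the article or from the Fastjson project: the `Order` class and the sample payloads are assumed. It contrasts the untyped call with a typed parse and turns on Fastjson's `safeMode` switch (available since 1.2.68), which disables AutoType resolution of `@type` keys entirely; typed parsing alone is not a complete fix for a library version of 1.2.80 or earlier, so upgrade as well.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonParseHardening {

    // Assumed application type for the example; not taken from the article.
    public static final class Order {
        public String id;
        public int quantity;
    }

    // The pattern the article describes: attacker-controlled text parsed with no
    // target class. With AutoType reachable, an "@type" key in the payload
    // decides which class Fastjson instantiates.
    static Object untypedParse(String untrustedJson) {
        return JSON.parse(untrustedJson);
    }

    // Bind to a concrete class instead, so the caller, not the payload, fixes
    // the type. Combine with safeMode below; on its own this is not sufficient.
    static Order typedParse(String untrustedJson) {
        return JSON.parseObject(untrustedJson, Order.class);
    }

    public static void main(String[] args) {
        // Global kill switch for AutoType. Equivalent to the JVM flag
        // -Dfastjson.parser.safeMode=true. Any "@type" in input is rejected
        // instead of being resolved to a class.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Constructed benign input.
        Order o = typedParse("{\"id\":\"A-1\",\"quantity\":2}");
        System.out.println("parsed order " + o.id + " x" + o.quantity);

        // Constructed input carrying a type hint. Under safeMode Fastjson throws
        // a JSONException ("safeMode not support autoType") rather than loading
        // the named class, for both the typed and the untyped call.
        String withTypeHint = "{\"@type\":\"java.lang.Object\",\"id\":\"A-2\"}";
        try {
            untypedParse(withTypeHint);
            System.out.println("UNEXPECTED: @type accepted, safeMode not in effect");
        } catch (JSONException e) {
            System.out.println("rejected type hint: " + e.getMessage());
        }
    }
}
```

Audit for every `JSON.parse(...)` and single-argument `JSON.parseObject(...)` on request data; each one is a candidate for the condition JFrog describes.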

Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning
2022-06-16 04:06

Generally, when it comes to identifying and fixing vulnerabilities on your internal network, there are two competing approaches: network-based internal vulnerability scanning and agent-based internal vulnerability scanning. Network-based scanning is the more traditional approach: scans are run from a dedicated host, usually called a scanning 'appliance', that sits inside your infrastructure and probes other systems over the network.

New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials
2022-06-15 20:13

A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal users' cleartext passwords without any user interaction. "With the consequent access to the victims' mailboxes, attackers can potentially escalate their access to targeted organizations and gain access to various internal services and steal highly sensitive information," SonarSource said in a report shared with The Hacker News.

Technical Details Released for 'SynLapse' RCE Vulnerability Reported in Microsoft Azure
2022-06-15 20:13

Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines. The high-severity issue, tracked as CVE-2022-29972 and disclosed early last month, could have allowed an attacker to perform remote command execution and gain access to another Azure client's cloud environment.

Patch Tuesday: Microsoft Issues Fix for Actively Exploited 'Follina' Vulnerability
2022-06-15 20:10

Microsoft officially released fixes to address an actively exploited Windows zero-day vulnerability known as Follina as part of its Patch Tuesday updates. Tracked as CVE-2022-30190, the zero-day bug is a remote code execution vulnerability in the Windows Support Diagnostic Tool (MSDT) that is triggered when the tool is invoked through the "ms-msdt:" URI protocol scheme from an application such as Word.

M1 Chip Vulnerability
2022-06-15 11:05

This is a new vulnerability against Apple's M1 chip. Researchers from MIT's Computer Science and Artificial Intelligence Laboratory have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep pointer authentication, the chip's defense against tampering with memory references.

Mind the gap: How to ensure your vulnerability detection methods are up to scratch
2022-06-15 04:30

Staying one step ahead of attackers means using the most comprehensive and responsive vulnerability detection you can. A vulnerability scanner checks your systems for security flaws that could be used to steal data or sensitive information, or otherwise disrupt your business.

Apple M1 chip contains hardware vulnerability that bypasses memory defense
2022-06-10 11:00

Apple's M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success. MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip's pointer authentication, a security mechanism that tries to prevent an attacker from modifying memory references without being detected.

Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability
2022-06-08 22:26

An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool, even as the Follina flaw continues to be exploited in the wild. The issue, referenced as DogWalk, is a path traversal flaw that can be exploited to plant a malicious executable in the Windows Startup folder when a potential target opens a specially crafted ".

Android June 2022 updates bring fix for critical RCE vulnerability
2022-06-07 13:14

Google has released the June 2022 security updates for Android devices running OS versions 10, 11, and 12, fixing 41 vulnerabilities, five of them rated critical. As usual, the bulletin is split into two security patch levels, 2022-06-01 and 2022-06-05.