Security News
The day has a 'y' in it, so it must be time for another zero day to drop for a Microsoft product. To be clear, one does need to be logged into a Windows box to elevate one's privileges, and it looks like Edge also needs to be installed - which is hard to avoid in most modern Windows installations these days.
GitHub has fixed a serious vulnerability that would have allowed attackers to publish new, malicious versions of any existing package on the npm registry. "In this architecture, the authorization service was properly validating user authorization to packages based on data passed in request URL paths. However, the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file," GitHub's chief security officer Mike Hanley explained.
GitHub said it has fixed a longstanding issue with the NPM JavaScript registry that would allow an attacker to update any package without proper authorisation. "The vulnerability was based on a familiar insecurity pattern, where the system correctly authenticates a user but then allows access beyond what that user's permissions should enable. In this case, the NPM service correctly validated that a user was authorised to update a package, but"the service that performs underlying updates to the registry data determined which package to publish based on the contents of the uploaded package file.
Cybersecurity researchers have disclosed a security flaw in the Linux Kernel's Transparent Inter Process Communication module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. Tracked as CVE-2021-43267, the heap overflow vulnerability "Can be exploited locally or remotely within a network to gain kernel privileges, and would allow an attacker to compromise the entire system," cybersecurity firm SentinelOne said in a report published today and shared with The Hacker News.
Cybersecurity researchers have disclosed a security flaw in the Linux Kernel's Transparent Inter Process Communication module that could potentially be leveraged both locally as well as remotely to execute arbitrary code within the kernel and take control of vulnerable machines. The heap overflow vulnerability "Can be exploited locally or remotely within a network to gain kernel privileges, and would allow an attacker to compromise the entire system," cybersecurity firm SentinelOne said in a report published today and shared with The Hacker News.
Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks. Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation.
Google has rolled out its monthly security patches for Android with fixes for 39 flaws, including a zero-day vulnerability that it said is being actively exploited in the wild in limited, targeted attacks. Tracked as CVE-2021-1048, the zero-day bug is described as a use-after-free vulnerability in the kernel that can be exploited for local privilege escalation.
A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept exploit that gives SYSTEM privileges under certain conditions. A public proof-of-concept exploit and technical details for an unpatched Windows zero-day privilege elevation vulnerability has been disclosed that allows users to gain SYSTEM privileges under certain conditions.
Much is made of shared responsibility for cloud security. Some of this migration is to public clouds such as Amazon Web Services and Microsoft Azure.
CVE-2021-30663 - Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2021-30665 - Processing maliciously crafted web content may lead to arbitrary code execution.