Security News

GitHub this week disclosed the details of an easy-to-exploit Linux vulnerability that can be leveraged to escalate privileges to root on the targeted system. The flaw, classified as high severity and tracked as CVE-2021-3560, impacts polkit, an authorization service that is present by default in many Linux distributions.

Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office online, could be potentially abused by bad actors to deliver attack code via Word and Excel documents. "Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook," researchers from Check Point research said in a report published today.

Microsoft today will release a patch for a vulnerability affecting the Microsoft Office MSGraph component, responsible for displaying graphics and charts, that could be exploited to execute code on a target machine. According to the researchers, the issue is in a MSGraph file parsing function, which "Is commonly used across multiple different Microsoft Office products, such as Excel, Office Online Server and Excel for OSX.".

The U.S. Cybersecurity and Infrastructure Security Agency today announced that it has partnered with the crowdsourced cybersecurity community for the launch of its vulnerability disclosure policy platform. Working in collaboration with bug bounty platform Bugcrowd and government technology contractor Endyna, CISA introduced its VDP platform to help Federal Civilian Executive Branch agencies identify and address vulnerabilities in critical systems.

Code hosting platform GitHub says it has updated its policies regarding vulnerability research, malware, and exploits, to permit dual-use security research. Previously, the policies could be considered hostile toward projects with dual-use content, but the updated guidelines aim to make it clear that GitHub "Enables, welcomes, and encourages" dual-use security research - i.e. research that can be used for both good and bad purposes.

Trend Micro on Thursday disclosed the details of a recently patched privilege escalation vulnerability that has been found to impact macOS, iOS and iPadOS. The flaw, tracked as CVE-2021-30724, was discovered by Trend Micro researcher Mickey Jin, and it was patched by Apple on May 24 with the release of macOS 11.4, iOS 14.6 and iPadOS 14.6. The vulnerability, caused by an out-of-bounds memory access issue, can allow a local attacker to elevate privileges by sending specially crafted requests.

A high-severity vulnerability discovered recently in an open source library named Lasso has been found to impact products from Cisco and Akamai, as well as Linux distributions. The vulnerability, tracked as CVE-2021-28091, was initially reported to Akamai as it was discovered in the company's Enterprise Application Access product, which uses Lasso to verify SAML assertions for applications when a customer configures SAML authentication with third-party identity providers.

The website for the M1racles security vulnerability is an excellent demonstration that not all vulnerabilities are exploitable. Be sure to read the FAQ through to the end. EDITED TO ADD: Wired article.

Gartner's recent Hype Cycle for Application Security report, and Forrester's The State of Application Security 2021 report - both bibles for security experts that undoubtedly help to shape their program and potential product adoption - are almost entirely tools-focused. Security tooling is a must-have, but we need to look wider and restore balance to the people component of security defense.

Researchers at industrial cybersecurity firm Claroty have identified a serious vulnerability that can be exploited by a remote and unauthenticated attacker to hack some of the programmable logic controllers made by Siemens. The vulnerability is tracked as CVE-2020-15782 and it has been described as a high-severity memory protection bypass issue that allows an attacker with network access to TCP port 102 to write or read data in protected memory areas.