Security News

GRIMM announced the launch of the company's new Private Vulnerability Disclosure program. This offering allows defenders to get ahead of the attack curve, instead of reacting to unknown threats, by providing previously unknown vulnerabilities.

A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery. Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.

Apple has released security updates to address an iOS zero-day bug actively exploited in the wild and affecting iPhone, iPad, iPod, and Apple Watch devices. The zero-day was addressed by Apple earlier today by improving the management of object lifetimes in iOS 14.4.2, iOS 12.5.2, and watchOS 7.3.3.

Microsoft has fixed a vulnerability in the PsExec utility that allows local users to gain elevated privileges on Windows devices. "This local privilege escalation allows a non-admin process to escalate to SYSTEM if PsExec is executed locally or remotely on the target machine. I was able to confirm this works from Windows 10 all the way back to XP and from my investigation, it affects PsExec v2.2 all the way back to v1.72," explained Wells.

AdaptiveMobile Security today publicly disclosed details of a major security flaw in the architecture of 5G network slicing and virtualized network functions. The fundamental vulnerability has the potential to allow data access and denial of service attacks between different network slices on a mobile operator's 5G network, leaving enterprise customers exposed to malicious cyberattack.

Google has warned Android users that a recently patched vulnerability has been exploited in attacks. The vulnerability in question, tracked as CVE-2020-11261, was patched by Google with the Android security updates released in January 2021.

One of the vulnerabilities addressed by the latest update for Apache OFBiz is an unsafe Java deserialization issue that could be exploited to execute code remotely, without authentication. A Java-based web framework, Apache OFBiz is an open source enterprise resource planning system that includes a suite of applications to automate business processes within enterprise environments, and which can be used across any industry.

Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. "There are indications that CVE-2020-11261 may be under limited, targeted exploitation," the search giant said in an updated January security bulletin on March 18.

Adobe has released out-of-band security updates to address a critical vulnerability impacting ColdFusion versions 2021, 2016, and 2018. Today's emergency updates patch an arbitrary code execution security flaw caused by an Improper Input Validation software vulnerability.