Security News

19 vulnerabilities - some of them allowing remote code execution - have been discovered in a TCP/IP stack/library used in hundreds of millions of IoT and OT devices deployed by organizations in a wide variety of industries and sectors. "The library could be used as-is, configured for a wide range of uses, or incorporated into a larger library. The user could buy the library in source code format and edit it extensively. It can be incorporated into the code and implanted into a wide range of device types," the researchers explained.

Apple quietly pushed out a small but important update for operating systems across all of its devices, including a patch for a zero-day exploit used in an iPhone jailbreak tool released last week. Jailbreak tools take advantage of vulnerabilities in iOS to allow users root access and full control of their device, in order to load programs and code from outside of the Apple walled garden.

Apple on Monday released security patches to address a zero-day vulnerability that had been used to jailbreak iPhones running iOS 13.5. One week later, Apple has released security patches to fix the issue, revealing that the root cause of the bug was memory consumption and that improved memory handling would address it.

Security researchers working with Trend Micro's Zero Day Initiative have published information on five unpatched vulnerabilities in Microsoft Windows, including four considered high risk. Tracked as CVE-2020-0916, CVE-2020-0986, and CVE-2020-0915, and featuring a CVSS score of 7.0, the first three of these zero-day vulnerabilities could allow an attacker to escalate privileges on the affected system.

Attackers have been targeting the Sophos XG Firewall using a zero-day exploit, according to the security firm - with the ultimate goal of dropping the Asnarok malware on vulnerable appliances. Firewalls manually configured to expose a firewall service to the WAN zone that shares the same port as the admin or user portal were also affected," the firm explained.

Aside from plugging the security hole, the hotfix detects if the firewall was hit by attackers and, if it was, stops it from accessing any attacker infrastructure, cleans up remnants from the attack, and notifies administrators about it so that they can perform additional remediation steps. The zero-day affects all versions of XG Firewall firmware on both physical and virtual Sophos firewalls.

Cybersecurity company Sophos informed customers over the weekend that it has patched a zero-day vulnerability that has been exploited to deliver malware to its XG Firewall appliances. An investigation revealed that attackers have been exploiting a previously unknown SQL injection vulnerability to hack exposed physical and virtual firewalls.

It started a couple days ago when a number of researchers and I'm probably gonna mispronounce the name of the security firm, ZecOps or something along those lines -I can never pronounce these names - But anyways, they found two zero days, or what they claimed are two zero days that are very, very troubling when described. Tom: Yeah, well, you know, Apple has gotten some support from the research community.

Apple has pushed back against claims that two zero-day bugs in its iPhone iOS have been exploited for years, saying it's found no evidence to support such activity. Apple officials made the statement in response to a widely disseminated report published Wednesday by ZecOps, which claimed that two Apple iOS zero-day security vulnerabilities affecting its Mail app on iPhones and iPads already had been exploited in the wild since 2018 by an "Advanced threat operator."

Attackers would need a secondary kernel-level vulnerability to get system-level control and thereby to escape from the strictures of the vulnerable app. Of course, email apps typically contain plenty of juicy data all of their own, so a double-vulnerability compromise of the email app alone is still a worthwhile result for any attacker.