Security News
UPDATE. A zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now released a security update addressing the vulnerability.
UPDATE. A zero-day vulnerability has been disclosed in the IT help desk ManageEngine software made by Zoho Corp. The serious vulnerability enables an unauthenticated, remote attacker to launch attacks on affected systems. Zoho has now released a security update addressing the vulnerability.
Business tools development company Zoho says it's working on a patch for a zero-day vulnerability affecting its ManageEngine Desktop Central product. "Since Zoho typically ignores researchers, I figured it was OK to share a ManageEngine Desktop Central zero-day exploit with everyone," Seeley wrote on Twitter.
The vulnerability is the ability to register almost exact lookalike domain names. Simple attacks would attempt to register a domain using similar Latin characters - for example G00GLE.COM to look like GOOGLE.COM. The first example uses zeros rather than the correct letter Os; and a successfully registered lookalike domain would likely be used as a malicious phishing site.
A recently disclosed zero-day vulnerability in Zyxel network-attached storage devices also impacts over twenty of the vendor's firewalls. Earlier this week, Zyxel published an advisory on the vulnerability, revealing that it impacted over a dozen NAS devices, including ten that were no longer supported.
For the third time in a year, Google has fixed a Chrome zero-day that is being actively exploited by attackers in the wild. No details have been shared about the attacks and about the flaw itself, apart from the short description that says it's a type confusion flaw in V8, the JavaScript engine used by the Chrome browser.
Google has issued an update for its widespread Chrome browser to fix three security holes. Google, which is often vociferous about bugs and how they work, especially those found by its own Project Zero and Threat Analysis teams, is playing its cards close to its chest in this case.
Google said Monday it has patched a Chrome web browser zero-day bug being actively exploited in the wild. Google said the flaw impacts versions of Chrome released before version 80.0.3987.122.
Networking devices vendor Zyxel has released patches for several network attached storage devices to address a critical vulnerability that is already being exploited by cybercriminals. "A remote code execution vulnerability was identified in the weblogin.cgi program of Zyxel NAS products running firmware version 5.21 and earlier. Missing authentication for the program could allow attackers to perform remote code execution via OS command injection," Zyxel explains in an advisory.
The fix is part of the February Patch Tuesday update that features a record 99 security vulnerabilities including 12 marked as 'critical' and 87 'important'. The first indication of the IE zero-day, now identified as CVE-2020-0674, appeared when Mozilla fixed a very similar issue in Firefox on 8 January, less than two days after the appearance of version 72.