The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Vulnerability

Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability

Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability

September 14, 2021Ravie Lakshmanan
A day after  Apple  and  Google  rolled out urgent security updates, Microsoft has  pushed software fixes  as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an  actively exploited zero-day  in its MSHTML Platform that came to light last week.  Of the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This is aside from the  20 vulnerabilities  in the Chromium-based Microsoft Edge browser that the company addressed since the start of the month. The most important of the updates concerns a patch for  CVE-2021-40444  (CVSS score: 8.8), an actively exploited remote code execution vulnerability in MSHTML that leverages malware-laced Microsoft Office documents, with EXPMON researchers noting "the exploit uses logical flaws so the exploitation is perfectly reliable." Also addressed is a publicly disclose
Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances

Microsoft Warns of Cross-Account Takeover Bug in Azure Container Instances

September 09, 2021Ravie Lakshmanan
Microsoft on Wednesday said it remediated a vulnerability in its Azure Container Instances ( ACI ) services that could have been weaponized by a malicious actor "to access other customers' information" in what the researchers described as the "first cross-account container takeover in the public cloud." An attacker exploiting the weakness could execute malicious commands on other users' containers, steal customer secrets and images deployed to the platform. The Windows maker did not share any additional specifics related to the flaw, save that  affected customers  "revoke any privileged credentials that were deployed to the platform before August 31, 2021." Azure Container Instances is a managed service that allows users to run Docker  containers  directly in a serverless cloud environment, without requiring the use of virtual machines, clusters, or orchestrators. Palo Alto Networks' Unit 42 threat intelligence team dubbed the vulnerabilit
WhatsApp Photo Filter Bug Could Have Exposed Your Data to Remote Attackers

WhatsApp Photo Filter Bug Could Have Exposed Your Data to Remote Attackers

September 02, 2021Ravie Lakshmanan
A now-patched high-severity security vulnerability in WhatApp's image filter feature could have been abused to send a malicious image over the messaging app to read sensitive information from the app's memory. Tracked as  CVE-2020-1910  (CVSS score: 7.8), the flaw concerns an out-of-bounds read/write and stems from applying specific image filters to a rogue image and sending the altered image to an unwitting recipient, thereby enabling an attacker to access valuable data stored the app's memory. "A missing bounds check in WhatsApp for Android prior to v2.21.1.13 and WhatsApp Business for Android prior to v2.21.1.13 could have allowed out-of-bounds read and write if a user applied specific image filters to a specially-crafted image and sent the resulting image," WhatsApp  noted  in its advisory published in February 2021. Cybersecurity firm Check Point Research, which disclosed the issue to the Facebook-owned platform on November 10, 2020, said it was able to
Linphone SIP Stack Bug Could Let Attackers Remotely Crash Client Devices

Linphone SIP Stack Bug Could Let Attackers Remotely Crash Client Devices

September 01, 2021Ravie Lakshmanan
Cybersecurity researchers on Tuesday disclosed details about a zero-click security vulnerability in the Linphone Session Initiation Protocol ( SIP ) stack that could be remotely exploited without any action from a victim to crash the SIP client and cause a denial-of-service (DoS) condition. Tracked as  CVE-2021-33056  (CVSS score: 7.5), the issue concerns a NULL pointer dereference vulnerability in the " belle-sip " component, a C-language library used to implement SIP transport, transaction, and dialog layers, with all versions prior to  4.5.20  affected by the flaw. The weakness was discovered and reported by industrial cybersecurity company Claroty. Linphone is an open-source and cross-platform SIP client with support for voice and video calls, end-to-end encrypted messaging, and audio conference calls, among others. SIP, on the other hand, is a signaling protocol used for initiating, maintaining, and terminating real-time multimedia communication sessions for voice, v
New Microsoft Exchange 'ProxyToken' Flaw Lets Attackers Reconfigure Mailboxes

New Microsoft Exchange 'ProxyToken' Flaw Lets Attackers Reconfigure Mailboxes

August 30, 2021Ravie Lakshmanan
Details have emerged about a now-patched security vulnerability impacting Microsoft Exchange Server that could be weaponized by an unauthenticated attacker to modify server configurations, thus leading to the disclosure of Personally Identifiable Information (PII). The issue, tracked as  CVE-2021-33766  (CVSS score: 7.3) and coined " ProxyToken ," was discovered by Le Xuan Tuyen, a researcher at the Information Security Center of Vietnam Posts and Telecommunications Group (VNPT-ISC), and reported through the Zero-Day Initiative (ZDI) program in March 2021. "With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users," the ZDI  said  Monday. "As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker." Microsoft addressed the issue as part of its  Patch Tuesday updates  for July 2021
Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers

Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers

August 27, 2021Ravie Lakshmanan
U.S. technology firm Kaseya has  released  security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a  trio of vulnerabilities  discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021. The IT infrastructure management solution provider has addressed the issues in server software version 10.5.5-2 released on August 12, DIVD said. An as-yet-undisclosed client-side vulnerability in Kaseya Unitrends remains unpatched, but the company has published  firewall rules  that can be applied to filter traffic to and from the client and mitigate any risk associated with the flaw. As an additional precaution, it's  recommended  not to leave the servers accessible over the internet. Although specifics related to the vulnerabilities are sparse, the shortcomin
Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices

Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices

August 18, 2021Ravie Lakshmanan
A security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK), which could be abused by a remote attacker to take control of an affected device and potentially lead to remote code execution. Tracked as CVE-2021-28372 (CVSS score: 9.6) and  discovered  by FireEye Mandiant in late 2020, the weakness concerns an improper access control flaw in ThroughTek point-to-point (P2P) products, successful exploitation of which could result in the "ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality." "Successful exploitation of this vulnerability could permit remote code execution and unauthorized access to sensitive information, such as to camera audio/video feeds," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  noted  in an advisory. There are believed to be 83 million active devices on the Kala
BadAlloc Flaw Affects BlackBerry QNX Used in Millions of Cars and Medical Devices

BadAlloc Flaw Affects BlackBerry QNX Used in Millions of Cars and Medical Devices

August 18, 2021Ravie Lakshmanan
A major vulnerability affecting older versions of BlackBerry's QNX Real-Time Operating System (RTOS) could allow malicious actors to cripple and gain control of a variety of products, including cars, medical, and industrial equipment. The shortcoming (CVE-2021-22156, CVSS score: 9.0) is part of a broader collection of flaws, collectively dubbed  BadAlloc , that was originally disclosed by Microsoft in April 2021, which could open a backdoor into many of these devices, allowing attackers to commandeer them or disrupt their operations. "A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices," the U.S. Cybersecurity and Infrastructure Security Agency (CISA)  said  in a Tuesday bulletin. As of writing, there is no evidence of active exploitation of the vulnerability. BlackBerry QNX technology is  used  worldwide by over 195 million vehicles and embedded systems across a wide range of industries,
Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF

Unpatched Remote Hacking Flaw Disclosed in Fortinet's FortiWeb WAF

August 17, 2021Ravie Lakshmanan
Details have emerged about a new unpatched security vulnerability in Fortinet's web application firewall (WAF) appliances that could be abused by a remote, authenticated attacker to execute malicious commands on the system. "An OS command injection vulnerability in FortiWeb's management interface (version 6.3.11 and prior) can allow a remote, authenticated attacker to execute arbitrary commands on the system, via the SAML server configuration page," cybersecurity firm Rapid7  said  in an advisory published Tuesday. "This vulnerability appears to be related to  CVE-2021-22123 , which was addressed in  FG-IR-20-120 ." Rapid7 said it discovered and reported the issue in June 2021. Fortinet is expected to release a patch at the end of August with version Fortiweb 6.4.1. The command injection flaw is yet to be assigned a CVE identifier, but it has a severity rating of 8.7 on the CVSS scoring system. Successful exploitation of the vulnerability can allow auth
Microsoft Warns of Another Unpatched Windows Print Spooler RCE Vulnerability

Microsoft Warns of Another Unpatched Windows Print Spooler RCE Vulnerability

August 11, 2021Ravie Lakshmanan
A day after releasing  Patch Tuesday updates , Microsoft acknowledged yet another remote code execution vulnerability in the Windows Print Spooler component, adding that it's working to remediate the issue in an upcoming security update. Tracked as  CVE-2021-36958  (CVSS score: 7.3), the unpatched flaw is the latest to join a  list  of  bugs  collectively known as  PrintNightmare  that have plagued the printer service and come to light in recent months. Victor Mata of FusionX, Accenture Security, who has been credited with reporting the flaw,  said  the issue was disclosed to Microsoft in December 2020. "A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations," the company said in its out-of-band bulletin, echoing the vulnerability details for  CVE-2021-34481 . "An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then
Top 30 Critical Security Vulnerabilities Most Exploited by Hackers

Top 30 Critical Security Vulnerabilities Most Exploited by Hackers

July 29, 2021Ravie Lakshmanan
Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage. "Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide," the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI)  noted . "However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system." The top 30 vulnerabilities span a wide range of software, including remote work, virtual pri
Several Bugs Found in 3 Open-Source Software Used by Several Businesses

Several Bugs Found in 3 Open-Source Software Used by Several Businesses

July 27, 2021Ravie Lakshmanan
Cybersecurity researchers on Tuesday disclosed nine security vulnerabilities affecting three open-source projects —  EspoCRM ,  Pimcore , and  Akaunting  — that are widely used by several small to medium businesses and, if successfully exploited, could provide a pathway to more sophisticated attacks. All the security flaws in question, which impact EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12, were fixed within a day of responsible disclosure, researchers Wiktor Sędkowski of Nokia and Trevor Christiansen of Rapid7  noted. Six of the nine flaws were uncovered in the Akaunting project. EspoCRM is an open-source customer relationship management (CRM) application, while Pimcore is an open-source enterprise software platform for customer data management, digital asset management, content management, and digital commerce. Akaunting, on the other hand, is an open-source and online accounting software designed for invoice and exp
Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices

Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices

July 27, 2021Ravie Lakshmanan
Apple on Monday rolled out an urgent security update for  iOS, iPadOS , and  macOS  to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year. The updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fixes a memory corruption issue ( CVE-2021-30807 ) in the IOMobileFrameBuffer component, a kernel extension for managing the screen  framebuffer , that could be abused to execute arbitrary code with kernel privileges. The company said it addressed the issue with improved memory handling, noting it's "aware of a report that this issue may have been actively exploited." As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting the
How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability

How to Mitigate Microsoft Windows 10, 11 SeriousSAM Vulnerability

July 26, 2021The Hacker News
Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly. As we reported last week, the vulnerability — SeriousSAM — allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.  Attackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges. SeriousSAM vulnerability, tracked as CVE-2021-36934 , exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that allows 'read' permissions to the built-in user's group that contains all local users. As a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes. Once the attacker has 'User' access, they can use a tool such as Mimikatz to gain access to the Re
New Windows and Linux Flaws Give Attackers Highest System Privileges

New Windows and Linux Flaws Give Attackers Highest System Privileges

July 20, 2021Ravie Lakshmanan
Microsoft's Windows 10 and the upcoming Windows 11 versions have been found vulnerable to a new local privilege escalation vulnerability that permits users with low-level permissions access Windows system files, in turn, enabling them to unmask the operating system installation password and even decrypt private keys. The vulnerability has been nicknamed "SeriousSAM." "Starting with Windows 10 build 1809, non-administrative users are granted access to SAM, SYSTEM, and SECURITY registry hive files," CERT Coordination Center (CERT/CC) said in a  vulnerability note  published Monday. "This can allow for local privilege escalation (LPE)." The operating system configuration files in question are as follows - c:\Windows\System32\config\sam c:\Windows\System32\config\system c:\Windows\System32\config\security Microsoft, which is tracking the vulnerability under the identifier  CVE-2021-36934 , acknowledged the issue, but has yet to roll out a patch, o
16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers

16-Year-Old Security Bug Affects Millions of HP, Samsung, Xerox Printers

July 20, 2021Ravie Lakshmanan
Details have emerged about a high severity security vulnerability affecting a software driver used in HP, Xerox, and Samsung printers that has remained undetected since 2005. Tracked as  CVE-2021-3438  (CVSS score: 8.8), the issue concerns a buffer overflow in a print driver installer package named "SSPORT.SYS" that can enable remote privilege and arbitrary code execution. Hundreds of millions of printers have been released worldwide to date with the vulnerable driver in question. However, there is no evidence that the flaw was abused in real-world attacks. "A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege," according to an advisory published in May. The issue was reported to HP by threat intelligence researchers from SentinelLabs on February 18, 2021, following which  remedies  have been  published  for the affected printers as of May 19, 2021. Specific
Researcher Uncovers Yet Another Unpatched Windows Printer Spooler Vulnerability

Researcher Uncovers Yet Another Unpatched Windows Printer Spooler Vulnerability

July 18, 2021Ravie Lakshmanan
Merely days after Microsoft sounded the alarm on an unpatched security vulnerability in the Windows Print Spooler service, possibly yet another zero-day flaw in the same component has come to light, making it the fourth printer-related shortcoming to be discovered in recent weeks. "Microsoft Windows allows for non-admin users to be able to install printer drivers via Point and Print," CERT Coordination Center's Will Dormann  said  in an advisory published Sunday. "Printers installed via this technique also install queue-specific files, which can be arbitrary libraries to be loaded by the privileged Windows Print Spooler process." An exploit for the vulnerability was disclosed by security researcher and  Mimikatz creator   Benjamin Delpy . #printnightmare - Episode 4 You know what is better than a Legit Kiwi Printer ? 🥝Another Legit Kiwi Printer...👍 No prerequiste at all, you even don't need to sign drivers/package🤪 pic.twitter.com/oInb5jm3tE — 🥝 B
China's New Law Requires Vendors to Report Zero-Day Bugs to Government

China's New Law Requires Vendors to Report Zero-Day Bugs to Government

July 17, 2021Ravie Lakshmanan
The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to mandatorily disclose them first-hand to the government authorities within two days of filing a report. The " Regulations on the Management of Network Product Security Vulnerability " are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks. "No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and shall not illegally collect, sell or publish information on network product security vulnerabilities," Article 4 of the regulation states. In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being disclos
Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

July 16, 2021Ravie Lakshmanan
Two of the zero-day Windows flaws rectified by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. The spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab. " Candiru 's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers  said . "This case demonstrates, yet again, that in the absence of any international safegua
Update Your Chrome Browser to Patch New Zero‑Day Bug Exploited in the Wild

Update Your Chrome Browser to Patch New Zero‑Day Bug Exploited in the Wild

July 15, 2021Ravie Lakshmanan
Google has pushed out a new security update to Chrome browser for Windows, Mac, and Linux with multiple fixes, including a zero-day that it says is being exploited in the wild. The latest patch resolves a total of eight issues, one of which concerns a type confusion issue in its V8 open-source and JavaScript engine ( CVE-2021-30563 ). The search giant credited an anonymous researcher for reporting the flaw on July 12. As is usually the case with actively exploited flaws, the company issued a terse statement acknowledging that "an exploit for CVE-2021-30563 exists in the wild" while refraining from sharing full details about the underlying vulnerability used in the attacks due to its serious nature and the possibility that doing so could lead to further abuse. CVE-2021-30563 also marks the ninth zero-day addressed by Google to combat real-world attacks against Chrome users since the start of the year — CVE-2021-21148  - Heap buffer overflow in V8 CVE-2021-21166  - Obje
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.