The Hacker News - Cybersecurity News and Analysis: patch update

For the first patch Tuesday of 2021, Microsoft released  security updates  addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability. The latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Of these 83 bugs, 10 are listed as Critical, and 73 are listed as Important in severity. The most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender ( CVE-2021-1647 ) that could allow attackers to infect targeted systems with arbitrary code. Microsoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. The last version of the software affected by the flaw is 1.1.17600.5, before it was addressed in version 1.1.17700.4. The bug is

Google's Project Zero team has made public details of an improperly patched zero-day security vulnerability in Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code. Details of the unpatched flaw were revealed publicly after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24. Originally tracked as  CVE-2020-0986 , the flaw concerns an elevation of privilege exploit in the GDI Print /  Print Spooler  API ("splwow64.exe") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019. But with no patch in sight for about six months, ZDI ended up posting a public  advisory  as a zero-day on May 19 earlier this year, after which it was  exploited  in the wild in a campaign dubbed " Operation PowerFall " against an unnamed South Korean company. "splwow64.exe" is a Windows core system binary that allows 32-b

Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems. The attacks are taking aim at a recently patched WebLogic Server vulnerability, which was released by Oracle as part of its  October 2020 Critical Patch Update  and subsequently again in November ( CVE-2020-14750 ) in the form of an out-of-band security patch. As of writing, about 3,000 Oracle WebLogic servers are accessible on the Internet-based on stats from the Shodan search engine. Oracle  WebLogic  is a platform for developing, deploying, and running enterprise Java applications in any cloud environment as well as on-premises. The flaw, which is tracked as CVE-2020-14882, has a CVSS score of 9.8 out of a maximum rating of 10 and affects WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. Although the issue has been addressed, the release of  proof-of-concep

Cisco has published multiple security advisories concerning critical flaws in Cisco Security Manager (CSM) a week after the networking equipment maker quietly released patches with version 4.22 of the platform. The development comes after Code White researcher Florian Hauser (frycos) yesterday publicly disclosed proof-of-concept ( PoC ) code for as many as 12 security vulnerabilities affecting the  web interface of CSM  that makes it possible for an unauthenticated attacker to achieve remote code execution (RCE) attacks. The flaws were responsibly reported to Cisco's Product Security Incident Response Team (PSIRT) three months ago, on July 13. "Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn't mention any of the vulnerabilities,"  claimed frycos  in a tweet, citing the reasons for going public with the PoCs yesterday. Cisco Security Manager  is an end-to-end enterprise solution that allows organizations to enforce access policies

Google has patched two more zero-day flaws in the Chrome web browser for desktop, making it the fourth and fifth actively exploited vulnerabilities addressed by the search giant in recent weeks. The company released  86.0.4240.198  for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users. Tracked as CVE-2020-16013 and CVE-2020-16017, the flaws were discovered and reported to Google by "anonymous" sources, unlike previous cases, which were uncovered by the company's Project Zero elite security team. Google acknowledged that exploits for both the vulnerabilities exist in the wild but stopped short of sharing more specifics to allow a majority of users to install the fixes. According to the release notes, the two flaws are: CVE-2020-16013:  An "inappropriate implementation" of its V8 JavaScript rendering engine was reported on November 9. CVE-2020-16017:  An  use-after-free  memory corruption issue in Chrome

Cybersecurity researchers today disclosed a new highly critical "wormable" vulnerability—carrying a severity score of 10 out of 10 on the CVSS scale—affecting Windows Server versions 2003 to 2019. The 17-year-old remote code execution flaw ( CVE-2020-1350 ), dubbed ' SigRed ' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization's IT infrastructure. A threat actor can exploit SigRed vulnerability by sending crafted malicious DNS queries to a Windows DNS server and achieve arbitrary code execution, enabling the hacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and much more. In a detailed report shared with The Hacker News, the Check Point researcher Sagi Tzadik confirmed that the flaw is wormable in nature, allowing attackers to launch an attack that can sp

If your business operations and security of sensitive data rely on Oracle's E-Business Suite (EBS) , make sure you recently updated and are running the latest available version of the software. In a report released by enterprise cybersecurity firm Onapsis and shared with The Hacker News, the firm today disclosed technical details for vulnerabilities it reported in its integrated group of applications designed to automate CRM, ERP, and SCM operations for organizations. The two vulnerabilities, dubbed " BigDebIT " and rated a CVSS score of 9.9, were patched by Oracle in a critical patch update (CPU) pushed out earlier this January. But the company said an estimated 50 percent of Oracle EBS customers have not deployed the patches to date. The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud. According to the researchers, "an unauthenticated hacker

It's not 'Patch Tuesday,' but software giant Adobe today released emergency updates for three of its widely used products that patch dozens of newly discovered critical vulnerabilities. The list of affected software includes Adobe Illustrator, Adobe Bridge, and Magento e-commerce platform, containing a total of 35 vulnerabilities where each one of them is affected with multiple critical arbitrary code execution flaws. According to security advisory Adobe released, Illustrator 2020—one of the most popular designing software with millions of users around the globe—contains 5 critical code execution flaw, all existed due to memory corruption bugs in the Windows version of the software. Digital asset management app Adobe Bridge  version 10.0.1 and earlier for Windows operating systems have been found vulnerable to a total of 17 new flaws, 14 of which could lead to code execution attacks and are critical in severity—all discovered by security researcher Mat Powell. Th

Adobe today released out-of-band software updates for After Effects and Media Encoder applications that patch a total of two new critical vulnerabilities. Both critical vulnerabilities exist due to out-of-bounds write memory corruption issues and can be exploited to execute arbitrary code on targeted systems by tricking victims into opening a specially crafted file using the affected software. The bug ( CVE-2020-3765 ) in Adobe After Effects, an application for creating motion graphics and special effects used in the video, was discovered by security researcher Matt Powell and reported to Adobe via Trend Micro Zero Day Initiative project. Whereas, the second issue ( CVE-2020-3764 ) affecting Adobe Media Encoder, software for encoding and compressing audio or video files, was discovered by Canadian security researcher Francis Provencher. None of the security vulnerabilities fixed in this batch of Adobe updates were publicly disclosed or found being exploited in the wild, as th

Joe Vennix of Apple security has found another significant vulnerability in sudo utility that under a specific configuration could allow low privileged users or malicious programs to execute arbitrary commands with administrative ('root') privileges on Linux or macOS systems. Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system. Sudo has been designed to let users run apps or commands with the privileges of a different user without switching environments. Sudo Vulnerability (CVE-2019-18634) The newly discovered privilege escalation vulnerability, tracked as CVE-2019-18634 , in question stems from a stack-based buffer overflow issue that resides in Sudo versions before 1.8.26. According to Vennix, the flaw can only be exploited when the " pwfeedback " option is enabled in the sudoers configuration file, a feature that provides visua

Besides rewarding ethical hackers from its pocket for responsibly reporting vulnerabilities in third-party open-source projects, Google today announced financial support for open source developers to help them arrange additional resources, prioritizing the security of their products. The initiative, called " Patch Rewards Program ," was launched nearly 6 years ago, under which Google rewards hackers for reporting severe flaws in many widely used open source software, including OpenSSH, OpenSSL, Linux kernel, Apache, Nginx, jQuery, and OpenVPN. So far, Google has paid hundreds of thousands of dollars as bounty to hackers across the world who helped improve the overall security of many crucial open source software and technologies that power the Internet, operating systems, and networks. The company has now also decided to motivate volunteer work done by the open source community by providing upfront financial help to project teams, using which they can acquire addition

Are you using an Android device? Beware! You should be more careful while playing a video on your smartphone—downloaded anywhere from the Internet or received through email. That's because, a specially crafted innocuous-looking video file can compromise your Android smartphone—thanks to a critical remote code execution vulnerability that affects over 1 billion devices running Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie). The critical RCE vulnerability (CVE-2019-2107) in question resides in the Android media framework, which if exploited, could allow a remote attacker to execute arbitrary code on a targeted device. To gain full control of the device, all an attacker needs to do is tricking the user into playing a specially crafted video file with Android's native video player application. Though Google already released a patch earlier this month to address this vulnerability, apparently millions of Android devices are still waiting for the latest A

Microsoft today released its monthly batch of software security updates for the July month to patch a total of 77 vulnerabilities, 14 are rated Critical, 62 are Important, and 1 is rated Moderate in severity. The July 2019 security updates include patches for various supported versions of Windows operating systems and other Microsoft products, including Internet Explorer, Edge, Office, Azure DevOps, Open Source Software, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio, and Exchange Server. Details of 6 security vulnerabilities, all rated important, were made public before a patch was released, none of which were found being exploited in the wild. However, two new privilege escalation vulnerabilities, one affects all supported versions of the Windows operating system, and the other affects Windows 7 and Server 2008, have been reported as being actively exploited in the wild. Both actively exploited vulnerabilities lead to elevation of privilege, one (CVE-2019-1132)

Update (22 June 2019)  — More technical details and proof-of-concept for the OutLook for Android vulnerability has been released that we have covered in a separate article here. Microsoft today released an updated version of its "Outlook for Android" that patches an important security vulnerability in the popular email app that is currently being used over 100 million users. According to an advisory , Outlook app with versions before 3.0.88 for Android contains a stored cross-site scripting vulnerability ( CVE-2019-1105 ) in the way the app parses incoming email messages. If exploited, remote attackers can execute malicious in-app client-side code on the targeted devices just by sending them emails with a specially crafted message. "The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user." According to Microsoft, the fl

In recent years, we have seen how hackers prey on those too lazy or ignorant to install security patches, which, if applied on time, would have prevented some devastating cyber attacks and data breaches that happened in major organisations. The United States Department of Homeland Security (DHS) has ordered government agencies to more swiftly plug the critical security vulnerabilities found on their networks within 15 calendar days since the initial detection, a reduction from 30 days. DHS's Cybersecurity and Infrastructure Security Agency (CISA) this week issued a new Binding Operational Directive (BOD) 19-02 instructing federal agencies and departments to address "critical" rated vulnerabilities within 15 days and "high" severity flaws within 30 days of initial detection. The countdown to patch a security vulnerability will start when it was initially detected during CISA's weekly Cyber Hygiene vulnerability scanning, rather than it was the firs

Adobe users would feel lighter this month, as Adobe has released patches for just two security vulnerability in its March Security Update. The company today released its monthly security updates to address two critical arbitrary code execution vulnerabilities—one in Adobe Photoshop CC and another in Adobe Digital Editions. Upon successful exploitation, both critical vulnerabilities could allow an attacker to achieve arbitrary code execution in the context of the current user and take control of an affected system. However, the good news is that the company found no evidence of any exploits in the wild for these security issues, Adobe said. The vulnerability in Adobe Photoshop CC , discovered by Trend Micro Zero Day Initiative and assigned CVE-2019-7094, is a heap corruption issue which affects Photoshop CC 19.1.7 and earlier 19.x versions as well as Photoshop CC 20.0.2 and earlier 20.x versions for Microsoft Windows and Apple macOS operating systems. Users are recommended

I hope you had biggest, happiest and craziest New Year celebration, but now it's time to come back at work and immediately update your systems to patch new security flaws that could exploit your computer just by opening a PDF file. Adobe has issued an out-of-band security update to patch two critical vulnerabilities in the company's Acrobat and Reader for both the Windows and macOS operating systems. Though the San Jose, California-based software company did not give details about the vulnerabilities, it did classify the security flaws as critical since they allow privilege escalation and arbitrary code execution in the context of the current user. Both the vulnerabilities were reported to Adobe by security researchers--Abdul-Aziz Hariri and Sebastian Apelt—from Trend Micro's Zero Day Initiative (ZDI). Critical Adobe Acrobat and Reader Vulnerabilities The first vulnerability, reported by Apelt and identified as CVE-2018-16011, is a use-after-free bug that can lead

Adobe is closing out this year with its December Patch Tuesday update to address a massive number of security vulnerabilities for just its two PDF apps—more than double the number of what Microsoft patched this month for its several products. Adobe today released patches for 87 vulnerabilities affecting its Acrobat and Reader software products for both macOS and Windows operating systems, of which 39 are rated as critical and 48 important in severity. The security update comes less than a week after Adobe released patches for a critical zero-day vulnerability (CVE-2018-15982) in Flash Player that was actively being exploited in a targeted attack targeting a Russian state health care institution. The critical vulnerabilities addressed today in Acrobat and Reader include three heap-overflow bugs, five out-of-bounds write flaws, two untrusted pointer dereference issues, two buffer errors, and 24 use-after-free bugs. Upon successful exploitation, all of the above critical vulner

It's time to gear up your systems and software for the latest July 2018 Microsoft security patch updates. Microsoft today released security patch updates for 53 vulnerabilities, affecting Windows, Internet Explorer (IE), Edge, ChakraCore, .NET Framework, ASP.NET, PowerShell, Visual Studio, and Microsoft Office and Office Services, and Adobe Flash Player. Out of 53 vulnerabilities, 17 are rated critical, 34 important, one moderate and one as low in severity. This month there is no critical vulnerability patched in Microsoft Windows operating system and surprisingly, none of the flaw patched by the tech giant this month is listed as publicly known or under active attack. Critical Flaws Patched In Microsoft Products Most of the critical issues are memory corruption flaws in IE, Edge browser and Chakra scripting engine, which if successfully exploited, could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system in the context of the cur

Adobe has released security patches for a total 112 vulnerabilities in its products, most of which have a higher risk of being exploited. The vulnerabilities addressed in this month's patch Tuesday affect Adobe Flash Player, Adobe Experience Manager, Adobe Connect, Adobe Acrobat, and Reader. None of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild. Adobe Flash Player (For Desktops and Browsers) Security updates include patches for two vulnerabilities in Adobe Flash Player for various platforms and application, as listed below. One of which has been rated critical (CVE-2018-5007), and successful exploitation of this "type confusion" flaw could allow an attacker to execute arbitrary code on the targeted system in the context of the current user. This flaw was discovered and reported to Adobe by willJ of Tencent PC Manager working with Trend Micro's Zero Day Initiative. Withou