The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: patch update

Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

April 13, 2021Ravie Lakshmanan
Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation. One of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the  Pwn2Own 2021  hacking contest last week. While Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a  working exploit  over the weekend by reverse-engineering the patch that the Chromium team pushed to the open-source component, a factor that may have played a crucial role in the release. UPDATE:   Agarwal, in an email to The Hacker News, confirmed that there's one more vulnerability affecting Chromium-based browsers that has been patched in the latest vers
Critical Auth Bypass Bug Found in VMware Data Center Security Product

Critical Auth Bypass Bug Found in VMware Data Center Security Product

April 07, 2021Ravie Lakshmanan
A critical vulnerability in the VMware Carbon Black Cloud Workload appliance could be exploited to bypass authentication and take control of vulnerable systems. Tracked as CVE-2021-21982, the flaw is rated 9.1 out of a maximum of 10 in the CVSS scoring system and affects all versions of the product prior to 1.0.1.  Carbon Black Cloud Workload is a data center security product from VMware that aims to protect critical servers and workloads hosted on vSphere, the company's cloud-computing virtualization platform. "A URL on the administrative interface of the VMware Carbon Black Cloud Workload appliance can be manipulated to bypass authentication," VMware  said  in its advisory, thereby allowing an adversary with network access to the interface to gain access to the administration API of the appliance. Armed with the access, a malicious actor can then view and alter  administrative configuration settings , the company added. In addition to releasing a fix for CVE-2021
Apple Issues Urgent Patch Update for Another Zero‑Day Under Attack

Apple Issues Urgent Patch Update for Another Zero‑Day Under Attack

March 26, 2021Ravie Lakshmanan
Merely weeks after releasing out-of-band patches for iOS, iPadOS, macOS and watchOS, Apple has issued yet another security update for iPhone, iPad, and Apple Watch to fix a critical zero-day weakness that it says is being actively exploited in the wild. Tracked as CVE-2021-1879 , the vulnerability relates to a WebKit flaw that could enable adversaries to process maliciously crafted web content that may result in universal cross-site scripting attacks. "This issue was addressed by improved management of object lifetimes," the iPhone maker noted. Apple has credited Clement Lecigne and Billy Leonard of Google's Threat Analysis Group for discovering and reporting the issue. While details of the flaw have not been disclosed, the company said it's aware of reports that CVE-2021-1879 may have been actively exploited. Updates are available for the following devices: iOS 12.5.2  - Phone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6t
Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks

Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks

March 15, 2021Ravie Lakshmanan
Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread  ProxyLogon Exchange Server  cyberattacks. Called Exchange On-premises Mitigation Tool ( EOMT ), the PowerShell-based script serves to mitigate against current known attacks using CVE-2021-26855, scan the Exchange Server using the  Microsoft Safety Scanner  for any deployed web shells, and attempt to remediate the detected compromises. "This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update," Microsoft  said . The development comes in the wake of indiscriminate attacks against unpatched Exchange Servers across the world by more than ten advanced persistent threat actors — most of the government-backed cyberespionage groups — to plant backdoors, coin miners, and  ransomware ,
Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws

Microsoft Issues Patches for Defender Zero-Day and 82 Other Windows Flaws

January 12, 2021Ravie Lakshmanan
For the first patch Tuesday of 2021, Microsoft released  security updates  addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability. The latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Of these 83 bugs, 10 are listed as Critical, and 73 are listed as Important in severity. The most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender ( CVE-2021-1647 ) that could allow attackers to infect targeted systems with arbitrary code. Microsoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. The last version of the software affected by the flaw is 1.1.17600.5, before it was addressed in version 1.1.17700.4. The bug is
Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug

Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug

December 24, 2020Ravie Lakshmanan
Google's Project Zero team has made public details of an improperly patched zero-day security vulnerability in Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code. Details of the unpatched flaw were revealed publicly after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24. Originally tracked as  CVE-2020-0986 , the flaw concerns an elevation of privilege exploit in the GDI Print /  Print Spooler  API ("splwow64.exe") that was reported to Microsoft by an anonymous user working with Trend Micro's Zero Day Initiative (ZDI) back in late December 2019. But with no patch in sight for about six months, ZDI ended up posting a public  advisory  as a zero-day on May 19 earlier this year, after which it was  exploited  in the wild in a campaign dubbed " Operation PowerFall " against an unnamed South Korean company. "splwow64.exe" is a Windows core system binary that allows 32-b
Multiple Botnets Exploiting Critical Oracle WebLogic Bug — PATCH NOW

Multiple Botnets Exploiting Critical Oracle WebLogic Bug — PATCH NOW

December 02, 2020Ravie Lakshmanan
Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems. The attacks are taking aim at a recently patched WebLogic Server vulnerability, which was released by Oracle as part of its  October 2020 Critical Patch Update  and subsequently again in November ( CVE-2020-14750 ) in the form of an out-of-band security patch. As of writing, about 3,000 Oracle WebLogic servers are accessible on the Internet-based on stats from the Shodan search engine. Oracle  WebLogic  is a platform for developing, deploying, and running enterprise Java applications in any cloud environment as well as on-premises. The flaw, which is tracked as CVE-2020-14882, has a CVSS score of 9.8 out of a maximum rating of 10 and affects WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. Although the issue has been addressed, the release of  proof-of-concep
Researcher Discloses Critical RCE Flaws In Cisco Security Manager

Researcher Discloses Critical RCE Flaws In Cisco Security Manager

November 16, 2020Ravie Lakshmanan
Cisco has published multiple security advisories concerning critical flaws in Cisco Security Manager (CSM) a week after the networking equipment maker quietly released patches with version 4.22 of the platform. The development comes after Code White researcher Florian Hauser (frycos) yesterday publicly disclosed proof-of-concept ( PoC ) code for as many as 12 security vulnerabilities affecting the  web interface of CSM  that makes it possible for an unauthenticated attacker to achieve remote code execution (RCE) attacks. The flaws were responsibly reported to Cisco's Product Security Incident Response Team (PSIRT) three months ago, on July 13. "Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn't mention any of the vulnerabilities,"  claimed frycos  in a tweet, citing the reasons for going public with the PoCs yesterday. Cisco Security Manager  is an end-to-end enterprise solution that allows organizations to enforce access policies
Two New Chrome 0-Days Under Active Attacks – Update Your Browser

Two New Chrome 0-Days Under Active Attacks – Update Your Browser

November 11, 2020Ravie Lakshmanan
Google has patched two more zero-day flaws in the Chrome web browser for desktop, making it the fourth and fifth actively exploited vulnerabilities addressed by the search giant in recent weeks. The company released  86.0.4240.198  for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users. Tracked as CVE-2020-16013 and CVE-2020-16017, the flaws were discovered and reported to Google by "anonymous" sources, unlike previous cases, which were uncovered by the company's Project Zero elite security team. Google acknowledged that exploits for both the vulnerabilities exist in the wild but stopped short of sharing more specifics to allow a majority of users to install the fixes. According to the release notes, the two flaws are: CVE-2020-16013:  An "inappropriate implementation" of its V8 JavaScript rendering engine was reported on November 9. CVE-2020-16017:  An  use-after-free  memory corruption issue in Chrome
17-Year-Old Critical 'Wormable' RCE Vulnerability Impacts Windows DNS Servers

17-Year-Old Critical 'Wormable' RCE Vulnerability Impacts Windows DNS Servers

July 14, 2020Ravie Lakshmanan
Cybersecurity researchers today disclosed a new highly critical "wormable" vulnerability—carrying a severity score of 10 out of 10 on the CVSS scale—affecting Windows Server versions 2003 to 2019. The 17-year-old remote code execution flaw ( CVE-2020-1350 ), dubbed ' SigRed ' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization's IT infrastructure. A threat actor can exploit SigRed vulnerability by sending crafted malicious DNS queries to a Windows DNS server and achieve arbitrary code execution, enabling the hacker to intercept and manipulate users' emails and network traffic, make services unavailable, harvest users' credentials and much more. In a detailed report shared with The Hacker News, Check Point researcher Sagi Tzadik confirmed that the flaw is wormable in nature, allowing attackers to launch an attack that can spread
Oracle E-Business Suite Flaws Let Hackers Hijack Business Operations

Oracle E-Business Suite Flaws Let Hackers Hijack Business Operations

June 16, 2020Ravie Lakshmanan
If your business operations and security of sensitive data rely on Oracle's E-Business Suite (EBS) , make sure you recently updated and are running the latest available version of the software. In a report released by enterprise cybersecurity firm Onapsis and shared with The Hacker News, the firm today disclosed technical details for vulnerabilities it reported in its integrated group of applications designed to automate CRM, ERP, and SCM operations for organizations. The two vulnerabilities, dubbed " BigDebIT " and rated a CVSS score of 9.9, were patched by Oracle in a critical patch update (CPU) pushed out earlier this January. But the company said an estimated 50 percent of Oracle EBS customers have not deployed the patches to date. The security flaws could be exploited by bad actors to target accounting tools such as General Ledger in a bid to steal sensitive information and commit financial fraud. According to the researchers, "an unauthenticated hacker
Critical Security Patches Released for Magento, Adobe Illustrator and Bridge

Critical Security Patches Released for Magento, Adobe Illustrator and Bridge

April 28, 2020Mohit Kumar
It's not 'Patch Tuesday,' but software giant Adobe today released emergency updates for three of its widely used products that patch dozens of newly discovered critical vulnerabilities. The list of affected software includes Adobe Illustrator, Adobe Bridge, and Magento e-commerce platform, containing a total of 35 vulnerabilities where each one of them is affected with multiple critical arbitrary code execution flaws. According to security advisory Adobe released, Illustrator 2020—one of the most popular designing software with millions of users around the globe—contains 5 critical code execution flaw, all existed due to memory corruption bugs in the Windows version of the software. Digital asset management app Adobe Bridge  version 10.0.1 and earlier for Windows operating systems have been found vulnerable to a total of 17 new flaws, 14 of which could lead to code execution attacks and are critical in severity—all discovered by security researcher Mat Powell. Th
Adobe Patches Critical Bugs Affecting Media Encoder and After Effects

Adobe Patches Critical Bugs Affecting Media Encoder and After Effects

February 20, 2020Wang Wei
Adobe today released out-of-band software updates for After Effects and Media Encoder applications that patch a total of two new critical vulnerabilities. Both critical vulnerabilities exist due to out-of-bounds write memory corruption issues and can be exploited to execute arbitrary code on targeted systems by tricking victims into opening a specially crafted file using the affected software. The bug ( CVE-2020-3765 ) in Adobe After Effects, an application for creating motion graphics and special effects used in the video, was discovered by security researcher Matt Powell and reported to Adobe via Trend Micro Zero Day Initiative project. Whereas, the second issue ( CVE-2020-3764 ) affecting Adobe Media Encoder, software for encoding and compressing audio or video files, was discovered by Canadian security researcher Francis Provencher. None of the security vulnerabilities fixed in this batch of Adobe updates were publicly disclosed or found being exploited in the wild, as th
Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root

Sudo Bug Lets Non-Privileged Linux and macOS Users Run Commands as Root

February 03, 2020Mohit Kumar
Joe Vennix of Apple security has found another significant vulnerability in sudo utility that under a specific configuration could allow low privileged users or malicious programs to execute arbitrary commands with administrative ('root') privileges on Linux or macOS systems. Sudo is one of the most important, powerful, and commonly used utilities that comes as a core command pre-installed on macOS and almost every UNIX or Linux-based operating system. Sudo has been designed to let users run apps or commands with the privileges of a different user without switching environments. Sudo Vulnerability (CVE-2019-18634) The newly discovered privilege escalation vulnerability, tracked as CVE-2019-18634 , in question stems from a stack-based buffer overflow issue that resides in Sudo versions before 1.8.26. According to Vennix, the flaw can only be exploited when the " pwfeedback " option is enabled in the sudoers configuration file, a feature that provides visua
Google Offers Financial Support to Open Source Projects for Cybersecurity

Google Offers Financial Support to Open Source Projects for Cybersecurity

December 18, 2019Mohit Kumar
Besides rewarding ethical hackers from its pocket for responsibly reporting vulnerabilities in third-party open-source projects, Google today announced financial support for open source developers to help them arrange additional resources, prioritizing the security of their products. The initiative, called " Patch Rewards Program ," was launched nearly 6 years ago, under which Google rewards hackers for reporting severe flaws in many widely used open source software, including OpenSSH, OpenSSL, Linux kernel, Apache, Nginx, jQuery, and OpenVPN. So far, Google has paid hundreds of thousands of dollars as bounty to hackers across the world who helped improve the overall security of many crucial open source software and technologies that power the Internet, operating systems, and networks. The company has now also decided to motivate volunteer work done by the open source community by providing upfront financial help to project teams, using which they can acquire addition
Your Android Phone Can Get Hacked Just By Playing This Video

Your Android Phone Can Get Hacked Just By Playing This Video

July 25, 2019Wang Wei
Are you using an Android device? Beware! You should be more careful while playing a video on your smartphone—downloaded anywhere from the Internet or received through email. That's because, a specially crafted innocuous-looking video file can compromise your Android smartphone—thanks to a critical remote code execution vulnerability that affects over 1 billion devices running Android OS between version 7.0 and 9.0 (Nougat, Oreo, or Pie). The critical RCE vulnerability (CVE-2019-2107) in question resides in the Android media framework, which if exploited, could allow a remote attacker to execute arbitrary code on a targeted device. To gain full control of the device, all an attacker needs to do is tricking the user into playing a specially crafted video file with Android's native video player application. Though Google already released a patch earlier this month to address this vulnerability, apparently millions of Android devices are still waiting for the latest A
Microsoft Releases July 2019 Security Updates, 2 Flaws Under Active Attack

Microsoft Releases July 2019 Security Updates, 2 Flaws Under Active Attack

July 09, 2019Swati Khandelwal
Microsoft today released its monthly batch of software security updates for the July month to patch a total of 77 vulnerabilities, 14 are rated Critical, 62 are Important, and 1 is rated Moderate in severity. The July 2019 security updates include patches for various supported versions of Windows operating systems and other Microsoft products, including Internet Explorer, Edge, Office, Azure DevOps, Open Source Software, .NET Framework, Azure, SQL Server, ASP.NET, Visual Studio, and Exchange Server. Details of 6 security vulnerabilities, all rated important, were made public before a patch was released, none of which were found being exploited in the wild. However, two new privilege escalation vulnerabilities, one affects all supported versions of the Windows operating system, and the other affects Windows 7 and Server 2008, have been reported as being actively exploited in the wild. Both actively exploited vulnerabilities lead to elevation of privilege, one (CVE-2019-1132)
Important Flaw in Outlook App for Android Affects Over 100 Millions Users

Important Flaw in Outlook App for Android Affects Over 100 Millions Users

June 20, 2019Swati Khandelwal
Update (22 June 2019)  — More technical details and proof-of-concept for the OutLook for Android vulnerability has been released that we have covered in a separate article here. Microsoft today released an updated version of its "Outlook for Android" that patches an important security vulnerability in the popular email app that is currently being used over 100 million users. According to an advisory , Outlook app with versions before 3.0.88 for Android contains a stored cross-site scripting vulnerability ( CVE-2019-1105 ) in the way the app parses incoming email messages. If exploited, remote attackers can execute malicious in-app client-side code on the targeted devices just by sending them emails with a specially crafted message. "The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user." According to Microsoft, the fl
DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days

DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days

May 01, 2019Mohit Kumar
In recent years, we have seen how hackers prey on those too lazy or ignorant to install security patches, which, if applied on time, would have prevented some devastating cyber attacks and data breaches that happened in major organisations. The United States Department of Homeland Security (DHS) has ordered government agencies to more swiftly plug the critical security vulnerabilities found on their networks within 15 calendar days since the initial detection, a reduction from 30 days. DHS's Cybersecurity and Infrastructure Security Agency (CISA) this week issued a new Binding Operational Directive (BOD) 19-02 instructing federal agencies and departments to address "critical" rated vulnerabilities within 15 days and "high" severity flaws within 30 days of initial detection. The countdown to patch a security vulnerability will start when it was initially detected during CISA's weekly Cyber Hygiene vulnerability scanning, rather than it was the firs
Adobe Releases Patches for Critical Flaws in Photoshop CC and Digital Edition

Adobe Releases Patches for Critical Flaws in Photoshop CC and Digital Edition

March 12, 2019Swati Khandelwal
Adobe users would feel lighter this month, as Adobe has released patches for just two security vulnerability in its March Security Update. The company today released its monthly security updates to address two critical arbitrary code execution vulnerabilities—one in Adobe Photoshop CC and another in Adobe Digital Editions. Upon successful exploitation, both critical vulnerabilities could allow an attacker to achieve arbitrary code execution in the context of the current user and take control of an affected system. However, the good news is that the company found no evidence of any exploits in the wild for these security issues, Adobe said. The vulnerability in Adobe Photoshop CC , discovered by Trend Micro Zero Day Initiative and assigned CVE-2019-7094, is a heap corruption issue which affects Photoshop CC 19.1.7 and earlier 19.x versions as well as Photoshop CC 20.0.2 and earlier 20.x versions for Microsoft Windows and Apple macOS operating systems. Users are recommended
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.