remote code execution | Breaking Cybersecurity News | The Hacker News

Earlier this week Dropbox team unveiled details of three critical vulnerabilities in Apple macOS operating system, which altogether could allow a remote attacker to execute malicious code on a targeted Mac computer just by convincing a victim into visiting a malicious web page. The reported vulnerabilities were originally discovered by Syndis , a cybersecurity firm hired by Dropbox to conduct simulated penetration testing attacks as Red Team on the company's IT infrastructure, including Apple software used by Dropbox . The vulnerabilities were discovered and disclosed to Apple security team in February this year, which were then patched by Apple just over one month later with the release of its  March security updates . DropBox applauded Apple for its quick response to its bug report. According to DropBox, the vulnerabilities discovered by Syndis didn't just affect its macOS fleet, but also affected all Safari users running the latest version of the web browser and op

A security researcher has discovered several critical vulnerabilities in one of the most popular embedded real-time operating systems—called FreeRTOS—and its other variants, exposing a wide range of IoT devices and critical infrastructure systems to hackers. What is FreeRTOS (Amazon, WHIS OpenRTOS, SafeRTOS)? FreeRTOS is a leading open source real-time operating system (RTOS) for embedded systems that has been ported to over 40 microcontrollers, which are being used in IoT, aerospace, medical, automotive industries, and more. RTOS has specifically been designed to carefully run applications with very precise timing and a high degree of reliability, every time. A pacemaker is an excellent example of the real-time embedded system that contracts heart muscle at the right time, a process that can't afford delays, to keep a person alive. Since late last year, FreeRTOS project is being managed by Amazon, who created Amazon FreeRTOS (a:FreeRTOS) IoT operating system for mic

The need for vCISO services is growing. SMBs and SMEs are dealing with more third-party risks, tightening regulatory demands and stringent cyber insurance requirements than ever before. However, they often lack the resources and expertise to hire an in-house security executive team. By outsourcing security and compliance leadership to a vCISO, these organizations can more easily obtain cybersecurity expertise specialized for their industry and strengthen their cybersecurity posture. MSPs and MSSPs looking to meet this growing vCISO demand are often faced with the same challenge. The demand for cybersecurity talent far exceeds the supply. This has led to a competitive market where the costs of hiring and retaining skilled professionals can be prohibitive for MSSPs/MSPs as well. The need to maintain expertise of both security and compliance further exacerbates this challenge. Cynomi, the first AI-driven vCISO platform , can help. Cynomi enables you - MSPs, MSSPs and consulting firms

What if just receiving a video call on WhatsApp could hack your smartphone? This sounds filmy, but Google Project Zero security researcher Natalie Silvanovich found a critical vulnerability in WhatsApp messenger that could have allowed hackers to remotely take full control of your WhatsApp just by video calling you over the messaging app. The vulnerability is a memory heap overflow issue which is triggered when a user receives a specially crafted malformed RTP packet via a video call request, which results in the corruption error and crashing the WhatsApp mobile app. Since the vulnerability affect RTP (Real-time Transport Protocol) implementation of Whatsapp, the flaw affects Android and iOS apps, but not WhatsApp Web that relies on WebRTC for video calls. Silvanovich also published a proof-of-concept exploit, along with the instructions for reproducing the WhatsApp attack. Although the proof-of-concept published by Silvanovich only triggers memory corruption, another Go

A security researcher has publicly disclosed an unpatched zero-day vulnerability in all supported versions of Microsoft Windows operating system (including server editions) after the company failed to patch a responsibly disclosed bug within the 120-days deadline. Discovered by Lucas Leong of the Trend Micro Security Research team, the zero-day vulnerability resides in Microsoft Jet Database Engine that could allow an attacker to remotely execute malicious code on any vulnerable Windows computer. The Microsoft JET Database Engine, or simply JET (Joint Engine Technology), is a database engine integrated within several Microsoft products, including Microsoft Access and Visual Basic. According to the an  advisory  released by Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-out-bounds memory write, leading to remote code execution. An attacker must convi

Adobe has released September 2018 security patch updates for a total of 10 vulnerabilities in Flash Player and ColdFusion, six of which are rated as critical that affected ColdFusion and could allow attackers to remotely execute arbitrary code on a vulnerable server. What's the good news this month for Adobe users? This month Adobe Acrobat and Reader applications did not receive any patch update, while Adobe Flash Player has received an update for just a single privilege escalation vulnerability (CVE-2018-15967) rated as important. Secondly, Adobe said none of the security vulnerabilities patched this month were either publicly disclosed or found being actively exploited in the wild. Total 9 Security Patches for Adobe ColdFusion Adobe has addressed a total of nine security vulnerabilities in its ColdFusion web application development platform, six of which are critical, two important and one moderate. According to the advisory released by Adobe, ColdFusion contain