The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: software update

Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs

Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs
February 09, 2021Ravie Lakshmanan
Microsoft on Tuesday  issued fixes for 56 flaws , including a critical vulnerability that's known to be actively exploited in the wild. In all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity — six of which are previously disclosed vulnerabilities. The updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and other core components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC). A Windows Win32k Privilege Escalation Vulnerability The most critical of the flaws is a Windows Win32k privilege escalation vulnerability (CVE-2021-1732, CVSS score 7.8) that allows attackers with access to a target system to run malicious code with elevated permissions. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for discovering and re

Multiple Botnets Exploiting Critical Oracle WebLogic Bug — PATCH NOW

Multiple Botnets Exploiting Critical Oracle WebLogic Bug — PATCH NOW
December 02, 2020Ravie Lakshmanan
Multiple botnets are targeting thousands of publicly exposed and still unpatched Oracle WebLogic servers to deploy crypto miners and steal sensitive information from infected systems. The attacks are taking aim at a recently patched WebLogic Server vulnerability, which was released by Oracle as part of its  October 2020 Critical Patch Update  and subsequently again in November ( CVE-2020-14750 ) in the form of an out-of-band security patch. As of writing, about 3,000 Oracle WebLogic servers are accessible on the Internet-based on stats from the Shodan search engine. Oracle  WebLogic  is a platform for developing, deploying, and running enterprise Java applications in any cloud environment as well as on-premises. The flaw, which is tracked as CVE-2020-14882, has a CVSS score of 9.8 out of a maximum rating of 10 and affects WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, and 14.1.1.0.0. Although the issue has been addressed, the release of  proof-of-concep

Researcher Discloses Critical RCE Flaws In Cisco Security Manager

Researcher Discloses Critical RCE Flaws In Cisco Security Manager
November 16, 2020Ravie Lakshmanan
Cisco has published multiple security advisories concerning critical flaws in Cisco Security Manager (CSM) a week after the networking equipment maker quietly released patches with version 4.22 of the platform. The development comes after Code White researcher Florian Hauser (frycos) yesterday publicly disclosed proof-of-concept ( PoC ) code for as many as 12 security vulnerabilities affecting the  web interface of CSM  that makes it possible for an unauthenticated attacker to achieve remote code execution (RCE) attacks. The flaws were responsibly reported to Cisco's Product Security Incident Response Team (PSIRT) three months ago, on July 13. "Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn't mention any of the vulnerabilities,"  claimed frycos  in a tweet, citing the reasons for going public with the PoCs yesterday. Cisco Security Manager  is an end-to-end enterprise solution that allows organizations to enforce access policies

Two New Chrome 0-Days Under Active Attacks – Update Your Browser

Two New Chrome 0-Days Under Active Attacks – Update Your Browser
November 11, 2020Ravie Lakshmanan
Google has patched two more zero-day flaws in the Chrome web browser for desktop, making it the fourth and fifth actively exploited vulnerabilities addressed by the search giant in recent weeks. The company released  86.0.4240.198  for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users. Tracked as CVE-2020-16013 and CVE-2020-16017, the flaws were discovered and reported to Google by "anonymous" sources, unlike previous cases, which were uncovered by the company's Project Zero elite security team. Google acknowledged that exploits for both the vulnerabilities exist in the wild but stopped short of sharing more specifics to allow a majority of users to install the fixes. According to the release notes, the two flaws are: CVE-2020-16013:  An "inappropriate implementation" of its V8 JavaScript rendering engine was reported on November 9. CVE-2020-16017:  An  use-after-free  memory corruption issue in Chrome

Microsoft Releases September 2020 Security Patches For 129 Flaws

Microsoft Releases September 2020 Security Patches For 129 Flaws
September 08, 2020Swati Khandelwal
As part of this month's Patch Tuesday, Microsoft today released a fresh batch of security updates to fix a total of 129 newly discovered security vulnerabilities affecting various versions of its Windows operating systems and related software. Of the 129 bugs spanning its various products — Microsoft Windows, Edge browser, Internet Explorer, ChakraCore, SQL Server, Exchange Server, Office, ASP.NET, OneDrive, Azure DevOps, Visual Studio, and Microsoft Dynamics — that received new patches, 23 are listed as critical, 105 are important, and one is moderate in severity. Unlike the past few months, none of the security vulnerabilities the tech giant patched in September are listed as being publicly known or under active attack at the time of release or at least not in knowledge of Microsoft. A memory corruption vulnerability ( CVE-2020-16875 ) in Microsoft Exchange software is worth highlighting all the critical flaws. The exploitation of this flaw could allow an attacker to run

Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!

Critical Patch Released for 'Wormable' SMBv3 Vulnerability — Install It ASAP!
March 12, 2020Mohit Kumar
Microsoft today finally released an emergency software update to patch the recently disclosed very dangerous vulnerability in SMBv3 protocol that could let attackers launch wormable malware , which can propagate itself from one vulnerable computer to another automatically. The vulnerability, tracked as CVE-2020-0796 , in question is a remote code execution flaw that impacts Windows 10 version 1903 and 1909, and Windows Server version 1903 and 1909. Server Message Block (SMB), which runs over TCP port 445, is a network protocol that has been designed to enable file sharing, network browsing, printing services, and interprocess communication over a network. The latest vulnerability, for which a patch update ( KB4551762 ) is now available on the Microsoft website, exists in the way SMBv3 protocol handles requests with compression headers, making it possible for unauthenticated remote attackers to execute malicious code on target servers or clients with SYSTEM privileges. Compre

Microsoft Issues March 2020 Updates to Patch 115 Security Flaws

Microsoft Issues March 2020 Updates to Patch 115 Security Flaws
March 11, 2020Ravie Lakshmanan
Microsoft today released security updates to fix a total of 115 new security vulnerabilities in various versions of its Windows operating system and related software—making March 2020 edition the biggest ever Patch Tuesday in the company's history. Of the 115 bugs spanning its various products — Microsoft Windows, Edge browser, Internet Explorer, Exchange Server, Office, Azure, Windows Defender, and Visual Studio — that received new patches, 26 have been rated as critical, 88 received a severity of important, and one is moderate in severity. However, unlike last month , none of the vulnerabilities the tech giant patched this month are listed as being publicly known or under active attack at the time of release. It's worth highlighting that the patch addresses critical flaws that could be potentially exploited by bad actors to execute malicious code by specially crafted LNK files and word documents. Titled "LNK Remote Code Execution Vulnerability" ( CVE-2020

Adobe Patches Critical Bugs Affecting Media Encoder and After Effects

Adobe Patches Critical Bugs Affecting Media Encoder and After Effects
February 20, 2020Wang Wei
Adobe today released out-of-band software updates for After Effects and Media Encoder applications that patch a total of two new critical vulnerabilities. Both critical vulnerabilities exist due to out-of-bounds write memory corruption issues and can be exploited to execute arbitrary code on targeted systems by tricking victims into opening a specially crafted file using the affected software. The bug ( CVE-2020-3765 ) in Adobe After Effects, an application for creating motion graphics and special effects used in the video, was discovered by security researcher Matt Powell and reported to Adobe via Trend Micro Zero Day Initiative project. Whereas, the second issue ( CVE-2020-3764 ) affecting Adobe Media Encoder, software for encoding and compressing audio or video files, was discovered by Canadian security researcher Francis Provencher. None of the security vulnerabilities fixed in this batch of Adobe updates were publicly disclosed or found being exploited in the wild, as th

Latest Microsoft Update Patches New Windows 0-Day Under Active Attack

Latest Microsoft Update Patches New Windows 0-Day Under Active Attack
December 10, 2019Swati Khandelwal
With its latest and last Patch Tuesday for 2019, Microsoft is warning billions of its users of a new Windows zero-day vulnerability that attackers are actively exploiting in the wild in combination with a Chrome exploit to take remote control over vulnerable computers. Microsoft's December security updates include patches for a total of 36 vulnerabilities, where 7 are critical, 27 important, 1 moderate, and one is low in severity—brief information on which you can find later in this article. Tracked as CVE-2019-1458 and rated as Important, the newly patched zero-day Win32k privilege escalation vulnerability, reported by Kaspersky, was used in Operation WizardOpium attacks to gain higher privileges on targeted systems by escaping the Chrome sandbox. Although Google addressed the flaw in Chrome 78.0.3904.87 with the release of an emergency update last month after Kaspersky disclosed it to the tech giant, hackers are still targeting users who are using vulnerable versions of th

Adobe Releases Patches for 'Likely Exploitable' Critical Vulnerabilities

Adobe Releases Patches for 'Likely Exploitable' Critical Vulnerabilities
December 10, 2019Mohit Kumar
The last Patch Tuesday of 2019 is finally here. Adobe today released updates for four of its widely used software—including Adobe Acrobat and Reader, Photoshop CC, ColdFusion, and Brackets—to patch a total of 25 new security vulnerabilities. Seventeen of these flaws have been rated as critical in severity, with most of them carrying high priority patches, indicating that the vulnerabilities are more likely to be used in real-world attacks, but there are currently no known exploits in the wild. The software update for Adobe Acrobat and Reader for Windows and macOS operating systems addresses a total of 21 security vulnerabilities, 14 of which are critical, and rest are important in severity. Upon successful exploitation, all critical vulnerabilities in Adobe Acrobat and Reader software lead to arbitrary code execution attacks, allowing attackers to take complete control of targeted systems. Adobe Photoshop CC for Windows and macOS contains patches for two critical arbitrary

Microsoft Releases October 2019 Patch Tuesday Updates

Microsoft Releases October 2019 Patch Tuesday Updates
October 08, 2019Swati Khandelwal
Microsoft today rolling out its October 2019 Patch Tuesday security updates to fix a total of 59 vulnerabilities in Windows operating systems and related software, 9 of which are rated as critical, 49 are important, and one is moderate in severity. What's good about this month's patch update is that after a very long time, none of the security vulnerabilities patched by the tech giant this month is being listed as publicly known or under active attack. Moreover, there is no roll-up patch for Adobe Flash Player bundled in Windows update for this month. Besides this, Microsoft has also put up a notice as a reminder for Windows 7 and Windows Server 2008 R2 users, warning them that the extended support for these two operating systems is about to end in the next two months and that they will no longer receive updates as of January 14, 2020. Two of the critical vulnerabilities patched this month are remote code execution flaws in the VBScript engine, and both exist in the way VBS

Firefox Releases Critical Patch Update to Stop Ongoing Zero-Day Attacks

Firefox Releases Critical Patch Update to Stop Ongoing Zero-Day Attacks
June 18, 2019Mohit Kumar
Important Update [21 June 2019] — Mozilla on Thursday released another update Firefox version 67.0.4 to patch a second zero-day vulnerability. If you use the Firefox web browser, you need to update it right now. Mozilla earlier today released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical zero-day vulnerability in the browsing software that hackers have been found exploiting in the wild. Discovered and reported by Samuel Groß, a cybersecurity researcher at Google Project Zero, the vulnerability could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions and take full control of them. The vulnerability, identified as CVE-2019-11707 , affects anyone who uses Firefox on desktop (Windows, macOS, and Linux) — whereas, Firefox for Android, iOS, and Amazon Fire TV are not affected. According to an advisory , the flaw has been labeled as a type confusion vulnerability in Firefox that can result in an exploitable cras

Microsoft Releases April 2019 Security Updates — Two Flaws Under Active Attack

Microsoft Releases April 2019 Security Updates — Two Flaws Under Active Attack
April 09, 2019Mohit Kumar
Microsoft today released its April 2019 software updates to address a total of 74 CVE-listed vulnerabilities in its Windows operating systems and other products, 13 of which are rated critical and rest are rated Important in severity. April 2019 security updates address flaws in Windows OS, Internet Explorer, Edge, MS Office, and MS Office Services and Web Apps, ChakraCore, Exchange Server, .NET Framework and ASP.NET, Skype for Business, Azure DevOps Server, Open Enclave SDK, Team Foundation Server, and Visual Studio. None of the vulnerabilities addressed this month by the tech giant were disclosed publicly at the time of release, leaving the two recently disclosed zero-day flaws in Internet Explorer and Edge browsers still open for hackers. However, two new privilege escalation vulnerabilities, which affect all supported versions of the Windows operating system, have been reported as being actively exploited in the wild. Both rated as important, the flaws ( CVE-2019-0803

Warning: ASUS Software Update Server Hacked to Distribute Malware

Warning: ASUS Software Update Server Hacked to Distribute Malware
March 25, 2019Swati Khandelwal
Remember the CCleaner hack ? CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017. Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS. A group of state-sponsored hackers last year managed to hijack ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide. According to cybersecurity researchers from Russian firm Kaspersky Lab , who discovered the attack and dubbed it Operation ShadowHammer , Asus was informed about the ongoing supply chain attack on Jan 31, 2019. After analyzing over 200 samples of the malicious updates, researchers learned that hackers did not want to target all users, instead only a specific list of users identified by their uniq

PuTTY Releases Important Software Update to Patch 8 High-Severity Flaws

PuTTY Releases Important Software Update to Patch 8 High-Severity Flaws
March 20, 2019Wang Wei
The popular SSH client program PuTTY has released the latest version of its software that includes security patches for 8 high-severity security vulnerabilities. PuTTY is one of the most popular and widely used open-source client-side programs that allows users to remotely access computers over SSH, Telnet, and Rlogin network protocols. Almost 20 months after releasing the last version of its software, the developers of PuTTY earlier this week released the latest version 0.71 for Windows and Unix operating systems. According to an advisory available on its website, all previous versions of the PuTTY software have been found vulnerable to multiple security vulnerabilities that could allow a malicious server or a compromised server to hijack client's system in different ways. Here below I have listed all 8 vulnerabilities with brief information that PuTTY 0.71 has patched: 1) Authentication Prompt Spoofing — Since PuTTY doesn't have a way to indicate whether a piec

Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader

Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader
January 04, 2019Swati Khandelwal
I hope you had biggest, happiest and craziest New Year celebration, but now it's time to come back at work and immediately update your systems to patch new security flaws that could exploit your computer just by opening a PDF file. Adobe has issued an out-of-band security update to patch two critical vulnerabilities in the company's Acrobat and Reader for both the Windows and macOS operating systems. Though the San Jose, California-based software company did not give details about the vulnerabilities, it did classify the security flaws as critical since they allow privilege escalation and arbitrary code execution in the context of the current user. Both the vulnerabilities were reported to Adobe by security researchers--Abdul-Aziz Hariri and Sebastian Apelt—from Trend Micro's Zero Day Initiative (ZDI). Critical Adobe Acrobat and Reader Vulnerabilities The first vulnerability, reported by Apelt and identified as CVE-2018-16011, is a use-after-free bug that can lead

Microsoft Issues Software Updates for 17 Critical Vulnerabilities

Microsoft Issues Software Updates for 17 Critical Vulnerabilities
September 11, 2018Swati Khandelwal
Times to gear up your systems and software. Just a few minutes ago Microsoft released its latest monthly Patch Tuesday update for September 2018, patching a total of 61 security vulnerabilities, 17 of which are rated as critical, 43 are rated Important, and one Moderate in severity. This month's security updates patch vulnerabilities in Microsoft Windows, Edge, Internet Explorer, MS Office, ChakraCore, .NET Framework, Microsoft.Data.OData, ASP.NET, and more. Four of the security vulnerabilities patched by the tech giant this month have been listed as "publicly known" and more likely exploited in the wild at the time of release. CVE-2018-8475: Windows Critical RCE Vulnerability One of the four publicly disclosed vulnerabilities is a critical remote code execution flaw ( CVE-2018-8475 ) in Microsoft Windows and affects all versions Windows operating system, including Windows 10. The Windows RCE vulnerability resides in the way Windows handles specially cra

Cisco Issues Security Patch Updates for 32 Flaws in its Products

Cisco Issues Security Patch Updates for 32 Flaws in its Products
September 06, 2018Swati Khandelwal
Cisco today released thirty security patch advisory to address a total of 32 security vulnerabilities in its products, three of which are rated critical, including the recently disclosed Apache Struts remote code execution vulnerability that is being exploited in the wild. Out of the rest 29 vulnerabilities, fourteen are rated high and 15 medium in severity, addressing security flaws in Cisco Routers, Cisco Webex, Cisco Umbrella, Cisco SD-WAN Solution, Cisco Cloud Services Platform, Cisco Data Center Network, and more products. The three critical security vulnerabilities patched by Cisco address issues in Apache Struts, Cisco Umbrella API, and Cisco RV110W, RV130W and RV215W router's management interface. Apache Struts Remote Code Execution Vulnerability (CVE-2018-11776) The vulnerability, reported late last month by Semmle security researcher Man Yue Mo, resides in the core of Apache Struts and originates due to insufficient validation of user-provided untrusted inputs in

Adobe Issues Emergency Patches for Critical Flaws in Photoshop CC

Adobe Issues Emergency Patches for Critical Flaws in Photoshop CC
August 22, 2018Swati Khandelwal
Adobe released an out-of-band security update earlier today to address two critical remote code execution vulnerabilities impacting Adobe Photoshop CC for Microsoft Windows and Apple macOS machines. According to the security advisory published Wednesday by Adobe, its Photoshop CC software is vulnerable to two critical memory corruption vulnerabilities, which could allow a remote attacker to execute arbitrary code in the context of the targeted user. The vulnerabilities, identified as CVE-2018-12810 and CVE-2018-12811, impact Adobe Photoshop CC 2018 version 19.1.5 and earlier 19.x versions, as well as Adobe Photoshop CC 2017 version 18.1.5 and earlier 18.x versions. The critical security flaws were discovered and reported by Kushal Arvind Shah of Fortinet's FortiGuard Labs, and have now been addressed by Adobe with the release of Photoshop CC versions 19.1.6 and 18.1.6. Also Read: Teen Arrested for Hacking into Apple's Network It should be noted that these RCE vu

Backdoor Found in Popular Server Management Software used by Hundreds of Companies

Backdoor Found in Popular Server Management Software used by Hundreds of Companies
August 16, 2017Swati Khandelwal
Cyber criminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect. Recently, cyber crooks managed to infiltrate the update mechanism for a popular server management software package and altered it to include an advanced backdoor, which lasts for at least 17 days until researchers discovered it. Dubbed ShadowPad , the secret backdoor gave attackers complete control over networks hidden behind legit cryptographically signed software sold by NetSarang —used by hundreds of banks, media firms, energy companies, and pharmaceutical firms, telecommunication providers, transportation and logistics and other industries—for 17 days starting last month. Important Note — If you are using any of the affected product (listed below), we highly recommend you stop using it until you update them. Hacker Injected Backdoor Through Software Update Mechanism
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.