Cybersecurity Vulnerabilities news & analysis | SC Media

Vulnerabilities News and Analyis

Slack logo

Slack patches flaw that could allow attackers to hijack downloaded documents


The developers of the work collaboration app Slack have issued a security update for its desktop client following the discovery of a medium-severity download hijack vulnerability that could let attackers modify the location where downloaded files are stored. Malicious actors could exploit the flaw to steal and spy on users’ documents by uploading them to…

Winnti trojan may help set stage for Skeleton Key attacks, analysts say

Google to replace Titan security keys due to a misconfiguration


Google is replacing its Titan Security Bluetooth keys due to a vulnerability which could allow attackers within range unauthorized access to use someone else’s key. The issue specifically affects Titans Security Keys’ BLE version that can be identified by either a T1 or T2 stamped on the back of the key. A misconfiguration in the…

Microsoft’s May Patch Tuesday covers ZombieLoad, WER vulnerabilities


Microsoft put forth a long list of security updates to cover 79 vulnerabilities, 19 listed as critical, which included four connected to a Microarchitectural Data Sampling (aka ZombieLoad) vulnerability in Intel processors in its May Patch Tuesday release. While CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 grabbed the headlines yesterday, Microsoft also patched CVE-2019-0863 which has been spotted…

Intel, industry scramble to mitigate ZombieLoad side-channel processor vulnerability


Four new CVEs that combine to create a vulnerability called ZombieLoad affecting Intel processors were made public today, which if left unpatched could leave a computer open to a side-channel attack allowing someone to bypass protections to read memory. The flaws, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091, impacted a number of companies with Apple, Google, Microsoft and…

‘Thrangrycat’ flaw in millions of Cisco devices could enable ‘Secure Boot’ bypass


Millions of Cisco devices used by corporate, government and military networks contain a logic vulnerability in their Secure Boot process that could allow local, authenticated actors to bypass and disable critical functionality in the Trust Anchor hardware module (TAm) – the bedrock upon which all other trusted computing mechanisms within the devices are built. The hardware…

DHS reduces deadline for agencies to fix vulnerabilities in their systems


The Department of Homeland Security’s U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday issued a directive that now gives federal agencies a 15-day deadline to remediate critical-level vulnerabilities that are detected on their internet-accessible systems by CISA’s Cyber Hygiene scanning service. Binding Operational Directive 19-02 supersedes BOD 15-01, which when enacted in 2015 gave…

May Patch Tuesday: Adobe posts updates covering 85 vulnerabilities


Adobe had a jumbo-sized May Patch Tuesday that addressed 85 vulnerabilities in just two products, including 49 rated as critical, including a critical patch for Flash Player. The Flash Player advisory covered CVE-2019-7837, a use after free flaw that could lead to arbitrary code execution in Flash Player for Windows, macOS, Linux and ChromeOS. The…

Drupal core patches moderately critical vulnerability


Drupal core released a patch for a  moderately critical vulnerability in third-party libraries that could allow the by-passing of protection of Phar Steam Wrapper Interceptor. The vulnerability occurs when untrusted data is used to abuse the logic of the application, according to, TYPO3-PSA-2019-007: By-passing protection of Phar Stream Wrapper Interceptor. “In order to intercept file…

NVIDIA update fixes three vulnerabilities in GPU Display Driver


Graphics chip manufacturer NVIDIA last week released a security software update for its GPU Display Driver, fixing three vulnerabilities that, if left untreated, could result in denial of service, escalation of privileges, code execution or information disclosure. The most serious of the three bugs is CVE-2019-5675, a high-severity flaw in the kernel mode layer handler…

Next post in Security News