Cybersecurity Vulnerabilities news & analysis | SC Media

Vulnerabilities News and Analysis

Flaw in Alaris medical devices exposes infusion pumps to possible sabotage

Medical tech company Becton, Dickinson and Company (BD) has advised users of its Alaris Gateway Workstation – a smart connectivity and integration solution for infusion pump devices – to update their firmware, following the discovery of a highly critical remote code execution vulnerability. CyberMDX researcher Elad Luz found that multiple versions of the workstation –…

Mozilla, Google patch security issues in Thunderbird and Chrome

The Mozilla Foundation and Google released “high” rated security updates for Thunderbird and Chrome, respectively. The high-rated Thunderbird vulnerabilities patched in version 60.7.1 are CVE-2019-11703 and CVE-2017-11704, which concern a heap buffer overflow in icalparser.c and another in Icalfvalue.c. In the former, a flaw in Thunderbird’s implementation of iCal causes a heap buffer overflow…

Unpatched bug in Windows SymCrypt library could cause DoS condition, warns researcher

Google’s Project Zero vulnerability hunting team has publicly disclosed an unpatched bug in the SymCrypt cryptography library for Windows, which could create a denial of service condition when the user initiates any function that requires cryptography. Project Zero researcher Tavis Ormandy said in a June 11 tweet that even though the problem is of “relatively…

Intel joins Patch Tuesday with 11 security updates

Intel rolled out 11 software, firmware and hardware security updates on June 11, several of which could lead to an escalation of privilege situation if exploited. The three most critical patches, all rated “high”, cover three product categories: Intel Accelerated Storage Manager in Intel Rapid Storage Technology Enterprise, Intel NUC PC and Intel Raid Web…

Vim and Neovim developers fix RCE flaw caused by failed sandbox check

Text editor programs Vim and Neovim both received security updates late last month after they were found to contain a remote code execution vulnerability. Designated CVE-2019-12735, the flaw was discovered by security researcher Armin Razmjou and assigned an 8.6 HIGH CVSS base score. According to an analysis of the vulnerability that was published last week,…

Microsoft patches 22 critical flaws, four zero days on June Patch Tuesday

Microsoft’s June Patch Tuesday release covered 88 CVEs, including 22 rated as critical and four that covered previously announced zero-day vulnerabilities. The zero-day issues, all of them elevation of privilege issues, were tagged as top priority patches of the month by several cybersecurity executives, although the good news is none of the zero days, or other…

Adobe Patch Tuesday: Critical issues across Flash Player, ColdFusion and Campaign

Adobe’s June Patch Tuesday included patches for critical-rated arbitrary code execution flaws in Flash Player, ColdFusion and Campaign. The Flash Player vulnerability, CVE-2019-7845, affects Windows, macOS, Linux and Chrome OS and, if exploited, could lead to arbitrary code execution in the context of the current user. The issue can be fixed by updating to the latest version…

Adversaries exploit WebLogic bug to deliver cryptominer, use .cer files for obfuscation

Cybercriminals have been using a recently discovered critical vulnerability in the Oracle WebLogic server to deliver a Monero cryptomining program, while using certificate files to obfuscate malicious code. Caused by a deserialization error, the flaw, CVE-2019-2725, was patched in an April 26 out-of-band security update. The SANS ISC InfoSec forums originally hosted reports of malicious actors exploiting…

Cisco updates include fixes for ‘high’ rated RCE, DoS flaws

Cisco released security updates to address vulnerabilities in multiple Cisco products, including flaws that a remote attacker could exploit to take control of an affected system. The updates included fixes for a remote code execution (RCE) flaw, a series denial of service (DoS) vulnerability, information disclosure vulnerability and several cross-site scripting (XSS) vulnerabilities,…
