Patch News, Articles and Updates

Schneider Electric patches XML External Entity vulnerability

Schneider Electric patched a vulnerability (CVE-2018-7783) in its SoMachine Basic that could result in the disclosure or retrieval of data during an out-of-band attack.

As world awaits patches, researchers divulge details of new Spectre Variants 3a and 4

The next generation of Spectre speculative execution vulnerabilities in CPUs from AMD, ARM, and Intel has arrived in the form of Variants 3a and 4, following highly anticipated public disclosures from Google's Project Zero and Microsoft Corporation [1, 2].

Google may contractually require OEMs to perform regular patching

Google is looking into the possibility of requiring device manufacturers to regularly patch their devices, by incorporating such a provision into future OEM agreements, Google head of Android security David Kleidermacher announced in a presentation at the Google I/O Developer Conference last week.

Oracle WebLogic vulnerability exploited for cryptominers for second time this year

Cryptominers targeting Oracle's patched WebLogic vulnerability from 2017 have caused a spike in malicious traffic targeting Port 7001.

Adobe releases more updates following Patch Tuesday fixes

After patching a confusion flaw in Flash last week, Adobe announced new security updates for Adobe Acrobat and Reader for Windows and MacOS.

Chrome update for desktop operating systems repairs critical sandbox escape bug

Google's latest stable channel update for the Windows, Mac and Linux versions of Chrome fixes four vulnerabilities, including a critical bug that can lead to sandbox escape.

LG patches RCE bug in smartphone keyboards

LG on Monday released a security update fixing a high-severity remote code execution vulnerability found in the default keyboards of all its mainstream smartphone models.

Confusion over chipmakers' debug exception instructions prompts patching by OS developers

Multiple major operating systems and hypervisors contain a serious CPU chipset bug that could allow authenticated attackers to read sensitive data in memory and control certain low-level functions, prompting their developers to issue security updates patching this flaw.

Sierra Wireless patches router vulnerabilities

Sierra Wireless patched two vulnerabilities in several of its AirLink routers that, if exploited, could allow the execution of arbitrary code or full control of a system.

Patch Tuesday: Microsoft mends RCE bug reportedly exploited by cyber espionage group

Microsoft Corporation's Patch Tuesday release today fixed 67 bugs, including two that have been actively exploited in zero-day attacks, and another two whose details became public.

Four versions of PHP programming language updated to fix multiple bugs

The developer of the PHP (Hypertext Preprocessor) server-side scripting language has issued a series of updates that fix 40 vulnerabilities spread across four different versions -- the most serious of which was severe enough to allow an attacker to execute arbitrary code within the context of an affected application.

Drupal releases patch for a code-execution bug actively being exploited

Drupal announced its third critical website bug found in the last month and has issued an unscheduled security update.

Apple updates fix code execution, privilege escalation and spoofing issues

Apple on Tuesday released security updates for the Safari browser and its MacOS and iOS operating systems, fixing a total of four vulnerabilities.

Juniper patched multiple vulnerabilities

Juniper Networks released more than a dozen security updates to patch a wide range of issues including two denial-of-service vulnerabilities and one for remote code execution.

SirenJack flaw exposes problems in emergency alert system

Security researchers have found a flaw in the emergency alert siren systems used by many local authorities that could allow the sirens to be sounded by hackers, the research finds.

Adobe Patch Tuesday includes ColdFusion updates

Adobe's April 10, 2018 Patch Tuesday addressed 14 security issues including 6 in Flash Player.

Natus reportedly updates EEG device software to squash RCE, DoS bugs

Health care device manufacturer Natus Medical Incorporated has reportedly updated the software used in its Xltek EEG products, which monitor brain activity, after a researcher discovered five vulnerabilities that a remote, unauthenticated attacker could exploit to trigger code execution or a denial of service condition.

Microsoft pushes update for critical RCE bug in Malware Protection Engine

Microsoft Corporation on Tuesday announced an emergency patch for a memory corruption vulnerability in its Microsoft Malware Protection Engine (MMPE) that remote attackers can exploit to execute arbitrary code in the security context of the highly privileged LocalSystem account.

Newest Apple releases squash bugs in iOS, macOS, Safari, various apps

Apple addressed a bevy of security bugs late last week, issuing updated versions of its current operating systems, Safari browser and other core products, as well as security enhancements for two older OS offerings.

Microsoft issues update to fix flaw in earlier Meltdown patch

Microsoft has issued an update that will fix a flaw, CVE-2018-1038, in a previous patch that was designed to protect Windows 7 x64 or Windows Server 2008 R2 x64 systems from Meltdown.

GitHub announces 4 million vulnerabilities patched in half a million repositories

GitHub announced the discovery of more than 4 million vulnerabilities in more than half a million repositories.

Drupal advises users to be on the lookout for highly critical release

Drupal is calling on its users to be on standby for the announcement of a highly critical release on March 28 that will address issues in Drupal 7 and 8.

Citrix doles out hotfixes for host compromise and DoS bugs in XenServer

Citrix Systems on Wednesday issued hotfixes for its XenServer hypervisor product, fixing vulnerabilities that attackers could exploit to remotely compromise a host or cause a denial of service condition.

Microsoft remote assistance tool threat patched, danger remains

Microsoft has just patched a vulnerability in the primary tool the company uses to help provide remote assistance to its users, but until all devices are updated there is still some danger.

Microsoft launches $250,000 bug bounty for Spectre/Meltdown-like flaws

Microsoft has kicked off a bug bounty program that could bring in between $25,000 and $250,000 to anyone able to find vulnerabilities similar to the now infamous Spectre and Meltdown.

Patch Tuesday: Microsoft patches Remote Desktop Protocol exploit

This month's Microsoft Patch Tuesday included more than 70 patches, 15 of which were marked as critical.

Patch Tuesday: Adobe patches 7 critical flaws

Adobe's Patch Tuesday updates included patches for Adobe Flash Player, Adobe Connect and Adobe Dreamweaver, addressing 7 critical vulnerabilities.

Spring break vulnerability jeopardizes Pivotal Spring projects

A remote code execution flaw, dubbed Spring Break, that affects various Pivotal Spring projects could allow an attacker to run arbitrary commands.

Old version of HPE Lights-Out server management tech contains DoS vulnerability

Hewlett Packard Enterprise has disclosed the discovery of a serious vulnerability in a previous version of its Lights-Out 3 embedded server management technology, which could be remotely exploited to trigger a denial of service condition.