Patch | SC Media

Patch

Drupal software update patches highly critical RCE bug

The developers of Drupal this week issued a security advisory urging users to update their software following the discovery of a highly critical remote code execution vulnerability in their open-source content management framework. “Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases,” the…

Adobe issues new patch for Acrobat and Reader

Adobe released a security update patching a bypass for a critical vulnerability that was fixed in February 2019. The bypass affected CVE-2019-7089 for Adobe Acrobat and Reader for Windows and macOS versions 2019.010.20091, 2017.011.30120 and 2015.006.30475. If left unpatched and successfully exploited, it could lead to sensitive information disclosure in the context of the current…

Xiaomi electric scooter vulnerability allows remote hacks

The Xiaomi M365, a popular electric scooter used by several ride-share companies such as BIRD as well as for personal ownership, is vulnerable to remote hacking due to improper password validation. The scooters are enabled with Bluetooth access, which allows the user to interact with the scooters for multiple features including its Anti-Theft System, Cruise-Control,…

Cisco Network Assurance Engine (NAE) contains password vulnerability

A default password vulnerability in Network Assurance Engine (NAE) could allow an unauthenticated, local attacker to gain unauthorized access or cause a Denial of Service (DoS) condition on the server. A flaw in NAE’s password management system can be exploited by authenticating with the default administrator password via the CLI of an affected server. Version…

Flaw in runC could allow malicious containers to infect host environment

A vulnerability discovered in the runC container management tool has exposed multiple privileged container systems to a potential exploit through which attackers could allow malware to escape a container and compromise an entire host system. Designated CVE-2019-5736, the flaw allows attackers to use a malicious container to overwrite the host runC binary during the execution…

77 updates in Microsoft patch Tuesday

Microsoft released 77 updates, 20 of which were classified as critical, in this month's Patch Tuesday announcement. The updates included fixes for Microsoft Windows, Office, IE and Edge, resolving a total of 74 unique CVEs this month, including one actively exploited zero-day flaw in Internet Explorer, according to its February Patch Tuesday release. The zero…

Apple issues seven updates, fixes more than 40 vulnerabilities in iOS 8, OS 10.9.5

Apple patches two flaws reportedly exploited in zero-day attacks; also nixes FaceTime eavesdropping bug

Apple yesterday released security updates for iOS and macOS Mojave, repairing four vulnerabilities, including two that a Google researcher says were exploited in the wild as zero days. The two exploited flaws consisted of memory corruption issues caused by insufficient input validation. The first, CVE-2019-7286, is a privilege escalation vulnerability in the Foundation framework that…

Marvell Avastar SoCs vulnerable to Wi-Fi attack

The Software Engineering Institute CERT/CC has issued an advisory note on a vulnerability (CVE-2019-6496) in Marvell Avastar wireless system on a chip (SoC) models. The affected SoC models – 88W8787, 88W8797, 88W8801, and 88W8897 – can suffer an overflow condition, resulting in overwriting certain block pool data structures due to a block pool memory overflow,…

Attorney claims Apple FaceTime eavesdropping glitch “allowed” recording of deposition

Houston attorney Larry Williams is suing Apple over the recently disclosed FaceTime bug which allows callers to listen to the audio of the recipient before they answer the phone, claiming it allowed the recording of a private deposition. Williams argued Apple was negligent when it allowed the microphone to be used in this way and…
