Vulnerabilities | SC Media

Vulnerabilities

Cure worse than disease? Patching riskier under COVID-19 work-from-home policies

Patch management was challenging enough before the world was upended by a rapidly spreading pandemic. But with security teams working remotely, and employee-operated devices dispersed across large distances, quickly prioritizing and fixing critical vulnerabilities has become both more difficult and more important. As the 2017 Equifax breach showed, delays in patching can result in a…

Chrome browser update knocks out eight bugs

Google yesterday issued a stable channel update for the desktop version of its Chrome browser for Windows, Mac and Linux, fixing eight vulnerabilities in the process. The patched bugs included at least three high-level bugs, including two use-after-free flaw in WebAudio (CVE-2020-6450 and CVE-2020-6451), and a head buffer overflow in media (CVE-2020-6452). The two WebAudio…

zero day

Zero-day vulnerabilities used against DrayTek routers and switches

Two zero-day vulnerabilities were being used by two different groups to infiltrate DrayTek Vigor enterprise routers and switch devices, enabling the attackers to access traffic and install backdoors. The invasive action was noticed first on Dec. 4, 2019 by Netlab 360 researchers affecting the Vigor2960 v1.5.1, Vigor300B v1.5.1 and Vigor3900 v1.5.1 routers along with the…

APT10

APT41 activity down during China COVID-19 quarantines; massive campaign undeterred

COVID-19 spreading through parts of China did not entirely deter APT41 from carrying out one of the largest campaigns ever conducted by a Chinese cyberespionage group. The attacks were not directly tied to the Coronavirus outbreak nor did the attackers attempt to leverage the virus in any way, but FireEye noted the group’s activity did…

Pwn2Own contest yields 13 bugs, as virtual format expands talent pool

Research teams at the Pwn2Own 2020 competition successfully exploited 13 software vulnerabilities this past week, including bugs found in products from Adobe, Apple, Microsoft, Oracle and Ubuntu. Participants earned $270,000 over the two-day event — the first Pwn2Own ever to be held virtually, as a measure to combat the rapid spread of the novel coronavirus.…

VMware advisory warns users to patch critical issue in product

VMware squashes critical code execution bug in hypervisors

VMware has updated its Workstation hosted hypervisor and Fusion software hypervisor, fixing a critical vulnerability that could be exploited to trigger arbitrary code execution or a denial of service condition. The virtualization and cloud computing software provider company also fixed two important privilege escalation flaws spread out between four of its products. Designated CVE-2020-3947, the most critical…

Microsoft issues out-of-band fix for leaked ‘EternalDarkness’ bug

Due to an apparent error in the Microsoft vulnerability disclosure process, news of an unpatched, critical Microsoft Server Message Block (SMB) vulnerability leaked to the public this past Patch Tuesday. In response to this occurrence, Microsoft today issued an out-of-band security update fixing the flaw. If exploited, the bug could result in a wormable remote…

Cisco fixes three high-level bugs, but a fourth remains unpatched

Cisco Systems this week issued disclosed a dozen software vulnerabilities, including four high-severity flaws, one of which has not been patched. The flaw with no current fix is CVE-2020-3155: a validation error in the SSL implementation of Cisco Intelligent Proximity, a solution that helps laptops, smartphones and other devices automatically discover and link with Webex…

KrØØk vulnerability could allow crooks to intercept WiFi data packets

ESET researchers revealed during a talk at RSA Conference 2020 a vulnerability found in more than one billion WiFi-enabled devices and access points that could allow an attacker to partially read encrypted data being transmitted. Dubbed KrØØk, CVE-2019-15126 is a previously unknown vulnerability found in WiFi chips from Broadcom and Cypress. These are not only…

Next post in Vulnerabilities