Vulnerabilities | SC Media


Apple releases security updates for iOS, iTunes, more


Apple has released security updates for several of its products to address vulnerabilities that could allow an attacker to take control of an affected system. The vulnerabilities affect iCloud for Windows, Safari, iTunes, various macOS versions, tvOS and iOS, among other products, according to a Dec. 5 US-CERT advisory. “NCCIC encourages users and administrators to…

Adobe fixes zero-day Flash bug after attackers target Russian clinic with exploit


Adobe Systems today issued an emergency security update for Flash Player following the discovery of a critical vulnerability that attackers were actively exploiting in a Nov. 29 phishing operation targeting a Russian state health care institution. The zero-day arbitrary code execution exploit was specifically employed against Moscow-based “Polyclinic No. 2” of the Administrative Directorate of…

NUUO NVRmini2 Network Video Recorder firmware vulnerability allows arbitrary code


A vulnerability in NUUO NVRmini2 Network Video Recorder firmware version 3.9.1 and prior could allow an unauthenticated remote attacker to execute arbitrary code on the system with root privileges. The product is vulnerable to an unauthenticated remote buffer overflow caused by the improper sanitization of user-supplied inputs and a lack of length checks on data…

Inspector General’s report documents security flaws at Arizona Medicare MCOs


A recent risk assessment of information systems at two Arizona-based Medicaid managed care organizations turned up 19 vulnerabilities, according to a new report from the Department of Health and Human Services Office of the Inspector General. Collectively, the flaws were related to remote network access (2), password and login controls (2), physical security controls (1), network…

DHS algorithm to assess federal agencies’ cyber posture


Federal agencies are reportedly feeding data into a special algorithm introduced by the Department of Homeland Security (DHS) in order to assess their cyber posture scores. This Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm should go into full production by fiscal year 2020, news outlet GCN reported yesterday, citing a public presentation yesterday by DHS Continuous…

Schneider’s Modicon Quantum programmable logic controller plagued with vulnerabilities at end of life


Multiple vulnerabilities were discovered in Schneider’s Modicon Quantum programmable logic controller affecting all M340, Premium, Quantum PLCs and BMXNOR0200 products. Modicon Quantum products are used for complex process control, safety and infrastructure in industrial settings like manufacturing and were found to contain vulnerabilities that could allow an attacker to change any user’s password including the…

VMware advisory warns users to patch critical issue in product

VMware issues critical security update for Workstation and Fusion products


VMware last week issued a security update for its Workstation and Fusion virtual network devices, patching a critical integer overflow vulnerability that, if exploited, could allow unauthorized guests to execute code on the host. Designated CVE-2018-6983, the hypervisor vulnerability is fixed in versions 14.1.5 and 15.0.2 of Workstation Pro and Workstation Player, and versions 10.1.5 and 11.0.2…

Adobe patches critical type confusion bug in Flash Player


Adobe Systems today released an out-of-band security update that fixes a critical type confusion vulnerability in Flash Player, which if exploited could lead to arbitrary code execution in the context of the current user. Designated CVE-2018-15981, the bug was found in versions and earlier of Flash Player Desktop Runtime, Flash Player for Google Chrome…

Children’s smartwatches once again found vulnerable


China-based company MiSafe is once again making headlines with its unsecured products after a pen tester found that its child tracking smartwatches were highly insecure. MiSafe previously drew controversy after the firm’s Mi-Cam baby monitors were found to be susceptible to unauthenticated access and hijacking of arbitrary baby monitors. Pen Test Partners researchers…

Privilege escalation bug patched in Accelerated Mobile Pages WordPress plug-in


A WordPress plug-in used to build faster-loading web pages was discovered to contain a privilege escalation vulnerability that allows unauthorized attackers to inject malicious HTML code into the main page. In a company blog post yesterday, researchers at WebARX disclosed the bug, which resides in the “AMP for WP – Accelerated Mobile Pages” plug-in. The…
