On Monday, February 13, Apple released fixes for multiple products, including iOS, macOS, Safari, iPadOS, tvOS, and watchOS. Updates for iOS and iPadOS 16.3.1 and macOS 13.2.1 address an actively-exploited arbitrary code execution flaw in WebKit/Safari. Note: The 0-day vulnerability is part of “WebKit”. WebKit is Apple’s open source browser engine that is included in other …
Vulnerabilities
Toyota has fixed a vulnerability in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal that allowed a security researcher to gain access to corporate and partner accounts, and other sensitive data. GSPIMS is used by Toyota employees and suppliers to coordinate supply chain tasks. The researcher notified Toyota about the backdoor login …
OpenSSH maintainers have released an updated version of the open-source implementation of the SSH protocol to fix three security issues. OpenSSH 9.2/9.2p1 includes a fix for a pre-authentication double-free memory vulnerability that was introduced in OpenSSH 9.1. Note: One of the vulnerabilities may allow remote code execution pre-authentication. It will likely be difficult to exploit, …
Both France’s and Italy’s Computer Emergency Response Teams (CERTs) have issued alerts warning “of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.” The vulnerability (CVE-2021-21974) affects ESXi 7.0, 6.7 and 6.5. Support for ESXi 6.7 and 6.5 ended in October 2022. The flaw was disclosed, and a fix was …
Researchers from SaiFlow have detailed vulnerabilities affecting electric vehicle (EV) charging stations that could be exploited to cause denial-of-service or trick them into charging vehicles without payment. The vulnerabilities lie in the Open Charge Point Protocol (OCPP) standard. Note: Electric Vehicle chargers are more than high power electric outlets. The cable connecting the car to …
Researchers at Palo Alto Networks Unit 42 say that a vulnerability in Realtek Jungle SDK accounted for 40 percent of attacks they reviewed between August and October 2022. In a post, the researchers write, “As of December 2022, we’ve observed 134 million exploit attempts in total leveraging this vulnerability, and about 97% of these attacks …
QNAP has made firmware updates available for a flaw in QTS and QuTS hero that could be exploited to inject malicious code. The vulnerability affects QNAP network attached storage (NAS) devices running QTS 5.0.1 and QuTS hero 5.0.1. Note: Just as a quick reminder: Do not expose your network storage to the internet. No matter …
The Internet Systems Consortium (ISC) has published four advisories to address high severity vulnerabilities in its Berkeley Internet Name Domain (BIND) 9. All of the flaws affect the named BIND9 daemon, which is an authoritative name server and a recursive resolver. Note: The fix is to update to the patched version of BIND 9 most …
Researchers from Sonar have detailed three vulnerabilities in the open-source health record and medical practice management software OpenEMR. The flaws – an unauthenticated file read, authenticated local file inclusion, and authenticated reflected XSS – could be exploited to execute arbitrary system commands and steal patient data. All three flaws are fixed in OpenEMR version 7.0.0. …
Google has updated the Stable channel for Chrome to version 109.0.5414.119 for Mac and Linux and 109.0.5414.119/.120 for Windows. The newest version of the browser includes fixes for six vulnerabilities. Four of the flaws were submitted by external researchers. These include use after free vulnerabilities in WebTransport, WebRTC, and GuestView, and a type confusion …
Researchers from Akamai say that most Windows data centers have not patched systems against a critical spoofing vulnerability in CryptoAPI. The US National Security Agency (NSA) and the UK National Cybersecurity Centre (NCSC) disclosed the vulnerability to Microsoft and the issue was patched in August 2022. In the update guide for the vulnerability (CVE-2022-34689), Microsoft …
VMware has released updates to fix four vulnerabilities in its vRealize Log Insight product. Two of the flaws are critical: a directory traversal vulnerability and a broken access control vulnerability. Both could be exploited to achieve remote code execution. The other fixed flaws are a deserialization vulnerability that could be exploited to create denial of …
Apple released fixes for multiple security issues in iOS and macOS, including a remotely exploitable zero-day flaw in iOS. The type confusion issue in Apple WebKit browser engine was deemed serious enough to prompt Apple to release updates for older versions of iOS. Note: Impressive from Apple to release an update for hardware released 10 …
Cisco has released updates to fix an improper user input validation vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). The vulnerability could be exploited to conduct an SQL injection attack. Note: While Cisco is not aware of this being exploited in the wild, it’s …
Vulnerabilities in historian database servers raise concerns as they can provide a connection between an organization’s IT and OT networks. Researchers at Claroty have detailed their findings about a set of vulnerabilities in the GE Proficy Historian. The report notes that “these critical databases not only store data collected from industrial control systems, but they …