vulnerabilities Archives - Page 36 of 63

Google Project Zero Announces 2021 Updates to Vulnerability Disclosure Policy

Issued by: Security Week

Project Zero has announced three major changes to its vulnerability disclosure policy in 2021, compared to 2020. Until now, if Project Zero researchers found a security hole in a product, it was disclosed after exactly 90 days, regardless of when a patch was released or whether a patch was available at all. The impacted vendor…

Vulnerabilities

Exploit for Second Unpatched Chromium Flaw Made Public Just After First Is Patched

Issued by: Security Week

The second exploit was publicly disclosed by a researcher who uses the online moniker Frust and who works for Chinese cybersecurity company Qihoo 360. Frust announced the availability of an exploit for a “zero-day” Chrome vulnerability on Twitter on Wednesday, and a few hours later published a blog post with a technical description of the…

Malware & Threats

Siemens Releases Several Advisories for ‘NAME:WRECK’ Vulnerabilities

Issued by: Security Week

IoT security company Forescout on Tuesday revealed that four popular TCP/IP stacks — specifically FreeBSD, Siemens’ Nucleus, IPnet and NetX — are affected by a total of nine DNS-related flaws that can be exploited for remote code execution (including to take control of targeted devices), DoS attacks, and DNS cache poisoning. The vulnerabilities, collectively tracked…

Vulnerabilities

PoC Exploit Released for Unpatched Flaw Affecting Chromium-Based Browsers

Issued by: Security Week

On April 7, at the Pwn2Own 2021 hacking competition, Bruno Keith and Niklas Baumstark of Dataflow Security earned $100,000 for a remote code execution exploit that works against web browsers that are based on Google’s open source Chromium project. The researchers demonstrated the exploit against both Chrome and Microsoft Edge. Visiting a specially crafted website…

Vulnerabilities

Exploit Released for Critical Vulnerability Affecting QNAP NAS Devices

Issued by: Security Week

The bug, specifically a memory corruption issue, was found to impact QNAP NAS devices running Surveillance Station versions 5.1.5.4.2 and 5.1.5.3.2, and was addressed in February this year. Tracked as CVE-2020-2501, this security hole is a stack-based buffer overflow that could be abused by remote attackers to execute code on an affected system, without authentication….

Vulnerabilities

Pwn2Own 2021 Participants Earn Over $1.2 Million for Their Exploits

Issued by: Security Week

Over the course of three days, participants made 23 attempts, targeting Safari, Chrome, Edge, Windows 10, Ubuntu, Microsoft Teams, Zoom, Parallels, Oracle VirtualBox, and Microsoft Exchange. Oracle VirtualBox was only targeted by one team and their attempt failed. The other products were all hacked by at least one team. Results from Pwn2Own 2021The highest rewards…

Vulnerabilities

Vulnerability in ‘Domain Time II’ Could Lead to Server, Network Compromise

Issued by: Security Week

Developed by Greyware Automation Products, Inc., Domain Time II is a time synchronization software designed to help enterprises ensure accurate time across their networks. The suite of tools provides testing, administration, and auditing capabilities. Domain Time II consists of client and server programs, and both use the same executable to check for updates, namely dttray.exe….

Malware & Threats

Cring Ransomware Targets Industrial Organizations

Issued by: Security Week

At the beginning of 2021, the threat actors behind the Cring ransomware were observed launching numerous attacks on European industrial enterprises, forcing at least one organization to shut down a production site. The initial vector of attack was later identified as CVE-2018-13379, a vulnerability in the FortiOS SSL VPN web portal that could allow unauthenticated…

Vulnerabilities

White Hats Earn $440,000 for Hacking Microsoft Products on First Day of Pwn2Own 2021

Issued by: Security Week

The competition’s organizer, Trend Micro’s Zero Day Initiative (ZDI), said there were seven attempts on the first day and five of them were successful. A team called Devcore earned $200,000 for taking complete control of a Microsoft Exchange server by chaining authentication bypass and local privilege escalation vulnerabilities. A researcher who uses the online moniker…

Malware & Threats

Google Patches Critical Code Execution Vulnerability in Android

Issued by: Security Week

Tracked as CVE-2021-0430 and affecting Android 10 and 11, the code execution vulnerability is deemed critical severity. The bug was patched as part of the 2021-04-01 security patch level. “The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file…