Oracle Critical Patch Update for October Contains 180 Fixes

Oracle addresses 180 CVEs across 219 security patches in October’s Critical Patch Update, including a critical vulnerability in Oracle NoSQL Database. On October 15, Oracle released its Critical Patch Update (CPU) for October 2019 as part of its quarterly release of fixes for vulnerabilities. This update contains fixes for 180 CVEs in 219 patches across several Oracle products. The following is …

Critical Zero-Day Pre-authentication Remote Code Execution Exploit Published for 5.x Versions of vBulletin

New critical zero-day pre-auth RCE exploit code published on the Full Disclosure mailing list for 5.x versions of vBulletin.

Background

A preauthentication remote code execution (RCE) zero-day exploit was recently disclosed anonymously for vBulletin 5.x. This zero-day does not seem to have followed ethical disclosure procedures and we have not yet seen a response from vBulletin on this …

No, You Aren’t Being Invited to Win a New Car. That’s Spam on Your Calendar

By abusing the automatic event creation feature of integrated email calendars, spammers are finding ways to send you malicious links that are harder to ignore.

Background

In June, researchers at Kaspersky wrote a detailed blog post about phishing tactics involving calendar invite spam, wherein a spammer can automatically add events to your personal calendar, with no interaction on your part, …

CVE-2019-15846: Unauthenticated Remote Command Execution Flaw Disclosed for Exim

CVE-2019-15846, a new unauthenticated remote code execution vulnerability in the Exim message transfer agent, has been patched in version 4.92.2. Users are encouraged to upgrade immediately.

Background

Exim Internet Mailer is a message transfer agent (MTA) for Unix hosts used to manage mail routing services for an organization. Exim is reportedly the most used MTA in the world, and has over 5 …

CVE-2019-15107: Exploit Modules Available for Remote Code Execution Vulnerability in Webmin

The popular Linux/UNIX systems management tool has more than 3 million downloads per year, and the vulnerability has been present for at least a year, putting many virtual UNIX management systems at risk.

Background

On August 17, Webmin version 1.930 was released to address a remote code execution (RCE) vulnerability (CVE-2019-15107) present in Webmin versions 1.882 to 1.921. According to the …

Critical Vulnerabilities Dubbed URGENT/11 Place Devices Running VxWorks at Risk of RCE Attacks

Eleven vulnerabilities, including RCEs, denials of service, information leaks and logical flaws, were recently disclosed, impacting the RTOS VxWorks.

Background

The Armis Research Team has released an advisory for URGENT/11, which contains six critical RCE vulnerabilities and five additional vulnerabilities in VxWorks, a Real-Time Operating System (RTOS) found in over 2 billion devices, including critical …

Oracle Critical Patch Update for July Contains 265 Fixes

Oracle fixes 265 vulnerabilities in July’s Critical Patch Update.

Background

On July 16, Oracle released its Critical Patch Update (CPU) for July 2019 as part of its quarterly release of fixes for vulnerabilities. This update contains fixes for 265 CVEs, according to the Oracle Advisory to CVE Map, across several Oracle products.

Analysis

Oracle’s July 2019 CPU contains 265 addressed CVEs across …

Unauthorized Call and Webcam Access Vulnerability in Zoom Mac Client (CVE-2019-13450)

A zero-day vulnerability in Zoom could potentially lead to a remote code execution attack. Here’s what you need to know.

Background

Security researcher Jonathan Leitschuh has disclosed a zero-day in the Zoom client for Mac that allows an attacker to force a user to join a Zoom call with their webcam enabled. The disclosure blog also suggests this could potentially lead to a remote code execution …

Microsoft’s July 2019 Patch Tuesday: What You Need to Know

Microsoft’s July 2019 Security Updates were released on July 9, with nearly 80 vulnerabilities patched in this update, 15 of which are critical.

CVE-2019-0865 | SymCrypt Denial of Service Vulnerability

A denial of service vulnerability was identified in SymCrypt, the cryptographic library used to handle cryptographic functions on Windows. Using a specially crafted digital signature, an attacker …

Tenable Roundup for Microsoft’s June 2019 Patch Tuesday

The SandboxEscaper privilege escalation bug is among the nearly 90 vulnerabilities patched in Microsoft’s June 2019 Security Updates. Here’s what you need to know. Microsoft’s June 2019 Security Updates have been released, with nearly 90 vulnerabilities patched in this update, 21 of which are critical.

SandboxEscaper Privilege Escalation Bugs Patched

This month’s release contains fixes for the …