TL;DR: The Tenable Research 2020 Threat Landscape Retrospective

Tenable’s Security Response Team takes a look back at the major vulnerability and cybersecurity news of 2020 to develop insight and guidance for defenders. Søren Kierkegaard, the Danish philosopher, once wrote that “life can only be understood backwards” but “it must be lived forwards.” Tenable’s Security Response Team is tasked with looking at the threat landscape on a day-to-day basis and, while … [Read more...]

Microsoft’s January 2021 Patch Tuesday Addresses 83 CVEs

In its first Patch Tuesday of 2021, Microsoft patched 83 CVEs including 10 critical vulnerabilities Microsoft patched 83 CVEs in the January 2021 Patch Tuesday release, including 10 CVEs rated as critical and 73 rated as important. Compared to Microsoft’s January 2020 Patch Tuesday release, which included fixes for 49 CVEs, this represents a 69% increase in CVEs patched. If that’s any indication, … [Read more...]

Microsoft’s December 2020 Patch Tuesday Addresses 58 CVEs including CVE-2020-25705 (SAD DNS)

The final Patch Tuesday of 2020 includes fixes for 58 CVEs, including workaround details for a severe vulnerability in Windows DNS Resolver called SAD DNS. Microsoft patched 58 CVEs in the December 2020 Patch Tuesday release, including 9 CVEs rated as critical. This month's Patch Tuesday release includes fixes for Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Edge for Android, … [Read more...]

Microsoft’s November 2020 Patch Tuesday Addresses 112 CVEs including CVE-2020-17087

Microsoft addressed over 112 CVEs in its November release, including a zero-day vulnerability in the Windows kernel that was exploited in the wild as part of a targeted attack. Microsoft patched 112 CVEs in the November 2020 Patch Tuesday release, including 17 CVEs rated as critical. This month's Patch Tuesday release includes fixes for Microsoft Windows, Microsoft Office and Microsoft Office … [Read more...]

Government Agencies Warn of State-Sponsored Actors Exploiting Publicly Known Vulnerabilities

State-sponsored actors from Russia and China are leveraging several of the same publicly known vulnerabilities in their attacks, all of which have patches available. On October 20, the National Security Agency (NSA) published a detailed security advisory to inform defenders about Chinese state-sponsored "cyber actors" exploiting known vulnerabilities. The advisory is meant to help network … [Read more...]

Microsoft’s October 2020 Patch Tuesday Addresses 87 CVEs including “Bad Neighbor” Windows TCP/IP Vulnerability (CVE-2020-16898)

For the first time in seven months, Microsoft patches less than 100 CVEs, addressing 87 CVEs in its October release. Microsoft patched 87 CVEs in the October 2020 Patch Tuesday release, including 11 CVEs rated critical. This release follows seven consecutive months of over 100 CVEs patched, in what has been an unusually busy year for Microsoft Patch Tuesday updates. This month's release includes … [Read more...]

Microsoft’s September 2020 Patch Tuesday Addresses 129 CVEs

For the fourth month in a row, Microsoft patches over 120 CVEs, addressing 129 CVEs in its September release. Microsoft patched 129 CVEs in the September 2020 Patch Tuesday release, including 23 CVEs rated critical. This month, several remote code execution (RCE) flaws in Microsoft Office products were patched. Many of these RCEs require a user to open a specially crafted document, making these … [Read more...]

CVE-2020-5776, CVE-2020-5777: Multiple Vulnerabilities in the MAGMI Magento Mass Import Plugin

Tenable Research discovers multiple vulnerabilities in the MAGMI Magento plugin that could lead to remote code execution on a vulnerable Magento site. Background On September 1, we published TRA-2020-51, a Tenable Research Advisory for two vulnerabilities in the Magento Mass Import (MAGMI) plugin. These vulnerabilities were discovered by Enguerran Gillier of the Tenable Web Application Security … [Read more...]