On November 11, 2020, Google Chrome issued an update announcement for the browser across all platforms. Google confirmed that the “stable channel” desktop Chrome browser is being updated to version 86.0.4240.198 across Windows, Mac, and Linux platforms. As per Google’s official sources, this urgent update will start rolling out over the coming few days or weeks. About … Continue reading “Two Zero-days in Google Chrome”
Apple Devices Critical Vulnerabilities (CVE-2020-27930, CVE-2020-27950, CVE-2020-27932)
Overview On November 5th, 2020, three iOS zero-day vulnerabilities were patched by Apple, which were exploited in the wild affecting Apple devices such as iPhone, iPad, and iPod. Ben Hawkes from Google Project Zero discovered these flaws that were affecting variants of Apple devices. CVE-2020-27930 (RCE) – An RCE in FontParser library that was triggered … Continue reading “Apple Devices Critical Vulnerabilities (CVE-2020-27930, CVE-2020-27950, CVE-2020-27932)”
Git Large File Storage Remote Code Execution Vulnerability on Windows systems (CVE-2020-27955)
Overview Git is a free and open-source distributed version control system designed to handle everything from small to very large projects with speed and efficiency. A critical vulnerability was reported in the Git framework in Git Large File Storage (LFS). With this vulnerability, Windows-system victims are tricked into cloning the attacker’s malicious repository using a … Continue reading “Git Large File Storage Remote Code Execution Vulnerability on Windows systems (CVE-2020-27955)”
SaltStack Framework Critical Vulnerabilities (CVE-2020-16846, CVE-2020-17490, CVE-2020-25592)
Overview Recently, SaltStack announced three severely critical bugs and has recommended users to prioritize and immediately apply the appropriate patches. Let’s understand all three bugs one by one: CVE-2020-16846 – If SSH client is enabled, sending crafted requests to Salt API results in shell injection. Thus, a client with network access to SaltStack Salt API … Continue reading “SaltStack Framework Critical Vulnerabilities (CVE-2020-16846, CVE-2020-17490, CVE-2020-25592)”
Oracle Solaris Buffer Overflow Vulnerability (CVE-2020-14871)
Overview A critical buffer overflow vulnerability (CVE-2020-14871) was addressed in Oracle Critical Patch Update (CPU) released in October 2020. This vulnerability was present in the Pluggable authentication module, which is a component of Oracle Systems. Successful exploitation of this flaw could result in taking complete control over vulnerable systems with network access. FireEye security researchers … Continue reading “Oracle Solaris Buffer Overflow Vulnerability (CVE-2020-14871)”
Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability (CVE-2020-14750)
Overview Recently, Oracle released its critical October update to patch CVE-2020-14882. Oracle WebLogic Server has now observed that attackers can now bypass this patch exposing an unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2020-14750). As per CVE-2020-14750, unauthorized attackers can continue to bypass the WebLogic background login restrictions and control the server even after WebLogic is … Continue reading “Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability (CVE-2020-14750)”
Google Fixes Second Chrome Zero Day
Google released an update today for its Chrome web browser that patches ten security bugs. Google confirmed that the “stable channel” desktop Chrome browser is being updated to version 86.0.4240.183 across Windows, Mac, and Linux platforms. About the security bugs The Chrome team has issued updates for several security fixes. Among these security bugs, 7 … Continue reading “Google Fixes Second Chrome Zero Day”
Microsoft Windows Kernel Zero-Day Vulnerability Alert
Security researchers from Google’s Project Zero have disclosed a zero-day vulnerability yesterday (tracked as CVE-2020-17087) in the Windows operating system which is currently being exploited in the wild. According to Google’s Project Zero security researchers Mateusz Jurczyk and Sergei Glazunov, the bug allows an attacker to escalate their privileges in Windows. Attackers are abusing the … Continue reading “Microsoft Windows Kernel Zero-Day Vulnerability Alert”
Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2020-14882)
Overview Recently, Oracle released the Critical Patch Update (CPU) for the critical RCE vulnerability (CVE-2020-14882). This vulnerability is discovered in the console component of WebLogic Server which is a product of Oracle Fusion Middleware. Successful exploitation of this flaw could result in taking complete control over vulnerable systems having network access. In this patch, two … Continue reading “Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2020-14882)”
Pulse Connect Secure Remote Code Execution via Uncontrolled Gzip Extraction (CVE-2020-8260)
On Oct 26th, 2020, Pulse issued a security advisory addressing multiple vulnerabilities of high severity in Pulse appliances. Among the multiple vulnerabilities, CVE-2020-8260 was identified as a Remote Code Execution vulnerability via Uncontrolled Gzip Extraction with a CVSSv3 base score of 7.2. Vulnerability Details: Security researchers Richard Warren and David Cash of NCC Group Research … Continue reading “Pulse Connect Secure Remote Code Execution via Uncontrolled Gzip Extraction (CVE-2020-8260)”