The new year is upon us, and as such, it is a time to reflect on what worked over the past 12 months, and more importantly, what didn’t work. Organizations all over the world are utilizing applications, operating systems, and IoT devices while their data, and their customer’s data, increasingly lives in the cloud. Organizations should take the beginning of the year as a housekeeping opportunity to assess their systems to set themselves up for success in the new year.
Synopsys Cybersecurity Research Center (CyRC) researchers have discovered CVE-2020-27223, a denial of service vulnerability in Eclipse Jetty, a widely used open source web server and servlet container.
Positive Technologies security researcher Alexander Popov has discovered and fixed five similar issues in the virtual socket implementation of the Linux kernel. These vulnerabilities could be exploited for local privilege escalation, as confirmed by Popov in experiments on Fedora 33 Server. The vulnerabilities, known together as CVE-2021-26708, have received a CVSS v3 base score of 7.0 (high severity).
Positive Technologies expert Egor Dimitrenko discovered a high-severity vulnerability in the VMware vSphere Replication data replication tool. This solution allows organizations to create backups of virtual machines and run them if the main virtual machine reports a failure. The bug could have allowed attackers with access to the VMware vSphere Replication administration web interface to execute arbitrary code on the server with maximum privileges and start lateral movement on the network to seize control of the corporate infrastructure.
SHAREit, an Android application which has been downloaded more than a billion times, contains unpatched security vulnerabilities that the app maker has failed to fix for more than three months, according to a Trend Micro report.
A record number of critical and high severity vulnerabilities were logged to the National Institute of Standards and Technology (NIST) and its National Vulnerability Database (NVD) in 2020. THE NVD is a repository of Common Vulnerabilities and Exposures (CVEs) reported by security professionals, researchers and vendors. It is used by security teams around the world to stay up to date with security vulnerabilities as they are discovered. In January 2021, Redscan performed an analysis of the NVD to examine security and vulnerability trends. Their report focuses on vulnerabilities discovered in 2020, but also highlights wider CVE trends that have emerged since 1989.
After auditing the security of Helpdesk Software solution Deskpro in accordance with the company's Responsible Disclosure Bug Bounty Program, the Checkmarx Security Research Team discovered a severe cross-site scripting (XSS) issue that can be exploited multiple ways.
According to Menlo Security, Google Chrome users don't always take time to relaunch browser updates, and some legacy applications don't support new versions of Chrome.
Menlo Labs discovered that there are 49 different versions of Chrome being used by their customers as of November 17. Nearly two-thirds (61 percent) are running the latest build (.86) while just over a quarter (28 percent) are running one version prior (.85). Out of the customers running .86, a staggering 83 percent are running versions of Chrome that are vulnerable (
Rapid 7 has disclosed a set of address bar spoofing vulnerabilities that affect a number of mobile browsers, ranging from the more common browsers, like Apple Safari and Opera Touch, to the less common, like Bolt Browser and RITS Browser. The announcement is a coordinated vulnerability disclosure publication with security researcher, Rafay Baloch.
