Experts urged users to prioritize patches for Microsoft Exchange and Excel, those favorite platforms so frequently targeted by cybercriminals and nation-state actors.
Threatpost
Posts tagged "fixes"
Google Emergency Update Fixes Two Chrome Zero Days
This is the second pair of zero days that Google’s fixed this month, all four of which have been actively exploited in the wild.
Threatpost
Cisco Issues Critical Fixes for High-End Nexus Gear
Networking giant issues two critical patches and six high-severity patches.
Threatpost
HPE Fixes Critical Zero-Day in Server Management Software
The bug in HPE SIM makes it easy as pie for attackers to remotely trigger code, no user interaction necessary.
Threatpost
India fixes surge pricing limits for Uber and Ola drives
Following the Covid-19 led lockdown, cab hailing services in India are facing tough times and this move is likely to further add to their woes.
Cisco fixes major security flaws in Webex on Windows and Mac
Cisco has addressed two high severity vulnerabilities in its Webex video conferencing software that could have allowed unprivileged attackers to run programs and code on vulnerable systems.
The two vulnerabilities, tracked as CVE-2020-3263 and CVE-2020-3342, affect Cisco Webex Meetings Desktop App releases earlier than version 39.5.12. and all Webex users should update their software to the latest version to avoid falling victim to any potential exploits.
In an advisory concerning the arbitrary program execution flaw affecting Webex's Windows client, Cisco provided more details on the vulnerability and explained what an attacker could do to a user's system following a successful exploit, saying:
- Cisco is making Webex even smarter with AI
- Cisco Webex triples capacity and doubles down on security
- Billions will be spent on video conferencing in 2020
“The vulnerability is due to improper validation of input that is supplied to application URLs. The attacker could exploit this vulnerability by persuading a user to follow a malicious URL. A successful exploit could allow the attacker to cause the application to execute other programs that are already present on the end-user system. If malicious files are planted on the system or on an accessible network file path, the attacker could execute arbitrary code on the affected system.”
Webex vulnerabilities
Cisco also patched a remote code execution vulnerability in Webex's Mac client that was caused by improper certificate validation on software update files downloaded by the software.
The vulnerability could allow an unauthenticated attacker to remotely execute arbitrary code with the same privileges of the logged in user on macOS. In a separate advisory, Cisco explained how an attacker could exploit the vulnerability, saying:
“An attacker could exploit this vulnerability by persuading a user to go to a website that returns files to the client that are similar to files that are returned from a valid Webex website. The client may fail to properly validate the cryptographic protections of the provided files before executing them as part of an update.”
Cisco has since fixed both of these vulnerabilities with the release of version 40.1.0 of Webex for Windows and version 39.5.11 of Webex for Mac. Windows and Mac users can update their Cisco Webex clients by following these instructions while admins can update both versions of the client by following this guide.
- We've also highlighted the best video conferencing software
Via BleepingComputer