Please see Security Advisories for the week ending November 6, 2020
- Zero-Day Vulnerability in Oracle Solaris Under Active Exploitation
- Apple Releases Security Updates for Multiple Products
- Cisco Releases Security Updates for Multiple Products
- Adobe Releases Security Updates for Acrobat and Reader
- Google Releases Security Updates for Desktop Chrome Browser, including a Zero-Day Vulnerability Being Exploited in the Wild
________________________________
Zero-Day Vulnerability in Oracle Solaris Under Active Exploitation
Situation
Oracle has found and patched a vulnerability (CVE-2020-14871) in their Pluggable Authentication Module (PAM).
Problem
A vulnerability was found in Oracle Solaris operating system 10 and 11 within its PAM module which if exploited could allow attackers to compromise the operating system and potentially allow full control over the systems.
Implication
Systems left unpatched are vulnerable to attack and compromise of their Oracle Solaris operating systems putting the data in those systems at risk.
Need
Oracle recommends installing all critical security patches as soon as possible to ensure system security
For a brief overview:
For a more detailed overview:
https://www.oracle.com/security-alerts/cpuoct2020.html
________________________________
Apple Releases Security Updates for Multiple Products
Situation
Apple has released multiple patches across their entire operating system line from, IOS,OSX,WatchOS,TVOS.
Problem
Apple has detected multiple vulnerabilities within their Operating Systems, the vulnerabilities could allow a remote attacker to take control over the systems.
Implication
If the systems are unpatched remote attackers could exploit vulnerability’s and possibly take over the devices and access user data.
Need
Apple recommends installing all updates on apple devices to ensure security and functionality.
For a brief overview:
For a more detailed overview:
https://support.apple.com/en-us/HT201222
________________________________
Cisco Releases Security Updates for Multiple Products
Situation
Cisco has discovered and patched multiple vulnerability’s in multiple products that may if exploited allow a remote attacker to obtain sensitive information or compromise a network device or gain remote control of the device.
Problem
Cisco has discovered and patched multiple vulnerabilities in their SD-WAN product lines that could if exploited allow a remote attacker to compromise the devices if left unpatched.
Implication
If the vulnerability is exploited it could allow a remote attacker to obtain sensitive information or compromise a network device or possibly obtain complete remote control of the device.
Need
Cisco recommends installing the latest updates to their products to patch vulnerability’s in the products.
For a brief overview:
For a more detailed overview:
________________________________
Adobe Releases Security Updates for Acrobat and Reader
Situation
Adobe has found and patched security vulnerabilities in its Acrobat and Reader products. The vulnerabilities are reported to if exploited potentially give an attacker control of an affected system.
Problem
Vulnerabilities found in Adobe’s Acrobat and Reader products could allow an attacker to exploit them and take control over an affected system. The Versions affected by the Vulnerability are listed in Adobes security bulletin below.
Implication
Unpatched versions of Adobe’s Acrobat and Reader applications could be exploited and allow an attacker to take control of an affected system.
Need
Adobe recommends installing the latest product updates to patch vulnerabilities.
For a brief overview:
For a more detailed overview:
https://helpx.adobe.com/security/products/acrobat/apsb20-67.html
________________________________
Google Releases Security Updates for Desktop Chrome Browser, including a Zero-Day Vulnerability Being Exploited in the Wild
Situation
Google has released security updates for their Chrome browser for Windows, Mac, and Linux operating systems to addressing multiple vulnerabilities including a zero day, CVE-2020-17087, that allows a remote attacker to exploit Chrome web browsers.
Problem
Google has patched a number of high severity vulnerabilities. With the most notable being CVE-2020-16009 caused by an inappropriate implementation in the V8 JavaScript engine, which can allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. Google is aware of reports that an exploit code for this vulnerability (CVE-2020-16009) exists in the wild. Additionally, attackers can use a malicious HTML page to escape Chrome’s sandbox and run code directly onto Windows (7 to 10).
Implication
Attackers can cause a buffer overflow that can be exploited to gain elevated privileges.
Need
Google strongly recommends users and administrators update their desktop Chrome browser to version 86.0.4240.183 or newer. For additional information please visit the link below.
For a more detailed overview:
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html
