Adobe released security bulletin APSB19-02 that describes two security updates for critical vulnerabilities in Adobe Acrobat and Reader. In these updates only two vulnerabilities were fixed, but they are classified as Critical because they allow privilege escalation and arbitrary code execution.
The first vulnerability was assigned ID CVE-2018-16011 and is a use-after-free bug that could allow arbitrary code execution. The second vulnerability was assigned CVE-2018-19725 and allows attackers to execute code at a higher privilege level.
Schneider Electric is warning about a critical vulnerability in its EVLink Parking devices – a line of electric vehicle charging stations. The energy management and automation giant said the vulnerability is tied to a hard-coded credential bug that exists within the device that could enable attackers to gain access to the system.
Affected are EVLink Parking floor-standing units (v3.2.0-12_v1 and earlier). The vulnerability (CVE-2018-7800) is one of three fixes issued by Schneider last week impacting the electric charging stations. The company also issued warnings and fixes for a code injection vulnerability (CVE-2018-7801) and a SQL injection bug (CVE-2018-7802).
Red Hat has issued a critical Security Advisory and patches for CVE-2018-1002105, a privilege escalation flaw impacting Kubernetes, the most popular cloud container orchestration system. Kubernetes makes it possible to orchestrate containerized applications together, enabling composite services comprised of hundreds, or even thousands, of “simpler” services.
The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall. All Kubernetes-based services and products are affected.
Read more about the critical Kubernetes flaw on Red Hat.
Adobe released a patch for a critical flaw that leaves its Flash Player vulnerable to arbitrary code execution by an adversary. Affected are versions of the Flash Player running on Windows, macOS, Linux and Chrome OS. In tandem, a Microsoft Security Advisory was also issued for the bug (CVE-2018-15981).
The bug is a “type confusion” vulnerability, which is a common attack technique used against Adobe’s ActionScript Virtual Machine. “Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,” according to a Microsoft description of the bug. Israel-based researcher Gil Dabah is credited with identifying the flaw.
Read more about the critical Adobe Flash vulnerability on Threatpost.
If you’re one of the 100,000+ users of AMP for WP, good news – the popular plugin for implementing Accelerated Mobile Pages returned to WordPress.org last week. AMP is a Google technology through which users of publishing partners such as WordPress can create pages that will load faster on mobile devices. Doing that requires a plugin, which is where AMP for WP comes in.
The plugin’s hiatus, which began when it abruptly disappeared on 21 October, was starting to look a little unusual. According to a note from the developer, the reason for the disappearance was an ominous-sounding security flaw that “could be exploited by non-admins of the site.”
Read more about the security flaw affecting AMP for WP on NakedSecurity.
Leading commercial drone maker DJI patched a cross-site scripting bug impacting its forums that could have allowed a hacker to hijack user accounts and gain access to sensitive online data, ranging from flight images, bank card data and flight records to real-time camera images.
The vulnerability is significant given DJI’s estimated 70 percent market share of the commercial and consumer market, according to IDC researchers, who pointed out that “[s]ectors ranging from energy, government and public safety could potentially have their entire drone programs exposed.” Check Point publicly disclosed the bug Thursday. Researchers said they found the flaw in March. DJI said it fixed the forum vulnerability in September.
Online note sharing company Evernote has patched a hole that allowed attackers to infect notes shared via its service. The vulnerability (CVE-2018-18524) could have allowed an attacker to run programs remotely on a victim’s computer simply by sharing a note with them and persuading them to view it. Evernote has patched the vulnerability in Evernote for Windows 6.16.1 beta.
The vulnerability, discovered by TongQing Zhu, a researcher at Chinese cybersecurity company Knownsec, was a form of cross-site scripting (XSS) attack. XSS attacks allow attackers to inject malicious code into websites.
Read more about the critical Evernote flaw for Windows on Naked Security.
The Apache Software Foundation is urging users that run Apache Struts 2.3.x to update the Commons FileUpload library to close a serious vulnerability that could be exploited for remote code execution attacks.
Apache Struts 2 is a widely used open source web application framework for developing Java EE web applications. The Commons FileUpload library is used to add file upload capabilities to servlets and web applications. The vulnerability (CVE-2016-1000031) is present in Commons FileUpload versions before 1.3.3, and arose due to the inclusion of a Java Object that can be manipulated to write or copy files to disk in arbitrary locations.
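To find copies of Commons FileUpload older than 1.3.3 in a deployment tree, including jars bundled inside WAR or EAR archives, a scan along these lines can help. This is an added example, not code from Apache or the original article; the function names are hypothetical, and it assumes jars keep the standard `commons-fileupload-<version>.jar` file name.

```python
import re
import zipfile
from pathlib import Path

# The page states versions before 1.3.3 are affected by CVE-2016-1000031.
FIXED = (1, 3, 3)
JAR_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/]*\.jar$")
ARCHIVES = {".war", ".ear", ".zip"}  # containers that may bundle the jar


def parse_version(text):
    """'1.3.1' -> (1, 3, 1); padded so that '1.3' compares as (1, 3, 0)."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def check_name(name):
    """Return the version string if `name` is an affected jar, else None."""
    match = JAR_RE.search(name.replace("\\", "/"))
    if match and parse_version(match.group(1)) < FIXED:
        return match.group(1)
    return None


def find_vulnerable(root):
    """Walk `root` and return (location, version) for every jar older than
    1.3.3, looking one level deep into WAR/EAR/ZIP archives as well."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        version = check_name(path.name)
        if version:
            findings.append((str(path), version))
        elif path.suffix.lower() in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as archive:
                for member in archive.namelist():
                    version = check_name(member)
                    if version:
                        findings.append((f"{path}!{member}", version))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for location, version in find_vulnerable(target):
        print(f"commons-fileupload {version} (< 1.3.3): {location}")
```

Matching on file names misses renamed or shaded copies of the library, so treat an empty result as a first pass and confirm against the build's dependency list.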
Microsoft has quietly fixed a bug in the on-hold Windows 10 October 2018 Update that in earlier versions wasn’t telling users when apps requested permission to access all a user’s files. The bug in the Windows ‘broadFileSystemAccess’ API could have given a malicious developer of Universal Windows Platform (UWP) apps access to all a user’s documents, photos, downloads, and files stored in OneDrive.
Microsoft’s monthly Patch Tuesday came with 49 security fixes and two advisories for Internet Explorer (IE), Microsoft Edge, Windows components, Microsoft Office and Office Services, Exchange, SQL Server, ChakraCore, Hyper-V, and .NET Core.
Twelve of the patched vulnerabilities are deemed Critical, 35 are categorized Important, one is Moderate, and one is considered Low severity. Three were known at the time their patches were released, and one is currently being exploited in active attacks. The bug being abused in attacks is CVE-2018-8453, a Win32k elevation of privilege vulnerability that exists in Windows when the Win32k component doesn’t properly handle objects in memory.
Read more about this month’s Patch Tuesday security fixes on DarkReading.