Vulnerability summary for the week: June 5, 2020


Here’s a short overview of this week’s most important security vulnerabilities.

Google addressed multiple vulnerabilities in its Chrome browser, four of which are rated high severity (CVE-2020-6493, CVE-2020-6494, CVE-2020-6495, CVE-2020-6496). They could allow a remote attacker to compromise the target system, perform spoofing attacks, or bypass security restrictions.

Mozilla has also released updates that patch numerous bugs in Firefox, Firefox ESR, and the Thunderbird email client. The updates fix several high-risk flaws that a remote attacker could use to execute arbitrary code or compromise a vulnerable system.

Apple has released security updates to address a vulnerability (CVE-2020-9859) that had been used to jailbreak iPhones running iOS 13.5. The vulnerability affects the iOS kernel and could allow an application to execute arbitrary code with kernel privileges.

This week, reports emerged of a serious vulnerability affecting LG Android smartphones sold over the last seven years. The flaw, tracked as CVE-2020-12753, resides in the bootloader component that ships with LG smartphones.

The vulnerability is caused by improper input validation in the bootloader and allows an attacker to execute arbitrary code on the device. The attack requires physical access to the device. LG released a firmware fix in May 2020.

ABB's Central Licensing System contains a high-risk vulnerability that can lead to a data leak: a remote attacker who sends specially crafted XML to the affected application could gain access to sensitive information.

Two serious vulnerabilities have been patched in the Zoom client application that could allow a remote attacker to write files to the targeted user's system.

The flaws (CVE-2020-6109 and CVE-2020-6110) are path traversal issues; because the attacker controls where the file lands, they can lead to arbitrary code execution. One affects Zoom 4.6.10 and 4.6.11, the other only 4.6.10 and earlier. Newer versions of the video conferencing app fix both flaws.
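To make the bug class concrete, here is an added example (not Zoom's code, and not taken from the advisories) of how a path traversal in a peer-supplied file name turns a "save received file" routine into an arbitrary file write, next to a hardened version that resolves the final path and refuses anything outside the download directory. The directory names and the hostile file name are constructed for the demonstration.

```python
"""Path-traversal file write (the bug class in the Zoom advisories) and a
hardened save routine.  Added illustration, not Zoom's implementation."""
import os
import shutil
import tempfile


def vulnerable_save(download_dir: str, remote_name: str, data: bytes) -> str:
    """Joins the peer-supplied name onto the download directory unchecked.
    A name such as '../outside/evil.txt' escapes download_dir entirely."""
    path = os.path.join(download_dir, remote_name)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def safe_save(download_dir: str, remote_name: str, data: bytes) -> str:
    """Resolves the final path (symlinks included) and rejects it unless it
    stays strictly inside download_dir.  Raises ValueError on traversal."""
    base = os.path.realpath(download_dir)
    # os.path.join discards base when the name is absolute, and a backslash
    # is a separator on Windows, so refuse both up front (policy choice).
    if os.path.isabs(remote_name) or "\\" in remote_name:
        raise ValueError(f"rejected file name: {remote_name!r}")
    path = os.path.realpath(os.path.join(base, remote_name))
    if path == base or os.path.commonpath([base, path]) != base:
        raise ValueError(f"path traversal attempt: {remote_name!r}")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Runs both routines against a constructed hostile name and reports:
    whether the vulnerable routine wrote outside the download folder,
    whether the safe routine rejected the name, and where a benign name
    ends up (relative to the download folder)."""
    root = tempfile.mkdtemp()
    try:
        downloads = os.path.join(root, "Downloads")  # stand-in download dir
        os.makedirs(downloads)
        base = os.path.realpath(downloads)
        hostile = "../outside/evil.txt"  # constructed attacker-controlled name

        written = os.path.realpath(vulnerable_save(downloads, hostile, b"pwned"))
        escaped = os.path.commonpath([base, written]) != base

        try:
            safe_save(downloads, hostile, b"pwned")
            rejected = False
        except ValueError:
            rejected = True

        benign = safe_save(downloads, "cat.gif", b"GIF89a")
        return {
            "vuln_escaped": escaped,
            "safe_rejected": rejected,
            "safe_path": os.path.relpath(benign, base),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The check that matters is the comparison after `realpath`: normalising the string alone is not enough, since a symlink inside the download folder can point outside it, and rejecting (rather than silently stripping `..`) keeps the failure visible in logs.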

Fortinet FortiClient for Windows has a vulnerability that could lead to information disclosure attacks. The flaw stems from a hard-coded cryptographic key in the default configuration file, which a malicious actor can use to decrypt sensitive data on the target system.

Multiple vulnerabilities were fixed in FreeRDP, a free remote desktop protocol client, and Node.js, an open source server environment, including several bugs (CVE-2020-11019, CVE-2020-11038 and CVE-2020-11039 in FreeRDP, and CVE-2020-8174 in Node.js) that could be exploited to achieve remote code execution or to launch denial-of-service attacks.
