Emergency Response

Overview On March 23, local time, Microsoft released an out-of-band security advisory ADV200006 to address two critical 0-day vulnerabilities in Adobe Type Manager Library. A vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a crafted multi-master font, namely, the Adobe Type 1 PostScript format. An attacker could exploit the […]

Vulnerability Description Security researchers from NSFOCUS found a directory traversal vulnerability (CVE-2020-5405) in the Spring Cloud Config component. On February 26, Spring released a security bulletin to announce this vulnerability and also expressed appreciation to NSFOCUS.

Overview On March 11, Beijing time, Microsoft released March 2020 updates to fix vulnerabilities among which is a remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3) indicated in a security bulletin released earlier. This vulnerability exists in the way the Microsoft SMBv3 protocol handles certain requests. An attacker could exploit this vulnerability […]

Overview On March 11, Beijing time, Microsoft released March 2020 updates to fix vulnerabilities among which is a remote code execution vulnerability in Microsoft Server Message Block 3.1.1 (SMBv3) indicated in a security bulletin released earlier. Instead of a security patch, Microsoft currently provides a workaround for users to mitigate this vulnerability.

Vulnerability Description On March 6, the United States Computer Emergency Readiness Team (US-CERT) release a security bulletin to announce a 17-year-old remote code execution vulnerability in the PPP daemon (pppd). This vulnerability affects nearly all Linux-based operating systems and network device firmware. This vulnerability is a buffer overflow vulnerability (CVE-2020-8597), with a CVSS score of […]

Vulnerability Description On February 25, security updates were released for Google Chrome and Microsoft Edge. The open-source JavaScript and WebAssembly engines in V8 in Google Chrome before 80.0.3987.122 and Microsoft Edge browser before 80.0.361.62 are prone to a type confusion vulnerability (CVE-2020-6418), which allows attackers to access data in an unauthorized way, thereby executing malicious […]

Overview Recently, two remote code execution vulnerabilities (CVE-2020-9547 and CVE-2020-9548) were fixed in jackson-databind. By using two components (ibatis-sqlmap and anteros-core) to bypass the blacklist restriction, attackers could exploit these vulnerabilities to cause remote code execution on the victim’s machine.

Vulnerability Description On January 15, 2020, Oracle released Critical Patch Update (CPU) for January 2020 that fixes 334 vulnerabilities of different risk levels, including a remote code execution vulnerability (CVE-2020-2555) with the CVSS score of 9.8 in the deserialization by Oracle Coherence deserialization. This vulnerability allows an unauthenticated attacker to launch attacks via a crafted […]

Overview On February 24, local time, researchers from Qualys released a remote code execution vulnerability (CVE-2020-8794) existing in OpenSMTPD. As part of the OpenBSD part, OpenSMTPD (also known as OpenBSD’s mail server) is a free implementation of the server-side SMTP protocol as defined by RFC 5321. CVE-2020-8794 is an out-of-bounds read vulnerability. Attackers could exploit […]

Overview On February 24, local time, Google released updates for fixing multiple vulnerabilities existing in the desktop Chrome browser, including the high-risk CVE-2020-6418 vulnerability that has been exploited by attackers in the wild. CVE-2020-6418 is a type confusion vulnerability in V8, which is Google Chrome’s open-source JavaScript and WebAssembly engine. This vulnerability was discovered and […]