The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity vulnerabilities to its Known Exploited Vulnerabilities catalog because they are being exploited in the wild. Both are directory traversal vulnerabilities that could let attackers plant malware on a target system. CISA expects U.S. federal agencies to apply the vendors' patches for both vulnerabilities by August 30, 2022.

The first, tracked as CVE-2022-34713 (aka the DogWalk bug), resides in the Windows Support Diagnostic Tool (MSDT) and allows attackers to drop a malicious executable into the Windows Startup folder. Successful exploitation of DogWalk requires user interaction, which is easy to obtain through social engineering, especially in email- and web-based attacks. In an email attack scenario, the attacker sends a specially crafted file to a user and convinces them to open it; in a web-based scenario, the attacker hosts a website containing a specially crafted file that exploits the flaw. Microsoft patched CVE-2022-34713 in its August 2022 Patch Tuesday release, but an unofficial patch had been available since June 2022.

The second vulnerability added to the catalog is tracked as CVE-2022-30333, a path traversal bug in the UnRAR utility for Unix and Linux systems. An attacker could exploit it to drop a malicious file onto a target system by having it extracted to an arbitrary location during an unpack operation.
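The UnRAR bug belongs to a class of flaws in which an extractor trusts the entry names inside an archive and writes outside the destination directory. The following added example (written for this page, not code from UnRAR or any vendor) shows the two checks a safe extractor needs: a lexical check on the entry name, and a filesystem check that resolves symlinks, since a symlink planted by an earlier entry can redirect a later, innocent-looking entry outside the destination. The entry names, the symlink scenario and the helper names are constructed for illustration and go beyond what the article itself describes.

```python
import os
import posixpath
import tempfile

# Constructed entry names of the kind an archive path-traversal check must reject.
SAMPLE_ENTRIES = [
    "docs/readme.txt",                     # benign relative path
    "../../.config/autostart/x.desktop",   # dot-dot traversal
    "..\\..\\startup\\run.exe",            # backslash variant of the same thing
    "/etc/cron.d/job",                     # absolute path
]

def is_safe_entry_name(name):
    """Lexical check: reject absolute paths, drive letters and '..' segments.
    Backslashes are normalised first because archives written on Windows
    may carry them, and a naive extractor may treat them as separators."""
    norm = name.replace("\\", "/")
    if posixpath.isabs(norm):
        return False
    head = norm.split("/", 1)[0]
    if len(head) == 2 and head[1] == ":":  # e.g. "C:"
        return False
    return ".." not in norm.split("/")

def resolve_inside(dest_dir, name):
    """Filesystem check: resolve the final path with symlinks followed and
    require it to stay under dest_dir. Returns the resolved path, or None
    when the entry would land outside (the case a lexical check misses)."""
    real_dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(real_dest, name.replace("\\", "/")))
    if target == real_dest or target.startswith(real_dest + os.sep):
        return target
    return None

def demo_symlink_escape():
    """Constructed scenario: a symlink inside the destination points outside,
    so 'link/payload' would be written to another directory entirely."""
    with tempfile.TemporaryDirectory() as dest, tempfile.TemporaryDirectory() as outside:
        os.symlink(outside, os.path.join(dest, "link"))
        return (resolve_inside(dest, "link/payload") is None,
                resolve_inside(dest, "docs/readme.txt") is not None)

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{entry!r:40} lexical_ok={is_safe_entry_name(entry)}")
    print("symlink escape blocked, benign entry allowed:", demo_symlink_escape())
```

Both checks must run on every entry: the lexical one catches crafted names before any I/O, and the resolved-path one catches escapes that only exist once earlier entries have been written to disk.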