IBM is warning infosec pros of a hijacking vulnerability in its DB2 database on Windows.
In a security bulletin issued Thursday, the company said the issue could allow a locally authenticated attacker to execute arbitrary code on the system. The cause is a DLL search order hijacking vulnerability in the Microsoft Windows client.
“By placing a specially crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system,” the bulletin says.
IBM says the issue carries a Common Vulnerability Scoring System (CVSS) Base score of 7.8.
All fix pack levels of IBM DB2 including V9.7 (which reached end of life in September 2017), V10.1, V10.5, V11.1, and V11.5 editions on Windows are affected.
Customers running any vulnerable fixpack level of an affected version can download a special build containing the interim fix for this issue from IBM Fix Central. These special builds are available based on the most recent fixpack level for each impacted release. There are no workarounds or mitigations.
Meanwhile, Cisco has issued patches for its Webex Meetings server and client application to close vulnerabilities that allowed a hacker to listen in to meetings without being detected. A so-called ‘ghost’ attendee could have picked up valuable corporate intelligence.
The vulnerabilities, discovered by IBM researchers, allow a person to have full access to audio, video, chat and screen-sharing without being seen on the participant list. In fact they could stay in a Webex meeting and listen in even after being expelled from a session by maintaining the audio connection.
These vulnerabilities work by exploiting the handshake process that Webex uses to establish a connection between meeting participants, IBM explained. Usually, a client system and a server conduct a handshake process by exchanging ‘join’ messages with information about the attendees, client application, meeting ID, meeting room details and more.
A malicious actor can become a ghost by manipulating these messages during the handshake process between the Webex client application and the Webex server back-end to join or stay in a meeting without being seen by others.
The post IBM urges infosec pros to patch DB2 for Windows, Cisco urges patches for Webex Meetings first appeared on IT World Canada.