Cybersecurity Vulnerabilities news & analysis | SC Media

Vulnerabilities News and Analyis

Four Iranian nationals indicted in SamSam attacks

By

The Justice Department has indicted two Iranian men behind the SamSam ransomware attacks – that infected the cities of Atlanta, San Diego and Newark, N.J. – as well as two others who converted the ransom into Iranian riyals. Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, “extorted victims by leaving a ransom note in the…

Cisco Webex flaw patched

By

SecureAuth today reported on a vulnerability it found in a recent Cisco Webex Meetings update that if left unpatched could lead to a code execution. The original issue, CVE-2018-15442, affects Webex Meetings desktop app version 33.6.2.16 does not properly validate user-supplied parameters allowing an unprivileged local attacker to exploit this vulnerability by invoking the update…

Schneider’s Modicon Quantum programmable logic controller plagued with vulnerabilities in end life

By

Multiple vulnerabilities were discovered in Schneider’s Modicon Quantum programmable logic controller affecting all M340, Premium, Quantum PLCs and BMXNOR0200 products. Modicon Quantum products are used for complex process control, safety and infrastructure in industrial settings like manufacturing and were found to contain vulnerabilities that could allow an attacker to change any user’s password including the…

VMware advisory warns users to patch critical issue in product

VMware issues critical security update for Workstation and Fusion products

By

VMware last week issued a security update for its Workstation and Fusion virtual network devices, patching a critical integer overflow vulnerability that, if exploited, could allow unauthorized guests to execute code on the host. Designated CVE-2018-6983, the hypervisor vulnerability is fixed in versions 14.1.5 and 15.0.2 of Workstation Pro and Workstation Player, and versions 10.1.5 and 11.0.2…

USPS fixes ‘Informed Delivery’ flaw that exposed 60M users

By

A couple of weeks after the Secret Service issued an alert that cybercriminals were using the U.S. Postal Service’s Informed Delivery feature for identity theft and other forms of fraud, the USPS has fixed a flaw that exposed the personal details of 60 million users who have usps.com accounts. “Just in time for the holidays, USPS has…

Talos discloses three vulnerabilities in Atlantis Word Processor

By

Cisco Talos disclosed three vulnerabilities in the Atlantis Word Processor (AWP). One, CVE-2018-4038, an exploitable arbitrary write vulnerability in open document format parser, could let attackers corrupt memory resulting in code execution. But the miscreants must first get a victim to “open a specially crafted document,” according to an alert. An exploitable uninitialized pointer vulnerability, CVE-2018-4040,…

Adobe patches critical type confusion bug in Flash Player

By

Adobe Systems today released an out-of-band security update that fixes a critical type confusion vulnerability in Flash Player, which if exploited could lead to arbitrary code execution in the context of the current user. Designated CVE-2018-15981, the bug was found in versions 31.0.0.148 and earlier of Flash Player Desktop Runtime, Flash Player for Google Chrome…

dirty cow

DirtyCOW is back in backdoor attack targeting Drupal Web Servers

By

Threat actors are using the DirtyCOW bug to exploit a backdoor in Drupal Web Servers. Impreva researcher Nadav Avital spotted the attack on Oct. 31 exploiting the Drupalgeddon2 and DirtyCOW, bugs as well as system misconfigurations to persistently infect vulnerable Drupal web servers and take over user machines, according to a Nov. 19 blog post. Researchers noted this…

Samsung updates Smart TV privacy policy to clarify collection of user data

Study finds privacy concerns amidst Black Friday tech deals

By

Consumers may want to think twice before taking advantage of the Black Friday discounts offered on the latest Smart TVs after a recent study found 25 percent of Americans worry their conversations are being monitored through their smart TVs. The study was conducted by Propeller Insights on behalf of ExpressVPN  and surveyed 1,000 U.S. adults, finding that 29…

Children’s smartwatches once again found vulnerable

By

China-based company MiSafe is once again making headlines with its unsecured products after a pen tester found that its child tracking smartwatches were found to be highly insecure. MiSafe previously made controversy after firm’s Mi-Cam baby monitors were found to be susceptible to unauthenticated access and hijacking of arbitrary baby monitors. Pen Test Partners researchers…

Next post in News