Internet Security | SC Media

Internet Security

Critical vulnerability in Apache HTTP Server patched

A critical vulnerability in Apache HTTP Server that, if exploited, could allow an attacker to gain full root control has been patched. The bug, dubbed Carpe Diem by the researcher who discovered it, Ambionics engineer Charles Fol, affects Apache HTTP Server versions 2.4.17 to 2.4.38. The vulnerability, CVE-2019-0211, is a privilege escalation issue that happens…

South Korean websites hit with rare waterhole phishing scheme

Security researchers have come across a waterholing campaign that has compromised four South Korean websites by injecting fake login forms to steal user credentials. Trend Micro described the campaign, which it named Soula, as a significant threat to enterprises and users and possibly the first step being taken by a cybercriminal group to launch a…

Paper: Leaked authentication secrets rampant across GitHub

An academic study of GitHub found that more than 100,000 of the web service’s code repositories contain publicly accessible authentication secrets such as API and cryptographic keys, while thousands of new secrets are leaked each day. North Carolina State University researchers Michael Meli, Matthew McNiece (also from Cisco Systems) and Bradley Reaves detail their findings…

Facebook patches denial-of-service flaw in its open-source Fizz TLS implementation

Facebook last month patched a critical denial-of-service vulnerability in Fizz, its open-source implementation of the Transport Layer Security protocol TLS 1.3, researchers have reported. Unauthenticated remote attackers could exploit the flaw to create an “infinite loop,” causing the web service to be unavailable for other users and thus disrupting service, according to a March 19 blog…

Mozilla’s latest Firefox releases fix 22 vulnerabilities

The Mozilla Foundation yesterday issued version 66 of Firefox and 60.6 of Firefox Extended Support Release (ESR), in the process patching 22 vulnerabilities between them, five of them critical. Four of the five most severe flaws were found in both the standard and ESR versions of the web browser. This includes CVE-2019-9790, a use-after-free vulnerability…

Trolley Talk, RSA 2019 edition: SC’s second annual cable car chats (video)

SC Media’s Senior Reporter Bradley Barth once again commutes to Fisherman’s Wharf with several top cybersecurity execs, and for the first time a pair of undercover wireless research “workmen” come along for the ride. Back by popular demand, SC Media proudly presents its second annual edition of Trolley Talk, a segment where we interview leading cybersecurity experts while riding the…

Facebook sues app makers over browser extensions that allegedly scraped user data

Facebook has filed a lawsuit against two Ukrainian men accused of creating fraudulent quiz applications that tricked users into installing malicious browser extensions. These extensions allegedly scraped information from users’ social media pages and injected unapproved advertisements when users would visit various social networking sites, including Facebook. As reported in The Verge, Facebook filed the…

Malvertising attacks using polyglot images spotted in the wild

The malvertising space may be seeing an influx of more advanced threat actors, according to one research report that found polyglot images now being used to disguise malvertising attacks. Polyglot images, which differ from their near cousins, steganographic images, primarily by not needing an external script to extract the…

Android officially adopts FIDO2 authentication standard as alternative to passwords

Google’s Android operating system is now certified to employ the FIDO2 open authentication standard, a development that could help owners of more than a billion Android devices phase out the use of passwords when logging in to online services. As an alternative to potentially insecure passwords, FIDO2 instead offers the option of using fingerprints or…

Drupal software update patches highly critical RCE bug

The developers of Drupal this week issued a security advisory urging users to update their software following the discovery of a highly critical remote code execution vulnerability in their open-source content management framework. “Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases,” the…