Vulnerabilities & Flaws | SC Media

Vulnerabilities & Flaws


Researchers find Telegram bot chatter is actually Windows malware commands


Decrypted Telegram bot chatter was found to actually be a new Windows malware, dubbed GoodSender, which uses the messenger platform to listen and wait for commands. Forcepoint researchers discovered what they described as a “fairly simple” year-old malware that creates a new administrator account that enables remote desktop once it infects a victim’s device.…

Bluehost and other popular web hosting sites found to be full of flaws


The web-hosting platform Bluehost was found to contain multiple account takeover and information leak vulnerabilities. Independent researcher and bug-hunter Paulos Yibelo has identified four vulnerabilities, one of which is a “High” severity information leak through CORS misconfigurations that could allow attackers to steal personally identifiable information, partial payment details and tokens that can give access…


Schneider Electric car charging station vulnerabilities allowed stolen cables, halted charging


Positive Technologies researchers have released details concerning the vulnerabilities patched last month in the Schneider Electric car charging stations. One of the vulnerabilities (CVE-2018-7800) enables access with maximum privileges to the charging station and could allow an attacker to stop the charging process and switch the device to the reservation mode, making it inaccessible to…

Cisco patches 18 vulnerabilities including a critical memory corruption DoS bug


Cisco issued 18 fixes for vulnerabilities spanning its product line including a critical flaw which could be triggered by a malicious email and another flaw which could enable a permanent DoS condition forcing the affected device to stop scanning and forwarding messages. The critical flaw is the result of a memory corruption denial of service…

ICEPick-3PC malware compromises third-party tools to steal Android IPs


A new malware dubbed ICEPick-3PC has been stealing device IP addresses en masse since at least spring 2018. The malware executes after its authors hijack a website’s third-party tools, which are often pre-loaded onto client platforms by self-service agencies and are designed to incorporate interactive web content, such as animation via HTML5, The Media Trust said…


U.S. Supreme Court declines to hear Fiat Chrysler appeal in car hacking case


The U.S. Supreme Court Monday declined to hear Fiat Chrysler’s appeal in a class action lawsuit claiming the automaker knew its vehicles were vulnerable to cyberattacks as early as 2011. The case stems from three car owners who sued the Samsung Electronics Co subsidiary Harman International Industries which manufactures the vehicle’s Uconnect infotainment system, and…

Multiple privilege escalation vulnerabilities in CleanMyMac X


Several privilege escalation vulnerabilities were found in MacPaw’s CleanMyMac X software, all of which will allow an attacker with local access to the victim’s machine to modify the file system as root. Cisco Talos researchers spotted 13 CVE vulnerabilities in the Mac cleanup application designed to free up extra space on a user’s machine by…

European Union announces bug bounty program


The European Union is launching bug bounty programs for 14 out of 15 open source projects on which EU institutions rely. Beginning this month, researchers will be invited to submit bugs and vulnerabilities in various projects that were previously identified as candidates in the inventories and a public survey, according to a Dec. 12, 2018…

Guardzilla IoT Video Camera contains critical credential vulnerability


A hard-coded credentials vulnerability in Guardzilla IoT video cameras could grant a moderately skilled attacker unlimited access to all S3 buckets provisioned for the account. The vulnerability (CVE-2018-5560) was discovered during the 0DAYALLDAY Research Event on Sept. 29, 2018 and was publicly disclosed on Dec. 27, 2018 after researchers disclosed the issue to Rapid7 for coordinated…


Critical vulnerability patched in Schneider Electric car charging stations


Schneider Electric is warning users of multiple vulnerabilities in the EVLink Parking product including a “critical” vulnerability. The critical vulnerability is caused by hard-coded credentials that allow an attacker to gain access to the device, according to a Dec. 20 security notification issued by the firm. Schneider Electric also patched a “High” rated code injection vulnerability which…
