Vulnerabilities News, Articles and Updates

Study finds nearly half of web applications put user data at risk

Tests conducted using automated tools and various black-, gray-, and white-box methods on 23 web applications revealed that attackers could obtain personal data from 44 percent of applications handling that information.

Intel, ICS and Apple post Patch Tuesday alerts and patches

In the wake of June 2018 Patch Tuesday, alerts and patches were issued for another speculative execution vulnerability affecting Intel, a git issue with Apple and a flaw in the BIND open-source DNS software.

Flawed code-signing process could have let attackers pass malware off as Apple-approved

The developers of third-party security products for Macs are issuing patches after researchers realized their software was not properly interacting with Apple's code-signing API. Without the patch, attackers can craft malicious files capable of bypassing the code-signing process, making it look like their code is legit software approved by Apple.

Foscam home security cameras updated to address root access vulnerabilities

Foscam has issued an update for its home security systems after researchers found several vulnerabilities which, if combined, could allow an attacker to gain root access to the cameras (via LAN or the internet).

Device makers still shipping products with Android Debug Bridge enabled, despite risks

Mobile and IoT device manufacturers continue to ship products with the Android Debug Bridge feature automatically enabled -- a dangerous default setting that enables potential adversaries to connect to these devices.

Mozilla patches heap buffer overflow in Firefox browsers

The Mozilla Foundation has released a security advisory to patch critical vulnerabilities in Firefox and Firefox ESR products which could allow a remote attacker to take control of an affected system.

Patched Cisco ACS flaw lets attackers perform MITM attacks, steal admin credentials

Positive Technologies has elaborated on a critical remote code execution vulnerability its researchers discovered in the web interface of Cisco's Access Control Server (ACS), reporting that the bug can be leveraged to perform man-in-the-middle attacks, steal credentials, access network resources and intercept traffic.

Adobe issues critical patch after Flash zero-day bug actively exploited in Middle East

Adobe Systems today issued patches for four software vulnerabilities in Flash Player, including a zero-day flaw that attackers have been exploiting in the wild in targeted attacks against Windows users in the Middle East, possibly in Qatar.

Latest batch of Cisco updates patches 28 bugs, two critical

Cisco Systems yesterday issued 28 security updates that patch vulnerabilities found in a variety of products, including two critical bugs that were assigned a CVSS (Common Vulnerability Scoring System) base score of 9.8.

Researchers warn widespread Google Group misconfigurations are exposing sensitive data

A survey of 2.5 million domains looked for publicly exposed configurations, found 9,637 exposed organizations, then used a random sample of 171 public organizations to determine that nearly 3,000 domains were leaking sensitive data.

'Cyber incident' leaves Eventbrite-owned Ticketfly offline, ransom demanded

The company didn't specify whether or not user information has been compromised but did acknowledge the incident in a tweet.

Major vulnerabilities in the EOS blockchain may push back Mainnet launch

Major vulnerabilities in the EOS blockchain and smart contracts platform may push back the Mainnet launch scheduled for June 2.

DTS bug bounty challenge yields 100 vulnerabilities

The DTS challenge is part of the Defense Department's Hack the Pentagon bug bounty program.

Flaw in Git could result in remote code execution

Vulnerability patched in Git source code versioning software. Security researchers have discovered a number of flaws in Git that could have enabled hackers to execute code remotely on a victim's PC.

SEVered attack able to defeat AMD SEV

Several German researchers have shown a proof-of-concept attack indicating that virtual machines using AMD's Secure Encrypted Virtualization (SEV) are susceptible to being hacked.

Open ports left over 1,000 SingTel routers vulnerable to cyber-attacks

More than 1,000 owners of Wi-Fi routers were left exposed to potential cyber-attacks after Singapore Telecommunications Limited forgot to secure port 10000 in its Wi-Fi gigabit router devices.

Google fixes 24 bugs in Chrome OS, security pass flaw in reCAPTCHA feature

Google on Tuesday released version 67.0.3396.62 of the Google Chrome operating system for Windows, Mac and Linux to its stable channel, in the process solving 24 vulnerabilities and introducing its "Site Isolation" security feature to additional users.

Open Bug Bounty creates free bug bounty program

Open Bug Bounty has added a new free service that will allow organizations to create their own bug bounty program.

Schneider Electric patches XML External Entity vulnerability

Schneider Electric patched a vulnerability (CVE-2018-7783) in its SoMachine Basic that could result in the disclosure or retrieval of data during an out-of-band attack.

Flaws in smart pet devices, apps could come back to bite owners

The secret lives of pets -- and their owners -- may not be so secret anymore if attackers take advantage of the dozen vulnerabilities that researchers recently observed while analyzing smart devices used to track animals and their activity.

Pen testers break down bank security flaws

While banks have built effective barriers for external attacks, researchers warn they have not done nearly as much work to fight threats on their internal networks.

As world awaits patches, researchers divulge details of new Spectre Variants 3a and 4

The next generation of Spectre speculative execution vulnerabilities in CPUs from AMD, ARM, and Intel has arrived in the form of Variants 3a and 4, following highly anticipated public disclosures from Google's Project Zero and Microsoft Corporation [1, 2].

Google may contractually require OEMs to perform regular patching

Google is looking into the possibility of requiring device manufacturers to regularly patch their devices, by incorporating such a provision into future OEM agreements, Google head of Android security David Kleidermacher announced in a presentation at the Google I/O Developer Conference last week.

Former CIA software engineer id'ed as suspect in Vault 7 leaks

Joshua Adam Schulte has not yet been charged with leaking classified information but is being held in the Metropolitan Correctional Center in New York after being indicted for possession of child pornography.

Oracle WebLogic vulnerability exploited for cryptominers for second time this year

Cryptominers targeting Oracle's patched WebLogic vulnerability from 2017 have caused a spike in malicious traffic targeting Port 7001.

Third-party software vulnerability results in Mexican bank heist scoring millions

Mexican authorities are investigating a suspected bank hack that siphoned hundreds of millions of pesos out of at least five banks.

Adobe releases more updates following Patch Tuesday fixes

After patching a confusion flaw in Flash last week, Adobe announced new security updates for Adobe Acrobat and Reader for Windows and MacOS.