Vulnerabilities News, Articles and Updates

PHP exploit flaw puts WordPress and other CMS sites at risk of remote code execution

A severe PHP exploit proof-of-concept attack could allow remote code execution attacks on several content management platforms including Typo3 and WordPress.

Philips cardiovascular software found to contain privilege escalation, code execution bugs

Multiple versions of cardiovascular imaging and information management software from Philips have been found to contain vulnerabilities that could lead to escalated privileges and arbitrary code execution.

MadIoT PoC attacks leverage IoT devices to take out power grids

Cybercriminals may soon be able to target entire power grids without using Stuxnet like malware to infiltrate critical infrastructure.

Security updates issued for VMware, Samba, Internet Key Exchange, and Linux

US-Cert announced updates and patch releases for VMware, Samba, Internet Key Exchange, and Linux kernel, respectively, to address a host of vulnerabilities.

Def Con presenter: 'Synthetic clicks' exploit can help attackers install malware on Macs

A presentation at Def Con 2018 last week revealed an unpatched vulnerability in macOS devices that can allow malware to bypass certain security checks using a technique that fakes user mouse clicks.

Man-in-the-Disk attacks leave Android users exposed to data manipulation

Check Point researchers discovered a new attack surface for Android applications that leverages external storage, dubbed Man-in-the-Disk attacks.

Patch Tuesday August 2018: Adobe mends two critical bugs in Acrobat and Reader

Adobe today issued patched updates for Acrobat and Reader, Flash Player, Experience Manager, and the Cloud Desktop Application, collectively fixing 11 vulnerabilities, two of them critical.

U.S. Marines add bug bounty program to boost cyber defenses

The U.S. Marine Corps, in conjunction with HackerOne, kicked off its bug bounty program at Black Hat last week with 100 hackers participating in a nine-hour hackathon against various public-facing Marine Corps websites.

Kid hackers make child's play of state voting systems in Def Con Voting Village

Hacking some voting equipment is evidently child's play, at least that was the result of a program run during Def Con's Voting Village when 35 kids were able to access replicas of six secretary of state websites, one within just 10 minutes.

Def Con voter hacking village stirs backlash from states, vendors

Harsh words were expressed last week by the organizers of the Def Con Voting Village to one of the primary election voting machine manufacturers and the National Association of Secretaries of State (NASS) as the former group had eager show attendees spend time attempting to find flaws in 30 actively used voting machines.

VMware repairs out-of-bounds read bug in three Horizon products

VMware this week updated its Horizon 6, Horizon 7 and Horizon Client for Windows solutions to fix an important out-of-bounds read vulnerability in the Message Framework library.

Black Hat USA 2018: Google, Microsoft and Red Hat dish on the Meltdown/Spectre backstory

Some of the biggest players who worked behind the scenes during the run-up to the Jan. 3 disclosure of Meltdown and Spectre came together at Black Hat 2018 to discuss what their companies, and others, did after the vulnerabilities first became known.

Hackers could spoof WhatsApp messages, sender names

Hackers could exploit the very things -- encryption and digital certificates -- that ensure privacy and provide authentication between devices, apps, and clouds.

Health care software OpenEMR patched after discovery of bugs threatening patient records

A team of researchers yesterday disclosed 22 vulnerabilities in OpenEMR, a widely used medical practice management software program that supports electronic medical records, including a portal authentication bypass flaw that could have allowed users to access random patient records.

Mozilla patches critical Thunderbird bugs that can cause exploitable crashes

The Mozilla Foundation has released the latest version of its Thunderbird email client, fixing 14 security vulnerabilities along the way, including five critical ones, three of which can result in a potentially exploitable crash.

Monero bug that doubled coin transfer amounts allowed attackers to steal from

A vulnerability report posted last Wednesday on the HackerOne bug bounty platform reveals that code from Monero's cryptocurrency wallet contained a critical flaw that attackers could exploit to steal directly from digital coin exchanges.

Bug in Mingw-w64 Windows app development environment results in exploitable executables

Mingw-w64, a 2005 update of the open-source MinGW software development environment for Windows applications, has been found to produce executables that are incompatible with ASLR, a technology that reduces the effectiveness of malicious shellcode.

HP to launch first printer bug bounty

The program is private and those who have been invited to participate have been instructed to focus on firmware-level vulnerabilities.

Spectre: the vulnerability that just keeps on giving

Students from Graz University of Technology have shown a proof of concept for an attack called NetSpectre, which is based on a Spectre variant 1 attack, but can be executed remotely with no local code execution on the target system. However, industry insiders believe this particular attack is too impractical to pull off.

LifeLock unsubscribe error unlocks customers' email address info

Symantec's ID theft prevention subsidiary LifeLock suffered from some embarrassing optics on Wednesday after it was reported that an error in its e-marketing unsubscribe process left the email addresses of its customers exposed to potential data theft and tampering.

Bluetooth vulnerability could allow man in the middle attacks

U.S. CERT issued an advisory note warning Bluetooth firmware or operating system software drivers are missing a required cryptographic step enabling man in the middle attacks to take place.

Dasan and D-Link routers targeted by apparent botnet in new wave of exploit attacks

An apparent botnet comprised of more than 3,000 separate source IPs generated a large, sudden spike in exploit attacks on July 19, targeting D-Link 2750B and certain Dasan GPON (Gigabit Passive Optical Network) small and home office routers.