Vulnerability News, Articles and Updates

Microsoft issues update to fix flaw in earlier Meltdown patch

Microsoft has issued an update that will fix a flaw, CVE-2018-1038, in a previous patch that was designed to protect Windows 7 x64 or Windows Server 2008 R2 x64 systems from Meltdown.

Amazon to fix security issue for Key after researcher claims hack

Amazon is issuing a security patch for its Key services shortly after a researchers posted a video demonstration of them claiming to hack the Amazon device.

Over 100 in-the-wild malware samples found searching for machines prone to Spectre and Meltdown

It hasn't taken long for cybercriminals to craft malware specifically designed to exploit the recently disclosed Spectre and Meltdown speculative execution bugs found in computer chips.

Lenovo patches 14-year-old vulnerability

Lenovo released a patch for a vulnerability introduced 14 years ago via a firmware update by the now-defunct Nortel Networks.

Patch Tuesday: Adobe issues lone patch for Flash Player

The first patch Tuesday of 2018 has Adobe issuing its first patch for the new year, a lone entry for Flash Player rated as "important".

Apple issues Spectre patches for macOS High Sierra, Safari and iOS

Apple followed up on its promise last week and rolled out updates for macOS High Sierra, Safari and iOS to patch the Spectre vulnerabilities CVE-2017-5753 and CVE-2017-5715 in Intel's processor family.

Spectre and Meltdown patches flow, hit flood stage

Patches have been flowing out fast and furiously to repair the kernel-level flaws found in Intel, and to a lesser extend in AMD and ARM processors, that could allow for remote code execution and access kernel level memory.

macOS Zero Day details exposed by researcher

An independent security researcher that goes by the handle Siguza revealed a local privilege escalation Zero Day in macOS that can be exploited by any unprivileged user.

Adobe Patch Tuesday: Lone Flash Player security flaw noted

Adobe had a minimal Patch Tuesday offering for December listing just one vulnerability for Flash Player.

Two keyless entry door locks vulnerable to unauthenticated requests

A vulnerability found in two keyless entry door locks enables local attackers to lock and unlock doors.

Flaw in macOS High Sierra allows easy access

By typing "root" into the name field, anyone can crack High Sierra security.

US CERT issues warning on ASLR vulnerability in Windows

US CERT has issued a warning on a vulnerability in Windows Address Space Layout Randomization (ASLR) that affects Windows 8, Windows 8.1, and Windows 10 which could an attacker to take control of an affected system.

Cisco: Critical vulnerability in 12 types of Voice OS-based products

Cisco is warning users of a critical flaw in its Voice-OS which could allow an unauthenticated, remote hacker to gain elevated access to 12 types of its products.

Microsoft issues warning on Dynamic Data Exchange vulnerability

With APT28 now using Microsoft's Dynamic Data Exchange (DDE) as an attack point, the company has issued an official advisory concerning the practice, along with possible mitigation methods.

Tor patches flaw that could expose MacOS and Linux IP addresses

The Tor Project released a patch fixing an issue that could reveal the correct IP address of MacOS and Linux users accessing the Tor browser.

WordPress issues patch to eliminate SQL injection vulnerability

WordPress has issued a new update, version 4.8.3, that researchers and the organization itself said could lead to a SQL injection and strongly recommend users update to the latest version.

UK to open second investigation into Equifax breach

The UK Financial Conduct Authority (FCA) has opened an investigation into the massive Equifax data breach that exposed almost 700,000 British citizens and 145.5 million worldwide.

Cybersecurity pros targeted in latest attack by Group 74

The threat actor known as Group 74 has initiated a new campaign that uses a malicious Visual Basic for Applications (VBA) macro embedded in a document advertising the Cyber Conflict U.S. Conference (CYCON) to target people interested in cybersecurity issues.

APT28 joins BlackOasis in exploiting latest Adobe Flash vulnerability

APT28 is now also being named as one of the cyber gangs attempting to take advantage of Adobe Flash vulnerability CVE-2017-11292.

Adobe Patch Tuesday: Nothing

In what Adobe believes may be a first, the company did not issue any security updates for its product line this month.

Dirty Cow malware swipes payments, installs backdoor into Android devices

Malware called ZNIU that is based on CVE-2016-5195, aka Dirty COW, has been found in more than 1,200 malicious Android apps affecting 5,000 users in 40 countries more than a year after the vulnerability first became known.

Oracle patches 7 Apache Struts 2 vulnerabilities

Oracle issued seven security updates to handle vulnerabilities found in Apache Struts 2.

Verizon data found on open AWS S3 server

Security researchers have found another publicly accessible Amazon S3 server that in this case hosted about 100MB of Verizon Wireless data that was allegedly operated by a Verizon employee.

Zerodium offers up $1 million bounty for Tor zero day

Zero-day-acquisition firm Zerodium reported it will a total of $1 million for zero day exploits found for the Tor browser on Tails Linux and Windows.

Study, Fuzz test averages reveal more vulnerabilities spotted sooner in IoT protocols

The study also found a common protocol used in IoT devices was using significantly more vulnerable than more mature protocols used by online shopping and banking industry.

Russian hacker extorts gambling company after cracking poker machines

A Russian programmer attempted to extort an Australian gambling company after cracking the spin sequence on several of the firm's poker machines.

Microsoft Patch Tuesday, 19 critical vulnerabilities addressed

Microsoft's July Patch Tuesday news covered 55 flaws with 19 being rated critical with all the latter issues leading to remote code execution if left unpatched.