Vulnerabilities & Flaws News, Articles and Updates

WordPress patches nine security vulnerabilities

WordPress.org released version 4.8.2 of its content management system that fixes nine security issues, five of which involve cross-site scripting (XSS) vulnerabilities.

iOS 11 and Apple Watch Series 3, the good, the bad, and the unsecure

With the launch of iOS 11 and the Apple Watch, researchers note Apple's iOS 11 update included eight CVEs that patched vulnerabilities in iBooks, Mail MessageUI, Messages, MobileBackup, Safari, and Webkit.

Apache Struts vulnerability led to earlier breach at Equifax

Equifax said a breach it discovered in March was not related to the second in September though the hackers were reportedly the same, and the same vulnerability in Apache Struts was exploited in both incidents.

QEMU flaw forces sandbox tool to classify malware as benign

By triggering the recently discovered CVE-2017-12809 vulnerability in QEMU before malicious behaviour occurs, an attacker can force security products to classify malicious files as benign.

Hackers can bypass new protections in MacOS High Sierra

MacOS High Sierra protections can be bypassed, but will make security researchers and companies work more difficult

BlueBorne shows Bluetooth protocol's security inadequately researched

Bluetooth technology is overlooked by security experts and bug hunters in comparison to other protocols. The highly eclectic and fragmented nature of devices relying on Bluetooth means that some may never issue secure updates.

Bashware hacking could put 400 million Windows systems at risk

The Bashware vulnerability allows attackers to take advantage of built-in Linux shell to bypass security software.

Adobe Patch Tuesday: Flash Player with two critical updates

Adobe issued a light load of Patch Tuesday security updates today releasing only eight, with five rated critical with two of these affecting Flash Player.

Microsoft Patch Tuesday: 21 critical updates listed, one zero day fixed

Patch Tuesday security updates includes a fix for a zero-day flaw found in the wild and used to target Russian speakers along with the details on the BlueBorne vulnerability that potentially impacts five billion Bluetooth devices.

Apache Struts bugs: Cisco products vulnerable to remote code execution

Cisco Systems has issued a pair of advisories warning users that several of its products have been affected by vulnerabilities recently discovered in the Apache Struts 2 open-source web application framework.

Email server vulnerability detection - a best practice checklist

By following best practices and incorporating security measures when setting up an email server, you will be able to protect yourself from the most frequent and dangerous scenarios says Marcell Gogan.

All pre-8.0 Androids vulnerable to overlay attack; mitigations toasted

A new vulnerability has been discovered affecting older versions of the Google Android Platform.It can be used to easily enable an "overlay attack", tricking the user into unwittingly installing malware onto the device.

Flaw in Windows kernel hinders identification of potentially dangerous files

A programming error in the Microsoft Windows kernel might inhibit security software vendors and kernel developers from properly identifying modules loaded during runtime.

Web App vulnerability enables Equifax breach affecting up to 143m in US

Cyber-criminals gained unauthorised access to Equifax files in a breach that could affect as many as 143 million consumers in the US, the company said Thursday.

Why apps & the rise of shadow IT are posing new threats to organisations

The app-blended lifestyle poses problems for CIOs, CISOs and those responsible for keeping an organisation safe and secure. Mike Hemes, says shadow IT is a real issue and one we can only see increasing over time.

Apache Struts alters API code, patch critical remote code execution flaw

The Apache Struts Software Foundation has released an update to its open-source web application framework to fix a critical remote code execution vulnerability

Ransomworms on the rise: yet another wake up call for the enterprise

90 percent of enterprises still recording exploits for vulnerabilities that are more than three years old, and 60 percent for vulnerabilities more than ten years old says Fortinet report, with twice as many attacks at weekends.

Fuze fixes portal security lapses that could expose sensitive data

Cloud-based unified communications services provider Fuze earlier this year repaired three vulnerabilities in a customer web portal.

Money for old rope? Ropemaker changes your emails AFTER delivery

Your emails can be changed after they have been delivered, corrupting your records and introducing malicious urls using the Ropemaker vulnerability.

ICYMI: UK regs; AI weaponised?; Malwaretech; Mandiant; WiFi weak

In Case You Missed It: UK data protection; Is AI weaponised; Is Malwaretech; innocent?; Mandiant leak; WiFi vulnerabilities

Recently patched Flash Player sandbox leaks Windows credentials

A flaw in Adobe Flash could have allowed hackers to discover Windows user credentials. Hackers can find out user details with this one simple trick.

SMS touch texting app sends data in cleartext

The popular and inexpensive international texting app SMS touch has been found to send critical data in cleartext making the users susceptible to hackers.

Honeypot reveals lack of oversight opened door to WannaCry & NotPetya

If researchers paid more attention to the Shadow Brokers dump of alleged National Security Agency hacking tools back in April, the WannaCry and NotPetya attacks may have never happened.

Fuzz testers taking less time to spot vulnerabilities in IoT protocols

A review of Fuzz Testing results from various industries in 2016 showed the overall average time to first failure (TTFF) was 1.4 hours, meaning testers are taking less time to find vulnerabilities than in 2015.

Russian hacker extorts gambling company after cracking poker machines

A Russian mathematician and programmer attempted to extort an Australian gambling company of £10 million or more after cracking the spin sequence on several of the firm's poker machines.

Solar panel hack could knock out power grid

Cyber-attack on photovoltiac panels could bring down power and have a domino effect on the rest of the electricity supply, both nationally and potentially, continentally.

Microsoft Patch Tuesday addresses nearly 50 flaws

Microsoft had a busy month patching flaws with nearly 50 security issues fixed, many of which have a severity rating of critical" or "important" with remote code execution vulnerabilities.

Most corporate information systems are just two steps away from failure

The level of security of Wi-Fi networks and user awareness regarding information security has fallen significantly; a Positive Technologies security audit says mostly due to common vulnerabilities not needing much skill to implement.