Vulnerabilities & Flaws News, Articles and Updates

Researchers: Security of messaging apps breaks down during group chats

Vulnerabilities in the group communication protocols of three encrypted messaging apps - WhatsApp, Signal, and Threema - could allow attackers to willfully subvert their integrity and confidentiality.

Mobile SCADA application landscape less secure than in 2015

The latest research suggests that in just two years the security of mobile SCADA applications has worsened, with an average of 1.6 more vulnerabilities found per application tested.

'Locky' ransomware exploits Windows DDE weakness

Microsoft has said it will continue to support and not remove DDE as an Office document feature despite its acting as a highly effective exploit method for cyber-criminals.

Meltdown and Spectre - vulnerabilities to watch (and fix)

Almost all iPhones and Macs are at risk from Spectre chip security flaw according to industry reports.

Time to wake up to API security, the overlooked vulnerability

API vulnerabilities are the sleeping giant of our technology-led world. The threats posed by an exposed API are significant, yet they remain the most overlooked threat to information security today, says Jason Macy.

VMware fixes bugs in vCenter Service Appliance, three hypervisors

VMware on Tuesday patched a series of vulnerabilities in its ESXi, Workstation Pro, and Fusion hypervisors, as well as its vCenter Server Appliance.

123 million sensitive PII records exposed, most US households hit

A cloud-based data repository belonging to Alteryx publicly exposed datasets from the data analytics firm's partner Experian and the US Census Bureau containing sensitive personal information on 123 million Americans.

Why companies should employ ethical hackers

Hiring a white hat hacker to find and fix your system vulnerabilities before the bad guys find and exploit them is a recommended way of strengthening defences, says Krishna Rungta.

Retailers still in need of data breach response plan

A recent survey showed that, surprisingly, a large percentage of retailers still have no data breach response plan in place.

Market-leading security products broken by Doppelganging attack

The new Process Doppelgänging memory attack methodology not only defeats market-leading security products but breathes new life into old threats at the same time.

Security flaw puts 10 million banking app users at risk

Vulnerability could enable hackers to carry out MitM attacks on bank apps - 10 million users at risk

Mailsploit bugs let spoofed emails bypass DMARC, spam detectors

A collection of vulnerabilities dubbed Mailsploit, found by German security researcher Sabri Haddouche in 30 email client applications - from Apple Mail to Mozilla Thunderbird - lets hackers bypass anti-spoofing mechanisms.

Alleged HBO hacker, two others possibly linked to Iranian APT group

Researchers with ClearSky Cyber Security believe with medium-level confidence that they've linked three individuals to the Iranian advanced persistent threat group Charming Kitten, including the man accused of hacking HBO.

Researchers call bull on Dirty Cow Patch, find flaw

Bindecy security researchers identified a flaw in the original patch for the Dirty Cow vulnerability which could ultimately lead to a privilege escalation attack.

Cisco patches multiple vulnerabilities in WebEx platforms

Cisco released patches for multiple vulnerabilities in its WebEx Recording Format and Advanced Recording Format Players.

Firefox tests in-browser breached site notifications

Firefox is testing out a warning system that will notify users when they visit breached sites and offer the option to be notified if a site they previously visited becomes breached in the future.

The role of code signing in securing the Internet of Things

Some IoT devices have no update capability whatsoever, so it is important to focus more on software security: software developed using best practices, tested for vulnerabilities, and able to ensure the authenticity and integrity of updates.

Apple issues emergency fix for High Sierra root access flaw

A day after a developer revealed a root access flaw in macOS High Sierra version 10.13.1, Apple released an emergency patch, which it plans to push out today.

OWASP vulnerability chart suggests web app devs are not smelling the security coffee

The Open Web Application Security Project (OWASP) has just updated the top ten list of web app vulnerabilities for the first time since 2013. Not much has actually changed.

Symantec patches certificate spoofing flaw in Install Norton product

Symantec patched a certificate spoofing vulnerability in its Install Norton Security product that occurs when downloading Norton for Mac.

Intel Management Engine vulnerabilities expose millions of PCs to attack

Intel researchers identified elevation of privilege vulnerabilities in various product families which could enable a system crash or system instability, among other issues.

US CERT issues warning on ASLR vulnerability in Windows

US CERT has issued a warning on a vulnerability in Windows' Address Space Layout Randomisation (ASLR) that affects Windows 8, Windows 8.1, and Windows 10 which could allow an attacker to take control of an affected system.

The problem with your inherited legacy systems

Most breaches we become aware of are caused by failure to update software components that are known to be vulnerable for months or even years.

Windows, Mac and Linux all at risk from flaws in Excel file reader library

Security researchers have warned over multiple flaws in Libxls that could result in remote code execution using specially crafted XLS files.

Oracle issues emergency patch for JoltandBleed bug in Tuxedo middleware

Oracle Corporation issued a series of emergency patches on Tuesday last week, fixing five vulnerabilities in its Tuxedo middleware platform, including a critical one that has been compared to Heartbleed.

Ethereum - lost cryptocurrency - bug was known about since August

A "post-mortem" revealed that Parity Tech had been warned about the Ethereum bug that froze £212 million of cryptocurrency.

ROCA, the role of key generation and decrypting of private keys

Richard Moulds takes a look behind recent crypto vulnerability headlines - the ability to calculate the private key of an RSA keypair purely by knowing the public key - and asks if they are a prelude to a 'cryptoapocalypse'.

Cisco: Critical vulnerability in 12 types of Voice OS-based products

Cisco has patched a critical flaw in its Voice OS which could allow an unauthenticated, remote hacker to gain elevated access to 12 types of its products.

Adobe Patch Tuesday: 62 vulnerabilities for Acrobat, 5 critical for Flash

Adobe's November Patch Tuesday included 83 patches, including fixes for five critical-rated issues in Flash Player. Reader and Acrobat, by themselves, generated more than five dozen CVEs.

Microsoft Patch Tuesday: 20 critical issues addressed

Microsoft's November Patch Tuesday rollout included patches for 53 flaws, 20 rated critical, spread across a variety of products, including Edge, Internet Explorer, Windows and Office.