Vulnerabilities & Flaws News, Articles and Updates

ROCA, the role of key generation and decrypting of private keys

Richard Moulds takes a look behind recent crypto vulnerability headlines - the ability to calculate the private key of an RSA keypair purely by knowing the public key - and asks if they are a prelude to a 'cryptoapocalypse'.

Cisco: Critical vulnerability in 12 types of Voice OS-based products

Cisco has patched a critical flaw in its Voice-OS which could allow an unauthenticated, remote hacker to gain elevated access to 12 types of its products.

Adobe Patch Tuesday: 62 vulnerabilities for Acrobat, 5 critical for Flash

Adobe's November Patch Tuesday included 83 patches, including fixes for five critical-rated issues in Flash Player. Reader and Acrobat, by themselves, generated more than five dozen CVEs.

Microsoft Patch Tuesday: 20 critical issues addressed

Microsoft's November Patch Tuesday rollout included patches 53 flaws, 20 rated critical, spread across a variety of products, including Edge, Internet Explorer, Windows and Office.

Eavesdropper flaw leaks millions of private conversations

Developers leave API credentials in applications built on Twilio telephony platform allowing phone call eavesdropping.

ToastAmigo malware uses new twist to attack Toast overlay vulnerability

A new malware uses an updated methodology to abuse the previously patched Android Toast overlay vulnerability, which once installed, can download additional malware as well as use various permissions to access the phone.

Updated with response: Brother printers & devices vulnerable to DoS attack

Trustwave researchers revealed a vulnerability in Brother consumer and business printers and multi-function devices that can allow a denial of service attack. Brother UK responds.

How to avoid opening the door to hackers with misconfiguration errors

Setting standard configurations based on industry best practices, and continuously monitoring for changes from that baseline enable quick identification of a misconfiguration that could be exploited and address it, before the breach.

Smartphone QR code scanners pose new cyber-threat

Apple iOS 11, Apple has QR scanning functionality enabled by default which Elad Ben-Meir says can effectively make anyone scanning the QR code matrices with Apple devices vulnerable to unknowingly uploading malicious code.

Tor patches flaw that could expose MacOS and Linux IP addresses

The Tor Project released a patch fixing an issue that could reveal the correct IP address of MacOS and Linux users using the Tor browser.

Surprising amout of cryptographic mistakes in IEEE standards allow IP theft

Weak cryptography in a standard developed by the IEEE could result in hackers bypassing encryption safeguards to steal intellectual property in plaintext, scientists discover.

From cyber-crime to human error: The rise of software failures

Phil Codd says software failures caused US$ 1.1 tn losses to businesses in 2016, demonstrating that it is time to pay attention to the main causes of IT system failures or risk financial loss and reputational damage.

Apple addresses KRACK exploits in iOS and macOS updates

Apple has finally addressed the KRACK vulnerabilities in its latest macOS High Sierra, Sierra, El Capitan, iOS 11.1, tvOS and watchOS.

Google bug tracker service flaw allowed access to new vulnerability reports

A private website Google used to track bugs in its own products was discovered to have its own set of flaws that could have exposed sensitive vulnerability reports - now fixed.

Apache OpenOffice patches four vulnerabilities in 4.1.4 update

Apache OpenOffice patched four medium vulnerabilities in the suites word processing and graphics apps.

T-Mobile API bug may have leaked customer account data

A bug in T-Mobile's wsg.t-mobile.com API may have allowed attackers to access customer data that can be used to carry out phishing attacks or worse.

LG patches app bug that can turn IoT vacuums into robotic spies

LG patches holes in its IOT device range following cooperation with CheckPoint, including patching vacuum cleaners which could have become digital spies in the home.

Attackers could fully compromise shipping comms server via backdoor

Backdoor account and blind SQL attacks vulnerability found in AmosConnect 8 satellite comms equipment used in shipping.

Password reuse results in Coinhive DNS Server used to mine Monero

Password reuse resulted in an unknown hacker taking over Coinhive's DNS server and replacing it with a JavaScript in-browserMonero cryptominer.

DUHK attack recovers encryption keys from Fortinet devices

Security researchers warn that hard-coded encryption keys put security at risk due to flaw in random number generator. Stop using X9.31 generator say researchers.

Quarter of financial service employee mobile devices unpatched

A quarter of financial service employee mobile devices have unpatched vulnerabilities, according to a recent Symantec report.

Google Play bug bounty programme aims to make Android apps safer

If the Google Play Security Reward Programme doesn't seem like a typical bug bounty programme, that's because it isn't.

Oracle patches 252 bugs, increase in E-Business Suite and PeopleSoft flaws

Oracle Corp's quarterly Critical Patch Update (CPU) has fixes for 252 vulnerabilities, including extremely severe bugs found in the company's Hospitality Applications, Siebel CRM solution, and PeopleSoft HR software.

ROCA vulnerability threatens RSA encrypted devices on heels of KRACK scar

ROCA proof of concept attacks threaten RSA encrypted devices as far back as 2012 - patches need updating now.

Update: Microsoft 2013 secret vulnerabilities database breach - long tail

In 2013 Microsoft discovered that hackers had breached the secret internal database it uses to track vulnerabilities, it then quietly upped its security, segmenting the database from its network and compelling two-factor authentication.

Wifi protocol falls victim to 'Krack' attack, most access points vulnerable

Every single implementation of Wi-Fi in existence is vulnerable to a new exploit unveiled by researchers.

SSH privileged access has minimal control at most organisations

Although Secure Shell (SSH) keys provide the highest levels of administrative access they are routinely untracked, unmanaged and poorly secured according to a recent report by Venafi.

Estonia releases update on Digital ID card vulnerability

The Estonia government issued an update on a vulnerability potentially affecting digital use of ID cards issued since October 2014.

Mozilla patches three critical issues in Thunderbird and Firefox

Mozilla issued a security update stating that the newly released Thunderbird 52.4 , Firefox 56 and Firefox ESR 52.4 patch 10 vulnerabilities, two rated critical, five high and three moderate found in earlier iterations of the software.