Vulnerabilities And Flaws News, Articles and Updates

14 flaws found that could take over industrial control systems

Licence management systems used in industrial control systems are plagued with vulnerabilities: they contain 14 flaws that could enable hackers to take control of systems and carry out DoS attacks.

Hackers could get certificates for domains they don't own

Certificate authority Let's Encrypt has disabled TLS-SNI-01 validation on its service. Through the vulnerability, a hacker could have requested certificates for domains that were not theirs.

Symantec endpoint zero-day unpatched for months

A vulnerability in Symantec endpoint clients remains unpatched months after disclosure, according to security researchers.

Discount deception: AliExpress patches fake coupon vulnerability

Online retailer AliExpress fixed an open redirect vulnerability in its online shopping portal last October that could have been exploited to display a fake coupon designed to phish sensitive information from those who viewed it.

2,837 flaws found under US Defence Dept vulnerability disclosure programme

The US Defence Department's vulnerability disclosure programme (VDP) has yielded 2,837 security flaws in the nearly one year since its inception.

Joomla 3.8 patches eight-year-old credential stealing flaw

Joomla researchers patched a vulnerability that could have let hackers steal passwords, including administrator credentials, but which had flown under the radar for eight years.

Microsoft patches memory corruption & info disclosure vulnerabilities

Microsoft has patched a memory corruption vulnerability and an information disclosure vulnerability in Microsoft Office Outlook.

Hikvision patches camera flaw that could allow hackers to execute code

Hikvision, a world leader in the production of CCTV surveillance cameras, has been pulled up short by US-CERT which is warning that some models are vulnerable to two authentication bugs.

CRASH report: UK comes last in analysis of secure coding practices

An analysis of over one billion lines of code finds the UK ranks last for the security of its code and finds that teams of 10 do better than teams of 20 or more.

Kenya opens centre to combat cyber-crime

The African continent has seen an upsurge in cyber-attacks, particularly on telecommunications infrastructure and especially via DDoS, leading Kenya to set up a new Cyber Coordination Centre.

IP Expo: The future of cyber security [video]

"Where bits and bytes meet flesh and blood" was the main area of concern for industry panelists, ranging from critical infrastructure, where strict controls may be imposed, to consumer IoT goods, where they can't.

DEF CON 24: US government retains dozens, not thousands, of zero-days

The number of vulnerabilities in the US federal government arsenal hovers in the dozens, Columbia University senior research scholar Jason Healey told a DEF CON 24 audience.

ICYMI: CEO Sacked; MS Zero-day; Passwords dropped; Ransomware wild, charging hack

The latest In Case You Missed It (ICYMI) looks at CEO whaling victim; Unpatched zero-day; Passwords dropped; Self-propagating ransomware; USB charging hack

ICYMI: Buffalo stampede; Airport attack?; Ransomware plus; Patching halted; Short URLs

The latest In Case You Missed It (ICYMI) looks at malware targeting malware; Was airport attacked?; Ransomware, malvertising & phishing; QuickTime unfixed; Short URLs a risk

Android vulnerabilities could allow "easy" root access

Google has fixed this latest flaw with Android but Trend Micro warns that fragmentation in the Android ecosystem means hackers can still exploit it.

ICYMI: Backdoor concerns; TalkTalk losses; EBay exploit; Safe-Harbour 2; Malwarebytes flaw

The latest In Case You Missed It (ICYMI) looks at the Investigatory Powers Bill; TalkTalk woes continue; EBay exploit unfixed; EU-US Privacy Shield agreed; Malwarebytes apologises for flaw.

Snap vulnerability in LG G3 Android phones leaves users at risk of data theft

Users urged to apply patch to Android vulnerability as soon as possible.

Fortinet on SSH vulnerabilities: look, this really isn't a backdoor, honest

Security firm goes full disclosure on mechanics of SSH issue and finds three more vulnerabilities

Juniper Networks backdoor password 'hackable' within six hours

Juniper Networks' own ScreenOS software harboured unauthorised code, raising questions of possible use by the NSA.

Five last minute retail risk mitigations for Black Friday weekend

Most corporate attacks apparently happen on a Friday, but just imagine how much of a threat is posed to retailers this coming weekend which is topped and tailed by Black Friday and Cyber Monday?

Exclusive: Microsoft 'Delay in fix to Advanced Threat Protection flaw'

Microsoft customer Nick Ioannou "incredulous at company's failure to fix Safe Links flaw which leaves security holes in supposedly cleansed email"

All smartwatches are vulnerable to attack, finds study

All ten smartwatches tested by HP Fortify reported significant security vulnerabilities, along with their Android and iOS cloud and mobile application components, according to a new report.

Don't let your Apple Mac snooze, warns security researcher

A security researcher has criticised Apple for failing to address a root-level vulnerability.

'Rowhammer' hijack via hardware flaw hits half of laptops tested

A DRAM hardware 'reliability issue' turns out to be a vulnerability issue for half of all laptops as Google researchers demonstrate Rowhammer hijack.

Smart TVs, wearables and sheep: online and hackable

As the internet of things rolls out into every aspect of our lives, new security issues will arise, and regulators need to ensure minimum standards apply, says Geoff Webb.

Microsoft pulls Windows 7 and Windows Server 2008 elements of Patch Tuesday

Microsoft has unexpectedly withdrawn a key element of its Patch Tuesday operating system refresh after discovering a flaw in an update for Windows 7 and Windows Server 2008.

Should we care about XSS vulnerabilities on eBay?

The ability of attackers to exploit XSS flaws is more an economic issue than a technical one, says Ilia Kolochenko, who calls for prompt professional action when vulnerabilities are identified.