Vulnerabilities News, Articles and Updates

21% of serverless applications feature critical vulnerabilities

An audit of 1,000 open-source serverless applications carried out by serverless security company PureSec has revealed that 21 percent of such applications feature critical security vulnerabilities that can be exploited.

Talos details vulnerabilities in Allen-Bradley Programmable Controllers

Cisco Talos has detailed several vulnerabilities found in four Rockwell Automation Allen-Bradley MicroLogix 1400 Programmable Logic Controllers that are used in conjunction with industrial control systems.

Github announces 4 million vulnerabilities patched in 500,000 repositories

Github announced the discovery of more than four million vulnerabilities located in more than 500,000 repositories. In 2017, the code sharing site started scanning repositories for known Common Vulnerabilities and Exposures (CVEs).

Patch Tuesday: Adobe patches 7 critical flaws

For Patch Tuesday, Adobe released updates for Adobe Flash Player, Adobe Connect, and Adobe Dreamweaver addressing seven critical vulnerabilities.

Critical flaws in 4G LTE protocols leaving mobile devices vulnerable

Unpatched security vulnerabilities in the 4G LTE protocol allow anyone to connect to a network by impersonating a victim's phone without possessing legitimate credentials, launch DDoS attacks, and hijack a phone's paging channel.

Kaspersky ups bounty to US$ 100K (£72K) for some severe RCE bugs

Kaspersky Lab has upped the high end of its bug bounty rewards program to US$ 100,000 (£72,000) for severe vulnerabilities that allow remote code execution (RCE) through the database update channel.

Researchers find new ways to exploit Meltdown and Spectre flaws in chips

MeltdownPrime and SpectrePrime could trick systems into leaking data. Security researchers have found new ways to exploit the Meltdown and Spectre vulnerabilities that have plagued modern CPUs.

Upright and under cover; getting your own hacker beats letting outsiders in

A social engineer will start by gathering Open Source Intelligence (OSINT), continue the sleuthing through social media, and finally give the company an overview of its security posture without losing any of the data taken on the job.

Drupal 7 and 8 patch multiple critical vulnerabilities

Drupal patched multiple vulnerabilities in both Drupal 7 and Drupal 8 including a comment reply form flaw that allows access to restricted content and an incomplete JavaScript cross-site scripting prevention flaw, both rated critical.

Update: Dell storage platform security bugs allow root access

Security researchers recently unearthed up to nine security vulnerabilities in Dell EMC's Isilon OneFS platform that could allow remote attackers to launch social engineering attacks and subsequently access the Isilon systems at root.

Reported vulnerabilities in Microsoft products more than doubled since 2013

The total number of reported vulnerabilities in Microsoft's software products, including those in the new Windows 10 operating system, rose over two-fold in the last four years and critical vulnerabilities rose by 60 percent.

Cryptocurrency mining crime blotter, Apache CouchDB & other vulnerabilities

The amount of illegal cryptocurrency mining now taking place makes keeping track a difficult task, but here is a quick roundup of what has been spotted over the last few days.

AndroRAT exposes fragmented Android ecosystem vulnerabilities

A new version of a familiar menace, AndroRAT, has emerged from the trash to exploit long-forgotten vulnerabilities.

Microsoft Patch Tuesday: Nearly 50 patches, most for privilege escalation

Microsoft patched nearly 50 vulnerabilities this month, including patches for an Adobe Flash Player zero-day vulnerability that was announced earlier this month.

Adobe Patch Tuesday patches issues in Acrobat, Reader & Experience Manager

Adobe's Patch Tuesday updates included security updates for Adobe Acrobat and Reader for Windows and Macintosh to address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.

APIs in Samsung, Roku devices insecure: Consumer Reports

Several smart TVs from Samsung and others using the Roku TV platform, as well as media players from that company, are susceptible to cyber-attacks, according to Consumer Reports, a claim denied vehemently by Roku.

Security shortage forces CISOs to increase reliance on machine learning

With enterprises struggling with a massive shortage of experienced cyber-security professionals, today's CISOs are placing more faith in machine learning, which they believe will be important to their IT security functions.

Desperately needed fix for Flash Player bug exploitation released by Adobe

Adobe Systems today released a critical security update for a pair of vulnerabilities in Flash Player, one of which has been actively exploited in phishing attacks attributed to North Korean APT actor Group 123.

All versions of Windows vulnerable to tweaked Shadow Brokers NSA exploits

NSA exploits stolen by the Shadow Brokers hacker group can be tweaked to exploit vulnerabilities in all versions of Windows, including Windows 10, so deploy the MS17-010 security update from Microsoft as soon as possible.

Core Security releases advisory on Kaspersky Labs' Secure Mail Gateway

Core Security issued an advisory for multiple vulnerabilities it found in Kaspersky Labs' Secure Mail Gateway that if left unpatched could lead to administrative account takeover.

Monero crypto miner leveraging Apache Struts vulnerability

Cryptocurrency miners have begun using two older and already patched vulnerabilities to compromise servers to mine the Monero digital currency.

Intel advises companies to stop

Intel is recommending that vendors and end users stop deploying the current version of its patch designed to fix the Spectre/Meltdown vulnerabilities that were discovered in most of the company's processors.

Cisco security updates nix high-impact DoS and privilege escalation bugs

Cisco Systems on Wednesday issued 26 security updates to fix an array of vulnerabilities, including high-impact bugs in its Unified Customer Voice Portal (CVP), its NX-OS Software, and its Email Security Appliance (ESA).

Blender 3D open source platform plagued with arbitrary code vulnerabilities

Cisco Talos researchers identified multiple unpatched vulnerabilities in the Blender Open Source 3D creation suite that could allow an attacker to run arbitrary code.

Survey: Most security pros aim to patch vulnerabilities within 30 days

High-profile cyber-security incidents continue to occur because companies fail to apply patches for known vulnerabilities, according to Tripwire research.

Apple issues Spectre patches for macOS High Sierra, Safari and iOS

Apple followed up on its promise last week and rolled out updates for macOS High Sierra, Safari and iOS to patch the Spectre vulnerabilities CVE-2017-5753 and CVE-2017-5715 in Intel's processor family.

Vulnerabilities including remote execution spotted in WDMyCloud products

A GulfTech researcher spotted multiple vulnerabilities in Western Digital's MyCloud products, some of which could lead to remote code execution and unauthorised access.

Attackers exploit old WordPress to inject code enabling site redirection

Attackers exploited an old WordPress vulnerability to infect more than one thousand websites with malware capable of injecting malvertising and even creating a rogue admin user with full access privileges, according to researchers.

Apple addresses KRACK exploits in AirPort Base Station firmware

Apple has continued to roll out patches to fix the KRACK (Key Reinstallation AttaCKs) series of vulnerabilities, this time in its AirPort Base Station firmware.

TLS implementation bug put millions at risk

A critical security bug put millions of banking app users at risk, according to researchers from the University of Birmingham.