Vulnerability News, Articles and Updates

'Kill switch' counters the memcached vulnerability

A newly discovered "kill switch" effectively counters the memcached vulnerability that led recently to massive DDoS attacks at specific targets including national security agencies, reports Corero Network Security.

Old version of HPE Lights-Out server management contains DoS vulnerability

Hewlett Packard Enterprise has disclosed the discovery of a serious vulnerability in a previous version of its Lights-Out 3 embedded server management technology, which could be remotely exploited to trigger a DoS condition.

Double cryptominer delivered via Oracle server exploit

Threat actors exploited the CVE-2017-10271 vulnerability which allows for remote code execution to deliver both a 64-bit variant and a 32-bit variant of an XMRig Monero miner, according to a 26 February blog post.

Adobe ReaderDC arbitrary code execution vulnerability found

Cisco Talos has made public a new vulnerability in Adobe ReaderDC that if exploited can lead to arbitrary code execution.

Vulnerability in Oracle's WebLogic installs Monero cryptominer on victims' machines

A malicious campaign that's been exploiting a vulnerability in Oracle's WebLogic application servers in order to install a Monero cryptominer on victims' machines spreads the threat worldwide, across virtually all industry sectors.

Massive code rewrite may be required to patch Skype vulnerability

Skype is reportedly refusing to patch a security vulnerability in its updater process which could allow an attacker to gain system level privileges on a vulnerable computer.

App zero-day flaw exploited to fool users into malicious downloads

Attackers were found exploiting a zero-day Telegram app vulnerability in order to make the names and extensions of malicious files appear more legitimate, in hopes that users who received these files would more willingly open them.

Windows Installer service hacked to infect victims' systems with malware

Cyber-criminals are using a malware spam campaign to exploit a remote code execution vulnerability in Microsoft Office to download and execute malicious scripts on victims' systems.

Serious DoS flaw spotted in WordPress platform - affects most versions

Vulnerability so simple, anyone could use it. Security researchers have discovered a flaw in open source CMS WordPress that would allow a hacker to take down a website through a DoS attack with a single machine.

Cisco takes a second crack at fixing critical ASA bug

Cisco Systems on Monday released a second fix for a critical vulnerability in the XML parser of its Adaptive Security Appliance (ASA) after finding additional attack vendors and learning that its previous repair job was insufficient.

POS vulnerability affecting 300,000 systems patched by Oracle

Oracle recently patched a Micros point-of-sale vulnerability which could have allowed an attacker to read any file and receive information about various services without authentication from a vulnerable MICROS workstation.

Attackers exploit critical Adobe Flash Player zero-day bug; no patch yet

Adobe Systems says it plans to address a critical zero-day vulnerability in Flash Player that a researcher asserts is being actively exploited in the wild to attack South Koreans conducting research on North Korea.

Cisco update eliminates DoS vulnerability in Aggregation Services Router OS

Cisco Systems on Wednesday issued a security update that fixes a high-severity denial of service vulnerability in release version 5.3.4 of its IOS XR Software for the Aggregation Services Router (ASR) 9000 Series.

Cisco warns of a critical vulnerability in its SSL VPN solution

Hackers could run code on VPN box. Cisco has confirmed a critical security vulnerability in its SSL VPN solution, Adaptive Security Appliance (ASA), one of the most widely-deployed SSL VPNs on the market.

Cisco patches ASA software flaw allowing VPN hacks

Cisco's latest security update patches an Adaptive Security Appliance (ASA) software vulnerability that could allow an attacker to gain complete control of an affected system.

Lenovo addresses insecure credential storage bug in Fingerprint Manager Pro

Hardware and electronics manufacturer Lenovo disclosed an insecure credential storage vulnerability in its Fingerprint Manager Pro utility software, which can be exploited for local privilege escalation on a variety of systems.

Satori creator linked with new Mirai variant Masuta

Nexus Zeta behind botnet that weaponises router exploit to enlist further vulnerable IoT devices. The author of Satori botnet may also be behind two new Mirai variants called Masuta and PureMasuta.

Lenovo patches 14-year-old vulnerability

Lenovo released a patch for a vulnerability introduced 14 years ago via a firmware update by the now-defunct Nortel Networks and its blade server and switch business unit.

New WiFi standard set to improve wireless security

The WiFi Alliance has announced that a new version of the WPA protocol, WPA3, will be released later this year.

Malicious websites steal from vulnerable Electrum cryptocurrency wallets

The popular Bitcoin client Electrum has developed a patch for a critical vulnerability that allows malicious websites to steal from digital wallets that are not password-protected.

TLS exploit capitalises on 19-year-old vulnerability; vendors issue patch

Researchers recently discovered that a nearly two-decade-old vulnerability in TLS stacks was still exploitable due to insufficient protective counter-measures some used by highly popular websites.

Two keyless entry door locks vulnerable to unauthenticated requests

A vulnerability found in two keyless entry door locks enables local attackers to lock and unlock doors as well as create their own RFID badges by sending unauthenticated requests to affected devices.

ParseDroid vulnerabilities could affect all Android developers

Checkpoint researchers discovered several vulnerabilities in Android application developer tools that put any organisation that does Java/Android development at risk of an outsider gaining access to their system.

Will IETF proposal be the end of enterprise middlebox traffic snooping?

Is the ability to effectively bypass monitoring middleboxes is a good thing, both for the enterprise and more broadly network security?

Report: Dell domain takeover could have spread malware

Dell computer users could have possibly been exposed to malware last summer after visiting a third-party customer support website, whose domain was suddenly taken over by an unaffiliated company.

Researchers pwn Alexa, turning Amazon Echo into covert snooping device

Older versions of Amazon Echo are vulnerable, and though physical access to the device is needed, this is more achievable with second hand devices.

IOActive reveals security vulnerabilities in radiation monitoring devices

Security researcher discovers numerous security flaws in multiple devices tasked with detecting radiation in critical facilities.

Ormandy criticised for revealing too much in Windows malware bug report

When security researcher Tavis Ormandy revealed a vulnerability in Microsoft's Malware Protection Engine, he published proof-of-concept code and earned himself a rebuke from Graham Cluley.

Remote access bug in Intel AMT worse than we thought, says researcher

A long-standing flaw in Intel's manageability firmware may date back 10 years and is trivial to exploit, so patch your devices now, says security researcher.

Vulnerability discovered in ATM cash machine security enables theft

Hackers could steal money using flaw in ATM security software that enables thieves to increase their user privileges via ARP spoofing.