Vulnerability News, Articles and Updates

Patched Cisco flaw lets attackers perform MITM attacks, steal credentials

Positive Technologies has elaborated on a critical remote code execution vulnerability its researchers discovered in the web interface of the Cisco Systems Access Control Server (ACS).

DTS bug bounty challenge yields 654 valid, unique vulnerabilities

Hackers filed more than 100 security vulnerability reports during the 29-day Hack the DTS (Defence Travel System) bug bounty initiative and amassed nearly US$ 80,000 (£60,183) for their efforts.

T-Mobile bug exposed personal customer data

A glitch in T-Mobile's website allowed anyone to look up customer details including full names, postal addresses, billing account numbers, and in some cases information about tax identification numbers.

Schneider Electric patches XML external entity vulnerability

Schneider Electric patched a vulnerability (CVE-2018-7783) in its SoMachine Basic that could result in the disclosure or retrieval of data during an out-of-band attack.

Vulnerable connected devices posing immense security risk to organisations

Even though thousands of smart devices are being regularly connected to enterprise networks, many organisations do not have security policies for connected devices, or their employees do not follow existing policies by the book.

Botched firmware patches: Six tips to avoid the pain

OEMs don't have the luxury of passing off failures like Meltdown and Spectre to customers, as doing so impacts reputation and revenues. However, there are steps organisations can take to help protect both their business and customers.

PDF exploit built to combine zero-day Windows and Adobe Reader bugs

A privilege escalation vulnerability patched last week in Microsoft Windows and an Adobe Reader remote code execution bug fixed in a product update were both jointly targeted by a PDF-based zero-day exploit.

Report: Vulnerability management strategies are flawed

Vulnerability management strategies based on responding to published - and patched - CVE vulnerabilities are fatally flawed, according to a new in-depth report.

Vulnerability in Electron could pose danger to Skype and Wordpress web apps

A security vulnerability has been discovered in a software framework used by web apps that could enable hackers to execute remote code. The problem could affect many web apps that use the framework.

LG patches RCE bug in smartphone keyboards

LG on Monday released a security update fixing a high-severity remote code execution vulnerability found in the default keyboards of all its mainstream smartphone models.

Adobe Patch Tuesday update fixes confusion flaw in Flash

A patch released Tuesday by Adobe fixes a critical confusion vulnerability, CVE-2018-4944, found in all Flash Player versions up to 29.0.0.140.

Half of Global Fortune 100 continue to download flawed Apache Struts

After a vulnerability in Apache Struts led to serious breaches at Equifax and laid the credit reporting agency low last autumn, organisations should have scrambled to bolster security.

Microsoft issues more Spectre updates

Microsoft has released two updates as part of the company's ongoing effort to secure devices running Intel processors from the Spectre vulnerability.

NHS could have prevented WannaCry by following IT security best practice

Even after warnings, NHS trusts did little to update or replace legacy software, and the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks, says the National Audit Office.

UK manufacturers often outdated & highly vulnerable to cyber-threats

More than 80 UK manufacturing plants have faced cyber-incidents, yet many use old systems and lack the visibility, tools or manpower to carry out cyber-risk assessments. Are manufacturers fighting a losing battle?

43% of businesses, 19% of charities hit by data breaches: Cyber Breach survey

In a month from now, the UK will welcome GDPR, which will give the ICO more powers to defend consumer interests and issue fines of up to £17 million or four percent of global turnover on organisations in the event of data breaches.

Cisco patches vulnerability in WebEx

A Cisco security advisory is warning users of a vulnerability in the firm's WebEx Meetings and WebEx Meetings Server that could allow a remote attacker to execute arbitrary code on their system.

AMD Processors address Spectre vulnerabilities

AMD releases processor security updates for Microsoft Windows users addressing the Spectre Variant 2 vulnerability.

Microsoft pushes update for critical RCE bug in Malware Protection Engine

Microsoft Corporation on Tuesday announced an emergency patch for a memory corruption vulnerability in its Microsoft Malware Protection Engine (MMPE) that remote attackers can exploit to execute arbitrary code.

Researchers uncover BranchScope, a new Intel processor vulnerability

Cyber-security researchers from four major universities have disclosed a new processor-based vulnerability called BranchScope that is similar to Spectre/Meltdown but immune to the fixes put in place to patch those vulnerabilities.

'Kill switch' counters the memcached vulnerability

A newly discovered "kill switch" effectively counters the memcached vulnerability that led recently to massive DDoS attacks at specific targets including national security agencies, reports Corero Network Security.

Old version of HPE Lights-Out server management contains DoS vulnerability

Hewlett Packard Enterprise has disclosed the discovery of a serious vulnerability in a previous version of its Lights-Out 3 embedded server management technology, which could be remotely exploited to trigger a DoS condition.

Double cryptominer delivered via Oracle server exploit

Threat actors exploited the CVE-2017-10271 vulnerability which allows for remote code execution to deliver both a 64-bit variant and a 32-bit variant of an XMRig Monero miner, according to a 26 February blog post.

Adobe ReaderDC arbitrary code execution vulnerability found

Cisco Talos has made public a new vulnerability in Adobe ReaderDC that if exploited can lead to arbitrary code execution.

Vulnerability in Oracle's WebLogic installs Monero cryptominer on victims' machines

A malicious campaign that's been exploiting a vulnerability in Oracle's WebLogic application servers in order to install a Monero cryptominer on victims' machines spreads the threat worldwide, across virtually all industry sectors.

Massive code rewrite may be required to patch Skype vulnerability

Skype is reportedly refusing to patch a security vulnerability in its updater process which could allow an attacker to gain system level privileges on a vulnerable computer.

App zero-day flaw exploited to fool users into malicious downloads

Attackers were found exploiting a zero-day Telegram app vulnerability in order to make the names and extensions of malicious files appear more legitimate, in hopes that users who received these files would more willingly open them.

Windows Installer service hacked to infect victims' systems with malware

Cyber-criminals are using a malware spam campaign to exploit a remote code execution vulnerability in Microsoft Office to download and execute malicious scripts on victims' systems.

Serious DoS flaw spotted in WordPress platform - affects most versions

Vulnerability so simple, anyone could use it. Security researchers have discovered a flaw in open source CMS WordPress that would allow a hacker to take down a website through a DoS attack with a single machine.

Cisco takes a second crack at fixing critical ASA bug

Cisco Systems on Monday released a second fix for a critical vulnerability in the XML parser of its Adaptive Security Appliance (ASA) after finding additional attack vectors and learning that its previous repair job was insufficient.