Vulnerability News, Articles and Updates

TLS exploit capitalises on 19-year-old vulnerability; vendors issue patch

Researchers recently discovered that a nearly two-decade-old vulnerability in TLS stacks was still exploitable due to insufficient protective counter-measures some used by highly popular websites.

Two keyless entry door locks vulnerable to unauthenticated requests

A vulnerability found in two keyless entry door locks enables local attackers to lock and unlock doors as well as create their own RFID badges by sending unauthenticated requests to affected devices.

ParseDroid vulnerabilities could affect all Android developers

Checkpoint researchers discovered several vulnerabilities in Android application developer tools that put any organisation that does Java/Android development at risk of an outsider gaining access to their system.

Will IETF proposal be the end of enterprise middlebox traffic snooping?

Is the ability to effectively bypass monitoring middleboxes is a good thing, both for the enterprise and more broadly network security?

Report: Dell domain takeover could have spread malware

Dell computer users could have possibly been exposed to malware last summer after visiting a third-party customer support website, whose domain was suddenly taken over by an unaffiliated company.

Researchers pwn Alexa, turning Amazon Echo into covert snooping device

Older versions of Amazon Echo are vulnerable, and though physical access to the device is needed, this is more achievable with second hand devices.

IOActive reveals security vulnerabilities in radiation monitoring devices

Security researcher discovers numerous security flaws in multiple devices tasked with detecting radiation in critical facilities.

Ormandy criticised for revealing too much in Windows malware bug report

When security researcher Tavis Ormandy revealed a vulnerability in Microsoft's Malware Protection Engine, he published proof-of-concept code and earned himself a rebuke from Graham Cluley.

Remote access bug in Intel AMT worse than we thought, says researcher

A long-standing flaw in Intel's manageability firmware may date back 10 years and is trivial to exploit, so patch your devices now, says security researcher.

Vulnerability discovered in ATM cash machine security enables theft

Hackers could steal money using flaw in ATM security software that enables thieves to increase their user privileges via ARP spoofing.

LastPass bug could allow hackers to steal passwords and execute code

Google researcher Tavis Ormandy finds more flaws in the LastPass password manager, one affecting the Google Chrome extension and another affecting version 3.3.2 of its Firefox add-on.

Researcher reports of vulnerability in Nest cameras that shuts it off

As Nest cameras store all the footage they record in the cloud, it means any time the camera is down it is not recording, allowing just enough time for the home burglar to get in and out.

Ear, ear: Hacker could defeat Google reCAPTCHA with speech recognition

Google's reCAPTCHA anti-robot widget has been found to be susceptible to a robot attack that leverages its own online services.

WordPress pages defaced following patched bug disclosure

More than 100,000 WordPress web pages have been defaced, following last week's public disclosure of a patched vulnerability that allows attackers to remotely modify the content of pages and posts.

Unencrypted requests for updates by NAS exposes users to malicious updates

F-Secure researchers find multiple vulnerabilities in a NAS device that attackers can use to steal data and passwords, or even remotely execute commands.

Airplane boarding display leaks passenger data

Symantec researcher Candid Wueest spotted Airport boarding gate displays putting passengers at risk by leaking booking codes.

Google speech recognition was vulnerable to use-after-free attack

A specially crafted webpage could hook a dangling pointer created by Google Chrome and Chromium's speech recognition API object and use it to access a block of memory on a user's machine.

Extrabacon flaw isn't being patched quick enough by organisations

Cisco issues patch for Extrabacon vulnerability but thousands of routers at risk from exploit allegedly created by the NSA's Equation Group.

Apple patches remote code execution flaws

Apple patches critical vulnerabilities in iOS and OS X that could allow remote code execution.

Pornhub dismisses hacker's offer to sell access to servers as hoax

A hacker calling himself Revolver yesterday advertised on Twitter that he was selling access to Pornhub servers for $1,000 after discovering an exploit, but the pornography video sharing website is disputing the veracity of this hack.

The wave of a wand won't patch the security bug found in ImageMagick

A security bug in ImageMagick, the free open source image processing software, is allowing cyber-criminals to attack vulnerable servers from afar.

SideStepper vulnerability in iOS 9 endangers companies that use MDM to distribute apps

Researchers are warning companies that the use of MDM technology opens up a loophole in protections added to Apple's iOS 9 to help prevent employees from downloading malicious software posing as legit enterprise apps.

Even after patches, Apple's rootless feature can reportedly be bypassed

Apple's System Integrity Protection (SIP) feature, introduced into its El Capitan operating system to restrict system changes at the root level, can be circumvented by simple code, according to an article in The Register today.

Over 600 cloud providers not protecting users against Drown

Continuing exposure to DROWN vulnerability in cloud service providers could indicate deeper security issues and lackadaisical approach to software updates.

Cisco patches critical vulnerability in Nexus devices

Cisco Wednesday warned users of a critical vulnerability in Nexus 3000 and 3500 series switches.

Mozilla fixes critical vulnerabilities in Firefox browser and Extended Support Release

Mozilla has issued security advisories announcing key updates to its Firefox browser and the Firefox Extended Support Release, both of which fixed vulnerabilities that the open-source developer labeled as critical.

Zero day vulnerability found in VMware product

A team of experts at 7 Elements has discovered a recent VMware vCentre vulnerability that could result in unauthorised remote access.

WinRAR vulnerability leaves users open to attack

Just unzipping files could infect systems because of a remote code vulnerability in WinRAR

Vulnerability addressed in Cisco IMC Supervisor and Cisco UCS Director

Cisco released software updates to address a vulnerability that can lead to system instability or a denial-of-service condition.

Apple fixes bad case of Ins0mnia in iOS 8.4.1

iOS 8.4 could have a hard time making apps go to sleep, according to security researchers at FireEye.