Apple on Monday rolled out a major refresh of its flagship iOS mobile platform, adding a built-in two-factor authentication code generator and multiple anti-tracking security and privacy features.
Misconfigured APIs make any app risky, but when you’re talking about financial apps, you’re talking about handing ne’er-do-wells the power to turn your pockets inside-out. Read More: Payment API Bungling Exposes Millions of Users’ Payment Data
Event management company EventBuilder exposed files containing the personal information of at least 100,000 users who registered for events on its platform.
Cities, states, federal and military agencies should patch the Laserfiche CMS post-haste, said the security researcher whose jaw dropped at 50 sites hosting porn and Viagra spam. Read More: Porn Problem: Adult Ads Persist on US Gov’t, Military Sites
Chipmaker AMD has patched a driver vulnerability that could allow an attacker to obtain sensitive information from the targeted system.
Microsoft on Thursday published additional guidance on addressing recently disclosed vulnerabilities in the Open Management Infrastructure (OMI) framework, along with new protections to resolve the bugs within affected Azure Virtual Machine (VM) manage… Read More: Mirai Botnet Starts Exploiting OMIGOD Flaw as Microsoft Issues More Guidance
Microsoft and RiskIQ researchers have identified several campaigns using the recently patched zero-day, reiterating a call for organizations to update affected systems. Read More: Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Coast Guard Cyber Command (CGCYBER) have sounded the alarm over in-the-wild attacks targeting a recently disclosed vulnerability in Zoh… Read More: U.S. Agencies Warn of APTs Exploiting Recent ADSelfService Plus Zero-Day
Citizen Lab released a report on a zero-click iMessage exploit that is used in NSO Group’s Pegasus spyware.
Apple patched the vulnerability; everyone needs to update their OS immediately.
News articles on the exploit.
The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August. Read More: CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug
Endpoint security platform Kolide on Thursday announced that it has raised $17 million in Series B funding, for a total of $27 million raised to date.
Google this week announced plans to support the Open Source Technology Improvement Fund (OSTIF) to boost the security of open source projects.
A group of researchers from North Carolina State University has built a software toolkit to explore vulnerabilities in Apple’s mobile processors and used the findings to devise a cache timing attack.
Drupal developers on Wednesday informed users that updates released for Drupal 8.9, 9.1 and 9.2 patch five vulnerabilities that can be exploited for cross-site request forgery (CSRF) and access bypass.
A driver privilege-escalation bug gives attackers kernel-mode access to millions of PCs used for gaming. Read More: HP Omen Hub Exposes Millions of Gamers to Cyberattack
Dubbed OMIGOD, a series of vulnerabilities in the Open Management Infrastructure used in Azure on Linux demonstrate hidden security threats, researchers said. Read More: Azure Zero-Day Flaws Highlight Lurking Supply-Chain Risk
Microsoft and threat intelligence company RiskIQ reported finding links between the exploitation of a recently patched Windows zero-day vulnerability and known ransomware operators.
Two of IBM’s aging flagship server models, retired in 2020, won’t be patched for a command-injection flaw. Read More: No Patch for High-Severity Bug in Legacy IBM System X Servers
Four of the fixes that Microsoft released as part of its September 2021 Patch Tuesday updates deal with vulnerabilities in the Open Management Infrastructure (OMI) software agent embedded in Azure services.
German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.
Siemens and Schneider Electric on Tuesday published a total of 25 advisories to address more than 40 vulnerabilities affecting their industrial control system (ICS) products.
Adobe releases security updates for 59 bugs affecting its core products, including Adobe Acrobat Reader, XMP Toolkit SDK and Photoshop. Read More: Adobe Snuffs Critical Bugs in Acrobat, Experience Manager
On Patch Tuesday, Microsoft fixed 66 CVEs, including an RCE bug in MSHTML under active attack as threat actors passed around guides for the drop-dead simple exploit. Read More: Microsoft Patches Actively Exploited Windows Zero-Day Bug
Saryu Nayyar, CEO at Gurucul, peeks into Mitre’s list of dangerous software bug types, highlighting that the oldies are still the goodies for attackers. Read More: 2021’s Most Dangerous Software Weaknesses
Microsoft on Tuesday shipped a major security update to blunt zero-day attacks targeting a gaping hole in its proprietary MSHTML browsing engine.
Apple has spent the past week rushing to develop a fix for a major security flaw which allows spyware to be downloaded on an iPhone or iPad without the owner even clicking a button. But how do such “zero-click” attacks work, and can they be stopped?… Read More: Apple Security Flaw: How do ‘Zero-Click’ Attacks Work?
Switzerland’s national postal organization Swiss Post is offering bug bounty rewards of up to €230,000 (roughly $271,000) for critical vulnerabilities identified in a future digital voting system.
A five-year study conducted by cybersecurity firm Imperva showed that nearly half of on-premises databases globally have at least one vulnerability that could expose them to attacks.
A threat actor has leaked online access credentials for 87,000 Fortinet VPN devices that were apparently compromised using a vulnerability identified and patched two years ago.
Attack surface management pioneer Tenable on Monday announced plans to spend $160 million in cash to snap up Accurics, an early-stage startup selling cloud-native security for DevOps and security teams.
WordPress 5.8.1, a security and maintenance release announced last week, fixes 60 bugs and several vulnerabilities.
Citrix has released patches for several vulnerabilities in Hypervisor that could result in privileged code executed in a guest virtual machine compromising or crashing the host.
Record-breaking distributed denial of service attack targets Russia’s version of Google – Yandex. Read More: Yandex Pummeled by Potent Meris DDoS Botnet
Cisco this week released patches for multiple high-severity vulnerabilities in the IOS XR software and warned that attackers could exploit these bugs to reboot devices, elevate privileges, or overwrite and read arbitrary files.
A critical security vulnerability in HAProxy could allow attackers to bypass security controls and access sensitive data without authorization, according to a warning from security research outfit JFrog.
GitHub has published documentation on seven vulnerabilities in the Node.js packages and warned that exploitation could expose users to code execution attacks.
They were posted for free by former Babuk gang members who’ve bickered, squabbled and huffed off to start their own darn ransomware businesses, dagnabbit. Read More: Thousands of Fortinet VPN Account Credentials Leaked
John Hammond, security researcher with Huntress, discusses how financially motivated cybercrooks use and abuse cryptocurrency. Read More: Financial Cybercrime: Why Cryptocurrency is the Perfect ‘Getaway Car’
A chain of exploits could allow a malicious Azure user to infiltrate other customers’ cloud instances within Microsoft’s container-as-a-service offering. Read More: ‘Azurescape’ Kubernetes Attack Allows Cross-Container Cloud Compromise
The U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB) this week announced they are seeking public feedback on draft zero-trust strategic and technical documentation.
A Canadian and U.S. dual-national was sentenced to 11 years in prison for laundering illicit funds from cybercrime schemes such as business email compromise, ATM cash-outs, and bank cyber-heists.
Grayfly campaigns have launched the novel malware against businesses in Taiwan, Vietnam, the US and Mexico and are targeting Exchange and MySQL servers. Read More: SideWalk Backdoor Linked to China-Linked Spy Group ‘Grayfly’
An authentication bypass vulnerability leading to remote code execution offers up the keys to the corporate kingdom. Read More: Zoho Password Manager Zero-Day Bug Under Active Attack Gets a Fix
Zoho has shipped an urgent patch for an authentication bypass vulnerability in its ManageEngine ADSelfService Plus alongside a warning that the bug is already exploited in attacks.
Tracked as CVE-2021-40539, the security flaw is deemed critical as it c…
Australian immunization app bug lets attackers fake vaccine status. Read More: Spoofing Bug Highlights Cybersecurity for Digital Vaccine Passports
Howard University closed its physical campus and canceled classes this week after experiencing a ransomware attack.
Google on Tuesday published the Android Security Bulletin for September 2021 with patches for a total of 40 vulnerabilities, including seven that are rated critical.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued new guidelines for government and private organizations to take into consideration when looking to outsource services to a Managed Service Provider (MSP).
Attackers are actively attempting to exploit a vulnerability in MSHTML that allows them to craft a malicious ActiveX control to be used by Microsoft Office files. Read More: Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows
A high-severity vulnerability recently addressed in the popular NPM package Pac-Resolver could be exploited to execute arbitrary code remotely.
Jenkins over the weekend announced that hackers managed to gain access to one of its servers after exploiting a critical vulnerability affecting Atlassian Confluence Server and Data Center.
NETGEAR has released patches to address severe vulnerabilities in its business-grade smart switches that could lead to complete device takeover.
The Demon’s Cries, Draconian Fear and Seventh Inferno security bugs are high-severity entryways to corporate networks. Read More: Netgear Smart Switches Open to Complete Takeover
Microsoft’s embattled security response unit is scrambling to deal with another zero-day attack hitting users of its flagship Microsoft Office software suite.
Patch now: The popular biz-collaboration platform is seeing mass scanning and exploitation just two weeks after a critical RCE bug was disclosed. Read More: Jenkins Hit as Atlassian Confluence Cyberattacks Widen
Verizon DBIR is already funny, useful & well-written, and it just got better with mapping to MITRE ATT&CK TTPs. The marriage could finally bring answers to “What are we doing right?” instead of the constant reminders of what’s not working in fe… Read More: Holy Grail of Security: Answers to ‘Did XYZ Work?’ – Podcast
Yet another article on the privacy risks of static MAC addresses and always-on Bluetooth connections. This one is about wireless headphones.
The good news is that product vendors are fixing this:
Several of the headphones which could be tracked over time are for sale in electronics stores, but according to two of the manufacturers NRK have spoken to, these models are being phased out.
“The products in your line-up, Elite Active 65t, Elite 65e and Evolve 75e, will be going out of production before long and newer versions have already been launched with randomized MAC addresses. We have a lot of focus on privacy by design and we continuously work with the available security measures on the market,” head of PR at Jabra, Claus Fonnesbech says…
Read More: Tracking People by their MAC Addresses
USCYBERCOM and the Cybersecurity and Infrastructure Security Agency (CISA) are sounding the alarm just before the Labor Day weekend in the U.S., urging organizations to patch a critical vulnerability (CVE-2021-26084) affecting Atlassian Confluence Serv… Read More: USCYBERCOM Warns of Mass Exploitation of Atlassian Vulnerability Ahead of Holiday Weekend
Grant Oviatt, director of incident-response engagements at Red Canary, provides advice and best practices on how to get there faster. Read More: The State of Incident Response: Measuring Risk and Evaluating Your Preparedness
Social media giant Facebook on Thursday announced a new payout guideline to help vulnerability hunters better understand its bounty decisions related to given bugs.
Software vendor SolarWinds failed to enable an anti-exploit mitigation available since the launch of Windows Vista 15 years ago, an oversight that made it easy for attackers to launch targeted malware attacks in July this year.
The BrakTooth set of security vulnerabilities impacts at least 11 vendors’ chipsets. Read More: Bluetooth Bugs Open Billions of Devices to DoS, Code Execution
A design flaw involving Google Timeline could allow someone to track another device without installing a stalkerware app. Read More: Google Play Sign-Ins Allow Covert Location-Tracking
There’s proof-of-concept code out for the near-maximum critical – rated at 9.8 – authentication bypass bug, but Cisco hasn’t seen any malicious exploit yet. Read More: Cisco Patches Critical Authentication Bug With Public Exploit
Network detection and response play Corelight has raised a fresh $75 million funding round to speed up its global expansion ambitions.
The San Francisco-based Corelight said the Series D investment was led by Energy Impact Partners and brings the total…
Railway Communication Devices Made by Moxa Affected by 60 Vulnerabilities
Railway and other types of wireless communication devices made by Taiwan-based industrial networking and automation firm Moxa are affected by nearly 60 vulnerabilities.
A group of researchers with the Singapore University of Technology and Design have disclosed a family of 16 new vulnerabilities that affect commercial Bluetooth Classic (BT) stacks.
Users should be careful whose pics they view and should, of course, update their apps. Read More: WhatsApp Photo Filter Bug Allows Sensitive Info to Be Lifted
IoT vulnerabilities turned the remote into a listening device, researchers found, which impacted 18 million Xfinity customers. Read More: Comcast RF Attack Leveraged Remotes for Surveillance
Hackers started exploiting a vulnerability in Atlassian’s Confluence enterprise collaboration product just one week after the availability of a patch was announced.
Cisco on Wednesday announced the availability of patches for a critical authentication bypass vulnerability in Enterprise NFV Infrastructure Software (NFVIS) for which proof-of-concept exploit code already exists.
Two vulnerabilities in the site-building plugin could be useful tools in the hands of a skilled attacker, researchers warned. Read More: Gutenberg Template Library & Redux Framework Bugs Plague WordPress Sites
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning that ransomware actors are deliberately launching attacks during the holidays and weekends.
The Singapore Government Technology Agency (GovTech) on Tuesday introduced a new Vulnerability Rewards Programme (VRP) on HackerOne that offers bug bounty rewards of up to $150,000.
Google this week announced the release of Chrome 93 with a total of 27 security patches inside, including 19 for vulnerabilities that were reported by external researchers.
A serious vulnerability affecting the Linphone Session Initiation Protocol (SIP) client suite can allow malicious actors to remotely crash applications, industrial cybersecurity firm Claroty warned on Tuesday.
The Bad Practices catalog is a collection of practices that are considered to be “exceptionally risky” by the US Cybersecurity and Infrastructure Security Agency (CISA). The practices mentioned in the document are not to be used by organiza… Read More: CISA Advises Users to Not Use Single-factor Authentication on Internet-exposed Systems
If you plug a Razer peripheral (mouse or keyboard, I think) into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software — which automatically downloads — to gain SYSTEM privileges.
It should be noted that this…
Posted by Jan Keller, Technical Program Manager, Google VRP. A little over 10 years ago, we launched our Vulnerability Rewards Program (VRP). Our goal was to establish a channel for security researchers to report bugs to Google and offer an efficie… Read More: A new chapter for Google’s Vulnerability Reward Program
Posted by Oliver Chang, Google Open Source Security team and Russ Cox, Go team. In recent months, Google has launched several efforts to strengthen open-source security on multiple fronts. One important focus is improving how we identify and respon… Read More: Announcing a unified vulnerability schema for open source
Security researchers have discovered a way to leverage Apple’s Find My’s Offline Finding network to upload data from devices, even those that do not have a Wi-Fi or mobile network connection.
Rapid7 says unauthorized third-party accessed source code, customer data during Codecov supply chain breach
Citrix this week announced that it has patched a local privilege escalation vulnerability in the Citrix Workspace app for Windows.
The ‘Send My’ exploit can use Apple’s locator service to collect and send information from nearby devices for later upload to iCloud servers. Read More: Apple’s ‘Find My’ Network Exploited via Bluetooth
Paper ballots and source-code transparency are recommended to improve election security. Read More: Researchers Flag e-Voting Security Flaws
Asset and security control management provider Panaseer on Wednesday announced a new $26.5 million round of funding, bringing the total investment in the company up to $43 million.
Wi-Fi devices going back to 1997 are vulnerable to attackers who can steal your data if they’re in range. Read More: ‘FragAttacks’: Wi-Fi Bugs Affect Millions of Devices
More than 328 control weaknesses were highlighted by the Auditor-General of Western Australia on Wednesday in a report that analyzed the computer systems used at 50 local government entities. Auditor General Caroline Spencer decided against disclosing … Read More: 50 Local Australian Government Systems Found to Have Significant Digital Weaknesses
Microsoft’s May 2021 Patch Tuesday updates include fixes for four critical security vulnerabilities. Read More: Wormable Windows Bug Opens Door to DoS, RCE
A patch for Adobe Acrobat, the world’s leading PDF reader, fixes a vulnerability under active attack affecting both Windows and macOS systems that could lead to arbitrary code execution. Read More: Hackers Leverage Adobe Zero-Day Bug Impacting Acrobat Reader
The sophisticated threat is targeting Microsoft Exchange servers via ProxyLogon in a wave of fresh attacks against North American targets. Read More: Lemon Duck Cryptojacking Botnet Changes Up Tactics
U.S. intelligence said that the Chaos iPhone remote takeover exploit was used against the minority ethnic group before Apple could patch the problem. Read More: iPhone Hack Allegedly Used to Spy on China’s Uyghurs
According to a recent Which? investigation, millions of people around the UK could be at risk of using routers with security flaws, or that are no longer being supported with firmware updates. After surveying over 6,000 adults in Dece… Read More: Millions of Old Broadband Routers in the UK Have Serious Security Flaws
A malicious app can exploit the issue, which could affect up to 30 percent of Android phones. Read More: Qualcomm Chip Bug Opens Android Fans to Eavesdropping
The networking giant has rolled out patches for remote code-execution and command-injection security holes that could give attackers keys to the kingdom. Read More: Critical Cisco SD-WAN, HyperFlex Bugs Threaten Corporate Networks
Tripwire’s April 2021 Patch Priority Index (PPI) brings together important vulnerabilities from Google Chrome and Microsoft. First on the patch priority list this month are patches for insufficient input validation vulnerabilities in Google Chrom… Read More: Tripwire Patch Priority Index for April 2021
Cisco recently announced it had patched the critical security bugs in vManage and HyperFlex HX, which could have permitted remote attackers to run commands as root or create unauthorized administrator accounts. Multiple vulnerabilities in the web-based… Read More: Cisco Critical Vulnerabilities Enable Remote Attackers to Execute Commands
‘Spam protection, AntiSpam, FireWall by CleanTalk’ is installed on more than 100,000 sites — and could offer up sensitive info to attackers that aren’t even logged in. Read More: Anti-Spam WordPress Plugin Could Expose Website User Data
Remote code execution, privilege escalation to root and lateral movement through a victim’s environment are all on offer for the unpatched or unaware. Read More: Raft of Exim Security Holes Allow Linux Mail Server Takeovers
There’s new research that demonstrates security vulnerabilities in all of the AMD and Intel chips with micro-op caches, including the ones that were specifically engineered to be resistant to the Spectre/Meltdown attacks of three years ago.
The new line of attacks exploits the micro-op cache: an on-chip structure that speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process, as the team explains in a writeup from the University of Virginia. Even though the processor quickly realizes its mistake and does a U-turn to go down the right path, attackers can get at the private data while the processor is still heading in the wrong direction…
Read More: New Spectre-Like Attacks