Browsing category

Vulnerabilities

D-Link Accidentally Leaks Private Code-Signing Keys

A simple mistake by networking gear manufacturer D-Link could have opened the door for costly damage. Private keys used to sign software published by D-Link were found in the company’s open source firmware packages. While it’s unknown whether the keys were used by malicious third parties, the possibility exists that they could have been used […]

Microsoft Patches XSS Vulnerability in SharePoint 2013

SharePoint, one of the tools included with Microsoft Office’s server suite, has been patched to protect users from a persistent XSS (cross-site scripting) flaw which could expose their private information. The vulnerability (CVE-2015-2522) was discovered by security researchers at FortiNet’s FortiGuard Labs, and affects SharePoint 2013 15.0.4571.1502 and earlier versions. SharePoint is a web application […]

Apple mitigates but doesn’t fully fix critical iOS Airdrop vulnerability

Proof-of-concept exploit installs malicious app on nearby iPhones. Apple has mitigated a critical iOS vulnerability that allows attackers within Bluetooth range of an iPhone to install malicious apps using the Airdrop filesharing feature. Mark Dowd, the security researcher who discovered the bug and privately reported it to Apple, told Ars that the vulnerability has been […]

Android’s 5.x Lock Screen may be bypassed by attackers

Android devices may be protected by a lock screen which requires some form of authentication before access to most phone features, its settings and the data stored on it is granted. Users may protect the phone by password, pin or pattern for example, and there are other means of protection available as well, for instance […]

WordPress Patches Serious Shortcodes Core Engine Vulnerability

WordPress core engine security vulnerabilities aren’t rare, but they are uncommon. Most issues affecting the integrity of sites running on the content management system are introduced by third-party plugins and put those sites at risk for a host of attacks. Today WordPress upgraded to version 4.3.1 which patched three vulnerabilities, two of which were reported […]

CHIPSEC Module That Exploits UEFI Boot Script Table Vulnerability

This vulnerability was discovered by Rafal Wojtczuk and Corey Kallenberg, check original white paper. Around one month ago, at 31-st Chaos Communication Congress, Rafal Wojtczuk and Corey Kallenberg presented an excellent research: “Attacks on UEFI security, inspired by Darth Venamis’s misery and Speed Racer” (video, white paper 1,white paper 2). The main goal of UEFI […]

Yokogawa patches widespread SCADA vulnerability

Networking process crashed by crafted packets. One of the world’s major suppliers of industrial networking kit, Japanese company Yokogawa, has alerted the world to a vulnerability in 21 of its products. The ICS-CERT advisory, here, identifies the company’s CENTUM, ProSafe-RS, STARDOM, FAST/TOOLS and other systems as being at risk. The vulns are “stack-based buffer overflow […]

Researchers Outline Vulnerabilities in Yahoo, PayPal, Magento Apps

Researchers recently discovered a smattering of vulnerabilities in web applications and mobile applications belonging to companies like Yahoo, PayPal, Magento, and Shopify that could have led to account theft, session hijacking, and phishing, among other consequences. Hadji Samir, Ebrahim Hegazy, Ayoub Ait Elmokhtar, and Benjamin Kunz Mejri, researchers with Vulnerability Lab, found the bugs earlier this […]

Android Stagefright Exploit Code Released to Public

Joshua Drake, the researcher who found the so-called Stagefright vulnerability in Android, today released exploit code to the public, which he hopes will be used to test systems’ exposure to the flaw. The move comes more than a month after vulnerability details were released in August during presentations at the Black Hat and DEF CON […]

iOS 8.4.1 Kernel Vulnerabilities in AppleHDQGasGaugeControl

When auditing iOS kernel executable, we found that the code quality ofcom.apple.driver.AppleHDQGasGaugeControl is very bad. In this blog, we will disclose 3 vulnerabilities in this kernel extension on the latest public iOS (version 8.4.1). More importantly, one of these bugs is a perfect heap overflow vulnerability that allows us to defeat all kernel mitigations and […]

Microsoft Patches Graphics Component Flaw Under Attack

Microsoft today patched a vulnerability in its graphics component present in Windows, Office and Lync that has been publicly attacked, and is one of five vulnerabilities patched this month that have been publicly disclosed. Microsoft released a dozen bulletins today, five of them it rates critical, including separate updates for Internet Explorer and the new […]

WhatsApp “MaliciousCard” Vulnerabilities Allowed Attackers to Compromise Hundreds of Millions of WhatsApp Users

WhatsApp Web is a web-based extension of the WhatsApp application on your phone. The web application mirrors all messages sent and received, and fully synchronize your phone and your desktop computer so that users can see all messages on both devices. WhatsApp Web is available for most WhatsApp supported platforms, including Android, iPhone (iOS), Windows Phone 8.x, BlackBerry, BB10 and […]

Time to patch your firmware! Backdoor discovered in Seagate NAS drives

If you have not recently updated the firmware for your Seagate wireless NAS drives, now is the time to do so. Researchers at Tangible Security have discovered a series of vulnerabilities in a number of devices produced by Seagate that could allow unauthorized access to files and settings. An undocumented Telnet feature could be used […]

Attackers bundle an old version of TeamViewer to exploit vulnerability

We’re used to seeing malware that exploits unpatched vulnerabilities in software. But in a new twist attackers are bundling an old version of remote access package TeamViewer with their malware in order to take advantage of a flaw. The malware known as TVSPY has been uncovered by researchers at security companyDamballa. While the current version of TeamViewer […]

Attacker Compromised Mozilla Bug System, Stole Private Vulnerability Data

Security experts constantly tell users not to reuse passwords on multiple accounts, but the message often falls on deaf ears. Now, officials at Mozilla are finding that advanced users don’t always follow that advice either after discovering that an attacker was able to compromise a Bugzilla user’s account by using a password taken from a data […]

Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications

Most automated scanning and security tools that ferret out cross-site scripting vulnerabilities don’t do much analysis beyond the target application. Netflix this week, however, released to open source a tool developed in-house that persists beyond the target app and can flag potential XSS trouble in secondary applications. The tool, called Sleepy Puppy, is available on […]