Recent research details a method to exploit a security flaw in the Amazon Web Services (AWS) API Gateway through an HTTP header smuggling attack. Pentesting specialist Daniel Thatcher, in charge of the report, points out that a threat actor can use this flaw to hide HTTP request headers from certain servers while keeping them visible […]
The tech giant wins an appeal against a claim that it unlawfully collected personal data of millions of iPhone users
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published a catalog of vulnerabilities, including from Apple, Cisco, Microsoft, and Google, that have known exploits and are being actively exploited by malicious cyber actors, in addition to requiring federal agencies to prioritize applying patches for those security flaws within “aggressive” timeframes. “These vulnerabilities pose significant […]
In December 2020, several U.S. states filed a lawsuit against Google for engaging in alleged anti-competitive practices in the field of digital advertising. One of the main arguments of the plaintiff states was that the tech giant deliberately limited unpublished ads on Accelerated Mobile Pages (AMP) and now, almost a year later, some details about […]
Google on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively zero-days plugged this month alone. The issues, designated as CVE-2021-37975 and CVE-2021-37976, are part of a total of four patches, […]
Networking equipment maker Cisco Systems has rolled out patches to address three critical security vulnerabilities in its IOS XE network operating system that remote attackers could potentially abuse to execute arbitrary code with administrative privileges and trigger a denial-of-service (DoS) condition on vulnerable devices. The list of three flaws is as follows – CVE-2021-34770 (CVSS […]
Microsoft on Tuesday addressed a quartet of security flaws as part of its Patch Tuesday updates that could be abused by adversaries to target Azure cloud customers and elevate privileges as well as allow for remote takeover of vulnerable systems. The list of flaws, collectively called OMIGOD by researchers from Wiz, affect a little-known software […]
The trove of data was left exposed unencrypted and without any password or security authentication. The team of IT security researchers at WizCase team discovered a misconfigured Amazon S3 bucket belonging to the online art retail service Artwork Archive. The incident affected around 7,000 customers including galleries, artists, and collectors. Private and Purchase Data Exposed […]
Cybersecurity researchers at Berlin-based infosec company Positive Security have identified two serious zero-day vulnerabilities impacting Pling-based FOSS (free and open-source software) marketplaces for Linux. The vulnerabilities remain unpatched and can be exploited to launch supply-chain attacks or achieve RCE (remote code execution) against Linux marketplaces. The vulnerabilities were discovered in Opendesktop’s Pling. Positive Security’s co-founder […]
Korea Atomic Energy Research Institute (KAERI), which is a government-owned organization in South Korea, has disclosed that its internal network was targeted by cybercriminals possibly operating from North Korea. The KAERI is a Seoul-funded research institute established in 1959. It is located in Daejeon and is responsible for designing and developing nuclear technologies for fuel […]
The cybersecurity authorities of the U.S. Cyber command have recently been notified regarding the increase in the number of scans and attempts to exploit a newly identified vulnerability in corporate servers along with the Atlassian Confluence wiki engine installed. CVE-2021-26084 in Confluence Server and Confluence Data Center software is the vulnerability that has been confirmed […]
U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) […]
Microsoft’s Windows 10 and the upcoming Windows 11 versions have been found vulnerable to a new local privilege escalation vulnerability that permits users with low-level permissions access Windows system files, in turn, enabling them to unmask the operating system installation password and even decrypt private keys. The vulnerability has been nicknamed “SeriousSAM.” “Starting with Windows […]
Threat intelligence researchers from Google on Wednesday shed more light on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year. What’s more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed […]
Microsoft rolled out Patch Tuesday updates for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attacks in the wild, potentially enabling an adversary to take control of affected systems. Of the 117 issues, 13 are rated Critical, […]
Cybersecurity specialists report the discovery of a critical vulnerability in Less.js, a widely used preprocessor language. According to the report, the flaw could be exploited by threat actors to deploy remote code execution attacks. Researchers report that Less.js is transpiles into valid CSS code and used for CSS writing of websites. In addition, the Less.js […]
Florida-based software vendor Kaseya on Sunday rolled out urgent updates to address critical security vulnerabilities in its Virtual System Administrator (VSA) solution that was used as a jumping off point to target as many as 1,500 businesses across the globe as part of a widespread supply-chain ransomware attack. Following the incident, the company had urged […]
Multiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system. “Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, […]
Four security vulnerabilities have been uncovered in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together as part of an attack sequence to enable adversaries to execute malicious commands and take control of vulnerable systems. These issues were discovered by researchers from Rapid7, who notified Sage Group of their […]
U.S. graphics chip specialist NVIDIA has released software updates to address a total of 26 vulnerabilities impacting its Jetson system-on-module (SOM) series that could be abused by adversaries to escalate privileges and even lead to denial-of-service and information disclosure. Tracked from CVE‑2021‑34372 through CVE‑2021‑34397, the flaws affect products Jetson TX1, TX2 series, TX2 NX, AGX […]
Cybersecurity researchers on Thursday disclosed as many as ten critical vulnerabilities impacting CODESYS automation software that could be exploited to remote code execution on programmable logic controllers (PLCs). “To exploit the vulnerabilities, an attacker does not need a username or password; having network access to the industrial controller is enough,” researchers from Positive Technologies said. […]