Blog

By Nancy Rand, Posted in Security

April 27, Softpedia – (International) Wordpress 4.2 affected by zero-day stored XSS, PoC available. A security researcher from Klikki Oy discovered a stored cross-site scripting (XSS) vulnerability in WordPress 4.2 and earlier versions in which unauthenticated parties can exploit a flaw in comment text truncation to run arbitrary code on affected servers. Source April 25, Softpedia – (International) Over 25,000 iOS apps affected by bug breaking HTTPS. Security researchers at SourceDNA discovered a vulner... read more.

• April 28, 2015

By Nancy Rand, Posted in Security

April 24, Securityweek – (International) Login vulnerability exposes SAP ASE databases. The German business software company SAP patched a login vulnerability in its SAP Adaptive Server Enterprise (ASE) in which attackers could use a flawed “probe” two-phase commit login to gain unauthorized access and potentially exploit a privilege escalation flaw to take complete control of the affected server. Source ... read more.

• April 27, 2015

By Nancy Rand, Posted in Security

April 23, Softpedia – (International) Improper parsing of SSID info exposes Wi-Fi client’s memory contents. Security researchers at Alibaba and Google discovered a vulnerability in the cross-platform “wpa_supplicant” Wi-Fi software that affects versions 1.0 – 2.4 with the Config_P2P option turned on and could allow an attacker to create a service set identifier (SSID) buffer overflow condition, potentially exposing sensitive information in the memory of the device and allowing for arbitrary code execution.... read more.

• April 24, 2015

By Nancy Rand, Posted in Security

April 22, Softpedia – (International) WordPress 4.1.2 fixes critical XSS flaw. WordPress developers announced that the newest release of the blogging platform, 4.1.2, addresses critical security vulnerabilities including a cross-site scripting (XSS) glitch affecting the content management system (CMS) that could allow an attacker to compromise a vulnerable Web site, as well as three other flaws. The release also included increased protection for files that could present a security risk. Source April 22,... read more.

• April 24, 2015

By Nancy Rand, Posted in Security

April 21, Softpedia – (International) Highly popular WordPress plugins vulnerable to XSS attacks. A security researcher from Scrutinizer discovered an issue with two coding functions used in many content management system (CMS) plugins created by WordPress developers that could allow attackers to run cross-site scripting (XSS) attacks and access sensitive areas of affected Web sites. The vulnerability was a result of improper documentation regarding external users’ ability to run commands via the functions.... read more.

• April 24, 2015

By Nancy Rand, Posted in Security

April 20, Softpedia – (International) Russian hackers exploit Windows, Flash Player zero-day flaws in targeted attack. Microsoft is working to patch a privilege escalation flaw in its operating system (OS) affecting Windows 7 and earlier products after FireEye researchers reported the zero-day attack, allegedly run by a Russian group dubbed APT28, on Adobe Flash Player that relies on the Flash vulnerability to gain access to the targeted system. Adobe released a patch addressing the flaw with its current ve... read more.

• April 21, 2015

By Nancy Rand, Posted in Security

April 17, Help Net Security – (International) Pawn Storm cyberspies still at work, target NATO and the White House. Security researchers at Trend Micro reported that cybercriminals are concentrating attacks in the Pawn Storm cyber-espionage operation on the North Atlantic Treaty Organization (NATO) and White House personnel in the U.S., in addition to government and military officials and media companies. The attacks seek to compromise targets’ computers and Microsoft Outlook accounts via spear-phishing ema... read more.

• April 21, 2015

By Nancy Rand, Posted in Security

April 16, Softpedia – (International) Current threat prevention systems are not enough protection for enterprises. Findings from a recent study in automated breach detection carried out by security researchers at Seculert revealed that gateway solutions at participating Fortune 2000 enterprises only blocked 87 percent of communications from compromised devices within their networks. The report also found that about 2 percent of devices in organizations were compromised by malware, while nearly 400,000 inter... read more.

• April 17, 2015

By Nancy Rand, Posted in Security

April 14, Softpedia – (International) Misconfigured DNS servers vulnerable to domain info leak. The U.S. Computer Emergency Readiness Team (US-CERT) released a security statement warning that misconfigured, public-facing domain name system (DNS) servers utilizing Asynchronous Transfer Full Range (AXFR) protocols, are vulnerable to system takeovers, redirects to spoofed addresses, and denial-of-service (DoS) attacks from unauthenticated users via DNS zone transfer requests. Research from Alexa revealed that... read more.

• April 15, 2015

By Nancy Rand, Posted in Security

April 13, Securityweek – (International) Law enforcement, security firms team up to disrupt Simda botnet. U.S. and European agencies, along with private security firms, collaborated with Interpol to disrupt the Simda botnet by seizing 14 command and control (C&C) servers throughout the Netherlands, U.S., Poland, Luxembourg, and Russia. The malware is usually delivered via exploit kits (EK), and is often used for the distribution of malware and potentially unwanted applications (PUA), and has infected ov... read more.

• April 14, 2015