Articles about patching

Telegram API ransomware wrecked three weeks after launch

Ransomware scum abusing the protocol of the popular Telegram encrypted chat app have been wrecked and their malware ransom system decrypted. TeleCrypt throws a message to Russian-speaking victims thanking them for helping the "Young Programmers Fund" via the US$78 (5000 ruble) ransom payments, a comparatively small charge …
Darren Pauli, 23 Nov 2016

WordPress auto-update server had flaw allowing anyone to add anything to websites worldwide

Up to a quarter of all websites on the internet could have been attacked through a since-patched vulnerability that allowed WordPress' core update server to be compromised. The since-shuttered remote code execution flaw was found in a php webhook within api.wordpress.org that allows developers to supply a hashing algorithm of …
Darren Pauli, 23 Nov 2016

Cisco's job applications site leaked personal data

Cisco has fixed a vulnerability in its Professional Careers portal that may have exposed truckloads of personal information. The networking giant has sent an email to affected users in which it says a "limited set of job application related information" was leaked from the mobile version of the website, blaming an "incorrect …
Darren Pauli, 6 Nov 2016

Universal hijack hole turns DIY Wix blogs into botnets

Millions of do-it-yourself websites built with the Wix web maker were at risk of hijack thanks to a brief zero day DOM-based cross-site scripting vulnerability. Wix boasts some 87 million users, among them two million paying subscribers. Contrast Security researcher Matt Austin (@mattaustin) dug up the flaw he rates as severe …
Darren Pauli, 3 Nov 2016

Vuln hunter finds nasty shared server god mode database hack holes

Dangerous since-patched vulnerabilities in MySQL, MariaDB, and Percona's Server and XtraDB Cluster have been found that, when chained, allow attackers in shared environments to completely compromise servers. The database servers are among the world's most popular and count all major tech giants as customers including Google and …
Darren Pauli, 3 Nov 2016

Multiple RCE flaws found in Memcached web speed tool

A remote code execution vulnerability in popular website backend performance tool Memcached has been found and squashed. Cisco penetration tester Aleksandar Nikolich reported three remote code execution holes in the tool used by big name sites including Facebook, Twitter, YouTube, and Reddit to help decrease database burdens …
Darren Pauli, 2 Nov 2016

PayPal patches bone-headed two factor authentication bypass

Update: PayPal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with username and …
Darren Pauli, 27 Oct 2016

Joomla! squashes critical privileged account creation holes

Joomla! has revealed it's patched twin critical flaws allowing attackers to bypass rules and create elevated privilege accounts. Project staff warned of the looming patch this week, asking administrators to prepare for the patch and apply it immediately. The Joomla! security strike team said at the time only that a hole …
Darren Pauli, 27 Oct 2016

Donald Trump running insecure email servers

US presidential candidate Donald Trump’s criticism of rival Hillary Clinton's use of a private email server while Secretary of State appeared to have rebounded on him. Security researcher Kevin Beaumont discovered the Trump organisation uses a hopelessly outdated and insecure internet setup. Servers on the Trump Organization' …
John Leyden, 19 Oct 2016

Sweet, vulnerable IoT devices compromised 6 min after going online

The unpatched Windows XP problem that spawned the Blaster and Sasser worms a decade ago is being replicated on a different platform by hackers exploiting IoT devices to launch denial of service attacks. Two Internet of Things-powered packet floods took down the websites of cybersecurity journalist Brian Krebs and French hosting …
John Leyden, 17 Oct 2016

Outlook-on-Android alternative 'Nine' leaked Exchange Server creds

Staff logging into Exchange Server through a popular app could have placed their enterprise credentials at risk through a since-closed vulnerability. The Nine app which has clocked up to a million downloads on the Google Play store would shout Microsoft Outlook login credentials over insecure connections thanks to a bug that …
Darren Pauli, 17 Oct 2016

Facebook's un-Liked ~900 security flaws in five years

Facebook has paid security researchers US$5 million in five years, after they found vulnerabilities in its platforms and quietly disclosed them under its bug bounty program. The Social Network™ runs a well oiled bounty program and pays generously when it receives notice of flaws and working proof-of-concepts, provided they are …
Darren Pauli, 14 Oct 2016

Google splats 21 bugs in Chrome 54 patch run

Google has patched 21 bugs in its Chrome web browser, closing six high-severity holes along the way. Mountain View paid US$29,133 for the bugs including a top pay out of US$7500 (CVE-2016-5181) for a universal cross-site scripting hole in Blink, and US$5500 (CVE-2016-5182) for a heap overflow in the same web browser engine. …
Darren Pauli, 14 Oct 2016

SAP fixes gaping authentication bypass flaw after 3 YEARS

A critical SAP vulnerability stayed unpatched for three years prior to its resolution this week, according to application security specialists. SAP monthly security updates issued on Tuesday addressed a total of 48 vulnerabilities, among them an authentication bypass vulnerability in a service called P4. The service provides …
John Leyden, 12 Oct 2016

Adobe on patch parade to march out 83 bugs

Adobe has patched 83 vulnerabilities in its Reader, Acrobat, and Flash offerings including remote code execution holes. The former apps soaked up 71 patches centred on use-after-free, memory corruption, and buffer overflow vulnerabilities that lead to code execution. A dozen remote code execution flaws are plugged in Flash …
Darren Pauli, 12 Oct 2016

Google melts 78 Android security holes, two of which were critical

Google has crushed 78 Android security flaws in its October bug blitzkrieg, repairing critical core Android services along the way. The patch parade sees the tech giant return to a high-double-digit patch run after issuing only 47 fixes last month and a whopping 103 in August. The updates are split into essential Android …
Darren Pauli, 5 Oct 2016

Researchers gut EMC's VMAX, vApp with five god mode hack holes

Researchers with Digital Defence have reported six dangerous vulnerabilities in EMC's VMAX product line that can grant remote attackers arbitrary command execution with root privileges. The since-patched flaws affect Unisphere for VMAX and vApp Manager versions 8.0 to 8.2 – and also open up avenues for denial of service. Two …
Darren Pauli, 4 Oct 2016

Apple to crunch iOS 10 local backup password brute force hole

Apple is brewing a fix to patch an iOS password flaw that allows credentials to be stolen from backups. Elcomsoft researcher Oleg Afonin says the flaws mean cracking efforts against iOS 10 backups are 2500 times faster compared to similar efforts against iOS 9. If successful, the attack will grant access to device keychains. …
Darren Pauli, 26 Sep 2016


Biting the hand that feeds IT © 1998–2017