Two US senators have proposed a law limiting American intelligence agencies' secret stockpiles of vulnerabilities found in products. The Protecting our Ability To Counter Hacking (PATCH) Act [PDF] would set up a board chaired by an Department of Homeland Security (DHS) official to assess security flaws spies have found in code …

WordPress has patched a series of vulnerabilities in its content management system shuttering bugs affecting more than 10 million users. The release of version 4.7.1 closes eight vulnerabilities including cross-site scripting, cross-site request forgery, and other remotely-acessible attack vectors. "This is a security release …

It is open season on open services as net scum migrate from sacking MongoDB databases to insecure ElasticSearch instances. Some 35,000 mostly Amazon Web Services ElasticSearch servers are open to the internet and to ransoming criminals, Shodan boss John Matherly says. So far more than 360 instances have had data copied and …

Authors of the Sundown exploit kit have integrated a since patched and limited Microsoft Edge vulnerability from a security firm's public proof-of-concept. The addition of the twin bugs (CVE-2016-7200 and CVE-2016-7201) means unpactched users of one of the world's most unpopular web browsers are likely to be targeted by a wide …

Remote attackers can hose EMC hybrid flash storage thanks to cryptographic weaknesses. The patched vulnerability (CVE-2016-0917) affects EMC's VNX1, VNX2 and VNXe systems, including the end-of-life Celerra which will not receive a fix. EMC researchers wrote in a security notice that remote attackers could access the SMB …

Netgear has broken ranks from the consumer router security shame factory to offer a bug bounty sporting extra rewards for chained exploits. Hoping to shake the SOHOpeless tag, the vendor will hand out up to US$15,000 for hackers reporting global remote unauthorised access from the internet to Netgear devices, and unauthorised …

Slackware has raced out of the blocks in 2017, issuing one patch for the libpng image library on New Year's Day, and two Mozilla patches. The libpng bug got its Common Vulnerabilities and Exposures number, CVE-2016-10087, on December 30. Slackware's announcement says the bug can't be exploited without active user input. The “ …

Websites using PHPMailer for forms are at risk from a critical-rated remote code execution zero day bug. Legal Hackers researcher Dawid Golunski found the vulnerability (CVE-2016-10074) in the much-used library, found in the world's most popular content management systems and addons. The bug also affects the Zend Mailer and …

Of any single product, CVE Details reckons, Android had the most reported vulnerabilities in 2016 – but as a vendor, Adobe still tops the list. The analysis is limited by the fact that only vulnerabilities passing through Mitre's Common Vulnerabilities and Exposures (CVE) database are counted. That's a statistically worthwhile …

McAfee has taken six months to patch 10 critical vulnerabilities in its VirusScan Enterprise Linux client. And these were nasty bugs as when chained they resulted remote code execution as root. Andrew Fasano, security researcher with MIT Lincoln Laboratory, says attackers can chain the flaws to compromise McAfee Linux clients …

Technical support scammers have new bait with the discovery that Microsoft's Edge browser can be abused to display native and legitimate-looking warning messages. The flaws exist in Microsoft's Edge protocols ms-appx: and ms-appx-web: which the browser uses to present warning messages when phishing or malware delivery sites …

A Flash vulnerability subject to emergency patching by Adobe has been used in all major exploit kits to compromise users not already updated. The vulnerability (CVE-2015-7645) patched in October last year was the first zero day since Adobe implemented more hardened security. It was also the most pervasive among the …

Johns Hopkins University crypto professor Dr Matthew Green is to lead a security audit of OpenVPN 2.4. The open source VPN project, published at GitHub, has been compiled for everything from Solaris to Windows, passing various Linux and BSD distributions along the way (including OSX); Windows and Android (and jailbroken iOSs …

Microsoft is working on a patch for a bug or feature in Windows 10 that allowed access to the command line and, using a live Linux .ISO, made it possible steal BitLocker keys during OS updates. The command line interface bypasses BitLocker and permits access to local drives simply by tapping the Shift and F10 keys. BitLocker …

Paypal has patched a phishing vulnerability that could allow attackers to steal any OAuth token for its payment apps and gain access to accounts. Adobe software engineer and OAuth wonk Antonio Sanso discovered the token request flaw after messing with redirect URLs. He found PayPal's authorisation server setup to handle OAuth …

Updated Mozilla is scrambling to patch a vulnerability in Firefox that is apparently being exploited in the wild to unmask Tor Browser users. Earlier today, a small package of SVG, JavaScript and x86 code popped up on a Tor mailing list that, when opened by Firefox or Tor Browser on a Windows PC, phones home to a remote server and …

Flaws in security products are among the most commonly encountered desktop software vulnerabilities, according to a new study. Eleven of the 46 products that made it into monthly top 20 most vulnerable product charts between August and October were security packages, Secunia reports. Products from vendors including AlienVault …

Microsoft has patched flaws that attackers could exploit to compromise all Azure Red Hat Enterprise Linux (RHEL) instances. Software engineer Ian Duffy found the flaws while building a secure RHEL image for Microsoft Azure. During that process he noticed an installation script Azure uses in its preconfigured RPM Package …