Companies continue to use vulnerable open source components


Use of known vulnerable open source components has increased by 120 percent over the last year and 62 percent of organizations say they have no meaningful control over OSS components, according to a new study.
Sonatype's fourth annual State of the Software Supply Chain Report shows that open source continues to be a key driver of innovation -- with software developers downloading more than 300 billion open source components in the past 12 months. However, hackers are exploiting this growing trend, and even beginning to inject vulnerabilities directly into open source projects.
0patch beats Microsoft to patching Windows 10 task scheduler 0-day vulnerability


Just 24 hours after a zero-day bug in Windows task scheduler was revealed by @SandboxEscaper on Twitter, the vulnerability has been patched. While Microsoft said it would "proactively update impacted devices as soon as possible" the patch has not come from the Windows-maker.
Instead, it was left to micro-patching specialists 0patch to produce a fix for the Task Scheduler ALPC Local Privilege Escalation (VU#906424) security flaw -- one that is a mere 13 bytes in size.
Over 10,000 vulnerabilities disclosed this year so far


2018 looks like it's on track to be another record year for vulnerabilities, with over 10,000 disclosed in the half year to June.
The newly released 2018 mid-year VulnDB QuickView report from Risk Based Security shows that 16.6 percent of the reported vulnerabilities received CVSSv2 (Common Vulnerability Scoring System) scores of between 9.0 and 10.0, which is a drop from previous years. However, the severity of the vulnerabilities disclosed still remains significant.
Free tool checks for critical open source vulnerabilities


Every month details emerge of dozens of new security vulnerabilities, and open source software is not immune from these.
In order to help companies stay up to date and ensure vulnerabilities are patched quickly, open source security specialist WhiteSource is launching a free tool that provides companies with immediate, real-time alerts on the 50 most critical vulnerabilities published in the open source community.
aLTEr: Hackers can spy on your 4G browsing sessions thanks to LTE flaws


Vulnerabilities have been discovered in LTE that would make it possible for an attacker to tap into 4G networks for the purposes of spying on and hijacking 4G browsing sessions.
Security researchers from Ruhr-Universität Bochum and New York University Abu Dhabi show how three different attacks can be launched on the second layer of LTE -- also known as the data link layer. Two passive attacks allow for identity mapping and website fingerprinting, while the active cryptographic aLTEr attack allows for DNS spoofing and network connection redirection.
71 percent of IT pros believe they can hack any organization


Using one of four common attack vectors, 71 percent of surveyed IT professionals believe they could successfully hack any organization.
Based on a survey carried out among attendees at the RSA Conference in April 2018 by vulnerability management specialist Outpost24, 34 percent say that they would use social engineering, 23 percent say they would enter via insecure web applications, 21 percent via mobile devices, while a further 21 percent say they would enter via a public cloud.
Publicly disclosed vulnerabilities continue to rise


The first quarter of 2018 has shown a 1.8 percent increase in the number of disclosed vulnerabilities over the same period in 2017, with 5,375 unique vulnerabilities reported.
This is one of the findings of Risk Based Security's latest Vulnerability QuickView Report, which suggests that unless the rate of increase slows down 2018 will be another record year.
Intel Remote Keyboard app nixed after discovery of critical remote control vulnerability


Intel has issued a security advisory about its remote keyboard app after discovering a bug that made it possible for a remote user to mimic keyboard and mouse input with elevated privileges.
Intel Remote Keyboard was available for both iOS and Android, but the critical vulnerability -- and two other bugs with a High rating -- means that it has now been pulled from Google Play and the App Store. Intel is also recommending that anyone using the app uninstalls it as soon as possible.
New vulnerability allows attackers to trick single sign on systems


Single sign on (SSO) is popular with businesses as it allows control of access to multiple resources without the need for lots of different credentials.
But researchers at Duo Security have uncovered a vulnerability that can allow attackers to trick systems based on the commonly used SAML (Security Assertion Markup Language) into giving them a higher level of access.
2017 breaks record for new vulnerabilities


More than 20,000 new vulnerabilities were cataloged in 2017 according to breach analysis specialist Risk Based Security.
The figures from the company's own VulnDB eclipsed the total covered by MITRE's Common Vulnerabilities and Exposures (CVE) list and the National Vulnerability Database (NVD) by more than 7,900.
Western Digital 'My Cloud' devices have a hardcoded backdoor -- stop using these NAS drives NOW!


I must be honest -- I am starting to become fatigued by all of the vulnerabilities and security failures in technology nowadays. Quite frankly, between Spectre and Meltdown, I don't even want to use my computer or devices anymore -- I feel exposed.
Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them -- your files could be at risk. It isn't even hard to take advantage of it -- the username is "mydlinkBRionyg" and the password is "abc12345cba" (without quotes). To make matters worse, it was disclosed to Western Digital six months ago and the company apparently did nothing until November 2017. Let's be realistic -- not everyone stays on top of updates, and a backdoor never should have existed in the first place.
BetaNews, your source for breaking tech news, reviews, and in-depth reporting since 1998.
© 1998-2025 BetaNews, Inc. All Rights Reserved.