Category: vulnerabilities

Auto Added by WPeMatico

Email Security Flaw Found in the Wild

Posted on By infossl
cross-site scripting, e-mail, Security technology, Uncategorized, vulnerabilities, zero-day

Google’s Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world. TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on Github. To … Read More “Email Security Flaw Found in the Wild” »

Friday Squid Blogging: Unpatched Vulnerabilities in the Squid Caching Proxy

Posted on By infossl
computer security, patching, proxies, Security technology, squid, Uncategorized, vulnerabilities, web

In a rare squid/security post, here’s an article about unpatched vulnerabilities in the Squid caching proxy. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here. Powered by WPeMatico

Leaving Authentication Credentials in Public Code

Posted on By infossl
credentials, Security technology, Uncategorized, vulnerabilities

Interesting article about a surprisingly common vulnerability: programmers leaving authentication credentials and other secrets in publicly accessible software code: Researchers from security firm GitGuardian this week reported finding almost 4,000 unique secrets stashed inside a total of 450,000 projects submitted to PyPI, the official code repository for the Python programming language. Nearly 3,000 projects contained … Read More “Leaving Authentication Credentials in Public Code” »

New SSH Vulnerability

Posted on By infossl
academic papers, cryptography, Security technology, signatures, ssh, Uncategorized, vulnerabilities

This is interesting: For the first time, researchers have demonstrated that a large portion of cryptographic keys used to protect data in computer-to-server SSH traffic are vulnerable to complete compromise when naturally occurring computational errors occur while the connection is being established. […] The vulnerability occurs when there are errors during the signature generation that … Read More “New SSH Vulnerability” »

Cisco Can’t Stop Using Hard-Coded Passwords

Posted on By infossl
cisco, passwords, Security technology, Uncategorized, vulnerabilities

There’s a new Cisco vulnerability in its Emergency Responder product: This vulnerability is due to the presence of static user credentials for the root account that are typically reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow … Read More “Cisco Can’t Stop Using Hard-Coded Passwords” »

Critical Vulnerability in libwebp Library

Posted on By infossl
chrome, Chrome OS, ios, operating systems, Security technology, Uncategorized, vulnerabilities, zero-day

Both Apple and Google have recently reported critical vulnerabilities in their systems—iOS and Chrome, respectively—that are ultimately the result of the same vulnerability in the libwebp library: On Thursday, researchers from security firm Rezillion published evidence that they said made it “highly likely” both indeed stemmed from the same bug, specifically in libwebp, the code … Read More “Critical Vulnerability in libwebp Library” »

Zero-Click Exploit in iPhones

Posted on By infossl
apple, exploits, ios, iphone, Security technology, spyware, Uncategorized, vulnerabilities

Make sure you update your iPhones: Citizen Lab says two zero-days fixed by Apple today in emergency security updates were actively abused as part of a zero-click exploit chain (dubbed BLASTPASS) to deploy NSO Group’s Pegasus commercial spyware onto fully patched iPhones. The two bugs, tracked as CVE-2023-41064 and CVE-2023-41061, allowed the attackers to infect … Read More “Zero-Click Exploit in iPhones” »

Inconsistencies in the Common Vulnerability Scoring System (CVSS)

Posted on By infossl
academic papers, Security technology, Uncategorized, vulnerabilities

Interesting research: Shedding Light on CVSS Scoring Inconsistencies: A User-Centric Study on Evaluating Widespread Security Vulnerabilities Abstract: The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) … Read More “Inconsistencies in the Common Vulnerability Scoring System (CVSS)” »

Spyware Vendor Hacked

Posted on By infossl
activism, brazil, hacking, Security technology, spyware, Uncategorized, vulnerabilities

A Brazilian spyware app vendor was hacked by activists: In an undated note seen by TechCrunch, the unnamed hackers described how they found and exploited several security vulnerabilities that allowed them to compromise WebDetetive’s servers and access its user databases. By exploiting other flaws in the spyware maker’s web dashboard—used by abusers to access the … Read More “Spyware Vendor Hacked” »