What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-03-26 23:57:43 | (Déjà vu) Apple Issues Urgent Patch Update for Another Zero‑Day Under Attack (lien direct) | Merely weeks after releasing out-of-band patches for iOS, iPadOS, macOS and watchOS, Apple has released yet another security update for iPhone, iPad, Apple Watch to fix a critical zero-day weakness that it says is being actively exploited in the wild.
Tracked as CVE-2021-1879, the vulnerability relates to a WebKit flaw that could enable adversaries to process maliciously crafted web content that |
Vulnerability | ||
|
2021-03-22 22:47:01 | WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack (lien direct) | Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by attackers to launch targeted attacks.
Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an "improper input validation" issue in Qualcomm's Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests |
Vulnerability | ||
|
2021-03-22 01:34:44 | Critical RCE Vulnerability Found in Apache OFBiz ERP Software-Patch Now (lien direct) | The Apache Software Foundation on Friday addressed a high severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning (ERP) system.
Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and employs an "unsafe deserialization" as an attack vector to permit |
Vulnerability | ||
|
2021-03-18 23:48:27 | New Zoom Screen-Sharing Bug Lets Other Users Access Restricted Apps (lien direct) | A newly discovered glitch in Zoom's screen sharing feature can accidentally leak sensitive information to other attendees in a call, according to the latest findings.
Tracked as CVE-2021-28133, the unpatched security vulnerability makes it possible to reveal contents of applications that are not shared, thereby briefly exposing the contents to all meeting participants.
It's worth pointing out |
Vulnerability | ||
|
2021-03-09 02:42:07 | Cybersecurity Webinar - SolarWinds Sunburst: The Big Picture (lien direct) | The SolarWinds Sunburst attack has been in the headlines since it was first discovered in December 2020.
As the so-called layers of the onion are peeled back, additional information regarding how the vulnerability was exploited, who was behind the attack, who is to blame for the attack, and the long-term ramifications of this type of supply chain vulnerabilities continue to be actively |
Vulnerability | Solardwinds Solardwinds | |
|
2021-03-09 00:05:01 | Microsoft Exchange Hackers Also Breached European Banking Authority (lien direct) | The European Banking Authority (EBA) on Monday said it had been a victim of a cyberattack targeting its Microsoft Exchange Servers, forcing it to take its email systems offline as a precautionary measure temporarily.
"As the vulnerability is related to the EBA's email servers, access to personal data through emails held on that servers may have been obtained by the attacker," the Paris-based |
Vulnerability | ||
|
2021-03-08 22:51:24 | Apple Issues Patch for Remote Hacking Bug Affecting Billions of its Devices (lien direct) | Apple has released out-of-band patches for iOS, macOS, watchOS, and Safari browsers to address a security flaw that could allow attackers to run arbitrary code on devices via malicious web content.
Tracked as CVE-2021-1844, the vulnerability was discovered and reported to the company by Clément Lecigne of Google's Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability |
Vulnerability Threat | ||
|
2021-03-03 02:17:44 | A $50,000 Bug Could\'ve Allowed Hackers Access Any Microsoft Account (lien direct) | Microsoft has awarded an independent security researcher $50,000 as part of its bug bounty program for reporting a flaw that could have allowed a malicious actor to hijack users' accounts without their knowledge.
Reported by Laxman Muthiyah, the vulnerability aims to brute-force the seven-digit security code that's sent to a user's email address or mobile number to corroborate his (or her) |
Vulnerability | ||
|
2021-03-02 22:03:13 | New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP! (lien direct) | Exactly a month after patching an actively exploited zero-day flaw in Chrome, Google today rolled out fixes for yet another zero-day vulnerability in the world's most popular web browser that it says is being abused in the wild.
Chrome 89.0.4389.72, released by the search giant for Windows, Mac, and Linux on Tuesday, comes with a total of 47 security fixes, the most severe of which concerns an " |
Vulnerability | ||
|
2021-03-02 01:37:31 | New \'unc0ver\' Tool Can Jailbreak All iPhone Models Running iOS 11.0 - 14.3 (lien direct) | A popular jailbreaking tool called "unc0ver" has been updated to support iOS 14.3 and earlier releases, thereby making it possible to unlock almost every single iPhone model using a vulnerability that Apple in January disclosed was actively exploited in the wild.
The latest release, dubbed unc0ver v6.0.0, was released on Sunday, according to its lead developer Pwn20wnd, expanding its |
Tool Vulnerability Guideline | ||
|
2021-02-26 00:11:21 | Cisco Releases Security Patches for Critical Flaws Affecting its Products (lien direct) | Cisco has addressed a maximum severity vulnerability in its Application Centric Infrastructure (ACI) Multi-Site Orchestrator (MSO) that could allow an unauthenticated, remote attacker to bypass authentication on vulnerable devices.
"An attacker could exploit this vulnerability by sending a crafted request to the affected API," the company said in an advisory published yesterday. "A successful |
Vulnerability | ||
|
2021-02-17 05:29:09 | Agora SDK Bug Left Several Video Calling Apps Vulnerable to Snooping (lien direct) | A severe security vulnerability in a popular video calling software development kit (SDK) could have allowed an attacker to spy on ongoing private video and audio calls.
That's according to new research published by the McAfee Advanced Threat Research (ATR) team today, which found the aforementioned flaw in Agora.io's SDK used by several social apps such as eHarmony, Plenty of Fish, MeetMe, and |
Vulnerability Threat | ||
|
2021-02-16 23:11:54 | (Déjà vu) Malvertisers Exploited WebKit 0-Day to Redirect Browser Users to Scam Sites (lien direct) | A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent websites gift card scams.
The attacks, first spotted by ad security firm Confiant in late June 2020, leveraged a bug (CVE-2021–1801) that allowed malicious parties to bypass the iframe sandboxing policy in the browser engine that |
Vulnerability | ||
|
2021-02-12 02:18:41 | Secret Chat in Telegram Left Self-Destructing Media Files On Devices (lien direct) | Popular messaging app Telegram fixed a privacy-defeating bug in its macOS app that made it possible to access self-destructing audio and video messages long after they disappeared from secret chats.
The vulnerability was discovered by security researcher Dhiraj Mishra in version 7.3 of the app, who disclosed his findings to Telegram on December 26, 2020. The issue has since been resolved in |
Vulnerability | ★★★ | |
|
2021-02-10 02:23:24 | Apple Patches 10-Year-Old macOS SUDO Root Privilege Escalation Bug (lien direct) | Apple has rolled out a fix for a critical sudo vulnerability in macOS Big Sur, Catalina, and Mojave that could allow unauthenticated local users to gain root-level privileges on the system.
"A local attacker may be able to elevate their privileges," Apple said in a security advisory. "This issue was addressed by updating to sudo version 1.9.5p2."
Sudo is a common utility built into most Unix and |
Vulnerability | ★★ | |
|
2021-02-09 20:44:35 | Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs (lien direct) | Microsoft on Tuesday issued fixes for 56 flaws, including a critical vulnerability that's known to be actively exploited in the wild.
In all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity - six of which are previously disclosed vulnerabilities.
The updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, |
Vulnerability | ||
|
2021-02-04 23:40:02 | New Chrome Browser 0-day Under Active Attack-Update Immediately! (lien direct) | Google has patched a zero-day vulnerability in Chrome web browser for desktop that it says is being actively exploited in the wild.
The company released 88.0.4324.150 for Windows, Mac, and Linux, with a fix for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.
"Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the company said in |
Vulnerability | ★★★★★ | |
|
2021-02-02 02:28:40 | Data Breach Exposes 1.6 Million Jobless Claims Filed in the Washington State (lien direct) | The Office of the Washington State Auditor (SAO) on Monday said it's investigating a security incident that resulted in the compromise of personal information of more than 1.6 million people who filed for unemployment claims in the state in 2020.
The SAO blamed the breach on a software vulnerability in Accellion's File Transfer Appliance (FTA) service, which allows organizations to share |
Vulnerability | ★★★ | |
|
2021-02-01 21:28:26 | Hackers Exploiting Critical Zero-Day Bug in SonicWall SMA 100 Devices (lien direct) | SonicWall on Monday warned of active exploitation attempts against a zero-day vulnerability in its Secure Mobile Access (SMA) 100 series devices.
The flaw, which affects both physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v), came to light after the NCC Group on Sunday alerted it had detected "indiscriminate use of an exploit in the wild."
Details of the |
Vulnerability | ||
|
2021-01-31 23:14:26 | Google Discloses Severe Bug in Libgcrypt Encryption Library-Impacting Many Projects (lien direct) | A "severe" vulnerability in GNU Privacy Guard (GnuPG)'s Libgcrypt encryption software could have allowed an attacker to write arbitrary data to the target machine, potentially leading to remote code execution.
The flaw, which affects version 1.9.0 of libgcrypt, was discovered on January 28 by Tavis Ormandy of Project Zero, a security research unit within Google dedicated to finding zero-day bugs |
Vulnerability Guideline | ||
|
2021-01-27 07:01:38 | New Docker Container Escape Bug Affects Microsoft Azure Functions (lien direct) | Cybersecurity researchers today disclosed an unpatched vulnerability in Microsoft Azure Functions that could be used by an attacker to escalate privileges and escape the Docker container used for hosting them.
The findings come as part of Intezer Lab's investigations into the Azure compute infrastructure.
Following disclosure to Microsoft, the Windows maker is said to have "determined that the |
Vulnerability | ||
|
2021-01-25 21:10:52 | N. Korean Hackers Targeting Security Experts to Steal Undisclosed Researches (lien direct) | Google on Monday disclosed details about an ongoing campaign carried out by a government-backed threat actor from North Korea that has targeted security researchers working on vulnerability research and development.
The internet giant's Threat Analysis Group (TAG) said the adversary created a research blog and multiple profiles on various social media platforms such as Twitter, Twitter, LinkedIn |
Vulnerability Threat | ||
|
2021-01-23 03:00:46 | Experts Detail A Recent Remotely Exploitable Windows Vulnerability (lien direct) | More details have emerged about a security feature bypass vulnerability in Windows NT LAN Manager (NTLM) that was addressed by Microsoft as part of its monthly Patch Tuesday updates earlier this month.
The flaw, tracked as CVE-2021-1678 (CVSS score 4.3), was described as a "remotely exploitable" flaw found in a vulnerable component bound to the network stack, although exact details of the flaw |
Vulnerability | ||
|
2021-01-20 03:16:59 | Google Discloses Flaws in Signal, FB Messenger, JioChat Messaging Apps (lien direct) | In January 2019, a critical flaw was reported in Apple's FaceTime group chats feature that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat even before the person on the other end accepted the incoming call.
The vulnerability was deemed so severe that the iPhone maker removed the FaceTime group |
Vulnerability | ||
|
2021-01-08 08:56:19 | New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys (lien direct) | Hardware security keys-such as those from Google and Yubico-are considered the most secure means to protect accounts from phishing and takeover attacks.
But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.
The vulnerability ( |
Vulnerability | ||
|
2021-01-01 05:49:30 | Secret Backdoor Account Found in Several Zyxel Firewall, VPN Products (lien direct) | Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices.
The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects version 4.60 present in wide-range of Zyxel devices, including Unified Security Gateway ( |
Vulnerability | ||
|
2020-12-29 03:21:53 | A Google Docs Bug Could Have Allowed Hackers See Your Private Documents (lien direct) | Google has patched a bug in its feedback tool incorporated across its services that could be exploited by an attacker to potentially steal screenshots of sensitive Google Docs documents simply by embedding them in a malicious website. The flaw was discovered on July 9 by security researcher Sreeram KL, for which he was awarded $3133.70 as part of Google's Vulnerability Reward Program. | Tool Vulnerability | ||
|
2020-12-26 22:24:48 | A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware (lien direct) | An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries to deploy the SUPERNOVA malware in target environments.
According to an advisory published yesterday by the CERT Coordination Center, the SolarWinds Orion API that's used to interface with all other Orion system monitoring and management products suffers from a security flaw that could |
Malware Vulnerability | ||
|
2020-12-24 01:01:19 | Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug (lien direct) | Google's Project Zero team has made public details of an improperly patched zero-day security vulnerability in Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code.
Details of the flaw were revealed after Microsoft failed to patch it within 90 days of responsible disclosure on September 24.
Originally tracked as CVE-2020-0986, the flaw concerns an elevation |
Vulnerability | ||
|
2020-12-15 22:47:24 | SolarWinds Issues Second Hotfix for Orion Platform Supply Chain Attack (lien direct) | Network monitoring services provider SolarWinds officially released a second hotfix to address a critical vulnerability in its Orion platform that was exploited to insert malware and breach public and private entities in a wide-ranging espionage campaign.
In a new update posted to its advisory page, the company urged its customers to update Orion Platform to version 2020.2.1 HF 2 immediately to |
Vulnerability | ||
|
2020-12-07 22:31:19 | Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams (lien direct) | A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system.
The issues were reported to the Windows maker by Oskars Vegeris, a security engineer from Evolution Gaming, on August 31, 2020, before they were addressed at the end of October. |
Vulnerability | ||
|
2020-12-07 21:44:01 | NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks (lien direct) | The US National Security Agency (NSA) on Monday issued an advisory warning that Russian threat actors are leveraging recently disclosed VMware vulnerability to install malware on corporate systems and access protected data.
Specifics regarding the identities of the threat actor exploiting the VMware flaw or when these attacks started were not disclosed.
The development comes two weeks after the |
Malware Vulnerability Threat | ||
|
2020-11-24 23:14:18 | 2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software (lien direct) | cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account.
The issue, tracked as "SEC-575" and discovered by researchers from Digital Defense, has been remedied by the company in versions 11.92.0.2, |
Vulnerability | ||
|
2020-11-23 23:08:37 | Critical Unpatched VMware Flaw Affects Multiple Corporates Products (lien direct) | VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating |
Vulnerability | ★★★ | |
|
2020-11-18 23:49:41 | Researchers Warn of Critical Flaws Affecting Industrial Automation Systems (lien direct) | A critical vulnerability uncovered in Real-Time Automation's (RTA) 499ES EtherNet/IP (ENIP) stack could open up the industrial control systems to remote attacks by adversaries.
RTA's ENIP stack is one of the widely used industrial automation devices and is billed as the "standard for factory floor I/O applications in North America."
"Successful exploitation of this vulnerability could cause a |
Vulnerability | ★★★ | |
|
2020-10-21 00:02:44 | Popular Mobile Browsers Found Vulnerable To Address Bar Spoofing Attacks (lien direct) | Cybersecurity researchers on Tuesday disclosed details about an address bar spoofing vulnerability affecting multiple mobile browsers, such as Apple Safari and Opera Touch, leaving the door open for spear-phishing attacks and delivering malware.
Other impacted browsers include UCWeb, Yandex Browser, Bolt Browser, and RITS Browser.
The flaws were discovered by Pakistani security researcher Rafay |
Vulnerability | ||
|
2020-09-23 11:09:58 | Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability (lien direct) | If you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.
Dubbed 'Zerologon' (CVE-2020-1472) and discovered by Tom Tervoort of Secura, the privilege escalation vulnerability exists due to the |
Vulnerability | ||
|
2020-09-10 14:37:22 | New Unpatched Bluetooth Flaw Lets Hackers Easily Target Nearby Devices (lien direct) | Bluetooth SIG-an organization that oversees the development of Bluetooth standards-today issued a statement informing users and vendors of a newly reported unpatched vulnerability that potentially affects hundreds of millions of devices worldwide.
Discovered independently by two separate teams of academic researchers, the flaw resides in the Cross-Transport Key Derivation (CTKD) of devices |
Vulnerability | ||
|
2020-09-01 00:40:02 | Cisco Issues Warning Over IOS XR Zero-Day Flaw Being Targeted in the Wild (lien direct) | Cisco has warned of an active zero-day vulnerability in its router software that's being exploited in the wild and could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device.
"An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device," Cisco said in an advisory posted over the weekend.
"A successful |
Vulnerability | ||
|
2020-08-26 11:30:25 | Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware (lien direct) | Hackers always find a way in, even if there's no software vulnerability to exploit.
The FBI has arrested a Russian national who recently traveled to the United States and offered $1 million in bribe to an employee of a targeted company for his help in installing malware into the company's computer network manually.
Egor Igorevich Kriuchkov, 27-year-old, entered the United States as a tourist |
Malware Vulnerability | ||
|
2020-08-20 04:59:01 | Experts Reported Security Bug in IBM\'s Db2 Data Management Software (lien direct) | Cybersecurity researchers today disclosed details of a memory vulnerability in IBM's Db2 family of data management products that could potentially allow a local attacker to access sensitive data and even cause a denial of service attacks.
The flaw (CVE-2020-4414), which impacts IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all platforms, is caused by improper usage shared memory, |
Vulnerability | ★★★★ | |
|
2020-08-18 02:55:09 | Critical Jenkins Server Vulnerability Could Leak Sensitive Information (lien direct) | Jenkins-a popular open-source automation server software-published an advisory on Monday concerning a critical vulnerability in the Jetty web server that could result in memory corruption and cause confidential information to be disclosed.
Tracked as CVE-2019-17638, the flaw has a CVSS rating of 9.4 and impacts Eclipse Jetty versions 9.4.27.v20200227 to 9.4.29.v20200521-a full-featured tool |
Vulnerability | ||
|
2020-08-11 06:40:26 | A New vBulletin 0-Day RCE Vulnerability and Exploit Disclosed Publicly (lien direct) | A security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software vBulletin that's already under active exploitation in the wild.
vBulletin is a widely used proprietary Internet forum software package based on PHP and MySQL database server that |
Vulnerability | ||
|
2020-08-10 05:06:36 | TeamViewer Flaw Could Let Hackers Steal System Password Remotely (lien direct) | If you are using TeamViewer, then beware and make sure you're running the latest version of the popular remote desktop connection software for Windows.
TeamViewer team recently released a new version of its software that includes a patch for a severe vulnerability (CVE 2020-13699), which, if exploited, could let remote attackers steal your system password and eventually compromise it.
What's |
Vulnerability | ★★ | |
|
2020-08-05 02:46:54 | Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts (lien direct) | Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user's iCloud account.
Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple's implementation of TouchID (or FaceID) biometric feature that authenticated users to log in to |
Vulnerability | ||
|
2020-07-29 12:50:40 | Critical GRUB2 Bootloader Bug Affects Billions of Linux and Windows Systems (lien direct) | A team of cybersecurity researchers today disclosed details of a new high-risk vulnerability affecting billions of devices worldwide-including servers and workstations, laptops, desktops, and IoT systems running nearly any Linux distribution or Windows system.
Dubbed 'BootHole' and tracked as CVE-2020-10713, the reported vulnerability resides in the GRUB2 bootloader, which, if exploited, could |
Vulnerability | ||
|
2020-07-14 10:47:11 | 17-Year-Old Critical \'Wormable\' RCE Vulnerability Impacts Windows DNS Servers (lien direct) | Cybersecurity researchers today disclosed a new highly critical "wormable" vulnerability-carrying a severity score of 10 out of 10 on the CVSS scale-affecting Windows Server versions 2003 to 2019.
The 17-year-old remote code execution flaw (CVE-2020-1350), dubbed 'SigRed' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted |
Vulnerability | ★★ | |
|
2020-07-14 00:17:22 | New Highly-Critical SAP Bug Could Let Attackers Take Over Corporate Servers (lien direct) | SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, allowing an unauthenticated attacker to take control of SAP applications.
The bug, dubbed RECON and tracked as CVE-2020-6287, is rated with a maximum CVSS score of 10 out of 10, potentially affecting over 40,000 SAP customers, according to cybersecurity |
Vulnerability | ||
|
2020-07-11 12:03:58 | Exclusive: Any Chingari App (Indian TikTok Clone) Account Can Be Hacked Easily (lien direct) | Following vulnerability disclosure in the Mitron app, another viral TikTok clone in India has now been found vulnerable to a critical but easy-to-exploit authentication bypass vulnerability, allowing anyone to hijack any user account and tamper with their information, content, and even upload unauthorized videos.
The Indian video sharing app, called Chingari, is available for Android and iOS |
Vulnerability | ||
|
2020-07-10 05:35:03 | Unpatched Critical Flaw Disclosed in Zoom Software for Windows 7 (lien direct) | A zero-day vulnerability has been discovered in Zoom video conferencing software for Windows that could allow an attacker to execute arbitrary code on a victim's computer running Microsoft Windows 7 or older.
By the way, if someone is still using Windows 7, they deserve to get hacked, including many organizations without extended support, because it's only a matter of time before they'll be a |
Vulnerability |
To see everything:
Our RSS (filtrered)
