What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-01-20 03:16:59 | Google Discloses Flaws in Signal, FB Messenger, JioChat Messaging Apps (lien direct) | In January 2019, a critical flaw was reported in Apple's FaceTime group chats feature that made it possible for users to initiate a FaceTime video call and eavesdrop on targets by adding their own number as a third person in a group chat even before the person on the other end accepted the incoming call.
The vulnerability was deemed so severe that the iPhone maker removed the FaceTime group |
Vulnerability | ||
|
2021-01-08 08:56:19 | New Attack Could Let Hackers Clone Your Google Titan 2FA Security Keys (lien direct) | Hardware security keys-such as those from Google and Yubico-are considered the most secure means to protect accounts from phishing and takeover attacks.
But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.
The vulnerability ( |
Vulnerability | ||
|
2021-01-01 05:49:30 | Secret Backdoor Account Found in Several Zyxel Firewall, VPN Products (lien direct) | Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices.
The flaw, tracked as CVE-2020-29583 (CVSS score 7.8), affects version 4.60 present in wide-range of Zyxel devices, including Unified Security Gateway ( |
Vulnerability | ||
|
2020-12-29 03:21:53 | A Google Docs Bug Could Have Allowed Hackers See Your Private Documents (lien direct) | Google has patched a bug in its feedback tool incorporated across its services that could be exploited by an attacker to potentially steal screenshots of sensitive Google Docs documents simply by embedding them in a malicious website. The flaw was discovered on July 9 by security researcher Sreeram KL, for which he was awarded $3133.70 as part of Google's Vulnerability Reward Program. | Tool Vulnerability | ||
|
2020-12-26 22:24:48 | A New SolarWinds Flaw Likely Had Let Hackers Install SUPERNOVA Malware (lien direct) | An authentication bypass vulnerability in the SolarWinds Orion software may have been leveraged by adversaries to deploy the SUPERNOVA malware in target environments.
According to an advisory published yesterday by the CERT Coordination Center, the SolarWinds Orion API that's used to interface with all other Orion system monitoring and management products suffers from a security flaw that could |
Malware Vulnerability | ||
|
2020-12-24 01:01:19 | Google Discloses Poorly-Patched, Now Unpatched, Windows 0-Day Bug (lien direct) | Google's Project Zero team has made public details of an improperly patched zero-day security vulnerability in Windows print spooler API that could be leveraged by a bad actor to execute arbitrary code.
Details of the flaw were revealed after Microsoft failed to patch it within 90 days of responsible disclosure on September 24.
Originally tracked as CVE-2020-0986, the flaw concerns an elevation |
Vulnerability | ||
|
2020-12-15 22:47:24 | SolarWinds Issues Second Hotfix for Orion Platform Supply Chain Attack (lien direct) | Network monitoring services provider SolarWinds officially released a second hotfix to address a critical vulnerability in its Orion platform that was exploited to insert malware and breach public and private entities in a wide-ranging espionage campaign.
In a new update posted to its advisory page, the company urged its customers to update Orion Platform to version 2020.2.1 HF 2 immediately to |
Vulnerability | ||
|
2020-12-07 22:31:19 | Zero-Click Wormable RCE Vulnerability Reported in Microsoft Teams (lien direct) | A zero-click remote code execution (RCE) bug in Microsoft Teams desktop apps could have allowed an adversary to execute arbitrary code by merely sending a specially-crafted chat message and compromise a target's system.
The issues were reported to the Windows maker by Oskars Vegeris, a security engineer from Evolution Gaming, on August 31, 2020, before they were addressed at the end of October. |
Vulnerability | ||
|
2020-12-07 21:44:01 | NSA Warns Russian Hacker Exploiting VMware Bug to Breach Corporate Networks (lien direct) | The US National Security Agency (NSA) on Monday issued an advisory warning that Russian threat actors are leveraging recently disclosed VMware vulnerability to install malware on corporate systems and access protected data.
Specifics regarding the identities of the threat actor exploiting the VMware flaw or when these attacks started were not disclosed.
The development comes two weeks after the |
Malware Vulnerability Threat | ||
|
2020-11-24 23:14:18 | 2-Factor Authentication Bypass Flaw Reported in cPanel and WHM Software (lien direct) | cPanel, a provider of popular administrative tools to manage web hosting, has patched a security vulnerability that could have allowed remote attackers with access to valid credentials to bypass two-factor authentication (2FA) protection on an account.
The issue, tracked as "SEC-575" and discovered by researchers from Digital Defense, has been remedied by the company in versions 11.92.0.2, |
Vulnerability | ||
|
2020-11-23 23:08:37 | Critical Unpatched VMware Flaw Affects Multiple Corporates Products (lien direct) | VMware has released temporary workarounds to address a critical vulnerability in its products that could be exploited by an attacker to take control of an affected system.
"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating |
Vulnerability | ★★★ | |
|
2020-11-18 23:49:41 | Researchers Warn of Critical Flaws Affecting Industrial Automation Systems (lien direct) | A critical vulnerability uncovered in Real-Time Automation's (RTA) 499ES EtherNet/IP (ENIP) stack could open up the industrial control systems to remote attacks by adversaries.
RTA's ENIP stack is one of the widely used industrial automation devices and is billed as the "standard for factory floor I/O applications in North America."
"Successful exploitation of this vulnerability could cause a |
Vulnerability | ★★★ | |
|
2020-10-21 00:02:44 | Popular Mobile Browsers Found Vulnerable To Address Bar Spoofing Attacks (lien direct) | Cybersecurity researchers on Tuesday disclosed details about an address bar spoofing vulnerability affecting multiple mobile browsers, such as Apple Safari and Opera Touch, leaving the door open for spear-phishing attacks and delivering malware.
Other impacted browsers include UCWeb, Yandex Browser, Bolt Browser, and RITS Browser.
The flaws were discovered by Pakistani security researcher Rafay |
Vulnerability | ||
|
2020-09-23 11:09:58 | Detecting and Preventing Critical ZeroLogon Windows Server Vulnerability (lien direct) | If you're administrating Windows Server, make sure it's up to date with all recent patches issued by Microsoft, especially the one that fixes a recently patched critical vulnerability that could allow unauthenticated attackers to compromise the domain controller.
Dubbed 'Zerologon' (CVE-2020-1472) and discovered by Tom Tervoort of Secura, the privilege escalation vulnerability exists due to the |
Vulnerability | ||
|
2020-09-10 14:37:22 | New Unpatched Bluetooth Flaw Lets Hackers Easily Target Nearby Devices (lien direct) | Bluetooth SIG-an organization that oversees the development of Bluetooth standards-today issued a statement informing users and vendors of a newly reported unpatched vulnerability that potentially affects hundreds of millions of devices worldwide.
Discovered independently by two separate teams of academic researchers, the flaw resides in the Cross-Transport Key Derivation (CTKD) of devices |
Vulnerability | ||
|
2020-09-01 00:40:02 | Cisco Issues Warning Over IOS XR Zero-Day Flaw Being Targeted in the Wild (lien direct) | Cisco has warned of an active zero-day vulnerability in its router software that's being exploited in the wild and could allow a remote, authenticated attacker to carry out memory exhaustion attacks on an affected device.
"An attacker could exploit these vulnerabilities by sending crafted IGMP traffic to an affected device," Cisco said in an advisory posted over the weekend.
"A successful |
Vulnerability | ||
|
2020-08-26 11:30:25 | Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware (lien direct) | Hackers always find a way in, even if there's no software vulnerability to exploit.
The FBI has arrested a Russian national who recently traveled to the United States and offered $1 million in bribe to an employee of a targeted company for his help in installing malware into the company's computer network manually.
Egor Igorevich Kriuchkov, 27-year-old, entered the United States as a tourist |
Malware Vulnerability | ||
|
2020-08-20 04:59:01 | Experts Reported Security Bug in IBM\'s Db2 Data Management Software (lien direct) | Cybersecurity researchers today disclosed details of a memory vulnerability in IBM's Db2 family of data management products that could potentially allow a local attacker to access sensitive data and even cause a denial of service attacks.
The flaw (CVE-2020-4414), which impacts IBM Db2 V9.7, V10.1, V10.5, V11.1, and V11.5 editions on all platforms, is caused by improper usage shared memory, |
Vulnerability | ★★★★ | |
|
2020-08-18 02:55:09 | Critical Jenkins Server Vulnerability Could Leak Sensitive Information (lien direct) | Jenkins-a popular open-source automation server software-published an advisory on Monday concerning a critical vulnerability in the Jetty web server that could result in memory corruption and cause confidential information to be disclosed.
Tracked as CVE-2019-17638, the flaw has a CVSS rating of 9.4 and impacts Eclipse Jetty versions 9.4.27.v20200227 to 9.4.29.v20200521-a full-featured tool |
Vulnerability | ||
|
2020-08-11 06:40:26 | A New vBulletin 0-Day RCE Vulnerability and Exploit Disclosed Publicly (lien direct) | A security researcher earlier today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability affecting the widely used internet forum software vBulletin that's already under active exploitation in the wild.
vBulletin is a widely used proprietary Internet forum software package based on PHP and MySQL database server that |
Vulnerability | ||
|
2020-08-10 05:06:36 | TeamViewer Flaw Could Let Hackers Steal System Password Remotely (lien direct) | If you are using TeamViewer, then beware and make sure you're running the latest version of the popular remote desktop connection software for Windows.
TeamViewer team recently released a new version of its software that includes a patch for a severe vulnerability (CVE 2020-13699), which, if exploited, could let remote attackers steal your system password and eventually compromise it.
What's |
Vulnerability | ★★ | |
|
2020-08-05 02:46:54 | Apple Touch ID Flaw Could Have Let Attackers Hijack iCloud Accounts (lien direct) | Apple earlier this year fixed a security vulnerability in iOS and macOS that could have potentially allowed an attacker to gain unauthorized access to a user's iCloud account.
Uncovered in February by Thijs Alkemade, a security specialist at IT security firm Computest, the flaw resided in Apple's implementation of TouchID (or FaceID) biometric feature that authenticated users to log in to |
Vulnerability | ||
|
2020-07-29 12:50:40 | Critical GRUB2 Bootloader Bug Affects Billions of Linux and Windows Systems (lien direct) | A team of cybersecurity researchers today disclosed details of a new high-risk vulnerability affecting billions of devices worldwide-including servers and workstations, laptops, desktops, and IoT systems running nearly any Linux distribution or Windows system.
Dubbed 'BootHole' and tracked as CVE-2020-10713, the reported vulnerability resides in the GRUB2 bootloader, which, if exploited, could |
Vulnerability | ||
|
2020-07-14 10:47:11 | 17-Year-Old Critical \'Wormable\' RCE Vulnerability Impacts Windows DNS Servers (lien direct) | Cybersecurity researchers today disclosed a new highly critical "wormable" vulnerability-carrying a severity score of 10 out of 10 on the CVSS scale-affecting Windows Server versions 2003 to 2019.
The 17-year-old remote code execution flaw (CVE-2020-1350), dubbed 'SigRed' by Check Point, could allow an unauthenticated, remote attacker to gain domain administrator privileges over targeted |
Vulnerability | ★★ | |
|
2020-07-14 00:17:22 | New Highly-Critical SAP Bug Could Let Attackers Take Over Corporate Servers (lien direct) | SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, allowing an unauthenticated attacker to take control of SAP applications.
The bug, dubbed RECON and tracked as CVE-2020-6287, is rated with a maximum CVSS score of 10 out of 10, potentially affecting over 40,000 SAP customers, according to cybersecurity |
Vulnerability | ||
|
2020-07-11 12:03:58 | Exclusive: Any Chingari App (Indian TikTok Clone) Account Can Be Hacked Easily (lien direct) | Following vulnerability disclosure in the Mitron app, another viral TikTok clone in India has now been found vulnerable to a critical but easy-to-exploit authentication bypass vulnerability, allowing anyone to hijack any user account and tamper with their information, content, and even upload unauthorized videos.
The Indian video sharing app, called Chingari, is available for Android and iOS |
Vulnerability | ||
|
2020-07-10 05:35:03 | Unpatched Critical Flaw Disclosed in Zoom Software for Windows 7 (lien direct) | A zero-day vulnerability has been discovered in Zoom video conferencing software for Windows that could allow an attacker to execute arbitrary code on a victim's computer running Microsoft Windows 7 or older.
By the way, if someone is still using Windows 7, they deserve to get hacked, including many organizations without extended support, because it's only a matter of time before they'll be a |
Vulnerability | ||
|
2020-07-04 07:26:31 | Critical RCE Flaw (CVSS 10) Affects F5 BIG-IP Application Security Servers (lien direct) | Cybersecurity researchers today issued a security advisory warning enterprises and governments across the globe to immediately patch a highly-critical remote code execution vulnerability affecting F5's BIG-IP networking devices running application security servers.
The vulnerability, assigned CVE-2020-5902 and rated as critical with a CVSS score of 10 out of 10, could let remote attackers |
Vulnerability | ||
|
2020-06-11 14:35:49 | A Bug in Facebook Messenger for Windows Could\'ve Helped Malware Gain Persistence (lien direct) | Cybersecurity researchers at Reason Labs, the threat research arm of security solutions provider Reason Cybersecurity, today disclosed details of a vulnerability they recently discovered in the Facebook Messenger application for Windows.
The vulnerability, which resides in Messenger version 460.16, could allow attackers to leverage the app to potentially execute malicious files already |
Malware Vulnerability Threat | ||
|
2020-06-09 13:39:32 | SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol (lien direct) | Cybersecurity researchers today uncover a new critical vulnerability affecting the Server Message Block (SMB) protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "wormable" bug, the flaw can be exploited to achieve remote code execution attacks.
Dubbed "SMBleed" (CVE-2020-1206) by cybersecurity firm ZecOps, the flaw resides in |
Vulnerability | ||
|
2020-06-08 03:07:20 | Any Indian DigiLocker Account Could\'ve Been Accessed Without Password (lien direct) | The Indian Government said it has addressed a critical vulnerability in its secure document wallet service Digilocker that could have potentially allowed a remote attacker to bypass mobile one-time passwords (OTP) and sign in as other users to access their sensitive documents stored on the platform.
"The OTP function lacks authorization which makes it possible to perform OTP validation with |
Vulnerability | ||
|
2020-06-01 22:37:18 | Critical VMware Cloud Director Flaw Lets Hackers Take Over Corporate Servers (lien direct) | Cybersecurity researchers today disclosed details for a new vulnerability in VMware's Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure.
Tracked as CVE-2020-3956, the code injection flaw stems from an improper input handling that could be abused by an authenticated attacker to |
Vulnerability | ||
|
2020-05-30 08:43:58 | Critical \'Sign in with Apple\' Bug Could Have Let Attackers Hijack Anyone\'s Account (lien direct) | Apple recently paid Indian vulnerability researcher Bhavuk Jain a huge $100,000 bug bounty for reporting a highly critical vulnerability affecting its 'Sign in with Apple' system.
The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users' accounts on third-party services and apps that have been registered using 'Sign in with Apple' |
Vulnerability | ||
|
2020-05-30 00:56:49 | Exclusive – Any Mitron (Viral TikTok Clone) Profile Can Be Hacked in Seconds (lien direct) | Mitron (means "friends" in Hindi), you have been fooled again!
Mitron is not really a 'Made in India' product, and the viral app contains a highly critical, unpatched vulnerability that could allow anyone to hack into any user account without requiring interaction from the targeted users or their passwords.
I am sure many of you already know what TikTok is, and those still unaware, it's a |
Hack Vulnerability | ★★★★★ | |
|
2020-05-26 07:40:30 | New Android Flaw Affecting Over 1 Billion Phones Let Attackers Hijack Apps (lien direct) | Remember Strandhogg?
A security vulnerability affecting Android that malicious apps can exploit to masquerade as any other app installed on a targeted device to display fake interfaces to the users, tricking them into giving away sensitive information.
Late last year, at the time of its public disclosure, researchers also confirmed that some attackers were already exploiting the flaw in the |
Vulnerability | ||
|
2020-05-19 04:20:48 | New Bluetooth Vulnerability Exposes Billions of Devices to Hackers (lien direct) | Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion of modern devices to hackers.
The attacks, dubbed Bluetooth Impersonation AttackS or BIAS, concerns Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for |
Vulnerability | ||
|
2020-05-14 03:24:50 | Improper Microsoft Patch for Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable (lien direct) | Remember the Reverse RDP Attack-wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft's Remote Desktop Protocol?
Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward |
Vulnerability | ||
|
2020-05-11 12:11:00 | An Undisclosed Critical Vulnerability Affect vBulletin Forums - Patch Now (lien direct) | If you are running an online discussion forum based on vBulletin software, make sure it has been updated to install a newly issued security patch that fixes a critical vulnerability.
Maintainers of the vBulletin project recently announced an important patch update but didn't reveal any information on the underlying security vulnerability, identified as CVE-2020-12720.
Written in PHP |
Vulnerability | ||
|
2020-05-04 02:58:02 | Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability (lien direct) | Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and Digicert.
Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data |
Vulnerability | ||
|
2020-04-27 01:34:39 | How An Image Could\'ve Let Attackers Hack Microsoft Teams Accounts (lien direct) | Microsoft has patched a worm-like vulnerability in its Teams workplace video chat and collaboration platform that could have allowed attackers to take over an organization's entire roster of Teams accounts just by sending participants a malicious link to an innocent-looking image.
The flaw, impacting both desktop and web versions of the app, was discovered by cybersecurity researchers at |
Hack Vulnerability | ★★★★ | |
|
2020-04-21 02:55:42 | Unpatchable \'Starbleed\' Bug in FPGA Chips Exposes Critical Devices to Hackers (lien direct) | A newly discovered unpatchable hardware vulnerability in Xilinx programmable logic products could allow an attacker to break bitstream encryption, and clone intellectual property, change the functionality, and even implant hardware Trojans.
The details of the attacks against Xilinx 7-Series and Virtex-6 Field Programmable Gate Arrays (FPGAs) have been covered in a paper titled "The |
Vulnerability | ||
|
2020-04-17 04:20:03 | CISA Warns Patched Pulse Secure VPNs Could Still Expose Organizations to Hackers (lien direct) | The United States Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued a fresh advisory alerting organizations to change all their Active Directory credentials as a defense against cyberattacks trying to leverage a known remote code execution (RCE) vulnerability in Pulse Secure VPN servers-even if they have already patched it.
The warning comes three months after another |
Vulnerability | ||
|
2020-03-24 13:06:59 | Critical RCE Bug Affects Millions of OpenWrt-based Network Devices (lien direct) | A cybersecurity researcher today disclosed technical details and proof-of-concept of a critical remote code execution vulnerability affecting OpenWrt, a widely used Linux-based operating system for routers, residential gateways, and other embedded devices that route network traffic.
Tracked as CVE-2020-7982, the vulnerability resides in the OPKG package manager of OpenWrt that exists in the |
Vulnerability | ||
|
2020-03-21 00:57:30 | Mukashi: A New Mirai IoT Botnet Variant Targeting Zyxel NAS Devices (lien direct) | A new version of the infamous Mirai botnet is exploiting a recently uncovered critical vulnerability in network-attached storage (NAS) devices in an attempt to remotely infect and control vulnerable machines.
Called "Mukashi," the new variant of the malware employs brute-force attacks using different combinations of default credentials to log into Zyxel NAS, UTM, ATP, and VPN firewall |
Malware Vulnerability | ||
|
2020-03-12 10:54:00 | Critical Patch Released for \'Wormable\' SMBv3 Vulnerability - Install It ASAP! (lien direct) | Microsoft today finally released software updates to patch a recently disclosed very dangerous vulnerability in SMBv3 protocol that could let attackers launch wormable malware, which can propagate itself from one vulnerable computer to another automatically.
The vulnerability, tracked as CVE-2020-0796, in question is a remote code execution flaw that impacts Windows 10 version 1903 and 1909, |
Vulnerability | ||
|
2020-03-11 05:27:42 | Warning - Unpatched Critical \'Wormable\' Windows SMBv3 Flaw Disclosed (lien direct) | Shortly after releasing its monthly batch of security updates, Microsoft late yesterday separately issued an advisory warning billions of its Windows users of a new critical, unpatched, and wormable vulnerability affecting Server Message Block 3.0 (SMBv3) network communication protocol.
It appears Microsoft originally planned to fix the flaw as part of its March 2020 Patch Tuesday update only, |
Vulnerability | ★★★★ | |
|
2020-03-10 14:35:34 | Poor Rowhammer Fixes On DDR4 DRAM Chips Re-Enable Bit Flipping Attacks (lien direct) | Remember rowhammer vulnerability? A critical issue affecting modern DRAM (dynamic random access memory) chips that could allow attackers to obtain higher kernel privileges on a targeted system by repeatedly accessing memory cells and induce bit flips.
To mitigate Rowhammer vulnerability on the latest DDR4 DRAM, many memory chip manufacturers added some defenses under the umbrella term Target |
Vulnerability | ★★★★ | |
|
2020-03-10 10:46:38 | LVI Attacks: New Intel CPU Vulnerability Puts Data Centers At Risk (lien direct) | It appears there is no end in sight to the hardware level security vulnerabilities in Intel processors, as well as to the endless 'performance killing' patches that resolve them.
Modern Intel CPUs have now been found vulnerable to a new attack that involves reversely exploiting Meltdown-type data leak vulnerabilities to bypass existing defenses, two separate teams of researchers told The |
Vulnerability | ★★★★ | |
|
2020-03-06 12:47:58 | This Unpatchable Flaw Affects All Intel CPUs Released in Last 5 Years (lien direct) | All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that are otherwise designed to shield sensitive data of users even when a system gets compromised.
The vulnerability, tracked as CVE-2019-0090, resides in the hard-coded firmware running on the ROM ("read-only memory") |
Vulnerability | ★★★★★ | |
|
2020-03-05 12:22:14 | Critical PPP Daemon Flaw Opens Most Linux Systems to Remote Hackers (lien direct) | The US-CERT today issued advisory warning users of a new dangerous 17-year-old remote code execution vulnerability affecting the PPP daemon (pppd) software that comes installed on almost all Linux based operating systems, as well as powers the firmware of many other networking devices.
The affected pppd software is an implementation of Point-to-Point Protocol (PPP) that enables communication |
Vulnerability |
To see everything:
Our RSS (filtrered)
