Experts disclose details about a critical flaw in Microsoft Hyper-V, tracked as CVE-2021-28476, that can allow executing arbitrary code on it. Researchers Peleg Hadar of SafeBreach and Ophir Harpaz of Guardicore disclose details about a critical flaw in Microsoft Hyper-V, tracked as  CVE-2021-28476 , that can allow triggering a DoS condition ot executing arbitrary code on it. The flaw resides in […]

OWASP Top 10 vulnerabilities is a list of the 10 most common security vulnerabilities in applications. The Top 10 OWASP web application security vulnerabilities are updated every 3-4 years. Last updated in 2017, the vulnerabilities featuring on the list are: Injection Broken Authentication Sensitive Data Exposure XML External Entities (XXE) Broken Access Control Security Misconfigurations Cross-Site Scripting […]

Google today announced it has extended its Open Source Vulnerabilities (OSV) database to incorporate data from additional open source projects, using a unified schema for “describing vulnerabilities precisely.” The benefits of open source software are widely understood, but concerns around vulnerabilities frequently rear their head. The vast majority of codebases contain at least one known open source vulnerability, while a […]

Researchers at SentinelLabs say that they found various exploitable bugs in one of Dell’s Windows kernel drivers, which they reported back in December 2020. There were five related bugs, now collectively dubbed CVE-2021-21551. Dell has now issued a patch for these vulnerabilities (the official update is dated 2021-05-04), noting that: Dell dbutil_2_3.sys driver contains an insufficient access control vulnerability […]

Apple has released iOS 14.5.1, which provides a memory corruption bug fix and patches an arbitrary code execution (ACE) vulnerability in WebKit — a web browser engine. Arbitrary code execution refers to an attacker executing code that they should not be able to execute. A malicious website could theoretically execute harmful code on your iPhone, […]

We’re sure you’ve heard of OpenSSL, and even if you aren’t a coder yourself, you’ve almost certainly used it. OpenSSL is one of the most popular open-source cryptography libraries out there, and lots of well-known products rely on it, especially on Linux, which doesn’t have a standard, built-in encryption toolkit of its own. Even on Windows […]

Google has demonstrated exploiting the Spectre CPU attack remotely over the web: Today, we’re sharing proof-of-concept (PoC) code that confirms the practicality of Spectre exploits against JavaScript engines. We use Google Chrome to demonstrate our attack, but these issues are not specific to Chrome, and we expect that other modern browsers are similarly vulnerable to this exploitation vector. We […]

On March 2nd, Microsoft has released emergency out-of-band security updates that address four zero-day issues (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in all supported Microsoft Exchange versions that are actively exploited in the wild. The IT giant reported that at least one China-linked APT group, tracked as HAFNIUM, chained these vulnerabilities to access on-premises Exchange servers to access email […]

Apple has released out-of-band security patches to address a critical iOS, macOS, watchOS, and Safari web browser to address a security flaw tracked as CVE-2021-1844. The vulnerability was discovered by Clément Lecigne of Google’s Threat Analysis Group and Alison Huffman of Microsoft Browser Vulnerability Research. The flaw could be exploited by remote attackers to run […]

We know what you’re thinking: “I bet you this is what they call a supply chain attack.” And you’d be right. The “one man” in the headline is cybersecurity researcher Alex Birsan, and his paper Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies, which came out last week, will tell you […]

Google last week announced the OSV (Open Source Vulnerabilities), a vulnerability database and triage infrastructure for open source projects. The database aims at helping both open source maintainers and consumers of open source projects. The archive could allow users and maintainers of open-source software to find the vulnerabilities that affect them, providing detailed info about […]

Microsoft doesn’t feel the bugs are important enough to fix immediately, although one researcher disagrees Several purported security flaws in Skype have been disclosed publicly, but Microsoft claims they do not need “immediate security servicing”. On February 2, researcher “mr.d0x,” also known as “TheCyberSecurityTutor”, publicly disclosed a “plague” of spoofing vulnerabilities in the Microsoft-owned remote […]

GitHub has analyzed over 45,000 active directories and found that open source vulnerabilities often go undetected for more than four years. Source: Open source vulnerabilities go undetected for over four years – Help Net Security The State of Open Source Security Vulnerabilities Resources for Searching and Analyzing Online Information Advanced Sciences and Technologies for Security […]

A researcher disclosed technical details of an unpatched vulnerability in Apple’s Safari web browser that can be exploited to steal files from the targeted system. Source: Expert discloses unpatched Safari flaw that allows stealing local files Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment […]

Mozilla has expanded its bug bounty program including rewards for bypass methods for the exploit mitigations and security features in Firefox. Source: Mozilla offers rewards for Bypassing Firefox Exploit Mitigations Why Firefox is the best browser for privacy and how to configure things properly

Manufactured by Thales, the EHS8 module family has security flaws that could allow attackers to take total control over internet-connected industrial machines. Source: IBM finds vulnerability in IoT chips present in billions of devices   Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment Stands […]

Researchers spotted a new sophisticated peer-to-peer (P2P) botnet, dubbed FritzFrog, that has been actively targeting SSH servers since January 2020. Source: FritzFrog cryptocurrency P2P botnet targets Linux servers over SSH   Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up! DISC InfoSec 🔒 […]

Google Chrome will warn users when submitting insecure forms that deliver information via HTTP connections on HTTPS websites starting with version 86. Source: Google Chrome will warn users when submitting insecure forms   Download a Security Risk Assessment Steps paper! Security Risk assessment Quiz – Find Out How Your security risk assessment Stands Up! DISC InfoSec […]

Security researchers have discovered a PoC code and exploit available online that can be used to trigger unpatched security flaws in Apache Struts 2. Security researchers have discovered a PoC code and exploit available on GitHub that that can be used to trigger the security vulnerabilities in Apache Struts 2. The Proof-of-concept exploit code was released last […]