Threatpost for B2B

The First Stop For Security News

Hotel Internet Gateways Patched Against Remote Exploit

Thu, 03/26/2015 - 14:50
A critical vulnerability in a popular hotel and convention center Internet gateway from AntLabs called InnGate has been patched. The flaw gives attackers read and write access to the devices from the Internet.

MIT Researchers Debut Debugger for Integer Overflows

Thu, 03/26/2015 - 14:38
Students from M.I.T. have devised a new way to scour raw code for integer overflows.

U.S. Government Requests for Yahoo User Data Drop

Thu, 03/26/2015 - 13:17
Yahoo received nearly 5,000 requests for user data from the United States government in the last six months of 2014 and disclosed some content in nearly 25 percent of those cases. The company said in its new transparency report that it received between 0-999 National Security Letters from the U.S. government, too. The latest report from […]

Denial of Service and Memory Vulnerabilities Patched in Cisco IOS

Thu, 03/26/2015 - 12:15
Cisco released its semiannual set of patches for its Cisco IOS router and switch operating system. The patches address 16 vulnerabilities.

GE Fixes Buffer Overflow Bug in DTM Library

Thu, 03/26/2015 - 09:57
GE has released a fix for a vulnerability in a library that’s used in several of its products deployed in critical infrastructure areas. The flaw in the HART Device Type Manager library could allow an attacker to crash affected applications or run arbitrary code. The vulnerability in the DTM library affects four of GE’s products, as […]

Default Setting in Windows 7, 8.1 Could Allow Privilege Escalation, Sandbox Escape

Wed, 03/25/2015 - 15:42
A default setting in both Windows 7 and 8.1 could allow local users to elevate privileges and, in some situations, escape application sandboxes.

Tech Companies, Privacy Advocates Call for NSA Reform

Wed, 03/25/2015 - 11:49
A group of technology companies, non-profits and privacy and human rights organizations have sent a letter to President Barack Obama, the director of national intelligence and a wide range of Congressional leaders, calling for an end to the bulk collection of phone metadata under Section 215 of the USA PATRIOT Act. The letter, sent by […]

Google Adds Deceptive Software to Safe Browsing API

Wed, 03/25/2015 - 10:42
Google is continuing to refine its Safe Browsing API and now is giving users warnings about not just malicious software on sites they’re attempting to visit, but also about unwanted software. Google’s Safe Browsing API is designed to help protect users from a variety of threats on pages across the Internet. The functionality is built into […]

Using Heat to Jump Air-Gapped Computers

Tue, 03/24/2015 - 14:32
Researchers claim that when thermal energy from one computer is detected by an adjacent computer it can facilitate the spread of keys and malware.

Half of Android Users Exposed to Attack via Installation Vulnerability

Tue, 03/24/2015 - 13:50
Palo Alto Networks researchers say half of all Android devices contain a vulnerability that could allow an attacker to install malware on devices running the Android operating system.

Instagram API Bug Could Allow Malicious File Downloads

Tue, 03/24/2015 - 12:57
A security researcher says there is a bug in the Instagram API that could enable an attacker to post a message with a link to a page he controls that hosts a malicious file, but when the user downloads the file it will appear to come from a legitimate Instagram domain, leading the victim to trust […]

CA Linked to Chinese Registrar Issued Unauthorized Google Certificates

Mon, 03/23/2015 - 21:04
Google security engineers, investigating fraudulent certificates issued for several of the company’s domains, discovered that a Chinese certificate authority was using an intermediate CA, MCS Holdings, that issued the unauthorized Google certificates, and could have issued certificates for virtually any domain. Google’s engineers were able to block the fraudulent certificates in the company’s Chrome browser by pushing an […]

CSRF Vulnerability Exposed Hilton Hotel Member Accounts

Mon, 03/23/2015 - 13:19
A cross-site request forgery (CSRF) vulnerability in the website of hotel chain Hilton Worldwide could have inadvertently compromised much of its users' personal information.

Adobe CVE-2011-2461 Remains Exploitable Via Flex Four Years After Patch

Mon, 03/23/2015 - 11:38
A Flash vulnerability that Adobe patched four years ago actually remains exploitable, according to a presentation given by a pair of researchers at the TROOPERS security conference.

Cisco Small Business IP Phones Open to Remote Eavesdropping

Mon, 03/23/2015 - 10:46
Cisco is warning customers about several vulnerabilities in some of its IP phones that can allow an attacker to listen in on users’ conversations. The bug affects the Cisco SPA 300 and 500 Series IP phones. Cisco had confirmed the vulnerabilities, which were discovered by Chris Watts, a researcher at Tech Analysis in Australia, and is […]

Latest Dridex Campaign Evades Detection with AutoClose Function

Fri, 03/20/2015 - 13:49
Proofpoint discovered that a recent spate of phishing messages contained macro-based attacks that did not execute until the malicious document was closed.

All Major Browsers Fall at Pwn2Own Day 2

Fri, 03/20/2015 - 11:26
Two researchers took down the four major browsers (Internet Explorer, Firefox, Chrome, and Safari) yesterday as Pwn2Own wrapped up in Vancouver.

Yoast Google Analytics Plugin Patches XSS Vulnerability

Fri, 03/20/2015 - 09:58
Yoast addressed a cross-site scripting vulnerability in its Google Analytics WordPress plugin that allows a hacker to store code in the WordPress administrator dashboard that executes upon viewing.

Flash, Reader, Firefox and IE Fall on Pwn2Own Day 1

Thu, 03/19/2015 - 11:39
Four different research teams cracked four different products on Wednesday (Adobe Flash, Reader, Mozilla Firefox, and Microsoft Internet Explorer) and collectively earned a payout of $317,000 on the first day of Pwn2Own 2015.

OpenSSL Mystery Patch is No Heartbleed

Thu, 03/19/2015 - 10:00
The anticipated high severity patch in OpenSSL is for a denial-of-service vulnerability in the recently released version 1.0.2 that can crash a client or server with a malformed certificate.