Vulnerabilities & Flaws

Oracle fixes WebLogic bug; 11g flaw exposed

Dan Kaplan February 05, 2010

Oracle on Thursday released a fix for a zero-day vulnerability in its WebLogic Node Manager. The publicly released bug can allow an attacker to fully compromise a targeted server on Windows, according to an Oracle blog post. The patch does not appear to be related to researcher David Litchfield's talk this week at the Black Hat conference in Washington, D.C., where he revealed how zero-day vulnerabilities in the Oracle 11g database could be used to bypass security and take complete control of the popular software. — DK
 

Microsoft to deliver 13 security patches for 26 bugs

Dan Kaplan February 05, 2010

After a relatively quiet January, administrators next week will have to deal with an unusually large security update from Microsoft, with 26 vulnerabilities in line for fixing.
 

Microsoft responds to Black Hat talk with IE bug advisory

Dan Kaplan February 03, 2010

An Internet Explorer vulnerability revealed at this week's Black Hat conference in Washington, D.C. prompted Microsoft to issue an advisory on the issue.
 

Apple resolves five iPhone bugs with update

Dan Kaplan February 02, 2010

Apple on Tuesday pushed out an iPhone and iPod Touch security update.
 

Google to offer up to $1,337 for bug finds in Chromium

Dan Kaplan January 29, 2010

Google joins Mozilla by forming a bounty program for vulnerability discoveries in its web browser.
 

Cisco pushes updated to web conferencing software

January 28, 2010

Cisco has released software updates to address multiple flaws in its Unified MeetingPlace audio, video and web conferencing solution, according to an advisory released Wednesday. The vulnerabilities, which include an SQL injection bug, could result in information disclosure, denial of service, privilege escalation and unauthorized account creation. Versions 5, 6 and 7 of the product are affected by at least one of the vulnerabilities. — DK
 

New attack against IE could expose all PC files

Angela Moscaritolo January 27, 2010

An attacker could leverage design flaws in Internet Explorer to read every file on a user's computer, according to researchers at Core Security Technologies
 

Chrome 4.0 released to address several flaws

Angela Moscaritolo January 26, 2010

Chrome 4.0.249.78 for Windows addresses 13 vulnerabilities, six of which are rated "high" in severity, according to Google's release notes.
 

Microsoft patches Internet Explorer hole used in spying

Dan Kaplan January 21, 2010

A "critical" Internet Explorer vulnerability, used as part of a mix of malware designed to steal sensitive intellectual property from major U.S. companies, was fixed on Thursday.
 

Microsoft confirms low-risk zero-day in Windows kernel

Dan Kaplan January 21, 2010

Microsoft is dealing with another zero-day vulnerability, albeit a less risky one than the notorious Internet Explorer flaw being leveraged in data-theft attacks on major companies.
 

Adobe releases update for Shockwave vulnerabilities

Dan Kaplan January 20, 2010

Adobe has issued a "critical" security update for its Shockwave Player, according to an advisory released Tuesday. The update, for both Windows and Mac users, resolves two vulnerabilities that could enable an attacker to run malicious code on victim machines. Users are advised to immediately upgrade to version 11.5.6.606, available for installation here. Shockwave Player is one of the most widely deployed multimedia technologies. — DK
 

Apple issues Mac OS X security update

Dan Kaplan January 20, 2010

Apple has released its first Mac OS X patches of 2010 to repair a number of vulnerabilities that could lead to remote code execution.
 

Google engineer finds Windows kernel bug

Dan Kaplan January 19, 2010

A security engineer on Tuesday posted details about an unpatched Windows kernel vulnerability. The flaw affects all versions of the operating system and can result in privilege escalation, according to an advisory posted to the Full Disclosure mailing list by Google engineer Tavis Ormandy. A successful exploit can allow an attacker to change the address for the kernel stack. Ormandy was responsible for reporting the lone vulnerability patched in last week's Microsoft security update. A Microsoft spokeswoman had no immediate comment. — DK
 

Microsoft to issue early patch for Internet Explorer flaw

Dan Kaplan January 19, 2010

A dangerous, zero-day vulnerability in Internet Explorer is getting an early fix, Microsoft announced Tuesday.
 

Adobe update trumps Microsoft's lone fix in patch frenzy

Dan Kaplan January 12, 2010

Microsoft typically garners all of the attention on Patch Tuesday, but for January's installment, researchers consider Adobe's fix for a critical zero-day vulnerability to be the major priority. Oracle also was scheduled to release fixes.
 

Proof-of-concept exploiting Mac OS X flaw released

Angela Moscaritolo January 12, 2010

An overseas security firm has released proof-of-concept code for a Mac OS X vulnerability that researchers said has remained open for some seven months.
 

Oracle preps 24 fixes for quarterly security update

Dan Kaplan January 11, 2010

Tuesday promises to bring a flurry of patching activity across enterprises, with Oracle, Adobe and Microsoft all planning fixes.
 

Adobe plans fix for Reader bug as exploits continue

Angela Moscaritolo January 08, 2010

Security researchers have discovered a new PDF sample actively exploiting a zero-day vulnerability in Adobe Reader and Acrobat, for which a fix is scheduled on Tuesday.
 

Critical fix out for Adobe Illustrator flaws

Angela Moscaritolo January 07, 2010

Adobe on Thursday issued an update to fix two critical buffer overflow vulnerabilities in its computer drawing tool, Adobe Illustrator CS4, CS3 and earlier versions for the Windows and Macintosh operating systems. The flaws could allow an attacker to execute arbitrary code, according to the update. Adobe initially warned users about the issue last month. — AM
 

Microsoft to release single patch for January update

Dan Kaplan January 07, 2010

IT administrators may be able to ease back into the New Year now that Microsoft plans only one fix for its January security update.
 

Hacker claims to find SQL hole in Intel site

Angela Moscaritolo January 06, 2010

A Romanian hacker using the alias "Unu" claims to have found a hole in an Intel website. The hacker demonstrated in late December an SQL injection vulnerability on the Intel "Channel Webinars" site, which is used to run online registrations for channel partner events. The site is currently down for maintenance. The same hacker has previously claimed to gain access to Symantec, Kaspersky, F-Secure and BitDefender websites. — AM
 

IIS issue not a new vulnerability, Microsoft says

Dan Kaplan December 30, 2009

Microsoft has determined that its Internet Information Service (ISS) does not suffer from a new vulnerability, only an "inconsistency" that affects misconfigured installations of the web server.
 

Encryption protecting most mobile phones cracked

Angela Moscaritolo December 29, 2009

With a few thousand dollars and widely available open-source tools, the encryption algorithm used to protect most cell phone communications can be cracked, allowing an attacker to listen in on phone calls, researchers revealed Sunday at a security conference.
 

New IIS flaw deemed low risk in proper configurations

Dan Kaplan December 28, 2009

Microsoft security officials are playing down the risk of a zero-day IIS vulnerability that could lead to compromised systems.
 

New report finds Adobe programs most at risk

Dan Kaplan December 17, 2009

Adobe's popular programs — Acrobat, Flash Player, Reader and Shockwave Player — top the list of the most vulnerable applications in 2009, according to a report released Wednesday by security firm Bit9. All four applications had vulnerabilities rated "high," which mean hackers could have executed arbitrary code. Apple QuickTime, Mozilla Firefox, Opera, RealPlayer, Sun Java and Trillian followed on the list, created from stats in the National Institute of Standards and Technology's (NIST) vulnerability database. All apps on the list rely on the end-user, not an IT administrator, to patch. — DK
 

Mozilla closes critical bugs with Firefox 3.5.6

Angela Moscaritolo December 16, 2009

An updated version of Firefox closes a number of "critical" flaws, which could allow an attacker to crash a victim's browser or run arbitrary code.
 

Adobe confirms Reader flaw, advises on workarounds

Dan Kaplan December 16, 2009

Adobe expects to have a fix in place by Jan. 12 for a new, zero-day vulnerability in Reader and Acrobat.
 

RockYou hack compromises 32 million passwords

Angela Moscaritolo December 15, 2009

A hacker was able to break into the RockYou database and hijack the account credentials of tens of millions of members.
 

Exploits expected to grow for Adobe Reader zero-day bug

Dan Kaplan December 15, 2009

Adobe is staring down another unpatched vulnerability in its Reader and Acrobat products.
 

SQL attack hits 125,000 sites

Angela Moscaritolo December 10, 2009

An SQL injection attack that began in late November has compromised more than 125,000 web pages, researchers at web security provider ScanSafe, recently acquired by Cisco, said Wednesday in a blog post. The sites have been injected with an IFRAME that loads malicious content from a known malicious domain, 318x.com. A number of other IFRAMEs and code redirections, used for tracking purposes, untimely aim to install the trojan Backdoor.Win32.Buzus.croo on the user's system. The malware generally is used for credit card and other banking-related theft. — AM
 

Latest News

Popular Topics
Analyst Reports & Industry Surveys Breaches & Exposures Browser Flaws Browsers And Security Cybersecurity Cyberwarfare Data Breaches Database Security Email Security Government Hackers Hacking Iphone Lawbreakers & Cybercrime Malware Mobile Endpoint Security Nation State Network Security Non-Microsoft Patches Patch Management Patch Tuesday SC Awards 2010 Vulnerabilities & Flaws Vulnerability Management Website Compromises