Vulnerabilities | News, how-tos, features, reviews, and videos

Supply chain attacks increased over 600% this year and companies are falling behind

Most companies believe they are using no open-source software libraries with known vulnerabilities, but new research finds them in 68% of selected enterprise applications.

Researchers extract master encryption key from Siemens PLCs

Global encryption keys were hardcoded on some programmable logic controller product lines. Siemens recommends upgrading all affected devices.

North Korea’s Lazarus group uses vulnerable Dell driver to blind security solutions

This first known exploit of the Dell vulnerability might inspire other malware developers who want to avoid detection of their code.

Microsoft mitigation for new Exchange Server zero-day exploits can be bypassed

No permanent fix for the Exchange Server vulnerabilities is yet available, but other steps can mitigate the risk.

11 old software bugs that took way too long to squash

As these examples show, vulnerabilities can lurk within production code for years or decades—and attacks can come at any time.

Cyberespionage group developed backdoors tailored for VMware ESXi hypervisors

A possibly new threat actor packaged and deployed backdoors as vSphere Installation Bundles, gaining remote code execution and persistence capabilities.

Zoho ManageEngine flaw is actively exploited, CISA warns

Threat actors are exploiting unpatched ManageEngine instances. CISA adds the vulnerability to its catalog and Zoho urges customers to check their deployments.

Most common SAP vulnerabilities attackers try to exploit

Unpatched systems, misconfigurations and vulnerable custom code are making SAP environments a top target for cyberattacks.

The Heartbleed bug: How a flaw in OpenSSL caused a security crisis

Heartbleed is a vulnerability in OpenSSL that came to light in April of 2014; it can be traced to a single line of code.

Up to 35% more CVEs published so far this year compared to 2021

A new report shows that significantly more CVEs will be published this year, and that some organizations are still vulnerable from older, unpatched CVEs.

Why patching quality, vendor info on vulnerabilities are declining

It's getting harder to assess the impact of patching or not patching, and too many patches don't fully fix the problem. It's time to pressure vendors.

New exploits can bypass Secure Boot and modern UEFI security protections

Two research groups demonstrate PC firmware vulnerabilities that are difficult to mitigate and likely to be exploited in the wild.

37 hardware and firmware vulnerabilities: A guide to the threats

Meltdown and Spectre raised the alarm over vulnerabilities that attackers can exploit in popular hardware and its firmware. This list, though not comprehensive, presents the most significant threats.

CISA releases IOCs for attacks exploiting Log4Shell in VMware Horizon and UAG

The investigation by the federal agency shows not only the indicators of compromise but also the reasons why the Log4j vulnerability will persist indefinitely.

Flashpoint says its VulnDB records vulnerabilities that MITRE CVE missed

Flashpoint reports that its vulnerability database recorded 11,860 cybersecurity vulnerability disclosures for the first half of 2022, 27.3% of which were missed or not detailed by MITRE's CVE system.

July was a hot month for cybersecurity research

Malware-laden Google Play apps, a Russian hijack of cloud storage services, and “flaws” that aren’t really flaws in the Okta platform all made for interesting security research this month.

GPS trackers used for vehicle fleet management can be hijacked by hackers

At least one model of GPS tracking devices made by Chinese firm MiCODUS "lacks basic security protections needed to protect users from serious security issues."

10 industry-defining security incidents from the last decade

From Heartbleed to Apache Struts to SolarWinds, these are the 10 watershed security incidents of the past 10 years.

Cyber Safety Review Board warns that Log4j event is an “endemic vulnerability”

The CSRB report predicts the Log4J risk will continue for years and offers best practices for mitigating the threat.

New speculative execution attack Retbleed impacts Intel and AMD CPUs

Unlike other speculative execution attacks like Spectre, Retbleed exploits return instructions rather than indirect jumps or calls.
