Joomla users: Update immediately to kill severe SQLi vulnerability

Version 3.7 of Joomla, pushed out less than a month ago, opens websites to SQL injection attacks, Sucuri Security researchers have found. As explained by researcher Marc-Alexandre Montpas: “The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site.” Sucuri published technical details about the vulnerability on Wednesday, in the …

SAP closes critical vulnerability affecting TREX

SAP has closed a critical vulnerability that had been exposed for almost two years. The vulnerability (SAP Security Note 2419592) affects TREX, an SAP NetWeaver standalone search engine that is deployed in over a dozen SAP products, including SAP HANA. The identified security issue allows an attacker to anonymously perform sensitive operations that can be combined to execute a command on the server remotely. Originally, the vulnerability was discovered in SAP HANA in 2015 …

Exploit revealed for remote root access vulnerability affecting many router models

Back in January 2013, researchers from application security services firm DefenseCode unearthed a remote root access vulnerability in the default installation of some Cisco Linksys (now Belkin) routers. The flaw was actually found in Broadcom’s UPnP implementation used in popular routers, and ultimately the researchers extended the list of vulnerable routers to encompass devices manufactured by the likes of ASUS, D-Link, Zyxel, US Robotics, TP-Link, Netgear, and others. Since there were millions of vulnerable devices …

Vulnerability in WhatsApp and Telegram allowed complete account takeover

Check Point researchers today revealed a new vulnerability in WhatsApp and Telegram’s online platforms, WhatsApp Web and Telegram Web. By exploiting this vulnerability, attackers could completely take over user accounts and access victims’ personal and group conversations, photos, videos and other shared files, contact lists, and more. Vulnerability impact: The vulnerability allows an attacker to send the victim malicious code hidden within an innocent-looking image. As soon as the user clicks on the …

Qualys app for IBM QRadar offers critical insight into key vulnerability metrics

At RSA Conference 2017, Qualys launched a new Qualys App for the IBM QRadar Security Intelligence Platform, which allows customers to visualize their network IT assets and vulnerabilities in real-time, and helps teams produce continuous vulnerability and risk metrics from a data analytics perspective. The new application is freely available to the security community through the IBM Security App Exchange, a marketplace where developers across the industry can share applications based on IBM Security technologies. …

The latest on the critical RCE Cisco WebEx extension vulnerability

Since Google bug hunter Tavis Ormandy revealed the existence of a remotely exploitable code execution flaw in the Cisco WebEx extension for Google Chrome last week, Cisco has pushed out several updates for it in quick succession. We’re now up to version 1.0.7 (the initial update to fix the flaw was 1.0.3), and ostensibly the vulnerability has now been fixed. The latest update of the security advisory detailing the issue says that the WebEx extensions …

Addressing the challenges of vulnerability coordination

The FIRST Vulnerability Coordination Special Interest Group (SIG) made the draft Guidelines and Practices for Multi-party Vulnerability Coordination available for public comment through January 31, 2017. Stakeholder roles and communication paths: While ISO standards provide basic guidance on the handling of potential vulnerabilities in products, the guidelines document is geared to consider more complex and typical real-life scenarios. Case studies start with products in the design stage with no affected users and scale to vulnerability …

Joomla vulnerability can be exploited to hijack sites, so patch now!

If you’re running a website on Joomla, you should update to the newly released 3.6.5 version as soon as possible, or risk your site being hijacked. The newest version of the popular CMS was released on Tuesday (December 13); it fixes three vulnerabilities and several bugs, and includes a number of new security hardening mechanisms. Among the fixed vulnerabilities is one (CVE-2016-9838) that is especially dangerous, as it could allow attackers to take …

Components of an effective vulnerability management process

Vulnerabilities continue to grab headlines. Whether it is a zero-day that affects “tens of millions” of servers around the globe or an old unpatched flaw that leads to a data compromise, we will keep reading about them. The modern security landscape demands a process to manage and keep on top of the ever-evolving threats and vulnerabilities. This process is known as a vulnerability management program, and it is designed to identify, classify and proactively prevent …

Top trends in security testing and vulnerability management

Many businesses fail to conduct frequent security testing despite believing that it’s critically important to securing their systems and data. One in five businesses surveyed admitted they don’t do any security testing, despite the fact that 95 percent of survey respondents reported encountering one of the dozen common security issues associated with security vulnerabilities. The findings are based on an Osterman Research survey of 126 security professionals who have knowledge about or responsibility for …