Critical vulnerability in Oracle Database, patch without delay!

Oracle is urging users to patch their Oracle Database installations to plug a critical security issue that can result in complete compromise of the Oracle Database and shell access to the underlying server. About the vulnerability (CVE-2018-3110) The vulnerability (CVE-2018-3110) affects Oracle Database versions 11.2.0.4 and 12.2.0.1 on Windows and is apparently easy to exploit, but can only be exploited remotely by an authenticated attacker. The vulnerability is in the Java Virtual Machine component of … More

Kryptowire introduces the mobile phone firmware vulnerability feed

Kryptowire discovered vulnerabilities in mobile device firmware and pre-installed mobile apps that pose a risk for the mobile phone supply chain because they can expose consumer and enterprise data on purchase. This means that the vulnerabilities are present, and the user is exposed to attacks even before she performs any activity such as using wireless communications or installing third-party apps. Firmware exploits bypass all existing defenses including commercial Mobile Threat Detection (MTD), or mobile anti-virus, … More

WhiteSource unveils free open source Vulnerability Checker

WhiteSource announced the release of its Vulnerability Checker, a free tool that provides companies with immediate, real-time alerts on the 50 most critical open source vulnerabilities published in the open source community. The new standalone CLI tool is free to use and available for anyone to download as a desktop application directly from the WhiteSource website. Once downloaded, the Vulnerability Checker offers users the opportunity to import and scan any library and run a quick … More

Bluetooth vulnerability allows snooping of traffic between paired devices

Researchers Eli Biham and Lior Neumann have discovered a vulnerability in two Bluetooth features that could be exploited by attackers to gain a man-in-the-middle position and to monitor and fiddle with the traffic between two devices connected via that wireless technology. “Both Bluetooth low energy (LE) implementations of Secure Connections Pairing in operating system software and BR/EDR implementations of Secure Simple Pairing in device firmware may be affected,” the Carnegie-Mellon CERT notes. The vulnerability (CVE-2018-5383) … More

Vulnerability research and responsible disclosure: Advice from an industry veteran

“Everything changes once you have to supervise and mentor and schedule and coordinate and keep in mind all the things others don’t. You often have to hold back your own wish to research a certain thing yourself or crack things open, because people rely on you to take a second look on their work. You kind of become the invisible ‘I’ in ‘Team’,” says Johannes Greil, Head of the SEC Consult Vulnerability Lab. Any member … More

Tripwire’s IP360 vulnerability management solution features agent-based scanning

Tripwire announced that agent-based vulnerability scanning is available in the latest version of Tripwire IP360. With the addition of agent-based capabilities, Tripwire IP360 9.0 provides a view of vulnerability risks across hybrid environments, including on-premise, in the cloud and in container-based environments. Leveraging agents for vulnerability management provides visibility into areas where traditional network scanning is not practical – such as environments with intermittently connected devices, dynamic IP addresses and cloud images – and bypasses … More

How to improve software vulnerability disclosure in Europe

As software gets embedded in more and more things we use every day, the problem of software vulnerability reporting and patching rises in importance. Unfortunately, only a few European countries have put vulnerability disclosure processes in place. CEPS, a ​think tank and ​forum for debate on EU affairs, has delved in the problematics, listened to industry experts, academics, representatives of EU and international institutions and civil society, and has come up with recommendations on how … More

Vulnerability landscape evolution for common desktop applications

Flexera released Vulnerability Review 2018: Top Desktop Apps, part of the annual report series from Secunia Research. This new edition focuses on heavily used desktop applications, which can be easily breached through the Internet. “Companies are in desperate need to improve patching so they can reduce risk. Ultimately that means creating a smart process,” said Kasper Lindgaard, Senior Director of Research and Security at Flexera. “To do that you have to cut through the noise … More

Vulnerability in GnuPG allowed digital signature spoofing for decades

A vulnerability affecting GnuPG has made some of the widely used email encryption software vulnerable to digital signature spoofing for many years. The list of affected programs includes Enigmail and GPGTools. About the vulnerability (CVE-2018-12020) CVE-2018-12020, dubbed “SigSpoof” by Marcus Brinkmann, the researcher which found it, arises from “weak design choices.” “The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “–status-fd 2” option, which … More

Zip Slip vulnerability affects thousands of projects

An arbitrary file overwrite vulnerability that can be exploited by attackers to achieve code execution on a target system affects a myriad of projects and multiple ecosystems, Snyk researchers have revealed. About the vulnerability The vulnerability, dubbed Zip Slip by the researchers, has been seen in the past before, but was never this widely spread, Snyk CEO Guy Podjarny told Help Net Security. “Zip Slip is a form of directory traversal that can be exploited … More