HackDig : Dig high-quality web security articles for hacker

OptionsBleed – The Apache HTTP Server Now Bleeds

A new vulnerability in the Apache HTTP server was found recently. Designated as CVE-2017-9798, this vulnerability lies in how Apache handles certain settings in its configuration files, resulting in memory leaks. This vulnerability is named OptionsBleed, based on its similarities with the Heartbleed vulnerability. Patches to Apache are now available. What is
Publish At:2017-09-22 21:10 | Read:70 | Comments:0 | Tags:Vulnerabilities apache OptionsBleed

a-PATCH-e: Struts Vulnerabilities Run Rampant

by Steve Povolny Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a vulnerability patched last March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. This vulnerability was f
Publish At:2017-09-22 02:45 | Read:115 | Comments:0 | Tags:Exploits Vulnerabilities Apache Struts CVE-2017-5638 CVE-201

The Myth of Mutual Exclusivity: Making the DevOps Process More Agile Without Compromising Security

The marketplace is demanding agility, but many enterprises perceive the need for agility as an ongoing security risk. If applications are constantly evolving, they assume, the process will constantly open up new avenues for attackers to exploit. This worry has given rise to a widespread misconception that security or agility is a binary choice. But a growing
Publish At:2017-09-21 19:15 | Read:128 | Comments:0 | Tags:Application Security CISO Agile DevOps SecDevOps Security Pr

Don’t Sweep Web Application Penetration Testing Under the Rug

Web application penetration testing is one of the most critical components of your information security program. The exploitation of a web-related vulnerability could result in a massive breach, so web security must be front and center in any organization. However, I often see people sweep web security under the rug and fail to follow through on their find
Publish At:2017-09-21 00:50 | Read:121 | Comments:0 | Tags:Application Security Risk Management Application Security Te

Advisory: BlueBorne Reportedly Affects Billions of Bluetooth-Enabled Devices

by Vít Šembera (Cyber Threat Researcher) BlueBorne is a set of vulnerabilities affecting the implementation of Bluetooth in iOS, Android, Linux, Windows and Mac OS* devices. According to the researchers who uncovered them, BlueBorne affects around 5.3 billion Bluetooth-enabled devices. The immediate mitigation for BlueBorne is to patch the device, if there’s
Publish At:2017-09-15 23:05 | Read:250 | Comments:0 | Tags:Exploits Internet of Things Vulnerabilities BlueBorne Blueto

Downward Trend in Publicly Available Exploit Code? Don’t Ease Up on Patch Management Just Yet

The IBM X-Force Vulnerability Database (XFDB), which holds over 100,000 publicly disclosed vulnerabilities, is chock-full of insights concerning the cybersecurity threat landscape. Much of the data is publicly available directly on the IBM X-Force Exchange platform and can be accessed by users anytime. In reviewing the database on an ongoing basis, the IBM
Publish At:2017-09-14 21:10 | Read:185 | Comments:0 | Tags:Advanced Threats Endpoint Threat Intelligence X-Force Resear

Hangul Word Processor and PostScript Abused Via Malicious Attachments

The Hangul Word Processor (HWP) is a word processing application which is fairly popular in South Korea. It possesses the ability to run PostScript code, which is a language originally used for printing and desktop publishing, although it is a fully capable language. Unfortunately, this ability is now being exploited in attacks involving malicious attachment
Publish At:2017-09-14 10:15 | Read:122 | Comments:0 | Tags:Malware Vulnerabilities Encapsulated PostScript Hangul Word

Microsoft Office Zero-Day Vulnerability Addressed in September Patch Tuesday

Microsoft has released their monthly security bulletin—colloquially known as Patch Tuesday—for September. The most important update is one that addresses a zero-day vulnerability that exploits Microsoft Word. CVE-2017-8759 is a .NET Framework Remote Code Execution Vulnerability that allows attackers to execute code on the target system remotely when exploite
Publish At:2017-09-13 15:50 | Read:277 | Comments:0 | Tags:Vulnerabilities September Patch Tuesday Vulnerability

CVE-2017-0780: Denial-of-Service Vulnerability can Crash Android Messages App

by Jason Gu and Seven Shen Just about anyone can appreciate a good old meme GIF every now and then, but what if one caused your Android Messages to crash? A denial-of-service vulnerability we recently disclosed to Google can do exactly that and more. Designated as CVE-2017-0780, we’ve confirmed it to be in the latest Nexus and Pixel devices. The security fla
Publish At:2017-09-07 07:30 | Read:238 | Comments:0 | Tags:Mobile Vulnerabilities android Android Messages CVE-2017-078

Three Practical Tips That Empower Developers and Prevent Open Source Security Risks From Entering Your Code

Employees use open source applications in organizations of all sizes and across all industries, and this trend shows no signs of slowing down. It is both cost effective and efficient to incorporate source code into software during the development stage. With all those extra resources, developers can focus more on the organization’s proprietary code. Ac
Publish At:2017-08-21 15:05 | Read:153 | Comments:0 | Tags:Application Security Risk Management Application Development

The Crisis of Connected Cars: When Vulnerabilities Affect the CAN Standard

In many instances, researchers and engineers have found ways to hack into modern, internet-capable cars, as has been documented and reported several times. One famous example is the Chrysler Jeep hack that researchers Charlie Miller and Chris Valasek discovered. This hack and those that have come before it have mostly been reliant on specific vulnerabilities
Publish At:2017-08-16 13:40 | Read:313 | Comments:0 | Tags:Exploits Internet of Things intelligent transportation syste

CVE-2017-0199: New Malware Abuses PowerPoint Slide Show

By Ronnie Giagone and Rubio Wu CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents, a method used by t
Publish At:2017-08-14 06:00 | Read:214 | Comments:0 | Tags:Malware Vulnerabilities

Eight Myths Not to Believe About Penetration Testing

Penetration testing — the process of trying to break into one’s own system to find vulnerabilities before cybercriminals do — is an integral part of information security. The data gleaned from these evaluations can help companies remediate flaws in their security infrastructure before fraudsters have a chance to expose them. Dispelling Eight Penetratio
Publish At:2017-08-10 20:40 | Read:247 | Comments:0 | Tags:Data Protection Risk Management Data Breaches Penetration Te

Critical Windows Search and Hyper-V Vulnerabilities Tackled by August’s Patch Tuesday

Microsoft has released their monthly security bulletin with 48 security patches—25 of which are labeled Critical, 21 are Important, and two are Moderate in severity. This was a standard batch of updates, addressing issues in Internet Explorer, Microsoft Edge, Windows, Microsoft SharePoint, Adobe Flash Player and Microsoft SQL Server. A majority of the critic
Publish At:2017-08-09 15:20 | Read:254 | Comments:0 | Tags:Vulnerabilities August Patch Tuesday

Assessing Risks and Remediating Threats With a Layered Approach to Vulnerability Management

Companies need to do more than just scan for known problems and provide huge vulnerability reports to system and network administrators for remediation. According to Gartner, known vulnerabilities still comprise 99 percent of all known exploit traffic. Furthermore, malware, ransomware and exploit kits target vulnerabilities that are six months or older on av
Publish At:2017-08-09 07:50 | Read:270 | Comments:0 | Tags:CISO Risk Management Security Intelligence & Analytics Patch


Share high-quality web security related articles with you:)


Tag Cloud