byPaul DucklinWe recently wrote up a fascinatingly scary warning about server hard drives that might abruptly and utterly fail.HPE warned its customers that a wide variety of its solid state disks (SSDs) needed an urgent firmware update to prevent them sailing over the edge of the earth into oblivion.The disks weren’t badly manufactured; they werenR

They see you when you’re shopping, they know when you click “pay” – cybercriminals, that is. With Black Friday and Cyber Monday deals flooding the internet, malicious actors have many opportunities to exploit users rushing to purchase gifts for family and friends. And according to Ars Technica, thieves have devised a new way to steal payment-card

VMware on Thursday informed customers that it has released patches for a critical remote code execution vulnerability in ESXi that was disclosed recently at the Tianfu Cup hacking competition in China.According to organizers of the Tianfu Cup, a member of the 360Vulcan team demonstrated a virtual machine escape and took control of the host operating system.

A vulnerability that can be exploited to determine if a user is connected to a VPN and hijack active TCP connections in a VPN tunnel has been found to affect various Linux and Unix operating systems.The vulnerability, tracked as CVE-2019-14899, was discovered recently by a team of researchers from the University of New Mexico. They privately reported their f

byJohn E DunnFor anyone lucky enough to get them, Android’s December 2019 updates arrived this week, patching a small list of system and Qualcomm flaws across the operating system’s two patch levels.In Google’s estimation, at the top of the urgent list on the 2019-12-01 patch level (see below for explanation) is CVE-2019-2232, a critical flaw affecting Andro

An undocumented hardware-based special access feature recently found by researchers in Siemens' S7-1200 can be used by attackers to gain control of the industrial devices.Siemens recently issued a security advisory with workarounds and mitigations for a vulnerability uncovered by researchers in its S7-1200 programmable logic controllers (PLCs) that could be

Microsoft recently addressed an OAuth 2.0 vulnerability that could allow an attacker to take over Azure accounts.The issue impacts specific Microsoft OAuth 2.0 applications and allows an attacker to create tokens with the victim’s permissions, CyberArk’s security researchers have discovered.The root cause of the security flaw, which CyberArk calls BlackDirec

Cisco Talos researchers have identified two vulnerabilities in the GoAhead embedded web server, including a critical flaw that can be exploited for remote code execution.Developed by EmbedThis, GoAhead is advertised as the “world's most popular tiny embedded web server.” Both open source and enterprise versions are available and the vendor says GoAhead is pr

Norwegian app security company Promon on Monday disclosed the existence of a vulnerability that has been exploited by tens of malicious Android apps, and warned that hundreds of popular applications are at risk of being targeted.Promon has dubbed the flaw StrandHogg, which is an old Norse term describing a Viking tactic that involved raiding coastal areas to

The bug enables malware to pose as any legitimate Android app, letting attackers track messages, photos, credentials, and phone conversations.A newly discovered vulnerability in the Android operating system could let attackers abuse legitimate apps to deliver malware. In doing so, they could track users without their knowledge.Researchers with Norwegian app

The Cybersecurity and Infrastructure Security Agency (CISA) publishes a draft document mandating a vulnerability disclosure policy and a strategy for handling reports of security weaknesses.The US government will require each civilian agency to create a public policy for software-vulnerability disclosure, as well as a strategy for handling any potential secu

A critical vulnerability affecting some Relion protection devices from ABB can be exploited to take control of a device or cause it to become inoperable, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) warned last week.The flaw affects Relion 670 series devices made by Swiss-based industrial technology solutions provider ABB. These products

Companies that rely solely on CVE/NVD are missing 33% of disclosed flaws, Risk Based Security says.A new report shows companies that rely solely on the Common Vulnerabilities and Exposures (CVE) system for their vulnerability information are leaving themselves exposed to a substantial number of security issues they don't know about.Risk Based Security's rese

By Lance Jiang and Jesse Chang CVE-2019-11932, which is a vulnerability in WhatsApp for Android, was first disclosed to the public on October 2, 2019 after a researcher named Awakened discovered that attackers could use maliciously crafted GIF files to allow remote code execution. The vulnerability was patched with version 2.19.244 of WhatsApp, but the under

Security and web performance services provider Cloudflare this week announced the open source availability of Flan Scan, its lightweight network vulnerability scanner.Based on the Nmap open source tool, Flan Scan was born out of the need for an easy-to-deploy scanner that could accurately detect the services on a network and then look them up in a database o