Tag Archives: vulnerability

Zeroday in ubiquitous Log4j tool poses a grave threat to the Internet

Getty Images reader comments 62 with 41 posters participating Share this story Exploit code has been released for a serious code-execution vulnerability in Log4j, an open-source logging utility that’s used in countless apps, including those used by large enterprise organizations, several websites reported on last Thursday. Word of the vulnerability first came to light on… Read More: Zeroday in ubiquitous Log4j tool poses a grave threat to… »

Apple forgot to sanitize the Phone Number field for lost AirTags

Enlarge / Apple’s AirTags—as seen clipped to a backpack, above—allow users to attempt to find their own device via location rebroadcast from other Apple users. If all else fails, the user can enable a “Lost mode” intended to display their phone number when a finder scans the missing AirTag. reader comments 28 with 25 posters… Read More: Apple forgot to sanitize the Phone Number field for lost… »

PoC exploit released for Azure AD brute-force bug—here’s what to do

reader comments 20 with 16 posters participating Share this story A public proof-of-concept (PoC) exploit has been released for the Microsoft Azure Active Directory credentials brute-forcing flaw discovered by Secureworks and first reported by Ars. The exploit enables anyone to perform both username enumeration and password brute-forcing on vulnerable Azure servers. Although Microsoft had initially… Read More: PoC exploit released for Azure AD brute-force bug—here’s what to… »

New Azure Active Directory password brute-forcing flaw has no fix

reader comments 8 with 8 posters participating Share this story Imagine having unlimited attempts to guess someone’s username and password without getting caught. That would make an ideal scenario for a stealthy threat actor—leaving server admins with little to no visibility into the attacker’s actions, let alone the possibility of blocking them. A newly discovered… Read More: New Azure Active Directory password brute-forcing flaw has no fix »

Exchange/Outlook autodiscover bug exposed 100,000+ email passwords

Enlarge / If you own the right domain, you can intercept hundreds of thousands of innocent third parties’ email credentials, just by operating a standard webserver. reader comments 35 with 25 posters participating, including story author Share this story Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft’s autodiscover—the protocol which allows… Read More: Exchange/Outlook autodiscover bug exposed 100,000+ email passwords »

Apple users warned: Clicking this attachment will take over your macOS

reader comments 37 with 30 posters participating Share this story A code execution bug in Apple’s macOS allows remote attackers to run arbitrary commands on your device. And the worst part is, Apple hasn’t fully patched it yet, as tested by Ars. Those shortcut files can take over your Mac Independent security researcher Park Minchan… Read More: Apple users warned: Clicking this attachment will take over your… »

Travis CI flaw exposed secrets of thousands of open source projects

Getty Images reader comments 38 with 32 posters participating Share this story A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in… Read More: Travis CI flaw exposed secrets of thousands of open source… »

Apple patches “FORCEDENTRY” zero-day exploited by Pegasus spyware

Aurich Lawson | Getty Images reader comments 44 with 39 posters participating Share this story Apple has released several security updates this week to patch a “FORCEDENTRY” vulnerability on iOS devices. The “zero-click, zero-day” vulnerability has been actively exploited by Pegasus, a spyware app developed by the Israeli company NSO Group, which has been known… Read More: Apple patches “FORCEDENTRY” zero-day exploited by Pegasus spyware »

Security researchers at Wiz discover another major Azure vulnerability

Enlarge / This isn’t how the OMIGOD vulnerability works, of course—but lightning is much more photogenic than maliciously crafted XML. reader comments 31 with 20 posters participating, including story author Share this story Cloud security vendor Wiz—which recently made news by discovering a massive vulnerability in Microsoft Azure’s CosmosDB-managed database service—has found another hole in Azure.… Read More: Security researchers at Wiz discover another major Azure vulnerability »

“Worst cloud vulnerability you can imagine” discovered in Microsoft Azure

Enlarge / Cosmos DB is a managed database service offering—including both relational and noSQL data structures—belonging to Microsoft’s Azure cloud infrastructure. reader comments 44 with 22 posters participating, including story author Share this story Cloud security vendor Wiz announced yesterday that it found a vulnerability in Microsoft Azure’s managed database service, Cosmos DB, that granted… Read More: “Worst cloud vulnerability you can imagine” discovered in Microsoft Azure »