
Hackers Immediately Exploit Recently Discovered Drupal Vulnerability

As many as 12 million websites may have been compromised through a recently discovered vulnerability in Drupal 7, software commonly used to manage Web content. Drupal noted that hackers began attacking vulnerable sites immediately after the bug was announced. In a statement, Drupal said that users who failed to apply the patch within seven hours of the 15 October announcement should assume they were hacked. Drupal also said that the attacks might escape detection by conventional security approaches, so users should check their sites for inserted back doors as well as for missing data. The vulnerability lies in a database abstraction API that is meant to sanitize queries made against a database and thereby prevent SQL injection attacks. According to Drupal, the content of a malicious request dictates the type of attack launched: attackers can escalate their privileges, inject malware, or use the access to steal data. (BBC)(Dark Reading)(Drupal)

Bash Vulnerability Affects Millions of Users

A software vulnerability found in Bash could affect as many as 500 million computers, according to security researchers. The software component is found in many Linux systems and in Apple's Mac OS X operating system. The Shellshock bug can be used to remotely take control of almost any system running Bash, also known as the Bourne-Again Shell. The command interpreter is found on Unix computers and on Unix-based operating systems, including web servers running Apache. Researchers say this bug is more serious than Heartbleed, and some security firms say they have seen it used to infect servers with malware and in other cyberattacks. “It’s super simple and every version of Bash is vulnerable,” Josh Bressers, manager of Red Hat product security, told Kaspersky Labs’ ThreatPost. “It’s extremely serious, but you need very specific conditions in place where a remote user would be able to set that environment variable. Thankfully, it’s not common.” The US Computer Emergency Readiness Team (US-CERT) issued a warning about Shellshock, asking users to update their operating systems immediately. (BBC)(The Associated Press)(Reuters)(ThreatPost)

Developers Find, Patch Ruby on Rails Vulnerabilities

Developers of Ruby on Rails have found and patched two SQL injection vulnerabilities in the popular open-source Web development framework. The bugs enable SQL injection attacks, in which a hacker sends a malicious SQL query from a client to an application with a database on the back end. Successful attacks let hackers read or modify information in the database, execute administrative operations on it, or even issue commands to the host machine’s operating system. The first vulnerability affects applications running on Rails 2.0.0 to 3.2.18 that use the PostgreSQL database system and query bit-string data types. The second affects applications running on Rails 4.0.0 to 4.1.2 that use PostgreSQL and query range data types. To eliminate the problems, the Rails developers released versions 3.2.19, 4.0.7, and 4.1.3, followed by versions 4.0.8 and 4.1.4 to fix a problem introduced by the 4.0.7 and 4.1.3 updates. They also released patches for users unable to upgrade immediately. (PC World)

Networked Lighting Systems Vulnerable to Attack

A UK-based security firm found a vulnerability in a Wi-Fi-enabled LED light bulb that lets hackers control the lights and obtain network information. Context Information Security found a way to access the “master bulb” in a mesh network of LIFX lights—Wi-Fi-enabled, multicolor, energy-efficient LED bulbs that users control from their smartphones. This let the company’s researchers control every bulb in the system and expose network-configuration details. LIFX Labs has patched the problem, issued a firmware update, and added encryption to its systems. Context published a detailed description of the exploit on its website (contextis.co.uk/blog/hacking-internet-connected-light-bulbs). The firm says the work was part of its ongoing research showing that security is not a high priority for many of the devices being built to become part of the Internet of Things. The company has previously found vulnerable computer printers, baby monitors, and children’s toys. (SlashDot)(Context @ RealWire)(Context)

Yet Another OpenSSL Vulnerability Is Found

A security researcher has discovered a new, remotely exploitable vulnerability in OpenSSL that could let an attacker intercept and decrypt traffic between vulnerable clients and servers. The Heartbleed flaw in the widely used OpenSSL security software, found earlier this year, forced many website operators to update their software and advise millions of users to change their passwords. The new vulnerability, found by Masashi Kikuchi, a researcher with IT consultancy Lepidum Co., affects all OpenSSL versions. To exploit the bug, an attacker must first hold a man-in-the-middle position on the network. (SlashDot)(ThreatPost)(Computerworld)(OpenSSL Security Advisory)(Lepidum Co.)

Belkin Home Automation Vulnerability Uncovered

Security researchers asked consumers to stop using Belkin’s WeMo home automation products after finding several vulnerabilities that attackers could use to gain access to home networks, thermostats, or other connected devices. The product line lets individuals use their iOS and Android smartphones and computers to remotely control light switches, Web cams, motion sensors, and other home appliances. Security firm IOActive reported that the devices exposed the password and the cryptographic signing key used to verify that firmware updates are valid. The US Computer Emergency Response Team issued a vulnerability note identifying five issues in the products. In an 18 February 2014 statement, Belkin said it had fixed the vulnerabilities with updates to the API server, firmware, and application that could otherwise have allowed the devices to be attacked. (Ars Technica)(eWeek)(IO Active)(Belkin)

Cyberattacks against US Infrastructure Are Increasingly Likely

Security experts predict that new cyberattacks against US targets may hit important infrastructure elements rather than corporate networks or other IT assets. Hackers could focus on remotely controlled and monitored infrastructure systems originally built without security in mind, such as those for street lights, building security, sewers, oil-transport pipelines, and prison security. DARPA is identifying and mapping security vulnerabilities in these systems. National Public Radio reports that “close to 200 cyberattacks on critical infrastructure” were reported to the US Department of Homeland Security in the past year. The Presidential Policy Directive on Critical Infrastructure Security and Resilience, released 12 February, is designed to address such incidents, but critics say more definitive action is necessary. (NPR)(Politico)(International Affairs Review)
