Entries with tag software vulnerabilities.

Security Researchers: Don’t Compare Every Vulnerability to Heartbleed, Shellshock

Some security researchers are berating the media and others in the security field for using Heartbleed or Shellshock as a source of comparison when a new software flaw is discovered. In early November, Microsoft patched a serious bug in SChannel (Secure Channel) that was present in every version of the Windows operating system since Windows 95. An IBM researcher reported the bug to Microsoft in May, and it was recently fixed. According to a recent article on securitywatch.pcmag.com, a security researcher from Tripwire referenced Heartbleed and Shellshock when discussing the Microsoft patch. The article states that needing sensationalism to get information security taken seriously indicates “a problem, and it’s not the bug itself.” Each vulnerability should be assessed on its own. Josh Feinblum, vice president of information security at Rapid7, noted that the SChannel vulnerability wasn’t like Heartbleed. “This vulnerability poses serious theoretical risk to organizations and should be patched as soon as possible, but it does not have the same release-time impact as many of the other recently highly-publicized vulnerabilities,” he wrote. “Microsoft customers can take a deep breath before they dive head first into patching, but should make sure patching is treated at the highest priority given the potential risk if/when an exploit is successfully developed.” (PC Mag)(Rapid7 Blog)

Hackers Immediately Exploit Recently Discovered Drupal Vulnerability

As many as 12 million websites may have been compromised through a recently discovered vulnerability in Drupal 7 software, commonly used to manage Web content. Immediately after the bug discovery was announced, Drupal noted, hackers began attacking vulnerable sites. In a statement, Drupal said users who failed to apply a patch within seven hours of the bug announcement on 15 October should assume they were hacked. The company said that the attacks might escape detection by conventional security approaches, so users should check for back doors inserted into their sites as well as missing data. The vulnerability lets an attacker exploit a database abstraction API, which ensures queries made against a database are sanitized to prevent SQL injection attacks. Drupal reports that the content of the malicious requests dictates the type of attack launched. These can include attacks used to escalate a hacker’s privilege status and inject malware. Attackers can also use the access to steal data. (BBC)(Dark Reading)(Drupal)

Yet Another OpenSSL Vulnerability Is Found

A security researcher has discovered a new, remotely exploitable vulnerability in OpenSSL that could let an attacker intercept and decrypt traffic between vulnerable clients and servers. The Heartbleed flaw in the popular OpenSSL Internet security protocol, found earlier this year, forced many website operators to update their software and advise millions of users to change their passwords. The new vulnerability, which Masashi Kikuchi, a researcher with IT consultancy Lepidum Co., found, affects all OpenSSL versions. To exploit the bug, an attacker must first have a man-in-the-middle position on a network. (Slashdot)(Threatpost)(Computerworld)(OpenSSL Security Advisory)(Lepidum Co.)

Research: Attackers Could Use Radios to Hack Energy-Industry Sensors

New research finds that industrial sensors commonly used for energy-infrastructure monitoring could be hacked from distances of up to 64 kilometers (about 40 miles) via a radio transmitter. Lucas Apa and Carlos Mario Penagos, researchers with security firm IOActive, say they found numerous software vulnerabilities in the wireless automation systems used in the oil and gas industry that hackers could use to launch attacks. They didn’t release details about the precise vulnerabilities, citing safety concerns. Apa and Penagos used a radio antenna for several types of attacks that disrupted the communications between a sensor and a base station or disabled the industrial control sensors. The researchers say they exploited several types of weaknesses in the devices, including unspecified configuration errors and weak cryptographic keys used to authenticate communications. A hacker could use the attacks to, for example, alter sensor readings such as pressure and volume in a pipeline, which could ultimately disable the pipeline, shut down a facility’s operations, or even cause an explosion that could result in injuries or deaths. The researchers say the problems they found cannot be easily fixed. The researchers gave their findings to the US Computer Emergency Readiness Team. Apa and Penagos plan to present their findings this week at the Black Hat USA security conference in Las Vegas. (PC World)(Reuters)(IOActive)
