WordPress developers have announced a maintenance update to the popular open source blogging software. WordPress 3.5.1 fixes 37 bugs and addresses three security issues, including two cross-site scripting vulnerabilities. Users running WordPress on IIS might run into a problem that prevents the upgrade; the developers have prepared documentation to help those users work around it. The security issues addressed in the update also include a server-side request forgery (SSRF) problem in pingback handling that allowed information to be exposed through pingback requests. According to the developers, this vulnerability could help attackers compromise an unpatched WordPress site.
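A pingback handler fetches a URL supplied by a remote party, which is what makes it an SSRF vector: the fetched address can be loopback, a LAN host or a cloud metadata endpoint instead of a public blog. The check below is an added example, not WordPress code, of validating a pingback source URL before fetching it. The hostnames, the DNS answers and the port policy are constructed for the example; the resolver is injected so the code runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS answers for the example (no real lookups are made). A real
# deployment would call getaddrinfo(); the point is that the check runs on the
# addresses the name resolves to, not on the hostname text.
EXAMPLE_DNS = {
    "example.com":    ["93.184.216.34"],
    "intranet.local": ["10.0.0.5"],
    "mixed.example":  ["93.184.216.35", "127.0.0.1"],  # one public, one loopback
}

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # choice for this example: no internal port probing


def is_public(addr):
    """True only for a globally routable unicast address.

    An IPv4-mapped IPv6 address is judged by the embedded IPv4 address, so
    http://[::ffff:127.0.0.1]/ is treated as loopback.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def resolve(host, resolver):
    """Return the addresses for host: a literal IP, or the resolver's answers.

    Anything the resolver does not know (including alternative numeric forms
    such as a decimal 2130706433) resolves to nothing and is rejected.
    """
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in resolver.get(host, [])]


def check_pingback_source(url, resolver=EXAMPLE_DNS):
    """Decide whether a pingback source URL may be fetched.

    Returns (allowed, reason). Fails closed on anything unexpected.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    addrs = resolve(host, resolver)
    if not addrs:
        return False, "unresolvable host"
    if not all(is_public(a) for a in addrs):
        return False, "resolves to a non-public address"
    return True, "ok"


if __name__ == "__main__":
    for u in ["http://example.com/post/1", "http://intranet.local/",
              "http://127.0.0.1:8080/", "http://mixed.example/",
              "http://[::ffff:127.0.0.1]/", "http://2130706433/",
              "file:///etc/passwd"]:
        print(u, check_pingback_source(u))
```

Two caveats a practitioner should keep in mind: the address that was checked must be the one actually connected to (resolve once, connect to that IP, and re-run the check on every HTTP redirect), otherwise a DNS rebinding or redirect can route the fetch to an internal host after validation; and a name that answers with a mix of public and private addresses is rejected outright rather than filtered, since the client library decides which answer it uses.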
Monday, January 28, 2013
Cisco has warned system administrators to patch their wireless LAN appliances following the discovery of flaws that could allow remote code execution and denial-of-service attacks. The company said that the flaws affect some 17 products in its WLC wireless controller lines, among them the Virtual Wireless Controller and the Catalyst 3750G and Flex 7500 lines. Cisco has released a fix for the flaws and is advising customers to update their wireless controllers to prevent attack. On some devices the threat can also be mitigated by limiting SNMP access to the wireless controller.
Posted by cERTx at 6:34 AM
Tuesday, January 22, 2013
Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five-year operation was exposed. The so-called Red October campaign came to light on Monday in a report from researchers at antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that delivered malware to infected machines and received the data stolen from them. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky's news service Threatpost.
Posted by cERTx at 5:03 AM
Monday, January 7, 2013
Ruby on Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released to patch a serious SQL injection vulnerability. The vulnerability is located in the framework's Active Record database query interface and allows an attacker to inject arbitrary SQL statements. The Rails developers apologized for releasing a security update so close to the holidays, but said that they were forced to rush out a patch because the vulnerability had been publicly disclosed. All users are therefore advised to apply the upgrade as soon as possible.
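Whatever the specific flaw in a given release, the SQL injection risk in Active Record always comes down to whether untrusted input reaches the query as part of the SQL text or as a separately quoted bind value. The following is an added example, not Rails or Active Record code: a string-interpolated condition beside the placeholder form, with a toy evaluator over a constructed in-memory "users" table so the effect of an injected value is visible without a database. The table, the payload and the decision to reject non-scalar bind values are assumptions made for the example.

```ruby
# Added example, not Rails/Active Record code. USERS and the payload below
# are constructed for the example.
USERS = [
  { id: 1, name: "alice", admin: true },
  { id: 2, name: "bob",   admin: false },
].freeze

PREFIX = "SELECT * FROM users WHERE ".freeze

# Quote one bind value as a SQL literal the way a database adapter does:
# integers verbatim, strings single-quoted with embedded quotes doubled.
# Any other type (Hash, Array, nil) is rejected so a parameter that arrives
# with an unexpected shape cannot alter the query's structure.
def quote(value)
  case value
  when Integer then value.to_s
  when String  then "'#{value.gsub("'", "''")}'"
  else raise ArgumentError, "unsupported bind type #{value.class}"
  end
end

# Vulnerable pattern: request input interpolated straight into the SQL
# string, e.g. User.where("name = '#{params[:name]}'").
def unsafe_where(name)
  "#{PREFIX}name = '#{name}'"
end

# Hardened pattern: a template with ? placeholders and the values quoted
# separately, e.g. User.where("name = ?", params[:name]). gsub with a block
# substitutes into the template only, never into an already-quoted value.
def safe_where(template, *binds)
  unless template.count("?") == binds.size
    raise ArgumentError, "expected #{template.count('?')} binds, got #{binds.size}"
  end
  i = -1
  PREFIX + template.gsub("?") { quote(binds[i += 1]) }
end

# Toy evaluator for the WHERE clauses produced above: "lhs = rhs" terms
# joined by OR, where each side is a column name, an integer or a
# single-quoted literal ('' inside a literal is an escaped quote).
TOKEN = /'(?:[^']|'')*'|=|\w+/

def literal(token, row)
  return token[1..-2].gsub("''", "'") if token.start_with?("'")
  return token if token.match?(/\A\d+\z/)
  row.fetch(token.to_sym).to_s
end

def run(sql)
  tokens = sql.delete_prefix(PREFIX).scan(TOKEN)
  terms = tokens.each_slice(4).map do |lhs, eq, rhs, conj|
    raise ArgumentError, "unsupported WHERE clause" unless eq == "=" && [nil, "OR"].include?(conj)
    [lhs, rhs]
  end
  USERS.select { |row| terms.any? { |l, r| literal(l, row) == literal(r, row) } }
end

if $PROGRAM_NAME == __FILE__
  payload = "bob' OR 'a' = 'a"
  puts unsafe_where(payload)            # the payload becomes a tautology
  p run(unsafe_where(payload)).map { |u| u[:name] }
  puts safe_where("name = ?", payload)  # the payload stays one literal
  p run(safe_where("name = ?", payload)).map { |u| u[:name] }
end
```

The evaluator tokenizes quoted literals properly, so the interpolated query returns every row while the placeholder query returns none; that difference, not the quoting of one apostrophe, is what a reviewer should look for when auditing `where`, `order` and `find_by_sql` calls that build strings from request parameters.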
Posted by cERTx at 6:26 AM