Monday, January 28, 2013

WordPress 3.5.1 fixes 37 bugs

The WordPress developers have announced a maintenance update to the popular open source blogging software. WordPress 3.5.1 fixes 37 bugs and addresses three security issues. Two of them are cross-site scripting vulnerabilities. The third is a server-side request forgery problem in the pingback feature: a crafted pingback could make the server issue requests to targets of the attacker's choosing and so disclose information. According to the developers, this vulnerability could help attackers compromise an unpatched WordPress site. Users running WordPress on IIS might run into a problem that prevents the upgrade; the developers have published documentation describing a workaround.
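The pingback problem above is one instance of a general pattern: a server fetching a URL that an outsider supplied. Below is an added example, written for this page and not taken from WordPress or from the 3.5.1 fix, of the kind of check a pingback handler (or any URL fetcher) should apply before issuing the request: resolve the host and refuse anything that does not map exclusively to globally routable addresses on an expected port. The function names, the allowed-port policy and the DEMO_DNS table are assumptions constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed sample DNS table for the offline demo; the hostnames are invented.
DEMO_DNS = {
    "blog.example.org": {"93.184.216.34"},                  # public only
    "intranet.corp.example": {"10.1.2.3"},                  # RFC 1918 only
    "mixed.example.net": {"93.184.216.34", "192.168.1.1"},  # public + private
    "mapped.example.net": {"::ffff:10.0.0.1"},              # IPv4-mapped IPv6
}


def system_resolver(host):
    """Resolve ``host`` with the OS resolver and return the set of IP literals."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def demo_resolver(host):
    """Offline stand-in for system_resolver backed by the constructed DEMO_DNS table."""
    try:
        return DEMO_DNS[host]
    except KeyError:
        raise socket.gaierror("constructed NXDOMAIN for %s" % host)


def is_safe_pingback_source(url, resolver=system_resolver, allowed_ports=(80, 443)):
    """Return True only if ``url`` is an http(s) URL whose host resolves
    exclusively to globally routable addresses on an allowed port.

    A pingback handler fetches the "source" URL to verify the link, so that URL
    is attacker-controlled. Rejecting loopback, link-local (which covers the
    169.254.169.254 cloud metadata address), RFC 1918 and ULA space, multicast,
    reserved and unspecified addresses stops the server being pointed at itself
    or at its own network. Every resolved address is checked, so a name that
    mixes public and private records is rejected; restricting the port limits
    use of the fetcher as a port scanner.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        port = parsed.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if port is not None and port not in allowed_ports:
        return False

    host = parsed.hostname
    try:
        # A canonical IP literal needs no lookup; ipaddress handles both families.
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        # Not a canonical literal: ask the resolver. Judging what the name resolves
        # to, rather than pattern-matching the string, also covers alternative
        # encodings such as "0x7f000001" or "2130706433" that a resolver accepts.
        try:
            addrs = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False
    if not addrs:
        return False

    for addr in addrs:
        try:
            ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any IPv6 zone id
        except ValueError:
            return False
        if not ip.is_global:
            return False
        # ::ffff:a.b.c.d carries an IPv4 address; judge the embedded one as well.
        if ip.version == 6 and ip.ipv4_mapped is not None and not ip.ipv4_mapped.is_global:
            return False
    return True


if __name__ == "__main__":
    for candidate in (
        "http://blog.example.org/2013/01/hello-world/",
        "http://127.0.0.1/xmlrpc.php",
        "http://[::1]/",
        "http://169.254.169.254/latest/meta-data/",
        "http://intranet.corp.example/",
        "http://mixed.example.net/",
        "http://blog.example.org:22/",
    ):
        verdict = "allowed" if is_safe_pingback_source(candidate, demo_resolver) else "rejected"
        print("%-48s %s" % (candidate, verdict))
```

The check is only as good as what happens next: the fetcher must connect to the address it just validated rather than resolving the name a second time (otherwise a short-TTL record can swap to an internal address between check and use), and it must re-run the same check on every redirect target, since a public host can happily redirect to 127.0.0.1.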

Cisco Warns of Vulnerabilities in Wireless LAN Controllers

Cisco has warned system administrators to patch their wireless LAN appliances following the discovery of flaws that could allow remote code execution and denial-of-service attacks. The company said that the flaws affect some 17 products in its Wireless LAN Controller (WLC) lines, among them the Virtual Wireless Controller and the Catalyst 3750G and Flex 7500 series. Cisco has released fixes and is advising customers to update their wireless controllers. On some devices the exposure can also be reduced by restricting SNMP access to the controller, for example to trusted management hosts only.

Tuesday, January 22, 2013

'Red October' Cyberspy unplugged, credit to Kaspersky

Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world have reportedly been shut down in the days since the five-year operation was exposed. The so-called Red October campaign came to light on Monday in a report from researchers at antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command-and-control network that pushed malware to infected machines and collected stolen data from them. In the hours following the report, many of those domains and servers began shutting down, according to an article posted on Friday by the Kaspersky-run news service Threatpost.

Monday, January 7, 2013

SQL injection flaw fixed in Ruby on Rails

Ruby on Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released to patch a serious SQL injection vulnerability. The vulnerability is in the framework's Active Record database query interface and allows attackers to inject arbitrary SQL statements. The Rails developers apologized for releasing a security update so close to the holidays, but said that they had to rush out a patch because the vulnerability had been publicly disclosed. All users are advised to upgrade as soon as possible.