CRITICAL PATCH for WordPress

Widely used open-source content management system WordPress version 4.1.2 gets a critical fix for a security flaw that allows attackers to conduct XSS attacks. Site admins are notified about the latest release and urge to apply the update on earliest basis. Website operators who have enabled auto-update feature dont need to do anything as their sites are already updated - so just chill. WordPress warns in a blog post that sites using WordPress versions 4.1.1 and earlier can be compromised due to cross site scripting flaw and advised them to update immediately. Besides this, there is another XSS issue that affects WordPress versions 3.9 and later that has been patched as well. WordPress alerts users that it could aid intruders to launch a social engineering attack. WordPress 4.1.2 also patches an SQL injection flaw for plugins that allows user to upload arbitrary files with invalid file names. <more>

Fingerprints cloning in Samsung Galaxy S5

RSA conference is being held in San Francisco, where security researchers from FireEye revealed a security flaw related to the fingerprint sensor embedded in the Samsung Galaxy S5 and other smartphones running Android - allows cybercriminals to make duplicate user's fingerprints. According to Tao Wei and Yulong Zhang from FireEye, although mobile manufacturers have taken numerous steps to ensure the integrity and confidentiality of biometric systems, but still there is a possibility to clone users' fingerprint which can aid further attacks. This would give opportunity to hacker to get user-level access and run a program as root to steal information from the affected Android phones. In the case of Samsung Galaxy S5, all you need is to have system-level access. Android 5.0 Lollipop or above are unaffected to this issue. Samsung has not yet provided any details regarding updates for users. <more>

Oracle Critical Patch Update for April fixes 98 flaws

14th April, Oracle has released its quarterly critical patch update covering around 98 security flaws targeting different product lines. According to advisory, 14 security fixes for vulnerabilities in Oracle Java SE which are remotely exploitable without authentication. This patches set contains last fix for Java 7 applications as company has decided to shut the door for Java 7 support. Apart from Java, this update fixes 17 vulnerabilities in Oracle Fusion Middleware, 8 vulnerabilities are addressed in Oracle Sun Systems Product Suite, 26 MySQL bugs are patched, 4 issues are fixed in Database server, Oracle Supply Chain Products Suite gets the update for 7 vulnerabilities. <more>

11 security bulletins in MS Patch Tuesday

Last Tuesday, Microsoft released 11 security bulletins for Windows, Office and Internet Explorer where four bulletins are rated 'CRITICAL'. Most of the IE vulnerabilities are related to memory corruption issues that allow remote code execution. Besides this ASLR bypass issue is also found in IE. Security flaws affecting Word 2007, Word 2010, Office 2010 and Office Web Apps Server 2010 are also addressed in this Patch Tuesday. Microsoft Windows also get critical fixes for HTTP.sys and Microsoft Graphics Component. 'Important' rated Bulletins cover privileges escalation, security bypass, information disclosure and Denial-of-Service (DoS) affecting SharePoint, AD federation services, all versions of .Net and Hyper-V. <more>

Security update for Apple OS X and iOS

Apple addresses numerous fixes for OS X and iOS along with some additional features. OS X 10.10.3 security update covers 79 vulnerabilities where 21 of those flaws are related to OS X PHP port. Six other flaws are related to OpenSSL and nine security flaws for Apache. There was a flaw in the Nvidia OS X kernel driver which has been patched in the latest update. Similarly, there are updates for 58 vulnerabilities in iOS 8.3 - 24 security issues target Safari's WebKit engine, one update for phishing issue while two are related to XSS issue. iOS 8.3 update addresses 21 remote code vulnerabilities. There are patches available for iOS kernel to rectify eight security flaws that could allow attackers to cause a denial of service, remote code execution with escalated privileges. Apple urged users to migrate to 10.10.3 on earliest basis as there is locally exploited root escalation bug found in the OS X 10.8.5 and 10.9.5 which are not covered in this security update that means un-patched. <more>

Over 1M sites affected by WordPress Plugin flaw

WP-Super-Cache plug-in for WordPress responsible for generating static html files from dynamic WordPress blog. Recently security researchers from Sucuri identified cross-site scripting (XSS) vulnerability that allows an intruder to take complete control of the website. Over 1 million websites are using this plugin that means it's a huge risk for everyone. Fortunately, WP-Super-Cache developers addresses this security flaw with a release of new version 1.4.4. Sysadmins should update the vulnerable plugin on earliest basis otherwise attackers can take the advantage via malformed query and add malicious scripts to the cached files published by the component. Sucuri gives CVSS score 8.0 to this issue that means it can be done with ease. There is a high possibility that attacker could add new admin account and install backdoors on the vulnerable website. <more>

New Firefox 37 rectifies security flaws

Latest version of open-source web browser Mozilla Firefox 37 is available for download and eliminates several critical security flaws present in prior versions. Not only security fixes this time but also Firefox gets a new feature 'OneCRL' which is responsible for improved revocation of invalid certificates used for validating and securing the connection to an authorized host. According to company's classification - a CRITICAL flaw is the one that allows arbitrary code execution without human intervention. Critical fixes cover under CVE-2015-0803, CVE-2015-0804 and CVE-2015-0813 - all are related to use-after-free issues allowing users to execute arbitrary code or crash vulnerable application. Two memory corruption errors are also reported by Abhishek Arya of Google Chrome Security Team and covered under CVE-2015-0805 and CVE-2015-0806 related to 2D graphics rendering. Besides security updates, OneCRL gives the developer an opportunity to update the list of revoked certificates without pushing a new Firefox update. <more>

LESS Admin rights result LESS Microsoft flaws

UK security firm Avecto states that if you want to mitigate critical vulnerabilities in Microsoft applications. All you need is just to remove admin rights from users. Exploitation requires admin privileges for almost 97% of Windows flaws; 99.5% of Internet Explorer and 95% of Office applications. Avecto did in-depth analysis of Microsoft security updates and found 92% of vulnerabilities in 2013 which can be mitigated by revoking admin rights - Similarly in 2014, it surges to 97%. According to Avecto's European VP, Paul Kenyon, companies can get rid of security woes by just breaking down the admin rights so that most of the users are unable to do installation. <more>