WordPress, the widely used open-source content management system, has released version 4.1.2 with a critical fix for a security flaw that allows attackers to conduct XSS attacks. Site admins are being notified about the latest release and urged to apply the update as soon as possible. Website operators who have enabled the auto-update feature don't need to do anything, as their sites are already updated - so just chill. WordPress warns in a blog post that sites running WordPress 4.1.1 and earlier can be compromised through a cross-site scripting flaw and advises them to update immediately. Besides this, a second, more limited XSS issue affecting WordPress 3.9 and later has been patched as well; WordPress alerts users that it could aid intruders in a social engineering attack. WordPress 4.1.2 also patches an SQL injection flaw affecting some plugins, and a separate issue in WordPress 4.1 and later that allowed files with invalid or unsafe names to be uploaded.
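Since the post's advice hinges on whether your site takes minor (security) releases automatically, here is the wp-config.php setting that controls it. This is an added example, not code from the original post or from the WordPress release notes; the constant names are the real WordPress ones, but the file layout around them is assumed.

```php
<?php
// wp-config.php excerpt (assumed layout). WordPress 3.7+ installs minor/security
// releases such as 4.1.2 on their own unless one of the settings below turns that off.

// Weak setting: this silently stops security releases from being applied, so a
// site running 4.1.1 would stay on 4.1.1 until someone updates it by hand.
// define( 'WP_AUTO_UPDATE_CORE', false );

// Likewise, this constant disables the whole automatic updater (core, plugins, themes).
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// Recommended: keep minor (security) releases automatic. 'minor' is the default
// behaviour, so either leave the constant out or state it explicitly.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Setting true instead would also pull major releases (e.g. 4.1.x -> 4.2) automatically.
// define( 'WP_AUTO_UPDATE_CORE', true );
```

If you manage many sites, check each one for `WP_AUTO_UPDATE_CORE` set to `false` or `AUTOMATIC_UPDATER_DISABLED` set to `true`; those are the installs the "auto-update users need do nothing" advice does not cover.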
Tuesday, April 28, 2015
Fingerprint cloning in Samsung Galaxy S5
At the RSA Conference in San Francisco, security researchers from FireEye revealed a security flaw related to the fingerprint sensor in the Samsung Galaxy S5 and other Android smartphones that allows cybercriminals to make copies of users' fingerprints. According to Tao Wei and Yulong Zhang of FireEye, although mobile manufacturers have taken numerous steps to ensure the integrity and confidentiality of biometric systems, it is still possible to clone users' fingerprint data, which can aid further attacks. On most affected Android phones the attacker needs user-level access together with the ability to run a program as root in order to capture the fingerprint data; in the case of the Samsung Galaxy S5, system-level access is all that is required. Devices running Android 5.0 Lollipop or above are unaffected by this issue. Samsung has not yet provided any details regarding updates for users.
Tuesday, April 21, 2015
Oracle Critical Patch Update for April fixes 98 flaws
On 14th April, Oracle released its quarterly Critical Patch Update, covering 98 security flaws across different product lines. According to the advisory, it includes 14 security fixes for vulnerabilities in Oracle Java SE that are remotely exploitable without authentication. This patch set contains the last public fixes for Java 7, as the company has decided to end public updates for Java 7. Apart from Java, the update fixes 17 vulnerabilities in Oracle Fusion Middleware, 8 in the Oracle Sun Systems Products Suite, 26 in MySQL, 4 in Oracle Database Server, and 7 in the Oracle Supply Chain Products Suite.