Tag Archives: Security patch Update

3 Popular Drupal Modules Found Vulnerable — Patch Released

Just yesterday, I wrote a warning article announcing that Drupal – the popular open source content management system – will release patches for several highly critical Remote Code Execution (RCE) bugs that could allow attackers to fully take over any affected site.

Below are the three separate Drupal modules that affect up to 10,000 websites:

1. RESTful Web Services – a popular module used

Several Critical Remotely Exploitable Flaws Found in Drupal Modules, patch ASAP!

The extraordinary ‘Panama Papers leak’ from Law firm Mossack Fonseca that exposed the tax-avoiding efforts by the world’s richest and most influential members was initially believed to be the result of an unpatched vulnerability in the popular open source Drupal content management system.

Now, we are quite sure that the Panama Papers, which implicated 72 current and former heads of state, was

Critical Print Spooler Bug allows Attackers to Hack any version of Microsoft Windows

Microsoft’s July Patch Tuesday offers 11 security bulletins with six rated critical resolving almost 50 security holes in its software.

The company has patched a security flaw in the Windows Print Spooler service that affects all supported versions of Windows ever released, which if exploited could allow an attacker to take over a device via a simple mechanism.

The “critical” flaw (

All Versions of Windows affected by Critical Security Vulnerability

Microsoft has released 13 security bulletins, six of which are considered to be critical, resolving a total of 41 security vulnerabilities in its software this month.

Every Windows version Affected:

One of the critical vulnerabilities affects all supported version of Windows, including Microsoft’s newest Windows 10 operating system, as well as Windows Server 2016 Tech Preview 4.

The

Oracle Issues Emergency Java Update for Windows

The US-based software maker Oracle delivered an unusual out-of-box emergency patch for Java in an effort to fix a during-installation flaw on the Windows platforms.

The successful exploitation of the critical vulnerability, assigned CVE-2016-0603, could allow an attacker to trick an unsuspecting user into visiting a malicious website and downloading files to the victim’s system before

Google Patches Critical Remotely-exploitable Flaws in Latest Android Update

update-android-mobile
Google has released the February Security Update for Android that patches multiple security vulnerabilities discovered in the latest version of Android operating system.
In total, there were five “critical” security vulnerabilities fixed in the release along with four “high” severity and one merely “moderate” issues.

Remote Code Execution Flaw in WiFi

A set of two critical vulnerabilities has been found in the Broadcom WiFi driver that could be exploited by attackers to perform Remote Code Execution (RCE) on affected Android devices when connected to the same network as the attacker.
The vulnerabilities (CVE-2016-0801 and CVE-2016-0802) can be exploited by sending specially crafted wireless control message packets that can corrupt kernel memory, potentially leading to remote code execution at the kernel level.

“These vulnerabilities can be triggered when the attacker and the victim are associated with the same network,” reads the advisory. “This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction.”

Remote Code Execution Flaw in Mediaserver

Another set of two critical security vulnerabilities were discovered in Mediaserver that was targeted last summer by critical Stagefright vulnerabilities and exploits, allowing anyone to compromise an Android device by sending just a specially crafted MMS message.
The recently discovered flaws (CVE-2016-0803 and CVE-2016-0804) in Mediaserver could enable remote code execution (RCE) on affected Android devices through email, web browsing, or MMS files when processing media files.
Moreover, a separate vulnerability called elevation of privilege (CVE-2016-0810) was also discovered in Mediaserver that could be exploited to gain elevated capabilities, including Signature or SignatureOrSystem permissions privileges, that aren’t accessible to third-party apps.
Two Elevation of Privilege vulnerabilities has also been found in Qualcomm components: the Qualcomm Performance Module (CVE-2016-0805) and the Qualcomm Wi-Fi Driver (CVE-2016-0806). Both the flaws, rated as critical, leveraged an attacker to launch further attacks.
Another critically rated bug (CVE-2016-0807) discovered in the Debuggerd component could open the door to execute arbitrary code within the device’s root level. Debuggerd is a software tool used for debugging and analyzing Android crashes.

Other high severity bugs include:

  • An elevation of privilege vulnerability in the Android Wi-Fi component
  • A denial-of-service vulnerability in the Minikin library
  • An information disclosure bug in libmediaplayerservice
The final set of vulnerabilities is an Elevation of Privilege flaw in Setup Wizard that could allow a hacker to bypass the Factory Reset Protection and gain access to the affected device.
All the Security patches are currently made available for Nexus devices only. Google also shared the patches with carrier and manufacturer partners on January 4, but users of other Android devices should have to wait until their devices receive an update.
Nexus device users are advised to patch the flaws by flashing their devices to this new build immediately. Users can also wait for the OTA (Over-the-Air) update that will be out in the next week or so.

Critical Flaws in Magento leave Millions of E-Commerce Sites at Risk

If you are using Magento to run your e-commerce website, it’s time for you to update the CMS (content management system) now.

Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in the Magento, the most popular e-commerce platform owned by eBay.

Why the Bugs are So Serious?

Virtually all versions of

From Today Onwards, Don't You Even Dare to Use Microsoft Internet Explorer

Yes, from today, Microsoft is ending the support for versions 8, 9 and 10 of its home-built browser Internet Explorer, thereby encouraging Windows users to switch on to Internet Explorer version 11 or its newest Edge browser.

Microsoft is going to release one last patch update for IE8, IE9 and IE10 today, but this time along with an “End of Life” notice, meaning Microsoft will no longer

Patch now! Adobe releases Emergency Security Updates for Flash Player

The Adobe Flash Player just said goodbye to the year with another bunch of vulnerability patches.

Adobe released an out-of-band security update on Monday to address Nineteen (19) vulnerabilities in its Flash Player, including one (CVE-2015-8651) that is being exploited in the wild.

All the programming loopholes could be abused to execute malicious code (here malicious Flash file on a

Oracle Ordered to Publicly Admit Misleading Java Security Updates

Security issues have long tantalized over 850 Million users that have Oracle’s Java software installed on their computers. The worst thing is that the software was not fully updated or secure for years, exposing millions of PCs to attack.

And for this reason, Oracle is now paying the price.

Oracle has been accused by the US government of misleading consumers about the security of its Java