Weekly Cyber Security News

For well over a decade our focus at ionCube has been on PHP security but recently with the release of ionCube24 we have been looking into different kinds of vulnerabilities. This post has a few of the interesting issues we have found this week.

It’s been a really busy week in the news so here’s a selection of this week’s more interesting vulnerability disclosures and cybersecurity news.

 

General

Looks like you really need to keep on your toes with patching

• Exploit Kits Leverage Vulnerability One Week After Patch (SecurityWeek)

How many times has your eyes glazed over at the constant stream of alerts?

• MRIs show our brains shutting down when we see security prompts (ArsTechnica)

So much for this method then

• USAA app facial recognition can be bypassed with a video (Reddit)

Look, no passwords!

• Banks defend integrity of passcode-less TouchID login (The Register)

 

Industry

Control systems have their problems too!

• Wind turbine blown away by control system vulnerability (The Register)

Infrastructure

A slight oversight perhaps? Still, it results in an open door

• Dell Service Tag Detector RCE vulnerability through localhost HTTP request (Reddit)

And Dell responds about the allegation

• Dell denies ‘insecure autoupdate app’ flings open PC backdoor (The Register)

Another hole in Facebook

• Facebook found leaking private photos (The Register)

Not much choice but to use and hope nothing nasty happens

• The new MacBook’s single port comes with a major security risk

A potential breach

• Twitch stitch-up! Game vid stream biz hacked, passwords wiped (The Register)

A bit of a mess with certificates which could result in some man-in-the-middle attacks.

• Unauthorized digital certificates for several Google domains, issued by an intermediate certificate authority apparently held by a company called MCS Holdings. (Reddit)

With the OpenSSL last week you can bet most routers and embedded systems will never be updated! Ouch!

• Watch for updated router firmware!, (Mon, Mar 23rd)

Something that may come to bite many of us in the future

• Windows 10 to make the Secure Boot alt-OS lock out a reality (ArsTechnica)

PHP

They cant seem to shake the issues off

• Drupal SQL injection vulnerability attacks persist, despite patch release (SC Magazine)

Yoast hit again

• Security flaw in WordPress plugin Google Analytics by Yoast exposed (ZDNet)

A SOAP issue

• Type Confusion Infoleak Vulnerabilities in SoapClient
  

Our old friend unserialize

• Use After Free Vulnerability in unserialize()

Systems

School boy error – what were they thinking

• Cisco Unified Computing System Manager (UCSM) username and password hashes sent via SYSLOG

Many exploit kits use IFRAMEs to activate do ensure you follow these instructions to ensure Internet Explorer is really safe, if you use Firefox then use the NoScript plugin and set the Forbid IFRAME tick box as its off by default

• Controlling IFRAME in Internet Explorer

An old flash bug comes back

• CVE-2011-2461 is back! 

This article could make you seriously rethink how you create passwords

• Unmasked:What 10 million passwords reveal about the people who choose them (Reddit) –

See the link above on IFRAMES for how to help with this issue

• Thousands of compromised WordPress websites redirect to exploit kits (Reddit) –

You can’t always trust email sources

• A Finnish man created this simple email account – and received Microsoft’s security certificate

Web Server

It took a while to find out what the issues are but at least its not as bad as HEARTBLEED. Maybe,

• OpenSSL Patches Released