A selection of this week’s more interesting vulnerability disclosures and cyber security news. We all know it’s great adding cool features to stuff, but what’s not great is when it isn’t thought through well enough and becomes a potential issue down the line. Looks like we have a bad idea which in retrospect is potentially out to get us…
- Severe PHP Exploit Threatens WordPress Sites with Remote Code Execution The issue impacts several content management systems, including Typo3 and WordPress, as well as widely-used PDF generation library TCPDF.
We see exposure of S3 and MongoDB on a regular basis, and I seem to remember a number of times pointing out that if something could be public and you don’t want it to be, check it out. Well… It appears someone made a boo-boo and set something public which I suspect should really have been private. I’m pretty sure other such services will be coming out as researchers (and villains) scour for similar issues across a whole set of likely SaaS solutions:
- British and Canadian Governments Accidentally Exposed Passwords and Security Plans to the Entire Internet Yael Grauer reports
Can’t let the week go by without the usual IoT hit, though to be honest, it’s not really a fault of IoT directly, just a protocol which shouldn’t really be exposed. Then again, where have we heard that before? Oh, the last paragraph, right…
In other news:
- ATM Heists Only Set to Accelerate After $13M Break-In The Cosmos Bank incident is only the latest, not the last, thanks to lagging security practices.
- China’s biggest ever bitcoin hacking case sees three held over theft of US$87 million in cryptocurrency Alice Yan reports
- Google Faces Legal Turmoil After Location Tracking Debacle After a report said Google tracks users even when they opt out
- Airmail 3 Exploit Instantly Steals Info from Apple Users Attackers can abuse URL requests processed by an email program for Mac to steal files from the victim, sometimes without user interaction.
- Researchers Blame ‘Monolithic’ Linux Code Base for Critical Vulnerabilities With an OS design based on a verified microkernel, researchers contend almost all Linux OS flaws could be mitigated to less than critical severity.
- Unpatched Ghostscript Flaws Allow Remote Takeover of Systems A remote, unauthenticated attacker could execute arbitrary commands on systems with the privileges of the Ghostscript code.