Ongoing Use of Windows Vista, IE8 Pose Huge Enterprise Threat

A new report highlights the large number of users still running outdated Windows operating systems and unsupported browsers. This is a serious threat to organizations whose users reach company networks from insecure laptops and home computers, a risk that grows with the adoption of BYOD policies. Duo Security reports that 65% of its clients’ Windows users are…

Vulnerability Impacts Web-Exposed SAP Systems

The bug could be exploited by an external attacker to remotely obtain the list of SAP users from the system, says Sergiu Popa of Quenta Solutions, whom SAP credited with reporting the vulnerability. “This service is actually an example application to create a time-off request. This service should not be activated in production systems,…

AtomBombing: The Windows Vulnerability that Cannot be Patched

Researchers have discovered a code-injection vulnerability in the Windows operating system that, they say, cannot be patched because of the way the operating system is designed. It could be used to bypass the malware protection currently in place. “Unfortunately,” writes enSilo researcher Tal Liberman in a report published Oct. 27, “this issue cannot be patched since it doesn’t rely…

Many Joomla Sites Hacked via Recently Patched Flaws

Less than 24 hours after Joomla released patches for two critical account-creation vulnerabilities, researchers noticed that malicious actors had already started exploiting the flaws in the wild. Joomla announced on October 25 the availability of version 3.6.4, which fixes two serious vulnerabilities: CVE-2016-8870, which allows attackers to create user accounts even if…
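One check a site owner can run while waiting to upgrade: look in the web server access log for front-end registration requests on a site where self-registration is supposed to be off. The script below is an added example, not Joomla's or the article's code. It assumes the standard Joomla com_users route, where the registration form is submitted as a POST with task=user.register (either as a query string with option=com_users or under the SEF path /component/users/); the log lines are constructed for the example.

```python
"""Flag Joomla front-end registration attempts in a combined-format access log.

Added example (not Joomla's or the original article's code). Assumptions:
- The registration form posts to index.php with option=com_users and
  task=user.register, or to the SEF path /component/users/ with the same
  task; these are taken to be the requests an attacker needs to make.
- Self-registration is disabled on the site, so every such POST is suspicious.
- SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [26/Oct/2016:03:14:07 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 0 "-" "python-requests/2.9.1"
198.51.100.22 - - [26/Oct/2016:03:14:09 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8421 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Oct/2016:03:14:11 +0000] "POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 0 "-" "python-requests/2.9.1"
203.0.113.9 - - [26/Oct/2016:03:15:02 +0000] "POST /index.php/component/users/?task=user.register HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.22 - - [26/Oct/2016:03:16:40 +0000] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""


def is_registration_post(method, path):
    """True for a POST to the com_users registration task (query-string or SEF form)."""
    if method != "POST":
        return False
    parts = urlsplit(path)
    qs = parse_qs(parts.query)
    task = qs.get("task", [""])[0]
    option = qs.get("option", [""])[0]
    sef_users = "/component/users" in parts.path
    return task == "user.register" and (option == "com_users" or sef_users)


def find_registration_attempts(log_text):
    """Return (ip, timestamp, path) for every suspicious registration POST."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        if is_registration_post(m["method"], m["path"]):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


def attempts_per_source(log_text):
    """Count suspicious registration POSTs per client IP."""
    return Counter(ip for ip, _, _ in find_registration_attempts(log_text))


if __name__ == "__main__":
    for ip, ts, path in find_registration_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} {path}")
    print(dict(attempts_per_source(SAMPLE_LOG)))
```

Any hit on a site with registration disabled is worth investigating; the next step is to compare the users table against the hits, since a successful exploit leaves a newly created account behind.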

Flash zero-day being exploited in targeted attacks

A newly discovered zero-day vulnerability in Adobe Flash Player is being exploited by attackers in the wild. Adobe released a Security Bulletin (APSB16-36) yesterday which patches the vulnerability (CVE-2016-7855). The critical vulnerability affects Adobe Flash Player 23.0.0.185 and earlier versions for Windows, Mac, Linux and Chrome OS. According to Adobe, an exploit…
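Triaging an endpoint inventory against "23.0.0.185 and earlier" needs a numeric comparison of four-part version strings; comparing them as text gets it wrong (for example "9.0.0.1" sorts after "23.0.0.185" as a string). The script below is an added example, not Adobe's code; it uses the affected range stated in the bulletin, and the inventory CSV format and its rows are constructed for the example.

```python
"""Find hosts whose Flash Player build falls in the CVE-2016-7855 affected range.

Added example, not Adobe's code. APSB16-36 states that 23.0.0.185 and earlier
is affected, so that is the threshold used here. The inventory rows and the
host,product,version CSV layout are constructed for this example.
"""
import csv
import io

LAST_VULNERABLE = (23, 0, 0, 185)


def parse_version(s):
    """'23.0.0.185' -> (23, 0, 0, 185); shorter strings are zero-padded to 4 parts."""
    parts = [int(p) for p in s.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version string: {s!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version):
    """Numeric tuple comparison, so 9.0.0.1 and 11.2.202.637 count as 'earlier'."""
    return parse_version(version) <= LAST_VULNERABLE


SAMPLE_INVENTORY = """\
host,product,version
ws-001,Adobe Flash Player,23.0.0.185
ws-002,Adobe Flash Player,23.0.0.205
ws-003,Adobe Flash Player,22.0.0.209
srv-01,Adobe Flash Player,11.2.202.637
ws-004,Adobe Flash Player,9.0.0.1
ws-005,Google Chrome,54.0.2840.71
"""


def affected_hosts(inventory_csv):
    """Return the hosts running an affected Flash Player build, in inventory order."""
    hosts = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"] != "Adobe Flash Player":
            continue  # other products are out of scope for this bulletin
        if is_affected(row["version"]):
            hosts.append(row["host"])
    return hosts


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("affected:", host)
```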

Cisco Patches 9 Flaws in Email Security Appliance

The most serious, rated “high severity,” are three DoS flaws in the AsyncOS software for Cisco ESA. The security holes, tracked as CVE-2016-6356, CVE-2016-1486 and CVE-2016-1481, allow a remote, unauthenticated attacker to cause a DoS condition on affected devices using specially crafted emails and malicious attachments. CVE-2016-1481 and CVE-2016-6356 affect AsyncOS versions 8.0 and prior,…

US transport agency guidance on vehicle cybersecurity irks lawmakers

Guidance from the National Highway Traffic Safety Administration for improving motor vehicle cybersecurity has attracted criticism from lawmakers who said that mandatory security standards were required. “This new cybersecurity guidance from the Department of Transportation is like giving a take-home exam on the honor code to failing students,” said Senators Edward J. Markey, a Democrat…