application security Archives - Page 7 of 15

The OWASP Top 10 Threats Haven’t Changed in 2021 — But Defenses Have

Issued by: Security Intelligence

The more things change, the more they stay the same. Despite a changing threat landscape and threat actors who keep upping their game, the vulnerabilities behind the threats remain consistent. The OWASP Top 10, ranked by the Open Web Application Security Project, lists the 10 most prominent and dangerous risks and threats for applications. The OWASP…

Malware & Threats

Colonial Pipeline Confirms Personal Information Impacted in Ransomware Attack

Issued by: Security Week

The attack, which took place in May 2021, involved the Darkside ransomware and resulted in the Georgia-based company temporarily shutting down operations and paying $5 million to the attackers to recover stolen information. Most of the money was recovered, the US announced in June. In a notification letter sent to the Maine Attorney General’s Office,…

Software Security

Adobe Plugs Critical Photoshop Security Flaws

Issued by: Security Week

The flaws, rated critical, expose both Windows and MacOS users to code execution attacks, Adobe said in an advisory released Tuesday. The updates, available for Photoshop 2020 and Photoshop 2021, are being pushed via the software’s automatic updating mechanism. Adobe described the vulnerabilities as memory corruption issues with 7.8 CVSS scores. The company also shipped…

Software Security

Adobe Warns of Critical Flaws in Magento, Connect

Issued by: Security Week

As part of its scheduled Patch Tuesday release, Adobe released fixes for 29 documented security vulnerabilities, some serious enough to expose users to code execution, security feature bypass, and privilege escalation attacks. The Adobe Magento patch lists 26 CVEs with severity ratings ranging from critical to important, according to an advisory from San Jose, Calif….

Software Security

Microsoft Launches JIT-Free ‘Super Duper Secure Mode’ Edge Browser Experiment

Issued by: Security Week

The plan is to create a provocatively named “Super Duper Secure Mode” in Edge that deliberately disables support for the browser’s JavaScript JIT (Just-in-Time) compiler while adding a major anti-exploitation roadblock from Intel Corp. The new SDSM test — available in Edge preview builds for select users — essentially rips out JIT, a feature that…

Vulnerabilities

Researchers Publish Details on Recent Critical Hyper-V Vulnerability

Issued by: Security Week

Tracked as CVE-2021-28476 with a CVSS score of 9.9, the security vulnerability impacts Hyper-V’s virtual network switch driver (vmswitch.sys) and could be exploited to achieve remote code execution or cause a denial of service condition. Hyper-V is a native hypervisor that provides virtualization capabilities for both desktop and cloud systems, and which Microsoft uses as…

Application Security

Google Paid Over $29 Million in Bug Bounty Rewards in 10 Years

Issued by: Security Week

Since the launch of Google Vulnerability Rewards Program (VRP) 10 years ago, the company said it paid bounties on 11,055 vulnerabilities that were reported by 2,022 researchers from 84 countries. To date, the company paid a total of $29,357,516. Separately, the search giant announced that it is bringing all of its VRPs (Abuse, Android, Chrome,…

Application Security

Firefox 90 Drops Support for FTP Protocol

Issued by: Security Week

Built on a client-server model architecture and in use for roughly five decades, FTP allows for the easy transfer of files and folders between computers. However, because data is transmitted unencrypted, the protocol has long been considered insecure. Secure variants do exist, including one that leverages SSL/TLS (FTPS), or the SSH File Transfer Protocol (SFTP)….

Software Security

Bug Bounty and VDP Platform YesWeHack Raises $18.8 Million

Issued by: Security Week

European bug bounty and vulnerability disclosure policy platform YesWeHack this week announced the closing of a €16 million ($18.8 million) round of venture capital financing. The Series B funding round included investments from Banque des Territoires and Eiffel Investment Group, as well as existing investors Normandie Participations and CNP Assurances. Founded in 2015, the YesWeHack platform…

Application Security

Google: New Chrome Zero-Day Being Exploited

Issued by: Security Week

The search advertising giant released a Chrome security refresh overnight with a warning that malicious hackers are actively exploiting a critical type confusion vulnerability to launch malware attacks. “Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild,” the company said in a cryptic line added to its advisory. The vulnerability…