bug Archives - Cyber Security Minute

How Attackers Get In: Unpatched Vulnerabilities and Compromised Credentials

Issued by: CSO Online

How are bad actors getting access to organizations? In many cases, they simply log in. Sophos research finds that one of the most common root cause of attacks is compromised credentials. In fact, 30% of respondents to its 2023 Active Adversary Report for Business Leaders said criminals have used these credentials to log on and…

Vulnerabilities

Critical Zyxel Firewall Bug Under Active Attack After PoC Exploit Debut

Issued by: Dark Reading

Zyxel firewalls are under active cyberattack after a critical security vulnerability was disclosed last week that could allow unauthenticated, remote arbitrary code execution. The bug (CVE-2022-30525, CVSS 9.8) was silently patched in April, but no public disclosure was made until last Thursday, May 12, when Rapid7 released a technical report on the issue. It also…

Vulnerabilities

Google patches actively exploited zero-day bug that affects Chrome users

Issued by: Blog Malwarebytes

Google has recently released Chrome version 86.0.4240.111 to patch several holes. One is for a zero-day flaw – that means a vulnerability that is being actively exploited in the wild. The flaw, which is officially designated as CVE-2020-15999, occurs in the way FreeType handles PNG images embedded in fonts using the Load_SBit_Png function. FreeType is…

Vulnerabilities

Millions of Twitter Users Affected by Information Exposure Flaw

Issued by: Security Week

According to Twitter, the issue is related to the Account Activity API (AAAPI), which allows developers registered on the social network’s developer program to build tools designed to better support businesses and their customer communications on the platform. Users who between May 2017 and September 10, 2018, interacted with an account or business on Twitter…

Malware & Threats

GitHub Exposed Passwords of Some Users

Issued by: Security Week

GitHub has instructed some users to reset their passwords after a bug caused internal logs to record passwords in plain text. Several users posted screenshots on Twitter of the security-related email they received from GitHub on Tuesday. The company told impacted customers that the incident was discovered during a regular audit. GitHub claims only a “small number”…

Vulnerabilities

Temporary Fix Available for Windows GDI Vulnerability

Issued by: Security Week

A temporary fix is available for the Windows Graphics Device Interface (Windows GDI) vulnerability that was disclosed a couple of weeks ago. The flaw was initially discovered by Mateusz Jurczyk, an engineer with Google’s Project Zero team, in March 2016, along with other issues in the user-mode Windows GDI library (gdi32.dll). Microsoft attempted to resolve…

Application Security

Slack bug paved the way for a hack that can steal user access

Issued by: CIO Security

One bug in Slack, the popular work chat application, was enough for a security researcher to design a hack that could trick users into handing over access to their accounts. Bug bounty hunter Frans Rosen noticed he could steal Slack access tokens to user accounts due to a flaw in the way the application communicates…

Malware & Threats

Bug Allowed Theft of Over $400,000 in Zcoins

Issued by: Security Week

An implementation bug has allowed someone to make a profit of more than $400,000 after creating roughly 370,000 units of the Zcoin cryptocurrency, users were told on Friday. Zcoin (XZC), worth approximately $2 per unit, is an implementation of the Zerocoin protocol, which aims to provide fully anonymous currency transactions. Zerocoin has also been used…

Vulnerabilities

Yahoo Pays Out $10,000 Bounty for Critical Mail Flaw

Issued by: Security Week

A researcher has earned $10,000 for finding a critical Yahoo! Mail vulnerability that could have been exploited simply by getting the targeted user to open a specially crafted email. Nearly one year ago, Jouko Pynnönen of Finland-based software company Klikki Oy discovered a stored cross-site scripting (XSS) vulnerability in the web version of the Yahoo!…

Vulnerabilities

Vulnerability Impacts Web-Exposed SAP Systems

Issued by: Security Week

The bug could be exploited by an external attacker to remotely obtain the list of SAP users from the system, Quenta Solutions’ Sergiu Popa, who SAP acknowledged to have reported the vulnerability, says. “This service is actually an example of application to create a time-off request. This service should not be activated in production systems,…