Security News

VMware patches critical auth bypass flaw in multiple products
2022-05-18 16:01

VMware warned customers today to immediately patch a critical authentication bypass vulnerability "Affecting local domain users" in multiple products that can be exploited to obtain admin privileges."This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014," VMware warned on Wednesday.

Novel Phishing Trick Uses Weird Links to Bypass Spam Filters
2022-05-11 12:13

Researchers have identified a never-before-seen method for sneaking malicious links into email inboxes. The clever trick takes advantage of a key difference in how email inboxes and browsers read URLs, according a Monday report by Perception Point.

Atlassian Drops Patches for Critical Jira Authentication Bypass Vulnerability
2022-04-22 22:52

Atlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections. Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph.

Atlassian fixes critical Jira authentication bypass vulnerability
2022-04-22 14:05

Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company's web application security framework.Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements.

Oracle already wins 'crypto bug of the year' with Java digital signature bypass
2022-04-20 20:11

Java versions 15 to 18 contain a flaw in its ECDSA signature validation that makes it trivial for miscreants to digitally sign files and other data as if they were legit organizations. Java 15-18 ECDSA doesn't sanity check that the random x coordinate and signature proof are nonzero; a signature validates any message.

Criminals adopting new methods to bypass improved defenses, says Zscaler
2022-04-20 12:15

The number of phishing attacks worldwide jumped 29 percent last year as threat actors countered stronger enterprise defenses with newer methods, according to researchers with Zscaler's ThreatLabz research team. While the United States remained the country with the most phishing attempts, others are seeing faster growth in the number of incidents - exploiting new vectors like SMS and lowering the barrier of entry for launching attacks through pre-built tools made available on the market.

Critical Auth Bypass Bug Reported in Cisco Wireless LAN Controller Software
2022-04-17 20:04

Cisco has released patches to contain a critical security vulnerability affecting the Wireless LAN Controller that could be abused by an unauthenticated, remote attacker to take control of an affected system. "An attacker could exploit this vulnerability by logging in to an affected device with crafted credentials."

How cybercriminals are creating malicious hyperlinks that bypass security software
2022-04-14 15:21

How cybercriminals are creating malicious hyperlinks that bypass security software. A report released Thursday by email security provider Avanan reveals how a coding practice called Quoted-printable is being used in phishing emails to present malicious links as legitimate.

Russians bypass website blocks to access Western news sources
2022-04-04 17:06

Cloudflare sees signs of Russians increasingly turning to Western news sources to get accurate information about the situation in Ukraine. A new blog post published today by Cloudflare presents statistical evidence that the netizens of Russia are adopting blockage circumvention tools pretty aggressively to access British, American, and French news sites.

Russia creates its own TLS certificate authority to bypass sanctions
2022-03-10 16:06

Russia has created its own trusted TLS certificate authority to solve website access problems that have been piling up after sanctions prevent certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.