Security News

According to SentinelOne's SentinelLabs, the bug in question specifically resides in a message type that allows nodes to send cryptographic keys to each other. According to the researcher, that common header contains a "Header size" allocation, which is the actual header size shifted to the right by two bits; and a "Message size" allocation that is equal to the length of the entire TIPC message.

Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers. The two fresh bugs can both be chained with the re-introduced access control vulnerability to allow complete site takeover, researchers explained.

Some perpetrators hire cheap human labor, for staging larger scale account takeover attacks. Hacker intervention can occasionally circumvent standard authentication measures for blocking account takeover fraud.

SonicWall has patched a critical security flaw impacting several Secure Mobile Access 100 series products that can let unauthenticated attackers remotely gain admin access on targeted devices. The SMA 100 series appliances vulnerable to attacks targeting the improper access control vulnerability tracked as CVE-2021-20034 includes SMA 200, 210, 400, 410, and 500v. There are no temporary mitigations to remove the attack vector, and SonicWall strongly urges impacted customers to deploy security updates that address the flaw as soon as possible.

Microsoft on Wednesday said it remediated a vulnerability in its Azure Container Instances services that could have been exploited by a malicious actor "To access other customers' information" in what the researcher described as the "First cross-account container takeover in the public cloud." Azure Container Instances is a managed service that allows users to run Docker containers directly in a serverless cloud environment, without requiring the use of virtual machines, clusters, or orchestrators.

Coldwind verified the vulnerabilities on the Netgear GS110TPV3 Smart Managed Pro Switch using firmware version 7.0.6.3 and below. GS752TPP fixed in firmware version 6.0.8.2.

In part one of a two-part series, Akamai's director of security technology and strategy, Tony Lauro, lays out what orgs need to know to defend against account takeover attacks. With account takeover attacks on the rise, stopping threat actors in the early phases of the kill chain will help today's defenders gain an upper hand against direct fraud campaigns.

A critical security vulnerability in Microsoft's Azure cloud database platform - Cosmos DB - could have allowed full remote takeover of accounts, with admin rights to read, write and delete any information to a database instance. "Azure Cosmos DB built-in Jupyter Notebooks are directly integrated into the Azure portal and your Azure Cosmos DB accounts, making them convenient and easy to use," according to Microsoft's documentation.

Application delivery and networking firm F5 released a baker's dozen of 13 fixes for high-severity bugs, including one that could lead to complete system takeover and hence is boosted to "Critical" for customers in "Especially sensitive sectors." F5 - maker of near-ubiquitously installed enterprise networking gear - released nearly 30 vulnerabilities for multiple devices in its August security updates.

Kalay, a P2P IoT protocol developed by Taiwanese company ThroughTek, has a serious security problem: Remote attackers are able to exploit it in order to give them total, yet nearly invisible, control over devices using the protocol. The vulnerability is low in complexity and affects more than 83 million devices, adding to its severity.