Security News

Major news sites including The Washington Post, New York Magazine, and HuffPost, saw their stories now displaying porn videos instead of the once-embedded intended ones. The fiasco happened as prominent websites relied on the domain vid.

The original DoS issue is a string-format bug discovered by researcher Carl Schou, who found that connecting to an access point with the SSID "%p%s%s%s%s%n" would disable a device's Wi-Fi. String-format problems occur when operating systems mistakenly read certain characters as commands: In this case, the "%" combined with various letters. "My iPhone permanently disabled it's [sic] Wi-Fi functionality," Schou wrote in his writeup, in June.

The 'ModiPwn' bug lays open production lines, sensors, conveyor belts, elevators, HVACs and more that use Schneider Electric PLCs. A critical remote code-execution vulnerability in Schneider Electric programmable logic controllers has come to light, which allows unauthenticated cyberattackers to gain root-level control over PLCs used in manufacturing, building automation, healthcare and enterprise environments. If exploited, attackers could impact production lines, sensors and conveyor belts in factory settings, according to the researchers at Armis who discovered the bug - as well as affect devices familiar to the everyday consumer, such as elevators, HVACs and other automated devices.

A vulnerability discovered in Schneider Electric's Modicon programmable logic controllers, used in millions of devices worldwide, could allow a remote attacker to gain total and undetectable control over the chips, leading to remote code execution, malware installation and other security compromises. Discovered by security researchers at asset visibility and security vendor Armis, the vulnerability, dubbed Modipwn, is similar to the vulnerability that was leveraged by the Triton malware that targeted Schneider Electric safety controllers used in Saudi Arabian petrochemical plants.

Four vulnerabilities afflict the popular Sage X3 enterprise resource planning platform, researchers found - including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. The critical bug allows unauthenticated remote command execution with elevated privileges in the AdxDSrv.

Netgear has patched three bugs in one of its router families that, if exploited, can allow threat actors to bypass authentication to breach corporate networks and steal data and credentials. Microsoft security researchers discovered the bugs in Netgear DGN-2200v1 series routers while they were researching device fingerprinting, Microsoft 365 Defender research team's Jonathan Bar Or said in a blog post, posted Wednesday.

Cybersecurity researchers have detailed critical security vulnerabilities affecting NETGEAR DGN2200v1 series routers, which they say could be reliably abused as a jumping-off point to compromise a network's security and gain unfettered access. The three HTTPd authentication security weaknesses impact routers running firmware versions prior to v1.0.0.60, and have since been fixed by the company in December 2020 as part of a coordinated vulnerability disclosure process.

Update: Microsoft acknowledged PrintNightmare as a zero-day that has been affecting all Windows versions since before June 2021 security updates. Technical details and a proof-of-concept exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that allows remote code execution.

A security researcher has disclosed the details of a vulnerability that can be exploited to take over virtual machines on Google Cloud Platform. Rad decided to disclose the vulnerability due to Google's failure to fix the issue and provide information on its progress.

An unpatched security vulnerability affecting Google's Compute Engine platform could be abused by an attacker to take over virtual machines over the network. "This is done by impersonating the metadata server from the targeted virtual machine's point of view," security researcher Imre Rad said in an analysis published Friday.