Lucian Constantin

Author Archives: Lucian Constantin

Lenovo patches serious flaw in pre-installed support tool

Lenovo has fixed a vulnerability in its Lenovo Solution Center support tool that could allow attackers to execute code with system privileges and take over computers. The Lenovo Solution Center (LSC) is an application that comes pre-installed on many Lenovo laptops and desktops. It allows users to check their system’s virus and firewall status, update their software, perform backups, check battery health, get registration and warranty information and run hardware tests. The tool has two components: a graphical user interface and a service called LSCTaskService that runs in the background at all times even if the user interface is not started.

Qualcomm flaw puts millions of Android devices at risk

A vulnerability in an Android component shipped with phones that use Qualcomm chips puts users' text messages and call history at risk of theft. The flaw was found by security researchers from FireEye and was patched by Qualcomm in March. However, because the vulnerability was introduced five years ago, many affected devices are unlikely to ever receive the fix because they're no longer supported by their manufacturers. The vulnerability, which is tracked as CVE-2016-2060, is located in an Android component called "netd" that Qualcomm modified in order to provide additional tethering capabilities. Malicious applications could exploit the flaw in order to execute commands as the "radio" system user, which has special privileges.

Cisco patch stops attackers from taking over TelePresence systems

Cisco Systems has fixed a critical vulnerability that could allow attackers to take over TelePresence systems, and patched other high-severity flaws in Cisco FirePOWER and Adaptive Security Appliance devices. The TelePresence software vulnerability stems from an improper authentication mechanism for the XML application programming interface (API). Attackers could exploit it by sending crafted HTTP requests to the XML API in order to bypass authentication and execute unauthorized configuration changes and commands on the system.

Apple patches vulnerable OS X Git version that put developers at risk

Apple has released a new version of its Xcode development tool in order to patch two critical vulnerabilities in the Git source code management client. The Git vulnerabilities, CVE-2016-2324 and CVE-2016-2315, have been known since mid-March and can be exploited when cloning a repository with a specially crafted file structure. This allows attackers to execute malicious code on systems where such cloning operations were initiated. Xcode is an integrated development environment (IDE) used by a large number of developers to write applications for OS X and iOS. It includes a package called the OS X Command Line Tools for Xcode that contains the open-source Git client.

Google turns on HTTPS for all blogspot blogs

All blogs hosted on Google's blogspot.com domain can now be accessed over an encrypted HTTPS connection. This puts more control into the hands of blog readers who value privacy. Google started offering users of its Blogger service the option to switch their blogspot.com sites to HTTPS in September, but that setting has now been removed and all blogs have received an HTTPS version that users can access. Instead of the "HTTPS Availability" option, blog owners can now use a setting called "HTTPS Redirect," which will redirect all visitors to the HTTPS version of their blogs automatically. If the setting is not used, users will still be able to access the non-encrypted HTTP version.

Critical flaws in ImageMagick library expose websites to hacking

A tool used by millions of websites to process images has several critical vulnerabilities that could allow attackers to compromise Web servers. To make things worse, there's no official patch yet and exploits are already available. The vulnerabilities were discovered by Nikolay Ermishkin from the Mail.Ru security team and were reported to the ImageMagick developers who attempted a fix in version 6.9.3-9, released on April 30. However, the fix is incomplete and the vulnerabilities can still be exploited. Furthermore, there is evidence that people aside from security researchers and ImageMagick developers know about the flaws, which is why their existence was publicly disclosed Tuesday. The flaws can be exploited by uploading specially crafted images to Web applications that rely on ImageMagick to process them.

Toy maker Maisto’s website pushed growing CryptXXX ransomware threat

Attackers are aggressively pushing a new file-encrypting ransomware program called CryptXXX by compromising websites, the latest victim being U.S. toy maker Maisto. Fortunately, there's a tool that can help users decrypt CryptXXX-affected files for free. Security researchers from Malwarebytes reported Thursday that maisto.com was infected with malicious JavaScript that loaded the Angler exploit kit. This is a Web-based attack tool that installs malware on users' computers by exploiting vulnerabilities in their browser plug-ins.

Phishing apps posing as popular payment services infiltrate Google Play

Google's efforts to police the Android app store -- Google Play -- are far from perfect, with malicious apps routinely slipping through its review process. Such was the case for multiple phishing applications this year that posed as client apps for popular online payment services. Researchers from security firm PhishLabs claim that they've found 11 such applications since the beginning of 2016 hosted on Google Play, most of them created by the same group of attackers. The apps are simple, yet effective. They load Web pages containing log-in forms that look like the target companies' websites. These pages are loaded from domain names registered by the attackers, but because they are loaded inside the apps, users don't see their actual location.

Developers leak Slack access tokens on GitHub, putting sensitive business data at risk

Developers from hundreds of companies have included access tokens for their Slack accounts in public projects on GitHub, putting their teams' internal chats and other data at risk. Slack has become one of the most popular collaboration and internal communication tools used by companies because of its versatility. The platform's API allows users to develop bots that can receive commands or post content from external services directly in Slack channels, making it easy to automate various tasks. Many developers post the code for their Slack bots -- some of which are small personal projects -- on GitHub, but fail to remove the bots' access tokens. Some developers even include private tokens associated with their own accounts in the code.

Estonian man gets over 7 years in prison for role in global DNS hijacking botnet

An Estonian man has been sentenced to seven years and three months in prison in the U.S. for his role in a cybercriminal operation that infected over 4 million computers with DNS hijacking malware. Vladimir Tsastsin, 35, from Tartu, Estonia, was one of the key players in a US$14 million click fraud scheme. He is the sixth individual to be sentenced in the case and has received the longest prison sentence. The sentence was handed down Tuesday in U.S. District Court for the Southern District of New York. According to the Department of Justice, between 2007 and 2011, Tsastsin and his co-conspirators set up companies that masqueraded as publisher networks and entered into agreements with advertising brokers to display ads on their properties.
