Samba fixes critical remote code execution vulnerability

The Samba developers have patched a critical security vulnerability that affects all versions of the open source, cross-platform file sharing solution from Samba 3.0.x up to version 3.6.3, which was released in January. The hole allows an attacker to gain complete access to a Samba server from an unauthenticated connection. The GPLv3 licensed Samba is […]

Critical PHP vulnerability being fixed

The PHP developers are working to fix a critical security vulnerability in PHP that they introduced with a recent security patch. The current stable release is affected; however, it is not yet clear whether the questionable patch was also applied to older versions. The cause of the problem is the security update to PHP 5.3.9, […]

Linux root exploit due to memory access – Update 2

Linus Torvalds released a Linux kernel update last week which fixes a flaw in the access control to memory. Shortly afterwards, exploits appeared making it possible to gain root privileges using this error. Since Linux kernel version 2.6.39 the dump of each process can be viewed in /proc/ /mem and even written to. Before 2.6.39, […]

OpenSSL fixes DoS bug in recent bug fix

The OpenSSL developers have released versions 1.0.0g and 0.9.8t to address a denial of service issue introduced by one of the six fixes included in the version they released earlier this month. The problem was created by the fix for a critical vulnerability in the CBC (“Cipher block chaining”) encryption mode which enabled plaintext recovery […]

phpMyAdmin 3.4.9 fixes XSS vulnerabilities

Version 3.4.9 of phpMyAdmin has been released, closing two security holes in the open source database administration tool. The update fixes vulnerabilities in the phpMyAdmin setup interface and the export panels in the server, database and table sections that could be exploited for cross-site scripting (XSS) attacks. Read more at H-online

BIND 9 denial of service being seen in the wild

The BIND 9 DNS name server is undergoing a concerted denial of service attack, according to this Internet Systems Consortium advisory. “Organizations across the Internet reported crashes interrupting service on BIND 9 nameservers performing recursive queries. Affected servers crashed after logging an error in query.c with the following message: “INSIST(! dns_rdataset_isassociated(sigrdataset))” Multiple versions were reported […]

Joomla! updates close security holes

The Joomla! open source CMS has been updated after an error in random number generation when resetting passwords was found that could be exploited by an attacker to change a user’s password. The 1.5.x versions, 1.6.x versions and 1.7.x versions are affected. Joomla! 1.5.25 and 1.7.3 have been released to address the issue described by […]

Thousands of WordPress blogs hijacked to deploy malicious code

Anti-virus firm Avast reports (PDF) that criminals are exploiting a critical hole in the TimThumb WordPress add-on to deploy malicious code on a large scale. Avast says that it blocked more than 2,500 infected sites in September and anticipates a similar number in October. The attackers install the professional BlackHole exploit framework on the affected servers. […]

MyBB downloads were infected

In a blog posting, the MyBB development team has confirmed that the download package for version 1.6.4 of MyBB had been modified to include malicious code. Unknown attackers were able to exploit a vulnerability in the MyBB web site’s CMS (content management system) to inject and execute PHP code. The attackers placed a contaminated version […]

Apache hole allows attackers to access internal servers

Security experts at Context have discovered a hole in the Apache web server that allows remote attackers to access internal servers. The mod_rewrite rewrite engine ensures that requests are distributed across different servers according to definable rules, for example, in order to balance loads or to separate dynamic and static content. This configuration is also […]

MySQL.com Hacked to Serve Malware

Well, this is embarrassing. MySQL.com has been hacked (fixed by now), and was turned into a platform serving malware to unsuspecting visitors. The criminals did this by injecting a script which redirected visitors to a website which uses the BlackHole exploit pack, which probes the browser used and serves up an appropriate exploit. Computer security […]

Adobe announces emergency patch for Flash Player

Adobe has announced an emergency patch that is scheduled to be released some time later today (Wednesday 21 September). The update will address several previously unknown critical holes in Flash Player. The new version is also designed to close a universal cross-site scripting (XSS) hole that Adobe says is already being actively exploited. The company’s […]

phpMyAdmin updates close XSS hole

The phpMyAdmin developers have announced the release of versions 3.4.4 and 3.3.10.4 of their open source database administration tool. According to the security advisory, these maintenance and security updates close a hole (CVE-2011-3181) in the Tracking feature that leads to multiple cross-site scripting (XSS) vulnerabilities. The exploit was discovered by Norman Hippert and is caused […]

E-commerce sites based on open source code under attack

About 100,000 Web pages for e-commerce sites based on the open source osCommerce software have been compromised with malware through a mass iFrame injection attack, according to security firm Armorize. The ongoing mass-injection attacks appear to be carried out from Ukraine against the e-commerce sites. The sites that are successfully attacked are compromised with […]

Skype update enables account theft – Update

The recent update to Skype 5.5 for Windows contains a severe security vulnerability that allows attackers to take control of your Skype account, according to security expert David Vieira-Kurz. The update promises close integration with Facebook – for instance, you will be able to track your Facebook friends’ activities from your Skype client and […]

phpMyAdmin updates close critical security holes

Versions 3.4.3.2 and 3.3.10.3 of phpMyAdmin close a total of four security holes in the open source database administration tool. According to the phpMyAdmin developers, the security releases address two “critical” vulnerabilities that could lead to possible session manipulation in Swekey authentication or remote code execution. A “serious” bug that could allow an attacker to […]

phpMyAdmin updates patch critical holes

The phpMyAdmin developers have released versions 3.3.10.2 and 3.4.3.1 of their database administration tool; these are security updates that fix a total of four security holes. Rated as “highly critical” by Secunia, the vulnerabilities include a session manipulation bug in Swekey authentication that could be exploited to overwrite session variables, a possible code injection hole […]

Another DoS fix for Apache HTTP server

The update of the Apache HTTP Server (httpd) to version 2.2.18 earlier this month to close a denial of service (DoS) problem appears to have exposed a related DoS vulnerability. The developers have now released httpd 2.2.19 to fix this new problem which has been rated as moderately critical; however, as with the previous DoS […]

Google Deodorizes Sniffable Android Security Flaw

Google has begun rolling out a patch to fix a security flaw in versions 2.3.3 and earlier of its Android mobile operating system. That flaw affects all Google services using the ClientLogin authentication protocol. It lets hackers access any personal data available through Android’s application programming interfaces. “The flaw is now fixed for all versions […]

Adobe Issues Security Advisory for Flash Player

A critical vulnerability exists in Flash Player 10.2.153.1 and earlier versions (Adobe Flash Player 10.2.154.25 and earlier for Chrome users) for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 10.2.156.12 and earlier versions for Android, and the Authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions for […]