Vulnerabilities


Report: 60% of all web sites contain serious vulnerabilities

From DarkReading (Kelly Jackson Higgins)

Most Websites harbor at least one major vulnerability, and over 80 percent of Websites have had a critical security flaw, according to new data released today by WhiteHat Security.

The Website vulnerability statistics, based on Website vulnerability data gathered from WhiteHat’s own enterprise clients, show that 63 percent of Websites have at least one high, critical, or urgent vulnerability issue, and there’s an average of seven unfixed vulnerabilities in a Website today. Read the full story [darkreading.com]

New Windows netbooks may harbor malware

From Computerworld (Gregg Keizer)

After discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.

When Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, “they thought something strange was going on,” said Roel Schouwenberg [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine — a $499 netbook designed for the school market — and found three pieces of malware. Read the full story [computerworld.com]


When news broke last year about the serious flaw in the Debian OpenSSL pseudorandom number generator, security experts knew it was a serious problem and warned users to regenerate any keys that had been created using the vulnerable versions of the OpenSSL package. It was a big problem, but it turns out that it could have been far worse.

A new remotely-exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.

Hundreds of thousands of websites host vulnerable Adobe Flash files that can be exploited by malicious people to conduct convincing phishing and XSS attacks. In most cases, cookie hijacking is possible.
Unsuspecting users can be redirected from trustworthy SSL and non-SSL sites to malware, adware and spyware sites. Read the full story [xssed.com]

Guest editorial by Andrew Storms

Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.

You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.

Adobe joined the Patch Tuesday barrage late yesterday, dropping fixes for a pair of code execution holes affecting its Adobe Reader and Acrobat products.

The critical update [adobe.com] addresses a publicly known vulnerability that was being exploited with booby-trapped PDF files.

On the same day Microsoft shipped a bundle of patches for gaping holes in its PowerPoint software, Apple followed suit, dropping a monster Mac OS X update to correct 67 security vulnerabilities.

The sudden Apple Patch Day also included a patch to cover a trio of flaws in the Safari Web browser (Mac OS X and Windows). Read the full story [zdnet.com]
