web-security


Drupal.org Resets Passwords After Data Breach

The Drupal Association is urging all users of Drupal.org and groups.drupal.org to reset their passwords after discovering an intrusion that breached files holding usernames, e-mail addresses, countries and hashed passwords. Sites that run on Drupal do not appear to be impacted, though the organization stressed an ongoing forensic review may reveal more details and victims. […]


Google has fixed a series of serious vulnerabilities in its Chrome OS, including three high-risk bugs that could be used for code execution on vulnerable machines. As part of its reward program, Google paid out more than $30,000 to a researcher who found three of the vulnerabilities.

The maintainers of the PostgreSQL database software have patched a security vulnerability, which, in some very limited circumstances, could be used to run arbitrary code on vulnerable servers. The vulnerability, which affects versions 9.0, 9.1 and 9.2, also can be used to cause a denial-of-service by any remote attacker.

Mozilla has added a new privacy feature to Firefox that enables users to begin a new private browsing session in a separate tab while still running a normal session in other tabs. Firefox 20 also includes patches for 11 critical security vulnerabilities.The new version of Firefox expands the capabilities of the private browsing function in the browser, a feature that allows users to browse without any cookies, logs or any other data retention.

There is a critical vulnerability in several current versions of the BIND nameserver software that could allow an attacker to knock vulnerable DNS servers offline or compromise other applications running on those machines. The bug is present in several versions of the ubiquitous BIND software and the maintainers of the application have released a patch for it that they recommend users install as soon as possible.

Draped across the automobile’s front license plate is a printout, attached like it came off a roll of Scotch Tape. On the printout is a SQL statement; probably the last thing anyone would expect to see as a hood ornament. No one knows where the photograph came from or whether someone was trying to be funny, or legitimately trying to compromise the backend system controlling the traffic camera in the same photo. But one thing is for sure, this clever stunt has helped shed light on the insecurity of control systems.

Hardly a week goes by without some new vulnerability in WordPress or one of its components showing up on a mailing list or in a security advisory. This week’s first entrant is a newly disclosed flaw in a plugin that displays ad banners on WordPress sites, a bug that enables an attacker to inject malicious Javascript or HTML code on any vulnerable site.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.