Our news
-
BadAlloc Vulnerability Affecting Devices Incorporating Older BlackBerry QNX Products
Original release date: August 17, 2021 CISA released an Alert today on devices incorporating older versions of multiple BlackBerry QNX products affected by a BadAlloc vulnerability. A malicious actor could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition. Because devices incorporating older versions of BlackBerry QNX products support…
-
CISA Releases Security Advisory for ThroughTek Kalay P2P SDK
Original release date: August 17, 2021 CISA has released an Industrial Control Systems (ICS) advisory detailing a vulnerability affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK). A remote attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the ICS Advisory: ICSA-21-229-01 ThroughTek…
-
AA21-229A: BadAlloc Vulnerability Affecting BlackBerry QNX RTOS
Original release date: August 17, 2021 Summary On August 17, 2021, BlackBerry publicly disclosed that its QNX Real Time Operating System (RTOS) is affected by a BadAlloc vulnerability—CVE-2021-22156. BadAlloc is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries.[1] A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code…
-
Apple Releases Security Update
Original release date: August 17, 2021 Apple has released a security update to address vulnerabilities in iCloud for Windows 12.5. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Apple security update and apply the necessary updates. This product is provided subject to this…
-
Critical Valve Bug Lets Gamers Add Unlimited Funds to Steam Wallets
Valve plugs an API bug found in its Steam platform that that abused the Smart2Pay system to add unlimited funds to gamer digital wallets.
-
XSS Bug in SEOPress WordPress Plugin Allows Site Takeover
The bug would allow a number of malicious actions, up to and including full site takeover. The vulnerable plugin is installed on 100,000 websites.
-
Vulnerability Summary for the Week of August 9, 2021
Original release date: August 16, 2021 High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source & Patch Info alg_ds_project — alg_ds An issue was discovered in the alg_ds crate through 2020-08-25 for Rust. There is a drop of uninitialized memory in Matrix::new(). 2021-08-08 7.5 CVE-2020-36432 MISC MISC care2x — hospital_information_management_system SQL Injection…
-
Exchange Servers Under Active Attack via ProxyShell Bugs
There’s an entirely new attack surface in Exchange, a researcher revealed at Black Hat, and threat actors are now exploiting servers vulnerable to the RCE bugs.
-
WordPress Sites Abused in Aggah Spear-Phishing Campaign
The Pakistan-linked threat group’s campaign uses compromised WordPress sites to deliver the Warzone RAT to manufacturing companies in Taiwan and South Korea.
-
Black Hat: Novel DNS Hack Spills Confidential Corp Data
Threatpost interviews Wiz CTO about a vulnerability recently patched by Amazon Route53’s DNS service and Google Cloud DNS.