The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: software security

Unpatched Critical Flaw Disclosed in Zoom Software for Windows 7 or Earlier

Unpatched Critical Flaw Disclosed in Zoom Software for Windows 7 or Earlier
July 10, 2020Swati Khandelwal
A zero-day vulnerability has been discovered in Zoom video conferencing software for Windows that could allow an attacker to execute arbitrary code on a victim's computer running Microsoft Windows 7 or older. To successfully exploit the zoom vulnerability, all an attacker needs to do is tricking a Zoom user into performing some typical action like opening a received document file. No security warning is triggered or shown to the user at the time of the attack. The vulnerability has been discovered by a researcher who reported it to Acros Security, who then reported the flaw to the Zoom security team earlier today. The researcher wishes to remain anonymous. Although the flaw is present in all supported versions of the Zoom client for Windows, it is only exploitable on systems running Windows 7 and older Windows systems due to some specific system characteristics. "This vulnerability is only exploitable on Windows 7 and earlier Windows versions. It is likely also explo

Cynet Empowers IT Resellers and Service Providers to Become Fully Qualified MSSPs

Cynet Empowers IT Resellers and Service Providers to Become Fully Qualified MSSPs
January 29, 2020The Hacker News
As cyber incidents increase in scope and impact, more and more organizations come to realize that outsourcing their defenses is the best practice—significantly increasing the Managed Security Service Provider (MSSP) market opportunities. Until recently, IT integrators, VARs, and MSPs haven't participated in the growing and profitable MSSP market as it entailed massive investments in building an in-house skilled security team. However, this is beginning to change as a result of certain security vendors, like Cynet, that provide a purpose-built partner offering that enables IT integrators, VARs, and MSPs to provide managed security service with zero investment in hardware or personnel. Their offering includes a 24/7 SOC that trains and supports the partner's existing team and a security platform that consolidates and automates breach protection (including endpoint, user, and network security), making it simple to operate by any IT professional. To learn more about th

Zoom Bug Could Have Let Uninvited People Join Private Meetings

Zoom Bug Could Have Let Uninvited People Join Private Meetings
January 28, 2020Swati Khandelwal
If you use Zoom to host your remote online meetings, you need to read this piece carefully. The massively popular video conferencing software has patched a security loophole that could have allowed anyone to remotely eavesdrop on unprotected active meetings, potentially exposing private audio, video, and documents shared throughout the session. Besides hosting password-protected virtual meetings and webinars, Zoom also allows users to set up a session for non-pre-registered participants who can join an active meeting by entering a unique Meeting ID, without requiring a password or going through the Waiting Rooms. Zoom generates this random meeting ID, comprised of 9, 10, and 11-digit numbers, for each meeting you schedule or create. If leaked beyond an individual or intended group of people, merely knowing Meeting IDs could allow unwelcome guests joining meetings or webinars. This could be bad news for anyone expecting their conversations to be private. To circumvent suc

Latest Microsoft Update Patches New Windows 0-Day Under Active Attack

Latest Microsoft Update Patches New Windows 0-Day Under Active Attack
December 10, 2019Swati Khandelwal
With its latest and last Patch Tuesday for 2019, Microsoft is warning billions of its users of a new Windows zero-day vulnerability that attackers are actively exploiting in the wild in combination with a Chrome exploit to take remote control over vulnerable computers. Microsoft's December security updates include patches for a total of 36 vulnerabilities, where 7 are critical, 27 important, 1 moderate, and one is low in severity—brief information on which you can find later in this article. Tracked as CVE-2019-1458 and rated as Important, the newly patched zero-day Win32k privilege escalation vulnerability, reported by Kaspersky, was used in Operation WizardOpium attacks to gain higher privileges on targeted systems by escaping the Chrome sandbox. Although Google addressed the flaw in Chrome 78.0.3904.87 with the release of an emergency update last month after Kaspersky disclosed it to the tech giant, hackers are still targeting users who are using vulnerable versions of th

Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu

Zoom RCE Flaw Also Affects Its Rebranded Versions RingCentral and Zhumu
July 16, 2019Swati Khandelwal
The same security vulnerabilities that were recently reported in Zoom for macOS also affect two other popular video conferencing software that under the hood, are just a rebranded version of Zoom video conferencing software. Security researchers confirmed The Hacker News that RingCentral, used by over 350,000 businesses, and Zhumu, a Chinese version of Zoom, also runs a hidden local web server on users' computers, just like Zoom for macOS. The controversial local web server that has been designed to offer an automatic click-to-join feature was found vulnerable to remote command injection attacks through 3rd-party websites. Security researcher Jonathan Leitschuh initially provided a proof-of-concept demonstrating how the vulnerable web server  could eventually allow attackers to turn on users laptop's webcam and microphone remotely. The flaw was later escalated to remote code execution attack by another security researcher, Karan Lyons , who has now published a new v

Cynet Free Visibility Experience – Unmatched Insight into IT Assets and Activities

Cynet Free Visibility Experience – Unmatched Insight into IT Assets and Activities
June 12, 2019The Hacker News
Real-time visibility into IT assets and activities introduces speed and efficiency to many critical productivity and security tasks organizations are struggling with—from conventional asset inventory reporting to proactive elimination of exposed attack surfaces. However, gaining such visibility is often highly resource consuming and entails manual integration of various feeds. Cynet is now offering end-users and service providers free access to its end-to-end visibility capabilities . The offering consists of 14 days access to the Cynet 360 platform, during which users can gain full visibility into their IT environment—host configurations, installed software, user account activities, password hygiene, and network traffic. "When we built the Cynet 360 platform we identified a critical need for a single-source-of-truth interface where you get all the knowledge regarding what exists in the environment and what activities take place there," said Eyal Gruner, Cynet fou

Report Reveals TeamViewer Was Breached By Chinese Hackers In 2016

Report Reveals TeamViewer Was Breached By Chinese Hackers In 2016
May 17, 2019Wang Wei
The German software company behind TeamViewer, one of the most popular software in the world that allows users to access and share their desktops remotely, was reportedly compromised in 2016, the German newspaper Der Spiegel revealed today. TeamViewer is popular remote-support software that allows you to securely share your desktop or take full control of other's PC over the Internet from anywhere in the world. With millions of users making use of its service, TeamViewer has always been a target of interest for attackers. According to the publication , the cyber attack was launched by hackers with Chinese origin who used Winnti trojan malware, activities of which have previously been found linked to the Chinese state intelligence system. Active since at least 2010, Winnti advanced persistent threat (APT) group has previously launched a series of financial attacks against software and gaming organizations primarily in the United States, Japan, and South Korea. The group i

DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days

DHS Orders Federal Agencies to Patch Critical Flaws Within 15 Days
May 01, 2019Mohit Kumar
In recent years, we have seen how hackers prey on those too lazy or ignorant to install security patches, which, if applied on time, would have prevented some devastating cyber attacks and data breaches that happened in major organisations. The United States Department of Homeland Security (DHS) has ordered government agencies to more swiftly plug the critical security vulnerabilities found on their networks within 15 calendar days since the initial detection, a reduction from 30 days. DHS's Cybersecurity and Infrastructure Security Agency (CISA) this week issued a new Binding Operational Directive (BOD) 19-02 instructing federal agencies and departments to address "critical" rated vulnerabilities within 15 days and "high" severity flaws within 30 days of initial detection. The countdown to patch a security vulnerability will start when it was initially detected during CISA's weekly Cyber Hygiene vulnerability scanning, rather than it was the firs

Adobe Releases February 2019 Patch Updates For 75 Vulnerabilities

Adobe Releases February 2019 Patch Updates For 75 Vulnerabilities
February 12, 2019Mohit Kumar
Welcome back! Adobe has today released its monthly security updates to address a total of 75 security vulnerabilities across its various products, 71 of which resides in Adobe Acrobat and Reader alone. February 2019 patch Tuesday updates address several critical and important vulnerabilities in Adobe Acrobat Reader DC, Adobe Coldfusion, Creative Cloud Desktop Application, and Adobe Flash Player for Windows, macOS, Linux, and Chrome OS. According to the advisory released today, 43 out of 71 vulnerabilities addressed by Adobe in Acrobat and Reader are rated as critical in severity, most of which could lead to arbitrary code execution in the context of the current user upon successful exploitation. The update also includes a permanent fix for a critical, publicly disclosed zero-day vulnerability (CVE 2019-7089) impacting Adobe Reader that could allow remote attackers to steal targeted Windows NTLM hash passwords just by tricking victims into opening a specially crafted PDF fi

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems

Critical RCE Flaw in Linux APT Allows Remote Attackers to Hack Systems
January 22, 2019Swati Khandelwal
Just in time… Some cybersecurity experts this week arguing over Twitter in favor of not using HTTPS and suggesting software developers to only rely on signature-based package verification, just because APT on Linux also does the same. Ironically, a security researcher just today revealed details of a new critical remote code execution flaw in the apt-get utility that can be exploited by a remote, man-in-the middle attacker to compromise Linux machines. The flaw, apparently, once again demonstrates that if the software download ecosystem uses HTTPS to communicate safely, such attacks can easily be mitigated at the first place. Discovered by Max Justicz, the vulnerability (CVE-2019-3462) resides in the APT package manager, a widely used utility that handles installation, update and removal of software on Debian, Ubuntu, and other Linux distributions. According to a blog post published by Justicz and details shared with The Hacker News, the APT utility doesn't properly

Jail Authorities Mistakenly Early Released 3,200 Prisoners due to a Silly Software Bug

Jail Authorities Mistakenly Early Released 3,200 Prisoners due to a Silly Software Bug
December 29, 2015Swati Khandelwal
Washington State Department of Corrections (DoC) is facing an investigation after it early released around 3,200 prisoners over the course of 13 years , since 2002, when a bug was introduced in the software used to calculate time credits for inmates' good behavior. The software glitch led to a miscalculation of sentence reductions that US prisoners were receiving for their good behaviour. Over the next 13 years, the median number of days of those released early from prison was 49 days before their correct release date. "This problem was allowed to continue for 13 years is deeply disappointing to me, totally unacceptable and, frankly, maddening," Washington State Governor Jay Inslee said in a statement . "I've [many] questions about how and why this happened, and I understand that members of the public will have those same queries." What's the Bug and How did it Remain Undetected for 13 Years? The issue lies in DoC software that is
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.