The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

The massive Equifax data breach that exposed highly sensitive data of as many as 143 million people was caused by exploiting a flaw in Apache Struts framework, which Apache patched over two months earlier of the security incident, Equifax has confirmed. Credit rating agency Equifax is yet another example of the companies that became victims of massive cyber attacks due to not patching a critical vulnerability on time, for which patches were already issued by the respected companies. Rated critical with a maximum 10.0 score, the Apache Struts2 vulnerability (CVE-2017-5638) exploited in the Equifax breach was disclosed and fixed by Apache on March 6 with the release of Apache Struts version 2.3.32 or 2.5.10.1. This flaw is separate from CVE-2017-9805, another Apache Struts2 vulnerability that was patched earlier this month, which was a programming bug that manifests due to the way Struts REST plugin handles XML payloads while deserializing them, and was fixed in Struts ve...

It seems like Tor Browser zero-day exploits are in high demand right now—so much so that someone is ready to pay ONE MILLION dollars. Zerodium—a company that specialises in acquiring and reselling zero-day exploits—just announced that it will pay up to USD 1,000,000 for working zero-day exploits for the popular Tor Browser on Tails Linux and Windows operating system. Tor browser users should take this news an early warning, especially who use Tails OS to protect their privacy. Zero-day exploit acquisition platform has also published some rules and payout details on its website, announcing that the payout for Tor exploits with no JavaScript has been kept double than those with JavaScript enabled. The company has also clearly mentioned that the exploit must leverage remote code execution vulnerability, the initial attack vector should be a web page and it should work against the latest version of Tor Browser. Moreover, the zero-day Tor exploit must work without requiring an...

Get ready to install a fairly large batch of security patches onto your Windows computers. As part of its September Patch Tuesday , Microsoft has released a large batch of security updates to patch a total of 81 CVE-listed vulnerabilities, on all supported versions of Windows and other MS products. The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE). Affected Microsoft products include: Internet Explorer Microsoft Edge Microsoft Windows .NET Framework Skype for Business and Lync Microsoft Exchange Server Microsoft Office, Services and Web Apps Adobe Flash Player .NET 0-Day Flaw Under Active Attack According to the company, four of the patched vulnerabilities are publicly known, one of which has already been actively exploited by the attackers in the wild. Here's the list of publically known flaws and their impact: W...

Microsoft has been expressing its love for Linux for almost three years now, and this love costs Microsoft an arm and a leg. Last year, Microsoft surprised everyone by announcing the arrival of Windows Subsystem for Linux (WSL) in Windows 10, which brings the Linux command-line shell to Windows , allowing users to run native Linux applications on Windows system without virtualization. However, security researchers from security firm Check Point Software Technologies have discovered a potential security issue with the WSL feature that could allow malware families designed for Linux target Windows computers—undetected by all current security software. The researchers devised a new attack technique, dubbed Bashware , that takes advantage of Windows' built-in WSL feature, which is now out of beta and is set to arrive in the Windows 10 Fall Creators Update in October 2017. Bashware Attack Undetectable by All Anti-Virus & Security Solutions According to CheckPoint rese...

Adobe may kill Flash Player by the end of 2020, but until then, the company would not stop providing security updates to the buggy software . As part of its monthly security updates, Adobe has released patches for eight security vulnerabilities in its three products, including two vulnerabilities in Flash Player, four in ColdFusion, and two in RoboHelp—five of these are rated as critical. Both of the Adobe Flash Player vulnerabilities can be exploited for remote code execution on the affected device, and both have been classified as critical. None of the patched vulnerabilities has reportedly been exploited in the wild, according to the company. The critical Flash Player flaws are tracked as CVE-2017-11281 and CVE-2017-11282 and were discovered by Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero, respectively. Both the security vulnerabilities are memory corruption issues that could lead to remote code execution and affect all major operating system, includi...