
The Apache Struts REST Plugin uses the XStream library, which is vulnerable and allows a DoS attack when a malicious request with a specially crafted XML payload is sent. Upgrade to Apache Struts version 2.5.16 and switch to the optional Jackson XML handler as described here: http://struts.apache.org/plugins/rest/#custom-contenttypehandlers. Another option is to implement a custom XML handler based on the Jackson …


Flaw in Microsoft Outlook Lets Hackers Easily Steal Your Windows Password

A security researcher has disclosed details of an important vulnerability in Microsoft Outlook for which the company released an incomplete patch this month—almost 18 months after receiving the responsible disclosure report. The Microsoft Outlook vulnerability (CVE-2018-0950) could allow attackers to steal sensitive information, including users’ Windows login credentials, just by convincing victims to preview an email with Microsoft Outlook, without …

Critical remote code execution vulnerabilities impact Natus medical devices | ZDNet

A set of critical vulnerabilities has been uncovered in Natus NeuroWorks software which may place medical devices connecting to the software at risk. On Wednesday, researchers from Cisco Talos said in a blog post that the vulnerabilities could not only cause services to crash but may also allow attackers to remotely execute code on medical devices. Natus …

Remote Execution Flaw Threatens Apps Built Using Spring Framework — Patch Now

Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of which is a critical remote code execution flaw that could allow remote attackers to execute arbitrary code against applications built with it. Spring Framework is a popular, lightweight, open-source framework for developing Java-based enterprise applications. In an


Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Every one of us now has at least one internet-connected smart device, which makes this question even more pressing: how much does your smart device know about you? Over the weekend, the popular fitness tracking app Strava proudly published a “2017 heat map” showing activities from its users around the world, but unfortunately, the map revealed what it shouldn’t have: the locations of …

New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

It’s been a terrible start to the new year for Intel. Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally. As Intel was rushing to roll out patches for the Meltdown and Spectre vulnerabilities, security researchers discovered a new critical security flaw in Intel hardware that could allow hackers to …

[Bug] macOS High Sierra App Store Preferences Can Be Unlocked Without a Password

Yet another password vulnerability has been uncovered in macOS High Sierra, which unlocks the App Store pane in System Preferences with any password (or no password at all). A new password bug has been discovered in the latest version of macOS High Sierra that allows anyone with access to your Mac to unlock the App Store menu in System Preferences with any random password …

CVE-2017-12623

CVE-2017-12623: An authorized user could upload a template which contained malicious code and accessed sensitive files via an XML External Entity (XXE) attack. The fix to properly handle XML External Entities was applied in the Apache NiFi 1.4.0 release. Users …


Wait, Do You Really Think That’s A YouTube URL? Spoofing Links On Facebook

While scrolling on Facebook, how do you decide which link or article to click or open? The Facebook timeline and Messenger display the title, description, thumbnail image and URL of every shared link, and this information is enough to decide whether the content interests you or not. Since Facebook is full of spam, clickbait and fake news articles these days, most users do …


Watch Out! Difficult-to-Detect Phishing Attack Can Steal Your Apple ID Password

Can you detect which one of the above screens, each asking an iPhone user for their iCloud password, is original and which is fake? Well, you would agree that both screenshots are almost identical, but the pop-up shown in the second image is fake: a perfect phishing attack that can be used to trick even the most careful users on the Internet. Felix Krause, an …