Archives: June 2016
An unexpected behavior in a relatively new and popular open source API framework called Swagger could lead to code execution, researchers at Rapid7 said. The company today disclosed some details on the vulnerability, and released a Metasploit exploit module and a proposed patch written by researcher Scott Davis, who found the flaw. Details were privately...
WordPress last week updated to version 4.5.3, a security release for all versions of the content management system. The update patches more than two dozen vulnerabilities, including 17 bugs introduced in the last three releases, all published this year. Many of the vulnerabilities can be exploited remotely and allow an attacker to take control of a...
Certificate authority Let’s Encrypt is celebrating a major milestone in the young nonprofit’s existence, issuing its 5 millionth certificate this month. Let’s Encrypt launched to the general public just seven months ago. “Our goal is to get the entire web 100 percent HTTPS,” said Josh Aas, executive director for the Internet Security Research Group, the...
The libarchive programming library was recently patched against three critical memory-related vulnerabilities that could be abused to execute code on computers running the vulnerable software. As is the case with most open source software packages, patching the core library is only half the battle; admins must now ensure that third-party software running the library is...
Criminal hackers are fickle about their attack vectors. You need to look no further for evidence of this than their constant migration from one exploit kit to another. And while there is an expansive menu of exploit kits, attackers do seem to congregate around a precious few. Researchers who study exploit kits closely, however, are...
More than half of the world’s top sites suffer from misconfigured email servers, something that heightens the risk of having spoofed emails sent from their domains, researchers warn. Researchers at Detectify, a Swedish web security firm, recently combed through hundreds of domains and found that many of them suffer from poor email authentication methods. An...
The scourge of ransomware over the past two years has been impressive – and not in a good way. The number of frustrated computer users locked out of their PCs is at an all-time high with no signs of the ransomware epidemic relenting. According to security experts, the last two years have seen an astounding...
Advantech has published a new version of its WebAccess product to address vulnerabilities that put installations at risk of remote code execution attacks. Exploiting the vulnerabilities would be a challenge, however, according to an advisory published Tuesday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). ICS-CERT said the flaws patched in versions prior...
Most major technology companies offer some take on two-factor authentication as an option for users to secure access to accounts and web-based services. Making users drink from that pond, however, has been a different story. Simplifying the process of using the second form of authentication, most often a verification code sent to a mobile device,...
For the last month, attackers have used a combination of phishing and typosquatting to carry out a campaign aimed at stealing Bitcoin and blockchain wallet credentials. More than 100 phony Bitcoin and blockchain domains have been set up so far, many of which mimic legitimate Bitcoin wallets. Most of the sites were registered on May 26...