Blog: In The News
VMware patched two cross-site scripting vulnerabilities in its products this week that, if exploited, could lead to the compromise of a user’s client workstation. The bugs, stored XSS vulnerabilities and rated important, exist in the company’s vRealize Automation and vRealize Business Advanced and Enterprise platforms. Linux users running 6.x of vRealize Automation, a cloud automation...
Big-name websites were hit with a cunning malvertising campaign over the weekend that attempted to sneak TeslaCrypt ransomware onto computers vulnerable to the potent Angler Exploit Kit. Top sites running the malicious ads included The New York Times-owned NYTimes.com, Answers.com and AOL.com, according to three separate security firms that spotted a spike in malvertising over...
Users who choose to enable X11Forwarding in OpenSSH, or those who use software products that re-enable it, should pay close attention to last Wednesday’s OpenSSH security update. The latest version of the open source implementation of the SSH protocol patches a flaw that exposes it to command injection attacks. The open source project cautions that OpenSSH...
Malware that targets Steam accounts has proliferated across the gaming platform and become what researchers are calling a “booming business” for cybercriminals over the last few months. The popular platform, owned by Valve, boasts 140 million users and is so ripe for attacks that according to the company, nearly 77,000 of them are tricked into giving up...
The National Security Agency’s silence in the Apple-FBI story is probably not so surprising. But that hasn’t stopped people from dragging the NSA’s name into the conversation. The latest to do so is Richard Clarke, former counterterrorism chair under presidents George H.W. Bush and Bill Clinton. Clarke appeared on NPR with David Greene and said...
If a report from this weekend’s New York Times is to be believed, the popular instant messaging platform WhatsApp may be the next technology company to find itself in the crosshairs of the Department of Justice and its war on crypto. Government officials are reportedly torn on how to proceed with a wiretap that a...
Typosquatters are targeting Apple computer users with malware in a recent campaign that snares clumsy web surfers who mistakenly type .om instead of .com when surfing the web. According to Endgame security researchers, the top level domain for Middle Eastern country Oman (.om) is being exploited by typosquatters who have registered more than 300 domain names with the .om...
Threatpost editor Mike Mimoso talks to Chris Valasek, Security Lead, Uber ATC, about the talk he and Charlie Miller gave at RSA, hacking cars, the challenges around getting manufacturers to patch vulnerabilities in vehicles, IoT, and more.
OpenSSH on Friday dropped a patch for a vulnerability that could expose files to theft and manipulation. The flaw affects all versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled, the OpenSSH project said in its advisory. Unpatched versions of OpenSSH don’t properly sanitize input and can be abused to inject commands to xauth. “Injection...
Java’s miserable 2013 just will not go away. One of the endless parade of bugs found in the platform throughout 2013—many of which were zero-day vulnerabilities exploited in targeted attacks—apparently wasn’t closed off completely by an October 2013 patch released by Oracle. Researchers at Polish security company Security Explorations last week disclosed that Oracle’s patch...