Blog: In The News
Most U.S. government agencies have until Feb. 4 to audit their IT infrastructure for the use of backdoored Juniper Networks’ Netscreen firewalls. Letters went out late last week from the House Oversight & Government Reform Committee to the leaders of the various agencies asking them to provide the committee with a report on whether the...
Magento patched 20 vulnerabilities last week, including a stored cross-site scripting (XSS) flaw in the e-commerce platform that could have let an attacker take over a site and create new admin accounts. Researchers at Sucuri dug up the XSS vulnerability while combing through research audits last November. It took a while for Magento to get back to...
Researchers believe a single group is responsible for a series of attacks over the years to spy on Tibetan and Uyghur activists. For four years the group has used a cornucopia of spearphishing emails, a watering hole attack, and a backdoor Trojan to carry out espionage. Dubbed Scarlet Mimic, the attacks are primarily spread through...
OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process. The OpenSSL project this morning said the updates will move users to versions 1.0.2f and 1.0.1r and should be available Thursday between 8 a.m. and noon Eastern time. “They will fix two security defects, one of...
FreeBSD has patched a denial-of-service vulnerability affecting versions configured to support SCTP and IPv6, the default configurations on later versions of the open source OS. Researchers at Positive Technologies in the U.K. said versions 9.3, 10.1 and 10.2 are affected and can be exploited by a specially crafted ICMPv6 packet, which will cause a kernel...
Lenovo today has patched a number of vulnerabilities that jeopardize private data, which are largely enabled by a simple hard-coded password in a freely available file-sharing application. The flaws were found in the Lenovo ShareIT application for Android and Windows by researchers at Core Security’s CoreLabs. The app allows users to share files over...
AMX, a provider of audio-visual conferencing gear used in sensitive government and military locations, has removed a “deliberate” backdoor in one of its central controller system products. New firmware for the AMX NX-1200 was made available Thursday, removing an administrative account that was reachable remotely. AMX said in a description of the firmware update that...
Mike Mimoso and Chris Brook discuss the week in news, including the Linux zero day–how it was patched in Android, Twitter users sent nation state messages that are still looking for answers, and bot fraud. Download: news_wrap_01-08-16.mp3 Music by Chris Gonsalves
When Apple pushed out iOS 9.2.1 earlier this week, it fixed a nasty bug that lingered in the wild for nearly three years and could have let an attacker steal cookies and impersonate victims. The problem stems from the little windows that pop up when you connect to a public WiFi network according to Skycure, an...
Google is downplaying the scope of the critical Linux vulnerability patched this week, suggesting that the number of affected Android devices has been exaggerated. The Android OS is built upon the Linux kernel, but minus many of the libraries that are included in standard Linux builds. Initially, startup Perception Point said that upwards of two-thirds...