Magento patched 20 vulnerabilities last week, including a stored cross-site scripting (XSS) flaw in the e-commerce platform that could have let an attacker take over a site and create new admin accounts. Researchers at Sucuri dug up the XSS vulnerability while combing through research audits last November. It took a while for Magento to get back to...

OpenSSL is scheduled to update two versions of the software this week, patching a pair of vulnerabilities in the process. The OpenSSL project this morning said the updates will move users to versions 1.0.2f and 1.0.1r and should be available Thursday between 8 a.m. and noon Eastern time. “They will fix two security defects, one of...

FreeBSD has patched a denial-of-service vulnerability affecting versions configured to support SCTP and IPv6, the default configurations on later version of the open source OS. Researchers at Positive Technologies in the U.K. said versions 9.3, 10.1 and 10.2 are affected and can be exploited by a specially crafted ICMPv6 packet, which will cause a kernel...

Lenovo today has patched a number of vulnerabilities that jeopardize private data, which are largely enabled by a simple hard-coded password in a freely available file-sharing application. The flaws were found in in the Lenovo ShareIT application for Android and Windows by researchers at Core Security’s CoreLabs. The app allows users to share files over...

AMX, a provider of audio-visual conferencing gear used in sensitive government and military locations, has removed a “deliberate” backdoor in one of its central controller system products. New firmware for the AMX NX-1200 was made available Thursday, removing an administrative account that was reachable remotely. AMX said in a description of the firmware update that...

Google is downplaying the scope of the critical Linux vulnerability patched this week, suggesting that the number of affected Android devices has been exaggerated. The Android OS is built upon the Linux kernel, but minus many of the libraries that are included in standard Linux builds. Initially, startup Perception Point said that upwards of two-thirds...

HD Moore, creator of the Metasploit Framework and a security innovator behind a number of Internet-wide security research projects, is moving into venture capital. Moore announced yesterday that he is leaving his current post as chief research officer at Rapid7 on Jan. 29 for a new opportunity in the VC world, an offer he called...

Oracle’s quarterly Critical Patch Updates (CPU) are known for their daunting volume, usually a disproportionately big number of fixes that database and system administrators have to deal with every three months. Yesterday’s CPU, however, takes the cake. Oracle pushed out the door a record 248 patches on Tuesday, for vulnerabilities across its product lines. That...

Apple on Tuesday released security patches for iOS, OS X and an update for the Safari browser. The patches come less than a week after a ShmooCon presentation by Synack director of research Patrick Wardle revealed that Apple’s Gatekeeper security feature in OS X can be bypassed by an attacker with network-level access. The OS...

A critical vulnerability in Yahoo Mail that could give attackers complete control of an account was patched two weeks ago. The flaw was privately disclosed Dec. 26 by Finnish researcher Jouko Pynnonen and patched Jan. 6. Pynnonen earned himself a $10,000 bounty, one of the highest paid out by Yahoo through its HackerOne program. Pynnonen...