Google researcher Tavis Ormandy has disclosed that the Chromodo browser installed with Comodo Internet Security disables the same-origin policy by default. The same-origin policy is a fundamental tenet of web security, ensuring that scripts access data from a second webpage only if the two pages have the same origin. “Chromodo is described as ‘highest levels...

Developers at WordPress are encouraging users to upgrade to the latest version, 4.4.2, in order to resolve a handful of bugs and vulnerabilities in the content management system. The update pushed out on Tuesday addresses two main issues. Until yesterday an attacker could have potentially carried out a server-side request forgery (SSRF) attack that could...

Researchers are warning that some visitors to eBay.com could be tricked into opening a page on the site that could expose them to phishing attacks and data theft. The vulnerability exists in the site’s online sales platform, according to Roman Zaikin, a researcher with Check Point. With it, an attacker could bypass the site’s code validation...

Socat is the latest open source tool to come under suspicion that it is backdoored. Socat is a versatile command line utility that builds bi-directional communication streams and moves data between channels, including files, network pipes, serial connected devices, sockets or a combination of any of these. A security advisory published Monday warned that the...

Mike Mimoso and Chris Brook discuss the news of the week, including the latest on the BlackEnergy APT Group, Amazon getting into the SSL certificate game, and government agencies being told to audit their systems for the Juniper backdoor. Download: news_wrap_01-29-16.mp3 Music by Chris Gonsalves

It’s the end of an era. Oracle has announced its intent to nail the coffin shut on the Java browser plugin. The company confirmed Wednesday that it expects to deprecate the plugin in JDK 9, slated for release in September, and JRE, in a future Java SE release. Dalibor Topic, a member of Oracle’s Java Strategy...

The OpenSSL project team today patched two vulnerabilities in the crypto library, one of which is rated high severity and exposes many popular applications to attack. The patches are in new releases of OpenSSL, 1.0.1r and 1.0.2f, along with an enhancement to the strength of the cryptography in a previous mitigation for last year’s Logjam...

A Java serialization vulnerability disclosed more than a year ago figured to have a long shelf life. It lived in popular Java application development frameworks such as Apache Commons Collections—where it’s been patched—and not to mention widely deployed application servers such as Oracle WebLogic, IBM WebSphere, Red Hat’s JBoss and others. PayPal this week put...

The Internet of Things security challenge is twofold: finding bugs, and more urgent—fixing them. Cisco’s Talos security intelligence and research group found and privately disclosed a serious and trivially exploitable client-side bug in MiniUPnP that was patched in September of last year. The problem is: How many patches were applied by vendors in their products...

Mozilla has patched a number of critical vulnerabilities in Firefox 44 and Firefox Extended Release 38.6, which were released this week. The most serious flaws were memory vulnerabilities that lived in both the public and extended support versions of the browser. A buffer overflow (write) in WebGL, the browser’s Web graphics library, was patched. WebGL...