Candlelites

Everything from Everywhere

showing vulnerability - Search

Results for "showing vulnerability", collected from news sites across the web. Each entry below is a snippet; follow its link to read the full story at the source site, which is shown with every link.



How to Develop Empathy by Understanding Subjective Hardship


The easiest way to break down a barrier is to acknowledge. If someone you know seems a little off, say something. There are so many reasons why we experience pain in life. However, because we feel like no one will be able to understand the pain and what we are going through, we often hide it. That attitude is the barrier that we need to break down. Other people will only be able to understand you if you let them in. Showing vulnerability is the easiest way to get another person to open up to you. If I tell you about how my life is going and the struggles that I face, you will be more likely to open up to me. Showing vulnerability is showing strength, as it takes strength to admit when something is wrong. If we can break down the barriers and realize that people are just people, then we might






LastPass acknowledges browser extension vulnerability, working on fix


LastPass on Monday acknowledged a remote code execution vulnerability that affects version 4.1.42 of the LastPass extension on Chrome. The client-side vulnerability was discovered over the weekend by Google Project Zero researcher Tavis Ormandy. "We are now actively addressing the vulnerability. This attack is unique and highly sophisticated," LastPass wrote in a blog post. LastPass didn't give specifics about the vulnerability or when a fix may be released, but promised more details when the issue is resolved. Ormandy previously found exploits in earlier versions of LastPass on Mar






Xen updates hypervisor for guest breakout vulnerability


The open-source Xen hypervisor is widely used to help enable public cloud operations. Back in October 2014, a vulnerability in Xen led to a reboot of public cloud services at Amazon, Rackspace and IBM SoftLayer. This week a new vulnerability was disclosed in Xen, with the potential to enable a guest virtual machine to break out of the hypervisor isolation. But in contrast to the issue in 2014, the new XSA-212 vulnerability did not require a reboot of the public cloud. The promise of guest virtual machine isolation is a core element of virtualization hypervisor security. The new XSA-212 vulnerability, also known as CVE-2017-7228, is titled by the open-source project as 'broken check in memory_exchange() permits PV guest breakout.' The title is also the scope statement: the broken check is reachable from paravirtualized (PV) guests. The flaw was reported to the project by Google Project Zero






WhatsApp, Telegram vulnerability puts accounts in danger


Exploiting the vulnerability required little more than a dank image macro, some malicious code, and the hope that you'll decide to open the malicious file. But don't worry: WhatsApp and Telegram have already fixed the problem.






Cisco finds critical vulnerability in WikiLeaks docs


Cisco learned of a vulnerability in its software from the CIA documents published by WikiLeaks on March 7. But the security flaw wasn't included in the problems highlighted by WikiLeaks; Cisco's security team discovered the problem themselves while digging through the "Vault 7" document trove. The company said in a security advisory that the vulnerability could "allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges." The problem was in the Cisco Cluster Management Protocol (CMP) processing code used by the Cisco IOS and Cisco IOS XE software. Cisco provided a list of 318 products affected by the vulnerability; you can find the full list in the company's advisory. The vulnerability resulted from two problems: the fai






WordPress silently fixes severe vulnerability


WordPress' core development team revealed that a recent update to the content management system quietly patched a critical vulnerability that could be used to modify anything handled by the popular content management system.






Apache Struts vulnerability exposes sites to attack


The open-source Apache Struts 2 technology is a widely used framework component in Java applications, and it's currently under attack. The attacks follow the March 6 disclosure by the Struts project of a remote code execution (RCE) vulnerability identified as CVE-2017-5638. The CVE-2017-5638 issue was patched the same day the Struts project made the disclosure, though multiple security firms have observed that attackers are actively going after unpatched systems. "It is possible to perform a RCE attack with a malicious Content-Type value," the Apache Struts project warns in its advisory. "If the Content-Type value isn't valid, an exception is thrown which is then used to display an error message to a user." John Matthew Holt, Waratek founder and CTO, commented in an email statement tha
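The advisory quote above says the attack rides in the Content-Type header and that an invalid value is echoed through an error path. A request-side detection for exactly that pattern, as an added example (this is not Struts project code and is not part of the original article): it parses raw HTTP request heads and flags a Content-Type that contains OGNL expression syntax (`%{`, `${`, or `#` context references), that is too long to be a media type, or that is not a syntactically valid media type at all. The sample requests, the host name and the length threshold are constructed assumptions for the example, and the probe string is deliberately not a working payload.

```python
"""Flag HTTP requests whose Content-Type header looks like an OGNL expression
rather than a media type (the CVE-2017-5638 delivery vector described above).

Added example for this page; the sample requests below are constructed."""
import re
from typing import Dict, List

# OGNL expressions open with %{ or ${ ; the public CVE-2017-5638 probes also
# reference context objects with a leading '#'.  None of these belong inside
# a Content-Type value, which is just "type/subtype[; parameters]".
OGNL_MARKER = re.compile(r"%\{|\$\{|#_?[A-Za-z]")

# RFC 7231 token characters for the type and subtype parts.
MEDIA_TYPE = re.compile(r"[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+")

# Assumption: no legitimate client of this app sends a Content-Type longer
# than this (multipart boundaries stay well under it).
MAX_CONTENT_TYPE_LEN = 200


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return lower-cased header name -> value for a raw HTTP/1.x request head."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def inspect_content_type(value: str) -> List[str]:
    """Return the reasons a Content-Type value is suspicious (empty if it is fine)."""
    reasons: List[str] = []
    if OGNL_MARKER.search(value):
        reasons.append("ognl-expression-syntax")
    if len(value) > MAX_CONTENT_TYPE_LEN:
        reasons.append("oversized-header")
    media_type = value.split(";", 1)[0].strip().lower()
    if not MEDIA_TYPE.fullmatch(media_type):
        reasons.append("malformed-media-type")
    return reasons


def scan(raw_requests: List[str]) -> List[Dict[str, object]]:
    """Run inspect_content_type over each request; return one finding per hit."""
    findings: List[Dict[str, object]] = []
    for raw in raw_requests:
        content_type = parse_headers(raw).get("content-type")
        if content_type is None:
            continue                             # no body type header, nothing to check
        reasons = inspect_content_type(content_type)
        if reasons:
            findings.append({
                "request_line": raw.split("\r\n", 1)[0],
                "content_type": content_type,
                "reasons": reasons,
            })
    return findings


# Constructed sample traffic: two benign requests and one probe whose
# Content-Type is an OGNL expression (deliberately not a working payload).
SAMPLE_REQUESTS = [
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----formboundary42\r\n\r\n",
    "POST /api/items HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: application/json\r\n\r\n{}",
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#probe='marker')}\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding["request_line"], finding["reasons"])
```

Run this against a proxy or WAF capture rather than an access log: most web servers do not log request Content-Type by default, which is one reason this header was an attractive carrier.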






New LastPass bugs could have been used to steal users' passwords


Tavis Ormandy, a security researcher from Google's Project Zero, found a new LastPass extension vulnerability that could have allowed attackers to steal users' passwords. A second vulnerability was later reported for the Firefox extension.






Some ugly truths about zero-day exploits


If you've ever read about cybersecurity, the term "zero-day" is likely to have come up once in a while to describe vulnerabilities that are exploited before a patch for them exists. You'll also quickly find that these tend to be the deadliest. What they are and how they work has already been discussed succinctly by my colleague Simon Batt. But as you get deeper into the subject, you'll discover some things that perhaps you might have rather not known about, as you begin to think twice about everything you run on your devices (which isn't necessarily a bad thing). Cybersecurity studies such as this research from the folks at RAND Corporation (a U.S. Armed Forces think tank) demonstrate that zero-day exploits have many ways of showing us just how fragile our digital world is. Zero-day exploits aren't that har






Researchers warn of a new zero-day Microsoft Office vulnerability


Microsoft Office users are under attack today from a zero-day vulnerability that is not set to be patched until April 11. Security firm McAfee first publicly posted about the new zero-day vulnerability in Microsoft Word files on April 7, with security firm FireEye following with its own disclosure a day later on April 8. At this point, it's not entirely clear how many users may have already been exploited by the zero-day attack. "We plan to address this through an update on Tuesday, April 11, and customers who have updates enabled will be protected automatically," Microsoft wrote in a statement sent to eWEEK. "Meanwhile, we encourage customers to practice safe computing habits online, including exercising caution before opening unknown files and not downloading content from untrusted sources






A key ingredient of strong leadership: vulnerability


Strong leaders never show vulnerability, right? James R. Detert noticed something missing in his work on what makes for an effective leader, and the answer is surprising: to be seen as courageous, and therein inspiring, involves a willingness to be seen as vulnerable. (First published on Holy Kaw!)






WordPress fixes huge security vulnerability, all users instructed to update


Why it matters to you: Millions of websites large and small are built with WordPress, and users who ignore this update run the risk of a severe security breach. A serious vulnerability has been discovered in WordPress, and fixed as of its most recent stable release. All WordPress users are encouraged to make sure that they have updated their installation to version 4.7.2, as otherwise their site could be hijacked. It's thought that the exploit could give attackers the ability to modify the content on any post or page that's part of a site built with WordPress, as per a report from Tripwire. Obviously, this lends itself to garden variety vandalism, but there's also the threat of a much more troubling form of attack. The vulnerability could be used to introduce harmful links into other






Cisco Prime Home vulnerability could let attackers into your home network


Why it matters to you: As careful as you might be to keep your internet-connected devices updated, access to some of them, like your router and modem, is completely out of your control. As we connect more and more devices to the internet, we create more and more potential security vulnerabilities. While we're usually aware of the gadgets we use every day (our PCs, smartphones, and tablets), we might not always think about just how secure all of our other connected devices are, like networked cameras, cable boxes, and internet modems. Sometimes, our own devices can be compromised by systems outside of our control, such as internet service providers and other companies who can access our devices remotely. Cisco Prime Home is a system that such companies use to remotely manage things like set-top box






Struts vulnerability used to attack Canadian government sites


The open-source Apache Struts project first disclosed a high-impact, critical remote code execution vulnerability on March 6, and now it has claimed its first public victim. The Government of Canada confirmed on March 13 that some of its servers were breached by attackers making use of the Apache Struts flaw, also identified as CVE-2017-5638. While the public disclosure for the Apache Struts flaw came on Monday, March 6, Canadian federal IT security administrators apparently weren't aware of the issue until late on Wednesday, March 8. The admission came in an Ottawa briefing to Canadian media agencies on March 13. The Government of Canada took multiple sites down on March 9, including Statistics Canada as well as the Canada Revenue Agency (CRA) websites, with service not restored until March 12






WordPress 4.7.3 fixes cross-site scripting vulnerabilities


The open-source WordPress blogging and content management system (CMS) released a new incremental version on March 6, providing users with six new security patches and 39 bug fixes. The new WordPress 4.7.3 update is the third security update for WordPress so far in 2017, following the 4.7.2 update on Jan. 26 and the 4.7.1 update on Jan. 12. Among the patched issues is a flaw that could have enabled control characters to trick redirect validation. There is also a patch for a vulnerability that could have potentially enabled an administrator to delete unintended files. Additionally, WordPress 4.7.3 provides a patch for a cross-site request forgery (CSRF) issue in the Press This quick publishing capability. The single biggest area of patched vulnerabilities is cross-site scripting (XSS)
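One of the six patched issues above is described only as control characters tricking redirect validation. The example below is added here to show the class of bug; it is not WordPress code and does not reproduce the patched function. It pairs a naive redirect check that accepts any target beginning with a single `/` with a model of the browser's URL pre-processing, which per the WHATWG URL standard deletes ASCII tab and newline characters anywhere in the input, and then a hardened check that refuses targets carrying control characters before parsing them. The allowlisted host name is a constructed assumption.

```python
"""Open-redirect check bypassed by an embedded control character, beside a
hardened version.  Added example; the allowlist host is constructed."""
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.test"}            # constructed allowlist
FALLBACK = "/"

# ASCII C0 controls plus DEL.  A redirect target never legitimately contains these.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def browser_normalize(url: str) -> str:
    """Model the first steps of the WHATWG URL parser: strip leading/trailing
    C0 controls and spaces, then delete every ASCII tab, LF and CR anywhere."""
    return re.sub(r"[\t\n\r]", "", url.strip(_C0_AND_SPACE))


def naive_validate_redirect(target: str) -> str:
    """Common but flawed check: a path starting with one '/' is taken as local,
    '//' is rejected as protocol-relative, absolute URLs need an allowlisted host."""
    if target.startswith("/") and not target.startswith("//"):
        return target
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return FALLBACK


def hardened_validate_redirect(target: str) -> str:
    """Same policy, but control characters and backslashes are refused before
    any parsing, so the server and the browser judge the same string.
    (Browsers treat '\\' as '/' in http(s) URLs, so '/\\host' is '//host'.)"""
    if CONTROL_CHARS.search(target):
        return FALLBACK
    if "\\" in target or target.startswith("//"):
        return FALLBACK
    if target.startswith("/"):
        return target
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return FALLBACK


def compare(target: str) -> dict:
    """What the naive check returns, what the browser would actually load,
    and what the hardened check returns, for one redirect target."""
    return {
        "naive": naive_validate_redirect(target),
        "browser_sees": browser_normalize(target),
        "hardened": hardened_validate_redirect(target),
    }


if __name__ == "__main__":
    # '/' + TAB + '/evil...' passes the naive single-slash test, but the browser
    # deletes the tab and navigates to the protocol-relative //evil.example.test/
    for t in ("/account", "/\t/evil.example.test/", "https://evil.example.test/"):
        print(repr(t), compare(t))
```

The general lesson is that a validator must see the string the same way the consumer will; rejecting the characters whose handling differs is simpler and safer than trying to model every browser's normalization.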






Hundreds of Cisco switches vulnerable to flaw found in WikiLeaks files


Cisco is warning that the software used in hundreds of its products is vulnerable to a "critical"-rated security flaw, which can be easily and remotely exploited with a simple command. The vulnerability can allow an attacker to remotely gain access and take over an affected device. More than 300 switches are affected by the vulnerability, Cisco said in an advisory. According to the advisory, the bug is found in the Cluster Management Protocol code in Cisco's IOS and IOS XE software, which the company installs on the routers and switches it sells. An attacker can exploit






WhatsApp security flaw reveals you can apparently use WhatsApp in a browser


Security researchers just announced the discovery of major vulnerabilities in WhatsApp and Telegram, two popular messaging apps with end-to-end encryption, when used in an internet browser. In related news, you can use WhatsApp and Telegram in an internet browser. A team at Israeli security firm Check Point just disclosed details of the vulnerability, which let a hacker send a single image, embedded with malware, through a web browser and take complete control of the recipient's account. To be more specific, the hacker could send a message to any user and attach a malicious HTML document and then upload a picture as a preview image. When the user thinks they're opening an image file (in this case, a perennially hilarious fat cat meme), the poor sheep is






Everything you need to know about Cloudbleed, the latest internet security disas


Have you heard? A tiny bug in Cloudflare's code has led an unknown quantity of data, including passwords, personal information, messages, cookies, and more, to leak all over the internet. If you haven't heard of the so-called Cloudbleed vulnerability, keep reading. This is a scary big deal. Let's start with the good news. Cloudflare, one of the world's largest internet security companies, acted fast when security researcher Tavis Ormandy of Google's Project Zero identified the vulnerability. The bad news is that Cloudflare-backed websites had been leaking data for months before Ormandy noticed the bug. Cloudflare says the earliest data leak dates back to September 2016. It's so far unclear if blackhat hackers had already found the vulnerability and






LastPass is scrambling to fix another serious vulnerability


For the second time in two weeks, developers of the popular LastPass password manager are working to fix a serious vulnerability that could allow malicious websites to steal user passwords or infect computers with malware. Like the LastPass flaws patched last week, the new issue was discovered and reported to LastPass by Tavis Ormandy, a researcher with Google's Project Zero team. The researcher revealed the vulnerability's existence in a message on Twitter, but didn't publish any technical details about it that could allow attackers to exploit it. According to Ormandy, the flaw affects the latest version of the LastPass browser extension for all major browsers. He claims to have tested the exploit successfully on Windows and Linux, but believes that it likely works on Mac as well. If the exte






Apple patches vulnerability that led to cyberattack on 911 centers across the co


Why it matters to you: Last October's attack showed how easily our emergency response systems could be overloaded, and it will take effort like this to ensure it never happens again. Last fall, a hacker posted a Twitter link that resulted in tens of thousands of unintentional 911 calls from iPhones. When tapped, the link would immediately call 911, and when the user attempted to hang up the phone, it would simply redial until the device was turned off. With the latest iOS update, it appears Apple has patched this exploit, according to the Wall Street Journal. The scheme, developed by an 18-year-old in Arizona, reportedly affected emergency call centers in at least 12 states and operated as simple JavaScript code. Apple's fix relies on a change in the behavior of certain links in iOS 10.3. Now,






Hackers are attacking Word users with new Microsoft Office zero-day vulnerabilit


Attackers are exploiting a previously undisclosed vulnerability in Microsoft Word, which security researchers say can be used to quietly install different kinds of malware, even on fully patched computers. Unlike most document-related vulnerabilities, this zero-day bug, which has yet to be patched, doesn't rely on macros, for which Office typically warns users of the risks when opening macro-enabled files. Instead, the vulnerability is triggered when a victim opens a trick Word document, which downloads a malicious HTML application from a server, disguised to look like a rich text document file as a decoy. The HTML application meanwhile downloa






You don't need money to hear new music from this artist. You just need 'a gestur


Experimental pop musician Anohni, the artist formerly known professionally as Antony (of Antony and the Johnsons), is asking fans for unorthodox compensation for a new track from her forthcoming EP, "Paradise." All you need is "a gesture of anonymous vulnerability." Instead of "the dollar you used to send me in the olden days," Anohni said in a statement posted on Facebook, "if you would like the final song from 'Paradise,' e-mail me at [email protected] and share with me in a sentence or two what you care most about, or your hopes for the future." The "Paradise" EP, which will be released Friday, features six songs. A final, seventh, track will be available only to those who take her up on the challenge. She took an additional step of advising respondents not to make their responses abo






Microsoft fixes 'critical' Office Word security flaw under active attack


Microsoft has rolled out a patch for a previously undisclosed vulnerability in Microsoft Office, which if exploited could allow an attacker to install malware on fully patched computers. The company rolled out the fix as part of its regularly scheduled Patch Tuesday. In its security advisory, Microsoft said the "critical"-rated bug could allow an attacker to take control of an affected system, such as installing programs and creating new accounts with full user rights. News of the vulnerability spilled out over the weekend. Unlike some Office-related malware, attackers don't need to use macros. Instead, the vulnerability, which relates to the Windows Object Linking and Embedding (OLE) function, is triggered when a victim opens a trick Word document, which downloads a malicious HTML application fr
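Two items on this page turn on the same weakness: the Check Point WhatsApp/Telegram finding (a malicious HTML document delivered under the guise of an image preview) and the Word zero-day above (an HTML application fetched as a decoy "rich text" document). In both, what a file claims to be and what its bytes are do not agree. The check below is an added example, not code from any vendor named on this page: it sniffs the leading bytes of an upload or download, compares the result with the declared MIME type and the file extension, and rejects anything whose content is active (HTML or an HTA) no matter how it is labelled. The signature table, extension map and sample files are constructed for the example.

```python
"""Reject files whose declared type disagrees with their content, and any
content that is HTML/HTA regardless of label.  Added example; samples constructed."""
from typing import Dict, List, Optional, Tuple

# (leading bytes, MIME type), checked in order; first match wins.
MAGIC: List[Tuple[bytes, str]] = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"{\\rtf", "application/rtf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/msword"),   # OLE2 compound file
    (b"PK\x03\x04", "application/zip"),                            # also OOXML .docx
]

# Constructed map of the extensions this service accepts.
EXTENSION_MIME: Dict[str, str] = {
    "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png", "gif": "image/gif",
    "rtf": "application/rtf", "doc": "application/msword", "docx": "application/zip",
}

ACTIVE_CONTENT = {"text/html", "application/hta"}


def sniff(data: bytes) -> str:
    """Identify content by its bytes, never by what the sender says it is."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    head = data[:2048].lstrip().lower()
    if b"<hta:application" in head:              # HTML Application marker
        return "application/hta"
    if head.startswith((b"<!doctype html", b"<html")) or b"<script" in head:
        return "text/html"
    return "application/octet-stream"


def extension_of(filename: str) -> Optional[str]:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else None


def check_upload(filename: str, declared_mime: str, data: bytes) -> Dict[str, object]:
    """Return a verdict plus reasons; accept only a consistent, inert file."""
    sniffed = sniff(data)
    reasons: List[str] = []
    if sniffed != declared_mime.split(";", 1)[0].strip().lower():
        reasons.append(f"declared {declared_mime} but content sniffs as {sniffed}")
    ext = extension_of(filename) or "?"
    if EXTENSION_MIME.get(ext) != sniffed:
        reasons.append(f"extension .{ext} does not match {sniffed}")
    if sniffed in ACTIVE_CONTENT:
        reasons.append("active content (HTML/HTA) is never accepted as an attachment")
    return {"verdict": "reject" if reasons else "accept", "sniffed": sniffed, "reasons": reasons}


# Constructed samples: a real PNG header, a real RTF header, an HTML page
# labelled as a JPEG, and an HTA labelled as RTF.
SAMPLES: Dict[str, Tuple[str, str, bytes]] = {
    "png_ok":      ("cat.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "rtf_ok":      ("memo.rtf", "application/rtf", b"{\\rtf1\\ansi Hello}"),
    "html_as_jpg": ("cat.jpg", "image/jpeg",
                    b"<!DOCTYPE html><html><script>fetch('/steal')</script></html>"),
    "hta_as_rtf":  ("invoice.rtf", "application/rtf",
                    b"<html><head><hta:application id='x'></head><script>x()</script></html>"),
}


def scan_samples() -> Dict[str, str]:
    """Verdict for every constructed sample."""
    return {name: str(check_upload(*args)["verdict"]) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, args in SAMPLES.items():
        print(name, check_upload(*args))
```

Sniffing is a first gate, not a complete defence: polyglot files that are simultaneously a valid image and valid HTML exist. Pair it with serving user content from a separate origin, `Content-Disposition: attachment`, and `X-Content-Type-Options: nosniff`, and never let a type asserted by the client decide how the recipient renders the file.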






Photos: Protesters welcome refugees, protest Trump policy at airports across U.S.


Brandon Wade / Associated Press. Gallery: Southern Methodist University student Osama Aloabi, left, and his brother, an SMU graduate, Tarek Alolabi, right, demonstrate against President Donald Trump's executive order barring Muslims from certain Middle Eastern countries from entering the United States, at Dallas Fort Worth Airport, Saturday, Jan. 28, 2017, in Dallas. The Aloabis' parents, who are Syrian, are being detained by immigration officials at the airport.