FreshRSS

Naked Security

Ghostscript bug could allow rogue documents to run system commands

By: Paul Ducklin — July 4th 2023 at 17:57
Even if you've never heard of the venerable Ghostscript project, you may have it installed without knowing.

Naked Security

ASUS warns router customers: Patch now, or block all inbound requests

By: Paul Ducklin — June 20th 2023 at 16:14
"Do as we say, not as we do!" - The patches took ages to come out, but don't let that lure you into taking ages to install them.

Naked Security

PaperCut security vulnerabilities under active attack – vendor urges customers to patch

By: Paul Ducklin — April 25th 2023 at 17:53
If you have the product, but you haven't patched - well, the crooks have now landed, so please don't delay. Do it today...

Naked Security

Apple zero-day spyware patches extended to cover older Macs, iPhones and iPads

By: Paul Ducklin — April 10th 2023 at 20:20
That double-whammy Apple browser-to-kernel spyware bug combo we wrote up last week? Turns out it applies to all supported Macs and iDevices - patch now!

Naked Security

WooCommerce Payments plugin for WordPress has an admin-level hole – patch now!

By: Paul Ducklin — March 24th 2023 at 17:48
Admin-level holes in websites are always a bad thing... and for "bad", read "worse" if it's an e-commerce site.

Naked Security

Dangerous Android phone 0-day bugs revealed – patch or work around them now!

By: Paul Ducklin — March 17th 2023 at 17:56
Despite its usually inflexible 0-day disclosure policy, Google is keeping four mobile modem bugs semi-secret due to likely ease of exploitation.

Naked Security

Popular JWT cloud security library patches “remote” code execution hole

By: Paul Ducklin — January 10th 2023 at 17:59
It's remotely triggerable, but attackers would already have pretty deep network access if they could "prime" your server for compromise.

Naked Security

Credit card skimming – the long and winding road of supply chain failure

By: Paul Ducklin — December 8th 2022 at 17:58
Don't keep calling home to a JavaScript server that closed its doors eight years ago!

Naked Security

Slack admits to leaking hashed passwords for five years

By: Paul Ducklin — August 8th 2022 at 15:14
"When those invitations went out... somehow, your password hash went out with them."

Naked Security

“VMware Spring Cloud Function” Java bug gives instant remote code execution – update now!

By: Paul Ducklin — March 30th 2022 at 20:38
Easy unauthenticated remote code execution - PoC code already out

Naked Security

Apple patches 87 security holes – from iPhones and Macs to Windows

By: Paul Ducklin — March 15th 2022 at 16:36
Lots of fixes, with data leakage flaws and code execution bugs patched on iPhones, Macs and even Windows.

Naked Security

Apple fixes Safari data leak (and patches a zero-day!) – update now

By: Paul Ducklin — January 27th 2022 at 21:09
That infamous "supercookie" bug in Safari has now been fixed. Oh, and there was a zero-day kernel hole as well.

Naked Security

“Log4Shell” Java vulnerability – how to safeguard your servers

By: Paul Ducklin — December 10th 2021 at 16:22
Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j product
