Gaurdio researchers recently uncovered a major cross site scripting (XSS) flaw in the Chrome extension for the popular note-taking app Evernote. The vulnerability made it possible for threat actors to steal highly sensitive data belonging to more than 4.6 million users. By exploiting the flaw, attackers could obtain unauthorized “access

Security researchers at CyberMDX have uncovered a highly dangerous vulnerability in the Alaris Gateway Workstation produced by BD. The vulnerable device is used in hospitals to “provide mounting, power, and communication support to infusion pumps,” which are used for “a wide range of therapies including fluid therapy, blood transfusions, chemotherapy,

New research by Sanguine Security shows that cyberattacks on websites relying on e-commerce content management system (CMS) Magento are surging due to increased activity by two hacking groups. The number of hacked websites using Magento 2.x has been doubling every month since March of this year. The campaigns are exploiting

Security researchers at Preempt are warning that all Windows machines that don’t have the latest security patches installed, are vulnerable to remote code execution (RCE) attacks as the result of two critical flaws affecting NTLM, a key Microsoft security protocol providing authentication. By exploiting the vulnerabilities, threat actors can “remotely

New research by academics from the US, Austria, and Australia outlines an entirely new type of Rowhammer attack that can enable threat actors to steal data from targeted machines, rather than merely tampering with it, as was the case with previous Rowhammer attacks. Rowhammer is a name for a variety

As part of Patch Tuesday, Microsoft has issued fixed for 88 vulnerabilities in its products, 21 of which were critical security flaws. Patches were also released for the following 4 zero-days that have been released by Windows exploit developer SandboxEscaper since May. CVE-2019-1069 – A local privilege escalation (LPE) flaw

New research by bug bounty firm HackerOne shows that cross-site scripting (XSS) vulnerabilities are still the most common type of security flaw found in web applications. XSS flaws can enable attackers to inject malicious code into websites in order to steal sensitive information from users. Miju Han of HackerOne says

Once again, Windows exploit developer SandboxEscaper has released a new zero-day exploit without disclosing the issue to Microsoft first. Last month, SandboxEscaper released five Windows exploits in a week. One of those exploits was a bypass for a patch that fixed a local privilege-escalation (LPE) flaw tracked as CVE-2019-0841. The

Microsoft is urging users to update a two-year-old vulnerability that is being used in a fresh wave of attacks. The flaw, tracked as CVE-2017-11882, was patched in 2017, but many unpatched systems remain vulnerable. The new campaign involves spam emails containing malicious RTF attachments capable of exploiting the vulnerability in order

Qualys researchers have discovered a critical security flaw that renders the majority of all email servers on the web vulnerable to remote command execution (RCE) attacks. The vulnerable service is Exim, a highly popular program that is being used by 57% of all email servers. Remote command execution is not the