Four vulnerabilities in Microsoft Teams, unpatched since March, allowed spoofing of link previews and opened the door to denial-of-service attacks against Android users, researchers said. Researchers from Positive Security discovered the four bugs in Teams' link preview feature earlier this year and reported them to Microsoft on March 10. So far, only one of the bugs, one that allowed attackers to leak the IP addresses of Android users, appears to have been patched by the company. READ MORE...
Sophos Labs researchers have detected the use of a novel exploit able to bypass the patch for a critical vulnerability (CVE-2021-40444) in Microsoft's MSHTML engine, which is exploited through malicious Office documents. The attackers took a publicly available proof-of-concept Office exploit and weaponized it to deliver Formbook malware. They then distributed it through spam emails for approximately 36 hours before it disappeared. READ MORE...
By impersonating 121 brands, scammers managed to defraud users in over 90 countries of an estimated $80 million per month, Singapore-based threat hunting and intelligence firm Group-IB reveals. As part of the scheme, the fraudsters lured victims with fake surveys and giveaways purportedly from popular brands, which were in fact designed to steal victims' personal information and credit card data. READ MORE...
Major services across the internet are currently facing ongoing networking outages, including Amazon, AWS, Hulu, Slack, Imgur, Asana, Grindr, Scruff, HubSpot, Zendesk, and other popular sites and services. Tests by BleepingComputer confirmed that instant messages and file uploads have been failing on Slack, and that connectivity is also impacted. Amazon has confirmed that a power cut at its US-EAST-1 data center is impacting services that rely on the affected Availability Zone. READ MORE...
The Apache Log4j vulnerability, now called Log4Shell (CVE-2021-44228), took security teams by surprise and the Internet by storm. A seemingly innocuous logging library has been used by attackers to take control of vulnerable applications. Apache has rated the vulnerability as critical and has published a patch in an attempt to contain the potential damage; Log4Shell has also received the maximum CVSS score of 10.0. READ MORE...
Two security vulnerabilities, one critical and one of high severity, in the highly popular "All in One SEO" WordPress plugin exposed over 3 million websites to takeover attacks. The flaws, discovered and reported by Automattic security researcher Marc Montpas, are a critical Authenticated Privilege Escalation bug (CVE-2021-25036) and a high severity Authenticated SQL Injection (CVE-2021-25037). READ MORE...
Two widely used walk-through metal detectors made by Garrett are vulnerable to several remotely exploitable flaws that could severely impair their functionality, rendering security checkpoints deficient. Garrett is a well-known US-based manufacturer of hand-held and walk-through metal detectors commonly deployed in security-critical environments such as sports venues, airports, banks, museums, ministries, and courthouses. READ MORE...