Author: Ionut Arghire

Cosmetics company Estée Lauder exposed 440 million records to the Internet in a database that was left accessible without proper protection, a security researcher says. Headquartered in New York, Estée Lauder sells products in more than 135 countries and territories. The Estée Lauder Companies owns multiple internationally renowned brands. The exposed database was discovered on January 30 by Security Discovery security researcher Jeremiah Fowler, who attempted to contact Estée Lauder immediately after identifying user email addresses in the database. In total, 440,336,852 records were inadvertently exposed to the Internet, including audit logs containing a large number of email addresses in…

Critical vulnerabilities addressed in the Accusoft ImageGear library could be exploited by remote attackers to execute code on a victim machine, Cisco Talos' security researchers report. A document-imaging developer toolkit, ImageGear was designed to give users the ability to convert, create, and edit images, among other things. Vulnerable functions in the library, however, expose users' machines to code execution. Cisco Talos' researchers discovered a total of seven vulnerabilities in version 19.5.0 of the Accusoft ImageGear library, all of which are described as out-of-bounds write issues. All seven vulnerabilities were identified in the igcore19d.dll library of Accusoft…

Beginning in March, when Firefox 74 is set to arrive in the release channel, Mozilla will disable older Transport Layer Security (TLS) protocol versions as default options for secure connections. An improvement over the Secure Sockets Layer (SSL) protocol, TLS is meant to improve the security of the Web, but flaws and weaknesses in older iterations, specifically TLS 1.0 and TLS 1.1, and in the legacy cipher constructions they depend on, leave connections open to attacks such as BEAST, CRIME and POODLE. The newer TLS 1.2 and TLS 1.3 versions are both faster and safer, and major browser vendors have already laid out plans to deprecate the older releases to…

Thousands of code repositories were found exposed in over one hundred Docker registries that are accessible from the Internet without authentication, Palo Alto Networks reports. Containing critical business data such as application source code and historical versions, these registries could put an organization's entire cloud infrastructure at risk. Exposure could result in stolen proprietary intellectual property, hijacked operation-critical data, or malicious code being injected. Docker registries are servers where Docker images are stored and organized into repositories, with each repo containing images of one application and multiple versions of the application, each with a unique tag. Docker registries include…
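The check a defender (or a pentester) would run against such a registry is a walk of the Registry HTTP API v2: an anonymous GET on /v2/ that returns 200 instead of 401 means no authentication is enforced, /v2/_catalog lists the repositories, and /v2/NAME/tags/list lists the versions of each. The script below is an added example written for this page, not code from Palo Alto Networks or the Docker project; the endpoints are the real API, but the fetch function is injectable so the logic runs offline against constructed sample responses (the host names and repository names are made up).

```python
"""Audit a Docker registry for anonymous access and enumerate its contents.

Registry HTTP API v2 endpoints used (these are the real endpoints):
  GET /v2/                 -> 200 if anonymous access works, 401 if auth is required
  GET /v2/_catalog         -> {"repositories": [...]}
  GET /v2/<name>/tags/list -> {"name": ..., "tags": [...]}
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher maps a URL to (HTTP status, body text); swapping it lets the
# same logic run against a live registry or against canned responses.
Fetcher = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Live fetcher for real use (not exercised by the offline demo)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def registry_allows_anonymous(base: str, fetch: Fetcher) -> bool:
    """A 200 on /v2/ means the registry answered without credentials."""
    status, _ = fetch(f"{base}/v2/")
    return status == 200


def enumerate_registry(base: str, fetch: Fetcher) -> Dict[str, List[str]]:
    """Return {repository: [sorted tags]} for an open registry.

    An empty dict means the registry refused anonymous access (or the
    catalog endpoint failed), so the caller can tell "locked down" apart
    from "open but empty". Production use should also follow the Link
    header that /v2/_catalog returns when the listing is paginated.
    """
    if not registry_allows_anonymous(base, fetch):
        return {}
    status, body = fetch(f"{base}/v2/_catalog")
    if status != 200:
        return {}
    inventory: Dict[str, List[str]] = {}
    for repo in json.loads(body).get("repositories", []):
        status, body = fetch(f"{base}/v2/{repo}/tags/list")
        tags = []
        if status == 200:
            tags = json.loads(body).get("tags") or []  # "tags" is null for empty repos
        inventory[repo] = sorted(tags)
    return inventory


# Constructed sample responses standing in for two hypothetical registries.
OPEN_REGISTRY = {
    "/v2/": (200, "{}"),
    "/v2/_catalog": (200, json.dumps({"repositories": ["billing/api", "web/frontend"]})),
    "/v2/billing/api/tags/list": (200, json.dumps({"name": "billing/api", "tags": ["1.3.0", "1.2.9", "latest"]})),
    "/v2/web/frontend/tags/list": (200, json.dumps({"name": "web/frontend", "tags": ["2024.1"]})),
}
LOCKED_REGISTRY = {
    "/v2/": (401, json.dumps({"errors": [{"code": "UNAUTHORIZED"}]})),
}


def fake_fetcher(table: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Build a fetcher that answers from a constructed path -> response table."""
    def fetch(url: str) -> Tuple[int, str]:
        path = urllib.parse.urlsplit(url).path
        return table.get(path, (404, "{}"))
    return fetch


if __name__ == "__main__":
    for name, table in (("registry.example:5000", OPEN_REGISTRY), ("locked.example:5000", LOCKED_REGISTRY)):
        base = f"http://{name}"
        print(base, "anonymous:", registry_allows_anonymous(base, fake_fetcher(table)))
        for repo, tags in enumerate_registry(base, fake_fetcher(table)).items():
            print(f"  {repo}: {', '.join(tags)}")
```

To point it at a real host, call enumerate_registry("https://registry.example:5000", http_fetch); the same 200-on-/v2/ test is what a scanner uses to flag an unauthenticated registry, and a non-empty inventory is the list of images an attacker could pull or, with push access, overwrite.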

The City of North Miami Beach last week announced that ransomware was found on computers within its police department’s network. The attack was discovered on Tuesday and the FBI, the Secret Service, and the Miami-Dade Police Department were immediately alerted. In a statement released on Friday, the City of North Miami Beach noted that there had been no interruption in public safety services and that the police department continues to conduct all operations. “At this time, it appears that no other department or city service has been affected,” the statement reads (PDF). Upon discovering the ransomware, IT personnel within the…

Over the course of 2019, Facebook paid security researchers a total of $2.2 million in rewards for vulnerability reports submitted to the social media platform's bug bounty program. The company received a total of 15,000 vulnerability reports, but paid monetary rewards for only 1,300 of them, to security researchers from over 60 countries. The average bounty reward was more than $1,500, Facebook says. For comparison, the social platform paid more than $1.1 million for over 700 valid reports submitted to its bug bounty program in 2018, and more than $880,000 for over 400 valid reports in 2017. Since 2011,…

In an attempt to improve the security of its users, the Chrome browser will soon start blocking insecure downloads on HTTPS pages, Google announced. The plan, which the Internet giant laid out this week, is expected to be completed sometime in the fall, when Chrome 86 arrives. The announcement comes just days after the release of Chrome 80, which by default blocks mixed audio and video resources if they cannot be automatically upgraded to HTTPS. The same will happen with image files in Chrome 81, which is expected to be released to the stable channel in March 2020. In the…

More than 80 percent of organizations impacted by CVE-2019-19781, a critical vulnerability in the Citrix Application Delivery Controller (ADC) and Gateway, have already taken steps to secure their deployments.  Disclosed in December 2019 and exploited in the wild shortly after, the vulnerability was estimated to expose around 80,000 companies in 158 countries to remote attacks.  The security bug impacts multiple versions of Citrix ADC and Gateway (previously known as NetScaler ADC and NetScaler Gateway), but Citrix has already released permanent patches for all of them, as attacks started to ramp up. The company also published a tool to detect compromise.…

One of the security flaws that Google addressed with the February 2020 set of Android patches is a critical vulnerability in Bluetooth that could lead to code execution. A total of 25 vulnerabilities were fixed with Android's February 2020 security updates, the most important of them being two critical-severity issues in System. One of these is CVE-2020-0022, a bug in the Bluetooth component that an attacker can exploit remotely to run arbitrary code on vulnerable devices. An attacker within Bluetooth range can exploit the flaw for silent code execution with the privileges of the Bluetooth daemon.…

Malicious optimizer, booster, and utility applications hosted on Google Play gathered nearly half a million downloads before being taken down, Trend Micro reports. The apps, which are detected by the company’s products as AndroidOS_BadBooster.HRX, were designed to perform activities such as ad fraud, and to download around 3,000 malware variants or other malicious payloads to the infected devices. Active since 2017, the campaign involved 9 malicious applications, with a collective download count of more than 470,000. Four of the apps gathered more than 100,000 downloads each before Google removed them from the official storefront. All of the offending apps —…