JavaScript Attack Can Break ASLR

BleepingComputer has reported that security researchers discovered a new attack that can be carried out in nearly any browser using nothing but JavaScript. Even with the protections and sandboxing of today’s modern browsers (Google Chrome, Microsoft Edge, Opera, and Mozilla Firefox), it can break the address space layout randomization (ASLR) that most of today’s central…

WordPress 4.7.2: Hidden Exploit Fix


The recently released version 4.7.2 of WordPress contained an additional security fix that was not disclosed in the changelog at release time. The issue? A privilege escalation / content injection bug in the REST API that could allow anyone to edit any post. How? Part of the REST API had an…

Release: WordPress 4.7.2


Last week WordPress released the second security update for version 4.7. Three security issues were fixed:
- The interface for assigning taxonomy terms in Press This was shown to users who did not have permission to use it.
- An SQL injection vulnerability in the WP_Query class was patched, so that poorly coded plugins and themes that pass unsanitized values into it no longer fall victim (involving post types)…
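To make the WP_Query item concrete, here is an added, constructed illustration of the injection class it describes: a query builder that takes a list of post types (which a poorly coded plugin might have read straight from a request parameter) and filters to published posts. This is not WordPress or WP_Query code; it is a small sqlite-backed stand-in with one builder that splices the values into the SQL and one that binds them as parameters. The table layout, the sample rows and the crafted post_type value are all assumptions made for the example.

```python
"""Constructed illustration of the post_type SQL-injection class (not WordPress code)."""
import sqlite3

# Constructed sample data: two published posts and one private post that a
# caller of this query must never be able to read through it.
SAMPLE_POSTS = [
    (1, "post", "publish", "Hello world"),
    (2, "page", "publish", "About"),
    (3, "post", "private", "Unreleased earnings"),
]


def make_db():
    """In-memory sqlite stand-in for the posts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER, post_type TEXT, post_status TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    return conn


def published_titles_unsafe(conn, post_types):
    """Vulnerable: each post_type value is quoted by hand and spliced into the SQL."""
    quoted = ", ".join(f"'{t}'" for t in post_types)
    sql = (
        "SELECT title FROM posts "
        f"WHERE post_type IN ({quoted}) AND post_status = 'publish'"
    )
    return [row[0] for row in conn.execute(sql)]


def published_titles_safe(conn, post_types):
    """Hardened: one bound parameter per value, so data can never change the query shape."""
    placeholders = ", ".join("?" for _ in post_types)
    sql = (
        "SELECT title FROM posts "
        f"WHERE post_type IN ({placeholders}) AND post_status = 'publish'"
    )
    return [row[0] for row in conn.execute(sql, list(post_types))]


# Crafted post_type value (constructed for the example): closes the IN list,
# ORs in a tautology, and comments out the post_status check that follows.
MALICIOUS_POST_TYPE = "post') OR 1=1 --"


def demo():
    """Run both builders on a normal and a crafted post_type list."""
    conn = make_db()
    return {
        "normal_unsafe": published_titles_unsafe(conn, ["post", "page"]),
        "normal_safe": published_titles_safe(conn, ["post", "page"]),
        "attack_unsafe": published_titles_unsafe(conn, [MALICIOUS_POST_TYPE]),
        "attack_safe": published_titles_safe(conn, [MALICIOUS_POST_TYPE]),
    }


if __name__ == "__main__":
    for name, titles in demo().items():
        print(f"{name}: {titles}")
```

With a normal list both builders return the same two published titles. With the crafted value the string-spliced builder also returns the private post, because the value rewrote the WHERE clause; the parameterised builder returns nothing, because no row has that literal post_type. The lesson for plugin authors is the same one the WordPress fix enforces for them: values that reach a query must be bound or escaped by the query layer, not trusted because they "look like" post types.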

Browsers’ Interfaces Are Insecure

As browsers continue to add new features, many of them need to notify the user or ask for confirmation. These notifications and dialogs are drawn outside the browser’s own trusted interface: they appear inside, or on top of, the content window, which must be considered untrusted because a page author can display anything there. This means that content developers…

Release: PHP 7.0.15, 7.1.1, 5.6.30


PHP has released security updates for versions 7.0, 7.1, and 5.6. Since these are security releases, updating to them is HIGHLY recommended. Updating is also worthwhile because a number of odd bugs in earlier versions, hit only in rare cases, could cause hangs or segfaults (crashes)…

Release: WordPress 4.7.1


WordPress, the open-source blogging and CMS platform, has released version 4.7.1, a security update to version 4.7. The update fixes eight (8) security issues as well as sixty-two (62) other bugs found in 4.7. Remote code execution (RCE) in PHPMailer: no specific issue appears to affect WordPress or any of the major…

Chrome Changes: Encryption Notification


Google Chrome version 56 (based on the open-source Chromium web browser) is scheduled for release at the end of the month. One of the major user-facing changes is how sites served without encryption (HTTPS) will be presented. Until now there has only been a lowercase letter “i” inside a circle, which was typically an indicator…

2016: Banner Year for Encryption

Graph showing the massive issuance of new secure/encryption certificates throughout 2016.

The Electronic Frontier Foundation (EFF) reported on the number of websites using encryption (HTTPS) to secure the traffic between the browser and the web server. For the first time since the inception of the Internet, the majority (more than half) of web traffic was encrypted! Site size did not matter: large and small websites…

PHPMailer Vulnerability


A new Remote Code Execution (RCE) vulnerability was reported on Christmas, but details were only released recently. PHPMailer has already issued a patch (though its maintainers are not fully confident in it), and WordPress (which uses PHPMailer) is considering issuing a security patch for current versions as well. The vulnerability allows the FROM address, when…
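The teaser above ends just as it starts to explain the role of the FROM address, so here is an added, constructed illustration of the general class it belongs to: a user-controlled sender string reaching a local mail binary's command line. This is not PHPMailer's code and does not reproduce its patch; it simulates a wrapper that hands the envelope sender to a sendmail binary as "-f<sender>". The binary path, the strict address grammar and the injected flag are assumptions made for the example, and nothing is actually executed.

```python
"""Constructed illustration of sender-address argument injection (not PHPMailer code)."""
import re
import shlex

SENDMAIL = "/usr/sbin/sendmail"  # assumed path; the example never runs it

# Strict envelope-sender grammar (an assumption for this example): a single
# addr-spec with no whitespace or shell metacharacters. It is deliberately
# narrower than RFC 5322 so nothing that a word-splitter could turn into a
# separate argument gets through.
_SENDER_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_safe_sender(addr):
    """True only for a plain addr-spec such as alice@example.com."""
    return _SENDER_RE.fullmatch(addr) is not None


def build_argv_unsafe(sender):
    """Vulnerable: builds one command string, then word-splits it the way a shell would.

    Any whitespace inside `sender` becomes additional arguments to sendmail.
    """
    cmd = f"{SENDMAIL} -t -i -f{sender}"
    return shlex.split(cmd)


def build_argv_safe(sender):
    """Hardened: validate first, then pass argv as a list so no splitting ever happens."""
    if not is_safe_sender(sender):
        raise ValueError(f"refusing unsafe envelope sender: {sender!r}")
    return [SENDMAIL, "-t", "-i", f"-f{sender}"]


def safe_argv_or_none(sender):
    """Convenience wrapper: None when the hardened path rejects the sender."""
    try:
        return build_argv_safe(sender)
    except ValueError:
        return None


# Constructed inputs: a benign address, and one that smuggles a hypothetical
# extra option after a space. The option name is made up for the example.
BENIGN = "alice@example.com"
INJECTED = "alice@example.com --hypothetical-option=/path/chosen/by/attacker"


if __name__ == "__main__":
    for label, sender in (("benign", BENIGN), ("injected", INJECTED)):
        print(f"{label} unsafe argv: {build_argv_unsafe(sender)}")
        print(f"{label} safe   argv: {safe_argv_or_none(sender)}")
```

For the benign address both paths produce the same four-element argv. For the injected string the string-built path yields a fifth argument that sendmail would interpret as its own option, while the hardened path rejects the sender outright. The two defences are independent and both matter: validating the address closes the door for this wrapper, and passing argv as a list (never a shell-interpreted string) removes the word-splitting step that made the injection possible at all.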