Security Alerts & News
by Tymoteusz A. Góral

History
#1673 Wix.com security flaw places millions of websites at risk
An XSS vulnerability discovered on the Wix.com platform is putting millions of websites and their users at risk of attack.

The website hosting provider, which offers free drag-and-drop website building tools, hosts millions of websites and has 87 million registered users, all of which are currently vulnerable to an XSS bug that attackers could use to create worms capable of taking over administrator accounts. This, in turn, gives attackers full control over the affected websites.

On Wednesday, Matt Austin, security research engineer with Contrast Security, said in a blog post that Wix.com has a severe DOM XSS vulnerability which can be exploited by simply adding a single parameter to any site created on Wix.com.
#1672 Teen pleads guilty to creating DDoS tool used in 1.7 million attacks
A 19-year-old from Hertfordshire in the UK has pleaded guilty to creating and running the Titanium Stresser booter service, with which he launched 594 distributed denial of service (DDoS) attacks.

According to a statement put out by the Bedfordshire Police, Adam Mudd developed the tool when he was just 15 years old.

He didn’t just use it to launch his own DDoS attacks. He also sold it online and ran it as a service, distributing it to cyber crooks.

Investigators are still working out the total amount Mudd made from the attacks, but their preliminary estimate is around $385,000.

Investigators determined that Mudd’s stresser – a tool used to flood networks with data, bogging them down until they’re dead in the water, non-functional and vulnerable to compromise – was used in more than 1.7 million DDoS attacks worldwide.
#1671 Mirai botnet attackers are trying to knock an entire country offline
One of the largest Distributed Denial-of-Service (DDoS) attacks happened this week and almost nobody noticed.

Since the cyberattack on Dyn two weeks ago, the internet has been on edge, fearing another massive attack that would throw millions off the face of the web. The attack was said to be upwards of 1.1Tbps -- more than double the attack a few weeks earlier on security reporter Brian Krebs' website, which was about 620Gbps in size, said to be one of the largest at the time. The attack was made possible by the Mirai botnet, an open-source botnet that anyone can use, which harnesses the power of insecure Internet of Things (IoT) devices.

This week, another Mirai botnet, known as Botnet 14, began targeting a small, little-known African country, sending it almost entirely offline each time.

Security researcher Kevin Beaumont, who was one of the first to notice the attacks and wrote about what he found, said that the attack was one of the largest capacity botnets ever seen.
#1670 Cisco patches critical bugs in 900 Series routers, Prime Home server
Cisco Systems has issued two critical advisories addressing flaws in a variety of enterprise-class products ranging from its 900 Series Routers to its Cisco Prime Home server and cloud-based network management platform.

Service providers running Cisco ASR 900 Series routers are being warned that a vulnerability in the Transaction Language 1 (TL1) code of the router could allow an unauthenticated, remote attacker to cause a reload of, or remotely execute code on, the affected system, according to the advisory.

Cisco said software updates are available to patch the flaw (CVE-2016-6441) and that workarounds are also available that address the security vulnerability.
#1669 Outlook web access two-factor authentication bypass exists
Enterprises running Exchange Server have been operating under a false sense of security with regard to two-factor authentication implementations on Outlook Web Access (OWA) adding an extra layer of protection.

A design weakness has been exposed that can allow an attacker to easily bypass 2FA and access an organization’s email inboxes, calendars, contacts and more.

The problem lies in the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA, and EWS is not covered by two-factor authentication. EWS is enabled by default and shares the same port and server as OWA, meaning an attacker with [stolen] credentials can remotely access EWS, which talks to the same backend infrastructure as OWA, and thereby gain access to a user’s inbox.
#1668 GitLab patches command execution vulnerability
Developers with GitLab this week fixed a critical vulnerability in the open source repository management software that could have led to command execution and allowed an authenticated user to gain access to sensitive application files, tokens, or secrets.

HackerOne cofounder Jobert Abma unearthed the vulnerability last week and reported it to the company through GitLab’s bug bounty program. GitLab addressed the issue (CVE-2016-9086) when it rolled out version 8.13.3 of the software late Wednesday.
#1667 Cisco job applicants warned of potential mobile site data leak
Users of Cisco's Professional Careers mobile site, mjobs.cisco.com, have been warned of a potential leak of their data, which the networking giant is pinning on an incorrect security setting.

"Cisco's investigation found this to be the result of an incorrect security setting following system maintenance on a third-party's website," the company said in its advisory. "Upon learning this, the setting was immediately corrected and user passwords to the site were reset."

The setting was found to be in place between August and September 2015, and July and August 2016, the company said.