Wordpress update breaks auto-update, and Wordpress DoS method remains unpatched yet exploited in the wild
Wordpress had a pretty rough week. If you run a WP installation, you probably have to update manually for once to fix the auto-update bug.
Also, a researcher found a very easy way to DoS a Wordpress setup, which Wordpress themselves seem unwilling to fix. An unofficial patch is available.
iBoot is the application responsible for booting iOS, and a prime target for jailbreaks. The leaked code is a few years old and the fact that it's now public doesn't pose a serious risk though, but it made headlines though and might aid malware developers.
The above article describes the Smominru botnet which has infected of 500.000 Windows machines. This article describes another botnet named DDG, which has infected over 4000 Redis and OrientDB hosts.
The botnets seem quite succesful. Smominru has netted its creators over $2.8 million, adding $8.500 to the take per day. And DDG has made over $925.000 so far.
Grammarly is a grammar checking browser extension used by about 22 million people. As part of its functionality it reads and stores documents. Any site could get your auth token and log in to your Grammarly account. It's now fixed, make sure you run the latest version.
This tool allows you to specify a search instruction, say a certain version of Apache. It will then use Shodan (the Internet-wide portscanner) to gather public machines that use this module, and will then run the relevant Metasploit modules to try and hack them. No rocket science, but quite controversial.
Speaking of Metasploit, a researcher has ported several NSA exploits, known as EternalChampion, EternalRomance and EternalSynergy, to all Windows versions since Windows 2000, and made them available in the Metasploit framework.
It really seemed to have been a bug, and they are now blocking such incoming data server side, but you might want to update your Mixpanel SDK nonetheless.
The first step was to do this for all HTTP sites that contained password or payment fields. The next step is to do it for -all- sites starting in July.
They point to the fact that any time a wallet address is created to transfer funds to, it could be changed to a different address by malware on your system. I'm not super sure this qualifies as an actual vulnerability, but at least it's a reminder to verify the actual address before you transfer funds. Their report explains it pretty well.
Open-source shell script that checks if your Linux installation is vulnerable to Spectre and Meltdown.
Attackers only need to find and exploit one vulnerability in your web application to create havoc.
Fleetsmith is a fantastic solution for keeping your macOS devices managed and secure, used by yours truly every day. It fully integrates with G Suite, and you can try it free with 10 devices for as long as you need.