Vulnerabilities / Threats // Vulnerability Management
News & Commentary
NFL Mobile Sports App Contains Super Bowl-Sized Vulns
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Lack of protections puts users at risk of exposed information by way of man-in-the-middle attacks.
By Ericka Chickowski Contributing Writer, Dark Reading, 1/27/2015
Comment6 comments  |  Read  |  Post a Comment
Adobe Fixes Second Flash Flaw Exploited By Angler
Ericka Chickowski, Contributing Writer, Dark ReadingNews
Second 0-day fix addresses UAF vulnerability.
By Ericka Chickowski Contributing Writer, Dark Reading, 1/26/2015
Comment1 Comment  |  Read  |  Post a Comment
Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit
Kelly Jackson Higgins, Executive Editor at Dark ReadingQuick Hits
Researcher Kafeine's 0day discovery confirmed by Malwarebytes.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/21/2015
Comment2 comments  |  Read  |  Post a Comment
The Truth About Malvertising
Peter Zavlaris, Analyst, RiskIQCommentary
Malvertising accounts for huge amounts of cyberfraud and identity theft. Yet there is still no consensus on who is responsible for addressing these threats.
By Peter Zavlaris Analyst, RiskIQ, 1/16/2015
Comment7 comments  |  Read  |  Post a Comment
4 Mega-Vulnerabilities Hiding in Plain Sight
Giora Engel, VP Product & Strategy, LightCyberCommentary
How four recently discovered, high-impact vulnerabilities provided ďgod modeĒ access to 90% of the Internet for 15 years, and what that means for the future.
By Giora Engel VP Product & Strategy, LightCyber, 1/14/2015
Comment1 Comment  |  Read  |  Post a Comment
2015: The Year Of The Security Startup – Or Letdown
Tim Wilson, Editor in Chief, Dark ReadingCommentary
While stealth startup Ionic and other newcomers promise to change the cyber security game, ISC8 may be the first of many to head for the showers.
By Tim Wilson Editor in Chief, Dark Reading, 1/13/2015
Comment5 comments  |  Read  |  Post a Comment
Microsoft Protests Bug Disclosure By Google
Thomas Claburn, Editor-at-LargeNews
After Google discloses Win 8.1 vulnerability two days prior to planned patch, Microsoft argues in favor of vulnerability publication schedules.
By Thomas Claburn Editor-at-Large, 1/12/2015
Comment13 comments  |  Read  |  Post a Comment
Banking Trojans Disguised As ICS/SCADA Software Infecting Plants
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
Researcher spots spike in traditional financial malware hitting ICS/SCADA networks -- posing as popular GE, Siemens, and Advantech HMI products.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 1/8/2015
Comment4 comments  |  Read  |  Post a Comment
Time To Rethink Patching Strategies
Kevin E. Greene, Software Assurance Program Manager, Department of Homeland Security Science & Technology DirectorateCommentary
In 2014, the National Vulnerability Database is expected to log a record-breaking 8,000 vulnerabilities. That's 8,000 reasons to improve software quality at the outset.
By Kevin E. Greene Software Assurance Program Manager, Department of Homeland Security Science & Technology Directorate, 12/19/2014
Comment14 comments  |  Read  |  Post a Comment
5 Pitfalls to Avoid When Running Your SOC
Jeff Schilling, CSO, FirehostCommentary
The former head of the US Army Cyber Command SOC shares his wisdom and battle scars about playing offense not defense against attackers.
By Jeff Schilling CSO, Firehost, 12/18/2014
Comment6 comments  |  Read  |  Post a Comment
2014: The Year of Privilege Vulnerabilities
Marc Maiffret, CTO, BeyondTrustCommentary
Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of "least privilege" could limit the impact of malware and raise the bar of difficulty for attackers.
By Marc Maiffret CTO, BeyondTrust, 12/16/2014
Comment0 comments  |  Read  |  Post a Comment
Ekoparty Isnít The Next Defcon (& It Doesnít Want To Be)
Andrew Ford, Developer, BugcrowdCommentary
Unlike American security conferences that offer a buffet of merchandise, meals, and drinks, Ekoparty, in Buenos Aires, is every bit as functional -- with a little less fluff.
By Andrew Ford Developer, Bugcrowd, 12/15/2014
Comment0 comments  |  Read  |  Post a Comment
Hiring Hackers To Secure The Internet Of Things
Kelly Jackson Higgins, Executive Editor at Dark ReadingNews
How some white hat hackers are changing career paths to help fix security weaknesses in consumer devices and business systems.
By Kelly Jackson Higgins Executive Editor at Dark Reading, 12/11/2014
Comment3 comments  |  Read  |  Post a Comment
'Inception' Cyber Espionage Campaign Targets PCs, Smartphones
Jai Vijayan, Freelance writerNews
Blue Coat report details sophisticated attacks mainly against Russian targets, and Kaspersky Lab calls new campaign next-generation of Red October cyber spying operation.
By Jai Vijayan Freelance writer, 12/10/2014
Comment1 Comment  |  Read  |  Post a Comment
Endpoint Security Makes Quantum Shift
Michael A. Davis, Contributing EditorNews
We can't stop every attack, so we need a new mantra: Detect and respond. Here are the essential tools, skills, and processes.
By Michael A. Davis Contributing Editor, 12/3/2014
Comment2 comments  |  Read  |  Post a Comment
Breaking the Code: The Role of Visualization in Security Research
Thibault Reuille, Security Researcher, OpenDNSCommentary
In todayís interconnected, data rich IT environments, passive inspection of information is not enough.
By Thibault Reuille Security Researcher, OpenDNS, 12/1/2014
Comment1 Comment  |  Read  |  Post a Comment
FDA Scrutinizes Networked Medical Device Security
Philip Desjardins, Counsel, Arnold & PorterCommentary
Federal agencies are trying to address threats to the privacy and security of people using connected medical devices.
By Philip Desjardins Counsel, Arnold & Porter, 12/1/2014
Comment0 comments  |  Read  |  Post a Comment
What Healthcare Can Learn From CHS Data Breach
Paula Knippa, AttorneyCommentary
Security breach that exposed personal data on 4.5 million Tennessee healthcare system patients offers key lessons to prevent similar cyber attacks.
By Paula Knippa Attorney, 11/25/2014
Comment9 comments  |  Read  |  Post a Comment
USPS Played Cat And Mouse With Cyber Attacker
Jai Vijayan, Freelance writerNews
Postal Service takes restrained, methodical approach to cyberattack. Was this the right strategy?
By Jai Vijayan Freelance writer, 11/24/2014
Comment4 comments  |  Read  |  Post a Comment
Deconstructing The Cyber Kill Chain
Giora Engel, VP Product & Strategy, LightCyberCommentary
As sexy as it is, the Cyber Kill Chain model can actually be detrimental to network security because it reinforces old-school, perimeter-focused, malware-prevention thinking.
By Giora Engel VP Product & Strategy, LightCyber, 11/18/2014
Comment4 comments  |  Read  |  Post a Comment
More Stories
Current Conversations
More Conversations
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1375
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

CVE-2015-1376
Published: 2015-01-28
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

CVE-2015-1419
Published: 2015-01-28
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.

CVE-2014-5211
Published: 2015-01-27
Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVE-2014-8154
Published: 2015-01-27
The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overf...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If youíre a security professional, youíve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.