
A security researcher has unearthed evidence that three browser-trusted certificate authorities (CAs) owned and operated by Symantec improperly issued more than 100 unvalidated TLS certificates. In some cases, those certificates made it possible to spoof HTTPS-protected websites.

One of the most fundamental requirements that Google and the other major browser makers impose on CAs is that they issue certificates only to applicants who have demonstrated rightful control of the domain name, or the company identity, that the certificate will carry. On multiple occasions last year and earlier this month, the Symantec-owned CAs issued 108 credentials that violated these industry guidelines, according to research published Thursday by Andrew Ayer, a security researcher and founder of the CA reseller SSLMate. The guidelines exist to protect the integrity of the entire encrypted Web. Nine of the certificates were issued without the permission or knowledge of the affected domain owners; the remaining 99 were issued without proper validation of the company information they contained.

Many of the improperly issued certificates contained the string "test" in various places, a likely sign that they were created for testing, and many were revoked within an hour of being issued. Revocation after the fact does not undo the lapse: a certificate that should never have existed is still a major violation by Symantec, which in 2015 fired an undisclosed number of CA employees for doing much the same thing.
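Domain owners usually learn about this kind of misissuance from Certificate Transparency logs rather than from the CA. The Python below is an added example, not code from the article, from SSLMate or from Symantec: it runs a simple monitor over constructed CT-style records and flags any certificate that names a monitored domain but was issued by a CA the owner never contracted with, or whose subject carries a "test" token. The monitored domains, the approved issuer name and the sample records are assumptions made up for the example; a revoked certificate is still reported, because the issuance itself is the control failure.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumptions for the example (not from the article): the domains we control and
# the CA we have actually contracted with. Any other issuer naming our domains
# is unexpected and should be investigated.
MONITORED_DOMAINS: Set[str] = {"example.com", "example.net"}
APPROVED_ISSUERS: Set[str] = {"Example Approved Issuing CA"}

# Split names into alphanumeric tokens so that "test.example.com" matches but
# "contest.example.com" does not.
_TOKEN = re.compile(r"[^a-z0-9]+")


@dataclass
class CertRecord:
    """Simplified certificate record, as a CT log monitor might surface it."""
    issuer: str
    subject_cn: str
    org: str = ""
    sans: List[str] = field(default_factory=list)
    revoked: bool = False


def names_in_scope(record: CertRecord, domains: Set[str]) -> List[str]:
    """Names in the cert that equal, or sit under, a monitored domain (wildcards included)."""
    hits = []
    for name in [record.subject_cn, *record.sans]:
        bare = name.lower().lstrip("*.")  # "*.example.com" -> "example.com"
        if any(bare == d or bare.endswith("." + d) for d in domains):
            hits.append(name)
    return hits


def has_test_token(*values: str) -> bool:
    """True if any value contains 'test' as a whole token."""
    return any("test" in _TOKEN.split(v.lower()) for v in values)


def classify(record: CertRecord,
             domains: Set[str] = MONITORED_DOMAINS,
             approved: Set[str] = APPROVED_ISSUERS) -> List[str]:
    """Reasons this certificate deserves attention; empty list means nothing to report."""
    scoped = names_in_scope(record, domains)
    if not scoped:
        return []  # somebody else's domain, not ours to police
    reasons = []
    if record.issuer not in approved:
        reasons.append(f"unapproved issuer {record.issuer!r} for {scoped}")
    if has_test_token(record.subject_cn, record.org, *record.sans):
        reasons.append("subject name or organisation contains a 'test' token")
    if reasons and record.revoked:
        reasons.append("already revoked, but the issuance itself is the control failure")
    return reasons


def audit(records: List[CertRecord]) -> Dict[str, List[str]]:
    """Map subject CN -> reasons for every record worth reporting."""
    findings: Dict[str, List[str]] = {}
    for r in records:
        reasons = classify(r)
        if reasons:
            findings[r.subject_cn] = reasons
    return findings


# Constructed sample records standing in for real CT log entries.
SAMPLE_RECORDS = [
    CertRecord("Example Approved Issuing CA", "www.example.com", "Example Inc",
               ["www.example.com", "example.com"]),
    CertRecord("Other Public CA G2", "test.example.com", "Example Inc",
               ["test.example.com"], revoked=True),
    CertRecord("Other Public CA G2", "*.example.net", "Example Inc"),
    CertRecord("Example Approved Issuing CA", "api.example.com", "Test Company",
               ["api.example.com"]),
    CertRecord("Example Approved Issuing CA", "contest.example.com", "Example Inc"),
    CertRecord("Other Public CA G2", "shop.unrelated.org", "Unrelated Ltd"),
]

if __name__ == "__main__":
    for cn, reasons in audit(SAMPLE_RECORDS).items():
        print(cn)
        for reason in reasons:
            print("  -", reason)
```

Against the sample data the monitor reports three certificates: the revoked test certificate (wrong issuer, test token), the wildcard for example.net from an unapproved CA, and the certificate whose organisation field reads "Test Company" even though its issuer is approved. The "contest" name and the unrelated domain are correctly ignored.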



Microsoft has released Windows Management Framework 5.1 for Windows 7 and later.

WMF 5.1 upgrades Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 to the PowerShell, WMI, WinRM and Software Inventory Logging (SIL) components that shipped with Windows Server 2016 and the Windows 10 Anniversary Update.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Symphony CVE-2017-5541 Directory Traversal Vulnerability
Subrion CMS CVE-2017-5543 PHP Object Injection Vulnerability
Symphony CMS CVE-2017-5542 Cross Site Scripting Vulnerability
Ghost 'Your profile' Page HTML Injection Vulnerability

A Chinese app which allegedly makes selfies look more attractive—or more like an anime character, at any rate—has a dark secret: it demands permissions for far more personal data than it needs, including users' IMEIs, phone numbers, and GPS coordinates.

Meitu, an app which has been out for years on both iOS and Android in China, has shot to fame outside the country in the last few weeks, due to the "beauty" filters it can apply to people's selfies. Among other functions, it can sharpen people's jaws, put a sparkle in their eyes, and smooth out and lighten their skin.

The result? Meitu-filtered pictures are suddenly everywhere. The backlash, however, has been just as swift.


Samsung CVE-2017-5538 Remote Memory Corruption Vulnerability
Linux Kernel CVE-2017-2583 Privilege Escalation Vulnerability
Linux Kernel CVE-2016-10150 Denial of Service Vulnerability
QEMU 'ac97.c' Denial of Service Vulnerability
PHP CVE-2016-7479 Denial of Service Vulnerability
Apache HTTP Server CVE-2016-2161 Denial of Service Vulnerability
Apache HTTP Server CVE-2016-8743 Security Bypass Vulnerability
Apache HTTP Server CVE-2016-0736 Remote Security Vulnerability
icoutils CVE-2017-5332 Local Code Execution Vulnerability
icoutils CVE-2017-5331 Incomplete Fix Local Integer Overflow Vulnerability
Gstreamer CVE-2016-9810 Invalid Memory Read Denial Of Service Vulnerability
[SECURITY] [DSA 3767-1] mysql-5.5 security update