(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
F5 BIG-IP APM CVE-2016-7472 Denial of Service Vulnerability
 
LibTIFF CVE-2016-9533 Heap Buffer Overflow Vulnerability
 
Ruby on Rails Action Pack CVE-2016-0751 Denial of Service Vulnerability
 


Developers of the widely used LastPass password manager are scrambling to fix a serious vulnerability that makes it possible for malicious websites to steal user passcodes and in some cases execute malicious code on computers running the program.

The flaw, which affects the latest version of the LastPass browser extension, was briefly described on Saturday by Tavis Ormandy, a researcher with Google's Project Zero vulnerability reporting team. When people have the LastPass binary running, the vulnerability allows malicious websites to execute code of their choice. Even when the binary isn't present, the flaw can be exploited in a way that lets malicious sites steal passwords from the protected LastPass vault. Ormandy said he developed a proof-of-concept exploit and sent it to LastPass officials. Developers now have three months to patch the hole before Project Zero discloses technical details.

"It will take a long time to fix this properly," Ormandy said. "It's a major architectural problem. They have 90 days, no need to scramble!"


 
hammer_cli CVE-2017-2667 SSL Certificate Validation Security Bypass Vulnerability
 
IBM iNotes CVE-2016-9990 Cross Site Scripting Vulnerability
 
CherryMusic CVE-2015-8309 Directory Traversal Vulnerability
 
CherryMusic CVE-2015-8310 Cross Site Scripting Vulnerability
 
Icinga CVE-2015-8010 Cross Site Scripting Vulnerability
 
[SECURITY] [DSA 3823-1] eject security update
 
Nghttp2 CVE-2017-2428 Multiple Remote Security Vulnerabilities
 
McAfee Anti-Malware Scan CVE-2016-8031 Engine Multiple Local Security Bypass Vulnerabilities
 
Revive Adserver Multiple Security Vulnerabilities
 
Apple iOS/tvOS/macOS/watchOS Multiple Security Vulnerabilities
 
Apple iOS APPLE-SA-2017-03-27-4 Multiple Security Vulnerabilities
 
Pivotal Cloud Foundry Elastic Runtime CVE-2017-2773 Security Bypass Vulnerability
 
Apple Safari CVE-2017-2385 Local Security Bypass Vulnerability
 
Linux Kernel CVE-2017-7277 Multiple Local Memory Corruption Vulnerabilities
 
Apple macOS, iOS and tvOS CVE-2017-2448 Security Bypass Vulnerability
 
Apple iOS/WatchOS/tvOS/Safari CVE-2017-2444 Multiple Memory Corruption Vulnerabilities
 
WebKit CVE-2017-2471 Remote Code Execution Vulnerability
 
Apple iOS/macOS/WatchOS/tvOS CVE-2017-2485 Memory Corruption Vulnerability
 
Apple macOS Server CVE-2017-2382 User Enumeration Vulnerability
 
WebKit Multiple Security Vulnerabilities
 
Apple iOS and Safari Multiple Security Vulnerabilities
 
pngdefry CVE-2017-7231 Heap Based Buffer Overflow Vulnerability
 
Multiple Huawei Honor CVE-2017-2728 Local Security Bypass Vulnerability
 
GnuTLS GNUTLS-SA-2017-3 Multiple Security Vulnerabilities
 
Deluge CVE-2017-7178 Cross Site Request Forgery Vulnerability
 
Microsoft Internet Information Services CVE-2017-7269 Buffer Overflow Vulnerability
 
APPLE-SA-2017-03-27-7 macOS Server 5.3
 
[SECURITY] [DSA 3821-1] gst-plugins-ugly1.0 security update
 