Security

Researchers have discovered two critical bugs in Control Web Panel (CWP) – a popular web hosting management software used by 200K+ servers – that could allow for remote code execution (RCE) as root on vulnerable Linux servers.

CWP, formerly known as CentOS Web Panel, is an open-source Linux control panel software used for creating and managing web hosting environments. The software supports the operating systems CentOS, Rocky Linux, Alma Linux and Oracle Linux.

A new malware strain that can survive operating system reinstalls was spotted last year secretly hiding on a computer, according to the antivirus provider Kaspersky.

The company discovered the Windows-based malware last spring running on a single computer. How the malicious code infected the system remains unclear. But the malware was designed to operate on the computer’s UEFI firmware, which helps boot up the system.

Attackers have been actively targeting Log4j, or Log4shell, vulnerabilities in the servers of virtualization solution VMware Horizon to establish persistent access via web shells, according to an alert by the U.K. National Health Service.

The web shells could allow unauthenticated attackers to remotely execute commands on a server affected by Log4Shell vulnerabilities to establish persistence within affected networks, the alert says, and adds that an attacker can use these web shells to deploy malicious software or ransomware and exfiltrate data.

For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

Over the past few months, geopolitical tensions have escalated as Russia amassed tens of thousands of troops along Ukraine’s border and made subtle but far-reaching threats if Ukraine and NATO don’t agree to Kremlin demands.

For the past four months, Apple’s iOS and iPadOS devices and Safari browser have violated one of the Internet’s most sacrosanct security policies. The violation results from a bug that leaks user identities and browsing activity in real time.

Microsoft's monthly Patch Tuesday updates for Windows are generally meant to fix problems, but that isn't how it always goes. January's updates, released last week, caused a handful of problems for businesses in particular. The most serious, especially for people still dealing with pandemic-driven remote-work setups, was a bug that broke certain kinds of VPN connections. Microsoft has provided fixes for this and other issues as of today, a few days after acknowledging the problem on its Known Issues page.

A 19-year-old hacker and security researcher said he was able to control some features of dozens of Tesla cars all over the world thanks to a vulnerability in a third-party app that allows car owners to track their car’s movements, remotely unlock doors, open windows, start keyless driving, honk, and flash lights.

Most hacks require the victim to click on the wrong link or open the wrong attachment. But as so-called zero-click vulnerabilities—in which the target does nothing at all—are exploited more and more, Natalie Silvanovich of Google's Project Zero bug-hunting team has worked to find new examples and get them fixed before attackers can use them. Her list now includes Zoom, which until recently had two alarming, interactionless flaws lurking inside.

Microsoft today released updates to plug nearly 120 security holes in Windows and supported software. Six of the vulnerabilities were publicly detailed already, potentially giving attackers a head start in figuring out how to exploit them in unpatched systems. More concerning, Microsoft warns that one of the flaws fixed this month is “wormable,” meaning no human interaction would be required for an attack to spread from one vulnerable Windows box to another.