Mozilla and Google have confirmed they will be aligning with Apple and their browsers will reject any web server certificate issued after 1st September which is valid for more than a year. Apple announced the move to only support 1 year certificates back in February and now Mozilla and Google (and thus all the ChromiumRead more
Blog
Microsoft has released details of a zero-day remote code execution vulnerability which is being actively exploited to attack Windows computers. It affects all versions of Internet Explorer running on Windows 7, 8.1 and 10. The problems lies in one of the two javascript engines available within IE. Since a webpage can request IE to useRead more
A serious remote command execution vulnerability in the PHP-FGM module when used with NGINX has been disclosed in CVE CVE-2019-11043. Since NGINX does not have a native in-process PHP runtime and uses PHP-FGM instead, the PHP-FGM module is widely used. By submitting a specially crafted (yet simple) HTTP requested to the NGINX server, it isRead more
The German Federal Office for Information Security (or BSI) has published a report (in German) which evaluates the most popular modern web browsers against the BSI’s own guidelines for ‘modern secure browsers’ and only Firefox emerges with flying colours. The audit examined Mozilla Firefox 68 (Extended Support Release), Google Chrome 76, Microsoft Internet Explorer 11,Read more
Google is rolling out a critical patch for their Chrome browser in order to fix four serious vulnerabilities including one which enables arbitrary code execution on the system simply by visiting a specially crafted webpage – with no other user interaction required. Google is not releasing details of the vulnerabilities, other than to say theyRead more
Microsoft’s December 2018 patch Tuesday release includes fixes for several critical vulnerabilities including one in PowerPoint which affects all versions since PowerPoint 2010. The PowerPoint bug (CVE-2018-8628) would allow an attacker to create a specially-crafted file, which when opened by PowerPoint, would enable the attacker to run arbitrary code as the logged-in user. According toRead more
A recent vulnerability in Sennheiser’s headphone management utility illustrates the risk of unexpected additions to the Microsoft windows certificate store. During installation, the Sennheiser software installed a self-signed root certificate into the computer’s trusted root CA certificate store. A copy of the certificates’ private key was also copied into application’s installation directory. Security research firmRead more
Browser cookies play an important role in nearly all modern websites and applications. From tracking user-interaction through services like Google Analytics, through to maintaining the state of customer shopping carts in eCommerce applications. Cookies can also contain session tokens for web applications to ensure that user sessions are maintained between browser page refreshes. Although securityRead more
