Drupal Core Vulnerability

This Public Service Announcement is a follow-up to SA-CORE-2014-005 - Drupal core - SQL injection. It does not announce a new vulnerability in Drupal.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.


Google rolls out Penguin 3.0

Google confirmed Sunday that a new version of its Penguin filter aimed at fighting spam went live on Friday. Penguin targets sites deemed to be spammy, especially those found in violation of Google’s guidelines about linking.

Some noticed major changes in Google search results beginning late Friday night US time and speculated that this was due to the long-awaited Penguin Update that Google had said to expect this month.


Bash/Shellshock Patches May Not be Enough to Protect Systems

Simply patching systems against the Bash/Shellshock vulnerability may not be adequate. Attacks exploiting the flaw appeared within a day of its disclosure. Those attacks may have made changes to systems that would not be remedied by the application of a patch. The problem is due in part to the incomplete patches that were issued initially. Attackers reportedly exploited Bash/Shellshock to create a botnet for a phishing campaign against Spanish-speaking Citibank customers. Many of the compromised machines are running Linux. The command-and-control server for the botnet has been taken offline.


OpenSSL (RHEL) Security Update Issued

An update for OpenSSL on RHEL has just been released to help address the POODLE security vulnerability in OpenSSL; updating as soon as possible is recommended.

This update adds support for the TLS Fallback Signaling Cipher Suite Value (TLS_FALLBACK_SCSV). It can be used to prevent protocol downgrade attacks against applications that, when the initial connection offering their highest supported protocol version fails, reconnect using a lower SSL/TLS protocol version.
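To make the downgrade protection concrete, the following Python model is an added illustration and is not Red Hat's or OpenSSL's code. It models only the decision logic of RFC 7507: a client that retries at a lower version after a failed attempt includes the fallback signal in its retry, and a server that understands the signal refuses the handshake when it could have spoken a higher version than the one offered. Protocol versions are plain strings, no real TLS records are exchanged, and the "attacker" is a constructed network function that drops every handshake except SSLv3 ones.

```python
"""
Model of the TLS_FALLBACK_SCSV downgrade protection (RFC 7507).

Added illustration; this is not Red Hat's or OpenSSL's code.  Protocol
versions are plain strings and no real TLS records are exchanged; only the
decision logic of client and server is modelled.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Ordered from weakest to strongest.
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


def rank(version: str) -> int:
    return VERSIONS.index(version)


@dataclass
class ClientHello:
    version: str          # highest version the client offers in this attempt
    fallback_scsv: bool   # True when this hello is a retry at a lower version


@dataclass
class Server:
    max_version: str
    supports_scsv: bool = True   # a patched server recognises the SCSV

    def handle(self, hello: ClientHello) -> Tuple[str, str]:
        """Return ("ok", negotiated_version) or ("alert", reason)."""
        if (self.supports_scsv and hello.fallback_scsv
                and rank(hello.version) < rank(self.max_version)):
            # The client says it is falling back, yet we could have spoken a
            # higher version: the earlier attempt must have been interfered
            # with, so refuse rather than accept the weaker protocol.
            return ("alert", "inappropriate_fallback")
        negotiated = VERSIONS[min(rank(hello.version), rank(self.max_version))]
        return ("ok", negotiated)


def connect(server: Server, client_max: str, use_scsv: bool,
            reaches_server: Callable[[str], bool]) -> Optional[str]:
    """Browser-style fallback dance.

    The client first offers client_max; if that connection attempt fails it
    retries with the next lower version, and so on.  reaches_server(version)
    models the network: False means the attempt never completes (for example
    because an active attacker drops it).  Returns the negotiated version, or
    None when the connection is refused.
    """
    first_attempt = True
    for version in reversed(VERSIONS[: rank(client_max) + 1]):
        if not reaches_server(version):
            first_attempt = False
            continue
        hello = ClientHello(version, fallback_scsv=use_scsv and not first_attempt)
        status, result = server.handle(hello)
        return result if status == "ok" else None
    return None


# --- constructed scenarios -------------------------------------------------

def honest_network(version: str) -> bool:
    """Constructed: every handshake attempt reaches the server."""
    return True


def downgrade_attacker(version: str) -> bool:
    """Constructed attacker: drops every attempt except SSLv3 handshakes."""
    return version == "SSLv3"


def scenario(use_scsv: bool, attacked: bool) -> Optional[str]:
    """Patched server (TLSv1.2, SCSV-aware) talking to a TLSv1.2 client."""
    server = Server(max_version="TLSv1.2", supports_scsv=True)
    network = downgrade_attacker if attacked else honest_network
    return connect(server, "TLSv1.2", use_scsv, network)


def unpatched_server_scenario() -> Optional[str]:
    """Client sends the SCSV, but the server predates the update and ignores it."""
    server = Server(max_version="TLSv1.2", supports_scsv=False)
    return connect(server, "TLSv1.2", True, downgrade_attacker)


if __name__ == "__main__":
    print("no attack, no SCSV     :", scenario(False, False))      # TLSv1.2
    print("attack,    no SCSV     :", scenario(False, True))       # SSLv3
    print("attack,    SCSV        :", scenario(True, True))        # None
    print("attack, SCSV, old srv  :", unpatched_server_scenario()) # SSLv3
```

The last scenario is the reason the update matters: the signal is only useful when both ends understand it, so a client that falls back correctly still ends up on SSLv3 against a server that has not been updated, which is why the advisory recommends applying the server-side update promptly.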

