
1523 matches found

IBM Security Bulletins
added 2018/06/25 5:54 a.m., 20 views

Security Bulletin: Various IBM WebSphere MQ Installers are susceptible to DLL-planting vulnerabilities (CVE-2016-2542 & CVE-2016-4560)

Summary Various IBM WebSphere MQ graphical user interface installers are susceptible to a DLL-planting vulnerability where a malicious DLL, that is present in the Windows search path, could be loaded by the operating system in place of the genuine file. The vulnerability affects Windows executabl...

7.8 CVSS, 1.6 AI score, 0.00185 EPSS
Exploits: 1, Affected Software: 1
ThreatPost
added 2018/06/19 9:5 p.m., 8 views

When It Comes To IoT Security, Liability Is Muddled

BOSTON—From hacked connected cars to power grids, the implications of IoT security issues seem to be getting graver – yet when it comes to pointing fingers for security troubles, many times victims don’t even know where to start. IoT experts at the Security of Things Forum today said that a...

0.2 AI score
Exploits: 0, References: 6
Malwarebytes
added 2018/06/18 5:0 p.m., 41 views

A week in security (June 11 – June 17)

Last week on Malwarebytes Labs, we discussed how to protect the online privacy of children, we gave you a spring 2018 overview of exploit kits, rounded up the ongoing discussions about the VPNFilter malware, and discussed the struggles of UK law enforcement with modern-day cybercrime. Other news...

7.3 AI score
Exploits: 0
IBM Security Bulletins
added 2018/06/16 1:39 p.m., 21 views

Security Bulletin: A potential security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Decision Optimization Center (CVE-2016-0306)

Summary IBM WebSphere Application Server is shipped as a component of IBM Decision Optimization Center. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Consult the security bulletin Potential...

3.2 AI score, 0.00264 EPSS
Exploits: 0, Affected Software: 1
Fedora
added 2018/06/09 8:44 p.m., 17 views

[SECURITY] Fedora 28 Update: prosody-0.10.2-1.fc28

Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols...

8.8 CVSS, 2.7 AI score, 0.00264 EPSS
Exploits: 0
Veracode
added 2018/06/07 7:3 a.m., 16 views

Malicious Typo-Squatting

shadowsock is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2018/06/07 6:41 a.m., 14 views

Malicious Typo-Squatting

http-proxy.js is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2018/06/07 6:32 a.m., 12 views

Malicious Typo-Squatting

nodemailer.js is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2018/06/07 6:26 a.m., 14 views

Malicious Typo-Squatting

nodecaffe is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2018/06/07 6:23 a.m., 13 views

Malicious Typo-Squatting

nodeffmpeg is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2018/06/07 6:17 a.m., 15 views

Malicious Typo-Squatting

node-opencv is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2018/06/07 6:3 a.m., 14 views

Malicious Typo-Squatting

node-opensl is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
Veracode
added 2018/06/07 5:52 a.m., 14 views

Malicious Typo-Squatting

gruntcli is a malicious typo-squatting package. The package uses a name similar to the original library's so that developers may mistake it for the real one, but it performs malicious actions under the hood, such as stealing environment variables...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 1, Affected Software: 1
The Hacker News
added 2018/06/06 9:44 a.m., 83 views

Apple will let users run iOS apps on macOS

Apple is making it easier for mobile developers to port their iOS apps to the next-generation macOS Mojave desktop platform—a major step in bringing the two platforms closer together. However, at the same time, the company straightforwardly denied the idea of merging the iPhone and Mac operating...

Exploits: 0
Veracode
added 2018/06/05 7:26 a.m., 17 views

Malicious Typo-Squatting

fabric-js is a malicious typo-squatter package. The package uses a similar name to a legitimate library so that developers may mistake it for the real one, but it executes malicious actions under the hood, such as stealing environment variables upon installation...

7.5 CVSS, 7.3 AI score, 0.00257 EPSS
Exploits: 0, References: 2, Affected Software: 1
Veracode
added 2018/06/05 6:54 a.m., 19 views

Malicious Typo-Squatting

mariadb is a malicious typo-squatted package. The package uses a similar name to another library so that developers may mistake it for a legitimate package but executes malicious actions under the hood such as stealing environment variables on installation...

7.5 CVSS, 7.4 AI score, 0.00257 EPSS
Exploits: 0, References: 2, Affected Software: 1
The Hacker News
added 2018/06/04 7:19 a.m., 2 views

Confirmed—Microsoft Buys GitHub For $7.5 Billion

Here's the biggest news of the week—Microsoft has reportedly acquired GitHub for $7.5 billion. For those unaware, GitHub is a popular code repository hosting service that allows developers to host their projects, documentation, and code in the cloud using the popular Git source management system,...

6.7 AI score
Exploits: 0
Debian
added 2018/06/01 12:23 p.m., 20 views

[SECURITY] [DLA 1393-1] Debian 7 Long Term Support reaching end-of-life

The Debian Long Term Support LTS Team hereby announces that Debian 7 "Wheezy" support has reached its end-of-life on May 31, 2018, five years after its initial release on May 4, 2013. Debian will not provide further security updates for Debian 7. A subset of Wheezy packages will be supported by...

7 AI score
Exploits: 0
Prion
added 2018/05/29 8:29 p.m., 13 views

Design/Logic Flaw

product-monitor is an HTML/JavaScript template for monitoring a product by encouraging product developers to gather all the information about the status of a product, including live monitoring, statistics, endpoints, and test results into one place. product-monitor versions below 2.2.5 download...

9.3 CVSS, 7.8 AI score, 0.00735 EPSS
Exploits: 0, References: 1, Affected Software: 1
RedHat Linux
added 2018/05/24 7:31 p.m., 87 views

Important: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...

9.8 CVSS, 6.7 AI score, 0.37556 EPSS
Exploits: 4, References: 13