Lucian Constantin

About the Author Lucian Constantin


JavaScript-based attack simplifies browser exploits

Researchers have devised a new attack that can bypass one of the main exploit mitigations in browsers: Address space layout randomization (ASLR). The attack takes advantage of how modern processors cache memory and, because it doesn’t rely on a software bug, fixing the problem is not easy.

Researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) unveiled the attack, dubbed AnC, Wednesday after having coordinated its disclosure with processor, browser and OS vendors since October.

ASLR is a feature present in all major operating systems. Applications, including browsers, take advantage of it to make the exploitation of memory corruption vulnerabilities like buffer overflows more difficult.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

Forget the network perimeter, say security vendors

What if all your company’s computers and applications were connected directly to the Internet? That was the assumption behind BeyondCorp, a new model for network security that Google proposed back in 2014, and it’s one that’s starting to get some attention from networking and security vendors.

Enterprises have moved beyond the traditional workspace in recent years, allowing employees to work remotely by using their personal devices and accessing apps in private or public clouds. To bring roaming workers back into the fold, under the security blanket of their local networks, companies rely on VPNs and endpoint software to enforce network access controls.

To read this article in full or to leave a comment, please click here

Read more 0 Comments

Recent WordPress vulnerability used to deface 1.5 million pages

Up to 20 attackers or groups of attackers are defacing WordPress websites that haven’t yet applied a recent patch for a critical vulnerability.

The vulnerability, located in the platform’s REST API, allows unauthenticated attackers to modify the content of any post or page within a WordPress site. The flaw was fixed in WordPress 4.7.2, released on Jan. 26, but the WordPress team did not publicly disclose the vulnerability’s existence until a week later, to allow enough time for a large number of users to deploy the update.

To read this article in full or to leave a comment, please click here

Read more 0 Comments