Google Nest ’ s Dropcam , Dropcam Pro , Nest Cam Outdoor and Nest Cam Indoor security cameras can be easily disabled by an attacker that ’ s in their Bluetooth range , a security researcher has found Vulnerability-related.DiscoverVulnerability . The vulnerabilities are present in Vulnerability-related.DiscoverVulnerability the latest firmware version running on the devices ( v5.2.1 ) . They were discovered Vulnerability-related.DiscoverVulnerability by researcher Jason Doyle last fall , and their existence responsibly disclosed Vulnerability-related.DiscoverVulnerability to Google , but have still not been patched Vulnerability-related.PatchVulnerability . The first two flaws can be triggered and lead to a buffer overflow condition if the attacker sends to the camera a too-long Wi-Fi SSID parameter or a long encrypted password parameter , respectively . That ’ s easy to do as Bluetooth is never disabled after the initial setup of the cameras , and attackers ( e.g . burglars ) can usually come close enough to them to perform the attack . Triggering one of these flaws will make the devices crash and reboot . The third flaw is a bit more serious , as it allows the attacker to force the camera to temporarily disconnect from the wireless network to which it is connected by supplying it a new SSID to connect to . If that particular SSID does not exist , the camera drops its attempt to associate with it and return to the original Wi-Fi network , but the whole process can last from 60 to 90 seconds , during which the camera won ’ t be recording . Unfortunately , Bluetooth can ’ t be disabled on these cameras , so there is little users can do to minimize this particular risk . Nest has apparently already prepared Vulnerability-related.PatchVulnerability a patch but hasn’t pushed it out Vulnerability-related.PatchVulnerability yet . It is supposedly scheduled to be released Vulnerability-related.PatchVulnerability soon , but no definite date has been offered

If you ’ re using one of the many QNAP NAS devices and you haven ’ t yet upgraded the QTS firmware to version 4.2.4 , you should do so immediately if you don ’ t want it to fall prey to attackers . Among the vulnerabilities fixed Vulnerability-related.PatchVulnerability by QNAP in this latest firmware version , released Vulnerability-related.PatchVulnerability on March 21 , are three command injection flaws in the web user interface that can be exploited Vulnerability-related.DiscoverVulnerability to gain remote command execution on a vulnerable device as administrative user ( root ) . And among these three , one can be exploited Vulnerability-related.DiscoverVulnerability by an unauthenticated attacker , via a specially crafted HTTP request . A thusly compromised NAS device can be used for further attacks , but what should worry users even more , is that an attacker can read , modify or remove content from it at will . The flaws were discovered Vulnerability-related.DiscoverVulnerability by Harry Sintonen of F-Secure , and responsibly disclosed Vulnerability-related.DiscoverVulnerability to QNAP . But , given that Sintonen has now released more information about each vulnerability , it ’ s not inconceivable that attackers might craft working exploits soon , and try to use them . The vulnerabilities are confirmed to affect Vulnerability-related.DiscoverVulnerability QTS versions 4.2.2 and 4.2.3 . Users are advised to install Vulnerability-related.PatchVulnerability the firmware update version 4.2.4 build 20170313 , or restrict access to the web user interface ( ports 8080 and 443 )

A single SMS can force Samsung Galaxy devices into a crash and reboot loop , and leave the owner with no other option than to reset it to factory settings and lose all data stored on it . This is because there are certain bugs in older Samsung Galaxy phones and tablets that can be triggered via SMS , and used by attackers to force maliciously crafted configuration messages onto the users ’ device . The bugs allow these types of messages to be executed without user interaction . As the ContextIS researchers who discovered Vulnerability-related.DiscoverVulnerability the vulnerabilities explained , this avenue of attack can be abused by crooks to hold users ’ devices for ransom . “ First a ransom note is sent , if ignored then the malicious configuration message can be sent , ” they noted . If the victim pays up Attack.Ransom , a configuration message can later be sent to stop the rebooting . The vulnerabilities in question Vulnerability-related.DiscoverVulnerability , CVE-2016-7988 and CVE-2016-7989 , can be triggered through SMS on the S4 , S4 Mini , S5 and Note 4 , but not on newer Samsung devices . “ It ’ s worth noting that although newer phones such as the S6 and S7 aren ’ t affected over the air , [ a similar result ] could be accomplished by a malicious app abusing CVE-2016-7988 , ” they added Vulnerability-related.DiscoverVulnerability . These specific issues are related to modifications Samsung made to to the Android telephony framework and are found in a Samsung-specific application for handling carrier messages . “ We responsibly disclosed Vulnerability-related.DiscoverVulnerability this to Samsung who handle the patching process Vulnerability-related.PatchVulnerability with carriers . We extended our standard 90 day disclosure policy to allow Samsung time to arrange Vulnerability-related.PatchVulnerability for the patches to be made available , ” the researchers told Help Net Security . Whether all users of vulnerable devices have received Vulnerability-related.PatchVulnerability the patches is difficult to tell . “ The Android update process is a bit of a minefield and is well illustrated in this HTC diagram , ” they commented . They also noted that it ’ s possible that the same avenue of attack could be abused to target other devices – it all depends on how this same technology is handled by other vendors

Last week WordPress released Vulnerability-related.PatchVulnerability the newest version ( 4.7.2 ) of the popular CMS , ostensibly fixing Vulnerability-related.PatchVulnerability three security issues affecting versions 4.7.1 and earlier . What the WordPress team didn ’ t share at that time is that the update also secretly fixes Vulnerability-related.PatchVulnerability a bug that allows unauthenticated users to modify the content of any post or page within a WordPress site . The vulnerability was discovered Vulnerability-related.DiscoverVulnerability by Sucuri researcher Marc-Alexandre Montpas and responsibly disclosed Vulnerability-related.DiscoverVulnerability to the WordPress security team on January 20 . A fix was soon created Vulnerability-related.PatchVulnerability , tested , and included in the security update pushed out Vulnerability-related.PatchVulnerability on January 26 . The team reached out to makers of web application firewalls ( WAFs ) like SiteLock , Cloudflare , and Incapsula to help them create rules that would block exploitation attempts . WordPress hosts have also been privately told Vulnerability-related.DiscoverVulnerability of the flaw , and they quietly moved to protect their users . “ By Wednesday afternoon , most of the hosts we worked with had protections in place . Data from all four WAFs [ this includes Sucuri ’ s ] and WordPress hosts showed Vulnerability-related.DiscoverVulnerability no indication that the vulnerability had been exploited Vulnerability-related.DiscoverVulnerability in the wild , ” the WP security team disclosed Vulnerability-related.DiscoverVulnerability on Wednesday . “ As a result , we made the decision to delay disclosure of this particular issue to give time for automatic updates to run and ensure as many users as possible were protected before the issue was made public ” . Within a couple of hours of the release of the update Vulnerability-related.PatchVulnerability , WordPress users who have opted for the automatic WP update option had the WP 4.7.2 installed and were protected . The unauthenticated privilege escalation vulnerability in question affects Vulnerability-related.DiscoverVulnerability the REST API , which was added and enabled by default on WordPress 4.7.0