December 1, 2015 By Douglas Bonderud 2 min read

Thanksgiving should be a time for rest and relaxation; there’s good food, better company and the chance to take a break before the holiday season gets into full swing. For companies LinkedIn, Zen Cart and Lenovo, however, the weekend wasn’t a walk in the park: All three patched critical vulnerabilities in their software to address problems with style sheets, PHP and automatic update security. Here’s a quick look at what was addressed.

Big Link, Big Trouble

First up is LinkedIn. As reported by SecurityWeek, security firm BitSensor recently discovered a potential flaw in the cascading style sheets (CSS) used by LinkedIn’s publishing platform. The social site had good intentions — to allow users to customize the look and feel of their blog posts — but CSS security was apparently overlooked. While HTML tags used by the platform are deliberately limited to lower the chance of a cross-site scripting (XSS) attack, Ruben van Vreeland of BitSensor discovered modifying trusted CSS class selectors could allow malicious actors to significantly alter the user interface to permit clickjacking.

Here’s how it works: By using the li_style CSS to force a link to stretch across the entire width and length of page, attackers could covert the entire visible surface into a single, massive redirect. However, no instances of this attack were detected in the wild, and LinkedIn has already patched the problem to prevent this kind of clickjacking.

Not So Peaceful

E-commerce software Zen Cart, meanwhile, had its own problems with a PHP bug that would allow attackers “unlimited access to the files and entire database of the vulnerable application,” SecurityWeek stated. The problem only affected the newest version — Zen Cart 1.5.4 — and stemmed from a PHP file inclusion vulnerability in the /ajax.php file.

Security firm High-Tech Bridge found the flaw on Nov. 25. It reported that the PHP problem was not difficult to abuse and was possible even on hardened Web servers. Within 24 hours, Zen Cart said it patched the problem, and High-Tech Bridge has reported it will release the full details of the vulnerability on Dec. 16.

Update Headaches

Computer manufacturer Lenovo also patched two critical issues over the weekend that could have allowed malicious actors to easily guess admin passwords or elevate privileges on a Windows device. Security company IOActive reported the problems in October, and Lenovo fixed both issues on Nov. 19. The vulnerabilities stemmed from Lenovo System Update version 5.07.0013, which automatically looks for support updates. By taking advantage of weaknesses in the password-generation algorithm, however, it’s possible for attackers to guess the username and password of a temporarily generated admin account.

According to Threatpost, the vulnerability only exists when the update’s first effort at strong password generation fails and forces the program to use an easier, reproducible algorithm. If attackers know the algorithm and when the admin account was created, it’s possible to gain full access. In addition, a function intended to let lower-level users initiate system updates permitted an easy privilege escalation attack using a browser instance created by links to Lenovo support and help topics, which could then be used to gain admin privileges and save or run malicious code.

Not everyone had a restful Thanksgiving. Users of LinkedIn, Zen Cart and Lenovo machines have something to be thankful for, however: Speedy patches plugged a number of serious software holes.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today