December 1, 2015 By Douglas Bonderud 2 min read

Thanksgiving should be a time for rest and relaxation; there’s good food, better company and the chance to take a break before the holiday season gets into full swing. For companies LinkedIn, Zen Cart and Lenovo, however, the weekend wasn’t a walk in the park: All three patched critical vulnerabilities in their software to address problems with style sheets, PHP and automatic update security. Here’s a quick look at what was addressed.

Big Link, Big Trouble

First up is LinkedIn. As reported by SecurityWeek, security firm BitSensor recently discovered a potential flaw in the cascading style sheets (CSS) used by LinkedIn’s publishing platform. The social site had good intentions — to allow users to customize the look and feel of their blog posts — but CSS security was apparently overlooked. While HTML tags used by the platform are deliberately limited to lower the chance of a cross-site scripting (XSS) attack, Ruben van Vreeland of BitSensor discovered modifying trusted CSS class selectors could allow malicious actors to significantly alter the user interface to permit clickjacking.

Here’s how it works: By using the li_style CSS to force a link to stretch across the entire width and length of page, attackers could covert the entire visible surface into a single, massive redirect. However, no instances of this attack were detected in the wild, and LinkedIn has already patched the problem to prevent this kind of clickjacking.

Not So Peaceful

E-commerce software Zen Cart, meanwhile, had its own problems with a PHP bug that would allow attackers “unlimited access to the files and entire database of the vulnerable application,” SecurityWeek stated. The problem only affected the newest version — Zen Cart 1.5.4 — and stemmed from a PHP file inclusion vulnerability in the /ajax.php file.

Security firm High-Tech Bridge found the flaw on Nov. 25. It reported that the PHP problem was not difficult to abuse and was possible even on hardened Web servers. Within 24 hours, Zen Cart said it patched the problem, and High-Tech Bridge has reported it will release the full details of the vulnerability on Dec. 16.

Update Headaches

Computer manufacturer Lenovo also patched two critical issues over the weekend that could have allowed malicious actors to easily guess admin passwords or elevate privileges on a Windows device. Security company IOActive reported the problems in October, and Lenovo fixed both issues on Nov. 19. The vulnerabilities stemmed from Lenovo System Update version 5.07.0013, which automatically looks for support updates. By taking advantage of weaknesses in the password-generation algorithm, however, it’s possible for attackers to guess the username and password of a temporarily generated admin account.

According to Threatpost, the vulnerability only exists when the update’s first effort at strong password generation fails and forces the program to use an easier, reproducible algorithm. If attackers know the algorithm and when the admin account was created, it’s possible to gain full access. In addition, a function intended to let lower-level users initiate system updates permitted an easy privilege escalation attack using a browser instance created by links to Lenovo support and help topics, which could then be used to gain admin privileges and save or run malicious code.

Not everyone had a restful Thanksgiving. Users of LinkedIn, Zen Cart and Lenovo machines have something to be thankful for, however: Speedy patches plugged a number of serious software holes.

More from

How to craft a comprehensive data cleanliness policy

3 min read - Practicing good data hygiene is critical for today’s businesses. With everything from operational efficiency to cybersecurity readiness relying on the integrity of stored data, having confidence in your organization’s data cleanliness policy is essential.But what does this involve, and how can you ensure your data cleanliness policy checks the right boxes? Luckily, there are practical steps you can follow to ensure data accuracy while mitigating the security and compliance risks that come with poor data hygiene.Understanding the 6 dimensions of…

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today