December 1, 2015 By Douglas Bonderud 2 min read

Thanksgiving should be a time for rest and relaxation; there’s good food, better company and the chance to take a break before the holiday season gets into full swing. For companies LinkedIn, Zen Cart and Lenovo, however, the weekend wasn’t a walk in the park: All three patched critical vulnerabilities in their software to address problems with style sheets, PHP and automatic update security. Here’s a quick look at what was addressed.

Big Link, Big Trouble

First up is LinkedIn. As reported by SecurityWeek, security firm BitSensor recently discovered a potential flaw in the cascading style sheets (CSS) used by LinkedIn’s publishing platform. The social site had good intentions — to allow users to customize the look and feel of their blog posts — but CSS security was apparently overlooked. While HTML tags used by the platform are deliberately limited to lower the chance of a cross-site scripting (XSS) attack, Ruben van Vreeland of BitSensor discovered modifying trusted CSS class selectors could allow malicious actors to significantly alter the user interface to permit clickjacking.

Here’s how it works: By using the li_style CSS to force a link to stretch across the entire width and length of page, attackers could covert the entire visible surface into a single, massive redirect. However, no instances of this attack were detected in the wild, and LinkedIn has already patched the problem to prevent this kind of clickjacking.

Not So Peaceful

E-commerce software Zen Cart, meanwhile, had its own problems with a PHP bug that would allow attackers “unlimited access to the files and entire database of the vulnerable application,” SecurityWeek stated. The problem only affected the newest version — Zen Cart 1.5.4 — and stemmed from a PHP file inclusion vulnerability in the /ajax.php file.

Security firm High-Tech Bridge found the flaw on Nov. 25. It reported that the PHP problem was not difficult to abuse and was possible even on hardened Web servers. Within 24 hours, Zen Cart said it patched the problem, and High-Tech Bridge has reported it will release the full details of the vulnerability on Dec. 16.

Update Headaches

Computer manufacturer Lenovo also patched two critical issues over the weekend that could have allowed malicious actors to easily guess admin passwords or elevate privileges on a Windows device. Security company IOActive reported the problems in October, and Lenovo fixed both issues on Nov. 19. The vulnerabilities stemmed from Lenovo System Update version 5.07.0013, which automatically looks for support updates. By taking advantage of weaknesses in the password-generation algorithm, however, it’s possible for attackers to guess the username and password of a temporarily generated admin account.

According to Threatpost, the vulnerability only exists when the update’s first effort at strong password generation fails and forces the program to use an easier, reproducible algorithm. If attackers know the algorithm and when the admin account was created, it’s possible to gain full access. In addition, a function intended to let lower-level users initiate system updates permitted an easy privilege escalation attack using a browser instance created by links to Lenovo support and help topics, which could then be used to gain admin privileges and save or run malicious code.

Not everyone had a restful Thanksgiving. Users of LinkedIn, Zen Cart and Lenovo machines have something to be thankful for, however: Speedy patches plugged a number of serious software holes.

More from

Is AI saving jobs… or taking them?

3 min read - Artificial intelligence (AI) is coming to take your cybersecurity job. Or, AI will save your job.Well, which is it?As with all things security-related, AI-related and employment-related, it's complicated.How AI creates jobsA major reason it's complicated is that AI is helping to increase the demand for cybersecurity professionals in two broad ways. First, malicious actors use AI to get past security defenses and raise the overall risk of data breaches. The bad guys can increasingly use AI-based tools for improved reconnaissance…

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.Both reports shed light on the persistent and growing threat of credential…

Are we getting better at quantifying risk management?

4 min read - As cyber threats grow more sophisticated and pervasive, the need for effective risk management has never been greater. The challenge lies not only in defining risk mitigation strategy but also in quantifying risk in ways that resonate with business leaders. The ability to translate complex technical risks into understandable and actionable business terms has become a crucial component of securing the necessary resources for cybersecurity programs.What approach do companies use today for cyber risk quantification? And how has cyber risk…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today