Thanksgiving should be a time for rest and relaxation; there’s good food, better company and the chance to take a break before the holiday season gets into full swing. For companies LinkedIn, Zen Cart and Lenovo, however, the weekend wasn’t a walk in the park: All three patched critical vulnerabilities in their software to address problems with style sheets, PHP and automatic update security. Here’s a quick look at what was addressed.

Big Link, Big Trouble

First up is LinkedIn. As reported by SecurityWeek, security firm BitSensor recently discovered a potential flaw in the cascading style sheets (CSS) used by LinkedIn’s publishing platform. The social site had good intentions — to allow users to customize the look and feel of their blog posts — but CSS security was apparently overlooked. While HTML tags used by the platform are deliberately limited to lower the chance of a cross-site scripting (XSS) attack, Ruben van Vreeland of BitSensor discovered modifying trusted CSS class selectors could allow malicious actors to significantly alter the user interface to permit clickjacking.

Here’s how it works: By using the li_style CSS to force a link to stretch across the entire width and length of page, attackers could covert the entire visible surface into a single, massive redirect. However, no instances of this attack were detected in the wild, and LinkedIn has already patched the problem to prevent this kind of clickjacking.

Not So Peaceful

E-commerce software Zen Cart, meanwhile, had its own problems with a PHP bug that would allow attackers “unlimited access to the files and entire database of the vulnerable application,” SecurityWeek stated. The problem only affected the newest version — Zen Cart 1.5.4 — and stemmed from a PHP file inclusion vulnerability in the /ajax.php file.

Security firm High-Tech Bridge found the flaw on Nov. 25. It reported that the PHP problem was not difficult to abuse and was possible even on hardened Web servers. Within 24 hours, Zen Cart said it patched the problem, and High-Tech Bridge has reported it will release the full details of the vulnerability on Dec. 16.

Update Headaches

Computer manufacturer Lenovo also patched two critical issues over the weekend that could have allowed malicious actors to easily guess admin passwords or elevate privileges on a Windows device. Security company IOActive reported the problems in October, and Lenovo fixed both issues on Nov. 19. The vulnerabilities stemmed from Lenovo System Update version 5.07.0013, which automatically looks for support updates. By taking advantage of weaknesses in the password-generation algorithm, however, it’s possible for attackers to guess the username and password of a temporarily generated admin account.

According to Threatpost, the vulnerability only exists when the update’s first effort at strong password generation fails and forces the program to use an easier, reproducible algorithm. If attackers know the algorithm and when the admin account was created, it’s possible to gain full access. In addition, a function intended to let lower-level users initiate system updates permitted an easy privilege escalation attack using a browser instance created by links to Lenovo support and help topics, which could then be used to gain admin privileges and save or run malicious code.

Not everyone had a restful Thanksgiving. Users of LinkedIn, Zen Cart and Lenovo machines have something to be thankful for, however: Speedy patches plugged a number of serious software holes.

More from

$10.3 Billion in Cyber Crime Losses Shatters Previous Totals

4 min read - The introduction of the most recent FBI Internet Crime Report says, “At the FBI, we know ‘cyber risk is business risk’ and ‘cybersecurity is national security.’” And the numbers in the report back up this statement. The FBI report details more than 800,000 cyber crime-related complaints filed in 2022. Meanwhile, total losses were over $10 billion, shattering 2021's total of $6.9 billion, according to the bureau’s Internet Crime Complaint Center (IC3).  Top Five Cyber Crime TypesIn the past five years, the…

4 min read

How to Boost Cybersecurity Through Better Communication

4 min read - Security would be easy without users. That statement is as absurd as it is true. It’s also true that business wouldn’t be possible without users. It’s time to look at the big picture when it comes to cybersecurity. In addition to dealing with every new risk, vulnerability and attack vector that comes along, cybersecurity pros need to understand their own fellow employees - how they think, how they learn and what they really want. The human element — the individual and social factors that…

4 min read

Detecting Insider Threats: Leverage User Behavior Analytics

3 min read - Employees often play an unwitting role in many security incidents, from accidental data breaches to intentional malicious attacks. Unfortunately, most organizations don’t have the right protocols and processes to identify potential risks posed by their workforce. Based on a survey conducted by SANS Institute, 35% of respondents said they lack visibility into insider threats, while 30% said the inability to audit user access is a security blind spot in their organizations. In addition, the 2023 X-Force Threat Intelligence Index reported that…

3 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read