The US-CERT Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the US-CERT.
Oracle has released its Critical Patch Update for April 2013 to address 128 vulnerabilities across multiple products. This update contains the following security fixes:
- 4 for Oracle Database Server
- 29 for Oracle Fusion Middleware
- 6 for Oracle E-Business Suite
- 3 for Oracle Supply Chain Products Suite
- 11 for Oracle PeopleSoft Products
- 8 for Oracle Siebel CRM
- 3 for Oracle Industry Applications
- 18 for Oracle Financial Services Software
- 2 for Oracle Primavera Products Suite
- 16 for Oracle and Sun Systems Products Suite
- 2 for Oracle Sun Middleware Products
- 25 for Oracle MySQL
- 1 for Oracle Support Tools
US-CERT encourages users and administrators to review the April 2013 Critical Patch Update and follow best practice security policies to determine which updates should be applied.
US-CERT is aware of an ongoing campaign targeting the content management software WordPress, a free and open source blogging tool and web publishing platform based on PHP and MySQL. All hosting providers offering WordPress for web content management are potentially targets. Hackers reportedly are utilizing over 90,000 servers to compromise websites’ administrator panels by exploiting hosts with “admin” as account name, and weak passwords which are being resolved through brute force attack methods.
CloudFlare, a web performance and security startup, has to block 60 million requests against its WordPress customers within one hour elapse time. The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses. A CloudFlare spokesman asserted that if hackers successfully control WordPress servers, potential damage and service disruption could exceed common distributed denial of service (DDoS) attack defenses. As a mitigating strategy, HostGator, a web hosting company used for WordPress, has recommended users log into their WordPress accounts and change them to more secure passwords.
Google has released Google Chrome 26.0.1410.57 for all Chrome OS devices to address a vulnerability. This vulnerability could allow an attacker to execute arbitrary code.
US-CERT encourages users and administrators to review the Google Chrome Release blog entry and follow best-practice security policies to determine which updates should be applied.