A critical vulnerability in the MySQL open source relational database management system was reported this week, and affected vendors are in the process of issuing patches.
The vulnerability, CVE-2016-6662, can be exploited via SQL injection attack, or by an attacker with valid credentials either locally or over the Web, according to the news site ThreatPost. The flaw affects versions 5.7.15, 5.6.33, and 5.5.52 of MySQL, which is a component of the “LAMP” open source web application software stack, along with Linux, Apache, and Perl/PHP/Python. Applications using MySQL include Joomla, WordPress, and Drupal, and it’s also used by major websites such as Facebook, Twitter, and YouTube.
Researcher Dawid Golunski of Legal Hackers was the first to identify the vulnerability. “As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available,” Golunski told ThreatPost.
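Golunski's interim advice above amounts to a file-ownership check on MySQL's option files. The script below is an added example, not code from the article, from Golunski, or from the MySQL project: it audits the usual option-file locations (the path list and the service-user name mysql are assumptions; adjust them for your distribution), reports any file owned by the service user, and can create a placeholder at a path that is not in use. It also flags world-writable option files, which goes slightly beyond the quoted advice but is the same class of problem. Run it as root so that any placeholder it creates is root-owned.

```shell
#!/bin/sh
# Added example: audit MySQL option files for the condition in Golunski's
# interim advice (option files owned by the mysql service user). The paths and
# the service-user name are assumptions; override SERVICE_USER if needed.
SERVICE_USER="${SERVICE_USER:-mysql}"
OPTION_FILES="/etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf /usr/local/etc/my.cnf"

# owner_uid FILE: print the numeric uid of the file's owner (GNU or BSD stat).
owner_uid() {
  if stat -c '%u' "$1" >/dev/null 2>&1; then
    stat -c '%u' "$1"
  else
    stat -f '%u' "$1"
  fi
}

# check_file FILE USER: print "risky" when FILE is owned by USER (so a
# compromised server process could rewrite it) or is writable by everyone,
# "ok" otherwise, and "absent" when the path does not exist.
check_file() {
  f=$1
  svc_uid=$(id -u "$2" 2>/dev/null) || svc_uid=""
  [ -e "$f" ] || { echo absent; return 0; }
  uid=$(owner_uid "$f")
  other_w=$(ls -ld "$f" | cut -c9)      # 9th mode character: other-write bit
  if [ -n "$svc_uid" ] && [ "$uid" = "$svc_uid" ]; then
    echo risky
  elif [ "$other_w" = "w" ]; then
    echo risky
  else
    echo ok
  fi
}

# audit_option_files: print a verdict per candidate path and return the
# number of risky files (0 means nothing needs attention).
audit_option_files() {
  risky=0
  for f in $OPTION_FILES; do
    verdict=$(check_file "$f" "$SERVICE_USER")
    echo "$verdict  $f"
    if [ "$verdict" = risky ]; then risky=$((risky + 1)); fi
  done
  return "$risky"
}

# create_placeholder FILE: if FILE does not exist, create an empty option file
# with mode 0644 so the path is occupied; run as root for it to be root-owned.
create_placeholder() {
  [ -e "$1" ] && return 0
  umask 022
  : > "$1" && chmod 0644 "$1"
}

# Usage: sh audit-mycnf.sh --run   (invoke as root to audit the real paths)
if [ "${1:-}" = "--run" ]; then
  audit_option_files
fi
```

The audit reports per-path verdicts and returns the count of risky files as its exit status, so it can be dropped into a configuration-management check or a cron job; a placeholder created at an unused path is only useful if its owner is root, which is why the script is meant to be run as root.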
A successful exploitation of the vulnerability would allow attackers to execute arbitrary code with root privileges, which would then allow them to fully compromise the server on which an affected version of MySQL is running, ThreatPost reported.
Password Breach Strikes U.K. Telephony Provider
Meanwhile, voice-over-IP provider VoIPTalk warned its users this week of a possible security breach relating to compromised passwords.
The company, which serves businesses and individuals in the U.K. and Europe, told users it suspects that user account data has been exposed, although an exploitation of the breach has not yet been confirmed, ZDNet reported.
VoIPTalk users are being urged to change passwords, and certain international destinations are being “blacklisted” for now, until more is learned about the breach, VoIPTalk told ZDNet.
Google Falls Victim to Cross-Site Scripting Vulnerability
Even Google is not immune to cross-site scripting vulnerabilities. It was reported this week that French security researcher Issam Rabhi discovered the flaw and posted a proof-of-concept exploit. Rabhi reported the vulnerability to the search giant’s Google France unit, which has now fixed the error.
Protecting Your Apps, Your Data, and Your Customers: Application Defense in Depth
These examples illustrate what we believe at IMMUNIO: that writing code is easy, but writing secure code is much harder. New threats to web applications dreamed up by creative attackers are emerging all the time, and many organizations have limited resources to devote to application security. It makes sense to consider new approaches to keeping web apps safe from common threats such as SQL injection, cross-site scripting, and more. By implementing an "application defense in depth" approach, your organization will be better able to stay ahead of attackers.