July 19, SecurityWeek – (International) Apple patches tens of vulnerabilities in iOS, OS X. Apple Inc., released security updates for several of its products including OS X El Capitan version 10.11.6, which patched a total of 60 security bugs affecting components such as audio, FaceTime, and CFNetwork, among others after a Zscaler researcher discovered the flaws could allow unprivileged applications to access cookies stored in the Safari browser. Apple also released iOS version 9.3.3., resolving 43 vulnerabilities, one of which could allow an attacker with physical access to the device to abuse Siri and view private contact information, among other patches. Source
July 18, Softpedia – (International) HTTPoxy vulnerability affects CGI-based apps in PHP, Python, and Go. A developer from Vend discovered CGI applications written in Hypertext Preprocessor (PHP), Python, and Go were plagued by a HTTPoxy vulnerability after finding that CGI-based environments receiving incoming Hypertext Transfer Protocol Secure (HTTP) requests containing a “Proxy” header were dropping the header’s content in the HTTP_PROXY environment without sanitization, which could allow an attacker to force a vulnerable CGI-based application to use a malicious proxy for its outgoing HTTP requests, carry out Man-in-the-Middle (MitM) attacks, and poison servers. Source
July 18, SecurityWeek – (International) CryptXXX now being distributed via spam emails. Security researchers from Proofpoint warned that the CryptXXX malware was leveraging a spam email campaign after discovering that the emails, using subjects such as “Security Breach – Security Report #123456789,” were tricking users into activating malicious macros embedded in the emails’ document attachments, which were designed to download and install the ransomware when the victim interacted with them. Source
July 18, Softpedia – (International) Steemit social network hacked, user funds stolen, DDoS attack ensued. Steemit, a social networking platform, announced July 14 that an unknown attacker exploited the network’s browser-side vulnerabilities to steal $85,000 worth of Steem Dollars and Steem Power from approximately 260 users’ funds after a user reported mysterious transactions that transferred funds from his account to another Bittrex account, a Bitcoin trading portal. Steemit’s servers also faced a distributed denial-of-service (DDoS) attack, prompting the network to bring down its servers for maintenance and service upgrades. Source
Above Reprinted from the USDHS Daily Open Source Infrastructure Report