October 27, SecurityWeek – (International) Cisco patches 9 flaws in Email Security Appliance. Cisco Systems, Inc. released software updates for its Email Security Appliances (ESA) to resolve a total of nine vulnerabilities, including three denial-of-service (DoS) flaws in the AsyncOS software for Cisco ESA which could allow an unauthenticated remote attacker to cause a DoS condition using maliciously crafted emails and attachments. Cisco also patched vulnerabilities that could allow unauthenticated attackers to remotely trick a user into clicking a malicious link, initiate a DoS condition, and bypass various filters, among other flaws. Source
October 26, SecurityWeek – (International) VMware flaws allow security bypass on Mac OS X. VMware released VMware Tools version 10.1.0 after security researchers from Tencent’s KeenLab discovered that VMware Tools version 9.x and 10.x are plagued with a flaw that could allow a local user to obtain information that can be leveraged to bypass a security mechanism. VMware also released version 8.5 of its VMware Fusion products to resolve a flaw that could allow a privileged local user on a system with System Integrity Protection (SIP) enabled to obtain kernel memory addresses to bypass the kASLR protection mechanism. Source
October 26, SecurityWeek – (International) Adobe patches Flash vulnerability used in targeted attacks. Adobe released a Flash Player update after researchers from Google’s Threat Analysis Group found a critical use-after-free vulnerability that has been exploited in the wild for arbitrary code execution and targeted attacks against users running Microsoft Windows 7, 8.1, and 10. Adobe stated the security flaw affects Flash Player 23.0.0.185 and earlier and Linux versions 11.2.202.637 and earlier. Source
Above Reprinted from the USDHS Daily Open Source Infrastructure Report
October 28, DarkReading – US Charges Several In India Call Center Scam. Authorities file charges against 61 in a phone fraud that cheated 15,000 out of $250 million via identity theft and impersonation. A massive phone scam, which cheated around 15,000 people out of over $250 million, has been busted by US and Indian authorities, and 61 people, including 20 in the US, have been charged with the crime, reports The Washington Post. The scheme involved fake calls from call centers in India, with the accused posing as officials from the Internal Revenue Service or immigration services and threatening victims with arrest and penalties if outstanding tax dues were not paid. Source