October 28, SecurityWeek – (International) Apple patches flaws in Xcode, Windows software. Apple released version 8.1 of its Xcode integrated development environment (IDE) to address 10 vulnerabilities in Node.js and OpenSSL that an attacker could exploit for arbitrary code execution or to cause an application to crash. Apple also released iTunes version 12.5.2 and iCloud version 6.0.1 for Microsoft Windows due to flaws in the WebKit Web browser engine, which can be exploited through processing specially crafted Web content for arbitrary code execution and disclosure of user information. Source
October 28, Help Net Security – (International) New code injection attack works on all Windows versions. Security researchers from enSilo discovered a code injection method, dubbed AtomBombing can be leveraged against all Microsoft Windows versions without triggering security solutions. The researchers found attackers can write malicious code into the operating system’s atom table in order to force a legitimate program to retrieve the malicious code and manipulate the program to execute that code, thereby enabling attackers to take screenshots, access encrypted passwords, and perform Man in the Browser (MitB) attacks. Source
Above Reprinted from the USDHS Daily Open Source Infrastructure Report
October 31, DarkReading - Leak Of 1.3 Million Blood Donor Records Is Australia's Biggest Breach Ever. Sensitive medical data of 550,000 Red Cross blood donors exposed online inadvertently in country's most damaging data breach to date. In the biggest data breach in Australia to date, 1.74 GB file containing 1.28 million records of blood donors from 2010 was exposed online inadvertently by Red Cross’ service provider Precedent, iTnews says. This happened when Precedent was redesigning the blood service’s website and “human error” led to the data being published on a publicly facing website from Sep. 5 to Oct. 25 of this year. Source
October 31, DarkReading - US Bank Regulator Reports Major Security Breach. Former employee of the Office of the Comptroller of the Currency downloads 10,000 records and cannot replace them. In what is described as a “major information security incident,” a former employee of the Office of the Comptroller of the Currency (OCC) downloaded more than 10,000 records onto two thumb drives just before his retirement in November 2015, Reuters reports. Congress was informed of this incident by the US banking regulator, which said it detected the breach recently during a routine security review. Source