Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On December 15, 2016

December 14, SecurityWeek – (International) Apple patches 72 vulnerabilities in macOS Sierra. Apple released version 10.12.2 of its Sierra operating system (OS) patching a total of 72 vulnerabilities in Apache, Audio, Bluetooth, security, the kernel, and Disk Images, among other components, after security researchers discovered that the flaws could be exploited to cause an application to enter a denial-of-service (DoS) condition, execute arbitrary code with elevated privileges, leak memory data, and overwrite existing files, among other nefarious actions. Apple also released security updates for iCloud for Microsoft Windows, iTunes for Windows, and Safari 10.0.2, which resolved two dozen flaws. Source

December 14, SecurityWeek – (International) Microsoft patches several publicly disclosed flaws. Microsoft released its December 2016 security updates, which include a total of 12 critical and important security bulletins that resolve flaws in Windows, Office, Edge, and Internet Explorer, including 11 flaws in Edge, an information disclosure and 2 remote code execution bugs in the Windows graphics component, and 16 privilege escalation, information disclosure, and arbitrary code execution flaws, among other flaws, in Office and Office for Apple Mac. One of the critical bulletins also includes patches for Adobe Flash Player, in which Adobe resolved a total of 17 vulnerabilities, including a zero-day flaw that was being exploited in targeted attacks. Source

December 14, Help Net Security – (International) Corporate Office 365 users hit with clever phishing attack. Security researchers reported that phishers are targeting users of Microsoft’s Corporate Office 365 service, bypassing its email filters and default security protections with a trick in which the user sees one Uniform Resource Locator (URL) in the link, the anti-phishing filters see another, and the actual link leads the victim to a third, phishing URL. The malicious actors exploit the way that Office 365 anti-phishing and URL-reputation security layers translate Punycode, the method for encoding domain names that contain Unicode characters. Source

December 13, Help Net Security – (International) More Android-powered devices found with trojans in their firmware. Doctor Web security researchers discovered two types of downloader trojans incorporated in the firmware of several Android-powered devices. The trojans are used to deliver ad-showing apps that push users to download additional apps, and are capable of updating themselves, contacting their command and control (C&C) servers, receiving instructions on which apps to covertly download and run, and starting each time the device is turned on. One of the trojans, dubbed Android.Sprovider.7, was found inserted into the firmware of Lenovo smartphones and can open specified links in a browser, as well as show ads on top of apps and in the status bar, among other malicious actions. Source

December 13, Help Net Security – (International) 93% of SOC managers unable to triage all potential threats. Intel Security released a report after interviewing 400 Security Operations Center (SOC) managers across several countries, industries, and company sizes, which revealed that on average, organizations are unable to adequately investigate 25 percent of security alerts, as many as 93 percent of SOCs are unable to triage all potential threats, and that the most common threat detection signals for 64 percent of companies come from traditional security control points, including firewall and intrusion prevention systems, among other findings. Source

December 13, SecurityWeek – (International) Apple patches 12 vulnerabilities in iOS, tvOS, and watchOS. Apple released version 10.2 of its mobile operating system (iOS) resolving 12 vulnerabilities affecting several components in iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later, including a memory corruption issue in the Profiles component, which was also found to impact 4th generation Apple TV and all Apple Watch models, that could allow an attacker to achieve arbitrary code execution if the victim opened a specially crafted certificate on a vulnerable device. Source

Above Reprinted from the USDHS Daily Open Source Infrastructure Report

December 15, CNN Tech – Yahoo says data stolen from 1 billion accounts. Yahoo (YHOO, Tech30) disclosed a new security breach on Wednesday that may have affected more than one billion accounts. The breach dates back to 2013 and is thought to be separate from a massive cybersecurity incident announced in September. Yahoo now believes an "unauthorized third party" stole user data from more than one billion accounts in August 2013. That data may have included names, email addresses and passwords, but not financial information. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.