Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On March 19, 2015

March 18, Securityweek – (International) Apple fixes WebKit vulnerabilities with release of Safari 8.0.4. Apple released Safari versions 8.0.4, 7.1.4, and 6.2.4, which address 16 memory corruption issues in WebKit identified by Apple’s own security team and the Google Chrome Security Team, plus one user interface inconsistency. As with most WebKit memory corruption bugs, visiting a maliciously crafted website could lead to arbitrary code execution on an unpatched system. Source

March 18, Securityweek – (International) Johnson Controls, XZERES, Honeywell patch vulnerable products. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced that Johnson Controls, Honeywell, and XZERES released patches addressing vulnerabilities in their products: a cross-site request forgery (CSRF) flaw, an unrestricted file upload vulnerability, and a path traversal vulnerability, each of which an attacker could exploit to gain administrative access and compromise the affected systems. Source

March 18, Softpedia – (International) Almost 2,000 popular Android and iOS apps are vulnerable to FREAK attack. FireEye researchers found that 1,999 popular Android and Apple iOS apps used for photo and video, finance, lifestyle, social networking, communication, or shopping are susceptible to the Factoring RSA Export Keys (FREAK) attack. The apps ship a vulnerable build of the OpenSSL cryptographic library that lets a man-in-the-middle downgrade the TLS connection to export-grade 512-bit RSA, which can be factored and used to decrypt the session. The affected apps handle sensitive information, including online banking data, account log-in credentials, and medical information. Source
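The FREAK item above is worth a concrete check. The downgrade works because a vulnerable OpenSSL client accepts an RSA_EXPORT ServerKeyExchange even when it never negotiated an export suite, so a man-in-the-middle can rewrite the ClientHello to offer only export suites and let the server pick one. On the wire, the reliable signal is therefore the ServerHello selecting an export-grade cipher suite, not what the client offered. The script below is an added example written for this post, not code from FireEye, Apple, or the OpenSSL project: it parses TLS 1.x ClientHello and ServerHello records, flags export-grade suites by their IANA cipher-suite IDs, and reports an RSA_EXPORT selection as a FREAK-style downgrade. The sample handshake bytes are constructed, not captured traffic, and the parser deliberately handles only plaintext, unfragmented TLS 1.0 to 1.2 handshake records.

```python
"""Flag export-grade cipher suites in TLS 1.x ClientHello / ServerHello records."""
import struct

# IANA cipher-suite IDs for export-grade suites (40/56-bit ciphers, 512/1024-bit RSA).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}
# FREAK abuses the RSA_EXPORT key exchange specifically (factorable 512-bit RSA).
RSA_EXPORT_SUITES = {k for k, v in EXPORT_SUITES.items() if v.startswith("TLS_RSA_EXPORT")}

HANDSHAKE = 0x16          # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2


def handshake_body(record):
    """Validate the 5-byte record header and 4-byte handshake header; return (type, body)."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch (fragmented or truncated record)")
    msg_type = record[5]
    msg_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + msg_len]
    if len(body) != msg_len:
        raise ValueError("truncated handshake message")
    return msg_type, body


def hello_suite_offset(body):
    """Offset just past version(2) + random(32) + session_id<0..32> in a Hello body."""
    return 35 + body[34]


def client_hello_suites(record):
    """Return the cipher-suite IDs offered in a ClientHello, in offered order."""
    msg_type, body = handshake_body(record)
    if msg_type != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    off = hello_suite_offset(body)
    n = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + n, 2)]


def server_hello_suite(record):
    """Return the single cipher-suite ID the server selected in a ServerHello."""
    msg_type, body = handshake_body(record)
    if msg_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    off = hello_suite_offset(body)
    return struct.unpack("!H", body[off:off + 2])[0]


def export_suites_offered(client_hello):
    """Names of export-grade suites a client is willing to use (weak client config)."""
    return [EXPORT_SUITES[s] for s in client_hello_suites(client_hello) if s in EXPORT_SUITES]


def freak_downgrade(server_hello):
    """Name of the RSA_EXPORT suite the server selected, or None if the choice is sane."""
    suite = server_hello_suite(server_hello)
    return EXPORT_SUITES[suite] if suite in RSA_EXPORT_SUITES else None


def build_handshake_record(msg_type, body):
    """Wrap a handshake body in handshake and TLS 1.0 record headers (test helper)."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed sample messages for the demo (not captured traffic).
SAMPLE_RANDOM = bytes(range(32))
SAMPLE_CLIENT_HELLO = build_handshake_record(
    CLIENT_HELLO,
    b"\x03\x01" + SAMPLE_RANDOM + b"\x00"                       # version, random, empty session id
    + struct.pack("!H", 6) + b"\x00\x2f\x00\x35\x00\x03"       # AES128-SHA, AES256-SHA, RSA_EXPORT RC4-40
    + b"\x01\x00")                                             # one compression method: null
SAMPLE_SERVER_HELLO = build_handshake_record(
    SERVER_HELLO,
    b"\x03\x01" + SAMPLE_RANDOM + b"\x00" + b"\x00\x03" + b"\x00")  # server picked the export suite

if __name__ == "__main__":
    print("client offers export suites:", export_suites_offered(SAMPLE_CLIENT_HELLO))
    print("server downgraded to:", freak_downgrade(SAMPLE_SERVER_HELLO))
```

In a real deployment you would feed `freak_downgrade` the first handshake record of each server-to-client flow from a capture or proxy. Keep in mind that a vulnerable client need not offer export suites itself, since the attacker injects them into the ClientHello in transit, so `export_suites_offered` only tells you about weak client configuration while the ServerHello check is what catches the downgrade.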

March 17, Softpedia – (International) Windows Live SSL certificate issued to unauthorized third party. Microsoft released an advisory warning of a fraudulent certificate for the Finnish Windows Live domain that was issued by the Certificate Authority (CA) Comodo after an unauthorized request made from a privileged email account on that domain. The certificate could be used to spoof Microsoft Web content and carry out man-in-the-middle (MitM) and phishing attacks. The issue affects systems running certain Windows and Windows Server versions, as well as Windows Phone 8 and Windows Phone 8.1. The certificate has been revoked, and a standalone updater is available for systems that do not receive revoked-certificate updates automatically. Source


Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.