Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On April 30, 2015

April 29, Securityweek – (International) InFocus projectors plagued by authentication flaws: Core Security. Security researchers at Core Security identified an authentication bypass vulnerability in InFocus network-connected projectors in which an unauthenticated user could bypass the login page and access the projector’s Web interface as an administrator by navigating to the “main.html” page. Once logged in, the unauthenticated user would have the ability to access and modify private network and WiFi configuration information. Source

April 29, Softpedia – (International) Routers built with RealTek SDK affected by remote command-injection bug. A security researcher at HP’s Zero Day Initiative discovered a vulnerability in version 1.3 of the RealTek Software Development Kit (SDK) used in the development of D-Link and Trendnet broadband routers in which attackers can exploit a flaw in the Simple Object Access Protocol (SOAP) service to execute arbitrary code on the devices. Source

April 29, Help Net Security – (International) Threats on government networks remain undetected for 16 days. Findings from a report by MeriTalk and Splunk on the state of cyber security in Federal, State, and local government agencies revealed that cyber threats exist on government networks for an average of 16 days without detection, and that 68 percent of respondents reported that their organizations are overwhelmed by the volume of security data they must analyze. Respondents also reported the benefits of big data in analytics and the challenges they face due to lack of skill or time, among other findings. Source

April 29, Help Net Security – (International) Hacker exploits Android devices with self-implanted NFC chip. A security researcher at APA Wireless demonstrated that he could implant himself with a near field communication (NFC) chip that is undetectable by body scanners and could be used to infiltrate and compromise devices in high-security locations. The chip would ping nearby Android devices with links to malicious files that, once run and installed, would allow for further exploits from a remote computer. Source

April 28, Threatpost – (International) WordPress patches zero-day vulnerability. WordPress patched a critical stored cross-site scripting (XSS) zero-day vulnerability in its release of version 4.2.1. The vulnerability affected tens of millions of WordPress sites and allowed attackers to store malicious JavaScript in the comment fields of WordPress sites that would be executed server-side once the comments are viewed. Source

April 28, Softpedia – (International) Malware delivered via malicious macro in Word document embedded in PDF. Security researchers at Avast discovered that cybercriminals are employing a new malware delivery technique in which they embed Microsoft Word documents with malicious macros into seemingly legitimate Adobe Portable Document Format (PDF) files. Once the document is opened and macros are enabled, a script downloads a variant of the Dridex banking trojan to steal banking credentials and Google and Microsoft login information. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.