Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On September 21, 2015

September 18, SC Magazine – (International) VMware addresses vulnerability in vCenter server. VMware released an update addressing a certificate validation vulnerability in select versions of its vCenter Server. An attacker could exploit the flaw to intercept traffic between the vCenter Server and the Lightweight Directory Access Protocol (LDAP) server and capture sensitive information.

September 18, Softpedia – (International) D-Link accidentally publishes code signing keys. Following the purchase of the company’s DCS-5020L surveillance camera, a Norwegian developer and researchers from Fox-IT discovered that D-Link had inadvertently released private code signing keys along with a recent firmware update. D-Link revoked the certificate and published new versions of the firmware that do not contain the code signing keys.

September 18, Help Net Security – (International) Critical Bugzilla flaw allows access to unpatched vulnerability information. Mozilla released an update addressing a critical vulnerability in its Bugzilla bug-tracking software in which an attacker could gain access to information about a project’s unpatched flaws by tricking the system into granting domain-specific privileges. Attackers can create an account with an email address different from the one originally requested, because login names longer than 127 characters could cause the domain name of the email address to be corrupted.

September 18, Help Net Security – (International) Malicious SYNful Cisco router implant found on more devices across the globe. Security researchers followed up on recent FireEye findings about the SYNful malicious modified router firmware with four scans of public IPv4 addresses and found that 79 hosts displayed behavior consistent with the SYNful Knock implant, including 25 in the U.S. that belong to a single East Coast service provider.

September 17, Securityweek – (International) Apple patches vulnerabilities in iOS, OS X, iTunes, Xcode. Apple released software updates adding new capabilities and addressing over 100 vulnerabilities in iOS, Mac OS X, iTunes, and Xcode, including a security flaw in AirDrop that could allow an attacker to send malicious files to an affected device within Bluetooth range, 33 vulnerabilities affecting WebKit, and 9 relating to CFNetwork, among others.

September 17, Network World – (International) Under DDoS attack? It could just be a distraction. Kaspersky Lab released findings from polling of managers and information technology professionals at 5,500 companies in 26 countries revealing that three-quarters of distributed denial-of-service (DDoS) attacks are accompanied by other security incidents, implying that the attacks are often used as a diversion tactic and that businesses should keep resources available to manage corporate security in its entirety.

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.