Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On September 24, 2015

September 23, Securityweek – (International) Firefox 41 patches critical vulnerabilities. Mozilla released updates addressing 30 vulnerabilities in Firefox version 41, including use-after-free bugs in IndexedDB and in the manipulation of HyperText Markup Language (HTML) content that could lead to an exploitable crash, memory safety bugs that can be exploited to execute arbitrary code, and two flaws involving cross-origin resource sharing (CORS) “preflight” request handling, among others.

September 23, Softpedia – (International) Brute-forcing URL shorteners can expose sensitive corporate information. Security researchers and social engineers discovered that brute-force attacks could be used to uncover active short links on Bit.ly and similar Uniform Resource Locator (URL) shortener services, potentially exposing sensitive or private documents shared through a company’s shortener, and that attackers could bypass the services’ rate limits by using proxies.

September 23, Help Net Security – (International) WD My Cloud NAS devices can be hijacked by attackers. Security researchers from VerSprite discovered vulnerabilities in the RESTful Application Program Interface (API) of Western Digital My Cloud network attached storage (NAS) products in which any authorized remote user can execute commands and steal files belonging to other users, as well as abuse root access to the NAS on a private internal network. Researchers also discovered a separate flaw in the device’s web application that allows cross-site request forgery attacks.

September 23, Securityweek – (International) Large number of iOS apps infected by XcodeGhost. Security researchers from Pangu discovered that the number of iOS applications affected by the XcodeGhost malware is over 3,400, and FireEye reported that the number on the App Store could be over 4,000. The malware injects malicious code into legitimate iOS and OS X applications through a modified version of Apple’s Xcode development platform, and has been detected in apps distributed worldwide.

September 23, The Register – (International) Malvertisers slam Forbes, Realtor with world’s worst exploit kits. Security researchers from FireEye and Malwarebytes reported that multiple Forbes websites and Realtor.com were hit with malvertising attacks that redirected users to sites hosting the Neutrino and Angler exploit kits (EKs). These kits boast a 40 percent exploit rate against victims, leverage Adobe Flash, Java, Microsoft Silverlight, and other browser vulnerabilities, and quickly incorporate zero-day flaws.

September 23, Softpedia – (International) New adware facilitates the distribution of trojans for Mac users. Security researchers from Dr. Web discovered a new malware named “Adware.Mac.WeDownload.1” containing a modified version of Adobe Flash Player that, once launched, requests administrator privileges and contacts a command-and-control (C&C) server to install additional malicious applications.

September 22, U.S. Securities and Exchange Commission – (National) SEC charges investment adviser with failing to adopt proper cybersecurity policies and procedures prior to breach. St. Louis-based R.T. Jones Capital Equities Management agreed September 22 to pay $75,000 to settle U.S. Securities and Exchange Commission charges that the firm failed to establish required cybersecurity policies and procedures in advance of a breach that compromised the information of about 100,000 individuals in July 2013.

Nancy Rand
Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.