October 21, Securityweek – (International) Flaws in Apple productivity apps expose users to attacks. Apple recently released updates addressing input validation vulnerabilities related to how malicious documents are parsed in Keynote, Pages, Numbers, and iWork for iOS 2.6. The flaws could have allowed an Extensible Markup Language (XML) External Entity (XXE) attack, potentially leading to disclosure of data, denial-of-service (DoS), or other impacts. The updates also address memory corruption issues that could lead to unexpected termination of applications or arbitrary code execution.
October 21, Threatpost – (International) Oracle quarterly security update patches 154 vulnerabilities. Oracle released a quarterly patch addressing 154 security issues in 54 products, including 24 vulnerabilities in Java SE, 16 remotely exploitable bugs in Fusion Middleware, and 7 in Oracle Database, among others. Eighty-four of the patches address vulnerabilities that may be remotely exploitable without authentication.
October 21, The Register – (International) ‘10-second’ theoretical hack could jog Fitbits into malware-spreading mode. Security researchers from Fortinet discovered a vulnerability in Fitbit devices in which attackers in close proximity could use Bluetooth to deliver fully persistent malware within 10 seconds; the malware could then infect a computer once the device is synchronized.
October 21, Softpedia – (International) Western Digital My Passport hard drives come with a slew of security holes. Security researchers published findings on the International Association for Cryptologic Research Web site revealing that attackers could use brute-force attacks to bypass built-in encryption and password-based authentication in Western Digital My Passport hard drives, and that attackers could use all Western Digital devices’ firmware update mechanisms to install malicious code via “evil maid” and “badUSB” attacks.
October 21, Softpedia – (International) Firefox FindMyDevice service lets hackers wipe or lock phones, change PINs. Researchers discovered a flaw in Mozilla’s “Find My Device” service for devices running the Firefox operating system (OS) in which a hacker could remotely lock device screens, make devices ring, and wipe all device data via clickjacking-enabled cross-site request forgery (CSRF) attacks. The attack requires the user to be logged in to the service with their Firefox account.