Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On October 23, 2015

October 22, Securityweek – (International) New NTP vulnerabilities put networks at risk. The Network Time Foundation’s NTP Project released an update addressing 13 denial-of-service (DoS), directory traversal, memory corruption, authentication bypass, and file overwrite vulnerabilities in the Network Time Protocol (NTP), as well as a “crypto-NAK” issue that could allow an unauthenticated off-path attacker to force Network Time Protocol daemon (ntpd) processes to peer with malicious time sources, eventually gaining the ability to bypass security mechanisms and change system time, among other activities. Source

October 22, Softpedia – (International) Drupal releases version 7.41 to fix open redirect vulnerability. Drupal’s developers released update 7.41 addressing an open redirect vulnerability in the system’s Overlay module in which an attacker could redirect Drupal admins, logged into their admin panel, to a fake login page in order to harvest credentials. The vulnerability was previously addressed, but incompletely patched in version 7.38. Source

October 22, Softpedia – (International) New ransomware infects computers via Windows Remote Desktop Services. Researchers discovered a new strain of ransomware that hackers are manually installing on Windows computers that have Remote Desktop or Terminal Services connections open, after brute-forcing user account passwords. Once installed, the ransomware encrypts files with a 2048-bit RSA key and drops a file with information on how to pay the ransom. Source

October 22, Securityweek – (International) Apple patches flaws in OS X, iOS, other products. Apple released OS X El Capitan v10.11.1 addressing 60 vulnerabilities that could be exploited for arbitrary code execution, denial-of-service (DoS), information disclosure, privilege elevation, overwriting arbitrary files, and bypassing restrictions, as well as a flaw that allowed malicious actors to exercise unused Extensible Firmware Interface (EFI) functions. The update also addresses two vulnerabilities used for jailbreaks and a lock screen issue. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.