November 3, Softpedia – (International) 100 million Android users may have a backdoor on their devise thanks to the Baidu SDK. Researchers from Trend Micro reported the Moplus software development kit (SDK) being offered by Chinese search engine, Baidu includes a functionality that can be abused to install backdoors on users’ devices via an Hypertext Transfer Protocol (HTTP) server on the targeted smartphone, allowing attackers to send HTTP requests to port 6259 or 40310 and execute malicious commands. The vulnerability has been included on an estimated 14,112 Android applications, potentially impacting over 100 million Android users. Source
November 3, Softpedia – (International) Windows legacy layer used to bypass EMET security measures. Security researchers from Duo Labs discovered that the Windows WoW64 subsystem used to support older or newer 32-bit applications on 64-bit architectures can be leveraged to bypass security measures added by Microsoft with the introduction of the Enhanced Mitigation Experience Toolkit (EMET) that was specifically designed to inspect 32-and 64-bit processes, allowing for more targeted attacks. Source
November 3, Softpedia – (International) Google researchers find 11 zero-day bugs in Samsung Galaxy S6 Edge. Google’s Project Zero security team identified 11 zero-day vulnerabilities in Samsung’s Galaxy S6 Edge phone after the team began investigating new flaws when Samsung adapted the Android operating system (OS) to its custom hardware setup. Samsung fixed 8 of the vulnerabilities during its October Maintenance Release, and the other 3 vulnerabilities are scheduled to be resolved by November. Source
November 2, Securityweek – (International) Flaw in SAP firm’s XSS filter exposed many sites to attacks. A security researcher identified a reflective cross-site scripting (XSS) flaw on SuccessFactors, a SAP-owned company, and discovered that about 100 websites were exposed to the XSS filter, potentially allowing attackers to easily bypass web pages due to the developers’ failure to escape certain strings when sanitizing user input. Source
November 2, IDG News Service – (International) Google patches critical media processing flaws in Android. Google released security patches for Nexus devices running both Android 5.1 (Lollipop) and 6.0 (Marshmallow) versions addressing seven vulnerabilities, two of which are critical and can be exploited remotely via specially crafted media files including sending multimedia messaging service (MMS) messages and deceiving users to play media in the browsers. The flaws are located in the mediaserver, libstagefright, Bluetooth, Telephony, and libutils components of Android. Source