Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 16, 2015

November 13, Securityweek – (International) Flaw in “Spring Social” puts user accounts at risk. Researchers at SourceClear (SRC:CLR) discovered a vulnerability in the authentication feature of Pivotal Software’s Spring Social that can be exploited via a specially crafted Uniform Resource Locator (URL) which bypasses the library’s cross-site request forgery (CSRF) protection, allowing an attacker to link their own account on a social service such as GitHub or Facebook to a victim’s account on a site that uses the vulnerable library. Pivotal Software patched the vulnerability in a Spring Social Core update. Source
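To make the account-linking attack concrete, here is an added example (my own Python model, not Spring Social’s code or SourceClear’s proof of concept) of an OAuth-style “connect” callback with and without the usual CSRF defence: an unguessable state value minted when the user starts the flow, bound to their session, and required to come back unchanged on the callback. The provider, the authorization codes, the session store and the URLs are all constructed stand-ins, and the vulnerable handler is the generic unchecked-callback pattern, not a claim about how Spring Social’s own code was written.

```python
"""Added example: CSRF on an OAuth "connect" callback (generic model, not
Spring Social code). Everything here is an in-memory stand-in."""
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

# Constructed stand-in for the social provider's code exchange. The attacker
# obtains "code-attacker-7f3a" by starting a connect flow for their OWN social
# account and capturing the provider's redirect before it reaches the site.
PROVIDER_CODES = {
    "code-attacker-7f3a": "social-user:attacker",
    "code-alice-91c0": "social-user:alice",
}


def exchange_code(code):
    """Stand-in for code -> access token -> profile lookup at the provider."""
    return PROVIDER_CODES.get(code)


def start_connect(session):
    """Step 1 of a connect flow: mint a state value and bind it to the session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return f"https://provider.example/authorize?state={state}"  # assumed URL


def callback_without_csrf_check(session, params, links):
    """Vulnerable pattern: whatever code arrives is linked to the current user."""
    social_id = exchange_code(params.get("code", ""))
    if social_id is None:
        return False
    links[session["user"]] = social_id
    return True


def callback_with_state_check(session, params, links):
    """Hardened pattern: state must be present, single-use, and equal
    (constant-time compare) to the value minted for this session."""
    expected = session.pop("oauth_state", None)  # single-use: pop, not get
    received = params.get("state")
    if expected is None or received is None:
        return False
    # encode first: compare_digest on str raises on non-ASCII input
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return False
    social_id = exchange_code(params.get("code", ""))
    if social_id is None:
        return False
    links[session["user"]] = social_id
    return True


def parse_query(url):
    return dict(parse_qsl(urlsplit(url).query))


def simulate_attack(handler):
    """A logged-in victim who never started a connect flow is lured to the
    attacker-crafted callback URL (the attacker may even tack on a state
    value from their own session; it cannot match the victim's)."""
    links = {}
    victim_session = {"user": "victim"}
    crafted = ("https://site.example/connect/provider"
               "?code=code-attacker-7f3a&state=attackers-own-state")
    accepted = handler(victim_session, parse_query(crafted), links)
    return accepted, links.get("victim")


def simulate_legitimate():
    """Alice starts the flow herself; the provider echoes her state back."""
    links = {}
    session = {"user": "alice"}
    state = parse_query(start_connect(session))["state"]
    params = {"code": "code-alice-91c0", "state": state}
    accepted = callback_with_state_check(session, params, links)
    return accepted, links.get("alice")


if __name__ == "__main__":
    print("no check:   ", simulate_attack(callback_without_csrf_check))
    print("state check:", simulate_attack(callback_with_state_check))
    print("legitimate: ", simulate_legitimate())
```

With the unchecked handler the victim ends up linked to the attacker’s social account, which from then on lets the attacker sign in as the victim through that provider; with the state check the crafted URL is refused because nothing in the victim’s session vouches for it. Popping the state rather than reading it also makes it single-use, so a captured legitimate callback cannot be replayed.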

November 12, The Register – (International) Jenkins plugs 11 security holes with two updates. Jenkins released versions 1.638 and 1.625.2 of its open source continuous integration server, patching 11 security vulnerabilities including a zero-day in the Jenkins command-line interface (CLI) subsystem; a secret-key flaw that allowed attackers to connect as slaves, take over Jenkins systems, and access private data; and a critical unsafe-deserialization flaw that allowed remote attackers to run arbitrary code on the Jenkins master, among other vulnerabilities. Source

November 12, The Register – (International) Latest Android phones hijacked with tidy one-stop-Chrome-pop. A researcher from Qihoo 360 demonstrated, during the MobilePwn2Own event at the PacSec security conference, a single clean exploit for Google’s Chrome browser on Android that targets its V8 JavaScript engine and, without chaining several vulnerabilities, installs software on the device without user interaction once the user visits a malicious website. Source

November 12, Foster’s Daily Democrat – (New Hampshire) Computer virus infects county dispatch center. The Strafford County chief deputy announced November 12 that computers at the Strafford County Regional Dispatch Center in Dover were infected by the CryptoLocker ransomware, which severely limited the data available to dispatchers and to emergency personnel in the field. Officials were able to isolate the infection and are working on bringing systems back online. Source

November 12, Securityweek – (National) New PoS malware delivered via malicious docs, exploit kit. Researchers from Proofpoint observed the “AbaddonPOS” point-of-sale (PoS) malware being widely distributed with the help of malicious Microsoft Word documents and an exploit kit that first deliver information-stealing threats. Once the malware infects a system, it scans the memory of all running processes for track 1 and track 2 payment-card data. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.