Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On November 19, 2015

November 18, The Register – (International) Blackhole’s back: Hated exploit kit returns from the dead. Researchers from Malwarebytes discovered that the previously extinct Blackhole Exploit Kit has resurfaced. They found an active drive-by download campaign, delivered via compromised websites, that uses the same Adobe Java platform and PDF exploits as the Blackhole Exploit Kit. Although the exploits are old, the kit can still compromise vulnerable computers. Source

November 18, Securityweek – (International) Security flaws in LastPass exposed user passwords. The LastPass security team released patches addressing a series of bugs and design flaws, discovered by two researchers from Salesforce, that could have been used to expose user passwords through attacks against LastPass via various vectors. These include a special disable one-time password (dOTP) that can be used for authentication to access the encrypted vault key and decrypt it, and to bypass IP restrictions and two-factor authentication (2FA), as well as the use of custom_js to inject and execute JavaScript code on login pages of websites. Source

November 17, Securityweek – (International) Adobe issues security fixes for ColdFusion, LiveCycleDS, Premiere Clip. Adobe released a series of updates addressing security vulnerabilities in several of its products: ColdFusion, where the update resolved two input validation issues that may be used in reflected cross-site scripting (XSS) attacks; LiveCycleDS, where it resolved a server-side request forgery vulnerability; and Premiere Clip, a mobile application that allows Apple iOS users to create or edit videos on mobile devices, where it patched an input validation issue. Source

 

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.