January 11, Softpedia – (International) CSRF bug in Verizon’s API left My FiOS accounts open to attacks. Verizon released patches for a cross-site request forgery flaw and a proof-of-concept (PoC) vulnerability in its My FiOS application program interface (API) after an independent security researcher discovered that attackers can access users’ accounts via malicious web pages distributed through email campaigns. Once users open the malicious pages, a password reset command can be triggered. Source
January 11, SecurityWeek – (International) Drupal starts patching update process flaws. Drupal reported its researchers were working to patch a cross-site request forgery (CSRF) vulnerability and an update status vulnerability found in its Content Management System (CMS) product after an IOActive researcher discovered the flaws affected Drupal versions 7 and 8. Source
January 11, SecurityWeek – (International) Juniper to enhance RNG in ScreenOS. Juniper Networks reported January 8 that it will replace the Dual Elliptic Curve Deterministic Random Bit Generator (Dual EC DRBG) technology used in its ScreenOS products with the same random number generation (RNG) technology used in Junos OS products after an investigation revealed that it will be more difficult to plant unauthorized code in the Junos OS products and that they will include a more robust RNG subsystem. Source
January 9, SecurityWeek – (International) US ramps up war on IS propaganda, recruitment. White House officials reported January 8 that the U.S. Department of Justice and DHS formed a new unit called the Countering Violent Extremism Task Force to coordinate U.S. efforts to fight extremist groups such as the Islamic State (IS) domestically, and to support international partners of the U.S. in their programs to neutralize potential extremist activities by preventing radical groups from using the Internet to recruit supporters and preventing the groups from using encrypted technologies to hide their activities. Source
January 9, Softpedia – (National) Star Wars BB-8 toy vulnerable to hacking, nobody cares, the toy is still awesome. Researchers from Pen Test Partners discovered that Sphero’s Internet of Things (IoT) product, the Star Wars BB-8 toy, used with a Microsoft Android app and an Apple iOS app, was vulnerable to firmware update attacks that allow hackers to change the toy’s sound files and control the product due to flawed privacy-intrusive sensors and data collection features that use Hypertext Transfer Protocol (HTTP) systems. Sphero confirmed its researchers were working to patch the flaw. Source
January 8, SecurityWeek – (International) Privilege escalation flaw found in VMware tools. VMware released patches for its performance enhancement tools including 201512102-SG patches for ESXi, version 11.1.2 for Workstation, and version 7.1.2 for Player and Fusion products after a researcher from Secunia Research Team discovered a memory corruption flaw in the Shared Folders (HGFS) feature running on Microsoft Windows products, which allowed attackers to escalate their privileges in the guest operating system. Source
January 8, SecurityWeek – (International) Adobe to release patches for Acrobat, Reader. Adobe reported that it will release patches for Microsoft Windows and Apple Mac versions for its Acrobat and Reader products January 12 resolving critical vulnerabilities with a priority rate of 2 in several of its products. Source
January 8, Help Net Security – (International) EZCast TV streaming stick leaves home networks vulnerable to attack. Researchers from Check Point found a vulnerability in the EZCast TV streaming stick that can enable attackers to take full control of home networks and view information stored on personal networks via brute-force attacks and through a malicious link sent by most messaging services, such as Facebook and Skype. EZCast TV runs on its own Wi-Fi network and can be easily hacked as the network is secured by an 8-digit numeric password. Source
January 8, SecurityWeek – (International) Rogue app store targets non-jailbroken iOS devices. Researchers from Proofpoint reported that a rogue app store called vShare is a DarkSideLoader app store, which allows users to download more than 1 million paid applications for free without having to jailbreak Apple iOS devices via sideloading applications through the use of a fraudulent or stolen enterprise application distribution certificate with application resigning. Once installed, the rogue application may use known or zero-day security vulnerabilities to jailbreak devices or to gain administrative privileges. Source
January 8, SecurityWeek – (International) Cisco targets RIG exploit kit. Researchers from Cisco revealed that an analysis of 44 Internet Protocol (IP) addresses used to disseminate the RIG exploit kit (EK) found them to be linked to the same autonomous system number (ASN) associated with Webzilla and leased to a downstream provider, Russia-based Eurobyte. Webzilla identified and blocked malicious activities from customer hosts. Source
January 7, SecurityWeek – (International) “Spymel” trojan uses stolen certificates to evade detection. Researchers from Zscaler ThreatLabZ discovered the malware dubbed Spymel has been targeting Microsoft Windows XP and Windows 7 systems to steal information from compromised systems and spy on victims by using modules to perform various attacks including logging keystrokes and saving the data to a file, with the malware’s configuration data hardcoded inside the malware executable. Spymel is disseminated via spam emails embedded with an archived JavaScript file that downloads the malware from a remote server and installs it on infected systems. Source