Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On January 14, 2016

January 13, Softpedia – (International) Three XSS bugs found on Mozilla’s add-ons and support portals. Mozilla patched a cross-site scripting (XSS) flaw in its Add-ons portal that was exploitable through the “Create new collection” feature: the collection name field was not properly sanitized, so an attacker could store malicious script in a collection’s name and have it execute for anyone viewing that collection. Mozilla said patches for two further XSS flaws, one in the Add-ons portal and one in the Support Center, are in progress.
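The pattern behind the Add-ons portal bug above is a stored XSS through a user-controlled name field. The following is an added illustration, not Mozilla’s code: a minimal page template that interpolates a collection name unescaped, beside the same template with HTML output encoding, plus a crude check used only to show the difference. The template, the function names and the sample collection are assumptions constructed for the example.

```javascript
// Added example (not Mozilla's code): stored XSS via an unescaped collection
// name, and the output-encoding fix. Template and names are assumptions.

// Minimal HTML entity encoder for text placed inside an element body or a
// double-quoted attribute. Covers the five characters that change HTML
// context: & < > " '
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the stored name is concatenated straight into the page, so a
// name like <img src=x onerror=alert(1)> becomes live markup for every viewer.
function renderCollectionVulnerable(collection) {
  return `<h1 class="collection-title">${collection.name}</h1>`;
}

// Hardened: same template, but the untrusted value is encoded for the HTML
// context it lands in (element body here; a URL or script context would need
// a different encoder).
function renderCollectionSafe(collection) {
  return `<h1 class="collection-title">${escapeHtml(collection.name)}</h1>`;
}

// Crude check for the demonstration: does the rendered page contain a tag
// that did not come from the template? Not a substitute for encoding.
function containsInjectedTag(html) {
  const withoutTemplate = html.replace(/<\/?h1[^>]*>/g, "");
  return /<[a-zA-Z!/]/.test(withoutTemplate);
}

// Constructed sample: a collection whose name carries a stored-XSS payload.
const hostileCollection = {
  name: '<img src=x onerror="alert(document.cookie)">',
};

console.log("vulnerable:", renderCollectionVulnerable(hostileCollection));
console.log("hardened:  ", renderCollectionSafe(hostileCollection));
```

Run with `node`: the vulnerable output carries a live `<img>` tag with an `onerror` handler, while the hardened output shows the payload as inert text. Encoding must match the context the value lands in; an attribute, a URL, or inline script each needs its own encoder.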

January 13, Help Net Security – (International) Fortinet says backdoor found in FortiOS is “a management authentication issue.” Fortinet stated that the recently publicized secure shell (SSH) backdoor in FortiOS, its network appliance operating system, was not a deliberate backdoor but a “management authentication issue”: the company’s own engineers had implemented a custom authentication method for management logins to FortiOS-powered devices. Whatever the label, an undocumented authentication path is usable by anyone who learns of it, so affected devices should be updated to a fixed release.

January 13, SecurityWeek – (International) SAP security updates patch 23 vulnerabilities. SAP released security updates for its products resolving 23 vulnerabilities, 3 of them delivered as Support Package notes. The patched flaws include cross-site scripting (XSS), information disclosure, and denial-of-service issues, among others.

January 13, SecurityWeek – (International) IoT devices easily hacked to be backdoors: Experiment. Researchers at Vectra Networks reported that commercial Internet of Things (IoT) products, including Wi-Fi cameras, contain security flaws that let an attacker reprogram the device’s firmware and use it as a persistent network backdoor, without disrupting the device’s normal operation and therefore without alerting its owner.

January 13, SecurityWeek – (International) Android banking trojan “SlemBunk” targets users worldwide. Researchers at FireEye found that the SlemBunk banking trojan now uses a longer infection chain that makes it harder to detect and more persistent on a victim’s device. A drive-by download serves the SlemBunk dropper app; the dropper unpacks and installs a downloader; the downloader then contacts a configurable command and control (C&C) server and retrieves the final payload through an in-app download.


Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.