February 19, Softpedia – (International) JSF*** eBay XSS bug exploited in the wild, despite the company’s fix. Security researchers from Check Point discovered that eBay’s platform was susceptible to a JSF*** cross-site scripting (XSS) attack that was exploited in the wild. The flaw allowed attackers to convert the site’s JavaScript syntax into the JSF*** non-standard character set, disguise the code so that it passed through eBay’s XSS filters, and store the character set in the product’s description. The malicious code then executed and infected a system once the victim opened the eBay store.
February 19, SecurityWeek – (International) Google pays $25,000 reward for critical Chrome flaw. Google released an updated version of its Chrome web browser for Microsoft Windows, Apple Mac, and Linux systems after a security researcher found a flaw in the Blink web browser engine and a Chrome sandbox escape.
February 18, SecurityWeek – (International) “Locky” ransomware encrypts unmapped network shares. Security researchers from BleepingComputer discovered that a new ransomware named Locky uses the Advanced Encryption Standard (AES) encryption algorithm to target certain file extensions after it creates and assigns a unique 16-digit hexadecimal number to a victim’s computer and scans all unmapped network shares and drives for files to encrypt. The ransomware renames encrypted files to [unique_id][identifier].locky and deletes all Shadow Volume Copies to prevent victims from restoring encrypted files.