Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On March 07, 2016

March 4, Softpedia – (International) XSS on Fortinet’s login page let attackers log passwords in cleartext. A security researcher at Synetis found that Fortinet’s Single-Sign-On (SSO) login system contained a reflected cross-site scripting (RXSS) vulnerability that could allow attackers to insert malicious parameters in cleartext inside the login page’s Uniform Resource Locator (URL). Fortinet released a patch for the vulnerability. Source

March 4, SecurityWeek – (International) Adobe to patch flaws in Reader, Acrobat. Adobe Systems reported March 3 that it will be releasing security updates March 8 to patch critical vulnerabilities in Microsoft Windows and Apple Mac versions of Acrobat and Reader. Source

March 3, SecurityWeek – (International) Chrome 49 released with 26 security fixes. Google released Chrome 49 to the stable channel for Microsoft Windows, Apple Mac, and Linux systems, containing 26 security fixes and several other improvements including fixes for a same-origin bypass flaw in Blink, a same-origin bypass flaw in Pepper Plugin, and an information leak flaw in Skia, among other vulnerabilities. Source

March 3, Softpedia – (International) Building automation software exposes company headquarters to attacks. Schneider Electric released version 1.7.1 of its Automation Server software, patching two issues, after an independent security researcher discovered that default hard-coded credentials in Automation Server 1.7.0 and prior versions could be used by unskilled remote attackers to gain control of stand-alone servers installed in company headquarters, allowing them to take control of a building’s energy supply, cut off an alarm system, and facilitate trespassing. The researcher also found that, using the same default hard-coded credentials, attackers could circumvent the Linux operating system’s administrative controls and execute malicious code on the server. Source


Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.