March 8, Help Net Security – (International) Google plugs 19 holes in newest Android security update. Google released fixes for 19 security issues in its Android Open Source Project (AOSP) after the company’s security researchers found two remote code execution (RCE) vulnerabilities in Mediaserver that can be leveraged via a specially crafted file, as well as a critical elevation of privileges flaw in the Qualcomm performance component that can enable a local malicious application to execute arbitrary code in the kernel, among other vulnerabilities. Source
March 8, SecurityWeek – (International) Facebook password reset flaw earns researchers $15,000. An independent researcher from India discovered a brute-force vulnerability in Facebook’s beta.facebook.com domain that could allow an attacker to change user account passwords by easily finding the six-digit code sent to customers requesting a password reset via email or text message. Facebook patched the vulnerability February 23. Source
March 7, Softpedia – (International) Intel fixes McAfee bug that allowed attackers to disable antivirus protection. Intel Security released version SB10151 for its McAfee Enterprise antivirus program after a security researcher from Mediaservice found attackers could bypass the administration password and unlock the safe registry keys in the McAfee VirusScan Enterprise engine due to the feature’s improper implementation. Source
March 7, SecurityWeek – (International) Multiple passcode bypass vulnerabilities discovered in iOS 9. Researchers from Vulnerability Lab reported that Apple’s iOS versions 9.0, 9.1, and 9.2.1 contain several connected passcode bypass vulnerabilities that affect iPhone 5, 5s, 6, and 6s, as well as iPad mini, iPad 1 and iPad 2 products. The vulnerabilities can allow an attacker to access a device and compromise sensitive user data, including address books, photos, short message service (SMS), multimedia messaging service (MMS), emails, and phone settings, among other data. Source
March 7, U.S. Securities and Exchange Commission – (Rhode Island) SEC charges Rhode Island agency and Wells Fargo with fraud in 38 Studios bond offering. The U.S. Securities and Exchange Commission charged Rhode Island Economic Development Corporation (RIEDC), two former executives, Wells Fargo Securities, and a former lead banker March 7 for defrauding investors in a $75 million municipal bond offering to finance 38 Studios, a startup video game company, after RIEDC allegedly loaned the startup only $50 million in bond proceeds and used the remaining proceeds to pay related bond offering expenses and establish other funds. RIEDC and Wells Fargo reportedly failed to disclose to investors that 38 Studios faced a funding shortage and could not produce the video game, causing the company to default on the loan, and failed to disclose that Wells Fargo had a side deal with 38 Studios which enabled the firm to receive additional compensation. Source