April 5, SecurityWeek – (International) Researchers bypass patch for old IBM Java flaw. The founder and chief executive officer (CEO) of Security Explorations reported that a sandbox escape vulnerability in IBM Java, which was previously patched in 2013, could still be exploited by attackers after discovering the flaw could be abused by making minor modifications to the proof-of-concept (PoC) code published by the company in July 2013. A patch has yet to be released, but IBM was working to release a fix. Source
April 4, The Register – (International) Top Firefox extensions can hide silent malware using easy pre-fab tool. Two U.S. security researchers at the Black Hat Asia 2016 security conference reported that Mozilla’s Firefox extensions were open to attacks that can compromise machines and pass automated and human security tests by reusing attack exploit weaknesses in the structure of Firefox extensions to disguise malicious activity as legitimate functionality. Source
April 4, SecurityWeek – (International) Path traversal flaw found in ICONICS WebHMI. A German researcher discovered that ICONICS’ WebHMI product was plagued with a directory traversal flaw that could allow a remote attacker to access configuration files that stored password hashes and other information by sending a request to a vulnerable WebHMI product via the Internet. ICONICs have not released a patch and advised users to avoid exposing the product to the Internet. Source
April 4, IDG News Service – (International) HTTP compression continues to put encrypted communications at risk. Security researchers from the National Technical University of Athens reported at the Black Hat Asia 2016 security conference that they made improvements to the Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attack to make it practical for hacking Transport Layer Security (TLS) block ciphers such as Advanced Encryption Standard (AES) by intercepting a victim’s Web traffic through a router connected to a wireless network. Source
April 4, Softpedia – (International) Chrome extension caught hijacking users’ browsers. Google reported that it banned the Better History Chrome extension from its Web Store after users reported that the extensions redirected them to click on a Hypertext Transfer Protocol (HTTP) link that lead to an extra Web page showing several types of advertisements. The extra Web page collected analytics on users which could be later used to sell online to advertisers. Source
April 4, Softpedia – (International) Google fixes another 40 security bugs in Android’s April update. Google released an Android Security Advisory patching 40 security flaws including 15 critical bugs in Android devices running versions 4.4.4 and higher, that could have allowed an attacker to root and permanently compromise the device. In addition, multiple remote code execution (RCE) flaws were patched in Dynamic Host Configuration Protocol Client Daemon (DHCPCD) service, Media Codec, Mediaserver component, and the libstagefright library, among other patched vulnerabilities. Source
April 4, SecurityWeek – (International) iOS app patching tool “rollout” prone to abuse. Security researchers from FireEye reported that another quick-patching solution, Rollout.io, used for Apple’s iOS applications and runs on 35 million devices could be abused by malicious hackers to integrate a malicious third-party ad software development kit (SDK) into a legitimate app and potentially turn harmless iOS apps into malware. Source