Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On April 15, 2016

April 14, SecurityWeek – (International) Google patches serious account recovery vulnerability. Google released patches addressing several vulnerabilities in its account recovery process after a researcher named “Ramzes” found that attackers could change a user’s password and hijack the user’s account. The attack executed arbitrary code in the context of a help article by specifying an attacker-controlled page in an unsanitized Uniform Resource Locator (URL) parameter, and could have been exploited when a user activated the account recovery process on google.com. Source

April 14, SecurityWeek – (International) White House announces commission on enhancing national cybersecurity. White House officials announced April 13 that a new non-partisan commission, the Commission on Enhancing National Cybersecurity, will help gather input from subject matter experts (SMEs) for the Federal government and the private sector to strengthen cybersecurity awareness, protect privacy, and ensure public safety and economic and national security. It will also encourage the public to better control their digital security by recommending actionable steps each party can implement. The commission is expected to report its findings to the White House by December 2016. Source

April 13, SecurityWeek – (International) SAP patches XSS, DoS vulnerabilities. SAP released patches for several of its products, addressing five cross-site scripting (XSS) issues, four denial of service (DoS) vulnerabilities, three missing authorization check flaws, and one remote code execution (RCE) vulnerability, among other flaws. Customers were advised to apply the new updates to patch the vulnerabilities and prevent business risks in their SAP systems. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.