Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On May 16, 2016

May 12, SecurityWeek – (International) Adobe patches Flash zero-day exploited in the wild. Adobe updated its Flash Player for Microsoft Windows, Apple Mac, and Linux, addressing 25 vulnerabilities, including type confusion, use-after-free, buffer overflow, directory search path, and various memory corruption vulnerabilities that can lead to arbitrary code execution, as well as a zero-day that has been exploited in the wild. Source

May 12, Softpedia – (International) 7-Zip 16.0 released to fix gaping security hole. The 7-Zip project released version 16.0 of its open-source (de)compression software, patching two critical vulnerabilities discovered by Cisco’s Talos team: a heap overflow vulnerability and an out-of-bounds read vulnerability, both due to an issue with how the 7-Zip client handles Universal Disk Format (UDF) files. Attackers can create a booby-trapped 7-Zip archive containing a malicious file; the attack is initiated when a client unzips it. Source

May 12, Network World – (National) DHS inspector general lambasts TSA’s IT security flaws. The DHS Office of Inspector General released a report the week of May 9 following a review of the Transportation Security Administration’s (TSA) Security Technology Integrated Program (STIP) and its Information Technology (IT) department, which found several security issues including unpatched software, inadequate contractor oversight, physical security, and inadequate vulnerability reporting, among other issues. The TSA stated that it is addressing the recommendations made in the report, and has developed a Cybersecurity Statement of Objective in order to bring legacy transportation security equipment into compliance with IT security controls mandated by DHS. Source

Reprinted from the USDHS Daily Open Source Infrastructure Report

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.