Weekly Cyber and PHP Security News

As we edge closer to the release of ionCube24 we have continued to look at cyber security and vulnerabilities reported in the past week. This week you will find out about Google password alert weaknesses, various patched vulnerabilities in Safari and an article concerning PHP which is of special interest to us as we prepare to launch our latest PHP Security solution.

 

General

• Advisory: Filezilla FTP server is vulnerable to FTP PORT bounce
• Bugtraq: CSRF/XSS In Manage Engine Asset Explorer – CSRF/XSS In Manage Engine Asset Explorer
• CSRF/XSS In Manage Engine Asset Explorer
• Google Forced To Update Password Alert After ‘Embarrassing’ Weaknesses Exposed (Forbes) 
• Harbortouch is Latest POS Vendor Breach
• Hard Rock Hotel & Casino suffers data breach
• Lenovo Patches Critical ‘System Update’ Vulnerabilities
• Lenovo system update flaws plugged, security world not impressed (The Register)
• Major London rail station reveals signal system passwords during TV documentary (The Register)
• More serious security flaws found in Lenovo computers (ZDNet) 
• Apple Updates Safari to Patch Several Vulnerabilities (SecurityWeek) –
• Fake privacy gadgets, from Anonabox to Sever: Fighting a strange and profitable epidemic (ZDNet) –
• Google Report Unmasks Ad Injection Economy
• Hard Rock Hotel Casino reports possible credit card security breach (Yahoo Security) –
• Microsoft to KILL OFF PATCH TUESDAY (The Register) –
• Attackers Used CareerBuilder to Send Malicious Resumes to Victims: Proofpoint (SecurityWeek) –
• Carders crack Hard Rock casino (The Register) –
• FAA: Software bug impacts Boeing 787 electrical power (SC Magazine) –
• French lawmakers approve new sweeping spying powers (ZDNet) –
• Harbortouch reveals malware was installed on merchant POS systems (SC Magazine) –
• More Uber Accounts Have Been Hacked, This Time in the United States
• NSA-restraining US law edges closer to reality, leaves just 6.81 billion under mass surveillance (The Register) –
• Possible payment card breach at Hard Rock Hotel Casino Las Vegas (SC Magazine) –
• Programmer Convicted in Bizarre Goldman Sachs CaseAgain (WIRED) –
• Sally Beauty Investigating Possible Data Breach (SecurityWeek) –
• Super secretive malware wipes hard drive to prevent analysis (ArsTechnica) –
• Warning: Uber may have been hacked change your password immediately (Yahoo Security) –

Some ideas are good, but because you can does it mean you should?

• Samsung and Samsonite join forces to develop luggage of the future (Yahoo Security) –

An anti-virus tool as a bypass bug

• [SYSS-2015-017] BullGuard Internet Security – Authentication Bypass
• [SYSS-2015-018] BullGuard Premium Protection – Authentication Bypass
• [SYSS-2015-019] BullGuard Antivirus – Authentication Bypass

 

Malware

 

A disturbing change in approach to malware:

• Mumblehard Malware Infects Thousands of Linux and FreeBSD Servers (Reddit) 
• New ‘Rombertik’ malware destroys master boot record if analysis function detected (SC Magazine) –
• ‘Rombertik’ malware kills host computers if you attempt a cure (The Register) 
• Dyre Banking Trojan Counts Processor Cores to Detect Sandboxes (SecurityWeek) 
• Dyre Trojan Adds New Sandbox-Evasion Feature (Dark Reading) 
• Koler ransomware variant targets Android users in Canada (SC Magazine) 
• Rombertik Strike at MBR Latest in Long Line of Malware Self-Defense Tactics

PHP Security

• PHP hash comparison, you might be doing it wrong. (Reddit) –

 

Web Server

• Vuln: ownCloud CVE-2015-3013 Security Bypass Vulnerability – ownCloud CVE-2015-3013 Security Bypass Vulnerability
• [SECURITY] [DSA 3244-1] owncloud security update
• [SECURITY] [DSA 3249-1] jqueryui security update
• [ MDVSA-2015:228 ] nodejs

WordPress

A bit of a nightmare for WordPress site owners this week:

• Actively exploited WordPress bug puts millions of sites at risk (ArsTechnica) –
• Arbitrary Variable Overwrite in eShop WordPress Plugin
• Attackers Actively Exploiting Flaw That Exposes Millions of WordPress Sites (SecurityWeek) –
• Attackers target new XSS in millions of WordPress sites (The Register) –
• Bugtraq: Arbitrary Variable Overwrite in eShop WordPress Plugin – Arbitrary Variable Overwrite in eShop WordPress Plugin
• Bugtraq: CSRF/XSS In Ad_Button WordPress – CSRF/XSS In Ad_Button WordPress
• Bugtraq: CSRF/XSS In ClickBank ads WordPress Plugin – CSRF/XSS In ClickBank ads WordPress Plugin
• Bugtraq: CSRF/XSS in embed-articles WordPress Plugin – CSRF/XSS in embed-articles WordPress Plugin
• Bugtraq: CSRF/XSS In Ultimate Profile Builder by CMSLive WordPress Plugin – CSRF/XSS In Ultimate Profile Builder by CMSLive WordPress Plugin
• Bugtraq: CSRF/XSSIn Ad_InSerter WordPress – CSRF/XSSIn Ad_InSerter WordPress
• Bugtraq: WordPress Twenty Fifteen Theme – DOM XSS Vulnerability – CVE-2015-3429 – WordPress Twenty Fifteen Theme – DOM XSS Vulnerability – CVE-2015-3429
• Bugtraq: [SECURITY] [DSA 3250-1] wordpress security update – [SECURITY] [DSA 3250-1] wordpress security update
• CSRF/XSS In Ad_Button WordPress
• CSRF/XSS In ClickBank ads WordPress Plugin
• CSRF/XSS In Embed ArticlesWordpress Plugin
• CSRF/XSS in embed-articles WordPress Plugin
• CSRF/XSS In Ultimate Profile Builder by CMSLive WordPress Plugin
• CSRF/XSSIn Ad_InSerter WordPress
• Vulnerability identified in eShop WordPress plugin (SC Magazine) 
• WordPress Twenty Fifteen Theme – DOM XSS Vulnerability – CVE-2015-3429
• [SECURITY] [DSA 3250-1] wordpress security update

Drupal

And not to be left out, Drupal has one too!

• Vuln: Drupal Views Module Access Bypass Vulnerability – Drupal Views Module Access Bypass Vulnerability