Microsoft Internet Explorer and Edge are prone to a remote memory-corruption vulnerability due to a use-after-free error. Specifically, this issue occurs within the 'CAnchor' object. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions. Internet Explorer 11 and Edge are vulnerable.
tags: Microsoft Internet Explorer 11 vulnerability, Microsoft Edge vulnerability, CVE-2016-3289, BSOD
Samsung will recall Galaxy Note 7 because of exploding batteries. This recall affects over 2.5 million units. Samsung issued the following statement.
In response to recently reported cases of the new Galaxy Note 7, we conducted a thorough investigation and found a battery cell issue. To date (as of September 1) there have been 35 cases that have been reported globally and we are currently conducting a thorough inspection with our suppliers to identify possible affected batteries in the market. However, because our customers’ safety is an absolute priority at Samsung, we have stopped sales of the Galaxy Note 7. For customers who already have Galaxy Note 7 devices, we will voluntarily replace their current device with a new one over the coming weeks.
tags: Samsung Galaxy Note 7 Recall, Galaxy Note 7 exploding batteries, Samsung
President Obama has announced the first Chief Information Security Officer to drive cybersecurity policy, planning, and implementation across the Government. Brigadier General Gregory J. Touhill is currently the Deputy Assistant Secretary for Cybersecurity and Communications in the Office of Cybersecurity and Communications (CS&C) at the Department of Homeland Security (DHS). In his new role as Federal CISO, Greg will leverage his considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices, capabilities, and human capital training, development and retention strategies.
tags: Federal Chief Information Security Officer, CISO, Brigadier General Gregory J. Touhill
Under a plan being considered at the White House, officials said U.S. Cyber Command would become what the military calls a "unified command" equal to combat branches of the military. Cyber Command would be separated from the National Security Agency, a spy agency responsible for electronic eavesdropping, providing Cyber Command leaders a larger voice in arguing for the use of both offensive and defensive cyber tools in future conflicts.
tags: President Barack Obama, National Security Agency NSA, U.S. Cyber Command plan
The new version of ISO 9001 follows a new, higher-level structure to make it easier to use in conjunction with other management system standards, with increased importance given to risk. ISO 9000:2015, which defines the concepts and language used throughout the ISO 9000 family of standards, has also been released. ISO certification bodies have three years to migrate certificates to the new ISO 9001:2015 version. These Quality Management Training Courses can help you manage and improve your business.
Apple announced it will open a bug bounty program, inviting security researchers to test a number of its systems and find vulnerabilities. The company will pay bug hunters upwards of $200,000 for certain critical flaws. Apple will officially launch the program in September 2016.
The program will have five categories of risk and reward.
• Vulnerabilities in secure boot firmware components: Up to $200,000
• Vulnerabilities that allow extraction of confidential material from Secure Enclave: Up to $100,000
• Executions of arbitrary or malicious code with kernel privileges: Up to $50,000
• Access to iCloud account data on Apple servers: Up to $50,000
• Access from a sandboxed process to user data outside the sandbox: Up to $25,000
tags: Apple, Apple Bug Bounty, Black Hat, iOS
A DLL hijacking vulnerability is present in the VMware Tools Shared Folders (HGFS) feature running on Microsoft Windows. Exploitation of this issue may lead to arbitrary code execution with the privileges of the victim. There are no known workarounds for this issue.
tags: VMware Tools, Windows, vCenter Server, ESXi, HTTP header injection
Ranscam deletes computer files and then demands a ransom to restore them, or else it will delete them. Yes, in that order. Ranscam further underscores the importance of having a sound, offline backup strategy in place rather than a sound ransom payout strategy.
tags: Ranscam, Cisco Talos, Crypto-ransomware, malware, ransomware
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2016-4171 exists in the wild, and is being used in limited, targeted attacks.
tags: Adobe, Flash Player critical vulnerabilities, CVE-2016-4171, APSB16-18, Windows, Macintosh, Linux, ChromeOS
The Symantec Anti-Virus Engine is susceptible to a memory access violation. The most common symptom of a successful attack is a Blue Screen of Death (BSOD).
tags: Symantec, Symantec Anti-Virus Engine, 2018.104.22.168, CVE-2016-2208
A report published by the House Committee on Science, Space and Technology found that hackers purported to be from China had compromised computers at the Federal Deposit Insurance Corporation repeatedly between 2010 and 2013. Backdoor malware was installed on 12 workstations and 10 servers by attackers, including the workstations of the chairman, chief of staff, and general counsel of the FDIC. But the incidents were never reported to the US Computer Emergency Response Team (US-CERT) or other authorities and were only brought to light after an Inspector General investigation into another serious data breach at the FDIC in October of 2015.
tags: FDIC, Federal Deposit Insurance Corporation, House Committee on Science, Space and Technology, hacking, backdoor malware
On May 30, 2016, Omni Hotels and Resorts discovered they were the victim of malware attacks on their network affecting specific point of sale systems on-site at some Omni properties. The malware was designed to collect certain payment card information, including cardholder name, credit/debit card number, security code and expiration date.
tags: Omni Hotels and Resorts, data breach, credit/debit card numbers, malware
A Chinese businessman who pleaded guilty in March to conspiring to hack into the computer networks of Boeing and other major U.S. defense contractors was sentenced to nearly four years in prison. The offender worked in conjunction with Chinese military hackers from the People’s Liberation Army Air Force to steal designs for cutting-edge military aircraft that are indispensable to our national defense.
tags: Chinese hacker, C-17 military transport plane, F-22 and F-35 fighter jets, Boeing
Apps on Google Play carry Viking Horde, a new malware family that makes Android devices send out spam, send SMS messages to premium-rate numbers, download additional malicious apps, and participate in DDoS attacks as part of a botnet that uses proxied IP addresses. Viking Horde has passed through Google Play scans undetected.
tags: Google, Google Play Apps, Viking Horde Malware, Viking Jump Botnet
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and ChromeOS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
tags: Adobe, Adobe Flash Player, Adobe PDF Reader, Adobe Cold Fusion, APSB16-15, CVE-2016-4117
Wendy’s investigation into a credit card breach at the nationwide fast-food chain uncovered malicious software on point-of-sale systems at fewer than 300 of the 5,500 franchised stores.
tags: Wendy's credit card breach
Microsoft Internet Explorer and Edge are prone to a remote memory-corruption vulnerability. Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted web page. Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial of service conditions. The following products are vulnerable: Internet Explorer 9, 10, and 11, and Edge. Author: Google Security Research (MS16-023)
• Run all software as a nonprivileged user with minimal access rights. To reduce the impact of latent vulnerabilities, always run non-administrative software as an unprivileged user with minimal access rights.
• Deploy network intrusion detection systems (NIDS) to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic, which may indicate exploit attempts or activity that results from successful exploits.
• Do not follow links provided by unknown or untrusted sources. Web users should be cautious about following links to sites that are provided by unfamiliar or suspicious sources.
• Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users.
• Implement multiple redundant layers of security.
Note: Memory-protection schemes (such as non-executable stack and heap configurations and randomly mapped memory segments) will complicate exploits of memory-corruption vulnerabilities.
View the Exploit Database CVE-2016-0111 Vulnerability.
tags: Microsoft, Microsoft Internet Explorer Vulnerability, Microsoft Edge, CVE-2016-0111, MS16-023
Apr 7, 2016
A remote user can cause arbitrary code to be executed on the target system via Adobe Flash Player. Adobe categorizes this as a critical vulnerability. Platforms: Windows, Macintosh, Linux and Chrome OS. A critical vulnerability (CVE-2016-1019) exists in Adobe Flash Player 22.214.171.124 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system: a remote user can create specially crafted content that, when loaded by the target user, will execute arbitrary code on the target user's system. This vulnerability is being actively exploited against Windows 7 and Windows XP systems running version 126.96.36.1996 and prior versions. Adobe is planning to provide a security update to address this vulnerability on April 7, 2016.
(Adobe Flash Player Vulnerability: APSA16-01)
View the Adobe Flash Player CVE-2016-1019 Vulnerability.
tags: Adobe, Adobe Flash Player Vulnerability, CVE-2016-1019, 188.8.131.52, APSA16-01
Apr 6, 2016
Apple has released a security update for Apple TV to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected device. Users and administrators should review the Apple security update for Apple TV 7.2.1 (3rd generation) and apply the necessary update.
This security update addresses multiple CVE numbers. View the Apple TV 7.2.1 CVE Details.
tags: Apple TV, Apple, Apple TV 7.2.1, 3rd Generation Apple TV
Feb 25, 2016
The Mozilla Foundation has released security updates to address vulnerabilities in Firefox and Firefox ESR. Same origin policy violation found when using Service Workers with plugins. Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file. Plugins which make security decisions based on the content of network requests can have these decisions subverted if a service worker forges responses to those requests.
View the CVE Details.
tags: Mozilla, Firefox, CVE-2016-1949, Firefox ESR
Feb 13, 2016
Two-pronged wall plugs may break and cause an electric shock.
Apple has determined that, in very rare cases, the two-prong Apple AC wall plug adapters designed for use in Continental Europe, Australia, New Zealand, Korea, Argentina and Brazil may break and create a risk of electrical shock if touched. These wall plug adapters shipped from 2003 to 2015 with Mac and certain iOS devices, and were also included in the Apple World Travel Adapter Kit.
Other wall plug adapters, including those designed for Canada, China, Hong Kong, Japan, the United Kingdom, and the United States, and Apple USB power adapters are not affected by this program. Learn more by visiting Apple.com.
For any additional questions, you may also schedule a call with Apple Support.
tags: apple recall, apple ac wall plug adapters, mac, ipad, iphone, ipod
Toyota Motor Sales, USA, Inc. today announced that it is conducting a safety recall of approximately 5,000 Model Year 2016 Lexus RX 350 and RX 450h vehicles.
The involved vehicles are equipped with a driver’s knee airbag module that may not have been properly manufactured. This could affect the performance of the airbag and increase the risk of injury in a crash. Owners of the involved Lexus vehicles will be notified by first class mail. Lexus dealers will inspect and if necessary replace the driver’s knee airbag assembly free of charge. Customers should check their vehicle’s status by visiting Toyota Recalls and entering the Vehicle Identification Number (VIN).
For any additional questions, customer support is also available by calling Lexus Customer Service at 1-800-255-3987 or 1-800-331-4331. Read more at Toyota Newsroom.
tags: lexus recall, 2016 lexus rx 350, 2016 lexus rx hybrid
A vulnerability could allow an unauthenticated, remote attacker to bypass security restrictions.
A vulnerability in the proxy engine of the Cisco Web Security Appliance (WSA) could allow an unauthenticated, remote attacker to bypass security restrictions. The vulnerability is due to improper handling of malformed HTTP methods. An attacker could exploit this vulnerability by crafting an improper HTTP method. A successful exploit could allow the attacker to circumvent WSA functionality that prevents proxied network traffic. Cisco released software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability. View the CVE Details.
tags: Cisco, Web Security Appliance (wsa), CVE-2016-1296, malformed http
Jan 22, 2016
Office Depot recalls approximately 300,000 executive chairs due to fall hazard
This recall involves Crawley II Executive High-Back Chairs (Office Depot SKU #493822 or OfficeMax item #23324118) sold on or before September 4, 2015. The seat plate weld at the gas lift mounting hole can break, posing a potential fall hazard to consumers.
Customers should stop using the chair immediately and contact the Office Depot Recall Hotline at (855) 743-7701 Monday through Friday, 8 a.m. to 8 p.m. EST to obtain a free replacement seat plate that consumers can install at home. Read more at Office Depot.
tags: office depot recall, officemax recall, crawley II executive high-back chairs, #16-069, #493822, #23324118
Multiple vulnerabilities were reported in Google Android. A remote user can create a specially crafted file that, when loaded by the media server, will trigger a memory corruption error and execute arbitrary code [CVE-2015-6636]. The code will run with the privileges of the mediaserver process. An application can cause denial of service conditions on the target system, and a remote user can obtain potentially sensitive information, obtain elevated privileges, and execute arbitrary code on the target system.
tags: Google Android, Google Android vulnerabilities, CVE-2015-6636, Google
Jan 6, 2016
Multiple vulnerabilities were reported in Wireshark. A remote user can send specially crafted data to cause the target dissector or parser to crash, or to cause the target AllJoyn dissector to enter an infinite loop. Versions 1.12.x are affected. View the CVE Details.
tags: wireshark, wireshark vulnerabilities, CVE wnpa-sec-2015-31, google
Dec 31, 2015
Adobe Flash Player vulnerabilities could allow an attacker to take control of the affected system. Adobe has released security updates for Adobe Flash Player. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe is aware of a report that an exploit for CVE-2015-8651 is being used in limited, targeted attacks. View the Adobe Security Bulletin.
tags: adobe flash player, adobe vulnerabilities, APSB16-01, adobe
Dec 29, 2015
Martha Stewart Collection Stainless Steel Cookware Set recalled due to possible consumer injury.
(Recall number: 16-067)
This recall involves the Martha Stewart Collection 10-piece stainless steel cookware sets, which include an 8-inch and a 10-inch stainless steel frying pan. The frying pans have two rivets that attach the frying pan to the handle. The rivets have stainless steel discs on top of them. Other items included in the cookware sets are a 1-quart covered saucepan, 2-quart covered sauce pan, 3-quart covered saucepan and 6-quart covered stockpot. The recall affects only the two frying pans.
Consumers should immediately stop using the 8 and 10-inch frying pans from the cookware set. The other items from the cookware set are not affected by this recall. Consumers who purchased the cookware sets from Macy’s or macys.com should return the frying pans to Macy’s or Macys.com for a store credit for the full value of the two frying pans. Consumers may also contact Macy’s toll-free at 888-257-5949 from 10 a.m. to 10 p.m. ET Sunday through Saturday or online at www.Macys.com. Read more at Macy’s Martha Stewart Cookware Recall.
tags: martha stewart recall, martha stewart stainless steel cookware, macys recall, recall #16-067
Google Chrome versions before 47.0.2526.106 allow remote attackers to execute arbitrary code or cause a denial of service. The MIDI subsystem in Google Chrome before 47.0.2526.106 does not properly handle the sending of data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors, related to midi_manager.cc, midi_manager_alsa.cc, and midi_manager_mac.cc; this is a different vulnerability than CVE-2015-8664. View the CVE Details.
tags: google chrome, google chrome vulnerabilities, CVE-2015-6792, google
Dec 24, 2015
Bellisio Foods, Inc., a Jackson, Ohio establishment, is recalling approximately 285,264 pounds of boneless pork rib shaped patty frozen entree products that may be adulterated with extraneous materials.
(Recall number: 149-2015)
The Boston Market Boneless Pork Rib Shaped Patty with BBQ Sauce and Mashed Potatoes frozen entree items were produced on various dates between Sept. 09, 2015, and Dec. 14, 2015. The products subject to recall bear establishment number “EST. 18297” on the end panel of the package. These items were shipped to retail locations nationwide. (14-oz. boxed packages containing “Boston Market Home Style Meals Boneless Pork Rib Shaped Patty with BBQ Sauce and Mashed Potatoes” with Use By dates 09/09/2016; 09/22/2016; 10/08/2016; 10/30/2016; and 12/14/2016)
Read more at www.cpsc.gov. Consumers with questions about the recall can contact Consumer Relations at 855-871-9977.
tags: bellisio foods recall, consumer warnings, cpsc, boneless pork rib frozen entree, recall #149-2015
The U.S. Consumer Product Safety Commission (CPSC) and Home Depot are warning consumers that 28 different recalled products continued to be sold by Home Depot after they were recalled. (Recall number: 16-039)
The CPSC says this involves about 2,310 units of recalled products, including about 1,300 sold by Home Depot to consumers and 1,010 sent by Home Depot to salvagers or recyclers who could have sold them to consumers. Consumers should stop using the recalled products immediately and contact the recalling firms to receive the remedies listed in the recall, which is either a refund, replacement or repair.
Home Depot can be reached at 800-HOME-DEPOT or 800-466-3337 or online at www.cpsc.gov.
tags: home depot recall, consumer warnings, cpsc, home depot, recall #16-039
The U.S. Department of Agriculture’s Food Safety and Inspection Service (FSIS) announced All American Meats is recalling approximately 167,427 pounds of ground beef products that may be adulterated with E. coli O157:H7.
The problem was discovered on Oct. 30, 2015, when a positive result for E. coli O157:H7 from FSIS’ in-commerce surveillance program testing was traced back to the establishment. There have been no confirmed reports of adverse reactions due to consumption of these products. The products subject to recall bear establishment number “EST. 20420” inside the USDA mark of inspection. These items were shipped to retail locations nationwide. Consumers with questions regarding the recall can contact Mr. Shawn Buchanan at (402) 734-6901.
FSIS News Release: All American Meats - Possible E. Coli Contamination
tags: all american meats, ground beef recall, e. coli contamination, e. coli O157:H7
Nov 2, 2015
Oktoberfest takes a backseat to Volkswagen recall in Europe
Shortly after the German Federal Motor Transport Authority ordered the recall of 2.4 million diesel cars in Germany, Volkswagen announced it would be recalling 8.5 million cars across Europe. Volkswagen said the fix will be free for customers who can enter their car's 17-character VIN (Vehicle Identification Number) through Volkswagen's website to determine if the vehicle has the so-called defeat device.
Message from President and CEO, Michael Horn
VW Jetta TDI (Model Years 2009-2015)
VW Jetta SportWagen TDI (Model Years 2009-2014)
VW Golf TDI (Model Years 2010-2015)
VW Golf SportWagen TDI (Model Year 2015)
VW Beetle TDI and VW Beetle Convertible TDI (Model Years 2012-2015)
VW Passat TDI (Model Years 2012-2015)
tags: volkswagen recall, europe, oktoberfest, volkswagen jetta, 2.0L 4-cylinder tdi
Oct 18, 2015
Food manufacturer General Mills recalled an estimated 1.8 million boxes of its gluten-free Cheerios and Honey Nut Cheerios cereals.
Consumers who would like to request refunds or who have further questions can contact General Mills Consumer Services at 1-800-775-8370.
Press Release: Recall of Cheerios and Honey Nut Cheerios
tags: general mills, cheerios, honey nut cheerios, undeclared allergen, lodi, california
Oct 16, 2015
John Deere Recalls Zero Turn Lawn Mowers Due to Risk of Fire, Serious Injury or Death (Recall Alert) (22 Dec 2015 09:30:00 GMT) This recall involves John Deere models Z445, Z645, Z655, and Z665 zero-turn mowers with serial numbers beginning with 1GXZ, manufactured from August 10, 2015 through September 9, 2015.
Ignite Recalls Kids Straw Tumblers Due to Risk of Ingestion (Tue, 10 Nov 2015 10:30:00 GMT) If a child chews on the drinking straw, small pieces can break off into the child’s mouth, posing a risk of ingestion or aspiration of the small part.
Burley Design Recalls Child Bicycle Trailers Due to Injury Risk (Wed, 28 Oct 2015 12:00:00 GMT) Trailers with black plastic tow bar receivers can separate from the tow bar when they appear to be connected, posing a crash hazard.
LaRose Industries Recalls Peanuts Flying Ace Ride-On Toys Due to Choking Hazard; Sold Exclusively at Target (Tue, 27 Oct 2015 12:00:00 GMT) The gray paint on the water bottles can contain excessive levels of lead, violating the lead paint standard.
Build-A-Bear Recalls Stuffed Animals Due to Choking Hazard (Thu, 22 Oct 2015 11:00:00 GMT) The satin seam of the stuffed animal can open, allowing the stuffing material to be exposed, posing a choking hazard for young children.
Golden Horse Recalls Children’s Denim Pants Due to Choking Hazard; Sold Exclusively at Belk Stores (Tue, 20 Oct 2015 14:30:00 GMT) The zipper pull can detach, posing a choking hazard to young children.
Safety 1st Recalls Décor Wood Highchairs Due to Fall Hazard (Thu, 08 Oct 2015 10:00:00 GMT) A child can remove the highchair tray, posing a fall hazard.
Bexco Expands Recall of DaVinci Brand Cribs Due to Entrapment, Fall and Laceration Hazards (Thu, 01 Oct 2015 13:00:00 GMT) A metal bracket on the DaVinci Reagan, Emily, Jamie and Jenny Lind cribs can break, creating a gap or uneven sleep surface.
Chewbeads Recalls Pacifier Clips Due to Choking Hazard (Tue, 29 Sep 2015 14:00:00 GMT) The "D" ring on the pacifier clip can break, allowing beads to detach, posing a choking hazard.
Rainbow Play Systems Recalls Plastic Yellow Trapeze Rings Due to Fall Hazard; Manufactured by Nylacarb (Thu, 24 Sep 2015 12:00:00 GMT) The rings can unexpectedly crack or break during use, posing a fall hazard to children.
The Land of Nod Recalls Mobiles Due to Entanglement and Strangulation Hazards (Thu, 17 Sep 2015 12:30:00 GMT) The yarn from the sheep figures can unravel, posing an entanglement and strangulation hazard to young children.
Juratoys Recalls Fishing Games Due to Choking Hazard (Thu, 10 Sep 2015 10:00:00 GMT) The plastic worm at the end of the fishing line can separate, and a small magnet inside the worm can fall out. Swallowing multiple magnets can result in serious injury.
IKEA Recalls Crib Mattresses Due to Violation of Federal Flammability Standard (Tue, 08 Sep 2015 11:30:00 GMT) The crib mattresses fail to meet the federal open flame standard for mattresses, posing a fire hazard.
The James Trading Group Recalls Kids Sports Hoodie Due to Strangulation Hazard (Fri, 04 Sep 2015 10:00:00 GMT) The sweatshirt drawstring poses a strangulation hazard to children, as it may entangle or catch on playground slides, vehicle doors, or moving objects.
Sleeping Partners Recalls Moses Basket and Stand Due to Fall Hazard (Wed, 02 Sep 2015 12:00:00 GMT) The Moses basket fails to meet the federal hand held infant carrier standard and the stand fails to meet the bassinet/cradle standard.