Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending May 1, 2015. Covers enterprise, controversies, reports and more.
- The Department of Homeland Security (DHS) has certified the first cybersecurity products ever under the SAFETY Act, a post-9/11 program that provides a level of liability protection to companies that use certain products to enhance their security. Customers that employ FireEye's Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are now protected from lawsuits or claims alleging that the products failed to prevent an act of cyberterrorism, the company said.
- European aviation giant Airbus said it will file a criminal complaint against persons unknown following German media reports that it had become the target of US industrial espionage. The company said in a statement to AFP on Thursday, "(...) in this case, we are alarmed because there is concrete suspicion of industrial espionage." This is likely to further strain already-damaged relations between the US and Germany, following reports that the US National Security Agency (NSA) had tapped into German Chancellor Angela Merkel's mobile phone.
- Less than 24 hours after Google unveiled a Chrome extension that warns when user account passwords get phished, a security researcher devised a drop-dead simple exploit that bypassed it. In an update, Google engineer Drew Hintz said Password Alert has been updated to version 1.4 to prevent the researcher's bypass from working. To install the new version, go to chrome://extensions/, enable Developer mode, and click "Update extensions now".
- WordPress is urging users to update their software after the company fixed a critical cross-site scripting flaw. WordPress this week released version 4.2.1 of its software to address a critical stored cross-site scripting vulnerability. "This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately," WordPress said.
- The debate over whether companies should be forced to build in ways for law enforcement to access communications protected by encryption took a tense turn this week in a congressional hearing. On one side were law enforcement officials, including a high-ranking FBI official. On the other were tech-savvy members of the House Committee on Oversight and Government Reform's Information Technology subcommittee, two of whom hold computer science degrees. "It is clear to me that creating a pathway for decryption only for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), who has a bachelor's in computer science from Stanford University. "You just can't do that."
- Amid all the warnings that attackers will eventually hit commercial airlines, hijacking and compromising planes and causing other dire results, hackers staged a more traditional assault on Ryanair, stealing nearly $5 million from the budget airline's business bank account. The funds, believed to be in the account that the budget airline uses to purchase fuel for its planes, were reportedly transferred electronically to a bank in China.
- Two months after claiming there was "no indication" that confidential information was exposed in a security cock-up, domain name overseer ICANN has admitted it happened on at least 330 occasions. Following an audit of its main customer portal, the organization confirmed what The Register reported at the start of March: that misconfigured Salesforce software had given every user access to every other user's information, including financial projections, launch plans and confidential exchanges.
- AV-Comparatives, one of the world's leading independent testers of anti-virus products, says that it has uncovered that at least one product isn't playing by the rules. Right now, mystery surrounds who the offending vendor might be or the details of what they have done. AV-Comparatives says it suspects another vendor may also be guilty of breaching the rules of the tests, and that it has informed other testing bodies of what it has found so far.
- Kaspersky is rushing to fix a weakness in its anti-virus software that exposes users to the 'FREAK' attack, the downgrade to export-grade RSA cipher suites disclosed earlier this year. The problem was revealed last Sunday by German security blogger and journalist Hanno Böck, who called Kaspersky "extremely irresponsible". Böck said that Kaspersky and other AV products lower the security of websites when they inspect encrypted traffic: the product terminates the site's TLS connection itself, presents the browser with a certificate of its own, and opens a separate TLS connection to the site, but typically implements the client side of that connection less securely than the browser it is standing in for, so a site that would be safe from the browser becomes attackable through the proxy.
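As an added illustration, not code from the article, from Kaspersky, or from Böck's write-up, the Python below parses a TLS ClientHello and ServerHello and flags the export-grade cipher suites FREAK relies on: whether the client side (here, an intercepting proxy) offers them, whether the server selected one, and whether the selected suite was never offered at all, which is what a FREAK-vulnerable client wrongly accepts. The handshake messages are constructed inline; the function names, the suite lists and the minimal record parser (a single complete record, no extensions) are assumptions made for this example.

```python
import struct

# Export-grade cipher suites (values from RFC 2246/4346) that FREAK abuses.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 1, 2


def _handshake_body(record):
    """Strip the 5-byte TLS record header and the 4-byte handshake header.

    Returns (handshake_type, body). Only one complete record is handled."""
    if len(record) < 9 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake message")
    return hs[0], body


def offered_suites(client_hello):
    """Cipher suites a client (or an intercepting proxy) offers, in order."""
    hs_type, b = _handshake_body(client_hello)
    if hs_type != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + b[pos]                 # skip length-prefixed session_id
    cs_len = struct.unpack("!H", b[pos:pos + 2])[0]
    suites = b[pos + 2:pos + 2 + cs_len]
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]


def selected_suite(server_hello):
    """The single cipher suite the server chose."""
    hs_type, b = _handshake_body(server_hello)
    if hs_type != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + b[pos]                 # skip length-prefixed session_id
    return struct.unpack("!H", b[pos:pos + 2])[0]


def audit_handshake(client_hello, server_hello):
    """Findings that indicate an export-grade (FREAK-style) negotiation."""
    offered = offered_suites(client_hello)
    chosen = selected_suite(server_hello)
    findings = []
    weak = [EXPORT_SUITES[s] for s in offered if s in EXPORT_SUITES]
    if weak:
        findings.append("client offers export suites: " + ", ".join(weak))
    if chosen in EXPORT_SUITES:
        findings.append("server selected export suite " + EXPORT_SUITES[chosen])
    if chosen not in offered:
        # The FREAK client bug: accepting a suite the client never offered.
        findings.append("server selected a suite the client did not offer: 0x%04X" % chosen)
    return findings


# --- Constructed sample messages (not real captures) -------------------------
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites, random_bytes=b"\x11" * 32):
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x03" + random_bytes + b"\x00"              # TLS 1.2, random, empty session_id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # suites, null compression only
    return _record(CLIENT_HELLO, body)


def build_server_hello(suite, random_bytes=b"\x22" * 32):
    body = b"\x03\x03" + random_bytes + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(SERVER_HELLO, body)


MODERN = [0xC02F, 0xC030, 0x009C, 0x002F, 0x0035]   # ECDHE/AES-GCM and AES-CBC, no export
LEGACY_PROXY = MODERN + [0x0003, 0x0006, 0x0008]    # a proxy that still advertises export RSA

if __name__ == "__main__":
    # A browser talking directly to the site: nothing to report.
    print(audit_handshake(build_client_hello(MODERN), build_server_hello(0xC02F)))
    # An interception proxy that offers export suites and gets one back.
    print(audit_handshake(build_client_hello(LEGACY_PROXY), build_server_hello(0x0008)))
    # A FREAK downgrade as the client sees it: an export suite it never offered.
    print(audit_handshake(build_client_hello(MODERN), build_server_hello(0x0008)))
```

Run against the ClientHello your browser emits and the one that leaves the machine after the AV proxy rewrites it (a packet capture on the upstream side shows the latter); any export suite in the second list, or a ServerHello the proxy accepts for a suite it never offered, is the weakness described above.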
Blackhat USA announced more accepted talks for the briefings today. Check it out: https://t.co/BYq1AH2yaF
-- mdowd (@mdowd) April 30, 2015