
Zero Day Weekly: Flash patch meltdown, Australia's new nightmare, Netgear strikes back

Notable security news items for the week ending October 16, 2015. Covers enterprise, application and mobile security, reports and more. UPDATED.


Welcome to Zero Day's Week In Security, ZDNet's roundup of notable security news items for the week ending October 16, 2015.

From CNET: US House committee aims to make car hacking illegal "If the House Energy and Commerce Committee has its way, the National Highway Traffic Safety Administration (NHTSA) will spearhead a series of reforms changing how the government deals with recalls, hackers and data collection, as well as compliance with current and future fuel-economy regulations. The committee's draft proposal (PDF), released Wednesday, will drag both automakers and regulators into the 21st century, thanks largely to a number of high-profile debacles in the last few years, including GM's ignition-switch recall and Jeep's Cherokee hacking. The bill would make it illegal to hack a vehicle, with civil penalties up to $100,000 for such an offense."

From ZDNet: All Flash versions vulnerable to remote control attack until next week "In the wake of its monthly patch rollout yesterday, Adobe has announced it is currently working on a new update for Flash to fix a critical vulnerability that is currently being exploited. All current versions of Flash are vulnerable to the exploit that could allow an attacker to take control of the affected machine. "Adobe expects to make an update available during the week of October 19," the company said in its advisory."

From ZDNet: Turnbull's mutual respect campaign to kick off with taking away privacy "This week, Australians will begin to have their telecommunications data retained for warrantless access by police, intelligence organisations, regulation bodies, and anyone else that the Australian attorney-general decides is worthy of access, and that could include private companies."

From PC World: Google, Facebook and peers criticize CISA bill ahead of Senate consideration "A trade group representing Facebook, Google, Yahoo and other tech and communications companies has come down heavily against the Cybersecurity Information Sharing Act of 2015, a controversial bill in the U.S. that is intended to encourage businesses to share information about cyberthreats with the government. The Computer & Communications Industry Association claims that the mechanism CISA prescribes for the sharing of cyberthreat information does not adequately protect users' privacy or put an appropriate limit on the permissible uses of information shared with the government."

From ThreatPost: Netgear Published Patched Firmware for Routers Under Attack "After a pair of very public disclosures in the last two weeks, Netgear published new firmware for vulnerabilities in its routers that have been publicly exploited. Researchers discovered as many as 10,000 routers had been taken over, according to data lifted from one of the command and control servers involved in an attack against a victim investigated by Compass Security Schweiz Ltd., of Switzerland."

From Help Net Security: Wealth of personal data found on used electronics purchased online "Varying amounts and types of residual data have been found on used mobile devices, hard disk drives and solid state drives purchased online from Amazon, eBay and Gazelle.com. Based on an examination of 122 pieces of second-hand equipment, 48 percent of the hard disk drives and solid state drives contained residual data, while thousands of leftover emails, call logs, texts/SMS/IMs, photos and videos were retrieved from 35 percent of the mobile devices."
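The Help Net Security item above reports that nearly half of the second-hand drives still held the previous owner's data. Below is an added example, not code from the roundup or from the cited study, of the kind of check a buyer or reseller can run over a raw disk image before trusting that a drive was wiped: it counts sectors that are not zero-filled and pulls out printable strings that look like e-mail addresses, the sort of residue the study found. The image is constructed inline (a quick-formatted drive with a mailbox fragment left behind); the 512-byte sector size and the 64-byte overlap window are assumptions, and on a real device you would read the raw block device or a dd image instead.

```python
"""Added example (not from the ZDNet roundup or the cited study): check a raw
disk image for residual data after a supposed wipe.

Assumptions: 512-byte sectors; a 64-byte overlap between sectors so that a
string straddling a sector boundary is still found; an e-mail regex as a
cheap stand-in for "recognisable personal data".
"""
import re

SECTOR = 512
OVERLAP = 64
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: a deleted mailbox fragment that survived a quick format.
MAIL_FRAGMENT = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: tax return 2014\r\n"
)


def build_image(wiped, sectors=8):
    """Return a small constructed disk image.

    wiped=True  -> every byte zero, what a proper overwrite leaves behind.
    wiped=False -> zeros except for a mail fragment placed so that it crosses
                   the boundary between sector 3 and sector 4.
    """
    data = bytearray(SECTOR * sectors)
    if not wiped:
        start = SECTOR * 3 + 500  # 12 bytes in sector 3, the rest in sector 4
        data[start:start + len(MAIL_FRAGMENT)] = MAIL_FRAGMENT
    return bytes(data)


def scan_image(image, sector=SECTOR, overlap=OVERLAP):
    """Walk the image sector by sector.

    Returns (total_sectors, nonzero_sectors, set_of_email_like_strings).
    A small tail of the previous sector is prepended to each chunk so that a
    string split across two sectors is still matched; the set de-duplicates
    anything seen twice because of that overlap.
    """
    total = nonzero = 0
    found = set()
    carry = b""
    for off in range(0, len(image), sector):
        chunk = image[off:off + sector]
        total += 1
        if any(chunk):            # at least one non-zero byte in this sector
            nonzero += 1
        buf = carry + chunk
        for m in EMAIL_RE.finditer(buf):
            found.add(m.group().decode("ascii"))
        carry = buf[-overlap:]
    return total, nonzero, found


def looks_wiped(image):
    """True only if no sector contains a non-zero byte."""
    _, nonzero, _ = scan_image(image)
    return nonzero == 0


if __name__ == "__main__":
    for label, img in (("properly wiped", build_image(True)),
                       ("quick-formatted", build_image(False))):
        total, nonzero, emails = scan_image(img)
        print(f"{label}: {nonzero}/{total} sectors hold data; "
              f"wiped={looks_wiped(img)}; addresses={sorted(emails)}")
```

A zero-block count is a coarse signal: a drive whose sectors are all zero has clearly been overwritten, while a non-zero count on a drive that was "erased" means only the filesystem metadata went away and carving will recover files. For SSDs, the flash translation layer can hide blocks from a host-side read, so a clean host-side scan is necessary but not sufficient; the vendor's secure-erase command is the right tool there.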

From ZDNet: Google Apps bolsters account security while Cloud Platform preps for smart apps "On the front end, Google for Work users are being promised bolstered account and identity services security. Google is beefing up its list of supported OpenID Connect (OIDC) identity providers that offer single sign-on access for Software-as-a-Service (SaaS) and custom-built applications deployed on desktop computers and mobile devices."

From Malwarebytes: Angler Exploit Kit Blasts Daily Mail Visitors Via Malvertising "There has been a lot of buzz about the powerful Angler Exploit Kit in recent days. This time it struck on popular British newspaper the Daily Mail which accounts for 156 million monthly visits according to SimilarWeb. The malicious ad would have been displayed to a fraction of its users during the timeframe of the attack which we first caught Friday and was addressed by Monday morning."

From ZDNet: After spike in Windows infections, Microsoft steps in to tackle TeslaCrypt ransomware "Microsoft has released a rescue tool for thousands of Windows machines that were infected in August by file-encrypting ransomware TeslaCrypt. Along with yesterday's 'Patch Tuesday' updates, Microsoft upgraded its malicious software removal tool to tackle TeslaCrypt, or Tescrypt as it calls it."

From ZDNet: All versions of Windows affected by critical security flaw "Microsoft has issued a "critical" patch for every supported version of Windows. The software giant said in its monthly security bulletin as part of its so-called Patch Tuesday that Windows Vista and later, including Windows 10, require patching from a serious remote code execution flaw in Internet Explorer. Microsoft's Edge browser is unaffected by the flaw."

From ZDNet: US says no to encryption law - for now "The US government has decided not to call for new legislation to force tech companies to decode the encrypted communications of their customers - for now at least. With more traditional methods of communication there is usually a way for the service provider to allow police - with a warrant - access to the data. But end-to-end encryption means the only place the message is unscrambled is on the smartphone itself."

From ZDNet: After LogMeIn, LastPass rivals like Dashlane welcome defectors "Late last week, remote access software maker LogMeIn acquired the password management software startup LastPass for $110 million. Immediately after the deal was announced there was an outcry from LastPass users, some of whom say they refused to do business with LogMeIn - a company apparently considered untrustworthy by some due to a history of hiking prices without warning."