Zero Day Weekly: The curse of Anonabox, Apple eschews Rootpipe, Singtel acquires Trustwave, White House breach follies

A collection of notable security news items for the week ending April 10, 2015. Covers enterprise, controversies, application and mobile security, malware, reports and more.


Welcome to Zero Day's Week In Security, our roundup of notable security news items for the week ending April 10, 2015. Covers enterprise, controversies, reports and more.

  • Looks like Apple isn't fixing its Rootpipe privilege escalation problem for anyone except new customers. The Rootpipe bug, which has resided in the Admin framework of OS X since 2011 and can allow a local user to escalate privileges to root, will not be fixed except in the most current release of OS X, Swedish security researcher Emil Kvarnhammar of TrueSec has said. "Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older," Kvarnhammar said in a blog post explaining how he found the security hole.
  • Singtel has inked a deal to acquire a 98 percent equity interest in Trustwave for an estimated US$810 million, as the Singapore carrier looks to beef up its cloud and managed services portfolio. Headquartered in Chicago, Trustwave offers hosted services in threat, vulnerability, and compliance management, and has more than three million business subscribers. According to Singtel, Trustwave will continue to operate independently as a separate business unit after the acquisition has been finalized, but will tap the telco's assets and market presence to expand its portfolio and address market opportunities in the Asia-Pacific region.
  • The US Federal Bureau of Investigation is urging WordPress users to patch plugins for the popular content management system following a spate of ISIS-branded website attacks that exploited WordPress plugins. The warning from the FBI follows a number of website defacements in March that affected US and European organizations, ranging from government to community websites, which were plastered with images and claims that the attackers were linked to the extremist group known as ISIS or ISIL. According to the FBI, the attackers are sympathisers of ISIS but otherwise are not members of the terrorist organization.
  • Mozilla's Firefox has received a new update to patch a web encryption flaw which could allow malicious websites to bypass certificate verification checks. In a brief security advisory provided by the Mozilla Foundation, the security flaw was deemed "critical." The bug, exploited through the HTTP/2 Alt-Svc header -- within Mozilla's Alternative Services implementation -- allowed SSL certificate verification to be bypassed.
  • On Tuesday CNN reported that anonymous White House sources believed Russia was behind a White House network breach that began last October (and is still ongoing). On Wednesday, White House spokesman Josh Earnest said the source was not authorized to speak publicly about the investigation, and officially declined to blame Russia for the attacks. Kremlin spokesman Dmitry Peskov also rejected CNN's report. The White House told the NYT in October that its EOP network had been hacked, at the time playing down the breach to the press by emphasizing that it affected an unclassified network only - where the hackers conducted "fairly standard espionage." As we reported at the time, the intruders accessed the network that handled everything that happens on unclassified computers in the Executive Office of the President, which indicates that this breach was (and is) much more serious than is being reported. Mitigation included staffers having to change their passwords and intranet or VPN access being temporarily shut off. Also in October, when news of the breach hit, the Washington Post reported that "sources said" Russian hackers may be to blame.
  • Unredacted documents published Tuesday reveal that not only is the FBI actively attempting to stop the public from knowing about stingrays, surveillance tools that determine someone's location by spoofing a cell tower and can intercept calls and text messages, but it has also forced local law enforcement agencies to stay quiet even in court and during public hearings. This comes from a non-disclosure agreement signed between law enforcement and stingray's maker, the Harris Corporation -- which also requires that officials interfere with FOIA requests, ostensibly to prevent public knowledge of the tool's workings. The documents also revealed that law enforcement sought court permission to use the problematic surveillance tool only once out of 47 times.
  • TV5Monde, which broadcasts to 200 countries, was savagely attacked by pro-ISIS hackers: The media giant took to Facebook and YouTube to explain that a serious cyberattack, which began on Wednesday, had knocked out its TV channels, websites, and social networks. The Paris-based company's website was also rendered inaccessible.