Security Alerts & News
by Tymoteusz A. Góral

History
#756 Walmart sues Visa, wants to require PINs for all chip-enabled debit cards
This week, Walmart sued Visa in New York State Court, saying it wanted to be able to require PIN authorizations on all EMV debit card transactions. Although many debit card transactions already require a PIN to authorize purchases or withdrawals on that card, Visa makes its merchants give Visa card holders the option to authorize with a signature. Walmart is arguing that this puts its customers at risk for fraud.

Visa, Mastercard, and other card networks set an October 2015 deadline for merchants and card issuers in the US to shift to the chip-based EMV standard (which is named for Europay, Mastercard, and Visa, the three groups that developed the standard). The transition was meant to replace the magnetic stripe cards that persisted for years in the US, even after other countries quickly made the transition to the more secure chip-based cards. Walmart made the transition early last year, becoming one of the first national retailers to buy new terminals that accepted EMV cards, the Wall Street Journal reports.
#755 Corruption, code execution vulnerabilities patched in open source archiver 7-Zip
Several vulnerabilities were fixed this week in the file archiver 7-Zip that could have led to arbitrary code execution and file corruption.

The developer behind the tool (which is open source and can be used with any compression, conversion, or encryption method) is urging users to update to the most recent patched version, 16.00, as soon as possible to mitigate the issues.

Igor Pavlov, a Russian programmer who maintains the tool, announced the update on Tuesday, in a blog post on the software’s SourceForge forum.
#754 Five vulnerabilities fixed in Chrome browser, Google pays $20K to bug hunters
Google is urging Windows, Mac and Linux users to update their Chrome browser to fix five security holes – two of which rate as high severity. Google warned users of the vulnerabilities Wednesday as it released a new version, 50.0.2661.102, of the browser.

The Chrome security holes were found by four bug bounty hunters as part of Google’s Chromium Project and its bug bounty program. One of those bug bounty hunters was noted Polish security researcher Mariusz Mlynski, who earned a total of $15,500 for identifying two Chrome browser security vulnerabilities.
#753 Emergency Flash update patches public zero-day
As promised earlier this week, Adobe today released an updated version of Flash Player that includes a patch for a zero-day vulnerability.

Adobe said it is aware of the existence of a public exploit for CVE-2016-4117, but said the flaw has not been publicly attacked.

The vulnerability affects Flash Player versions 21.0.0.226 and earlier on Windows, Mac OS X, Linux and Chrome OS.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said Tuesday in an advisory.
#752 Chinese ARM vendor left developer backdoor in kernel for Android and other devices
Allwinner, a Chinese system-on-a-chip company that makes the processor used in many low-cost Android tablets, set-top boxes, ARM-based PCs, and other devices, apparently shipped a version of its Linux kernel with a ridiculously easy-to-use backdoor built in. All any code needs to do to gain root access is send the text "rootmydevice" to an undocumented debugging process.

The backdoor code may have inadvertently been left in the kernel after developers completed debugging. But the company has been less than transparent about it: information about the backdoor was released and then apparently deleted through Allwinner's own Github account. The kernel, linux-3.4-sunxi, which was originally developed to support Android on Allwinner's ARM processors for tablets, has also been used to develop a community version. The kernel was also the basis for porting over various versions of Linux to Allwinner's processors, which are used in the Orange Pi and Banana Pi micro-PCs (developer boards compatible with Raspberry Pi) along with a number of other devices.
#751 Spam and phishing in Q1 2016
The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million. At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.
#750 Opera adds power-saving mode, offers “up to 50%” longer battery life
After baking in an ad blocker and VPN client, Norwegian browser maker Opera Software has added a power saving mode to its desktop Web browser. The feature is currently only available in the latest "developer" version of the desktop browser—which should be available on Thursday morning.

Opera's SVP of engineering Krystian Kolondra said that the new feature "can increase the battery life by as much as 50 percent." The company claimed that such huge gains are possible through a number of additional optimisations, including "reducing activity from background tabs, adapting page-redrawing frequency, and tuning video-playback parameters."