Apple has released security updates to address vulnerabilities in iCloud for Windows, Safari, iTunes for Windows, and macOS Sierra. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
On December 14, Yahoo announced that after an investigation into data provided by law enforcement officials in November, the company and outside forensics experts have determined that there was in fact a previously undetected breach of data from over 1 billion user accounts. The breach took place in August 2013 and is apparently distinct from the previous mega-breach revealed this fall, one Yahoo claims was conducted by a "state-sponsored actor."
The information accessed from potentially exposed accounts "may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers," Yahoo's chief information security officer Bob Lord reported in the statement issued by the company. "The investigation indicates that the stolen information did not include passwords in clear text, payment card data, or bank account information. Payment card data and bank account information are not stored in the system the company believes was affected."
It's not clear whether the data provided by law enforcement to Yahoo is connected to samples offered on an underground site this past August, particularly since Yahoo remains unsure of how the user data was spirited out of its systems in the first place. But the breach news doesn't end there.
Joomla! has released version 3.6.5 of its Content Management System (CMS) software to address multiple vulnerabilities. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected website.
US-CERT encourages users and administrators to review the Joomla! Release News and US-CERT's Alert on Content Management Systems Security and Associated Risks and apply the necessary update.
Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.
Available updates include:
- Firefox 50.1
- Firefox ESR 45.6