10Fold – Security Never Sleeps – 75

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: The European Commission has filed a formal antitrust complaint against Google, accusing the company of wielding its power as the world’s leading phone software supplier to impose its search and Web programs on billions of mobile users. A new variant of POS malware, “Multigrain,” has been found by FireEye; the malware targets systems that run the POS process multi.exe. Oracle has adopted the new CVSS 3.0 vulnerability rating system, which has resulted in 136 flaws that were rated as high and critical. Apple warns that QuickTime for Windows PC has known flaws; the Department of Homeland Security issued a public statement urging anyone using QuickTime to uninstall the product because Apple has ceased development and no longer issues security updates.

Google’s Android Targeted by EU Over Mobile Search Curbs – Publication: Bloomberg – Reporter name: Aoife White

The European Commission sent Google a formal antitrust complaint, accusing the company of striking restrictive contracts that require makers of tablets and phones to install its search and Web browser on new phones. The company also unfairly pays phone makers and telecom operators a share of advertising revenue if they agree to make Google’s search engine the default on devices, the EU said Wednesday. By sending a statement of objections, the EU is opening a new front in its antitrust battle with the Alphabet Inc. unit — paving the way for potentially huge fines and radical changes to the way the company does business. It comes a year after the EU issued a formal complaint regarding Google’s comparison-shopping service.


‘Multigrain’ variant of POS malware crops up; uses DNS tunneling to steal data – Publication: SC Magazine – Reporter name: Bradley Barth

A variant of the NewPosThings POS malware family, dubbed Multigrain, has introduced an interesting wrinkle—exfiltrating stolen payment card data from POS systems via the Domain Name System (DNS), as opposed to via HTTP or File Transfer Protocol (FTP), FireEye explained in its threat research blog on Tuesday. Because DNS is conventionally used to translate domain names into IP addresses, and not to transfer general data, the system is often overlooked by cybersecurity officials when assessing potential threats to their organizations. While HTTP or FTP traffic might be closely monitored or restricted to prevent unauthorized external queries, the DNS “is still necessary to resolve hostnames within the corporate environment and is unlikely to be blocked,” explains the FireEye blog. Consequently, DNS remains vulnerable to cyber intruders, making this tactic especially appealing to sneaky cybercriminals.
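As an added example (not taken from FireEye's write-up or from this digest), one common way defenders surface the DNS-based exfiltration described above is to flag clients that send several distinct names with long, high-entropy subdomain labels to a single registered domain. The thresholds, client addresses, domains and the encoded-looking label in the sample data are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def label_entropy(label):
    """Shannon entropy of a DNS label, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def registered_domain(qname):
    # Assumption: naive "last two labels"; use the Public Suffix List in production.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def is_encoded_label(label, min_len=24, min_entropy=3.5):
    """Long and random-looking: typical of encoded payloads, rare in hostnames."""
    return len(label) >= min_len and label_entropy(label) >= min_entropy

def find_dns_exfil(queries, min_hits=3):
    """Return {(client, domain): n} where a client sent >= min_hits distinct
    names carrying an encoded-looking subdomain label to one registered domain."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub_labels = qname.rstrip(".").lower().split(".")[:-2]
        if any(is_encoded_label(lab) for lab in sub_labels):
            seen[(client, registered_domain(qname))].add(qname.lower())
    return {key: len(names) for key, names in seen.items() if len(names) >= min_hits}

# Constructed sample data (not real traffic): (client_ip, queried_name) pairs.
BLOB = "mzxw6ytboi2dgnjwg44tqmjsgm2dknrx"  # constructed 32-character label
SAMPLE_QUERIES = [
    ("10.0.5.11", "www.example.com"),
    ("10.0.5.11", f"{BLOB}.tunnel-demo.example"),
    ("10.0.5.11", f"{BLOB[::-1]}.tunnel-demo.example"),
    ("10.0.5.11", f"{BLOB[5:] + BLOB[:5]}.tunnel-demo.example"),
    ("10.0.5.20", "autodiscover.mail.example.org"),
    ("10.0.5.20", f"{BLOB}.telemetry-demo.example"),  # single hit: below min_hits
]

if __name__ == "__main__":
    for (client, domain), n in find_dns_exfil(SAMPLE_QUERIES).items():
        print(f"ALERT {client} -> {domain}: {n} encoded-looking names")
```

The `min_hits` threshold keeps a single long label (some CDNs and telemetry services use them) from raising an alert; tune it and the entropy cutoff against a baseline of your own resolver logs.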


Oracle releases 136 security patches for wide range of products – Publication: NetworkWorld – Reporter name: Lucian Constantin

Oracle has released another monster quarterly security update containing 136 fixes for flaws in a wide range of products including Oracle Database Server, E-Business Suite, Fusion Middleware, Oracle Sun Products, Java, and MySQL. The biggest change is Oracle’s adoption of the Common Vulnerability Scoring System (CVSS) version 3.0, which more accurately reflects the impact of flaws than CVSS 2.0. This Oracle Critical Patch Update (CPU) has both CVSS 3.0 and CVSS 2.0 scores for vulnerabilities, providing a chance to compare how the new rating system might affect Oracle patch prioritization inside organizations. One immediately noticeable change is that there are five vulnerabilities rated with the maximum score of 10.0 based on the CVSS 2.0 scale, but none when using the CVSS 3.0 rating. At first glance, this would suggest that based on CVSS 3.0, flaws are rated as less critical, but that’s not true.


Apple Abruptly Pulls Plug On QuickTime for Windows – Publication: Forbes – Reporter name: Tony Bradley

Do you have Apple QuickTime installed on your Windows PC? It’s time to remove it. There are known flaws that can be exploited relatively easily, and Apple has confirmed that it is no longer supporting the software. The US-CERT, part of the Department of Homeland Security, recently issued a public statement urging anyone using QuickTime for Windows to uninstall the product immediately due to Apple ceasing development and therefore no longer issuing security updates. This alert stems from a recent call to action from Trend Micro, after the company’s Zero Day Initiative revealed two critical vulnerabilities: ZDI-16-241 and ZDI-16-242, affecting QuickTime for Windows.