Intel revealedVulnerability-related.DiscoverVulnerabilitythat it will not be issuingVulnerability-related.PatchVulnerabilitySpectre patches to a number of older Intel processor families , potentially leaving many customers vulnerable to the security exploit . Intel claims the processors affected are mostly implemented as closed systems , so they aren ’ t at risk from the Spectre exploit , and that the age of these processors means they have limited commercial availability . The processors which Intel won ’ t be patchingVulnerability-related.PatchVulnerabilityinclude four lines from 2007 , Penryn , Yorkfield , and Wolfdale , along with Bloomfield ( 2009 ) , Clarksfield ( 2009 ) , Jasper Forest ( 2010 ) and the Intel Atom SoFIA processors from 2015 . According to Tom ’ s Hardware , Intel ’ s decision not to patchVulnerability-related.PatchVulnerabilitythese products could stem from the relative difficulty of patchingVulnerability-related.PatchVulnerabilitythe Spectre exploit on older systems . “ After a comprehensive investigation of the microarchitectures and microcode capabilities for these products , Intel has determined to not releaseVulnerability-related.PatchVulnerabilitymicrocode updates for these products , ” Intel said . Because of the nature of the Spectre exploit , patches for it need to be deliveredVulnerability-related.PatchVulnerabilityas an operating system or BIOS update , and if Microsoft and motherboard OEMs aren ’ t going to distributeVulnerability-related.PatchVulnerabilitythe patches , developingVulnerability-related.PatchVulnerabilitythem isn ’ t much of a priority . “ However , the real reason Intel gave up on patchingVulnerability-related.PatchVulnerabilitythese systems seems to be that neither motherboard makers nor Microsoft may be willing to updateVulnerability-related.PatchVulnerabilitysystems sold a decade ago , ” Tom ’ s Hardware reports . It sounds bad , but as Intel pointed out , these are all relatively old processors — with the exception of the Intel Atom SoFIA processor , which came out in 2015 — and it ’ s unlikely they ’ re used in any high-security environments . The Spectre exploit is a serious security vulnerability to be sure , but as some commentators have pointed out in recent months , it ’ s not the kind of exploit the average user needs to worry about . “ We ’ ve now completed releaseVulnerability-related.PatchVulnerabilityof microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discoveredVulnerability-related.DiscoverVulnerabilityby Google Project Zero , ” said an Intel spokseperson . “ However , as indicated in our latest microcode revision guidance , we will not be providingVulnerability-related.PatchVulnerabilityupdated microcode for a select number of older platforms for several reasons , including limited ecosystem support and customer feedback. ” If you have an old Penryn processor toiling away in an office PC somewhere , you ’ re probably more at risk for a malware infection arising from a bad download than you are susceptible to something as technically sophisticated as the Spectre or Meltdown vulnerabilities .
A group of thieves exploitedVulnerability-related.DiscoverVulnerabilityweaknesses in Signaling System 7 ( SS7 ) to drainAttack.Databreachusers ’ bank accounts , including those protected by two-step verification ( 2SV ) . On 3 May , a representative with O2 Telefonica , a provider of mobile phones and broadband , told German newspaper Süddeutsche Zeitung that thieves managed to bypass security measures and make unauthorized withdrawals from customers ’ bank accounts : “ Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January . The attack redirected incoming SMS messages for selected German customers to the attackers. ” The thieves pulled off their heist by exploiting the weak underbelly of SS7 . It ’ s a protocol that specifies how public switched telephone networks ( PSTN ) exchange data over digital signaling network . In simpler terms , SS7 helps phone carriers around the world route your calls and text messages . Useful ! Unfortunately , it ’ s also terribly insecure . That ’ s what researchers Tobias Engel and Karsten Nohl foundVulnerability-related.DiscoverVulnerabilityback in 2014 . Specifically , the duo discoveredVulnerability-related.DiscoverVulnerabilityflaws in the protocol that allowed an attacker to intercept a victim ’ s mobile phone calls as well as use a radio antenna to pick up all of a local user ’ s phone calls and texts . Along the researchers ’ observations , the January attackers first compromisedAttack.Databreachusers ’ computers with malware that stoleAttack.Databreachtheir bank account numbers , login credentials , and mobile phone numbers . The Register reports that these criminals then waited until the middle of the night to spring into action . For those accounts protected by SMS-based 2SV ( not to be confused with 2FA ) , the attackers abused SS7 to redirect customers ’ SMS text messages to phone numbers under their control . This exploit allowed the thieves to stealAttack.Databreachusers ’ mobile transaction authentication numbers ( mTAN ) and thereby withdraw money from their accounts . In the aftermath of the attack , authorities blocked the unidentified foreign network exploited by the attackers . Bank officials also notified customers of the unauthorized withdrawals . But that ’ s not all . Some people are now calling on the FCC to fixVulnerability-related.PatchVulnerabilitythe ( finally ! ) fix the issues affectingVulnerability-related.DiscoverVulnerabilitySS7 . One of them is U.S. Representative Ted Lieu , who made his position clear to Ars Technica : “ Everyone ’ s accounts protected by text-based two-factor authentication , such as bank accounts , are potentially at risk until the FCC and telecom industry fixVulnerability-related.PatchVulnerabilitythe devastating SS7 security flaw . Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number . It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security . I urge the Republican-controlled Congress to hold immediate hearings on this issue. ” Let ’ s hope we finally get some movement on these security flaws . In the meantime , users might want to reconsider using SMS messages as a means of 2SV . They might want to go with an app like Google Authenticator or choose a solution like the U2F Security Key instead .
Oracle has releasedVulnerability-related.PatchVulnerabilitya critical patch update addressingVulnerability-related.PatchVulnerabilitymore than 300 vulnerabilities across several of its products – including one flaw with a CVSS 3.0 score of 10 that could allow the takeover of the company ’ s software package , Oracle GoldenGate . Of the 301 security flaws that were fixedVulnerability-related.PatchVulnerabilityin this month ’ s Oracle patch , 45 had a severity rating of 9.8 on the CVSS scale . “ Due to the threat posed by a successful attack , Oracle strongly recommends that customers applyVulnerability-related.PatchVulnerabilityCritical Patch Update fixes as soon as possible , ” the company said in its Tuesday advisory . The highest-severity flaw ( CVE-2018-2913 ) lies inVulnerability-related.DiscoverVulnerabilitythe Monitoring Manager component of Oracle GoldenGate , which is the company ’ s comprehensive software package that allows data to be replicated in heterogeneous data environments . According to the National Vulnerability Database , the glitch is an easily exploitable vulnerability that allows unauthenticated attacker with network access via the TCP protocol to compromise Oracle GoldenGate . The flaw was discoveredVulnerability-related.DiscoverVulnerabilityby Jacob Baines , a researcher with Tenable . “ CVE-2018-2913 is a stack buffer overflow in GoldenGate Manager , ” Baines toldVulnerability-related.DiscoverVulnerabilityThreatpost . “ The Manager listens on port 7809 where it accepts GoldenGate Software Command Interface ( GGSCI ) commands . Tenable found that a remote unauthenticated attacker can trigger a stack buffer overflow by sending a GGSCI command that is longer than expected. ” The attack is not complex and a bad actor could be remote and unauthenticated . Making matters worse , an attacker could compromise other products after initially attacking GoldenGate , the advisory warned . “ While the vulnerability is in Oracle GoldenGate , attacks may significantly impact additional products , ” the note saidVulnerability-related.DiscoverVulnerability. “ Successful attacks of this vulnerability can result in takeover of Oracle GoldenGate. ” The flaw impactsVulnerability-related.DiscoverVulnerabilityversions 12.1.2.1.0 , 12.2.0.2.0 , and 12.3.0.1.0 in Oracle GoldenGate . Currently no working exploits for the flaw have been discoveredVulnerability-related.DiscoverVulnerabilityin the wild , according to the release . It should be noted that For Linux and Windows platforms , the flaw ’ s CVSS score is 9.0 because the access complexity is lower ( only rated high , not critical ) ; while for all other platforms , the CVSS score is a critical 10 . Two other flaws were also discoveredVulnerability-related.DiscoverVulnerabilityin Oracle GoldenGate ( CVE-2018-2912 and CVE-2018-2914 ) , with ratings of 7.5 on the CVSS scale ; those vulnerabilities weren ’ t nearly as severe . “ All of these vulnerabilities may be remotely exploitable without authentication , i.e. , may be exploitedVulnerability-related.DiscoverVulnerabilityover a network without requiring user credentials . ”
Thousands , if not more , Jenkins servers are vulnerableVulnerability-related.DiscoverVulnerabilityto data theft , takeover , and cryptocurrency mining attacks . This is because hackers can exploit two vulnerabilities to gain admin rights or log in using invalid credentials on these servers . Both vulnerabilities were discoveredVulnerability-related.DiscoverVulnerabilityby security researchers from CyberArk , were privately reportedVulnerability-related.DiscoverVulnerabilityto the Jenkins team , and receivedVulnerability-related.PatchVulnerabilityfixes over the summer . But despite patches for both issues , there are still thousands of Jenkins servers availableVulnerability-related.PatchVulnerabilityonline . Jenkins is a web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results , and even automate the process of deploying new code to production servers . Jenkins is a popular component in many companies ' IT infrastructure and these servers are very popular with both freelancers and enterprises alike . Over the summer , CyberArk researchers discoveredVulnerability-related.DiscoverVulnerabilitya vulnerability ( tracked asVulnerability-related.DiscoverVulnerabilityCVE-2018-1999001 ) that allows an attacker to provide malformed login credentials that cause Jenkins servers to move their config.xml file from the Jenkins home directory to another location . If an attacker can cause the Jenkins server to crash and restart , or if he waits for the server to restart on its own , the Jenkins server then boots in a default configuration that features no security . In this weakened setup , anyone can register on the Jenkins server and gain administrator access . With an administrator role in hand , an attacker can access private corporate source code , or even make code modifications to plant backdoors in a company 's apps . This lone issue would have been quite bad on its own , but CyberArk researchers also discoveredVulnerability-related.DiscoverVulnerabilitya second Jenkins vulnerability -- CVE-2018-1999043 . This second bug , they saidVulnerability-related.DiscoverVulnerability, allowed an attacker to create ephemeral user records in the server 's memory , allowing an attacker a short period when they could authenticate using ghost usernames and credentials . Both vulnerabilities were fixedVulnerability-related.PatchVulnerability, the first in July and the second in August , but as we 've gotten accustomed to in the past few years of covering security flaws , not all server owners have bothered to install these security updates .
Cisco has patchedVulnerability-related.PatchVulnerabilitya set of severe vulnerabilities which could lead to remote code execution in the Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) . The security flaws , CVE-2018-15414 , CVE-2018-15421 , and CVE-2018-15422 , have been issuedVulnerability-related.DiscoverVulnerabilitya base score of 7.8 . According to the Cisco Product Security Incident Response Team ( PSIRT ) , the flaws could lead to `` an unauthenticated , remote attacker to execute arbitrary code on a targeted system . '' The Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) , available for Windows , Mac , and Linux machines is a component for recording meetings taking place in the Cisco Webex Meetings Suite sites , Cisco Webex Meetings Online sites , and Cisco Webex Meetings Server . In a security advisory posted this week , Cisco says that the following software is affected : Cisco Webex Meetings Suite ( WBS32 ) : Webex Network Recording Player versions prior to WBS32.15.10 ; Cisco Webex Meetings Suite ( WBS33 ) : Webex Network Recording Player versions prior to WBS33.3 ; Cisco Webex Meetings Online : Webex Network Recording Player versions prior to 1.3.37 ; Cisco Webex Meetings Server : Webex Network Recording Player versions prior to 3.0MR2 . According to Cisco , each operating system is vulnerableVulnerability-related.DiscoverVulnerabilityto at least one of the security flaws . The vulnerabilities are due to the improper invalidation of Webex recording files . If a victim opens a crafted , malicious file in the Cisco Webex Player -- potentially sent overAttack.Phishingemail as part of a spear phishing campaignAttack.Phishing-- the bugs are triggered , leading to exploit . TechRepublic : Cisco switch flaw led to attacks on critical infrastructure in several countries There are no workarounds to addressVulnerability-related.PatchVulnerabilitythese vulnerabilities . However , Cisco has developedVulnerability-related.PatchVulnerabilitypatches to automatically updateVulnerability-related.PatchVulnerabilityvulnerable software . It is recommended that users accept these updates as quickly as possible . The tech giant notes that some Cisco Webex Meetings builds might be at the end of their support cycles and wo n't receive these updates . In these cases , users should contact the company directly . CNET : Kansas City gets smarter thanks to Cisco and Sprint Alternatively , the ARF component is an add-on and can simply be uninstalled manually . A removal tool is has been made available . Cisco is not awareVulnerability-related.DiscoverVulnerabilityof any reports of any active exploits in the wild . Steven Seeley from Source Incite and Ziad Badawi , working together with the Trend Micro Zero Day Initiative , have been credited with finding and reportingVulnerability-related.DiscoverVulnerabilitythe bugs . In related news this week , Trend Micro 's Zero Day Initiative disclosedVulnerability-related.DiscoverVulnerabilitya Microsoft Jet zero-day vulnerability which was unpatchedVulnerability-related.PatchVulnerabilityat the point of public disclosureVulnerability-related.DiscoverVulnerability. If exploitedVulnerability-related.DiscoverVulnerability, the vulnerability permits attackers to remotely execute code on infected machines .
A security lapse at content distribution network provider Cloudflare that resulted in customer data being leakedAttack.Databreachpublicly for several months was bad - but had the potential to be much worse . That 's Cloudflare 's initial postmortem conclusion after a twelve-day review of log data related to the breachAttack.Databreach. The review showed no evidence that attackers had exploitedVulnerability-related.DiscoverVulnerabilitythe flaw prior to it being discoveredVulnerability-related.DiscoverVulnerabilityand patchedVulnerability-related.PatchVulnerability, Cloudflare CEO and founder Matthew Prince said in a blog Wednesday . A `` vast majority '' of Cloudflare 's customers also did not appear to have had any of their data leakedAttack.Databreach. Cloudflare ’ s inspection of tens of thousands of pages that were leakedAttack.Databreachfrom its reverse-proxy servers and cached by search engines revealed a `` large number '' of instances of internal Cloudflare cookies and headers . But so far , according to Prince , there ’ s no evidence that passwords , credit card numbers , and other personal data were compromised as was initially feared . The Cloudflare security snafu stemmed from the manner in which a stream parser application that the company uses to modify content passing through its edge servers handled HTTP requests . The bug caused the parser to read memory not only from the HTML page that was being actually parsed , but also from adjacent memory that contained data in response to HTTP requests made by other customers . The flaw was triggered only when pages with certain specific attributes were requested through Cloudflare ’ s CDN . `` If you had accessed one of the pages that triggered the bug you would have seen what likely looked like random text at the end of the page , '' Prince said . A lot of the leaked data ended up getting cached by search engines and Web scrapers . A security researcher from Google ’ s Project Zero threat hunting team alertedVulnerability-related.DiscoverVulnerabilityCloudfare to the bug last month . The company claimed it fixedVulnerability-related.PatchVulnerabilitythe problem in a matter of hours after being notifiedVulnerability-related.DiscoverVulnerabilityof the problem . Some have compared the breach to Heartbleed and have even called it Cloudbleed . In his blog , Prince compared the threat posed by the bug to that posed by a stranger eavesdropping on a random conversation between two employees . Most of the time , the stranger would likely hear nothing of value , but occasionally might pick upAttack.Databreachsomething confidential . The same would have been true for a malicious attacker , who had somehow known aboutVulnerability-related.DiscoverVulnerabilitythe bug and exploitedVulnerability-related.DiscoverVulnerabilityit before Cloudflare ’ s fixVulnerability-related.PatchVulnerability, he said . The customers most at risk of having their data exposedAttack.Databreachwere those that sent the most requests through Cloudflare ’ s CDN . Cloudflare ’ s detailed postmortem and mea culpa evoked a mixed response from security experts . Ilia Kolochenko , CEO of Web security firm High-Tech Bridge praised Prince ’ s effort to be transparent about what went down . `` Even if we can not verify the accuracy of all the numbers inside – for the moment , I don ’ t have a valid reason to question either its content , or conclusion , '' Kolochenko says . In fact , until someone can come up with a credible rebuttal of Cloudflare ’ s internal investigation , it ’ s inappropriate to compare what happened at the company to Heartbleed . `` I ’ d say it ’ s inappropriate even to call this particular incident a 'Cloudbleed , ' '' he says . `` In the Heartbleed case , almost every company in the world , many software vendors including cybersecurity companies , were seriously impacted by the vulnerability . '' Heartbleed also resulted in multiple breachesAttack.Databreachand many organizations continue to be exposedAttack.Databreachto the threat . Neither of those situations applies to the Cloudflare security lapse . `` All avenues of Cloudflare ’ s vulnerability exploitation seems to be mitigatedVulnerability-related.PatchVulnerabilityby now , '' he says . But Kunal Anand , CTO of application security vendor Prevoty , says the details Cloudflare has shared are n't exactly reassuring . If no sensitive information like credit numbers and Social Security Numbers were leakedAttack.Databreachand the leaked dataset itself was relatively small , there is no reason why Cloudflare should n't share it with a third-party for an unbiased review , he says . `` CloudFlare needs to realize that HTTP headers , including cookies , contain sensitive information like session identifiers , authorization tokens and IP addresses , '' Anand says . `` All of these data points should count as private data . '' CloudFlare has been working with various search engines to purge their caches , but in the process , any evidence of the data that was leakedAttack.Databreachis being deleted as well . That makes it hard to quantify the scope of the data breachAttack.Databreachoutside of CloudFlare 's own logs . `` There 's a lot of speculation if nation-state sponsored engines will actually purge the data or copy it for further analysis , '' Anand says .
SAN FRANCISCO — Hackers took advantage of an Equifax security vulnerability two months after an industry group discoveredVulnerability-related.DiscoverVulnerabilitythe coding flaw and sharedVulnerability-related.PatchVulnerabilitya fix for it , raising questions about why Equifax did n't updateVulnerability-related.PatchVulnerabilityits software successfully when the danger became known . A week after Equifax revealed one of the largest breachesAttack.Databreachof consumers ' private financial data in history — 143 million consumers and accessAttack.Databreachto the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax . `` The Equifax data compromiseAttack.Databreachwas due to ( Equifax 's ) failure to install the security updates providedVulnerability-related.PatchVulnerabilityin a timely manner , '' The Apache Foundation , which oversees the widely-used open source software , said in a statement Thursday . Equifax told USA TODAY late Wednesday the criminals who gained accessAttack.Databreachto its customer data exploitedVulnerability-related.DiscoverVulnerabilitya website application vulnerability known asVulnerability-related.DiscoverVulnerabilityApache Struts CVE-2017-5638 . The vulnerability was patchedVulnerability-related.PatchVulnerabilityon March 7 , the same day it was announcedVulnerability-related.DiscoverVulnerability, The Apache Foundation said . Cybersecurity professionals who lend their free services to the project of open-source software — code that 's shared by major corporations and that 's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group , making the risk and fix known to any company using the software . Modifications were made on March 10 , according to the National Vulnerability Database . But two months later , hackers took advantage of the vulnerability to enter the credit reporting agency 's systems : Equifax said the unauthorized access began in mid-May . Equifax did not respond to a question Wednesday about whether the patches were appliedVulnerability-related.PatchVulnerability, and if not , why not . `` We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement , '' it said . It should have have acted faster to successfully deal with the problem , other cybersecurity professionals said . `` They should have patchedVulnerability-related.PatchVulnerabilityit as soon as possible , not to exceed a week . A typical bank would have patchedVulnerability-related.PatchVulnerabilitythis critical vulnerability within a few days , ” said Pravin Kothari , CEO of CipherCloud , a cloud security company . Federal regulators are now investigating whether Equifax is at fault . The Federal Trade Commission and the Consumer Financial Protection Bureau have said they 've opened probes into the hack . So far dozens of state attorneys general are investigating the breach , and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws . More than 23 class-action lawsuits against the company have also been proposed . Proof that Equifax failed to protect customers , particularly when it had the tools and information to do so , is likely to further damage Equifax 's financial outlook . Shares fell 2.5 % Thursday after news of the FTC probe and are down 33 % since it revealed the link .
The hacker leakedAttack.Databreachthe FBI.GOV accounts that he found in several backup files ( acc_102016.bck , acc_112016.bck , old_acc16.bck , etc ) . Leaked records contain accounts data , including names , SHA1 Encrypted Passwords , SHA1 salts , and emails . The intrusion occurred on December 22 , 2016 , the hacker revealedVulnerability-related.DiscoverVulnerabilityto have exploitedVulnerability-related.DiscoverVulnerabilitya zero-day vulnerability in the Plone Content Management System Going back to 22nd December 2016 , I tweeted aboutVulnerability-related.DiscoverVulnerabilitya 0day vulnerability in Plone CMS which is considered as the most secure CMS till date . The vulnerability resides inVulnerability-related.DiscoverVulnerabilitysome python modules of the CMS . The hacker noticed that while media from Germany and Russia published the news about the hack , but US based publishers ignored it . According to CyberZeist , the FBI contacted him to pass on the leaks . `` I was contacted by various sources to pass on the leaks to them that I obtained after hacking FBI.GOV but I denied all of them . just because I was waiting for FBI to react on time . They didn ’ t directly react and I don ’ t know yet what are they up to , but at the time I was extracting my finds after hacking FBI.GOV , '' he wrote . The expert added further info on the attack , while experts at the FBI were working to fixVulnerability-related.PatchVulnerabilitythe issue , he noticedVulnerability-related.DiscoverVulnerabilitythat the Plone 0day exploit was still working against the CMS backend . ) , but I was able to recon that they were runningVulnerability-related.PatchVulnerabilityFreeBSD ver 6.2-RELEASE that dates back to 2007 with their own custom configurations . Their last reboot time was 15th December 2016 at 6:32 PM in the evening . `` While exploiting FBI.GOV , it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files ( .bck extension ) on that same folder where the site root was placed ( Thank you Webmaster ! ) , but still I didn ’ t leak outAttack.Databreachthe whole contents of the backup files , instead I tweeted outVulnerability-related.DiscoverVulnerabilitymy findings and thought to wait for FBI ’ s response '' Now let ’ s sit and wait for the FBI ’ s response . I obviously can not publishVulnerability-related.DiscoverVulnerabilitythe 0day attack vector myself . The hacker confirmedVulnerability-related.DiscoverVulnerabilitythat the 0-day is offered for sale on Tor by a hacker that goes by the moniker “ lo4fer ” . Once this 0day is no longer being sold , I will tweet outVulnerability-related.DiscoverVulnerabilitythe Plone CMS 0day attack vector myself . Let ’ s close with a curiosity … CyberZeist is asking you to chose the next target . The hacker is very popular , among his victims , there are Barclays , Tesco Bank and the MI5 .
With a bunch of security fixes releasedVulnerability-related.PatchVulnerabilityand more on the way , details have been made publicVulnerability-related.DiscoverVulnerabilityof a Bluetooth bug that potentially allows miscreants to commandeer nearby devices . This Carnegie-Mellon CERT vulnerability advisory on Monday laid outVulnerability-related.DiscoverVulnerabilitythe cryptographic flaw : firmware or operating system drivers skip a vital check during a Diffie-Hellman key exchange between devices . The impact : a nearby eavesdropper could “ intercept and decrypt and/or forge and inject device messages ” carried over Bluetooth Low Energy and Bluetooth Basic Rate/Enhanced Data Rate ( BR/EDR ) wireless connections between gizmos . In other words , you can potentially snoop on supposedly encrypted communications between two devices to stealAttack.Databreachtheir info going over the air , and inject malicious commands . To pull this off , you must have been within radio range and transmitting while the gadgets were initially pairing . The bug 's status in Android is confusing : while it does n't appear in the operating system project 's July monthly bulletin , phone and tablet manufacturers like LG and Huawei list the bug as being patchedVulnerability-related.PatchVulnerabilityin the , er , July security update . Microsoft has declared itself in the clear . The CERT note says fixes are needed both in software and firmware , which should be obtained from manufacturers and developers , and installed – if at all possible . We 're guessing for random small-time Bluetooth gizmos , it wo n't be very easy to prise an update out of the vendors , although you should have better luck with bigger brand gear . So , make sure you 're patched via the usual software update mechanisms , or just look out for nearby snoops , and be ready to thwart them , when pairing devices . Manufacturers were warned in January , it appears , so have had plenty of time to work on solutions . Indeed , silicon vendor patches for CVE-2018-5383 are already rolling outVulnerability-related.PatchVulnerabilityamong larger gadget and device makers , with Lenovo and Dell posting updatesVulnerability-related.PatchVulnerabilityin the past month or so . Linux versions prior to 3.19 do n't support Bluetooth LE Secure Connections and are therefore not vulnerable , we 're told .
To understand why it is so difficult to defend computers from even moderately capable hackers , consider the case of the security flaw officially known asVulnerability-related.DiscoverVulnerabilityCVE-2017-0199 . The bug was unusually dangerous but of a common genre : it was in Microsoft software , could allow a hacker to seize control of a personal computer with little trace , and was fixedVulnerability-related.PatchVulnerabilityApril 11 in Microsoft ’ s regular monthly security update . But it had traveled a rocky , nine-month journey from discovery to resolution , which cyber security experts say is an unusually long time . Google ’ s security researchers , for example , give vendors just 90 days’ warningVulnerability-related.DiscoverVulnerabilitybefore publishingVulnerability-related.DiscoverVulnerabilityflaws they findVulnerability-related.DiscoverVulnerability. Microsoft Corp ( MSFT.O ) declined to say how long it usually takes to patchVulnerability-related.PatchVulnerabilitya flaw . While Microsoft investigated , hackers foundVulnerability-related.DiscoverVulnerabilitythe flaw and manipulated the software to spy on unknown Russian speakers , possibly in Ukraine . And a group of thieves used it to bolster their efforts to stealAttack.Databreachfrom millions of online bank accounts in Australia and other countries . Those conclusions and other details emerged from interviews with researchers at cyber security firms who studied the events and analyzed versions of the attack code . Microsoft confirmed the sequence of events . The tale began last July , when Ryan Hanson , a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise , foundVulnerability-related.DiscoverVulnerabilitya weakness in the way that Microsoft Word processes documents from another format . That allowed him to insert a link to a malicious program that would take control of a computer . The company often pays a modest bounty of a few thousands dollars for the identification of security risks . Soon after that point six months ago , Microsoft could have fixedVulnerability-related.PatchVulnerabilitythe problem , the company acknowledgedVulnerability-related.DiscoverVulnerability. But it was not that simple . A quick change in the settings on Word by customers would do the trick , but if Microsoft notifiedVulnerability-related.DiscoverVulnerabilitycustomers about the bug and the recommended changesVulnerability-related.PatchVulnerability, it would also be telling hackers about how to break in . Alternatively , Microsoft could have createdVulnerability-related.PatchVulnerabilitya patch that would be distributedVulnerability-related.PatchVulnerabilityas part of its monthly software updates . But the company did not patch immediatelyVulnerability-related.PatchVulnerabilityand instead dug deeper . It was not aware that anyone was using Hanson ’ s method , and it wanted to be sure it had a comprehensive solution . “ We performedVulnerability-related.PatchVulnerabilityan investigation to identify other potentially similar methods and ensure that our fix addresses [ sic ] more than just the issue reported , ” Microsoft said through a spokesman , who answered emailed questions on the condition of anonymity . “ This was a complex investigation. ” Hanson declined interview requests . The saga shows that Microsoft ’ s progress on security issues , as well as that of the software industry as a whole , remains uneven in an era when the stakes are growing dramatically . Finally , on the Tuesday , about six months after hearing from Hanson , Microsoft madeVulnerability-related.PatchVulnerabilitythe patch availableVulnerability-related.PatchVulnerability. As always , some computer owners are lagging behind and have not installed it . Ben-Gurion University employees in Israel were hacked , after the patch , by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts at technology companies and medical professionals , said Michael Gorelik , vice president of cyber security firm Morphisec . When Microsoft patchedVulnerability-related.PatchVulnerability, it thanked Hanson , a FireEye researcher and its own staff . A six-month delay is bad but not unheard of , said Marten Mickos , chief executive of HackerOne , which coordinates patching efforts between researchers and vendors . “ Normal fixing times are a matter of weeks , ” Mickos said . Privately-held Optiv said through a spokeswoman that it usually gives vendors 45 days to makeVulnerability-related.PatchVulnerabilityfixes before publishing researchVulnerability-related.DiscoverVulnerabilitywhen appropriate , and that it “ materially followed ” that practice in this case . If the patchingVulnerability-related.PatchVulnerabilitytook time , others who learned of the flaw moved quickly . On the final weekend before the patch , the criminals could have sold it along to the Dridex hackers , or the original makers could have cashed in a third time , Hultquist said , effectively staging a last clearance sale before it lost peak effectiveness . It is unclear how many people were ultimately infected or how much money was stolen .
CIsco has issuedVulnerability-related.PatchVulnerabilitya critical patch of a patch for a Cisco Prime License Manager SQL fix . Cisco this week said it patchedVulnerability-related.PatchVulnerabilitya “ critical ” patch for its Prime License Manager ( PLM ) software that would let attackers execute random SQL queries . The Cisco Prime License Manager offers enterprise-wide management of user-based licensing , including license fulfillment . ReleasedVulnerability-related.PatchVulnerabilityin November , the first version of the Prime License Manager patch caused its own “ functional ” problems that Cisco was then forced to fixVulnerability-related.PatchVulnerability. That patch , called ciscocm.CSCvk30822_v1.0.k3.cop.sgn addressedVulnerability-related.PatchVulnerabilitythe SQL vulnerability but caused backup , upgrade and restore problems , and should no longer be used Cisco said . Cisco wrote that “ customers who have previously installedVulnerability-related.PatchVulnerabilitythe ciscocm.CSCvk30822_v1.0.k3.cop.sgn patch should upgradeVulnerability-related.PatchVulnerabilityto the ciscocm.CSCvk30822_v2.0.k3.cop.sgn patch to remediate the functional issues . InstallingVulnerability-related.PatchVulnerabilitythe v2.0 patch will first rollback the v1.0 patch and then installVulnerability-related.PatchVulnerabilitythe v2.0 patch. ” As for the vulnerability that started this process , Cisco says it “ is due to a lack of proper validation of user-supplied input in SQL queries . An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application . A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres [ SQL ] user. ” The vulnerability impactsVulnerability-related.DiscoverVulnerabilityCisco Prime License Manager Releases 11.0.1 and later .
Microsoft is aware of the zero-day , but it 's highly unlikely it will be able to deliverVulnerability-related.PatchVulnerabilitya patch until its next Patch Tuesday , which is scheduled in three days . McAfee researchers , who disclosedVulnerability-related.DiscoverVulnerabilitythe zero-day 's presence , sayVulnerability-related.DiscoverVulnerabilitythey 've detectedVulnerability-related.DiscoverVulnerabilityattacks leveraging this unpatched vulnerability going back to January this year . Attacks with this zero-day follow a simple scenario , and start with an adversary emailing a victim a Microsoft Word document . The Word document contains a booby-trapped OLE2link object . If the victim uses Office Protected View when opening files , the exploit is disabled and wo n't execute . If the user has disabled Protected View , the exploit executes automatically , making an HTTP request to the attacker 's server , from where it downloads an HTA ( HTML application ) file , disguised asAttack.Phishingan RTF . The HTA file is executed automatically , launching exploit code to take over the user 's machine , closing the weaponized Word file , and displaying a decoy document instead . According to FireEye , `` the original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link . '' While the attack uses Word documents , OLE2link objects can also be embedded in other Office suite applications , such as Excel and PowerPoint . McAfee experts sayVulnerability-related.DiscoverVulnerabilitythe vulnerability affectsVulnerability-related.DiscoverVulnerabilityall current Office versions on all Windows operating systems . The attack routine does not rely on enabling macros , so if you do n't see a warning for macro-laced documents , that does n't mean the document is safe .
A flaw in certificate pinning exposed customers of a number of high-profile banks to man-in-the-middle attacks on both iOS and Android devices . A vulnerability in the mobile apps of major banks could have allowed attackers to stealAttack.Databreachcustomers ' credentials including usernames , passwords , and pin codes , according to researchers . The flaw was foundVulnerability-related.DiscoverVulnerabilityin apps by HSBC , NatWest , Co-op , Santander , and Allied Irish bank . The banks in question have now all updatedVulnerability-related.PatchVulnerabilitytheir apps to protect against the flaw . UncoveredVulnerability-related.DiscoverVulnerabilityby researchers in the Security and Privacy Group at the University of Birmingham , the vulnerability allows an attacker who is on the same network as the victim to perform a man-in-the-middle attack and steal information . The vulnerability lay inVulnerability-related.DiscoverVulnerabilitythe certificate pinning technology , a security mechanism used to prevent impersonation attacks and use of fraudulent certificates by only accepting certificates signed by a single pinned CA root certificate . While certificate pinning usually improves security , a tool developed by the researchers to perform semi-automated security-testing of mobile apps found that a flaw in the technology meant standard tests failed to detect attackers trying to take control of a victim 's online banking . As a result , certificate pinning can hide the lack of proper hostname verification , enabling man-in-the-middle attacks . The findings have been outlinedVulnerability-related.DiscoverVulnerabilityin a research paper and presentedVulnerability-related.DiscoverVulnerabilityat the Annual Computer Security Applications Conference in Orlando , Florida . The tool was run on 400 security critical apps in total , leading to the discoveryVulnerability-related.DiscoverVulnerabilityof the flaw . Tests foundVulnerability-related.DiscoverVulnerabilityapps from some of the largest banks contained the flaw which , if exploitedVulnerability-related.DiscoverVulnerability, could have enabled attackers to decrypt , view , and even modify network traffic from users of the app . That could allow them to view information entered and perform any operation that app can usually perform -- such as making payments or transferring of funds . Other attacks allowed hackers to perform in-app phishing attacksAttack.Phishingagainst Santander and Allied Irish bank users , allowing attackers to take over part of the screen while the app was running and stealAttack.Databreachthe entered credentials . The researchers have worked with the National Cyber Security Centre and all the banks involved to fixVulnerability-related.PatchVulnerabilitythe vulnerabilities , noting that the current version of all the apps affectedVulnerability-related.DiscoverVulnerabilityby the pinning vulnerability are now secure . A University of Birmingham spokesperson told ZDNet all the banks were highly cooperative : `` once this was flagged to them they did work with the team to amend it swiftly . ''
If you ’ re a BMW owner , prepare to patch ! Chinese researchers have foundVulnerability-related.DiscoverVulnerability14 security vulnerabilities affectingVulnerability-related.DiscoverVulnerabilitymany models . The ranges affectedVulnerability-related.DiscoverVulnerability( some as far back as 2012 ) are the BMW i Series , X Series , 3 Series , 5 Series and 7 Series , with a total of seven rated serious enough to be assigned CVEVulnerability-related.DiscoverVulnerabilitynumbers . The vulnerabilities are in in the Telematics Control Unit ( TCU ) , the Central Gateway Module , and Head Unit , across a range of interfaces including via GSM , BMW Remote Service , BMW ConnectedDrive , Remote Diagnosis , NGTP , Bluetooth , and the USB/OBD-II interfaces . Some require local access ( e.g . via USB ) to exploit but six including the Bluetooth flaw were accessible remotely , making them the most serious . Should owners worry that the flaws could be exploitedVulnerability-related.DiscoverVulnerability, endangering drivers and vehicles ? On the basis of the technical description , that seems unlikely , although Keen Lab won ’ t release the full proof-of-concept code until 2019 . Keen Lab described the effect of its hacking as allowing it to carry out : The execution of arbitrary , unauthorized diagnostic requests of BMW in-car systems remotely . To which BMW responded : BMW Group has already implemented security measures , which are currently being rolled out via over-the-air configuration updates . Additional security enhancements for the affected infotainment systems are being developedVulnerability-related.PatchVulnerabilityand will be availableVulnerability-related.PatchVulnerabilityas software updates for customers . In other words , some fixes have already been madeVulnerability-related.PatchVulnerability, while others will be madeVulnerability-related.PatchVulnerabilitybetween now and early 2019 , potentially requiring a trip to a service centre . Full marks to BMW for promptly responding to the research but the press release issuedVulnerability-related.PatchVulnerabilityin its wake reads like PR spin . To most outsiders , this is a case of Chinese white hats findingVulnerability-related.DiscoverVulnerabilityvulnerabilities in BMW ’ s in-car systems . To BMW , judging by the triumphant language of its press release , it ’ s as if this was the plan all along , right down to awarding Keen Lab the “ first-ever BMW Group Digitalization and IT Research Award. ” More likely , car makers are being caught out by the attention their in-car systems are getting from researchers , with Volkswagen Audi Group experiencing some of the same discomfort a couple of weeks ago at the hands of Dutch researchers . BMW has experienced this before too – three years ago it sufferedVulnerability-related.DiscoverVulnerabilityan embarrassing security flaw in its car ConnectedDrive software door-locking systems . Let ’ s not feel too sorry for the car makers because it ’ s the owners who face the biggest adjustment to their expectations – software flaws and patchingVulnerability-related.PatchVulnerabilityare no longer just for computers .
Adobe has posted an update to addressVulnerability-related.PatchVulnerability85 CVE-listed security vulnerabilities in Acrobat and Reader for both Windows and macOS . The PDF apps have receivedVulnerability-related.PatchVulnerabilitya major update that includes dozens of fixes for flaws that would allow for remote code execution attacks if exploitedVulnerability-related.DiscoverVulnerability. Other possible attacks include elevation of privilege flaws and information disclosure vulnerabilities . Fortunately , Adobe said that none of the bugs was currently being targeted in the wild - yet . For Mac and Windows Acrobat/Reader DC users , the fixes will be presentVulnerability-related.PatchVulnerabilityin versions 2019.008.20071 . For those using the older Acrobat and Reader 2017 versions , the fix will be labeledVulnerability-related.PatchVulnerability2017.011.30105 . Because PDF readers have become such a popular target for email and web-based malware attacks , users and admins alike would do well to test and install the updates as soon as possible . Exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone 's machine . In total , Adobe credited 19 different researchers with discoveringVulnerability-related.DiscoverVulnerabilityand reportingVulnerability-related.DiscoverVulnerabilitythe vulnerabilities . Among the more prolific bug hunters were Omri Herscovici of CheckPoint Software , who was credited for findingVulnerability-related.DiscoverVulnerabilityand reportingVulnerability-related.DiscoverVulnerability35 CVE-listed bugs , and Ke Liu and Tencent Security Xuanwu Lab , who was credited with findingVulnerability-related.DiscoverVulnerability11 of the patched Adobe vulnerabilities . Beihang University 's Lin Wang was given credit for nine vulnerabilities . While we 're on the subject of massive security updates , both users and admins will want to mark their calendars for a week from Tuesday . October 9 is slated to be this month 's edition of the scheduled 'Patch Tuesday ' monthly security update .
Logitech Options is an app that controls all of Logitech ’ s mice and keyboards . It offers several different configurations like Changing function key shortcuts , Customizing mouse buttons , Adjusting point and scroll behavior and etc . This app containedVulnerability-related.DiscoverVulnerabilitya huge security flaw that was discoveredVulnerability-related.DiscoverVulnerabilityby Tavis Ormandy who is a Google security researcher . It was foundVulnerability-related.DiscoverVulnerabilitythat Logitech Options was opening a WebSocket server on each individual computer Logitech Options was run on . This WebSocket server would open on port 10134 on which any website could connect and send several various commands which would be JSON-encoded . PID Exploit Through this any attacker can get in and run commands just by setting up a web page . The attacker only needs the Process Identifier ( PID ) . However the PID can be guessed as the software has no limit on the amount of try ’ s conducted . Once the attacker has obtained the PID and is in , consequently he can then completely control the Computer and run it remotely . This can also be used for keystroke injection or Rubber Ducky attacks which have been used to take over PC ’ s in the past . After Ormandy got a hold of Logitech ’ s engineers , he reportedVulnerability-related.DiscoverVulnerabilitythe vulnerability privately to them in a meeting between the Logitech ’ s engineering team and Ormandy on the 18th of September . After waiting a total of 90 days , Ormandy saw the company ’ s failure in addressingVulnerability-related.PatchVulnerabilitythe issue publicly or through a patch for the app , Thus Ormandy himself posted his findingVulnerability-related.DiscoverVulnerabilityon the 11th of December making the issue public . As the story gained attention Accordingly Logitech responded with an update for Logitech Options . Logitech releasedVulnerability-related.PatchVulnerabilityOptions version 7.00.564 on the 13th of December . They claim to have fixedVulnerability-related.PatchVulnerabilitythe origin and type checking bugs along with a patch for the security vulnerability . However they have not mentionedVulnerability-related.PatchVulnerabilitythe Security Vulnerability patch on their own website . They told German magazine heise.de that the new version does indeed fixVulnerability-related.PatchVulnerabilitythe vulnerability Travis Ormandy and his team are currently checking the new version of Logitech Options for any signs of Security Vulnerabilities . Everyone with the old version of Logitech Options are advised to upgradeVulnerability-related.PatchVulnerabilityto the new 7.00.564 .
On March 25 , security researcher Kevin Beaumont discoveredVulnerability-related.DiscoverVulnerabilitysomething very unfortunate on Docs.com , Microsoft 's free document-sharing site tied to the company 's Office 365 service : its homepage had a search bar . That in itself would not have been a problem if Office 2016 and Office 365 users were aware that the documents they were posting were being shared publicly . As described in a Microsoft support document , `` with Docs.com , you can create an online portfolio of your expertise , discover , download , or bookmark works from other authors , and build your brand with built-in SEO , analytics , and email and social sharing . '' But many users used Docs.com to either share documents within their organizations or to pass them to people outside their organizations—unaware that the data was being indexed by search engines . And many of the documents are still discoverable on the Google or Bing search engines , as they had been publicly indexed . That means that until the documents are unpublished from Docs.com , they will continue to be accessible to anyone who searches against the site . Microsoft had previously published a notice on security fixesVulnerability-related.PatchVulnerabilityto Docs.com for Office 365 administrators , advising them on how to control access by users to the service . `` Because Docs.com does not yet meet all of Office 365 compliance framework requirements , Office 365 and Azure Tenant administrators must 'opt-in ' to enable users with organizational accounts to use the service , '' the Microsoft Support document states . It 's not clear how recently that change was made ; Ars has reached out to Microsoft for further comment . Update 10:30 AM ET : This morning , Microsoft disabled some searched on Docs.com , and is blocking some incoming links to searches from Google . But additional documents were discoverable via Google search , including documents with health benefits information filled in
Back in August we wrote about a security bugfix for Mikrotik routers that was reverse engineered and turned into a working exploit . Indeed , patches that fixVulnerability-related.PatchVulnerabilitysecurity vulnerabilities often end up giving away enough about the vulnerability that both good guys and bad guys alike can weaponise it from first principles – all without having to figure out the vulnerability in the first place . In the August 2018 case , dubbed CVE-2018-14847 , a crook could trick an unpatched Microtik router into coughing up the contents of any file on the device , including the password file . Worse still , the password file included plaintext passwords , with no salting , hashing or stretching , meaning that a security bypass bug could be parlayed into a credential compromise . The perils of late patching What we didn ’ t know back then was that security researchers at Tenable had responsibly disclosedVulnerability-related.DiscoverVulnerabilityanother bunch of Mikrotik router bugs at about the same time . These bugs were serious – indeed , one of them allows a attacker to run any program of their choosing , just by making a web request to the router . This sort of hole is known , for rather obvious reasons , as an RCE , short for Remote Code Execution . Tenable ’ s bugs , however , were what ’ s known as “ authenticated vulnerabilities ” , meaning that you had to be logged in first in order to be able to exploit them . Security holes that require pre-authentication may seem harmless at first sight – after all , if you already have a username and password , or some other access token , that gives you access to a system… …well , you ’ re already in , so it sounds as though breaking in again can be dismissed as an irrelevancy . The good news is that Mikrotik has already patchedVulnerability-related.PatchVulnerabilityTenable ’ s now-disclosed bugs , dubbed CVE-2018-1156 , -1157 , -1158 and -1159 . Make sure you have the latest Mikrotik firmware updates , which are : 6.40.9 , 6.42.7 or 6.43 , depending on whether you ’ re using the current , previous or pre-previous version . If you ’ re a Mikrotik user , skipping the latest patch leaves you at risk , but if you still haven ’ t applied the previous patch , you ’ re in double trouble . With both patches missing , you ’ re open to an unauthenticated password disclosure bug that could then be chained with the newer authenticated remote code execution bug . In other words , instead of anyone being able to get some access , or some people being able to get full access , anyone could get full access by pivoting from CVE-2018-14847 to CVE-2018-1156 , the RCE flaw .
For years , researchers , hackers , and even some politicians h ave warned Vulnerability-related.DiscoverVulnerabilityabout stark vulnerabilities in a mobile data network called SS7 . These flaws allow attackers to listen to calls , i ntercept Attack.Databreachtext messages , and pinpoint a device 's location armed with just the target 's phone number . Taking advantage of these issues has typically been reserved for governments or surveillance contractors . But on Wednesday , German newspaper The Süddeutsche Zeitung reported that financially-motivated hackers had used those flaws to help d rain Attack.Databreachbank accounts . This is much bigger than a series of bank accounts though : it cements the fact that the SS7 network poses a threat to all of us , the general public . And it shows that companies and services across the world urgently need to move away from SMS-based authentication to protect customer accounts . `` I 'm not surprised that hackers take money that is 'lying on the table ' . I 'm just surprised that online bank thieves took so long in joining spying contractors in abusing the global SS7 network , '' Karsten Nohl , a cybersecurity researcher who h as highlighted Vulnerability-related.DiscoverVulnerabilityvulnerabilities in SS7 , told Motherboard in an email . In short , the issue with SS7 is that the network believes whatever you tell it . SS7 is especially used for data-roaming : when a phone user goes outside their own provider 's coverage , messages still need to get routed to them . But anyone with SS7 access , which can be purchased for around 1000 Euros according to The Süddeutsche Zeitung , can send a routing request , and the network may not authenticate where the message is coming from . That allows the attacker to direct a target 's text messages to another device , and , in the case of the bank accounts , s teal Attack.Databreachany codes needed to login or greenlight money transfers ( after the hackers o btained Attack.Databreachvictim passwords ) . Although some telcos have taken steps to m itigate Vulnerability-related.PatchVulnerabilitythe issue , there are clearly still huge gaps for hackers to exploit . `` Everyone 's accounts protected by text-based two-factor authentication , such as bank accounts , are potentially at risk until the FCC and telecom industry f ix Vulnerability-related.PatchVulnerabilitythe devastating SS7 security flaw , '' Lieu said in a statement published Wednesday . `` I urge the Republican-controlled Congress to hold immediate hearings on this issue . '' In the meantime , and maybe irrespective of whether SS7 problems are ever f ixed,Vulnerability-related.PatchVulnerabilitysocial media companies , banks , and other online services need to stop using SMS-based two-factor authentication . Last year the National Institute of Standards and Technology said it was no longer recommending solutions that used SMS . Twitter does let users sign in with a code from Google Authenticator , an app on your smartphone that provides a more robust form of two-factor authentication , but the site apparently still sends those logging in an SMS code , which , in light of these recent SS7 attacks , totally undermines the extra security protections . Twitter did not immediately respond to a request for comment . Motherboard even recently published a piece telling general readers that they were likely fine with only SMS-based two-factor authentication , which focused on another type of attack and was based on the premise that non-state hackers were not widely using SS7 . That piece , clearly , is out of date . `` It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security , '' Lieu 's statement added .
Researchers at cybersecurity company Check Point have today shared detailsVulnerability-related.DiscoverVulnerabilityof a vulnerability in DJI ’ s infrastructure that could have given hackers access to consumer and corporate user accounts , personal data , flight logs , photos , videos , and – if the user was flying with DJI ’ s FlightHub application – a live camera feed and map during missions . Check Point submitted a reportVulnerability-related.DiscoverVulnerabilityto DJI ’ s Bug Bounty Program , highlighting a process in which an attacker could have gained access to a user ’ s account through a vulnerability discoveredVulnerability-related.DiscoverVulnerabilityin the user identification process within DJI Forum . Check Point ’ s researchers foundVulnerability-related.DiscoverVulnerabilitythat DJI ’ s various platforms used a token to identify registered users across different aspects of the customer experience . Hackers could plant malicious links that would compromise accounts within that framework . In a blog post outlining their investigation , Check Point explained the process of a possible exploit : The vulnerability was accessed through DJI Forum , an online forum DJI runs for discussions about its products . A user who logged into DJI Forum , then clicked a specially-planted malicious link , could have had his or her login credentials stolenAttack.Databreachto allow access to other DJI online assets : DJI ’ s web platform ( account , store , forum ) Cloud server data synced from DJI ’ s GO or GO 4 pilot apps DJI ’ s FlightHub ( centralized drone operations management platform ) We notifiedVulnerability-related.DiscoverVulnerabilityDJI about this vulnerability in March 2018 and DJI respondedVulnerability-related.DiscoverVulnerabilityresponsibly . The vulnerability has since been patchedVulnerability-related.PatchVulnerability. DJI classifiedVulnerability-related.DiscoverVulnerabilitythis vulnerability as high risk but low probability , and indicated there is no evidence this vulnerability was ever exploitedVulnerability-related.DiscoverVulnerabilityby anyone other than Check Point researchers . Check Point even made a Mission Impossible-style trailer for their findings , which is… interesting .
Security biz Qualys has revealedVulnerability-related.DiscoverVulnerabilitythree vulnerabilities in a component of systemd , a system and service manager used in most major Linux distributions . Patches for the three flaws – CVE-2018-16864 , CVE-2018-16865 , and CVE-2018-16866 – should appear inVulnerability-related.PatchVulnerabilitydistro repos soon as a result of coordinated disclosure . However , Linux distributions such as Debian remain vulnerableVulnerability-related.DiscoverVulnerabilityat the moment , depending on the version you have installed . `` They 're awareVulnerability-related.DiscoverVulnerabilityof the issues and they 're releasingVulnerability-related.PatchVulnerabilitypatches , '' said Jimmy Graham , director of product management at Qualys , in a phone interview with The Register . `` I do n't believe Red Hat has releasedVulnerability-related.PatchVulnerabilityone but it should be coming shortly . '' The bugs were foundVulnerability-related.DiscoverVulnerabilityin systemd-journald , a part of systemd that handles the collection and storage of log data . The first two CVEs refer to memory corruption flaws while the third involves an out of bounds error that can leak data . CVE-2018-16864 can be exploitedVulnerability-related.DiscoverVulnerabilityby malware running on a Linux box , or a malicious logged-in user , to crash and potentially hijack the systemd-journald system service , elevating access from user to root . CVE-2018-16865 and CVE-2018-16866 can be exploitedVulnerability-related.DiscoverVulnerabilitytogether by a local attacker to crash or hijack the root-privileged journal service . While systemd is n't universally beloved in the Linux community , Graham sees nothing unusual about the presence of the three flaws in the software . `` The noteworthiness to me is that it is very commonly found in most major distributions , '' he said . Qualys contends all systemd-based Linux distros are vulnerableVulnerability-related.DiscoverVulnerability, though the vulnerabilities can not be exploitedVulnerability-related.DiscoverVulnerabilityin SUSE Linux Enterprise 15 , openSUSE Leap 15.0 , and Fedora 28 and 29 because their user-land code is compiled with GCC 's -fstack-clash-protection option . The security biz calls it a simplified stack clash – where the size of the stack gets changed to overlap with other memory areas – because it only requires the last two steps in a four step process : Clashing the stack with another memory region , moving the stack-pointer to the stack start , jumping over the stack guard-page into another memory region , and smashing the stack or memory space . The third bug , CVE-2018-16866 , appeared inVulnerability-related.DiscoverVulnerabilityJune 2015 ( systemd v221 ) and , Qualys says , was fixedVulnerability-related.PatchVulnerabilityinadvertently in August 2018 . In code where the flaw still existsVulnerability-related.DiscoverVulnerability, it could allow an attacker to read out of bounds information , resulting in information leakage . `` The risk [ of these issues ] is a local privilege escalation to root , '' said Graham . `` It 's something that should still be a concern because usually attackers do n't just use one vulnerability to comprise a system . They often chain vulnerabilities together . ''
Businesses that failed to update Windows-based computer systems that were hit by a massive cyber attack over the weekend could be sued over their lax cyber security , but Microsoft itself enjoys strong protection from lawsuits , legal experts said . The WannaCry worm has affected more than 200,000 Windows computers around the world since Friday , disruptingAttack.Ransomcar factories , global shipper FedEx Corp and Britain 's National Health Service , among others . The hacking tool spreads silently between computers , shutting them down by encrypting data and then demanding a ransomAttack.Ransomof US $ 300 to unlock them . According to Microsoft , computers affected by the ransomware did not have security patches for various Windows versions installed or were running Windows XP , which the company no longer supports . `` Using outdated versions of Windows that are no longer supported raises a lot of questions , '' said Christopher Dore , a lawyer specializing in digital privacy law at Edelson PC . `` It would arguably be knowingly negligent to let those systems stay in place. ” Businesses could face legal claims if they failed to deliver services because of the attack , said Edward McAndrew , a data privacy lawyer at Ballard Spahr . `` There is this stream of liability that flows from the ransomware attackAttack.Ransom, '' he said `` That 's liability to individuals , consumers and patients , '' WannaCry exploitsVulnerability-related.DiscoverVulnerabilitya vulnerability in older versions of Windows , including Windows 7 and Windows XP . Microsoft issuedVulnerability-related.PatchVulnerabilitya security update in March that stops WannaCry and other malware in Windows 7 . Over the weekend the company took the unusual step of releasingVulnerability-related.PatchVulnerabilitya similar patch for Windows XP , which the company announced in 2014 it would no longer support . Dore said companies that faced disruptions because they did not run the Microsoft update or because they were using older versions of Windows could face lawsuits if they publicly touted their cyber security . His law firm sued LinkedIn after a 2012 data breachAttack.Databreach, alleging individuals paid for premium accounts because the company falsely stated it had top-quality cyber security measures . LinkedIn settled for US $ 1.25 million in 2014 . But Scott Vernick , a data security lawyer at Fox Rothschild that represents companies , said he was sceptical that WannaCry would produce a flood of consumer lawsuits . He noted there was no indication the cyber attack had resulted in widespread disclosure of personal data . `` It isn ’ t clear that there has been a harm to consumers , '' he said . Vernick said businesses that failed to update their software could face scrutiny from the US Federal Trade Commission , which has previously sued companies for misrepresenting their data privacy measures . Microsoft itself is unlikely to face legal trouble over the flaw in Windows being exploitedVulnerability-related.DiscoverVulnerabilityby WannaCry , according to legal experts . When Microsoft sells software it does so through a licensing agreement that states the company is not liable for any security breaches , said Michael Scott , a professor at Southwestern Law School . Courts have consistently upheld those agreements , he said . Alex Abdo , a staff attorney at the Knight First Amendment Institute at Columbia University , said Microsoft and other software companies have strategically settled lawsuits that could lead to court rulings weakening their licensing agreements . `` This area of law has been stunted in its growth , '' he said . `` It is very difficult to hold software manufacturers accountable for flaws in their products . '' Also enjoying strong protection from liability over the cyber attack is the US National Security Agency , whose stolen hacking tool is believed to be the basis for WannaCry . The NSA did not immediately return a request for comment . Jonathan Zittrain , a professor specializing in internet law at Harvard Law School , said courts have frequently dismissed lawsuits against the agency on the grounds they might result in the disclosure of top secret information . On top of that , the NSA would likely be able to claim that it is shielded from liability under the doctrine of sovereign immunity , which says that the government can not be sued over carrying out its official duties . `` I doubt there can be any liability that stems back to the NSA , '' Dore said .
The FDA confirmedVulnerability-related.DiscoverVulnerabilitythat St.Jude Medical 's implantable cardiac devices have vulnerabilities that could allow a hacker to access a device . Once in , they could deplete the battery or administer incorrect pacing or shocks , the FDA said on Monday . The devices , like pacemakers and defibrillators , are used to monitor and control patients ' heart functions and prevent heart attacks . St. Jude has developedVulnerability-related.PatchVulnerabilitya software patch to fixVulnerability-related.PatchVulnerabilitythe vulnerabilities , and it will automatically be appliedVulnerability-related.PatchVulnerabilityto affected devices beginning Monday . To receive the patch , the Merlin @ home Transmitter must be plugged in and connected to the Merlin.net network . The FDA said patients can continue to use the devices , and no patients were harmed as a result of the vulnerabilities . Abbott Laboratories ( ABT ) , which recently acquired St. Jude in a deal worth $ 25 billion , said it has worked with the FDA and DHS to update and improve the security of the affected devices . `` Cybersecurity , including device security , is an industry-wide challenge and all implanted devices with remote monitoring haveVulnerability-related.DiscoverVulnerabilitypotential vulnerabilities , '' Candace Steele Flippin , a spokeswoman for Abbott , toldVulnerability-related.DiscoverVulnerabilityCNNMoney in an email . `` As we 've been doing for years , we will continue to actively address cybersecurity risks and potential vulnerabilities and enhance our systems . '' The FDA said hackers could control a device by accessing its transmitter . In August 2016 , Muddy Waters founder Carson Block published a report claiming St. Jude 's devices could be hacked and said he was shorting the stock . St. Jude said the claims were `` absolutely untrue , '' and in September , it filed a lawsuit against the firm . In a statement , Block said Monday 's announcement `` vindicates '' the firm 's research . `` It also reaffirms our belief that had we not gone public , St. Jude would not have remediated the vulnerabilities , '' Block said . `` Regardless , the announced fixesVulnerability-related.PatchVulnerabilitydo not appear to addressVulnerability-related.PatchVulnerabilitymany of the larger problems , including the existence of a universal code that could allow hackers to control the implants . '' The confirmation of St. Jude 's vulnerabilities is the latest reminder of how internet-connected devices can put health at risk . In December , the FDA published guidance for manufacturers on how to proactively address cybersecurity risks .
Sensitive information related to the United States Air Force has been found exposed publiclyAttack.Databreachon the internet , allowing anyone with a web connection to peruse them without authorisation and no need for a password . The discoveryVulnerability-related.DiscoverVulnerabilitywas made by security researchers at MacKeeper who said that they had foundVulnerability-related.DiscoverVulnerabilitygigabytes of files on an internet-connected backup drive that was not password-protected : The most shocking document was a spreadsheet of open investigations that included the name , rank , location , and a detailed description of the accusations . The investigations range from discrimination and sexual harassment to more serious claims . One example is an investigation into a Major General who is accused of accepting $ 50k a year from a sports commission that was supposedly funneled into the National Guard . As ZDNet reports , the names and addresses , ranks , and social security numbers of more than 4000 US Air Force officers were included in the stash of personal information . Further documents included phone numbers and contact information for workers and their spouses . Clearly some of the details exposedAttack.Databreachthrough the security lapse would be of value to foreign intelligence agencies and criminal gangs , and could lead to blackmail attempts or identity theft . What we don ’ t know is how long the information has been accessibleAttack.Databreachonline , and we also do not know if anyone other than the security researchers had managed to stumble acrossAttack.Databreachthe exposed information . But the truth of the matter is that we shouldn ’ t ever have to find ourselves in a question to ask such questions . Whenever you decide to store information on the internet , particularly sensitive data , you should be doing your utmost to ensure that you have minimised the risk of it falling into the wrong hands . That means always keeping your computer patchedVulnerability-related.PatchVulnerabilityand running an up-to-date anti-virus , using encryption , enabling passwords and ensuring that the password chosen is a strong one , turning on additional authentication checks such as two-step verification and restricting the range of trusted IP addresses from where users can login from
Microsoft has publishedVulnerability-related.PatchVulnerabilitya patch for an Outlook vulnerability first reportedVulnerability-related.DiscoverVulnerabilityin late 2016 , but the patch has been deemedVulnerability-related.PatchVulnerabilityincomplete and additional workarounds are needed , according to the security researcher who discoveredVulnerability-related.DiscoverVulnerabilityit . Yesterday 's April 2018 Patch Tuesday updates train included a fix for CVE-2018-0950 , a vulnerability in Microsoft Outlook discoveredVulnerability-related.DiscoverVulnerabilityby Will Dormann , a vulnerability analyst at the CERT Coordination Center ( CERT/CC ) . Outlook retrieves remote OLE content without prompting According to Dormann , the main problem with CVE-2018-0950 is that Microsoft Outlook will automatically render the content of remote OLE objects embedded inside rich formatted emails without prompting the user , something that Microsoft does in other Office apps such as Word , Excel , and PowerPoint . This leads to a slew of problems that come from automatically rendering OLE objects , a common attack vector for malware authors . Microsoft patches SMB attack vector only In a CERT/CC vulnerability note , Dormann says he notified Microsoft of Outlook 's propensity for loading OLE objects without alerting users in November 2016 . After almost 18 months , the company finally issuedVulnerability-related.PatchVulnerabilitya patch for the reported issue , but Dormann says the patch does not addressVulnerability-related.PatchVulnerabilitythe problem at the core of the issue . According to Microsoft , the CVE-2018-0950 patch deliveredVulnerability-related.PatchVulnerabilityyesterday only blocks Outlook from initiating SMB connections when previewing rich formatted emails . Dormann points out that Outlook still does not prompt user for permission to render OLE objects for email previews . Furthermore , the researcher also highlights that there are other ways of obtaining the NTLM hashes , such as embedding UNC links to SMB servers inside the email , links that Outlook will automatically make clickable . `` If a user clicks such a link , the impact will be the same as with this vulnerability , '' Dormann says . But even this incomplete patch is good news . This means that while Outlook will continue to render OLE objects inside email previews , at least these objects ca n't be used to steal NTLM hashes via SMB anymore . To avoid attackers from getting their hands on NTLM hashes via SMB altogether , the expert recommends that system administrators apply additional OS-level workarounds ,
According to web security firm Sucuri , who detectedVulnerability-related.DiscoverVulnerabilitythe attacks after details of the vulnerability became publicVulnerability-related.DiscoverVulnerabilitylast Monday , the attacks have been slowly growing , reaching almost 3,000 defacements per day . Attackers are exploiting a vulnerability in the WordPress REST API , which the WordPress team fixedVulnerability-related.PatchVulnerabilityalmost two weeks ago , but for which they published public detailsVulnerability-related.DiscoverVulnerabilitylast Monday . Exploiting the flaw is trivial , and according to Sucuri , a few public exploits have been published online since last week . Based on data collected from Sucuri 's honeypot test servers , four attackers have been busy in the past week trying to exploit the flaw . Since the attacks have been going on for some days , Google has already started to index some of these defacements . Sucuri 's CTO , Daniel Cid , expects to see professional defacers enter the fold , such as SEO spam groups that will utilize the vulnerability to post more complex content , such as links and images .
I get an alert on my phone from a news feed around critical vulnerability patches being releasedVulnerability-related.PatchVulnerabilityby SAP . Before I discussVulnerability-related.DiscoverVulnerabilitythe details of the latest two SAP HANA vulnerabilities and the potential business impact , let me take a moment to reiterateVulnerability-related.DiscoverVulnerabilitythat this is the most vulnerable period for any SAP customer with this critical flaw in their IT landscape . This period , which I call “ Hackers Busy Cracking , ” started this morning and will not end until affected clients across the globe applyVulnerability-related.PatchVulnerabilitythe patch from SAP . Onapsis Security Research Lab discoveredVulnerability-related.DiscoverVulnerabilitythese vulnerabilities but hasn ’ t published technical details yet . We do knowVulnerability-related.DiscoverVulnerabilitythat the vulnerability is in the user self-service functionality provided by SAP HANA and has been presentVulnerability-related.DiscoverVulnerabilitysince SPS09 of SAP HANA , which was released in 2014 . As the name suggests , the user self-service functionality enables users to perform maintenance and support activities for their accounts and for new users to register the accounts . For this functionality to be useful , it must be accessible from wherever the user population is , be it on internal or external networks . The second critical vulnerability revolves aroundVulnerability-related.DiscoverVulnerabilitysession fixation , which can allow an attacker to elevate privileges by impersonating another user in the system . The SAP HANA 2.0 SPS 00 version is affected byVulnerability-related.DiscoverVulnerabilitythis vulnerability . User self-service is a good example of technology that is a double-edged sword . It cuts costs associated with supporting a large user population and reduces the time taken to correct user issues , thus ensuring individuals spend more time as productive users . However , any unattended mechanism that allows modification of accounts without human intervention will always be an attractive target . According to the Onapsis reportVulnerability-related.DiscoverVulnerability, a combination of vulnerabilities can allow an attacker with remote access to the user self-service functionality to edit any account on the system , including activating previously deactivated accounts . The natural target for this attack would be the SYSTEM account present in all HANA deployments . The potential business impact of an attacker with access to the SYSTEM account is extraordinary . I strongly urge all SAP HANA customers to check their HANA version levels and make immediate plans to prioritize these updates . SAP customers who have already deployed active threat protection ( ATP ) controls or third-party products are one step ahead of zero-day threats . For the rest , look to invest in an active threat monitoring and detection solution — meaning a SAP-specific threat vector detection solution .