Intel has issuedVulnerability-related.PatchVulnerabilityfresh `` microcode revision guidance '' that reveals it won ’ t addressVulnerability-related.PatchVulnerabilitythe Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it 's too tricky to remove the Spectre v2 class of vulnerabilities . The new guidance , issued April 2 , adds a “ stopped ” status to Intel ’ s “ production status ” category in its array of available Meltdown and Spectre security updates . `` Stopped '' indicates there will be no microcode patch to kill offVulnerability-related.PatchVulnerabilityMeltdown and Spectre . The guidance explains that a chipset earns “ stopped ” status because , “ after a comprehensive investigation of the microarchitectures and microcode capabilities for these products , Intel has determined to not releaseVulnerability-related.PatchVulnerabilitymicrocode updates for these products for one or more reasons. ” Those reasons are given as : Micro-architectural characteristics that preclude a practical implementation of features mitigatingVulnerability-related.PatchVulnerability[ Spectre ] Variant 2 ( CVE-2017-5715 ) Limited Commercially Available System Software support Based on customer inputs , most of these products are implemented as “ closed systems ” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities . Thus , if a chip family falls under one of those categories – such as Intel ca n't easily fixVulnerability-related.PatchVulnerabilitySpectre v2 in the design , or customers do n't think the hardware will be exploitedVulnerability-related.DiscoverVulnerability– it gets a `` stopped '' sticker . To leverage the vulnerabilities , malware needs to be running on a system , so if the computer is totally closed off from the outside world , administrators may feel it 's not worth the hassle applying messy microcode , operating system , or application updates . `` Stopped '' CPUs that won ’ t therefore getVulnerability-related.PatchVulnerabilitya fix are in the Bloomfield , Bloomfield Xeon , Clarksfield , Gulftown , Harpertown Xeon C0 and E0 , Jasper Forest , Penryn/QC , SoFIA 3GR , Wolfdale , Wolfdale Xeon , Yorkfield , and Yorkfield Xeon families . The new list includes various Xeons , Core CPUs , Pentiums , Celerons , and Atoms – just about everything Intel makes . Most the CPUs listed above are oldies that went on sale between 2007 and 2011 , so it is likely few remain in normal use . There ’ s some good news in the tweaked guidance : the Arrandale , Clarkdale , Lynnfield , Nehalem , and Westmere families that were previously un-patchedVulnerability-related.PatchVulnerabilitynow have working fixes availableVulnerability-related.PatchVulnerabilityin production , apparently . “ We ’ ve now completed releaseVulnerability-related.PatchVulnerabilityof microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discoveredVulnerability-related.DiscoverVulnerabilityby Google Project Zero , '' an Intel spokesperson told The Reg . `` However , as indicated in our latest microcode revision guidance , we will not be providingVulnerability-related.PatchVulnerabilityupdated microcode for a select number of older platforms for several reasons , including limited ecosystem support and customer feedback. ” Now all Intel has to do is sort out a bunch of lawsuits , make sure future products don ’ t have similar problems , combat a revved-up-and-righteous AMD and Qualcomm in the data centre , find a way to get PC buyers interested in new kit again , and make sure it doesn ’ t flub emerging markets like IoT and 5G like it flubbed the billion-a-year mobile CPU market .
It was starting to feel like Intel was overdue for serious Management Engine ( ME ) vulnerabilities . But this week , researchers at Positive Technologies revealedVulnerability-related.DiscoverVulnerabilitya new security flaw in the subsystem that could let attackers compromise its MFS file system . Intel has releasedVulnerability-related.PatchVulnerabilityupdates to addressVulnerability-related.PatchVulnerabilitythe problem , though , so Intel CPU owners should make sure their firmware is up-to-date . ME has become a repeated source of problems for Intel and its customers . The utility is a chip-on-a-chip that allows IT managers to remotely access company PCs with tools like Intel 's Active Management Technology ( AMT ) . ME has its own network interface , memory , operating system and file system ( MFS ) that are kept separate from the main system in a bid to prevent it from allowing hackers to access ostensibly secure information . The problem is that researchers have discoveredVulnerability-related.DiscoverVulnerabilitynumerous vulnerabilities in ME over the last few years ; Positive Technologies revealedVulnerability-related.DiscoverVulnerabilityone in 2017 that allowed full takeover of ME via USB ( it 's since been fixedVulnerability-related.PatchVulnerability) . Now , it 's revealedVulnerability-related.DiscoverVulnerabilityanother one that allows someone with physical access to a system to compromise ME and `` manipulate the state of MFS and extract important secrets '' with the ability to `` add files , delete files and change their protection attributes . '' Positive Technologies said the attack can be used to learn four keys MFS uses to secure data -- the Intel Integrity Key , Non-Intel Integrity Key , Intel Confidentiality Key and Non-Intel Confidentiality Key -- that were supposed to be protected via a firmware update Intel releasedVulnerability-related.PatchVulnerabilityin 2017 . Positive Technologies explained how someone with physical access to the system could bypass that patch to compromise those keys in its blog post : `` Positive Technologies expert Dmitry Sklyarov discoveredVulnerability-related.DiscoverVulnerabilityvulnerability CVE-2018-3655 , described in advisory Intel-SA-00125 . He found that Non-Intel Keys are derived from two values : the SVN and the immutable non-Intel root secret , which is unique to each platform . By using an earlier vulnerability to enable the JTAG debugger , it was possible to obtain the latter value . Knowing the immutable root secret enables calculating the values of both Non-Intel Keys even in the newer firmware version . ... Attackers could calculate the Non-Intel Integrity Key and Non-Intel Confidentiality Key for firmware that has the updated SVN value and therefore compromise the MFS security mechanisms that rely on these keys . '' Intel releasedVulnerability-related.PatchVulnerabilitythe Intel-SA-00125 firmware update to defend against this vulnerability on September 11 . But this is another point in favor of companies questioning -- or outright banning -- the use of ME in their systems . Purism avoids ME and the services it enables in its privacy-focused Librem notebooks , Google is working to remove ME from the Intel processors it uses and previous security flaws have raised concerns among consumers .
A design flaw affectingVulnerability-related.DiscoverVulnerabilityall in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patchedVulnerability-related.PatchVulnerability. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication . In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers , according to Tencent ’ s Xuanwu Lab which is credited for first identifyingVulnerability-related.DiscoverVulnerabilitythe flaw earlier this year . “ During our research on this , we found all the in-display fingerprint sensor module suffer the same problem no matter where it was manufactured by whatever vendors , ” said Yang Yu , a researcher at Xuanwu Lab . “ This vulnerability is a design fault of in-display fingerprint sensors. ” Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors , said Yu . That includes current models of Huawei Technologies ’ Porsche Design Mate RS and Mate 20 Pro model phones . Yu said that many more cellphone manufacturers are impactedVulnerability-related.DiscoverVulnerabilityby the issue . However , Yu would not specify other impacted vendors or models : “ Vendors differ greatly in the attitude to security issues , someone have open attitudes , like Huawei , and in contrast , some vendors strongly hope us to keep the voice down on this , ” he told Threatpost . He noted Huawei has been forthcoming , issuingVulnerability-related.PatchVulnerabilitypatches to addressVulnerability-related.PatchVulnerabilitythe issue . Other phones that use the feature include Vivo Communication Technology ’ s V11 Pro , X21 and Nex ; and OnePlus ’ 6T and Xiaomi Mi 8 Explorer Edition phones . Vivo , OnePlus and Xiaomi did not respond to requests for comment from Threatpost . In-display fingerprint readers based on optical fingerprint imaging , experts believe , will soon replace conventional authentication based on capacitance-sensor fingerprint scanners . In-display readers allow for a user to place a finger on the screen of a smartphone where a scanner from behind the display can verify a fingerprint , authenticate the user and unlock the phone . Design-wise the feature allows phones to be sleeker and less cluttered , supporting infinity displays . Usability advantages include the ability to unlock the phone simply by placing your finger on the phone ’ s screen at any angle , whether it ’ s sitting on a table or in a car mount . The vulnerability , which Huawei issuedVulnerability-related.PatchVulnerabilitya patch ( CVE-2018-7929 ) for in September , can be exploitedVulnerability-related.DiscoverVulnerabilityin a matter of seconds , researchers said . In an exclusive interview with Threatpost on the flaw Yu said all an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil . By placing the reflective material over a residual fingerprint on the phone ’ s display the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint .
Cisco has patchedVulnerability-related.PatchVulnerabilitya set of severe vulnerabilities which could lead to remote code execution in the Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) . The security flaws , CVE-2018-15414 , CVE-2018-15421 , and CVE-2018-15422 , have been issuedVulnerability-related.DiscoverVulnerabilitya base score of 7.8 . According to the Cisco Product Security Incident Response Team ( PSIRT ) , the flaws could lead to `` an unauthenticated , remote attacker to execute arbitrary code on a targeted system . '' The Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) , available for Windows , Mac , and Linux machines is a component for recording meetings taking place in the Cisco Webex Meetings Suite sites , Cisco Webex Meetings Online sites , and Cisco Webex Meetings Server . In a security advisory posted this week , Cisco says that the following software is affected : Cisco Webex Meetings Suite ( WBS32 ) : Webex Network Recording Player versions prior to WBS32.15.10 ; Cisco Webex Meetings Suite ( WBS33 ) : Webex Network Recording Player versions prior to WBS33.3 ; Cisco Webex Meetings Online : Webex Network Recording Player versions prior to 1.3.37 ; Cisco Webex Meetings Server : Webex Network Recording Player versions prior to 3.0MR2 . According to Cisco , each operating system is vulnerableVulnerability-related.DiscoverVulnerabilityto at least one of the security flaws . The vulnerabilities are due to the improper invalidation of Webex recording files . If a victim opens a crafted , malicious file in the Cisco Webex Player -- potentially sent overAttack.Phishingemail as part of a spear phishing campaignAttack.Phishing-- the bugs are triggered , leading to exploit . TechRepublic : Cisco switch flaw led to attacks on critical infrastructure in several countries There are no workarounds to addressVulnerability-related.PatchVulnerabilitythese vulnerabilities . However , Cisco has developedVulnerability-related.PatchVulnerabilitypatches to automatically updateVulnerability-related.PatchVulnerabilityvulnerable software . It is recommended that users accept these updates as quickly as possible . The tech giant notes that some Cisco Webex Meetings builds might be at the end of their support cycles and wo n't receive these updates . In these cases , users should contact the company directly . CNET : Kansas City gets smarter thanks to Cisco and Sprint Alternatively , the ARF component is an add-on and can simply be uninstalled manually . A removal tool is has been made available . Cisco is not awareVulnerability-related.DiscoverVulnerabilityof any reports of any active exploits in the wild . Steven Seeley from Source Incite and Ziad Badawi , working together with the Trend Micro Zero Day Initiative , have been credited with finding and reportingVulnerability-related.DiscoverVulnerabilitythe bugs . In related news this week , Trend Micro 's Zero Day Initiative disclosedVulnerability-related.DiscoverVulnerabilitya Microsoft Jet zero-day vulnerability which was unpatchedVulnerability-related.PatchVulnerabilityat the point of public disclosureVulnerability-related.DiscoverVulnerability. If exploitedVulnerability-related.DiscoverVulnerability, the vulnerability permits attackers to remotely execute code on infected machines .
Adobe has posted an update to addressVulnerability-related.PatchVulnerability85 CVE-listed security vulnerabilities in Acrobat and Reader for both Windows and macOS . The PDF apps have receivedVulnerability-related.PatchVulnerabilitya major update that includes dozens of fixes for flaws that would allow for remote code execution attacks if exploitedVulnerability-related.DiscoverVulnerability. Other possible attacks include elevation of privilege flaws and information disclosure vulnerabilities . Fortunately , Adobe said that none of the bugs was currently being targeted in the wild - yet . For Mac and Windows Acrobat/Reader DC users , the fixes will be presentVulnerability-related.PatchVulnerabilityin versions 2019.008.20071 . For those using the older Acrobat and Reader 2017 versions , the fix will be labeledVulnerability-related.PatchVulnerability2017.011.30105 . Because PDF readers have become such a popular target for email and web-based malware attacks , users and admins alike would do well to test and install the updates as soon as possible . Exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone 's machine . In total , Adobe credited 19 different researchers with discoveringVulnerability-related.DiscoverVulnerabilityand reportingVulnerability-related.DiscoverVulnerabilitythe vulnerabilities . Among the more prolific bug hunters were Omri Herscovici of CheckPoint Software , who was credited for findingVulnerability-related.DiscoverVulnerabilityand reportingVulnerability-related.DiscoverVulnerability35 CVE-listed bugs , and Ke Liu and Tencent Security Xuanwu Lab , who was credited with findingVulnerability-related.DiscoverVulnerability11 of the patched Adobe vulnerabilities . Beihang University 's Lin Wang was given credit for nine vulnerabilities . While we 're on the subject of massive security updates , both users and admins will want to mark their calendars for a week from Tuesday . October 9 is slated to be this month 's edition of the scheduled 'Patch Tuesday ' monthly security update .
Foxit has patchedVulnerability-related.PatchVulnerabilitymore than 118 vulnerabilities in its PDF reader , some of which could be exploitedVulnerability-related.DiscoverVulnerabilityto enable full remote code execution . Patches were releasedVulnerability-related.PatchVulnerabilitylast week for Foxit Reader 9.3 and Foxit PhantomPDF 9.3 to addressVulnerability-related.PatchVulnerabilitya huge number of issues in the programs . This security bulletin released by Foxit provides details on the extensive list of vulnerabilities , which were discoveredVulnerability-related.DiscoverVulnerabilityvia internal research , end user reports , and reports from research teams . More than 118 issues were addressedVulnerability-related.PatchVulnerability, though there was some overlap , and so the number of actual bugs was lower . Vulnerable versions are 9.2.0.9297 and earlier , and only affectVulnerability-related.DiscoverVulnerabilityWindows users . A significant number of flaws were classed as ‘ critical ’ and could allow for remote code execution – 18 were reportedVulnerability-related.DiscoverVulnerabilityby Cisco Talos , all of which were dubbed high in severity . Several were use-after-free flaws , which allows memory to be accessed after it has been freed and can enable hackers to execute arbitrary code and take over the system . Cisco Talos wrote in a report : “ There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted , malicious PDF or , if the browser plugin is enabled , the user could trigger the exploit by viewing the document in a web browser. ” Foxit told The Daily Swig that its programs were embedded with security features designed to protect its users from malicious actors . These include a ‘ Safe Mode ’ , which “ prevents suspicious external commands to be executed by Foxit Reader ” , and the option to disable JavaScript . The company also urged its users to update to the latest version . A spokesperson told The Daily Swig : “ Overall , Foxit Reader has had over 525 million downloads , but obviously they are not all active users on the latest release . “ In Foxit Reader , we have a Safe Mode which prevents suspicious external commands to be executed by Foxit Reader . Therefore , we don ’ t know how many folks are running without Safe Mode enabled. ” However , this security feature was bypassed not just once , but twice , by researchers last year . Foxit added : “ For a number of reasons , including bug fixesVulnerability-related.PatchVulnerability, we always advise users to download and install the latest release . Also , run the product in Safe Mode whenever possible . ”
Oracle has releasedVulnerability-related.PatchVulnerabilitya wide-ranging security update to addressVulnerability-related.PatchVulnerabilitymore than 300 CVE-listed vulnerabilities in its various enterprise products . The October release covers the gamut of Oracle 's offerings , including its flagship Database , E-Business Suite , and Fusion Middleware packages . For Database , the update addressesVulnerability-related.PatchVulnerabilitya total of three flaws . Two of the vulnerabilities ( CVE-2018-3259 and CVE-2018-3299 ) can be remotely exploitedVulnerability-related.DiscoverVulnerabilitywithout authentication , while the third , CVE-2018-7489 , would require the user to have a Rapid Home Provisioning account to execute and is considered by far the least severe of the three . Oracle notedVulnerability-related.DiscoverVulnerabilitythat all three bugs only impactVulnerability-related.DiscoverVulnerabilitythe server versions of Database , user clients are not considered to be vulnerableVulnerability-related.DiscoverVulnerability. For Fusion Middleware , the update will include a total of 56 CVE-listed flaws , including 12 that are remotely exploitable with CVSS base scores of 9.8 , meaning an exploit would be fairly easy to pull off and offer near total control of the target machine . Of those 12 , five were for critical flaws in WebLogic Server . Java SE will getVulnerability-related.PatchVulnerability12 security fixes , with all but one being for remotely exploitable vulnerabilities in that platform . Oracle notesVulnerability-related.DiscoverVulnerabilitythat though the CVSS scores for the flaws are fairly high , Solaris and Linux machines running software with lower user privileges will be considered to be at a lower risk than Windows environments that typically operate with admin privileges . MySQL was the target of 38 CVE-listed bug fixes this month , through just three of those are remotely exploitable . The two most serious , CVE-2018-11776 and CVE-2018-8014 , concern remote code flaws in MySQL Enterprise Monitor . PeopleSoft will see 24 bug fixes , 21 of which can be remotely targeted and seven that would not require any user interaction . Just one of the 24 flaws was given a CVSS base score higher than 7.2. in the Oracle listing . Sun products were the subject of 19 security fixes , including two remote code execution flaws in XCP Firmware . libssh bug more like `` oh SSH… '' Once admins getVulnerability-related.PatchVulnerabilitythe Oracle patches in place , they will want to take a close look at the write-up for CVE-2018-10933 , an authentication bypass for libssh that would allow an attacker to get into a target machine by sending a `` SSH2_MSG_USERAUTH_SUCCESS '' message when it expects a `` SSH2_MSG_USERAUTH_REQUEST '' message . That means any miscreant can log in without a password or other credential . As you can imagine , this is a very bad thing . Fortunately , the bug does not affect OpenSSH – and thus does not affect the hugely widespread sshd and ssh tools – but rather applications , such as KDE and XMBC , that use libssh as a dependency .
Thunderbird has pushedVulnerability-related.PatchVulnerabilitycode with fixes for a dozen security vulnerabilities – including the EFAIL encryption mess that emerged in May . The EFAIL-specific fixes addressVulnerability-related.PatchVulnerabilitytwo errors in Thunderbird 's handling of encrypted messages : CVE-2018-12372 , in which an attacker can build S/MIME and PGP decryption oracles in HTML messages ; and CVE-2018-12373 , in which S/MIME plaintext can be leaked if a message is forwarded . EFAIL was announced with a much-criticised process . The discoverers emphasised the issue 's exploitability to read messages encrypted with PGP and S/MIME – but the vulnerabilities were specific to client implementations . Thunderbird users will therefore welcome news that the client has joined the list of EFAIL-safe email tools . Thunderbird 52.9 also includes some critical-rated fixes . CVE-2018-12359 was a buffer overflow leading to a potentially exploitable crash : “ A buffer overflow can occur when rendering canvas content while adjusting the height and width of the < canvas > element dynamically , causing data to be written outside of the currently computed boundaries. ” The other , CVE-2018-12360 , is a use-after-free , also with a potentially exploitable crash : “ A use-after-free vulnerability can occur when deleting an input element during a mutation event handler triggered by focusing that element. ” Security researcher Matt Nelson noticed that under Windows 10 , users were n't getting warned when they were opening executable SettingContent-ms files ( CVE-2018-12368 ) . That bug meant “ unsuspecting users unfamiliar with this new file type might run an unwanted executable . This also allows a WebExtension with the limited downloads.open permission to execute arbitrary code without user interaction on Windows 10 systems ” . Thunderbird also inherited some memory safety bugs from the Firefox code base . The program 's developers noted that many of the bugs are n't directly exploitable in the e-mail client ( scripting is disabled when you 're reading messages ) , but “ are potentially risks in browser or browser-like contexts ” .
Facebook discoveredVulnerability-related.DiscoverVulnerabilitya security issue that allowed hackers to access information that could have let them take over around 50 million accounts , the company announcedVulnerability-related.DiscoverVulnerabilityon Friday . Following the disclosure , shares of Facebook extended midday losses and ended trading 2.5 percent down . `` This is a very serious security issue , and we 're taking it very seriously , '' said CEO Mark Zuckerberg on a call with reporters . Facebook shares , which were already down about 1.5 percent before the announcement , extended losses after the disclosure and ended down 2.6 percent . The company said in a blog post that its engineering team found on Tuesday that attackers identified a weakness in Facebook 's code regarding its `` View As '' feature . Facebook became aware of a potential attack after it noticed a spike in user activity on September 16 . `` View As '' lets users see what their profile looks like to other users on the platform . This vulnerability , which consisted of three separate bugs , also allowed the hackers to get access tokens — digital keys which let people stay logged into the service without having to re-enter their password — which could be used to control other people 's accounts . Almost 50 million accounts had their access tokens taken , and Facebook has reset those tokens . The company also reset tokens for an additional 40 million accounts who used the `` View As '' feature in the last year as a precautionary measure , for a total of 90 million accounts . Facebook had 2.23 billion monthly active users as of June 30 . The reset will require these users to re-enter their password when they return to Facebook or access an app that uses Facebook Login . They will also receive a notification at the top of their News Feed explaining what happened . In addition , the company suspended the `` View As '' feature while it reviews its security . Facebook said it fixedVulnerability-related.PatchVulnerabilitythe issue on Thursday night and has notified law enforcement including the FBI and the Irish Data Protection Commission in order to any addressVulnerability-related.PatchVulnerabilityGeneral Data Protection Regulation ( GDPR ) issues . Facebook said it has just begun its investigation and has not determined if any information was misused , but the initial investigation has not uncovered any information abuse . The hackers did query Facebook 's API system , which lets applications communicate with the platform , to get more user information . The company is not sure if the hackers used that data , nor does it know who orchestrated the hack or where the person or people are based . The company said there is no need to change passwords . If additional accounts are affected , Facebook said it will immediately reset those users ' access tokens . Facebook is doubling the number of employees who are working to improve security from 10,000 to 20,000 , the company reiterated . `` Security is an arms race , and we 're continuing to improve our defenses , '' Zuckerberg said . `` This just underscores there are constant attacks from people who are trying to underscore accounts in our community . ''
Admins can now grab Cisco 's updates for 13 high-severity flaws affectingVulnerability-related.DiscoverVulnerabilitygear that uses its IOS and IOS XE networking software . All the bugs have been rated as having a high security impact because they could be used to gain elevated privileges or jam a device with denial-of-service ( DoS ) attacks . The company also has fixes availableVulnerability-related.PatchVulnerabilityfor 11 more flaws outlined in 10 advisories with a medium-severity rating , most of which also addressVulnerability-related.PatchVulnerabilityissues in IOS and IOS XE , the Linux-based train of Cisco 's popular networking operating system . The updates for the 13 high-severity IOS and IOS XE flaws are part of Cisco 's scheduled twice-yearly patch bundle for this software targeted for September . The company reportedVulnerability-related.DiscoverVulnerabilitythis week that some IOS XE releases were among 88 Cisco products vulnerable to the DoS attack on Linux systems known as FragmentSmack . And earlier this month it pluggedVulnerability-related.PatchVulnerabilitya critical hard-coded password bug in its video surveillance software . None of the flaws in the latest advisory is known to have been used in attacks and Cisco is n't aware of any public disclosures . Some of the higher severity flaws include a DoS flaw affectingVulnerability-related.DiscoverVulnerabilitythe IOS XE Web UI , which could allow a remote attacker to trigger a reload of the device by sending special HTTP requests to the UI . An unauthenticated attacker could exploit this bug in IOS XE releases prior to 16.2.2 , while 16.2.2 and later require authentication . Another DoS flaw is rooted in the IPsec driver code of multiple Cisco IOS XE platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance ( ASA ) . The buggy code improperly processes malformed IPsec Authentication Header ( AH ) or Encapsulating Security Payload ( ESP ) packets . `` An attacker can exploit this vulnerability by using a crafted ESP or AH packet that meets several other conditions , such as matching the IPsec SA SPI and being within the correct sequence window , '' notes Cisco . This flaw affectsVulnerability-related.DiscoverVulnerabilitysix ASR 1000 Series Aggregation Services Routers , and two 4000 Series Integrated Routers . Cisco notesVulnerability-related.DiscoverVulnerabilitythat its software is affectedVulnerability-related.DiscoverVulnerabilityif the system has been modified from its default state and configured to terminate IPsec VPN connections , such as LAN-to-LAN VPN , and remote access VPN , but not SSL VPN .
Global software industry advocate BSA | The Software Alliance is warning Australian organisations to be mindful of the security risks involved with using unlicensed software after it settled with a record number of infringement settlements last year . A total of 28 case settlements for the use of unlicensed software occurred in 2017 – twice the amount in 2016 . The 28 settlements were worth more than $ 347,000 in damages against businesses across Australia . BSA warns that with the Notifiable Data BreachesAttack.Databreachlegislation now in effect , this is a good time for organisations to consider the risks unlicensed software bring to their business . “ Businesses need to remember that unlicensed software , or software downloaded from an unknown source , may contain malware which puts an organisation and its customers at significant risk of becoming the victim of a data breachAttack.Databreach, ” comments BSA APAC ’ s director of compliance programs , Gary Gan . “ Without properly licensed software , organisations don ’ t receiveVulnerability-related.PatchVulnerabilitypatch updates which strengthen the software ’ s security and addressVulnerability-related.PatchVulnerabilityvulnerabilities , which otherwise would leave the business exposed. ” One of the 28 settlements involved a Western Australia-based energy company that was found using unlicensed software . The settlement amounted to more than $ 40,000 . Every business caught using unlicensed software had to purchase genuine software licenses for ongoing use on top of the copyright infringement damages . “ It ’ s especially important that organisations are ensuring they ’ re doing all they can to protect their data given the recent introduction of NDB legislation . In order to stay on top of their software licensing , businesses should consider investing in SAM tools . The potential consequences faced by businesses that are found to be using unlicensed software far outweighs the cost of investment into SAM , something that all businesses should be considering , ” Gan continues . The BSA continues to clamp down on unlawful use of its members ’ software . Members include Adobe , Apple , IBM , Microsoft , Okta , Oracle , Symantec , Trend Micro and Workday , amongst others . BSA offers up to $ 20,000 to eligible recipients who disclose accurate information regarding unlawful copying or use of BSA members ’ software . Potential recipients must provide assistance and evidence to support the information , as may be required by the BSA ’ s legal advisers , in connection with any claim or legal proceedings initiated by the BSA members . BSA says it remains committed to its role in raising awareness of the risks to businesses when using unlicensed software and the damaging effects that software piracy has on the Australian IT industry .
While combing through WikiLeaks’ Vault 7 data dumpAttack.Databreach, Cisco has unearthedVulnerability-related.DiscoverVulnerabilitya critical vulnerability affecting 300+ of its switches and one gateway that could be exploitedVulnerability-related.DiscoverVulnerabilityto take over the devices . The flaw is presentVulnerability-related.DiscoverVulnerabilityin the Cisco Cluster Management Protocol ( CMP ) processing code in Cisco IOS and Cisco IOS XE Software . “ The vulnerability is due to the combination of two factors : the failure to restrict the use of CMP-specific Telnet options only to internal , local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device , and the incorrect processing of malformed CMP-specific Telnet options , ” Cisco explained . An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device ” . The extensive and complete list of affected devices is provided in the security advisory . Cisco says that they are not aware of any public announcements or active malicious use of the vulnerability , and that they will provideVulnerability-related.PatchVulnerabilityfree software updates to addressVulnerability-related.PatchVulnerabilityit ( they don ’ t say when ) . In the meantime , users can mitigate the risk by disabling the Telnet protocol and switching to using SSH . If that ’ s not possible , they can reduce the attack surface by implementing infrastructure access control lists . It also includes indicators of compromise that can be used to detect exploitation attempts
A malvertising campaign is targeting iOS devices with a VPN that does n't hide the fact it collectsAttack.Databreachlarge quantities of users ' information . It also employs the aggressive tactic of playing a high-pitch beeping . To help addressVulnerability-related.PatchVulnerabilitythe `` issues '' the site provides a link to a program called `` My Mobile Secure . '' `` We have detected that your Mobile Safari is ( 45.4 % ) DAMAGED by BROWSER TROJAN VIRUSES picked up while surfing recent corrupted sites . When someone clicks `` Remove Virus , '' their device presents an installation prompt for a VPN called `` My Mobile Secure . '' My Mobile Secure is linked by users ' emails to MobileXpression , a market firm which seeks to study web behavior by collectingAttack.Databreachusers ' information . If the intent is to use a VPN to anonymize your online activities , this does almost the opposite . '' It 's reasonable to expect nothing more from a malvertising campaign . With that said , users should take great care to not click on suspicious ads and should consider installing an ad-blocker in their web browsers . They should also consider downloading a VPN , but they should make sure to research VPN providers and their privacy policies carefully before they choose a solution .
SEATTLE — When malicious software first became a serious problem on the internet about 15 years ago , most people agreed that the biggest villain , after the authors of the damaging code , was Microsoft . As a new cyberattack continues to sweep across the globe , the company is once again at the center of the debate over who is to blame for a vicious strain of malware demanding ransomAttack.Ransomfrom victims in exchange for the unlocking of their digital files . This time , though , Microsoft believes others should share responsibility for the attack , an assault that targeted flaws in the Windows operating system . On Sunday , Brad Smith , Microsoft ’ s president and chief legal officer , wrote a blog post describing the company ’ s efforts to stop the ransomware ’ s spread , including an unusual step it took to releaseVulnerability-related.PatchVulnerabilitya security update for versions of Windows that Microsoft no longer supports . Mr. Smith wrote , “ As a technology company , we at Microsoft have the first responsibility to addressVulnerability-related.PatchVulnerabilitythese issues. ” He went on , though , to emphasize that the attack had demonstrated the “ degree to which cybersecurity has become a shared responsibility between tech companies and customers , ” the latter of whom must update their systems if they want to be protected . He also pointed his finger at intelligence services , since the latest vulnerability appeared to have been leaked from the National Security Agency . On Monday , a Microsoft spokesman declined to comment beyond Mr. Smith ’ s post . Microsoft has recognized the risk that cybersecurity poses to it since about 2002 , when Bill Gates , the former chief executive , issued a call to arms inside the company after a wave of malicious software began infecting Windows PCs connected to the internet . “ As software has become ever more complex , interdependent and interconnected , our reputation as a company has in turn become more vulnerable , ” Mr. Gates wrote in an email to employees identifying trustworthy computing as Microsoft ’ s top priority . “ Flaws in a single Microsoft product , service or policy not only affectVulnerability-related.DiscoverVulnerabilitythe quality of our platform and services overall , but also our customers ’ view of us as a company. ” Since then , the company has poured billions of dollars into security initiatives , employing more than 3,500 engineers dedicated to security . In March , it releasedVulnerability-related.PatchVulnerabilitya software patch that addressedVulnerability-related.PatchVulnerabilitythe vulnerability exploited by the ransomware , known as WannaCry , protecting systems such as Windows 10 , its latest operating system . Yet security flaws in older editions of Windows persist . The company no longer providesVulnerability-related.PatchVulnerabilityregular software updates to Windows XP , a version first released in 2001 , unless customers pay for “ custom support , ” a practice some observers believe has put users at risk . Late Friday , Microsoft took the unusual step of making patchesVulnerability-related.PatchVulnerabilitythat protect older systems against WannaCry , including Windows XP , free . “ Companies like Microsoft should discard the idea that they can abandon people using older software , ” Zeynep Tufekci , an associate professor at the school of information and library science at the University of North Carolina , wrote in a New York Times opinion piece over the weekend . “ The money they made from these customers hasn ’ t expired ; neither has their responsibility to fix defects. ” But security experts challenged that argument , saying that Microsoft could not be expected to keep updating old software products indefinitely . ProvidingVulnerability-related.PatchVulnerabilityupdates to older systems could make computers more insecure by removing an incentive for users to modernize , Mikko Hypponen , the chief research officer of F-Secure , a security firm . “ I can understand why they issuedVulnerability-related.PatchVulnerabilityan emergency patch for XP after WannaCry was found , but in general , we should just let XP die , ” Mr. Hypponen said .
The big security issue of the week is a remote code execution hole related to the Cisco WebEx service . WebEx is a popular collaboration tool for online events such as meetings , webinars and videoconferences . Like many services of this sort , you access online events via your browser , augmented by a special-purpose browser extension . Browser extensions and plugins allow web developers to extend the software features inside your browser with a mixture of scripts and program code , for example to add configuration options or to support new audio and video formats . Of course , when you add another layer of programmatic complexity on top of an already-complex browser , it ’ s easy to add new security holes , too . Perhaps the best known example of a problematic plugin is Adobe Flash , which has provided cybercrooks with such a fruitful source of exploitable security holes over the years that we have long been urging you to try to live without Flash altogether . The latest security scareVulnerability-related.DiscoverVulnerabilityof this sort has been dubbed CVE-2017-3823 , and it applies to Cisco ’ s special-purpose WebEx browser extension . In oher words , if your organisation uses WebEx , you probably have the browser extension installed , and if you have it installed , you may be at risk . According to Tavis Ormandy at Google ’ s Project Zero , who discoveredVulnerability-related.DiscoverVulnerabilityand documentedVulnerability-related.DiscoverVulnerabilitythe bug , there are more than 20 million WebEx users worldwide . According to Cisco , Internet Explorer , Chrome and Firefox on Windows are affected . Microsoft Edge on Windows and all browsers on Mac and Linux are safe . The most recent update for Chrome is Cisco WebEx extension 1.0.7 . Cisco published a notification about this update at 2017-01-26T19:45Z , having issued and then withdrawn 1.0.3 and then 1.0.5 earlier this week after deeming them “ incomplete ” . However , at 2017-01-26T19:45Z , Cisco ’ s official Security Advisory page says : Cisco is currently developingVulnerability-related.PatchVulnerabilityupdates that addressVulnerability-related.PatchVulnerabilitythis vulnerability for Firefox and Internet Explorer . There are no workarounds that address this vulnerability . Using Microsoft Edge on Windows or any browser on Mac or Linux will shield you from this bug because it doesn ’ t apply on those platforms . You can also turn off WebEx support in your browser temporarily , thus preventing the Cisco extension or add-on from activating unexpectedly .
The Equifax data breachAttack.Databreachin which millions of Americans had their personal details stolenAttack.Databreachmay have been carried out by a foreign government in a bid to recruit U.S. spies , experts believe . Hackers tookAttack.Databreachaddresses , dates of birth , Social Security details and credit card numbers from 148million people when they targeted the credit ratings giant Equifax in 2017 . But the stolen data has not appeared on any 'dark web ' sites which sell personal information for sinister use , analysts have said . The data 's apparent disappearance has led some experts to conclude that it is in the hands of a foreign government , CNBC reported . One analyst told the channel : 'We are all working to be able to consistently determine whether this data is out there and whether it has ever been out there . And at this time there has been absolutely no indication , whatsoever , that the data has been disclosed , that it has been used or that it has been offered for sale . Another ex-intelligence worker said personal data could be used by foreign governments to identify powerful people who were having financial problems . Those people would be prime targets for a bribe or might be attracted by a job offer , he said . It has also been suggested that the criminals who stoleAttack.Databreachthe data feared detection if they sold it online and have kept it to themselves to avoid capture . Equifax , one of America 's three leading consumer reporting agencies , announced the huge data hackAttack.Databreachin September 2017 and its CEO Richard Smith resigned later that month . They initially said 143million people had been affected but the number eventually grew to 148million , equivalent to nearly half the U.S. population . The hackers targeted the company for 76 days until the attack was spotted , according to a congressional report . Hackers gained accessAttack.Databreachto 48 databases between May 13 and July 29 when Equifax noticed the intrusion , the report said . Last year the firm admitted that passport images and information had also been stolenAttack.Databreach. The U.S. House committee which investigated the breach said the firm had 'failed to fully appreciate and mitigate its cybersecurity risks ' . 'Had the company taken action to addressVulnerability-related.PatchVulnerabilityits observable security issues prior to this cyberattack , the data breachAttack.Databreachcould have been prevented , ' the committee 's report said .
A series of remotely exploitable vulnerabilities exist inVulnerability-related.DiscoverVulnerabilitya popular web-based SCADA system made by Honeywell that make it easy to expose passwords and in turn , give attackers a foothold into the vulnerable network . The flaws exist inVulnerability-related.DiscoverVulnerabilitysome versions of Honeywell ’ s XL Web II controllers , systems deployed across the critical infrastructure sector , including wastewater , energy , and manufacturing companies . An advisory from the Department of Homeland Security ’ s Industrial Control Systems Cyber Emergency Response Team ( ICS-CERT ) warned aboutVulnerability-related.DiscoverVulnerabilitythe vulnerabilities Thursday . The company has developed a fix , version 3.04.05.05 , to addressVulnerability-related.PatchVulnerabilitythe issues but users have to call their local Honeywell Building Solutions branch to receiveVulnerability-related.PatchVulnerabilitythe update , according to the company . The controllers suffer from five vulnerabilities in total but the scariest one might be the fact that passwords for the controllers are stored in clear text . Furthermore , if attackers wanted to , they could discloseAttack.Databreachthat password simply by accessing a particular URL . An attacker could also carry out a path traversal attack by accessing a specific URL , open and change some parameters by accessing a particular URL , or establish a new user session . The problem with starting a new user session is that the controllers didn ’ t invalidate any existing session identifier , something that could have made it easier for an attacker to steal any active authenticated sessions . Maxim Rupp , an independent security researcher based in Germany , dug upVulnerability-related.DiscoverVulnerabilitythe bugs and teased them on Twitter at the beginning of January . Rupp has identifiedVulnerability-related.DiscoverVulnerabilitybugs in Honeywell equipment before . Two years ago he discoveredVulnerability-related.DiscoverVulnerabilitya pair of vulnerabilities in Tuxedo Touch , a home automation controller made by the company , that could have let an attacker unlock a house ’ s doors or modify its climate controls . It ’ s unclear how widespread the usage of Honeywell ’ s XL Web II controllers is . While Honeywell is a US-based company , according to ICS-CERT ’ s advisory the majority of the affected products are used in Europe and the Middle East . When reached on Friday , a spokesperson for Honeywell confirmed that the affected controllers are used in Europe and the Middle East . The company also stressed that the vulnerabilities were patchedVulnerability-related.PatchVulnerabilityin September 2016 after they were reportedVulnerability-related.DiscoverVulnerabilityin August .
The problems arise fromVulnerability-related.DiscoverVulnerabilitythe way Java and Python ( through the urllib2 library in Python 2 and urllib library in Python 3 ) handle FTP links , which allow the attacker to inject newline ( CRLF ) characters inside the URL , making the Java and Python code think some parts of the URL are new commands . This leads to a flaw that security researchers callVulnerability-related.DiscoverVulnerability`` protocol injection . '' The FTP protocol injection issue was first detailedVulnerability-related.DiscoverVulnerabilityby Russian security lab ONsec in 2014 , but never got the public attention it needed . Two recent reportsVulnerability-related.DiscoverVulnerabilityhave raisedVulnerability-related.DiscoverVulnerabilitythe profile of this flaw , describing two new exploitation scenarios . Security researcher Alexander Klink detailedVulnerability-related.DiscoverVulnerabilityon his blog how the FTP protocol injection flaw could be used to send emails using Java 's FTP URL handler . Two days later , Timothy Morgan of Blindspot Security came forward and presentedVulnerability-related.DiscoverVulnerabilitya more ominious exploitation scenario where the FTP URL handlers in Java and Python could be used to bypass firewalls . Morgan also revealedVulnerability-related.DiscoverVulnerabilitythat his company informedVulnerability-related.DiscoverVulnerabilityboth the Python team ( in January 2016 ) and Oracle ( in November 2016 ) about the FTP protocol injection flaw , but neither have issued updates to addressVulnerability-related.PatchVulnerabilitythe reported problem . At the heart of the FTP protocol injection attack resides an older issue in the FTP protocol itself , which is classic mode FTP . The classic mode FTP is an older mechanism that governs how FTP clients and servers interact , which was proved to be insecure in issue # 60 of the Phrack hacking magazine and later detailed in more depth by Florian Weimer . Classic mode FTP has been replaced by a more secure method of client-server FTP interactions known as passive mode FTP . Nevertheless , most firewall products support classic mode FTP connections .