THAT UN-PATCHABLE FLAW in the Nintendo Switch ? Yeah , the Japanese gaming firm has only gone and fixed Vulnerability-related.PatchVulnerability it , according to console hacker Michael . Michael , who goes by the Twitter handle @ SciresM , tweeted that it 's bad news for console hackers and Nintendo is pushing out Vulnerability-related.PatchVulnerability new console models with a fix that stops tech-savvy folks from messing around with the software that the hybrid games console can boot with . The flaw was thought to be un-patchable as it affected Vulnerability-related.DiscoverVulnerability the Nvidia Tegra X1 chip that sits at the heart of the console . But Nintendo hates piracy more than most games firms , and as such , will release new versions of the Switch that do n't have the silicon-level flaw in them . The patch involves using a system called ‘ iPatches ' which updates Vulnerability-related.PatchVulnerability parts of the code applying to the Tegra X1 's fuses which plugs Vulnerability-related.PatchVulnerability the boot hacking exploit . Current consoles out in the wild will still be vulnerable Vulnerability-related.DiscoverVulnerability due to the patch needing to be applied Vulnerability-related.PatchVulnerability at a hardware level , but new models wo n't be susceptible to the hack . But there 's a bit of an odd situation here , as the new consoles will come running 4.1.0 versions of the Switch firmware ; the latest Switch firmware is 5.1.0 . So while the new Switchers will come off the production line immune to the Tegra X1 exploit , they will still be vulnerable Vulnerability-related.DiscoverVulnerability to other hacking techniques . With this in mind , Michael advises that people keen to crack into their Switch consoles should not apply Vulnerability-related.PatchVulnerability any updates , as the older version of the console 's firmware is the easier it 's to hack . So while the un-patchable flaw may have been fixed Vulnerability-related.PatchVulnerability the current iteration of the Switch is still no un-hackable . Not that hacking the Switch is a good idea if you want to run pirated games , as Nintendo takes a very dim view of that and cracks down so hard on pirates that it 'll permanently ban any console caught with bootlegged software from its online network . With The Legend of Zelda : Breath of the Wild and Mario Odyssey alone there are tens of hours of gaming to be had on the Switch . let along all the stuff that 's incoming and the suite of indie titles the console supports . So if you desperately need to hack the Switch to play more games , perhaps it 's time to take a break from gaming and go out into the sun ; we hear the UK is lovely at the moment .

Adobe on Wednesday released Vulnerability-related.PatchVulnerability several unscheduled fixes for Flash Player , including a critical vulnerability that it said is being exploited Vulnerability-related.DiscoverVulnerability in the wild . The critical vulnerability , CVE-2018-15982 , is a use-after-free flaw enabling arbitrary code-execution in Flash . “ Adobe has released Vulnerability-related.PatchVulnerability security updates for Adobe Flash Player for Windows , macOS , Linux and Chrome OS , ” Adobe said in its release Vulnerability-related.PatchVulnerability . “ These updates address Vulnerability-related.PatchVulnerability one critical vulnerability in Adobe Flash Player and one important vulnerability in Adobe Flash Player installer . Successful exploitation could lead to arbitrary code-execution and privilege-escalation in the context of the current user respectively. ” The flaw was discovered Vulnerability-related.DiscoverVulnerability by Chenming Xu and Ed Miles of Gigamon ATR . Researchers also outlined Vulnerability-related.DiscoverVulnerability the further technical details about the exploit of the vulnerability . Impacted Vulnerability-related.DiscoverVulnerability is Adobe Flash Player Desktop Runtime , Adobe Flash Player for Google Chrome ; Adobe Flash Player for Microsoft Edge and Internet Explorer 11 ; all for versions 31.0.0.153 and earlier . Adobe Flash Player Installer versions 31.0.0.108 and earlier is also affected Vulnerability-related.DiscoverVulnerability . Users of these impacted products can update Vulnerability-related.PatchVulnerability to version 32.0.0.101 , according to Adobe . Users of Adobe Flash Player Installer can update Vulnerability-related.PatchVulnerability to version 31.0.0.122 . Adobe also patched Vulnerability-related.PatchVulnerability an important-rated insecure library loading ( via DLL hijacking ) vulnerability , CVE-2018-15983 , that could lead to privilege escalation via Adobe Flash . This is only the latest exploit to hit Adobe Flash – earlier in June , a zero-day Flash vulnerability was is being exploited Vulnerability-related.DiscoverVulnerability in the wild in targeted attacks against Windows users in the Middle East , according to researchers . Adobe dealt with another zero-day Flash vulnerability back in February , which was exploited Vulnerability-related.DiscoverVulnerability by North Korean hackers .

Microsoft has rolled-out Vulnerability-related.PatchVulnerability security updates to fix Vulnerability-related.PatchVulnerability a critical remote code execution flaw affecting Vulnerability-related.DiscoverVulnerability Windows Defender and other anti-malware products . Ahead of April 's Patch Tuesday , Microsoft has released Vulnerability-related.PatchVulnerability patches for the critical flaw , which affects Vulnerability-related.DiscoverVulnerability Microsoft Malware Protection Engine , or mpengine.dll , the core of Windows Defender in Windows 10 . `` An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability this vulnerability could execute arbitrary code in the security context of the LocalSystem Account and take control of the system , '' warns Microsoft . `` An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights . '' Google Project Zero researcher Thomas Dullien , aka Halvar Flake , discovered Vulnerability-related.DiscoverVulnerability that attackers can trigger a memory-corruption issue in the engine if they can get Windows Defender and other affected Vulnerability-related.DiscoverVulnerability security products to scan a specially-crafted file . Microsoft warns there are many ways an attacker could achieve this , including placing the file on a website , in an email or instant message , on any site that hosts files , or in a shared directory . As with similar vulnerabilities reported Vulnerability-related.DiscoverVulnerability last year by the UK 's National Cyber Security Centre ( NCSC ) and Project Zero , an attack would be instant if the affected antivirus has real-time protection enabled . Although the patch is being released Vulnerability-related.PatchVulnerability before Microsoft 's monthly security update , the bug , CVE2018-0986 , is not an out-of-band patch as Microsoft updates Vulnerability-related.PatchVulnerability the engine as needed . Microsoft also notes that the default configuration for Microsoft 's anti-malware products in the enterprise is to automatically receive Vulnerability-related.PatchVulnerability updates .

If you ’ re a BMW owner , prepare to patch ! Chinese researchers have found Vulnerability-related.DiscoverVulnerability 14 security vulnerabilities affecting Vulnerability-related.DiscoverVulnerability many models . The ranges affected Vulnerability-related.DiscoverVulnerability ( some as far back as 2012 ) are the BMW i Series , X Series , 3 Series , 5 Series and 7 Series , with a total of seven rated serious enough to be assigned CVE Vulnerability-related.DiscoverVulnerability numbers . The vulnerabilities are in in the Telematics Control Unit ( TCU ) , the Central Gateway Module , and Head Unit , across a range of interfaces including via GSM , BMW Remote Service , BMW ConnectedDrive , Remote Diagnosis , NGTP , Bluetooth , and the USB/OBD-II interfaces . Some require local access ( e.g . via USB ) to exploit but six including the Bluetooth flaw were accessible remotely , making them the most serious . Should owners worry that the flaws could be exploited Vulnerability-related.DiscoverVulnerability , endangering drivers and vehicles ? On the basis of the technical description , that seems unlikely , although Keen Lab won ’ t release the full proof-of-concept code until 2019 . Keen Lab described the effect of its hacking as allowing it to carry out : The execution of arbitrary , unauthorized diagnostic requests of BMW in-car systems remotely . To which BMW responded : BMW Group has already implemented security measures , which are currently being rolled out via over-the-air configuration updates . Additional security enhancements for the affected infotainment systems are being developed Vulnerability-related.PatchVulnerability and will be available Vulnerability-related.PatchVulnerability as software updates for customers . In other words , some fixes have already been made Vulnerability-related.PatchVulnerability , while others will be made Vulnerability-related.PatchVulnerability between now and early 2019 , potentially requiring a trip to a service centre . Full marks to BMW for promptly responding to the research but the press release issued Vulnerability-related.PatchVulnerability in its wake reads like PR spin . To most outsiders , this is a case of Chinese white hats finding Vulnerability-related.DiscoverVulnerability vulnerabilities in BMW ’ s in-car systems . To BMW , judging by the triumphant language of its press release , it ’ s as if this was the plan all along , right down to awarding Keen Lab the “ first-ever BMW Group Digitalization and IT Research Award. ” More likely , car makers are being caught out by the attention their in-car systems are getting from researchers , with Volkswagen Audi Group experiencing some of the same discomfort a couple of weeks ago at the hands of Dutch researchers . BMW has experienced this before too – three years ago it suffered Vulnerability-related.DiscoverVulnerability an embarrassing security flaw in its car ConnectedDrive software door-locking systems . Let ’ s not feel too sorry for the car makers because it ’ s the owners who face the biggest adjustment to their expectations – software flaws and patching Vulnerability-related.PatchVulnerability are no longer just for computers .

Another critical security hole has been found Vulnerability-related.DiscoverVulnerability in Apache Struts 2 , requiring an immediate update . The vulnerability – CVE-2018-11776 – affects Vulnerability-related.DiscoverVulnerability core code and allows miscreants to pull off remote code execution against vulnerable servers and websites . It affects Vulnerability-related.DiscoverVulnerability all versions of Struts 2 , the popular open-source framework for Java web apps . The Apache Software Foundation has `` urgently advised '' anyone using Struts to update Vulnerability-related.PatchVulnerability to the latest version immediately , noting that the last time a critical hole was found Vulnerability-related.DiscoverVulnerability , the holes were being exploited Vulnerability-related.DiscoverVulnerability in the wild just a day later . In other words , if you delay in patching Vulnerability-related.PatchVulnerability , your organization will be compromised in short order via this bug , if you are running vulnerable systems . It was that earlier flaw that led to a nightmare data breach Attack.Databreach from credit company Equifax after it failed to patch Vulnerability-related.PatchVulnerability swiftly enough . The details of nearly 150 million people were exposed Attack.Databreach , costing the company more than $ 600m , so this is not something to be taken lightly . The company that discovered Vulnerability-related.DiscoverVulnerability the vulnerability – Semmle Security Research Team – warns that this latest one is actually worse that the one last year , which it also found Vulnerability-related.DiscoverVulnerability . It has published a blog post with more information . Semmle found Vulnerability-related.DiscoverVulnerability the hole back in April and reported Vulnerability-related.DiscoverVulnerability it to Apache , which put out Vulnerability-related.PatchVulnerability a patch in June that it has now pulled Vulnerability-related.PatchVulnerability into formal updates ( 2.3.35 for those using version 2.3 and 2.5.17 for those on 2.5 ) . As mentioned , the vulnerability is in the core code and does n't require additional plugins to work . It is caused by insufficient validation of untrusted user data in the core of the Struts framework , and can be exploited in several different ways . Semmle says it has identified two different vectors but warns there may be others . Since it can be used remotely and due to the fact that Struts is typically used to create applications that are on the public internet , hackers are going to be especially focused on exploiting it so they can gain access to corporate networks . And there are some big targets out there : Apache Struts is extremely common with most large corporations using it somewhere in their systems for web apps . Semmle 's VP of engineering , Pavel Avgustinov , had this to say about the hole on Wednesday this week : `` Critical remote code execution vulnerabilities like the one that affected Vulnerability-related.DiscoverVulnerability Equifax and the one we announced today are incredibly dangerous for several reasons : Struts is used for publicly-accessible customer-facing websites , vulnerable systems are easily identified , and the flaw is easy to exploit Vulnerability-related.DiscoverVulnerability . A hacker can find their way in within minutes , and exfiltrate Attack.Databreach data or stage further attacks from the compromised system . It ’ s crucially important to update affected systems immediately ; to wait is to take an irresponsible risk . '' This is very far from the first time that big security holes have been found Vulnerability-related.DiscoverVulnerability in Struts , leading some to recommend that people simply stop using it .

AMD has acknowledged Vulnerability-related.DiscoverVulnerability the Ryzenfall vulnerabilities discovered Vulnerability-related.DiscoverVulnerability by CTS-Labs , though the chip company believes the flaws can be patched Vulnerability-related.PatchVulnerability via BIOS updates issued Vulnerability-related.PatchVulnerability over the next few weeks . In a blog post authored by AMD ’ s chief technical officer , Mark Papermaster , AMD confirmed that the four broad classifications of attacks—Masterkey , Ryzenfall , Fallout , and Chimera—are viable , though they require administrative access to the PC or server in question . Third-party protection , such as Microsoft Windows Credential Guard , also serve to block unauthorized administrative access , Papermaster wrote . In any event , “ any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research , ” AMD ’ s Papermaster added . But AMD also provided the answer to consumers ’ most pressing question : What , if anything , needs to be done ? For each of the first three classifications of vulnerabilities , AMD said it is working on firmware updates that the company plans to release Vulnerability-related.PatchVulnerability during the coming weeks . The fourth category of vulnerability , known as Chimera , affected Vulnerability-related.DiscoverVulnerability the Promontory chipset , which CTS-Labs said was designed with logic supplied by ASMedia , a third-party vendor . While AMD said patches for that will also be released Vulnerability-related.PatchVulnerability via a BIOS update , the company said it is working with the Promontory chipset maker on developing Vulnerability-related.PatchVulnerability the mitigations , rather than supplying its own . AMD has neither confirmed nor denied whether the attacks can be executed remotely , or require local access . AMD did deny , however , that the attacks have anything to do with Meltdown or Spectre , the two side-channel attacks that rival Intel has worked to patch Vulnerability-related.PatchVulnerability . About a week ago , CTS-Labs issued a press release as well as a website outlining the vulnerabilities , which the company provided to AMD less than 24 hours before CTS-Labs went public , AMD said . But CTS-Labs also drew fire over boilerplate copy on its website that implied a potential financial interest in the subjects of its reports . PCWorld attempted to interview CTS executives , but later rescinded that request after CTS-Labs representatives demanded a list of questions in advance , and also forbade us from asking about the timing and the company ’ s financial motivations . In the meantime , however , the vulnerabilities were confirmed Vulnerability-related.DiscoverVulnerability by two independent researchers , Trail of Bits and Check Point . Both expressed doubts that attackers would be able to exploit the vulnerabilities that CTS-Labs had originally discovered Vulnerability-related.DiscoverVulnerability .

This week , Adobe released Vulnerability-related.PatchVulnerability its monthly scheduled update bundle addressing Vulnerability-related.PatchVulnerability vulnerabilities within its different products . The Adobe patch Tuesday November updates allegedly fixed Vulnerability-related.PatchVulnerability numerous vulnerabilities leading to information disclosure . These vulnerabilities existed in Vulnerability-related.DiscoverVulnerability Adobe Acrobat/Reader , Flash Player , and Photoshop CC . The recently released Adobe Patch Tuesday November updates addressed Vulnerability-related.PatchVulnerability three different vulnerabilities – all resulting in information disclosure . The first one existed in Vulnerability-related.DiscoverVulnerability the Adobe Photoshop CC affecting Vulnerability-related.DiscoverVulnerability versions 19.1.6 and prior for both Windows and MacOS . As described in the security advisory , Adobe has fixed Vulnerability-related.PatchVulnerability this important Out-of-bounds read vulnerability ( CVE-2018-15980 ) in the Photoshop CC versions 19.1.7 and 20.0 . The second information disclosure flaw affected Vulnerability-related.DiscoverVulnerability Adobe Reader and Acrobat for Windows . Explaining about the flaw in their advisory , Adobe stated , “ Successful exploitation could lead to an inadvertent leak of the user ’ s hashed NTLM password. ” The vulnerability initially received the CVE Vulnerability-related.DiscoverVulnerability number CVE-2018-4993 , when Check Point Research first reported Vulnerability-related.DiscoverVulnerability the bug . However , as recently disclosed Vulnerability-related.DiscoverVulnerability by the EdgeSpot , Adobe only patched Vulnerability-related.PatchVulnerability a single variant of this bug . Whereas , the EdgeSpot team discovered Vulnerability-related.DiscoverVulnerability other variants that hinted towards a failed patching Vulnerability-related.PatchVulnerability of the bug instead of a new vulnerability . The patched vulnerability has now received CVE Vulnerability-related.DiscoverVulnerability number CVE-2018-15979 “ to reflect that the patch is available Vulnerability-related.PatchVulnerability ” . The third vulnerability addressed Vulnerability-related.PatchVulnerability this month is an out-of-bounds Read vulnerability ( CVE-2018-15978 ) in the Adobe Flash Player . The affected versions include 31.0.0.122 and earlier for Windows , Linux , and MacOS . Unlike previous months , the Adobe Patch Tuesday November update bundle addressed Vulnerability-related.PatchVulnerability fewer bugs . Moreover , none of the patched vulnerabilities had a critical severity impact . In October , Adobe patched Vulnerability-related.PatchVulnerability 86 different vulnerabilities including 47 critical ones . Whereas , in September , they addressed Vulnerability-related.PatchVulnerability 6 critical flaws . Adobe has fixed Vulnerability-related.PatchVulnerability the bugs CVE-2018-15980 and CVE-2018-15978 in Adobe Photoshop CC versions 19.1.7 and 20.0 and Adobe Flash Player version 31.0.0.148 , respectively . Whereas , CVE-2018-15979 has received Vulnerability-related.PatchVulnerability a patch in Adobe Acrobat DC and Reader DC version 2019.008.20081 , Acrobat 2017 and Acrobat Reader DC 2017 version 2017.011.30106 , and Acrobat DC and Acrobat Reader DC ( Classic 2015 ) version 2015.006.30457 . For protection against the three important vulnerabilities addressed Vulnerability-related.PatchVulnerability in November updates , users should make sure to upgrade Vulnerability-related.PatchVulnerability their software to the patched versions at the earliest convenience .

A critical vulnerability in Kubernetes open-source system for handling containerized applications can enable an attacker to gain full administrator privileges on Kubernetes compute nodes . Kubernetes makes it easier to manage a container environment by organizing application containers into pods , nodes ( physical or virtual machines ) and clusters . Multiple nodes form a cluster , managed by a master that coordinates cluster-related activities like scaling , scheduling , or updating apps . Each node has an agent called Kubelet that facilitates communication with the Kubernetes master via the API . The number of nodes available in a Kubernetes system can be hundreds and even thousands . Pulling this off is easy on default configurations , where `` all users ( authenticated and unauthenticated ) are allowed to perform discovery API calls that allow this escalation , '' says Jordan Liggitt , staff software engineer at Google . The security bug was discovered Vulnerability-related.DiscoverVulnerability by Darren Shepherd , co-founder of Rancher Labs company that provides the Kubernetes-as-a-Service solution called Rancher . Now tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-1002105 , the flaw is critical , with a Common Vulnerability Scoring System ( CVSS ) score of 9.8 out of 10 . According to the latest version of the vulnerability severity calculator , exploiting the security glitch has low difficulty and does not require user interaction . Red Hat 's OpenShift Container Platform uses Kubernetes for orchestrating and managing containers is also impacted Vulnerability-related.DiscoverVulnerability by the vulnerability . In an advisory on the matter , the company explains that the flaw can be used in two ways against its products . One involves a normal user with 'exec , ' 'attach , ' or 'portforward ' rights over a Kubernetes pod ( a group of one or more containers that share storage and network resources ) ; they can escalate their privileges to cluster-admin level and execute any process in a container . The second attack method exploits the API extension feature used by ‘ metrics-server ’ and ‘ servicecatalog ’ in OpenShift Container Platform , OpenShift Online , and Dedicated . No privileges are required and an unauthenticated user can get admin rights to any API extension deployed to the cluster . `` Cluster-admin access to ‘ servicecatalog ’ allows creation of service brokers in any namespace and on any node , '' the advisory details . The problem has been addressed Vulnerability-related.PatchVulnerability in the latest Kubernetes revisions : v1.10.11 , v1.11.5 , v1.12.3 , and v1.13.0-rc.1 . Kubernetes releases prior to these along with the products and services based on them are affected Vulnerability-related.DiscoverVulnerability by CVE-2018-1002105 . Red Hat released Vulnerability-related.PatchVulnerability patches for the OpenShift family of containerization software ( OpenShift Container Platform , OpenShift Online , and OpenShift Dedicated ) and users received Vulnerability-related.PatchVulnerability service updates they can install at their earliest convenience . The software company warns that a malicious actor could exploit the vulnerability to steal Attack.Databreach data or inject malicious code , as well as `` bring down production applications and services from within an organization ’ s firewall . ''

A flaw in certificate pinning exposed customers of a number of high-profile banks to man-in-the-middle attacks on both iOS and Android devices . A vulnerability in the mobile apps of major banks could have allowed attackers to steal Attack.Databreach customers ' credentials including usernames , passwords , and pin codes , according to researchers . The flaw was found Vulnerability-related.DiscoverVulnerability in apps by HSBC , NatWest , Co-op , Santander , and Allied Irish bank . The banks in question have now all updated Vulnerability-related.PatchVulnerability their apps to protect against the flaw . Uncovered Vulnerability-related.DiscoverVulnerability by researchers in the Security and Privacy Group at the University of Birmingham , the vulnerability allows an attacker who is on the same network as the victim to perform a man-in-the-middle attack and steal information . The vulnerability lay in Vulnerability-related.DiscoverVulnerability the certificate pinning technology , a security mechanism used to prevent impersonation attacks and use of fraudulent certificates by only accepting certificates signed by a single pinned CA root certificate . While certificate pinning usually improves security , a tool developed by the researchers to perform semi-automated security-testing of mobile apps found that a flaw in the technology meant standard tests failed to detect attackers trying to take control of a victim 's online banking . As a result , certificate pinning can hide the lack of proper hostname verification , enabling man-in-the-middle attacks . The findings have been outlined Vulnerability-related.DiscoverVulnerability in a research paper and presented Vulnerability-related.DiscoverVulnerability at the Annual Computer Security Applications Conference in Orlando , Florida . The tool was run on 400 security critical apps in total , leading to the discovery Vulnerability-related.DiscoverVulnerability of the flaw . Tests found Vulnerability-related.DiscoverVulnerability apps from some of the largest banks contained the flaw which , if exploited Vulnerability-related.DiscoverVulnerability , could have enabled attackers to decrypt , view , and even modify network traffic from users of the app . That could allow them to view information entered and perform any operation that app can usually perform -- such as making payments or transferring of funds . Other attacks allowed hackers to perform in-app phishing attacks Attack.Phishing against Santander and Allied Irish bank users , allowing attackers to take over part of the screen while the app was running and steal Attack.Databreach the entered credentials . The researchers have worked with the National Cyber Security Centre and all the banks involved to fix Vulnerability-related.PatchVulnerability the vulnerabilities , noting that the current version of all the apps affected Vulnerability-related.DiscoverVulnerability by the pinning vulnerability are now secure . A University of Birmingham spokesperson told ZDNet all the banks were highly cooperative : `` once this was flagged to them they did work with the team to amend it swiftly . ''

Google 's Project Zero has again called Apple out for silently patching Vulnerability-related.PatchVulnerability flaws . Apple has secretly patched Vulnerability-related.PatchVulnerability a bunch of high-severity bugs reported Vulnerability-related.DiscoverVulnerability to it by Google 's Project Zero researchers . The move has resulted in Google 's Project Zero once again calling Apple out for fixing Vulnerability-related.PatchVulnerability iOS and macOS security flaws without documenting them in public security advisories . While it 's good news that Apple beat Project Zero 's 90-day deadline for patching Vulnerability-related.PatchVulnerability or disclosing Vulnerability-related.DiscoverVulnerability the bugs it finds Vulnerability-related.DiscoverVulnerability , the group 's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed . This time the criticism comes from Project Zero 's Ian Beer , who 's been credited by Apple with finding Vulnerability-related.DiscoverVulnerability dozens of serious security flaws in iOS and macOS over the years . Beer posted Vulnerability-related.DiscoverVulnerability a blog about several vulnerabilities in iOS 7 he found Vulnerability-related.DiscoverVulnerability in 2014 that share commonalities with several bugs he has found Vulnerability-related.DiscoverVulnerability in iOS 11.4.1 , some of which he 's now released exploits for . Beer notes Vulnerability-related.DiscoverVulnerability that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix Vulnerability-related.PatchVulnerability them . The absence of information about them is a `` disincentive '' for iOS users to patch Vulnerability-related.PatchVulnerability , Beer argues . `` Apple are still yet to assign CVEs Vulnerability-related.DiscoverVulnerability for these issues or publicly acknowledge that they were fixed Vulnerability-related.PatchVulnerability in iOS 12 , '' wrote Beer . `` In my opinion a security bulletin should mention the security bugs that were fixed Vulnerability-related.PatchVulnerability . Not doing so provides a disincentive for people to update Vulnerability-related.PatchVulnerability their devices since it appears that there were fewer security fixes than there really were . '' In other instances , such as one macOS bug Beer reported Vulnerability-related.DiscoverVulnerability , Apple did actually assign a CVE Vulnerability-related.DiscoverVulnerability , but it still hasn't updated Vulnerability-related.PatchVulnerability the relevant security bulletin to reflect the fix . Apple similarly allocated Vulnerability-related.DiscoverVulnerability CVE-2018-4337 to another high-severity iOS bug , which was fixed Vulnerability-related.PatchVulnerability in iOS 12 , but is n't currently acknowledged Vulnerability-related.DiscoverVulnerability in the iOS 12 security bulletin . In another case , Apple fixed Vulnerability-related.PatchVulnerability a bug that affected Vulnerability-related.DiscoverVulnerability iOS and macOS but didn't assign Vulnerability-related.DiscoverVulnerability a CVE or mention it in the security bulletins . Not only may it be a disincentive for end-users to patch Vulnerability-related.PatchVulnerability iPhones and Macs , but Beer also points out Vulnerability-related.DiscoverVulnerability in another bug report that the lack of public acknowledgement Vulnerability-related.DiscoverVulnerability by Apple means he has no way of knowing whether the issue is a duplicate that another researcher may have already found Vulnerability-related.DiscoverVulnerability . As he notes Vulnerability-related.DiscoverVulnerability in the blog , many of the bugs he has found Vulnerability-related.DiscoverVulnerability in iOS are very similar or the same as bugs found Vulnerability-related.DiscoverVulnerability by noted jailbreaking hackers Pangu Team .

IBM has withdrawn Vulnerability-related.PatchVulnerability a patch for a significant security vulnerability in its WebSphere Application Server after the code knackered some systems . Just this week , Big Blue said it is working on Vulnerability-related.PatchVulnerability a new fix for CVE-2018-1567 , a remote-code execution vulnerability in versions 9.0 , 8.5 , 8.0 , and 7.0 of the platform . According to IBM , the vulnerability would potentially allow an attacker to remotely execute Java code on a vulnerable web-app server via its SOAP connector port . The bug was sealed up Vulnerability-related.PatchVulnerability on September 5 , when IBM made Vulnerability-related.PatchVulnerability the fix available Vulnerability-related.PatchVulnerability for download and installation . Unfortunately , the patch had been causing problems , forcing IBM to pull Vulnerability-related.PatchVulnerability the fix on Wednesday , more than a month . Big Blue said the patch was yanked Vulnerability-related.PatchVulnerability `` due to regression '' , which is the fancy way of saying it was mucking stuff up . `` There may be a failure after the security fix for PI95973 is installed , '' IBM tells customers . `` The fix has been removed Vulnerability-related.PatchVulnerability while it is being reworked by development . '' IBM did not say when the updated patch might be arriving Vulnerability-related.PatchVulnerability , putting some admins in the difficult position of either leaving a vulnerability open or risking crashes . We 've asked the New York-based IT giant for more details , following a tip off from an eagle-eyed reader – let us know if you also spot any strange goings on with patches and so forth . In Big Blue 's defense , this is far from the first time a company has had to pull Vulnerability-related.PatchVulnerability a security patch that was found Vulnerability-related.DiscoverVulnerability to pose stability concerns . Microsoft has to do this with some regularity . In fact , just today word surfaced that a number of HP users have been struggling with blue screen crashes affected Vulnerability-related.DiscoverVulnerability their PCs after installing Vulnerability-related.PatchVulnerability this week 's Patch Tuesday updates .

For the second time in roughly a year , D-Link has failed to act on warnings Vulnerability-related.DiscoverVulnerability from security researchers involving the company ’ s routers . The latest incident arose after Silesian University of Technology researcher Błazej Adamczyk contacted Vulnerability-related.DiscoverVulnerability D-Link last May about three vulnerabilities affecting Vulnerability-related.DiscoverVulnerability eight router models . Following the warning Vulnerability-related.DiscoverVulnerability , D-Link patched Vulnerability-related.PatchVulnerability two of the affected routers , but did not initially reveal Vulnerability-related.DiscoverVulnerability how it would proceed for the remaining six models . After further prompting Vulnerability-related.DiscoverVulnerability from Adamczyk , D-Link revealed Vulnerability-related.DiscoverVulnerability that the remaining six routers would not get Vulnerability-related.PatchVulnerability a security patch because they were considered end-of-life models , leaving affected owners out in the cold . “ The D-Link models affected Vulnerability-related.DiscoverVulnerability are the DWR-116 , DWR-140L , DWR-512 , DWR-640L , DWR-712 , DWR-912 , DWR-921 , and DWR-111 , six of which date from 2013 , with the DIR-640L first appearing Vulnerability-related.DiscoverVulnerability in 2012 and the DWR-111 in 2014 , ” Naked Security reported . Though these are not current models in D-Link ’ s portfolio , many of the listed models are still likely to be in use . As a result of this impasse , Adamczyk released details Vulnerability-related.DiscoverVulnerability about the security flaws , following responsible security protocols after giving D-Link notice and the opportunity to address Vulnerability-related.PatchVulnerability the issues . Of significance is that this is the second time in about a year that D-Link has failed to address Vulnerability-related.PatchVulnerability security vulnerabilities affecting Vulnerability-related.DiscoverVulnerability its products after being notified Vulnerability-related.DiscoverVulnerability by researchers . The security researcher noted Vulnerability-related.DiscoverVulnerability that the new flaw arose Vulnerability-related.DiscoverVulnerability after D-Link reported that it had fixed Vulnerability-related.PatchVulnerability a prior security flaw . Also known as “ directory traversal ” or “ dot dot slash ” attacks , these flaws allow a malicious attacker to gain access to system files with a simple HTTP request . Despite D-Link ’ s spotty history with supporting older router models , the manufacturer is not alone in leaving routers unpatched Vulnerability-related.PatchVulnerability . The American Consumer Institute reported Vulnerability-related.DiscoverVulnerability that of the 186 routers it had tested , 155 contained Vulnerability-related.DiscoverVulnerability firmware vulnerabilities . In total , ACI discovered Vulnerability-related.DiscoverVulnerability more than 32,000 known vulnerabilities in its study . “ Our analysis shows that , on average , routers contained Vulnerability-related.DiscoverVulnerability 12 critical vulnerabilities and 36 high-risk vulnerabilities , across the entire sample , ” ACI noted in its report . “ The most common vulnerabilities were medium-risk , with an average of 103 vulnerabilities per router. ” For shoppers who are in the market for a new router , it ’ s probably best to also check with the manufacturer to see what the supported lifespan of the router is . If the router is nearing its end of life , as in the case illustrated here , you may not get Vulnerability-related.PatchVulnerability patches , regardless of how serious a security vulnerability may be . If you have an older router , you may want to consider checking out our guide for the best router options before you decide to upgrade .

Mozilla has recently fixed Vulnerability-related.PatchVulnerability multiple security flaws in its Thunderbird 60.3 email client . These vulnerabilities also include a critical security bug that allegedly affected Vulnerability-related.DiscoverVulnerability Mozilla ’ s Firefox and Firefox ESR browsers as well . Last week , Mozilla patched Vulnerability-related.PatchVulnerability multiple security flaws altogether in its latest Thunderbird 60.3 including a critical security flaw . As explained in Mozilla ’ s security advisory , numerous community members and developers at Mozilla discovered Vulnerability-related.DiscoverVulnerability reported memory safety bugs that only affected Vulnerability-related.DiscoverVulnerability Thunderbird email client , but also had impacted Vulnerability-related.DiscoverVulnerability Firefox and Firefox ESR . Describing the bugs ( CVE-2018-12390 ) , Mozilla stated , Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited Vulnerability-related.DiscoverVulnerability to run arbitrary code . Mozilla has fixed Vulnerability-related.PatchVulnerability the bugs in Firefox 63 , Firefox ESR 60.3 , and Thunderbird 60.3 respectively . Apart from the critical memory safety bugs , Mozilla also released Vulnerability-related.PatchVulnerability fixes for several other vulnerabilities affecting Vulnerability-related.DiscoverVulnerability Thunderbird . These include three vulnerabilities with a high severity level , and low severity level memory safety bugs ( CVE-2018-12389 ) . The three high severity flaws include : CVE-2018-12391 : HTTP Live Stream audio data accessible cross-origin ( affected Firefox for Android only ) . The bug could allow accessing audio data across origins during HTTP live stream playback on the Firefox browser for Android . CVE-2018-12392 : Crash with nested event loops . An attacker could trigger an exploitable crash by exploiting the bug . CVE-2018-12393 : Integer overflow during Unicode conversion while loading JavaScript . This out-of-bounds write vulnerability only affected 32-bit builds . With regards to the conditions for the exploit , Mozilla elaborated , In general , these flaws can not be exploited Vulnerability-related.DiscoverVulnerability through email in the Thunderbird product because scripting is disabled when reading mail , but are potentially risks in browser or browser-like contexts . Mozilla patched Vulnerability-related.PatchVulnerability multiple vulnerabilities in the previous versions of Thunderbird and Firefox last month . That time too , Mozilla released Vulnerability-related.PatchVulnerability a fix for critical code execution vulnerability affecting Vulnerability-related.DiscoverVulnerability Thunderbird 60.2 , Firefox 61 and Firefox ESR 60.1 .

Mozilla has recently fixed Vulnerability-related.PatchVulnerability multiple security flaws in its Thunderbird 60.3 email client . These vulnerabilities also include a critical security bug that allegedly affected Vulnerability-related.DiscoverVulnerability Mozilla ’ s Firefox and Firefox ESR browsers as well . Last week , Mozilla patched Vulnerability-related.PatchVulnerability multiple security flaws altogether in its latest Thunderbird 60.3 including a critical security flaw . As explained in Mozilla ’ s security advisory , numerous community members and developers at Mozilla discovered Vulnerability-related.DiscoverVulnerability reported memory safety bugs that only affected Vulnerability-related.DiscoverVulnerability Thunderbird email client , but also had impacted Vulnerability-related.DiscoverVulnerability Firefox and Firefox ESR . Describing the bugs ( CVE-2018-12390 ) , Mozilla stated , Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited Vulnerability-related.DiscoverVulnerability to run arbitrary code . Mozilla has fixed Vulnerability-related.PatchVulnerability the bugs in Firefox 63 , Firefox ESR 60.3 , and Thunderbird 60.3 respectively . Apart from the critical memory safety bugs , Mozilla also released Vulnerability-related.PatchVulnerability fixes for several other vulnerabilities affecting Vulnerability-related.DiscoverVulnerability Thunderbird . These include three vulnerabilities with a high severity level , and low severity level memory safety bugs ( CVE-2018-12389 ) . The three high severity flaws include : CVE-2018-12391 : HTTP Live Stream audio data accessible cross-origin ( affected Firefox for Android only ) . The bug could allow accessing audio data across origins during HTTP live stream playback on the Firefox browser for Android . CVE-2018-12392 : Crash with nested event loops . An attacker could trigger an exploitable crash by exploiting the bug . CVE-2018-12393 : Integer overflow during Unicode conversion while loading JavaScript . This out-of-bounds write vulnerability only affected 32-bit builds . With regards to the conditions for the exploit , Mozilla elaborated , In general , these flaws can not be exploited Vulnerability-related.DiscoverVulnerability through email in the Thunderbird product because scripting is disabled when reading mail , but are potentially risks in browser or browser-like contexts . Mozilla patched Vulnerability-related.PatchVulnerability multiple vulnerabilities in the previous versions of Thunderbird and Firefox last month . That time too , Mozilla released Vulnerability-related.PatchVulnerability a fix for critical code execution vulnerability affecting Vulnerability-related.DiscoverVulnerability Thunderbird 60.2 , Firefox 61 and Firefox ESR 60.1 .

A Google Project Zero researcher has published a macOS exploit to demonstrate that Apple is exposing its users to security risks by patching Vulnerability-related.PatchVulnerability serious flaws in iOS but not revealing the fact until it fixes Vulnerability-related.PatchVulnerability the same bugs in macOS a week later . This happened during Apple 's update Vulnerability-related.PatchVulnerability for critical flaws in iOS 12 , tvOS 12 and Safari 12 on September 17 . A Wayback Machine snapshot of the original advisory does n't mention Vulnerability-related.DiscoverVulnerability any of the bugs that Project Zero researcher Ivan Fratric had reported Vulnerability-related.DiscoverVulnerability to Apple , and which were actually fixed Vulnerability-related.PatchVulnerability . Then , a week later , after Apple patched Vulnerability-related.PatchVulnerability the same bugs in macOS , the company updated Vulnerability-related.PatchVulnerability its original advisory with details about the nine flaws that Fratric had reported Vulnerability-related.DiscoverVulnerability , six of which affected Vulnerability-related.DiscoverVulnerability Safari . The update fixed Vulnerability-related.PatchVulnerability a Safari bug that allowed arbitrary code execution on macOS if a vulnerable version of Safari browsed to a website hosting an exploit for the bugs . While Fratric concedes that Apple is probably concealing Vulnerability-related.PatchVulnerability the fix in iOS to buy time to patch Vulnerability-related.PatchVulnerability macOS , he argues the end result is that people may ignore an important security update because they were n't properly informed by Apple in the security advisory . `` This practice is misleading because customers interested in the Apple security advisories would most likely read them only once , when they are first released and the impression they would get is that the product updates fix far fewer vulnerabilities and less severe vulnerabilities than is actually the case . '' Even worse , a skilled attacker could use the update for iOS to reverse-engineer a patch , develop an exploit for macOS , and then deploy it against a macOS user-base that does n't have a patch . Users also do n't know that Apple has released information that could make their systems vulnerable to attack . Fratric developed an exploit for one of the Safari bugs he reported and published Vulnerability-related.DiscoverVulnerability the attack on Thursday . The bugs were all found Vulnerability-related.DiscoverVulnerability using a publicly available fuzzing tool he developed , called Domato , meaning anyone else , including highly advanced attackers , could use it too . `` If a public tool was able to find that many bugs , it is expected that private ones might be even more successful , '' he noted . He was n't aiming to write a reliable or sophisticated exploit , but the bug is useful enough for a skilled exploit writer to develop an attack to spread malware and `` potentially do a lot of damage even with an unreliable exploit '' . Fratric said he successfully tested the exploit on Mac OS 10.13.6 High Sierra , build version 17G65 . `` If you are still using this version , you might want to update , '' noted Fratric . On the upside , it appears Apple and its Safari WebKit team have improved the security of the browser compared with the results of Fratric 's Domato fuzzing efforts last year , which turned up way more bugs in Safari than in Chrome , Internet Explorer , and Edge . Last year he found Vulnerability-related.DiscoverVulnerability 17 Safari flaws using the fuzzing tool . His final word of warning is not to discount any of the bugs he found just because no one 's seen them being attacked in the wild . `` While it is easy to brush away such bugs as something we have n't seen actual attackers use , that does n't mean it 's not happening or that it could n't happen , '' the researcher noted .

This week , Adobe has released Vulnerability-related.PatchVulnerability its very first Patch Tuesday update bundle for the year 2019 . The Adobe January Patch Tuesday updates brought fixes for security vulnerabilities in Adobe Digital Editions and Adobe Connect . It has also released Vulnerability-related.PatchVulnerability patches for Flash Player , but they are not security fixes . This Tuesday , Adobe has rolled-out Vulnerability-related.PatchVulnerability scheduled monthly updates for its products . However , this time , it has particularly focused on Adobe Digital Editions and Adobe Connect for security fixes . Besides , the update bundle is relatively smaller , unlike the previous updates that addressed Vulnerability-related.PatchVulnerability tens of vulnerabilities . According to the security advisory , Adobe has fixed Vulnerability-related.PatchVulnerability an important security vulnerability in Adobe Digital Editions . Describing the problem , they stated , “ Successful exploitation could lead to information disclosure in the context of the current user. ” Reportedly , it ’ s an out of bounds read flaw ( CVE-2018-12817 ) that affected Vulnerability-related.DiscoverVulnerability the software version 4.5.9 and earlier for all platforms , i.e. , Windows , MacOS , Android and iOS . Users should ensure updating Vulnerability-related.PatchVulnerability their devices with the patched Adobe Digital Editions version 4.5.10 . In addition to the above , another important vulnerability existed in Vulnerability-related.DiscoverVulnerability Adobe Connect that could result in session token exposure . As stated in the advisory , the vulnerability ( CVE-2018-19718 ) could “ lead to exposure of privileges granted to a session. ” The vulnerability affected Vulnerability-related.DiscoverVulnerability the Adobe Connect versions 9.8.1 and earlier for all platforms . Users should , hence , ensure updating Vulnerability-related.PatchVulnerability their systems with the patched version 10.1 . Besides the two security fixes , Adobe have released Vulnerability-related.PatchVulnerability patches for Flash Player as well addressing Vulnerability-related.PatchVulnerability performance issues . As described in the Adobe advisory , “ Adobe has released Vulnerability-related.PatchVulnerability updates for Adobe Flash Player for Windows , macOS , Linux and Chrome OS . These updates address Vulnerability-related.PatchVulnerability feature and performance bugs , and do not include security fixes. ” The patched Flash Player version 32.0.0.114 has been rolled-out to be downloaded Vulnerability-related.PatchVulnerability across all platforms . This time , the update bundle did not address Vulnerability-related.PatchVulnerability security problems in Adobe Reader or Acrobat . However , the vendors already released Vulnerability-related.PatchVulnerability security fixes for them in the previous week . The patch addressed Vulnerability-related.PatchVulnerability two critical vulnerabilities ( CVE-2018-16011 and CVE-2018-16018 ) that could result in arbitrary code execution and privilege escalation respectively .

This week , Adobe has released Vulnerability-related.PatchVulnerability its very first Patch Tuesday update bundle for the year 2019 . The Adobe January Patch Tuesday updates brought fixes for security vulnerabilities in Adobe Digital Editions and Adobe Connect . It has also released Vulnerability-related.PatchVulnerability patches for Flash Player , but they are not security fixes . This Tuesday , Adobe has rolled-out Vulnerability-related.PatchVulnerability scheduled monthly updates for its products . However , this time , it has particularly focused on Adobe Digital Editions and Adobe Connect for security fixes . Besides , the update bundle is relatively smaller , unlike the previous updates that addressed Vulnerability-related.PatchVulnerability tens of vulnerabilities . According to the security advisory , Adobe has fixed Vulnerability-related.PatchVulnerability an important security vulnerability in Adobe Digital Editions . Describing the problem , they stated , “ Successful exploitation could lead to information disclosure in the context of the current user. ” Reportedly , it ’ s an out of bounds read flaw ( CVE-2018-12817 ) that affected Vulnerability-related.DiscoverVulnerability the software version 4.5.9 and earlier for all platforms , i.e. , Windows , MacOS , Android and iOS . Users should ensure updating Vulnerability-related.PatchVulnerability their devices with the patched Adobe Digital Editions version 4.5.10 . In addition to the above , another important vulnerability existed in Vulnerability-related.DiscoverVulnerability Adobe Connect that could result in session token exposure . As stated in the advisory , the vulnerability ( CVE-2018-19718 ) could “ lead to exposure of privileges granted to a session. ” The vulnerability affected Vulnerability-related.DiscoverVulnerability the Adobe Connect versions 9.8.1 and earlier for all platforms . Users should , hence , ensure updating Vulnerability-related.PatchVulnerability their systems with the patched version 10.1 . Besides the two security fixes , Adobe have released Vulnerability-related.PatchVulnerability patches for Flash Player as well addressing Vulnerability-related.PatchVulnerability performance issues . As described in the Adobe advisory , “ Adobe has released Vulnerability-related.PatchVulnerability updates for Adobe Flash Player for Windows , macOS , Linux and Chrome OS . These updates address Vulnerability-related.PatchVulnerability feature and performance bugs , and do not include security fixes. ” The patched Flash Player version 32.0.0.114 has been rolled-out to be downloaded Vulnerability-related.PatchVulnerability across all platforms . This time , the update bundle did not address Vulnerability-related.PatchVulnerability security problems in Adobe Reader or Acrobat . However , the vendors already released Vulnerability-related.PatchVulnerability security fixes for them in the previous week . The patch addressed Vulnerability-related.PatchVulnerability two critical vulnerabilities ( CVE-2018-16011 and CVE-2018-16018 ) that could result in arbitrary code execution and privilege escalation respectively .