the coding flaw and shared a fix for it, raising questions about why Equifax didn't update its software successfully when the danger became known. A week after Equifax revealed one of the largest breaches of consumers' private financial data in history — 143 million consumers and access to the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax. "The Equifax data compromise was due to (Equifax's) failure to install the security updates provided in a timely manner," The Apache Foundation, which oversees the widely-used open source software, said in a statement Thursday. Equifax told USA TODAY late Wednesday the criminals who gained access to its customer data exploited a website application vulnerability known as Apache Struts CVE-2017-5638. The vulnerability was patched on March 7, the same day it was announced, The Apache Foundation said. Cybersecurity professionals who lend their free services to the project of open-source software — code that's shared by major corporations and that's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group, making the risk and fix known to any company using the software. Modifications were made on March 10, according to the National Vulnerability Database. But two months later, hackers took advantage of the vulnerability to enter the credit reporting agency's systems: Equifax said the unauthorized access began in mid-May.
Equifax did not respond to a question Wednesday about whether the patches were applied, and if not, why not. "We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement," it said. It should have acted faster to successfully deal with the problem, other cybersecurity professionals said. "They should have patched it as soon as possible, not to exceed a week. A typical bank would have patched this critical vulnerability within a few days," said Pravin Kothari, CEO of CipherCloud, a cloud security company. Federal regulators are now investigating whether Equifax is at fault. The Federal Trade Commission and the Consumer Financial Protection Bureau have said they've opened probes into the hack. So far dozens of state attorneys general are investigating the breach, and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws. More than 23 class-action lawsuits against the company have also been proposed. Proof that Equifax failed to protect customers, particularly when it had the tools and information to do so, is likely to further damage Equifax's financial outlook. Shares fell 2.5% Thursday after news of the FTC probe and are down 33% since it revealed the link.
As part of its monthly Update Tuesday, Microsoft announced this week that they've released a preliminary fix for a vulnerability rated important, and present in all supported versions of Windows in circulation (basically any client or server version of Windows from 2008 onward). The flaw affects the Credential Security Support Provider (CredSSP) protocol, which is used in all instances of Windows' Remote Desktop Protocol (RDP) and Remote Management (WinRM). The vulnerability, CVE-2018-0886, could allow remote code execution via a physical or wifi-based Man-in-the-Middle attack, where the attacker steals session data, including local user credentials, during the CredSSP authentication process. Although Microsoft says the bug has not yet been exploited, it could cause serious damage if left unpatched. RDP is widely used in enterprise environments and an attacker who successfully exploits this bug could use it to gain a foothold from which to pivot and escalate. It's also popular with small businesses who outsource their IT administration and, needless to say, an attacker with an admin account has all the aces. Security researchers at Preempt say they discovered and disclosed this vulnerability to Microsoft last August, and Microsoft has been working since then to create the patch released this week. Now it's out there, it's a race against time to make sure you aren't an easy target for an attacker who wants to try and kick the tires on this vulnerability.
Obviously, patch as soon as possible and please follow Microsoft's guidance carefully: Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to "Force updated clients" or "Mitigated" on client and server computers as soon as possible. These changes will require a reboot of the affected systems. Pay close attention to Group Policy or registry settings pairs that result in "Blocked" interactions between clients and servers in the compatibility table later in this article. Both the "Force updated clients" and "Mitigated" settings prevent RDP clients from falling back to insecure versions of CredSSP. The "Force updated clients" setting will not allow services that use CredSSP to accept unpatched clients but "Mitigated" will.
Over a hundred HP Inkjet printers have serious flaws that should be fixed, HP has warned. Computer and printer giant HP has flagged two critical flaws in over a hundred different printer models that it says should be patched "as soon as possible". Owners of numerous HP Inkjet models will need to install new firmware for each of the affected models from its Officejet, Deskjet, Envy, as well as its larger form business printers, including DesignJet and PageWide Pro printers. Multiple models from each product line are affected so customers and consumers should scroll through HP's advisory to check whether their specific model is affected. Customers should also check out HP's support pages for how to install the firmware updates, which can be done directly from the printer for web-enabled printers — mostly those released after 2010 — or via Windows or Mac computers they're networked with. The bugs, which have been assigned the numbers CVE-2018-5924 and CVE-2018-5925, are rated "critical" and could allow remote code execution. "Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution," HP notes in an advisory. The company hasn't indicated whether the flaws are publicly known or under attack but says it was "recently made aware of a vulnerability in certain inkjet printers by a third-party researcher."
The patches come just a few days after HP Inc announced it would soon launch its printer bug bounty, which is the world's first and only print security bug bounty program. The computer maker is partnering with Australian-founded Bugcrowd to manage the program, which will validate the bug reports, and pay researchers between $500 and $10,000, depending on their severity. It's one of Bugcrowd's "private programs" so only researchers who are invited can submit bug reports. Printers are a soft spot for organizations because chief information security officers (CISOs) usually don't get involved in their purchase, according to a member of HP's security advisory board, MedSec CEO Justine Bone. "CISOs are rarely involved in printing purchase decisions yet play a critical role in the overall health and security of their organization," said Bone. "For decades, HP has made cybersecurity a priority rather than an afterthought by engineering business printers with powerful layers of protection. And in doing so, HP is helping to support the valuable role CISOs play in organizations of every size."
Adobe has released a priority update to plug a critical security flaw in its popular Flash Player on Windows. As per an official announcement by the company, the latest patch will address issues in Adobe Flash Player 29.0.0.171 and other earlier versions. The vulnerabilities, according to Adobe, are being used by hackers to embed malicious content distributed via email. Security firm Icebrg on Thursday announced that a zero-day vulnerability has led to exploitation in Adobe Flash specifically targeted towards users in the Middle East. The vulnerability (CVE-2018-5002) enables attackers to execute certain actions by executing code on the victims' computers. As per the blog post, the exploit uses a Microsoft Office document for the attack. To circumvent the fact that Adobe Flash is blocked on most browsers, the exploit involves loading Flash Player from within Microsoft Office. The flaw was reported by Icebrg in collaboration with Qihoo 360 Core Security. "While this attack leveraged a zero-day exploit, individual attacker actions do not happen in isolation. There are several other behavioural aspects that can be used for detection. Any single observable might be low confidence but multiple observables clustered might be indicative of suspicious or malicious activity," said Icebrg staff in its blog post. Of course, this is not the first instance wherein Flash Player's vulnerabilities have been exploited. Back in October last year, the company had issued a security patch to fix a critical leak. Users have been strongly recommended to update Adobe Flash in order to avoid any such vulnerabilities seeping into their machines.
The update, however, is not a guarantee of protection against future flaws. It is thus advised to enable Flash only on a secondary browser that is not the main one used on the computer.
The Git Project announced yesterday a critical arbitrary code execution vulnerability in the Git command line client, GitHub Desktop, and Atom that could allow malicious repositories to remotely execute commands on a vulnerable machine. This vulnerability has been assigned the CVE-2018-17456 ID and is similar to a previous CVE-2017-1000117 option injection vulnerability. Like the previous vulnerability, a malicious repository can create a .gitmodules file that contains a URL that starts with a dash. By using a dash, when Git clones a repository using the --recurse-submodules argument, the command will interpret the URL as an option, which could then be used to perform remote code execution on the computer. "When running 'git clone --recurse-submodules', Git parses the supplied .gitmodules file for a URL field and blindly passes it as an argument to a 'git clone' subprocess. If the URL field is set to a string that begins with a dash, this 'git clone' subprocess interprets the URL as an option. This can lead to executing an arbitrary script shipped in the superproject as the user who ran 'git clone'." This vulnerability has been fixed in Git v2.19.1 (with backports in v2.14.5, v2.15.3, v2.16.5, v2.17.2, and v2.18.1), GitHub Desktop 1.4.2, GitHub Desktop 1.4.3-beta0, Atom 1.31.2, and Atom 1.32.0-beta3. The Git Project strongly recommends that all users upgrade to the latest version of the Git client, GitHub Desktop, or Atom in order to be protected from malicious repositories.
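A defensive check for the condition described above, as an added example (not code from the Git Project or from the original article): it parses a .gitmodules file, flags any submodule whose URL begins with a dash, and builds a "git clone" argument list with the "--" end-of-options separator. The sample file contents and all function names are constructed for illustration.

```python
import re

# Matches a section header such as: [submodule "vendor/lib"]
SECTION_RE = re.compile(r'^\[\s*submodule\s+"(?P<name>(?:[^"\\]|\\.)*)"\s*\]$')
# Matches a "key = value" line inside a section.
KEYVAL_RE = re.compile(r'^(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<value>.*)$')

# Constructed sample input; the dash-prefixed values are harmless placeholders.
SAMPLE_GITMODULES = '''\
[submodule "docs"]
    path = docs
    url = https://example.com/project/docs.git
[submodule "vendor/lib"]
    path = vendor/lib
    url = -x-constructed-option
[submodule "quoted"]
    path = quoted
    url = "-y-constructed-option"
'''


def parse_gitmodules(text):
    """Return {submodule_name: {key: value}} for .gitmodules content."""
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        section = SECTION_RE.match(line)
        if section:
            current = modules.setdefault(section.group("name"), {})
            continue
        if line.startswith("["):
            current = None  # a section that is not a submodule
            continue
        keyval = KEYVAL_RE.match(line)
        if keyval and current is not None:
            value = keyval.group("value").strip()
            # A quoted value is unquoted before use, so the dash
            # check has to look inside the quotes as well.
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            current[keyval.group("key").lower()] = value
    return modules


def find_option_like_urls(text):
    """List (submodule, url) pairs whose URL would be read as an option."""
    return [
        (name, cfg["url"])
        for name, cfg in parse_gitmodules(text).items()
        if cfg.get("url", "").startswith("-")
    ]


def clone_argv(url, dest):
    """Build a git clone argument list that cannot treat url as an option."""
    if url.startswith("-"):
        raise ValueError("refusing option-like submodule URL: %r" % url)
    # "--" marks the end of options; everything after it is positional.
    return ["git", "clone", "--", url, dest]


if __name__ == "__main__":
    for name, url in find_option_like_urls(SAMPLE_GITMODULES):
        print("suspicious submodule %r: url=%r" % (name, url))
```

Running the check on a repository's .gitmodules before cloning with --recurse-submodules is useful on hosts that cannot yet be upgraded to one of the fixed versions listed above.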
11th December was Microsoft's December 2018 Patch Tuesday, which means users had to update their computers to be protected from the latest threats to Windows and Microsoft products. Microsoft has fixed 39 vulnerabilities, with 10 of them being labeled as Critical. Keeping up with its December 2018 Patch Tuesday, Microsoft announced on its blog that a vulnerability exists in Windows Domain Name System (DNS). There was not much information provided to the customers about how and when this vulnerability was discovered. The following details were released by Microsoft:

The Exploit

Microsoft Windows is prone to a heap-based buffer-overflow vulnerability. A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploits this issue may execute arbitrary code within the context of the affected application. Microsoft states that failed exploit attempts will result in a denial-of-service condition. Windows servers that are configured as DNS servers are at risk from this vulnerability.

Affected Systems

Find a list of the affected systems on Microsoft's Blog. The company has also provided users with security updates for the affected systems.

Workarounds and Mitigations

As of today, Microsoft has not identified any workarounds or mitigations for the affected systems. Jake Williams, the founder of Rendition Security and Rally security, posted an update on Twitter about the issue, questioning why there is no sufficient discussion among the infosec community about the matter.
Facebook discovered a security issue that allowed hackers to access information that could have let them take over around 50 million accounts, the company announced on Friday. Following the disclosure, shares of Facebook extended midday losses and ended trading 2.5 percent down. "This is a very serious security issue, and we're taking it very seriously," said CEO Mark Zuckerberg on a call with reporters. Facebook shares, which were already down about 1.5 percent before the announcement, extended losses after the disclosure and ended down 2.6 percent. The company said in a blog post that its engineering team found on Tuesday that attackers identified a weakness in Facebook's code regarding its "View As" feature. Facebook became aware of a potential attack after it noticed a spike in user activity on September 16. "View As" lets users see what their profile looks like to other users on the platform. This vulnerability, which consisted of three separate bugs, also allowed the hackers to get access tokens — digital keys which let people stay logged into the service without having to re-enter their password — which could be used to control other people's accounts. Almost 50 million accounts had their access tokens taken, and Facebook has reset those tokens. The company also reset tokens for an additional 40 million accounts who used the "View As" feature in the last year as a precautionary measure, for a total of 90 million accounts. Facebook had 2.23 billion monthly active users as of June 30. The reset will require these users to re-enter their password when they return to Facebook or access an app that uses Facebook Login. They will also receive a notification at the top of their News Feed explaining what happened. In addition, the company suspended the "View As" feature while it reviews its security.
Facebook said it fixed the issue on Thursday night and has notified law enforcement including the FBI and the Irish Data Protection Commission in order to address any General Data Protection Regulation (GDPR) issues. Facebook said it has just begun its investigation and has not determined if any information was misused, but the initial investigation has not uncovered any information abuse. The hackers did query Facebook's API system, which lets applications communicate with the platform, to get more user information. The company is not sure if the hackers used that data, nor does it know who orchestrated the hack or where the person or people are based. The company said there is no need to change passwords. If additional accounts are affected, Facebook said it will immediately reset those users' access tokens. Facebook is doubling the number of employees who are working to improve security from 10,000 to 20,000, the company reiterated. "Security is an arms race, and we're continuing to improve our defenses," Zuckerberg said. "This just underscores there are constant attacks from people who are trying to underscore accounts in our community."
A group known as the Shadow Brokers published on Good Friday a set of confidential hacking tools used by the NSA to exploit software vulnerabilities in Microsoft Windows software. According to Fortune, Microsoft announced on the same day that it had patched the vulnerabilities related to the NSA leak. It was especially important that the company moved quickly since juvenile hackers — also known as script kiddies — were expected to be active over the holiday weekend while defenders were away. The threat was the latest and, according to security experts, the most damaging set of stolen documents published by the Shadow Brokers, which is believed to be tied to the Russian government. Experts say the leak, which was mostly lines of computer code, was made up of a variety of "zero-day exploits" that can infiltrate Windows machines and then be used for espionage, vandalism or document theft. The group also published another set of documents that show that the NSA penetrated the SWIFT banking network in the Middle East. "There appears to be at least several dozen exploits, including zero-day vulnerabilities, in this release. Some of the exploits even offer a potential 'God mode' on select Windows systems. A few of the products targeted include Lotus Notes, Lotus Domino, IIS, SMB, Windows XP, Windows 8, Windows Server 2003 and Windows Server 2012," said Cris Thomas, a strategist at Tenable Network Security. The Shadow Brokers have been threatening the U.S. government for some time but until last Friday had not released anything critical.
There is speculation that this document dump could be retaliation by Russia (if the hackers are indeed tied to the country) in response to recent U.S. military actions.
Microsoft's security team had a busy weekend. On Friday night, security researcher Tavis Ormandy of Google's Project Zero announced on Twitter that he had found a Windows bug. Well, not just any bug. It was "crazy bad," Ormandy wrote. "The worst Windows remote code exec in recent memory." By Monday night, Microsoft had released an emergency patch, along with details of what the vulnerability entailed. And yes, it was every bit as scary as advertised. That's not only because of the extent of the damage hackers could have done, or the range of devices the bug affected. It's because the bug's fundamental nature underscores the vulnerabilities inherent in the very features meant to keep our devices safe. What made this particular bug so insidious was that it would have allowed hackers to target Windows Defender, an antivirus system that Microsoft builds directly into its operating system. That means two things: First, that it impacted the billion-plus devices that have Windows Defender installed. (Specifically, it took advantage of the Microsoft Malware Protection Engine that underpins several of the company's software security products.) Second, that it leveraged that program's expansive permissions to enable general havoc, without physical access to the device or the user taking any action at all. "This was, in fact, crazy bad," says Core Security systems engineer Bobby Kuzma, echoing Ormandy's original assessment. As Google engineers note in a report on the bug, to pull off the attack a hacker would have only had to send a specialized email or trick a user into visiting a malicious website, or otherwise sneak an illicit file onto a device.
This also isn't just a case of clicking the wrong link; because Microsoft's antivirus protection automatically inspects every incoming file, including unopened email attachments, all it takes to fall victim is an inbox. "The moment [the file] hits the system, the Microsoft malware protection intercepts it and scans it to make sure it's 'safe,'" says Kuzma. That scan triggers the exploit, which in turn enables remote code execution that enables a total machine takeover. "As soon as it's there, the malware protection will take it up and give it root access." It's scary stuff, though tempered by Microsoft's quick action and the fact that Ormandy appears to have found the bug before bad actors did. And because Microsoft issues automatic updates for its malware protection, most users should be fully protected soon, if not already. It should still serve as an object lesson, though, in the risks that come with antivirus software that has tendrils in every part of your system. It's a scary world out there, and antivirus generally helps make it less so. To do its job correctly, though, it needs unprecedented access to your computer—meaning that if it falters, it can take your entire system down with it. "There is a raging debate about antivirus in some circles, stating that it can be used as a springboard to infect users," says Jérôme Segura, lead malware intelligence analyst with Malwarebytes. "The fact of the matter is that security software is not immune to flaws, just like any other program, but there is no denying the irony when an antivirus could be leveraged to infect users instead of protecting them." Irony and, well, damage.
A year ago, Google's Ormandy found critical vulnerabilities that affected no fewer than 17 Symantec antivirus products. He's found similar in offerings from security vendors like FireEye, McAfee, and more. And more recently, researchers discovered an attack called "DoubleAgent," which turned Microsoft's Application Verifier tool into a malware entry point. "Because of what they do, AV products are really complex and have to touch a lot of things that are untrusted," says Kuzma. "This is the kind of vulnerability we've seen time and again." There's also no real solution; it's not easy to weigh the protections versus the risks. The best you can hope for, really, is what Ormandy and Microsoft demonstrated during the last few days: That someone catches the mistakes before the bad guys do, and that the fixes come fast and easy.