fresh `` microcode revision guidance '' that reveals it won ’ t addressVulnerability-related.PatchVulnerabilitythe Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it 's too tricky to remove the Spectre v2 class of vulnerabilities . The new guidance , issued April 2 , adds a “ stopped ” status to Intel ’ s “ production status ” category in its array of available Meltdown and Spectre security updates . `` Stopped '' indicates there will be no microcode patch to kill offVulnerability-related.PatchVulnerabilityMeltdown and Spectre . The guidance explains that a chipset earns “ stopped ” status because , “ after a comprehensive investigation of the microarchitectures and microcode capabilities for these products , Intel has determined to not releaseVulnerability-related.PatchVulnerabilitymicrocode updates for these products for one or more reasons. ” Those reasons are given as : Micro-architectural characteristics that preclude a practical implementation of features mitigatingVulnerability-related.PatchVulnerability[ Spectre ] Variant 2 ( CVE-2017-5715 ) Limited Commercially Available System Software support Based on customer inputs , most of these products are implemented as “ closed systems ” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities . Thus , if a chip family falls under one of those categories – such as Intel ca n't easily fixVulnerability-related.PatchVulnerabilitySpectre v2 in the design , or customers do n't think the hardware will be exploitedVulnerability-related.DiscoverVulnerability– it gets a `` stopped '' sticker . To leverage the vulnerabilities , malware needs to be running on a system , so if the computer is totally closed off from the outside world , administrators may feel it 's not worth the hassle applying messy microcode , operating system , or application updates . `` Stopped '' CPUs that won ’ t therefore getVulnerability-related.PatchVulnerabilitya fix are in the Bloomfield , Bloomfield Xeon , Clarksfield , Gulftown , Harpertown Xeon C0 and E0 , Jasper Forest , Penryn/QC , SoFIA 3GR , Wolfdale , Wolfdale Xeon , Yorkfield , and Yorkfield Xeon families . The new list includes various Xeons , Core CPUs , Pentiums , Celerons , and Atoms – just about everything Intel makes . Most the CPUs listed above are oldies that went on sale between 2007 and 2011 , so it is likely few remain in normal use . There ’ s some good news in the tweaked guidance : the Arrandale , Clarkdale , Lynnfield , Nehalem , and Westmere families that were previously un-patchedVulnerability-related.PatchVulnerabilitynow have working fixes availableVulnerability-related.PatchVulnerabilityin production , apparently . “ We ’ ve now completed releaseVulnerability-related.PatchVulnerabilityof microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discoveredVulnerability-related.DiscoverVulnerabilityby Google Project Zero , '' an Intel spokesperson told The Reg . `` However , as indicated in our latest microcode revision guidance , we will not be providingVulnerability-related.PatchVulnerabilityupdated microcode for a select number of older platforms for several reasons , including limited ecosystem support and customer feedback. ” Now all Intel has to do is sort out a bunch of lawsuits , make sure future products don ’ t have similar problems , combat a revved-up-and-righteous AMD and Qualcomm in the data centre , find a way to get PC buyers interested in new kit again , and make sure it doesn ’ t flub emerging markets like IoT and 5G like it flubbed the billion-a-year mobile CPU market .
Tavis Ormandy , a Google Project Zero security researcher , has revealedVulnerability-related.DiscoverVulnerabilitydetails about a new major vulnerability discoveredVulnerability-related.DiscoverVulnerabilityin Ghostscript , an interpreter for Adobe 's PostScript and PDF page description languages . Ghostscript is by far the most widely used solution of its kind . The Ghostscript interpreter is embedded in hundreds of software suites and coding libraries that allow desktop software and web servers to handle PostScript and PDF-based documents . Exploiting the bug Ormandy discoveredVulnerability-related.DiscoverVulnerabilityrequires that an attacker sends a malformed PostScript , PDF , EPS , or XPS file to a victim . Once the file reaches the Ghostscript interpreter , the malicious code contained within will execute an attacker 's desired on that machine . The vulnerability , which has not received a CVEVulnerability-related.DiscoverVulnerabilityidentifier just yet , allows an attacker to take over applications and servers that use vulnerable versions of Ghostscript . At the time of writing , there is no fix availableVulnerability-related.PatchVulnerability. By far , the most affected projects are the ImageMagick image processing library , but also many Linux distros where this library ships by default . RedHat and Ubuntu have already confirmed they are affected , according to a CERT/CC security advisory released today . `` I * strongly * suggest that [ Linux ] distributions start disabling PS , EPS , PDF and XPS coders in [ ImageMagick 's ] policy.xml by default , '' Ormandy said . Because of Ghostscript 's broad adoption in the web dev and software dev communities , Ormandy has had his eyes set on Ghostscript for the past few years . He discoveredVulnerability-related.DiscoverVulnerabilitysimilar high severity issues affectingVulnerability-related.DiscoverVulnerabilityGhostscript in 2016 and again in 2017 . The vulnerability he foundVulnerability-related.DiscoverVulnerabilityin 2017 —CVE-2017-8291— was adopted by North Korean hackers , who used it to break into South Korean cryptocurrency exchanges , steal funds , and later plant false flags in an attempt to pin the hacks on Chinese-speaking threat actors . Because of Ghostscript 's wide adoption , any bugs , and especially those that lead to remote code execution , are highly sought-after by any threat actor .
Thousands , if not more , Jenkins servers are vulnerableVulnerability-related.DiscoverVulnerabilityto data theft , takeover , and cryptocurrency mining attacks . This is because hackers can exploit two vulnerabilities to gain admin rights or log in using invalid credentials on these servers . Both vulnerabilities were discoveredVulnerability-related.DiscoverVulnerabilityby security researchers from CyberArk , were privately reportedVulnerability-related.DiscoverVulnerabilityto the Jenkins team , and receivedVulnerability-related.PatchVulnerabilityfixes over the summer . But despite patches for both issues , there are still thousands of Jenkins servers availableVulnerability-related.PatchVulnerabilityonline . Jenkins is a web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results , and even automate the process of deploying new code to production servers . Jenkins is a popular component in many companies ' IT infrastructure and these servers are very popular with both freelancers and enterprises alike . Over the summer , CyberArk researchers discoveredVulnerability-related.DiscoverVulnerabilitya vulnerability ( tracked asVulnerability-related.DiscoverVulnerabilityCVE-2018-1999001 ) that allows an attacker to provide malformed login credentials that cause Jenkins servers to move their config.xml file from the Jenkins home directory to another location . If an attacker can cause the Jenkins server to crash and restart , or if he waits for the server to restart on its own , the Jenkins server then boots in a default configuration that features no security . In this weakened setup , anyone can register on the Jenkins server and gain administrator access . With an administrator role in hand , an attacker can access private corporate source code , or even make code modifications to plant backdoors in a company 's apps . This lone issue would have been quite bad on its own , but CyberArk researchers also discoveredVulnerability-related.DiscoverVulnerabilitya second Jenkins vulnerability -- CVE-2018-1999043 . This second bug , they saidVulnerability-related.DiscoverVulnerability, allowed an attacker to create ephemeral user records in the server 's memory , allowing an attacker a short period when they could authenticate using ghost usernames and credentials . Both vulnerabilities were fixedVulnerability-related.PatchVulnerability, the first in July and the second in August , but as we 've gotten accustomed to in the past few years of covering security flaws , not all server owners have bothered to install these security updates .
Admins can now grab Cisco 's updates for 13 high-severity flaws affectingVulnerability-related.DiscoverVulnerabilitygear that uses its IOS and IOS XE networking software . All the bugs have been rated as having a high security impact because they could be used to gain elevated privileges or jam a device with denial-of-service ( DoS ) attacks . The company also has fixes availableVulnerability-related.PatchVulnerabilityfor 11 more flaws outlined in 10 advisories with a medium-severity rating , most of which also addressVulnerability-related.PatchVulnerabilityissues in IOS and IOS XE , the Linux-based train of Cisco 's popular networking operating system . The updates for the 13 high-severity IOS and IOS XE flaws are part of Cisco 's scheduled twice-yearly patch bundle for this software targeted for September . The company reportedVulnerability-related.DiscoverVulnerabilitythis week that some IOS XE releases were among 88 Cisco products vulnerable to the DoS attack on Linux systems known as FragmentSmack . And earlier this month it pluggedVulnerability-related.PatchVulnerabilitya critical hard-coded password bug in its video surveillance software . None of the flaws in the latest advisory is known to have been used in attacks and Cisco is n't aware of any public disclosures . Some of the higher severity flaws include a DoS flaw affectingVulnerability-related.DiscoverVulnerabilitythe IOS XE Web UI , which could allow a remote attacker to trigger a reload of the device by sending special HTTP requests to the UI . An unauthenticated attacker could exploit this bug in IOS XE releases prior to 16.2.2 , while 16.2.2 and later require authentication . Another DoS flaw is rooted in the IPsec driver code of multiple Cisco IOS XE platforms and the Cisco ASA 5500-X Series Adaptive Security Appliance ( ASA ) . The buggy code improperly processes malformed IPsec Authentication Header ( AH ) or Encapsulating Security Payload ( ESP ) packets . `` An attacker can exploit this vulnerability by using a crafted ESP or AH packet that meets several other conditions , such as matching the IPsec SA SPI and being within the correct sequence window , '' notes Cisco . This flaw affectsVulnerability-related.DiscoverVulnerabilitysix ASR 1000 Series Aggregation Services Routers , and two 4000 Series Integrated Routers . Cisco notesVulnerability-related.DiscoverVulnerabilitythat its software is affectedVulnerability-related.DiscoverVulnerabilityif the system has been modified from its default state and configured to terminate IPsec VPN connections , such as LAN-to-LAN VPN , and remote access VPN , but not SSL VPN .
Enigmail and GPG Tools have been patchedVulnerability-related.PatchVulnerabilityfor EFAIL . For more up-to-date information , please see EFF 's Surveillance Self-Defense guides . Don ’ t panic ! But you should stop using PGP for encrypted email and switch to a different secure communications method for now . A group of researchers released a paper today that describesVulnerability-related.DiscoverVulnerabilitya new class of serious vulnerabilities in PGP ( including GPG ) , the most popular email encryption standard . The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim ’ s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim . The proof of concept is only one implementation of this new type of attack , and variants may follow in the coming days . Because of the straightforward nature of the proof of concept , the severity of these security vulnerabilities , the range of email clients and plugins affected , and the high level of protection that PGP users need and expect , EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now . Because we are awaiting the response from the security community of the flaws highlighted in the paper , we recommend that for now you uninstall or disable your PGP email plug-in . These steps are intended as a temporary , conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community . There may be simpler mitigations availableVulnerability-related.PatchVulnerabilitysoon , as vendors and commentators develop narrower solutions , but this is the safest stance to take for now . Because sending PGP-encrypted emails to an unpatched client will create adverse ecosystem incentives to open incoming emails , any of which could be maliciously crafted to expose ciphertext to attackers . While you may not be directly affected , the other participants in your encrypted conversations are likely to be . For this attack , it isn ’ t important whether the sender or the receiver of the original secret message is targeted . This is because a PGP message is encrypted to both of their keys . At EFF , we have relied on PGP extensively both internally and to secure much of our external-facing email communications . Because of the severity of the vulnerabilities disclosed today , we are temporarily dialing down our use of PGP for both internal and external email . Our recommendations may change as new information becomes available , and we will update this post when that happens .
A security bug in Systemd can be exploitedVulnerability-related.DiscoverVulnerabilityover the network to , at best , potentially crash a vulnerable Linux machine , or , at worst , execute malicious code on the box . The flaw therefore puts Systemd-powered Linux computers – specifically those using systemd-networkd – at risk of remote hijacking : maliciously crafted DHCPv6 packets can try to exploit the programming cockup and arbitrarily change parts of memory in vulnerable systems , leading to potential code execution . This code could install malware , spyware , and other nasties , if successful . The vulnerability – which was made publicVulnerability-related.DiscoverVulnerabilitythis week – sits within the written-from-scratch DHCPv6 client of the open-source Systemd management suite , which is built into various flavors of Linux . This client is activated automatically if IPv6 support is enabled , and relevant packets arrive for processing . Thus , a rogue DHCPv6 server on a network , or in an ISP , could emit specially crafted router advertisement messages that wake up these clients , exploit the bug , and possibly hijack or crash vulnerable Systemd-powered Linux machines . Here 's the Red Hat Linux summary : systemd-networkd is vulnerableVulnerability-related.DiscoverVulnerabilityto an out-of-bounds heap write in the DHCPv6 client when handling options sent by network adjacent DHCP servers . A attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines , resulting in a denial of service or potential code execution . Felix Wilhelm , of the Google Security team , was credited with discoveringVulnerability-related.DiscoverVulnerabilitythe flaw , designated CVE-2018-15688 . Wilhelm found that a specially crafted DHCPv6 network packet could trigger `` a very powerful and largely controlled out-of-bounds heap write , '' which could be used by a remote hacker to inject and execute code . `` The overflow can be triggered relatively easy by advertising a DHCPv6 server with a server-id > = 493 characters long , '' Wilhelm noted . In addition to Ubuntu and Red Hat Enterprise Linux , Systemd has been adopted as a service manager for Debian , Fedora , CoreOS , Mint , and SUSE Linux Enterprise Server . We 're told RHEL 7 , at least , does not use the vulnerable component by default . Systemd creator Lennart Poettering has already publishedVulnerability-related.PatchVulnerabilitya security fix for the vulnerable component – this should be weaving its way into distros as we type . If you run a Systemd-based Linux system , and rely on systemd-networkd , updateVulnerability-related.PatchVulnerabilityyour operating system as soon as you can to pick up the fix when availableVulnerability-related.PatchVulnerabilityand as necessary . The bug will come as another argument against Systemd as the Linux management tool continues to fight for the hearts and minds of admins and developers alike . Though a number of major admins have in recent years adopted and championed it as the replacement for the old Init era , others within the Linux world seem to still be less than impressed with Systemd and Poettering 's occasionally controversial management of the tool .
To understand why it is so difficult to defend computers from even moderately capable hackers , consider the case of the security flaw officially known asVulnerability-related.DiscoverVulnerabilityCVE-2017-0199 . The bug was unusually dangerous but of a common genre : it was in Microsoft software , could allow a hacker to seize control of a personal computer with little trace , and was fixedVulnerability-related.PatchVulnerabilityApril 11 in Microsoft ’ s regular monthly security update . But it had traveled a rocky , nine-month journey from discovery to resolution , which cyber security experts say is an unusually long time . Google ’ s security researchers , for example , give vendors just 90 days’ warningVulnerability-related.DiscoverVulnerabilitybefore publishingVulnerability-related.DiscoverVulnerabilityflaws they findVulnerability-related.DiscoverVulnerability. Microsoft Corp ( MSFT.O ) declined to say how long it usually takes to patchVulnerability-related.PatchVulnerabilitya flaw . While Microsoft investigated , hackers foundVulnerability-related.DiscoverVulnerabilitythe flaw and manipulated the software to spy on unknown Russian speakers , possibly in Ukraine . And a group of thieves used it to bolster their efforts to stealAttack.Databreachfrom millions of online bank accounts in Australia and other countries . Those conclusions and other details emerged from interviews with researchers at cyber security firms who studied the events and analyzed versions of the attack code . Microsoft confirmed the sequence of events . The tale began last July , when Ryan Hanson , a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise , foundVulnerability-related.DiscoverVulnerabilitya weakness in the way that Microsoft Word processes documents from another format . That allowed him to insert a link to a malicious program that would take control of a computer . The company often pays a modest bounty of a few thousands dollars for the identification of security risks . Soon after that point six months ago , Microsoft could have fixedVulnerability-related.PatchVulnerabilitythe problem , the company acknowledgedVulnerability-related.DiscoverVulnerability. But it was not that simple . A quick change in the settings on Word by customers would do the trick , but if Microsoft notifiedVulnerability-related.DiscoverVulnerabilitycustomers about the bug and the recommended changesVulnerability-related.PatchVulnerability, it would also be telling hackers about how to break in . Alternatively , Microsoft could have createdVulnerability-related.PatchVulnerabilitya patch that would be distributedVulnerability-related.PatchVulnerabilityas part of its monthly software updates . But the company did not patch immediatelyVulnerability-related.PatchVulnerabilityand instead dug deeper . It was not aware that anyone was using Hanson ’ s method , and it wanted to be sure it had a comprehensive solution . “ We performedVulnerability-related.PatchVulnerabilityan investigation to identify other potentially similar methods and ensure that our fix addresses [ sic ] more than just the issue reported , ” Microsoft said through a spokesman , who answered emailed questions on the condition of anonymity . “ This was a complex investigation. ” Hanson declined interview requests . The saga shows that Microsoft ’ s progress on security issues , as well as that of the software industry as a whole , remains uneven in an era when the stakes are growing dramatically . Finally , on the Tuesday , about six months after hearing from Hanson , Microsoft madeVulnerability-related.PatchVulnerabilitythe patch availableVulnerability-related.PatchVulnerability. As always , some computer owners are lagging behind and have not installed it . Ben-Gurion University employees in Israel were hacked , after the patch , by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts at technology companies and medical professionals , said Michael Gorelik , vice president of cyber security firm Morphisec . When Microsoft patchedVulnerability-related.PatchVulnerability, it thanked Hanson , a FireEye researcher and its own staff . A six-month delay is bad but not unheard of , said Marten Mickos , chief executive of HackerOne , which coordinates patching efforts between researchers and vendors . “ Normal fixing times are a matter of weeks , ” Mickos said . Privately-held Optiv said through a spokeswoman that it usually gives vendors 45 days to makeVulnerability-related.PatchVulnerabilityfixes before publishing researchVulnerability-related.DiscoverVulnerabilitywhen appropriate , and that it “ materially followed ” that practice in this case . If the patchingVulnerability-related.PatchVulnerabilitytook time , others who learned of the flaw moved quickly . On the final weekend before the patch , the criminals could have sold it along to the Dridex hackers , or the original makers could have cashed in a third time , Hultquist said , effectively staging a last clearance sale before it lost peak effectiveness . It is unclear how many people were ultimately infected or how much money was stolen .
A zero-day vulnerability exists inVulnerability-related.DiscoverVulnerabilityWordPress Core that in some instances could allow an attacker to reset a user ’ s password and gain access to their account . Researcher Dawid Golunski of Legal Hackers disclosedVulnerability-related.DiscoverVulnerabilitythe vulnerability on Wednesday via his new ExploitBox service . All versions of WordPress , including the latest , 4.7.4 , are vulnerableVulnerability-related.DiscoverVulnerability, the researcher said . The vulnerability ( CVE-2017-8295 ) happens because WordPress uses what Golunski calls untrusted data by default when it creates a password reset email . In a proof-of-concept writeup , Golunski points out that WordPress uses a variable , SERVER_NAME , to get the hostname to create a From/Return-Path header for the password reset email . Since that variable , by its nature , can be customized , an attacker could insert a domain of his choosing and make it so an outgoing email could be sent to a malicious address , the researcher says . The attacker would then receive the reset email and be able to change the account password and take over . “ Depending on the configuration of the mail server , it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers , ” Golunski wrote . “ This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction. ” Golunski writes that there are three scenarios in which a user could be trickedAttack.Phishing, and only one of them relies on user interaction . In one , an attacker could perform a denial of service attack on the victim ’ s email account in order to prevent the password reset email from reaching the victim ’ s account . Instead , it could bounce back to the malicious sender address , pointed at the attacker . Second , Golunski says some auto-responders may attach a copy of the email sent in the body of the auto-replied message . Third , by sending multiple password reset emails , he says the attacker could trigger the victim to ask for an explanation , below , which could contain the malicious password link . Golunski saidVulnerability-related.DiscoverVulnerabilityhe reportedVulnerability-related.DiscoverVulnerabilitythe issue to WordPress ’ s security team multiple times , initially more than 10 months ago in July 2016 . The researcher told Threatpost that WordPress never outright rejected his claim – he says WordPress told him it was working on the issue – but acknowledged that too much time has passed without a clear resolution , something which prompted him to release detailsVulnerability-related.DiscoverVulnerabilityon the bug on Wednesday . Campbell said that it ’ s possible WordPress will patchVulnerability-related.PatchVulnerabilitythe issue , even if just for poorly configured servers , but acknowledged he didn ’ t have a timetable for the fix . Concerned WordPress users should follow a public ticket that was started for the issue last July , Campbell added . While there ’ s no official fix availableVulnerability-related.PatchVulnerabilityyet , Golunski says users can enable the UseCanonicalName setting on Apache to enforce a static SERVER_NAME value to ensure it doesn ’ t get modified . Golunski has had his hands full findingVulnerability-related.DiscoverVulnerabilityvulnerabilities related to PHP-based email platforms . He discoveredVulnerability-related.DiscoverVulnerabilitya remote code execution bug in SquirrelMail in January that disclosedVulnerability-related.DiscoverVulnerabilityand quickly patchedVulnerability-related.PatchVulnerabilitylast month and similar RCE bugs in PHPMailer and SwiftMailer , libraries used to send emails via PHP , at the end of 2016 .
Last week , Intel revealedVulnerability-related.DiscoverVulnerabilitythat a serious security flaw in some of its chips left potentially thousands of devices vulnerable to attackers . Then , security researchers revealedVulnerability-related.DiscoverVulnerabilitythe problem was way worse than anyone initially thought as the vulnerability could allow attackers to remotely `` hijack '' affected machines . It 's still not clear just how many devices are impactedVulnerability-related.DiscoverVulnerabilityas Intel has't said , but some in the industry have put the number as high as 8,000 . Here 's a look at what you need to know and how to protect yourself . The vulnerability stems from something called Intel Active Management Technology , ( AMT ) , a technology that allows devices to be remotely managed to make it easier to update software and perform maintenance remotely . It 's a feature typically used by businesses that may be responsible for many devices that may not all be in the same place . Since the technology is integrated at a chip level , AMT can do a bit more than other software-enabled management tools . Using AMT 's capabilities , for instance , a system administrator could remotely access and control a computer 's mouse and keyboard , or turn on a computer that 's already been powered down . While those can be helpful capabilities for corporate IT departments to have , it 's obviously the type of access you 'd want locked down pretty tightly . And that 's just the problem . Security researchers found that AMT 's web portal can be accessed with just the user admin and literally any password or even no password at all . That 's why some have labeled it a `` hijacking '' flaw since anyone who exploits the vulnerability would be able to remotely control so many processes . Most importantly , the flaw does n't impactVulnerability-related.DiscoverVulnerabilityevery Intel chip out there . Since it 's rooted inVulnerability-related.DiscoverVulnerabilityAMT , the vulnerability primarily affectsVulnerability-related.DiscoverVulnerabilitybusinesses , though , as Intel points out , some consumers use computers made for businesses . One of the easiest ways to check if you might be affected is to check that Intel sticker that comes on so many PCs . Look for a `` VPro '' logo as that indicates the presence of AMT . Of course , looking for a sticker is hardly foolproof . Intel has also released a downloadable detections guide , which will guide you through the process of checking your machines . You can find the detection guide here . Though Intel has long supplied Apple with chips for Macs , AMT is only present on processors in Windows-based machines , so all Macs are safe from this particular exploit . If you do have a machine that 's impacted by the security flaw , you 'll need to update your firmware as soon as possible . Intel has already createdVulnerability-related.PatchVulnerabilitya patch and is now waiting on manufacturers to make it availableVulnerability-related.PatchVulnerability. Some , including Dell , Lenovo , HP , and Fujitsu , have already rolled it out . You can find links to those over on Intel 's website , which will be updatedVulnerability-related.PatchVulnerabilityas more manufacturers releaseVulnerability-related.PatchVulnerabilityupdates .