An exploit in the Android operating system means almost 40 percent of users are vulnerable Vulnerability-related.DiscoverVulnerability to screen-hijacking apps , but it is unlikely to be fixed Vulnerability-related.PatchVulnerability until winter . The bug , which was first spotted Vulnerability-related.DiscoverVulnerability by researchers at Check Point , is caused by a development oversight in Android permissions , which in the past required users to manually grant downloaded applications the ability to display content on top of other app panes . However following complaints from users who found it difficult to manually whitelist each app , the Android 6.0.1 'Marshmallow ' update made this process automatic , which was good news for legitimate apps like WhatsApp and Facebook Messenger . It appears that fix has meant apps hiding malicious codes are able to bypass security also being automatically granted the same access , specifically the 'SYSTEM_ALERT_WINDOW ' permission . According to Google 's own statistics , the vulnerability will be active Vulnerability-related.DiscoverVulnerability on close to 40 percent of all Android devices . `` As a temporary solution , Google applied Vulnerability-related.PatchVulnerability a patch in Android version 6.0.1 that allows the Play Store app to grant run-time permissions , which are later used to grant SYSTEM_ALERT_WINDOW permission to apps installed from the app store , '' the Check Point research team explained in a blog post . `` This means that a malicious app downloaded directly from the app store will be automatically granted this dangerous permission . '' This permission is particularly dangerous as it allows an app to display over any other app , without notifying the user . This means apps are able to display fraudulent adverts or links to content hosting malicious code , which are heavily used in banking Trojans . `` It can also be used by ransomware to create a persistent on-top screen that will prevent non-technical users from accessing their devices , '' explained the team . This particular permissions exploit is used by 74 percent of all ransomware , 57 percent of adware and 14 percent of banker malware , according to the report , clearly demonstrating that this is a widespread tactic in the wild . What 's worrying is that Google has stated that a fix will be available Vulnerability-related.PatchVulnerability in time for the release of Android O , which is n't expected until late summer . In the meantime , Check Point has urged users to beware of dodgy-looking apps and to check the comments left by other users . Although the Play Store is able to police the apps being uploaded to its platform , malicious content is repeatedly bypassing security checks . Check Point recently disclosed the discovery of a new malware strain hidden inside game guides hosted on the Play Store , thought to have infected close to two million Android devices over the past seven months .

A security flaw affecting Vulnerability-related.DiscoverVulnerability LibreOffice and Apache OpenOffice has been fixed Vulnerability-related.PatchVulnerability in one of the two open-source office suites . The other still appears to be vulnerable Vulnerability-related.DiscoverVulnerability . Before attempting to guess which app has yet to be patched Vulnerability-related.PatchVulnerability , consider that Apache OpenOffice for years has struggled attract more contributors . And though the number of people adding code to the project has grown since last we checked , the project missed its recent January report to the Apache Foundation . The upshot is : security holes are n't being patched Vulnerability-related.PatchVulnerability , it seems . The issue , identified Vulnerability-related.DiscoverVulnerability by security researcher Alex Inführ , is that there 's a way to achieve remote code execution by triggering an event embedded in an ODT ( OpenDocument Text ) file . In a blog post on Friday , Inführ explains Vulnerability-related.DiscoverVulnerability how he found Vulnerability-related.DiscoverVulnerability a way to abuse the OpenDocument scripting framework by adding an onmouseover event to a link in an ODT file . The event , which fires when a user 's mouse pointer moves over the link , can traverse local directories and execute a local Python script . After trying various approaches to exploit the vulnerability , Inführ found Vulnerability-related.DiscoverVulnerability that he could rig the event to call a specific function within a Python file included with the Python interpreter that ships with LibreOffice . `` For the solution I looked into the Python parsing code a little more in depth and discovered that it is not only possible to specify the function you want to call inside a python script , but it is possible to pass parameters as well , '' he said . The exploit was tested on Windows , and should work on Linux , too . Inführ says Vulnerability-related.DiscoverVulnerability he reported Vulnerability-related.DiscoverVulnerability the bug on October 18 and it was fixed Vulnerability-related.PatchVulnerability in LibreOffice by the end of the month . RedHat assigned Vulnerability-related.DiscoverVulnerability it CVE-2018-16858 in mid-November and gave Inführ a disclosure Vulnerability-related.DiscoverVulnerability date of January 31 , 2019 . When he published Vulnerability-related.DiscoverVulnerability on February 1 , in conjunction with the LibreOffice fix notification , OpenOffice still had not been patched Vulnerability-related.PatchVulnerability . Inführ says Vulnerability-related.DiscoverVulnerability he reconfirmed Vulnerability-related.DiscoverVulnerability that he could go ahead with disclosure Vulnerability-related.DiscoverVulnerability even though OpenOffice 4.16 has yet to be fixed Vulnerability-related.PatchVulnerability . His proof-of-concept exploit does n't work with OpenOffice out-of-the-box because the software does n't allow parameters to be passed in the same way as the unpatched version of LibreOffice did . However , he says Vulnerability-related.DiscoverVulnerability that the path traversal issue can still be abused to execute a local Python file and cause further mischief and damage . We 're imagining specifically targeted netizens being tricked Attack.Phishing into opening a ZIP file , unpacking an ODT and Python script , and then the ODT document attempting to execute the Python script when the victim rolls their mouse over a link , for instance . The Register tried to reach two OpenOffice contributors to find out what 's going on . We 've not heard back . According to Inführ , OpenOffice users can mitigate the risk by removing or renaming the pythonscript.py file in the installation folder .

Western Digital My Cloud NAS devices have again been found Vulnerability-related.DiscoverVulnerability wanting in the security department , as two set of researchers have revealed Vulnerability-related.DiscoverVulnerability a number of serious flaws in the devices ’ firmware . WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization ’ s office , and can be accessed either from a desktop located on the same network or remotely , with a smartphone , from wherever else in the world . Users can interact with it either via the administrative user interface or an application ( that uses a RESTful API ) . Zenofex , a member of the Exploitee.rs team , revealed Vulnerability-related.DiscoverVulnerability the existence of a login bypass issue , several command injection flaws , and a number of other bugs on Saturday . Then , on Tuesday , researchers with the SEC Consult Vulnerability Lab published a security advisory warning about : “ Due to [ no anti-CSRF mechanisms ] , an attacker can force a user to execute any action through any script . As the [ OS command injection and unauthenticated arbitrary file upload vulnerabilities ] do not need authentication , those can be exploited Vulnerability-related.DiscoverVulnerability via CSRF over the Internet as well ! ” , the researchers noted . SEC consult found Vulnerability-related.DiscoverVulnerability the flaws in version 2.11.157 of the firmware on a My Cloud EX2 device , but they believe that other My Cloud devices are almost surely vulnerable Vulnerability-related.DiscoverVulnerability as well , as the same ( or pretty much the same ) firmware is used on all of them . Zenofex did his testing on a My Cloud PR4100 device , but also noted that other My Cloud devices are vulnerable Vulnerability-related.DiscoverVulnerability to the same issues . In the wake of these latest revelations , Securify researchers again pointed to their own research and security advisories from January 2017 dealing with the same or similar vulnerabilities , found Vulnerability-related.DiscoverVulnerability on versions 2.21.119 and 2.21.126 of the firmware . All three groups say that the issues have yet to be fixed Vulnerability-related.PatchVulnerability by Western Digital . SEC Consult researchers complained about the company slow reaction to their responsable disclosure Vulnerability-related.DiscoverVulnerability efforts , while Zenofex noted that the company ’ s dismal reputation when it comes to patching Vulnerability-related.PatchVulnerability reported issues . So , he opted for public disclosure Vulnerability-related.DiscoverVulnerability , in the hopes that this will push the company to pick up the pace . “ Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure Vulnerability-related.DiscoverVulnerability is worked out . Instead we ’ re attempting to alert Vulnerability-related.DiscoverVulnerability the community of the flaws and hoping that users remove their devices from any public facing portions of their networks , limiting access wherever possible , ” he noted .