THAT UN-PATCHABLE FLAW in the Nintendo Switch? Yeah, the Japanese gaming firm has only gone and fixed it, according to console hacker Michael.
Michael, who goes by the Twitter handle @SciresM, tweeted that it's bad news for console hackers and Nintendo is pushing out new console models with a fix that stops tech-savvy folks from messing around with the software that the hybrid games console can boot with.
The flaw was thought to be un-patchable as it affected the Nvidia Tegra X1 chip that sits at the heart of the console. But Nintendo hates piracy more than most games firms, and as such, will release new versions of the Switch that don't have the silicon-level flaw in them.
The patch involves using a system called 'iPatches' which updates parts of the code applying to the Tegra X1's fuses, which plugs the boot hacking exploit. Current consoles out in the wild will still be vulnerable due to the patch needing to be applied at a hardware level, but new models won't be susceptible to the hack.
But there's a bit of an odd situation here, as the new consoles will come running 4.1.0 versions of the Switch firmware; the latest Switch firmware is 5.1.0. So while the new Switches will come off the production line immune to the Tegra X1 exploit, they will still be vulnerable to other hacking techniques.
With this in mind, Michael advises that people keen to crack into their Switch consoles should not apply any updates, as the older the console's firmware is, the easier it is to hack. So while the un-patchable flaw may have been fixed, the current iteration of the Switch is still not un-hackable.
Not that hacking the Switch is a good idea if you want to run pirated games, as Nintendo takes a very dim view of that and cracks down so hard on pirates that it'll permanently ban any console caught with bootlegged software from its online network.
With The Legend of Zelda: Breath of the Wild and Mario Odyssey alone there are tens of hours of gaming to be had on the Switch, let alone all the stuff that's incoming and the suite of indie titles the console supports. So if you desperately need to hack the Switch to play more games, perhaps it's time to take a break from gaming and go out into the sun; we hear the UK is lovely at the moment.
Oracle has released a wide-ranging security update to address more than 300 CVE-listed vulnerabilities in its various enterprise products. The October release covers the gamut of Oracle's offerings, including its flagship Database, E-Business Suite, and Fusion Middleware packages.
For Database, the update addresses a total of three flaws. Two of the vulnerabilities (CVE-2018-3259 and CVE-2018-3299) can be remotely exploited without authentication, while the third, CVE-2018-7489, would require the user to have a Rapid Home Provisioning account to execute and is considered by far the least severe of the three. Oracle noted that all three bugs only impact the server versions of Database; user clients are not considered to be vulnerable.
For Fusion Middleware, the update will include a total of 56 CVE-listed flaws, including 12 that are remotely exploitable with CVSS base scores of 9.8, meaning an exploit would be fairly easy to pull off and offer near total control of the target machine. Of those 12, five were for critical flaws in WebLogic Server.
Java SE will get 12 security fixes, with all but one being for remotely exploitable vulnerabilities in that platform. Oracle notes that though the CVSS scores for the flaws are fairly high, Solaris and Linux machines running software with lower user privileges will be considered to be at a lower risk than Windows environments that typically operate with admin privileges.
MySQL was the target of 38 CVE-listed bug fixes this month, though just three of those are remotely exploitable. The two most serious, CVE-2018-11776 and CVE-2018-8014, concern remote code flaws in MySQL Enterprise Monitor.
PeopleSoft will see 24 bug fixes, 21 of which can be remotely targeted and seven that would not require any user interaction. Just one of the 24 flaws was given a CVSS base score higher than 7.2 in the Oracle listing.
Sun products were the subject of 19 security fixes, including two remote code execution flaws in XCP Firmware.
libssh bug more like "oh SSH…"
Once admins get the Oracle patches in place, they will want to take a close look at the write-up for CVE-2018-10933, an authentication bypass for libssh that would allow an attacker to get into a target machine by sending a "SSH2_MSG_USERAUTH_SUCCESS" message when it expects a "SSH2_MSG_USERAUTH_REQUEST" message. That means any miscreant can log in without a password or other credential. As you can imagine, this is a very bad thing.
Fortunately, the bug does not affect OpenSSH – and thus does not affect the hugely widespread sshd and ssh tools – but rather applications, such as KDE and XBMC, that use libssh as a dependency.
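The defensive side of the libssh issue described above, as an added example that is not libssh's code: a server-side dispatcher that accepts only the message types valid for a server in the current session state, so a client-sent SSH2_MSG_USERAUTH_SUCCESS is rejected rather than processed. The class names, the `replay` helper and the credential callback are assumptions made for illustration; the message numbers are those assigned in RFC 4252 and RFC 4254.

```python
# Added illustration; not libssh code. Numbers per RFC 4252 / RFC 4254.
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52
SSH2_MSG_CHANNEL_OPEN = 90

# Message types a *server* may accept from a client, per session state.
# USERAUTH_SUCCESS/FAILURE are server-to-client only, so they never appear.
SERVER_ACCEPTS = {
    "unauthenticated": {SSH2_MSG_USERAUTH_REQUEST},
    "authenticated": {SSH2_MSG_CHANNEL_OPEN},
}

class ProtocolError(Exception):
    """Raised when a peer sends a message that is invalid for the state."""

class ServerSession:
    def __init__(self, check_credentials):
        self.state = "unauthenticated"
        self._check = check_credentials  # hypothetical: (user, secret) -> bool

    def handle(self, msg_type, payload=None):
        # Filter first: the decision depends on our role and state only,
        # never on what the peer claims has already happened.
        if msg_type not in SERVER_ACCEPTS[self.state]:
            raise ProtocolError(f"message {msg_type} not allowed while {self.state}")
        if msg_type == SSH2_MSG_USERAUTH_REQUEST:
            user, secret = payload
            if self._check(user, secret):
                self.state = "authenticated"  # the only path into this state
                return SSH2_MSG_USERAUTH_SUCCESS
            return SSH2_MSG_USERAUTH_FAILURE
        return "channel-open-accepted"

def replay(messages, check_credentials):
    """Feed constructed (msg_type, payload) pairs to a fresh session."""
    session = ServerSession(check_credentials)
    results = []
    for msg_type, payload in messages:
        try:
            results.append(session.handle(msg_type, payload))
        except ProtocolError:
            results.append("rejected")
    return session.state, results
```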
An unpatched vulnerability in the Magento e-commerce platform could allow hackers to upload and execute malicious code on web servers that host online shops.
The flaw was discovered by researchers from security consultancy DefenseCode and is located in a feature that retrieves preview images for videos hosted on Vimeo. Such videos can be added to product listings in Magento.
The DefenseCode researchers determined that if the image URL points to a different file, for example a PHP script, Magento will download the file in order to validate it. If the file is not an image, the platform will return a "Disallowed file type" error, but won't actually remove it from the server.
An attacker with access to exploit this flaw could achieve remote code execution by first tricking Magento into downloading an .htaccess configuration file that enables PHP execution inside the download directory and then downloading the malicious PHP file itself.
Once on the server, the PHP script can act as a backdoor and can be accessed from an external location by pointing the browser to it. For example, attackers could use it to browse the server directories and read the database password from Magento's configuration file. This can expose customer information stored in the database, which in the case of online shops, can be very sensitive.
The only limitation is that this vulnerability cannot be exploited directly because the video-linking functionality requires authentication. This means attackers need to have access to an account on the targeted website, but this can be a lower-privileged user and not necessarily an administrator.
The authentication obstacle can also be easily overcome if the website doesn't have the "Add Secret Key to URLs" option turned on. This option is intended to prevent cross-site request forgery (CSRF) attacks and is enabled by default. CSRF is an attack technique that involves forcing a user's browser to perform an unauthorized request on a website when visiting a different one.
"The attack can be constructed as simple as <img src=… in an email or a public message board, which will automatically trigger the arbitrary file upload if a user is currently logged into Magento," the DefenseCode researchers said in an advisory. "An attacker can also entice the user to open a CSRF link using social engineering."
This means that by simply clicking on a link in an email or by visiting a specifically crafted web page, users who have active Magento sessions in their browser might have their accounts abused to compromise websites.
The DefenseCode researchers claim that they reported these issues to the Magento developers back in November, but have received no information regarding patching plans since then. Several versions of the Magento Community Edition (CE) have been released since November, the most recent one being 2.1.6 on Tuesday. According to DefenseCode, all Magento CE versions continue to be vulnerable, which is what prompted them to go public about the flaw.
“We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild,” Magento, the company that oversees development of the e-commerce platform, said in an emailed statement. “We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes.”
"All users are strongly advised to enforce the use of 'Add Secret Key to URLs' which mitigates the CSRF attack vector," the DefenseCode researchers said. "To prevent remote code execution through arbitrary file upload the server should be configured to disallow .htaccess files in affected directories."
Magento is used by over 250,000 online retailers, making it an attractive target for hackers. Last year, researchers found thousands of Magento-based online shops that had been compromised and infected with malicious code that skimmed payment card details.
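The download-then-validate weakness described above, turned around as an added defensive example that is not Magento's code: content is validated before anything is written to the web-served directory, the stored extension comes from the validator rather than the remote URL, and an audit helper lists files that should not be in the media directory (leftovers from rejected downloads, a dropped .htaccess). The function names, the signature allow-list and the directory layout are assumptions made for illustration.

```python
import os

# Added illustration; not Magento code. Allow-list keyed by leading bytes.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

class DisallowedFileType(Exception):
    """The fetched content is not an allow-listed image."""

def sniff_extension(data):
    """Return the extension implied by the content, or None if not an image."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None

def store_preview_image(data, media_dir, requested_name):
    """Write a fetched preview only after its content passes validation.

    Nothing touches media_dir on rejection, and the stored name and
    extension come from the validator, never from the remote URL.
    """
    ext = sniff_extension(data)
    if ext is None:
        raise DisallowedFileType(requested_name)
    stem = os.path.splitext(os.path.basename(requested_name))[0]
    stem = "".join(c for c in stem if c.isalnum() or c in "-_") or "preview"
    final = os.path.join(media_dir, stem + ext)
    with open(final, "wb") as fh:
        fh.write(data)
    return final

def audit_media_dir(media_dir):
    """List files under media_dir whose content is not an allow-listed image,
    e.g. leftovers from rejected downloads or a dropped .htaccess."""
    findings = []
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if sniff_extension(fh.read(16)) is None:
                    findings.append(os.path.relpath(path, media_dir))
    return sorted(findings)
```

Checking leading bytes is a minimal content test; forcing the stored extension is what keeps a file from being served under a name of the requester's choosing, alongside the advisory's recommendation to disallow .htaccess files in the directory.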