A flaw in the mobile Safari browser has been exploited by cybercriminals and used to extort money from individuals who have previously used their mobile device to view pornography or other illegal content. The Safari scareware prevents the user from accessing the Internet on their device by loading a series of pop-up messages. A popup is displayed advising the user that Safari cannot open the requested page. Clicking on OK to close the message triggers another popup warning. Safari is then locked in an endless loop of popup messages that cannot be closed. A message is displayed in the background claiming the device has been locked because the user has been discovered to have viewed illegal web content. Some users have reported messages containing Interpol banners, which are intended to make the user think the lock has been put on their phone by law enforcement. The only way of unlocking the device, according to the messages, is to pay a fine. One of the domains used by the attackers is police-pay.com; however, few users would likely be fooled into thinking the browser lock was implemented by a police department as the fine had to be paid in the form of an iTunes gift card. Other messages threaten the user with police action if payment is not made. The attackers claim they will send the user’s browsing history and downloaded files to the Metropolitan Police if the ransom is not paid.
As part of its monthly Update Tuesday, Microsoft announced this week that they’ve released a preliminary fix for a vulnerability rated important, and present in all supported versions of Windows in circulation (basically any client or server version of Windows from 2008 onward). The flaw affects the Credential Security Support Provider (CredSSP) protocol, which is used in all instances of Windows’ Remote Desktop Protocol (RDP) and Remote Management (WinRM). The vulnerability, CVE-2018-0886, could allow remote code execution via a physical or wifi-based Man-in-the-Middle attack, where the attacker steals session data, including local user credentials, during the CredSSP authentication process. Although Microsoft says the bug has not yet been exploited, it could cause serious damage if left unpatched. RDP is widely used in enterprise environments and an attacker who successfully exploits this bug could use it to gain a foothold from which to pivot and escalate. It’s also popular with small businesses who outsource their IT administration and, needless to say, an attacker with an admin account has all the aces. Security researchers at Preempt say they discovered and disclosed this vulnerability to Microsoft last August, and Microsoft has been working since then to create the patch released this week. Now it’s out there, it’s a race against time to make sure you aren’t an easy target for an attacker who wants to try and kick the tires on this vulnerability.
Obviously, patch as soon as possible and please follow Microsoft’s guidance carefully: Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers. We recommend that administrators apply the policy and set it to “Force updated clients” or “Mitigated” on client and server computers as soon as possible. These changes will require a reboot of the affected systems. Pay close attention to Group Policy or registry settings pairs that result in “Blocked” interactions between clients and servers in the compatibility table later in this article. Both the “Force updated clients” and “Mitigated” settings prevent RDP clients from falling back to insecure versions of CredSSP. The “Force updated clients” setting will not allow services that use CredSSP to accept unpatched clients but “Mitigated” will.
Adobe has released a priority update to plug a critical security flaw in its popular Flash Player on Windows. As per an official announcement by the company, the latest patch will address issues in Adobe Flash Player 29.0.0.171 and other earlier versions. The vulnerabilities, according to Adobe, are being used by hackers to embed malicious content distributed via email. Security firm Icebrg on Thursday announced that a zero-day vulnerability has led to exploitation in Adobe Flash specifically targeted towards users in the Middle East. The vulnerability (CVE-2018-5002) enables attackers to execute certain actions by executing code on the victims' computers. As per the blog post, the exploit uses a Microsoft Office document for the attack. To circumvent the fact that Adobe Flash is blocked on most browsers, the exploit involves loading Flash Player from within Microsoft Office. The flaw was reported by Icebrg in collaboration with Qihoo 360 Core Security. "While this attack leveraged a zero-day exploit, individual attacker actions do not happen in isolation. There are several other behavioural aspects that can be used for detection. Any single observable might be low confidence but multiple observables clustered might be indicative of suspicious or malicious activity," said Icebrg staff in its blog post. Of course, this is not the first instance wherein Flash Player's vulnerabilities have been exploited. Back in October last year, the company had issued a security patch to fix a critical leak. Users have been strongly recommended to update Adobe Flash in order to avoid any such vulnerabilities seeping into your machines.
The update, however, does not guarantee protection against future flaws. It is thus advised to enable Flash only on a secondary browser that is not the main one used on the computer.
A serious vulnerability in a widely used, and widely forked, jQuery file upload plugin may have been exploited for years by hackers to seize control of websites – and is only now patched. Larry Cashdollar, a bug-hunter at Akamai, explained late last week how the security shortcoming, designated CVE-2018-9206, allows a miscreant to upload and execute arbitrary code as root on a website that uses the vulnerable code with the Apache web server. This would potentially allow an attacker to, among other things, upload and run a webshell to execute commands on the target machine to steal data, change files, distribute malware, and so on. Cashdollar – real name, he swears – was able to track the flaw down to Sebastian Tschan's open-source jQuery File Upload tool, and got the developer to fix it in version 9.22.1. The flaw stems from a change to the Apache web server, from version 2.3.9 and onwards, that disabled support for .htaccess security configuration files, which left projects like jQuery File Upload open to exploitation. Additionally, Cashdollar noted, it is almost certain he was not the first person to come across this simple vulnerability. Demonstration videos on YouTube suggest similar flaws are known to miscreants, and have been targeted in some circles for years. "The internet relies on many security controls every day in order to keep our systems, data, and transactions safe and secure," Cashdollar said.
"If one of these controls suddenly doesn't exist it may put security at risk unknowingly to the users and software developers relying on them." So, it's believed hackers have been quietly exploiting the bug for several years as the flaw itself is fairly trivial and also eight years old. Now that details of the vulnerability are public, exploit code has been produced, for example, here, and may be handy if you wish to test whether or not your website is vulnerable to CVE-2018-9206. In any case, loads of people now know about it, so that means more miscreants menacing and hijacking vulnerable websites.
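The silent loss of the .htaccess control described above can be audited on your own servers. The following is an added example, not code from the article, Akamai or the jQuery File Upload project: it works out whether the .htaccess file in a given directory is honoured or ignored, using the fact that Apache's `AllowOverride` default changed from `All` to `None` in 2.3.9. The configuration text, directory paths and version tuples are constructed, and only plain `<Directory "/path">` sections are handled (no globs, `<DirectoryMatch>` or virtual-host scoping).

```python
import re
from pathlib import PurePosixPath

# Plain <Directory "/path"> ... </Directory> sections only (assumption of this example).
DIR_BLOCK = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
ALLOW = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.M | re.I)


def default_allow_override(version):
    """AllowOverride defaults to All before Apache 2.3.9 and to None from 2.3.9 on."""
    return "None" if tuple(version) >= (2, 3, 9) else "All"


def parse_directory_overrides(conf_text):
    """Return [(directory, AllowOverride value)] for each section that sets it."""
    conf_text = re.sub(r'^\s*#.*$', '', conf_text, flags=re.M)  # drop comment lines
    found = []
    for path, body in DIR_BLOCK.findall(conf_text):
        values = ALLOW.findall(body)
        if values:
            found.append((PurePosixPath(path), values[-1]))
    return found


def effective_allow_override(target, overrides, version):
    """Merge sections from shortest to longest path, as Apache does for <Directory>."""
    target = PurePosixPath(target)
    value = default_allow_override(version)
    for path, setting in sorted(overrides, key=lambda o: len(o[0].parts)):
        if target == path or path in target.parents:
            value = setting
    return value


def audit(conf_text, htaccess_dirs, version):
    """Map each directory that contains a .htaccess file to 'ignored' or 'honoured (...)'."""
    overrides = parse_directory_overrides(conf_text)
    report = {}
    for directory in htaccess_dirs:
        eff = effective_allow_override(directory, overrides, version)
        # Any value other than None lets Apache read at least some .htaccess directives;
        # whether a specific directive is allowed still depends on the listed classes.
        report[directory] = "ignored" if eff.lower() == "none" else f"honoured ({eff})"
    return report


# Constructed sample: site-a opts in to .htaccess, site-b relies on the server default.
SAMPLE_CONF = '''
# constructed example configuration
<Directory "/var/www">
    Options FollowSymLinks
</Directory>
<Directory "/var/www/site-a">
    AllowOverride All
</Directory>
'''

# Constructed list of upload directories that ship a protective .htaccess file.
HTACCESS_DIRS = ["/var/www/site-a/uploads", "/var/www/site-b/uploads"]

if __name__ == "__main__":
    for version in [(2, 2, 0), (2, 4, 0)]:
        print(version, audit(SAMPLE_CONF, HTACCESS_DIRS, version))
```

Any directory reported as `ignored` needs its restrictions moved into the server configuration itself, or enforced by the application, rather than left in a file Apache never reads.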
A bloke has told how he discovered a bug in Valve's Steam marketplace that could have been exploited by thieves to steal game license keys and play pirated titles. Researcher Artem Moskowsky told The Register earlier this week that he stumbled across the vulnerability – which earned him a $20,000 bug bounty for reporting it – by accident while looking over the Steam partner portal. That's the site developers use to manage the games they make available for download from Steam. A professional bug-hunter and pentester, Moskowsky said he has been doing security research since he was in school, and for the past several years, he has made a career out of finding and reporting flaws. In this case, while looking through the Steam developer site, he noticed it was fairly easy to change parameters in an API request, and get activation keys for a selected game in return. Those keys, also known as CD keys, can be used to activate and play games downloaded from Steam. The API is provided so developers and their partners can obtain license keys for their titles to pass onto gamers. "This bug was discovered randomly during the exploration of the functionality of a web application," Moskowsky explained. "It could have been used by any attacker who had access to the portal." Essentially, anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted, and sell or distribute them for pirates to use to play games from Steam. Fetching from the /partnercdkeys/assignkeys/ API with a zero key count returned a huge bunch of activation keys.
"To exploit the vulnerability, it was necessary to make only one request," Moskowsky told El Reg. "I managed to bypass the verification of ownership of the game by changing only one parameter. After that, I could enter any ID into another parameter and get any set of keys." How severe was the flaw? Moskowsky says that, in one case, he entered a random string into the request, to pick a title at random, and in return he got 36,000 activation keys for Portal 2, a game that still retails for $9.99 in the Steam store. Fortunately for Valve, Moskowsky opted to privately come forward with the flaw via HackerOne. The programming blunder has since been fixed. As the HackerOne entry for the vulnerability shows, Moskowsky first submitted the report on the flaw in early August. Three days later, Valve handed out the $15,000 bounty as well as a $5,000 bonus for the find, though Valve only allowed the report to go public on October 31. The researcher told us this is a pretty good turnaround, and Valve in particular is very good with handling researcher requests and paying out bug bounties. Impressively, this $20,000 bounty isn't even the biggest payout Moskowsky has received from the games service. Back in July he was given a cool $25,000 for weeding out a SQL Injection bug in the same developer portal.
Researchers from Positive Technologies have unearthed a critical vulnerability (CVE-2017-6968) in Checker ATM Security by Spanish corporate group GMV Innovating Solutions. Checker ATM Security is a specialized security solution aimed at keeping ATMs safe from logical attacks. It does so by enforcing application whitelisting, full hard disk encryption, providing ACL-based control of process execution and resource access, enforcing security policies, restricting attempts to connect peripheral devices, and so on. The found flaw can be exploited to remotely run code on a targeted ATM, increase the attacker’s privileges in the system, and compromise the machine completely. “To exploit the vulnerability, a criminal would need to pose as the control server, which is possible via ARP spoofing, or by simply connecting the ATM to a criminal-controlled network connection,” researcher Georgy Zaytsev explained. “During the process of generating the public key for traffic encryption, the rogue server can cause a buffer overflow on the ATM due to failure on the client side to limit the length of response parameters and send a command for remote code execution. This can give an attacker full control over the ATM and allow a variety of manipulations, including unauthorized money withdrawal.” When informed of the vulnerability and provided with test exploits, GMV confirmed its existence and that it affects versions 4.x and 5.x of the software, and ultimately pushed out a patch, which users are urged to install as soon as possible.
Exploitation not detected in the wild

A company spokesperson has made sure to point out that there is no indication that the vulnerability has been exploited in attacks in the wild. Also, that exploitation is not that easy, as the attacker must first gain access to the ATM network and log into the target system. “Secondly, the attack is difficult to be systematically exploited in an ATM network. In order to exploit it, the attacker needs some memory address that are strongly dependent on Windows kernel version, while in Windows XP systems could be theoretically possible to take advantage of the vulnerability, in Windows 7 is almost impossible because those memory address are different in every windows installation,” the spokesperson told The Register. Like any software, security software is not immune to vulnerabilities and can open systems to exploitation. While antivirus and other security solutions for personal computers are often scrutinized and tested for flaws by third-party researchers, specialized security software has not, so far, received that amount of attention. So, it’s good to hear that some researchers have decided to focus on them, and that vendors are positively responding to vulnerability disclosures.
De Ceukelaire has discovered that he can exploit Facebook to obtain cell phone numbers of users; which they want to remain hidden. According to De Ceukelaire, he can easily identify the cell phone numbers of well-known personalities including top politicians and “Flemish” celebs simply through checking out their Facebook profile. This is done by analyzing the numbers that are associated with their profiles. It must be noted that these numbers are supposed to be confidential information and aren’t viewable by the public. Reportedly, De Ceukelaire proved his claim by obtaining the cell number of Jan Jambon, the Interior Minister for Belgium, through his Facebook profile. He further stated that: “For clarity, I could find out his number on his account, not vice versa; roughly, I think you get the number 20 percent of the Flemish people can find that way. Of all the people who have their mobile number linked to their profile goes to the 80 percent”. De Ceukelaire already warned the Facebook security team twice about this issue and stated that he might expose it to the public if the social network does not fix the issue and make necessary changes. However, according to Facebook’s representatives, this isn’t a vulnerability that has been exploited but a feature. He also notified law enforcement authorities about the exploitable aspect of this feature. “If the users enter their private phone numbers and don’t lock them down in the privacy settings section, chances of a privacy leak are quite bright”.
Facebook informed De Ceukelaire about how to control the searching criteria, that is, who can search for you through your phone number or email address but De Ceukelaire asserts that this is a privacy leak because phone numbers are visible to the public while these are supposed to remain confidential. This problem was identified way back in 2012 because the cell number’s setting could not be set to visible by “Only Me”. Facebook did make some modifications in its privacy settings feature, due to which only a limited number of reverse lookups would come from a particular IP address. This happened after a security researcher managed to access thousands of random phone numbers. But, it is apparent that the problem hasn’t been fixed even today. It is worth noting that De Ceukelaire didn’t release details about how he managed to exploit Facebook to conduct this privacy leak and whether he used any different method than previous security researchers or not. But, yet again Facebook is paying no heed to his pleas of getting this feature fixed and he has been given the same ‘Feature not Flaw’ reply this time as well.
The messages included ASCII art depicting robots and warned that the printers had been compromised and they were part of a botnet. The hacker, who uses the online alias Stackoverflowin, later said that the botnet claim was not true and that his efforts served only to raise awareness about the risks of leaving printers exposed to the internet. Stackoverflowin claims to be a high-school student from the U.K. who is interested in security research. He said that for the most part he simply sent print jobs using the Line Printer Daemon (LPD), the Internet Printing Protocol (IPP) and the RAW protocol on communications port 9100 to printers that didn't require authentication. However, he also claims to have exploited an undisclosed remote command execution (RCE) vulnerability in the web management interface of Xerox printers. The hacker estimates that up to 150,000 printers were affected by his effort, but claims to have access to more RCE flaws that he didn't use and which would have allowed him to print to over 300,000 printers. As printers around the world started printing the hacker's rogue messages on Friday, affected users took to Twitter to report the problem. From the photos they posted, it appears that many of the printers were part of point-of-sale systems. The issue of publicly exposed printers is not new and has been exploited before to print rogue and sometimes offensive messages. However, the issue was renewed last week when researchers from Ruhr-University Bochum in Germany published a paper on different attacks against network printers and an assessment of 20 printer models.
The bug could've likely been exploited to make a self-spreading worm too, according to hackers and security researchers. Steam's operator Valve announced that it fixed the bug earlier today, but with over 125 million monthly active users on its platform, the exploit could have wreaked havoc for thousands of people, and for the company itself. "Anyone who views a specially crafted profile gets popped," a white hat hacker who has found several bugs in Steam in the past, and asked to remain anonymous, told me in a Twitter DM. Several users and security researchers noticed this week that it was possible to put malicious javascript code inside a Steam user's profile page, and the code will execute whenever someone visits that profile page, without any need for the victim to click anywhere. This type of bug is known as a cross-site scripting vulnerability, or XSS, a problem that's plagued Steam for years. "Phishing scams and virus downloads are possible at the very least, but if account take overs are possible, that's about as bad as XSS gets," Jeremiah Grossman, a web security expert, said in a chat. A Valve spokesperson said the bug was fixed on Tuesday at noon, but there's no telling how long the door was open for hackers to exploit it. (The spokesperson did not immediately respond to a request for comment.) The bug was so bad that the moderators of the Steam subreddit told users to refrain from visiting other user's profiles. "Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser," a moderator wrote in the warning post.
Grossman and Jake Davis, a former LulzSec hacker, confirmed that the bug existed as of Tuesday morning and analyzed the potential attacks that bad guys could do if they were to exploit it. "If something like this were to be found on Google or Facebook, it would be a high-severity issue," said Grossman, who's the Chief of Security Strategy at security firm SentinelOne.
IOActive exposed numerous vulnerabilities found in multiple home, business, and industrial robots available on the market today. The array of vulnerabilities identified in the systems evaluated included many graded as high or critical risk, leaving the robots highly susceptible to attack. Attackers could employ the issues found to maliciously spy via the robot’s microphone and camera, leak personal or business data, and in extreme cases, cause serious physical harm or damage to people and property in the vicinity of a hacked robot. “There’s no doubt that robots and the application of Artificial Intelligence have become the new norm and the way of the future,” said Cesar Cerrudo, CTO at IOActive. “Robots will soon be everywhere – from toys to personal assistants to manufacturing workers – the list is endless. Given this proliferation, focusing on cybersecurity is vital in ensuring these robots are safe and don’t present serious cyber or physical threats to the people and organisations they’re intended to serve”. During the past six months, IOActive’s researchers tested mobile applications, robot operating systems, firmware images, and other software in order to identify the flaws in several robots from vendors, including: “In this research, we focused on home, business, and industrial robots, in addition to robot control software used by several robot vendors,” said Lucas Apa, Senior Security Consultant at IOActive. “Given the huge attack surface, we found nearly 50 cybersecurity vulnerabilities in our initial research alone, ranging from insecure communications and authentication issues, to weak cryptography, memory corruption, and privacy problems, just to name a few”.
According to Cerrudo and Apa, once a vulnerability has been exploited, a hacker could potentially gain control of the robot for cyber espionage, turn a robot into an insider threat, use a robot to expose private information, or cause a robot to perform unwanted actions when interacting with people, business operations, or other robots. In the most extreme cases, robots could be used to cause serious physical damage and harm to people and property. As robots become smarter, threats will also increase. Hacked robots could start fires in a kitchen by tampering with electricity, or potentially poison family members and pets by mixing toxic substances in with food or drinks. Family members and pets could be in further peril if a hacked robot was able to grab and manipulate sharp objects. “We have already begun to see incidents involving malfunctioning robots doing serious damage to their surroundings, from simple property damage to loss of human life, and the situation will only worsen as the industry evolves and robot adoption continues to grow,” continued Cerrudo.