HP has warned. Computer and printer giant HP has flagged two critical flaws across over a hundred different printer models that it says should be patched "as soon as possible". Owners of numerous HP Inkjet models will need to install new firmware for each of the affected models from its Officejet, Deskjet and Envy lines, as well as its larger-form business printers, including DesignJet and PageWide Pro printers. Multiple models from each product line are affected, so customers and consumers should scroll through HP's advisory to check whether their specific model is affected. Customers should also check HP's support pages for how to install the firmware updates, which can be done directly from the printer for web-enabled printers — mostly those released after 2010 — or via the Windows or Mac computers they're networked with. The bugs, which have been assigned the numbers CVE-2018-5924 and CVE-2018-5925, are rated "critical" and could allow remote code execution. "Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution," HP notes in an advisory. The company hasn't indicated whether the flaws are publicly known or under attack, but says it was "recently made aware of a vulnerability in certain inkjet printers by a third-party researcher."
The patches come just a few days after HP Inc announced it would soon launch its printer bug bounty, which it describes as the world's first and only print security bug bounty program. The computer maker is partnering with Australian-founded Bugcrowd to manage the program, which will validate the bug reports and pay researchers between $500 and $10,000, depending on their severity. It's one of Bugcrowd's "private programs", so only researchers who are invited can submit bug reports. Printers are a soft spot for organizations because chief information security officers (CISOs) usually don't get involved in their purchase, according to a member of HP's security advisory board, MedSec CEO Justine Bone. "CISOs are rarely involved in printing purchase decisions yet play a critical role in the overall health and security of their organization," said Bone. "For decades, HP has made cybersecurity a priority rather than an afterthought by engineering business printers with powerful layers of protection. And in doing so, HP is helping to support the valuable role CISOs play in organizations of every size."
The Google Doc phishing scam that conned over a million users this week illustrates how attackers cleverly respond to more widespread end-user awareness of how phishing attacks work. The attack didn't ask users to enter credentials. Instead, it exhibited very few traditional phishing-scam behaviors and couldn't have been detected by endpoint protections. Some researchers are calling this attack a "game changer" that could be just the start of a new wave of attacks that take advantage of the third-party authentication connections rampant in the cloud services-based economy. The attack tricked victims into clicking a link that gave attackers access to their Google Drive through the OAuth authentication connections commonly used by third-party applications. The attackers did so by sending victims lure messages claiming to contain links to a shared Google Doc. Instead of a legitimate document, the link actually initiates a process to give a phony app masquerading as "Google Docs" access to the user's Google account. If the user is already logged into Google, the connection routes that app to an OAuth permissions page asking the user to "Allow" access to the user's legitimate Google Drive. "You aren't giving your Google credentials directly to the attacker. Rather, OAuth gives the attacker permissions to act on behalf of your account. You're on the real Google permissions page. OAuth is a legitimate way to give third-party applications access to your account. The application name is 'Google Docs,' which is fake but convincing," says Jordan Wright, R&D engineer for Duo Security. "So unless you know that Google Docs won't ask for your permissions, there is little you could use to determine that this was fake."
The lure emails appear to come from Google Drive from a previous victim, making it difficult to detect as a fakeout, says Travis Smith, senior security researcher at Tripwire. "Not only does this have a casual appearance of being legitimate, by being part of the official marketplace the link in the email went back directly to legitimate Google servers," says Smith. "For those that are trained to validate the link before clicking on it, this passes two of the common techniques the majority of internet users are trained to apply before clicking on every link they come across: 'Does it come from someone you trust, and validate the link is going to a trusted source?'" The only big tip-off is that many of the messages seem to have a suspicious account, hhhhhhhhhhhhhhhh@mailinator.com, cc'd on the message, says John Bambenek, threat research manager at Fidelis Cybersecurity. He says the attack shows the glaring problem with OAuth, namely that it allows passive authentication. Netskope's analysis found that a number of enterprise users across various industries ended up falling prey to this attack. Google worked to quickly block the attack, but there was a window of opportunity in that time between compromise and mitigation where emails, contacts, attachments and whatever else on a Google account could have been purloined, he warns. "If an enterprise has identified that their users have granted access to the app in this attack, we recommend they conduct a full audit of the activities that were performed in Google Gmail after the permissions were granted to the app," Balupari writes.
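The audit Netskope recommends, as an added example that is not part of the original article: given an export of third-party OAuth grants and mailbox activity, flag grants whose display name impersonates a Google product while requesting mail or contacts access, then return the user's activity from the grant time onward. The record layouts, field names and sample values are constructed assumptions, not a real admin-console schema.

```python
from datetime import datetime, timezone

# Constructed sample of third-party OAuth grants, in the shape an admin might
# export from a token report (field names are assumptions, not a real schema).
GRANTS = [
    {"user": "alice@example.com", "app_name": "Google Docs",
     "client_id": "hypothetical-client-1.apps.googleusercontent.com",
     "scopes": ["https://mail.google.com/",
                "https://www.googleapis.com/auth/contacts"],
     "granted_at": "2017-05-03T18:05:00Z"},
    {"user": "bob@example.com", "app_name": "Team Calendar",
     "client_id": "hypothetical-client-2.apps.googleusercontent.com",
     "scopes": ["openid", "email"],
     "granted_at": "2017-04-20T09:00:00Z"},
]

# Constructed sample Gmail activity records for the audit step.
EVENTS = [
    {"user": "alice@example.com", "time": "2017-05-03T17:50:00Z", "action": "read"},
    {"user": "alice@example.com", "time": "2017-05-03T18:06:00Z", "action": "send"},
    {"user": "alice@example.com", "time": "2017-05-03T18:07:00Z", "action": "contacts.list"},
    {"user": "bob@example.com",   "time": "2017-05-03T18:08:00Z", "action": "send"},
]

# First-party Google products never show up as third-party consent grants,
# so a grant carrying one of these names is an impersonation signal.
IMPERSONATED_NAMES = {"google docs", "google drive", "gmail"}
# Scopes that let a third party read or send mail and enumerate contacts.
HIGH_RISK_SCOPES = {"https://mail.google.com/",
                    "https://www.googleapis.com/auth/contacts",
                    "https://www.googleapis.com/auth/gmail.readonly"}

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def suspicious_grants(grants):
    """Grants that impersonate a Google product AND hold mail/contacts scopes."""
    return [g for g in grants
            if g["app_name"].strip().lower() in IMPERSONATED_NAMES
            and HIGH_RISK_SCOPES & set(g["scopes"])]

def activity_after_grant(grant, events):
    """The user's activity at or after the grant time: the window to audit."""
    t0 = parse_ts(grant["granted_at"])
    return [e for e in events
            if e["user"] == grant["user"] and parse_ts(e["time"]) >= t0]

if __name__ == "__main__":
    for g in suspicious_grants(GRANTS):
        print(g["user"], g["app_name"], g["client_id"])
        for e in activity_after_grant(g, EVENTS):
            print("  ", e["time"], e["action"])
```

Revoking the flagged grant closes the window going forward; the returned activity list is what still has to be reviewed for mail sent or contacts read while the token was valid.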