LONDON — The U.K. agency tasked with fighting cyberthreats on Thursday announced a new process for the public disclosure Vulnerability-related.DiscoverVulnerability of potentially sensitive software flaws , introducing a new level of transparency to its work . The National Cyber Security Centre laid out its new procedure , called the `` Equities Process '' in a blog post that details how it makes decisions on whether to make public Vulnerability-related.DiscoverVulnerability the discovery of new flaws . National security operations sometimes hold back from announcing Vulnerability-related.DiscoverVulnerability the discovery of security flaws in part because the bugs can be used to gather intelligence . “ There ’ s got to be a good reason not to disclose , ” said Ian Levy , technical director at the NCSC . The default position , the NCSC said , is to disclose Vulnerability-related.DiscoverVulnerability those vulnerabilities to the public after fixes have been made Vulnerability-related.PatchVulnerability . The government will only keep them confidential in rare instances , such as if there ’ s an overriding intelligence reason . Levy said withholding release of a bug will require high-level government sign-off . The goal is to prevent cyberattacks Attack.Ransom like “ WannaCry , ” which paralyzed computer systems around the world in May 2017 . The attack , which the U.S. has blamed on North Korea , wrought havoc within the U.K. ’ s National Health Service ( NHS ) by exploiting vulnerabilities in an outdated version of Microsoft Windows . WannaCry underscored the dangers of not patching Vulnerability-related.PatchVulnerability or updating Vulnerability-related.PatchVulnerability software . The NCSC ’ s disclosure policy follows one implemented by the White House in 2017 . The National Security Agency ( NSA ) had come under intense pressure from transparency advocates to disclose more about its work in the wake of WannaCry . “ The best defense against a cyberattack , whether it ’ s by criminals or nation states , is to keep your box up to date , ” said Levy . “ If you patch Vulnerability-related.PatchVulnerability your software , a lot of the stuff that we ’ ve found goes away. ” The vast majority of attacks are carried out by exploiting vulnerabilities already known to the vendors of the technology in question , Levy said . Such was the case when Russian cyberoperatives hacked into British telecoms companies in 2017 . Levy said the primary goal of more transparency is to “ bang the drum ” about basic cybersecurity , like patching Vulnerability-related.PatchVulnerability and secure network setups .

Google disclosed Vulnerability-related.DiscoverVulnerability a flaw in Microsoft Edge earlier this week , after Microsoft failed to patch Vulnerability-related.PatchVulnerability the bug in time . Now Google ’ s Project Zero team of security researchers are disclosing Vulnerability-related.DiscoverVulnerability yet another Windows 10 security flaw that Microsoft has again failed to patch Vulnerability-related.PatchVulnerability before Google ’ s imposed 90-day period . Neowin spotted that Google reported Vulnerability-related.DiscoverVulnerability two bugs to Microsoft in November , but the company only addressed Vulnerability-related.PatchVulnerability one of them with its recent Patch Tuesday fixes . The latest unpatched issue is an Elevation of Privilege which allows a normal user to gain administrator privileges on a system . Microsoft has rated Vulnerability-related.DiscoverVulnerability the flaw as “ important , ” but not “ critical ” as it can ’ t be exploited Vulnerability-related.DiscoverVulnerability remotely . It ’ s still an important issue to fix Vulnerability-related.PatchVulnerability , as an attacker could potentially combine this with a separate unknown remote code execution to gain administrator access , although that ’ s an unlikely scenario unless Microsoft doesn ’ t address Vulnerability-related.PatchVulnerability it promptly . It ’ s not clear when Microsoft intends to address Vulnerability-related.PatchVulnerability the latest security flaw in Windows 10 , and the company still needs to solve Vulnerability-related.PatchVulnerability the Edge vulnerability that was disclosed Vulnerability-related.DiscoverVulnerability by Google earlier this week . Microsoft hit back at Google ’ s approach to security patches last year , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . Google ’ s policy to disclose after 90 days without a patch is often criticized and applauded in equal measure . There ’ s plenty of evidence to suggest security vulnerabilities are increasing in Windows and across the industry , and Microsoft has clearly struggled to fix Vulnerability-related.PatchVulnerability these two issues with plenty of notice . It can also be argued that Google is making rival software more secure with its efforts , making everyone ’ s software secure . However , Google also has competitive commercial interests , and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities . Reports suggest Google ’ s Project Zero security team originated from the fallout around the 2009 Google hack , an intrusion blamed on an unpatched flaw in Microsoft ’ s Internet Explorer 6 browser . Google makes exceptions to its strict rules , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability .

Microsoft and Google have been bitter rivals for at least a decade , and the pair have had several disagreements over security vulnerability disclosure Vulnerability-related.DiscoverVulnerability in recent years . Google is stoking those disagreements again this week by disclosing Vulnerability-related.DiscoverVulnerability a Microsoft Edge security flaw before a patch is available Vulnerability-related.PatchVulnerability . Neowin spotted that Google disclosed Vulnerability-related.DiscoverVulnerability the security flaw to Microsoft back in November , and the company provided 90 days for Microsoft to fix Vulnerability-related.PatchVulnerability it before going public Vulnerability-related.DiscoverVulnerability as it ’ s rated “ medium ” in terms of severity . Google also provided Microsoft with an additional 14-day grace period to have a fix available Vulnerability-related.PatchVulnerability for its monthly Patch Tuesday release in February , but Microsoft missed Vulnerability-related.PatchVulnerability this goal because “ the fix is more complex than initially anticipated. ” It ’ s not clear when Microsoft will have a fix available Vulnerability-related.PatchVulnerability , and the Google engineer responsible for reporting Vulnerability-related.DiscoverVulnerability the security flaw says because of the complexity of the fix Microsoft “ do not yet have a fixed date set as of yet. ” The public disclosure will likely anger Microsoft , once again . The software giant hit back at Google ’ s approach Vulnerability-related.PatchVulnerability to security patches last October , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . At the heart of the issue is whether Google ’ s policy to disclose after 90 days without a patch is reasonable . Google makes exceptions to this hard rule , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability . Two big and obvious exceptions to Google ’ s security disclosure rules were the recent Meltdown and Spectre bugs . Google engineers discovered Vulnerability-related.DiscoverVulnerability the CPU flaws and Intel , AMD , and others had around six months to fix Vulnerability-related.PatchVulnerability the problems before the flaws were publicly disclosed Vulnerability-related.DiscoverVulnerability earlier this year . Chrome OS and Android devices were also affected Vulnerability-related.DiscoverVulnerability by the processor flaws , along with Windows , Linux , macOS , and iOS . Google wants the industry to adopt its aggressive disclosure policies , but Microsoft has so far resisted rather publicly . This latest episode isn ’ t as critical as some of the past disclosures , but it will likely reignite the debate over whether Google , a company with competitive commercial interests , should be leading the way security flaws in rival operating systems are disclosed Vulnerability-related.DiscoverVulnerability in the public interest .

LastPass engineers have Google researcher Tavis Ormandy to thank yet again for another busy few days after the British white hat found Vulnerability-related.DiscoverVulnerability a second critical bug in the password manager . Ormandy tweeted over the weekend that he began ‘ working ’ on the research in an unusual location : “ Ah-ha , I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43 . Full report and exploit on the way. ” On Monday , LastPass responded by explaining that the Google Project Zero man had reported Vulnerability-related.DiscoverVulnerability a new client-side vulnerability in its browser extension . “ We are now actively addressing Vulnerability-related.PatchVulnerability the vulnerability . This attack is unique and highly sophisticated , ” it added . “ We don ’ t want to disclose Vulnerability-related.DiscoverVulnerability anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties . So you can expect a more detailed post mortem once this work is complete. ” The firm offered a few steps that users could take to protect themselves from client-side security issues . These include : launching sites directly from the LastPass vault ; switching on two-factor authentication for any site that offers it ; and to be constantly on the lookout for phishing attacks Attack.Phishing . It ’ s the second vulnerability in a week that Ormandy has reported Vulnerability-related.DiscoverVulnerability to LastPass . Last week , the password manager firm was forced to fix Vulnerability-related.PatchVulnerability a critical zero day that would have allowed remote code execution , enabling an attacker to steal users ’ passwords . The prolific Ormandy also helped to make the firm more secure last year when he found Vulnerability-related.DiscoverVulnerability “ a bunch of obvious critical problems ” in the service . Yet he has also publicly appeared to query the logic of using an online service which , if breached , could give up its customers ’ passwords . One Twitter follower claimed at the time : “ I 'm perplexed anyone uses an online service to store passwords. ” Ormandy responded : “ Yeah , me too . ”

Microsoft has released Vulnerability-related.PatchVulnerability an emergency security update to patch Vulnerability-related.PatchVulnerability below-reported crazy bad remote code execution vulnerability in its Microsoft Malware Protection Engine ( MMPE ) that affects Vulnerability-related.DiscoverVulnerability Windows 7 , 8.1 , RT and 10 computers , as well as Windows Server 2016 operating systems . Google Project Zero 's security researchers have discovered Vulnerability-related.DiscoverVulnerability another critical remote code execution ( RCE ) vulnerability in Microsoft ’ s Windows operating system , claiming that it is something truly bad . Tavis Ormandy announced during the weekend that he and another Project Zero researcher Natalie Silvanovich discovered Vulnerability-related.DiscoverVulnerability `` the worst Windows remote code [ execution vulnerability ] in recent memory . This is crazy bad . Report on the way . '' Ormandy did not provide Vulnerability-related.DiscoverVulnerability any further details of the Windows RCE bug , as Google gives a 90-day security disclosure deadline to all software vendors to patch Vulnerability-related.PatchVulnerability their products and disclose Vulnerability-related.DiscoverVulnerability it to the public . This means the details of the new RCE vulnerability in Windows will likely be disclosed Vulnerability-related.DiscoverVulnerability in 90 days from now even if Microsoft fails to patch Vulnerability-related.PatchVulnerability the issue . However , Ormandy later revealed Vulnerability-related.DiscoverVulnerability some details of the Windows RCE flaw , clarifying that : The vulnerability they claimed to have discovered Vulnerability-related.DiscoverVulnerability works against default Windows installations . The attacker does not need to be on the same local area network ( LAN ) as the victim , which means vulnerable Windows computers can be hacked remotely . The attack is `` wormable , '' capability to spread itself . Despite not even releasing any technical details on the RCE flaw , some IT professionals working for corporates have criticized the Google Project Zero researcher for making the existence of the vulnerability public , while Twitter 's infosec community is happy with the work . `` If a tweet is causing panic or confusion in your organization , the problem is n't the tweet , the problem is your organization , '' Project Zero researcher Natalie Silvanovich tweeted . This is not the first time when Google 's security researchers have discovered Vulnerability-related.DiscoverVulnerability flaws in Microsoft ’ s products . Most recently in February , Google researchers disclosed Vulnerability-related.DiscoverVulnerability the details of an unpatched vulnerability impacting Vulnerability-related.DiscoverVulnerability Microsoft 's Edge and Internet Explorer browsers . Microsoft released Vulnerability-related.PatchVulnerability a patch as part of its next Patch Tuesday but criticized Google for making all details public , exposing millions of its Windows users at risk of being hacked . Microsoft has not yet responded to the latest claims , but the company has its May 2017 Patch Tuesday scheduled tomorrow , May 9 , so hopefully , it will include a security patch to resolve Vulnerability-related.PatchVulnerability this issue .

Vanilla Forums open source software suffers Vulnerability-related.DiscoverVulnerability from vulnerabilities that could let an attacker gain access to user accounts , carry out web-cache poisoning attacks , and in some instances , execute arbitrary code . Popular open source forum software suffers Vulnerability-related.DiscoverVulnerability from vulnerabilities that could let an attacker gain access to user accounts , carry out web-cache poisoning attacks , and in some instances , execute arbitrary code . Legal Hackers ‘ Dawid Golunski found Vulnerability-related.DiscoverVulnerability the vulnerabilities , a host header injection and an unauthorized remote code execution vulnerability–in software which is developed by Vanilla Forums . Golunski reported Vulnerability-related.DiscoverVulnerability the issues to Vanilla Forums in January and while a support team acknowledged his reports Vulnerability-related.DiscoverVulnerability , he ’ s experienced five months of silence from the company since , something that prompted him to finally disclose Vulnerability-related.DiscoverVulnerability the vulnerabilities Thursday via his ExploitBox.io service . The researcher confirmed Vulnerability-related.DiscoverVulnerability the vulnerabilities exist in Vulnerability-related.DiscoverVulnerability the most recent , stable version ( 2.3 ) of Vanilla Forums . He presumes Vulnerability-related.DiscoverVulnerability older versions of the forum software are also vulnerable Vulnerability-related.DiscoverVulnerability . When reached Thursday , Lincoln Russell , a senior developer at Vanilla Forums stressed the vulnerabilities , which are in the middle of being fixed Vulnerability-related.PatchVulnerability , only affect Vulnerability-related.DiscoverVulnerability the company ’ s free and open source product . Golunski says Vulnerability-related.DiscoverVulnerability the most concerning vulnerability , the RCE ( CVE-2016-10033 ) stems from a PHPMailer vulnerability he disclosed Vulnerability-related.DiscoverVulnerability last December . An attacker could remotely exploit Vulnerability-related.DiscoverVulnerability the same vulnerability in Vanilla Forums by sending a web request in which a payload is passed within the HOST header . Until a fix is pushed Vulnerability-related.PatchVulnerability Golunski is encouraging users to preset the sender ’ s support email address to a static value to prevent the dynamic creation of an email address , or the use of the HOST header , as a temporary mitigation . Golunski says Vulnerability-related.DiscoverVulnerability the second issue , the host header injection vulnerability ( CVE-2016-10073 ) also affects Vulnerability-related.DiscoverVulnerability version 2.3 of the software . The issue stems from the fact that the forum software uses user-supplied HTTP HOST header when sending emails from the host on which the forum was installed . That means an attacker could use HTTP HOST header to set the email domain to an arbitrary host . It would require user interaction but if exploited Vulnerability-related.DiscoverVulnerability , it ’ s possible the bug could help an attacker intercept Attack.Databreach a password reset hash and gain access Attack.Databreach to a victim ’ s account . An attacker would have send Attack.Phishing the victim an email tricking Attack.Phishing them into clicking through a password reset link , he says . “ The resulting email will have the sender ’ s address set to noreply @ attackers_server . The password reset link will also contain the attacker ’ s server which could allow the attacker to intercept the hash if the victim user clicked on the malicious link , ” Golunski wrote Thursday . It ’ s possible the vulnerability could also lead to web-cache poisoning if the HOST header is used to form links in web responses Golunski says Vulnerability-related.DiscoverVulnerability . According to Russell , when Vanilla Forums responded to Golunski in January it told him the issue would take some time to fix Vulnerability-related.PatchVulnerability due to the “ complexity of unwinding the use of this server variable without breaking the myriad scenarios it can be used for in open source environments. ” Golunski hinted Vulnerability-related.DiscoverVulnerability at the vulnerabilities in Vanilla Forums back in December but didn ’ t name the software . When he disclosed Vulnerability-related.DiscoverVulnerability the initial PHPMailer bug the researcher mentioned that he had developed an unauthenticated RCE exploit for “ a popular open-source application ( deployed on the Internet on more than a million servers ) as a PoC for real-world exploitation. ” Both the Vanilla Forums vulnerabilities and a similar RCE vulnerability in WordPress 4.6 Golunski disclosed Vulnerability-related.DiscoverVulnerability last week both relate to PHPMailer and PHP mail ( ) function injection . “ The exploits and techniques prove that these type of vulnerabilities could be exploited Vulnerability-related.DiscoverVulnerability by unauthenticated attackers via server headers such as HOST header that may be used internally by a vulnerable application to dynamically create a sender address , ” Golunski told Threatpost Thursday , “ This adds to the originally presented attack surface of contact forms that take user input including From/Sender address . ”

The National Security Agency warned Vulnerability-related.DiscoverVulnerability Microsoft about a vulnerability in Windows after a hacker group began to leak hacking tools used by the agency online , the Washington Post reported late Tuesday . The vulnerability has been the center of attention in recent days , following the outbreak of the global “Wanna Cry” ransomware attack Attack.Ransom that crippled Britain ’ s hospital system and has spread to at least 150 countries . The ransomware is widely believed to be based on an alleged NSA hacking tool leaked by the group Shadow Brokers earlier this year . The government has not publicly acknowledged that the NSA developed the tool . “ NSA identified a risk and communicated it to Microsoft , who put out Vulnerability-related.PatchVulnerability an immediate patch , ” Mike McNerney , a former Defense Department cybersecurity official , told the Post . McNerney said , however , that no top government official emphasized the seriousness of the vulnerability . Microsoft issued Vulnerability-related.PatchVulnerability a patch for its supported systems in March , weeks before Shadow Brokers released the exploit , but many computer systems around the world remained unpatched , leaving them vulnerable to the latest ransomware attack Attack.Ransom . The ransomware campaign has been less devastating to the United States than other countries , but has affected some American companies including FedEx . The events have renewed debate over the secretive process by which the federal government decides whether to disclose Vulnerability-related.DiscoverVulnerability a zero-day vulnerability to the product ’ s manufacturer , as well as spurring scrutiny of the NSA . Microsoft president and chief legal officer Brad Smith said Sunday that the ransomware attack Attack.Ransom should serve as a “ wake-up call ” to governments not to hoard vulnerabilities . On Wednesday , a bipartisan group of lawmakers introduced legislation that would codify what is known as the vulnerabilities equities process into law , bringing more transparency and oversight to it . View the discussion thread .

As part of Unit 42 ’ s ongoing threat research , we can now disclose Vulnerability-related.DiscoverVulnerability that Palo Alto Networks Unit 42 researchers have discovered Vulnerability-related.DiscoverVulnerability two code execution vulnerabilities affecting Vulnerability-related.DiscoverVulnerability Microsoft Office that were addressed Vulnerability-related.PatchVulnerability in Microsoft ’ s May 2017 monthly security update release : For current customers with a Threat Prevention subscription , Palo Alto Networks has also released Vulnerability-related.PatchVulnerability IPS signatures providing proactive protection from these vulnerabilities . Traps , Palo Alto Networks advanced endpoint solution , can block memory corruption based exploits of this nature . Palo Alto Networks is a regular contributor to vulnerability research in Microsoft , Adobe , Apple , Google Android and other ecosystems . By proactively identifying Vulnerability-related.DiscoverVulnerability these vulnerabilities , developing protections for our customers , and sharing the information with the security community , we are removing weapons used by attackers to threaten users , and compromise enterprise , government , and service provider networks .

Home routers are the first and sometimes last line of defense for a network . Despite this fact , many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market . As security researchers , we are often disappointed to rediscover that this is not always the case , and that sometimes these vulnerabilities simply fall into our hands during our day-to-day lives . Such is the story of the two NETGEAR vulnerabilities I want to share Vulnerability-related.DiscoverVulnerability with you today : It was a cold and rainy winter night , almost a year ago , when my lovely NETGEAR VEGN2610 modem/router lost connection to the Internet . I was tucked in bed , cozy and warm , there was no way I was going downstairs to reset the modem , `` I will just reboot it through the web panel '' I thought to myself . Unfortunately I could n't remember the password and it was too late at night to check whether my roommates had it . I considered my options : Needless to say , I chose the latter . I thought to myself , `` Well , it has a web interface and I need to bypass the authentication somehow , so the web server is a good start . '' I started manually fuzzing the web server with different parameters , I tried `` .. / .. '' classic directory traversal and such , and after about 1 minute of fuzzing , I tried `` … '' and I got this response : Fig 1 : unauth.cgi `` Hmm , what is that unauth.cgi thingy ? Luckily for me the Internet connection had come back on its own , but I was now a man on a mission , so I started to look around to see if there were any known vulnerabilities for my VEGN2610 . I started looking up what that `` unauth.cgi '' page could be , and I found 2 publicly disclosed Vulnerability-related.DiscoverVulnerability exploits from 2014 , for different models that manage to do unauthenticated password disclosure . Those two guys found out Vulnerability-related.DiscoverVulnerability that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials . I tested the method described in both , and voila - I have my password , now I can go to sleep happy and satisfied . I woke up the next morning excited by the discovery , I thought to myself : `` 3 routers with same issue… Coincidence ? Luckily , I had another , older NETGEAR router laying around ; I tested it and bam ! I started asking people I knew if they have NETGEAR equipment so I could test further to see the scope of the issue . In order to make life easier for non-technical people I wrote a python script called netgore , similar to wnroast , to test for this issue . I am aware of that and that is why I do n't work as a full time programmer . As it turned out , I had an error in my code where it did n't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead , but somehow it still managed to get the credentials ! After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I have n't seen anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models . A full description of both of these findings as well as the python script used for testing can be found here . The vulnerabilities have been assigned Vulnerability-related.DiscoverVulnerability CVE-2017-5521 and TWSL2017-003 . The Responsible Disclosure Process This is where the story of discovery ends and the story of disclosure begins . Following our Responsible Disclosure policy we sent both findings Vulnerability-related.DiscoverVulnerability to NETGEAR in the beginning of April 2016 . In our initial contact , the first advisory had 18 models listed as vulnerable Vulnerability-related.DiscoverVulnerability , although six of them did n't have the vulnerability in the latest firmware . Perhaps it was fixed Vulnerability-related.PatchVulnerability as part of a different patch cycle . The second advisory included 25 models , all of which were vulnerable Vulnerability-related.DiscoverVulnerability in their latest firmware version . In June NETGEAR published a notice that provided Vulnerability-related.PatchVulnerability a fix for a small subset of vulnerable routers and a workaround for the rest . They also made the commitment to working toward 100 % coverage for all affected routers . The notice has been updated several time since then and currently contains 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability now , and 2 models that they previously listed as vulnerable Vulnerability-related.DiscoverVulnerability , but are now listed as not vulnerable Vulnerability-related.DiscoverVulnerability . In fact , our tests show that one of the models listed as not vulnerable Vulnerability-related.DiscoverVulnerability ( DGN2200v4 ) is , in fact , vulnerable and this can easily be reproduced with the POC provided in our advisory . Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch Vulnerability-related.PatchVulnerability more models . Over that time we have found Vulnerability-related.DiscoverVulnerability more vulnerable models that were not listed in the initial notice , although they were added later . We also discovered Vulnerability-related.DiscoverVulnerability that the Lenovo R3220 router is powered by NETGEAR firmware and it was vulnerable Vulnerability-related.DiscoverVulnerability as well . Luckily NETGEAR did eventually get back to us right before we were set to disclose Vulnerability-related.DiscoverVulnerability these vulnerabilities publicly . We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose Vulnerability-related.DiscoverVulnerability to NETGEAR only to be met with frustration . The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline . The second change made us more confident that NETGEAR was not just serious about patching Vulnerability-related.PatchVulnerability these vulnerabilities , but serious about changing how they handle third-party disclosure in general . We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR , but , in the end , will result in a more secure line of products and services . For starters , it affects a large number of models . We have found Vulnerability-related.DiscoverVulnerability more than ten thousand vulnerable devices that are remotely accessible . The real number of affected devices is probably in the hundreds of thousands , if not over a million . The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing .

A series of remotely exploitable vulnerabilities exist in Vulnerability-related.DiscoverVulnerability a popular web-based SCADA system made by Honeywell that make it easy to expose passwords and in turn , give attackers a foothold into the vulnerable network . The flaws exist in Vulnerability-related.DiscoverVulnerability some versions of Honeywell ’ s XL Web II controllers , systems deployed across the critical infrastructure sector , including wastewater , energy , and manufacturing companies . An advisory from the Department of Homeland Security ’ s Industrial Control Systems Cyber Emergency Response Team ( ICS-CERT ) warned about Vulnerability-related.DiscoverVulnerability the vulnerabilities Thursday . The company has developed a fix , version 3.04.05.05 , to address Vulnerability-related.PatchVulnerability the issues but users have to call their local Honeywell Building Solutions branch to receive Vulnerability-related.PatchVulnerability the update , according to the company . The controllers suffer from five vulnerabilities in total but the scariest one might be the fact that passwords for the controllers are stored in clear text . Furthermore , if attackers wanted to , they could disclose Attack.Databreach that password simply by accessing a particular URL . An attacker could also carry out a path traversal attack by accessing a specific URL , open and change some parameters by accessing a particular URL , or establish a new user session . The problem with starting a new user session is that the controllers didn ’ t invalidate any existing session identifier , something that could have made it easier for an attacker to steal any active authenticated sessions . Maxim Rupp , an independent security researcher based in Germany , dug up Vulnerability-related.DiscoverVulnerability the bugs and teased them on Twitter at the beginning of January . Rupp has identified Vulnerability-related.DiscoverVulnerability bugs in Honeywell equipment before . Two years ago he discovered Vulnerability-related.DiscoverVulnerability a pair of vulnerabilities in Tuxedo Touch , a home automation controller made by the company , that could have let an attacker unlock a house ’ s doors or modify its climate controls . It ’ s unclear how widespread the usage of Honeywell ’ s XL Web II controllers is . While Honeywell is a US-based company , according to ICS-CERT ’ s advisory the majority of the affected products are used in Europe and the Middle East . When reached on Friday , a spokesperson for Honeywell confirmed that the affected controllers are used in Europe and the Middle East . The company also stressed that the vulnerabilities were patched Vulnerability-related.PatchVulnerability in September 2016 after they were reported Vulnerability-related.DiscoverVulnerability in August .