Google 's Project Zero has again called Apple out for silently patching Vulnerability-related.PatchVulnerability flaws . Apple has secretly patched Vulnerability-related.PatchVulnerability a bunch of high-severity bugs reported Vulnerability-related.DiscoverVulnerability to it by Google 's Project Zero researchers . The move has resulted in Google 's Project Zero once again calling Apple out for fixing Vulnerability-related.PatchVulnerability iOS and macOS security flaws without documenting them in public security advisories . While it 's good news that Apple beat Project Zero 's 90-day deadline for patching Vulnerability-related.PatchVulnerability or disclosing Vulnerability-related.DiscoverVulnerability the bugs it finds Vulnerability-related.DiscoverVulnerability , the group 's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed . This time the criticism comes from Project Zero 's Ian Beer , who 's been credited by Apple with finding Vulnerability-related.DiscoverVulnerability dozens of serious security flaws in iOS and macOS over the years . Beer posted Vulnerability-related.DiscoverVulnerability a blog about several vulnerabilities in iOS 7 he found Vulnerability-related.DiscoverVulnerability in 2014 that share commonalities with several bugs he has found Vulnerability-related.DiscoverVulnerability in iOS 11.4.1 , some of which he 's now released exploits for . Beer notes Vulnerability-related.DiscoverVulnerability that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix Vulnerability-related.PatchVulnerability them . The absence of information about them is a `` disincentive '' for iOS users to patch Vulnerability-related.PatchVulnerability , Beer argues . `` Apple are still yet to assign CVEs Vulnerability-related.DiscoverVulnerability for these issues or publicly acknowledge that they were fixed Vulnerability-related.PatchVulnerability in iOS 12 , '' wrote Beer . `` In my opinion a security bulletin should mention the security bugs that were fixed Vulnerability-related.PatchVulnerability . Not doing so provides a disincentive for people to update Vulnerability-related.PatchVulnerability their devices since it appears that there were fewer security fixes than there really were . '' In other instances , such as one macOS bug Beer reported Vulnerability-related.DiscoverVulnerability , Apple did actually assign a CVE Vulnerability-related.DiscoverVulnerability , but it still hasn't updated Vulnerability-related.PatchVulnerability the relevant security bulletin to reflect the fix . Apple similarly allocated Vulnerability-related.DiscoverVulnerability CVE-2018-4337 to another high-severity iOS bug , which was fixed Vulnerability-related.PatchVulnerability in iOS 12 , but is n't currently acknowledged Vulnerability-related.DiscoverVulnerability in the iOS 12 security bulletin . In another case , Apple fixed Vulnerability-related.PatchVulnerability a bug that affected Vulnerability-related.DiscoverVulnerability iOS and macOS but didn't assign Vulnerability-related.DiscoverVulnerability a CVE or mention it in the security bulletins . Not only may it be a disincentive for end-users to patch Vulnerability-related.PatchVulnerability iPhones and Macs , but Beer also points out Vulnerability-related.DiscoverVulnerability in another bug report that the lack of public acknowledgement Vulnerability-related.DiscoverVulnerability by Apple means he has no way of knowing whether the issue is a duplicate that another researcher may have already found Vulnerability-related.DiscoverVulnerability . As he notes Vulnerability-related.DiscoverVulnerability in the blog , many of the bugs he has found Vulnerability-related.DiscoverVulnerability in iOS are very similar or the same as bugs found Vulnerability-related.DiscoverVulnerability by noted jailbreaking hackers Pangu Team .

Microsoft and Google have been bitter rivals for at least a decade , and the pair have had several disagreements over security vulnerability disclosure Vulnerability-related.DiscoverVulnerability in recent years . Google is stoking those disagreements again this week by disclosing Vulnerability-related.DiscoverVulnerability a Microsoft Edge security flaw before a patch is available Vulnerability-related.PatchVulnerability . Neowin spotted that Google disclosed Vulnerability-related.DiscoverVulnerability the security flaw to Microsoft back in November , and the company provided 90 days for Microsoft to fix Vulnerability-related.PatchVulnerability it before going public Vulnerability-related.DiscoverVulnerability as it ’ s rated “ medium ” in terms of severity . Google also provided Microsoft with an additional 14-day grace period to have a fix available Vulnerability-related.PatchVulnerability for its monthly Patch Tuesday release in February , but Microsoft missed Vulnerability-related.PatchVulnerability this goal because “ the fix is more complex than initially anticipated. ” It ’ s not clear when Microsoft will have a fix available Vulnerability-related.PatchVulnerability , and the Google engineer responsible for reporting Vulnerability-related.DiscoverVulnerability the security flaw says because of the complexity of the fix Microsoft “ do not yet have a fixed date set as of yet. ” The public disclosure will likely anger Microsoft , once again . The software giant hit back at Google ’ s approach Vulnerability-related.PatchVulnerability to security patches last October , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . At the heart of the issue is whether Google ’ s policy to disclose after 90 days without a patch is reasonable . Google makes exceptions to this hard rule , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability . Two big and obvious exceptions to Google ’ s security disclosure rules were the recent Meltdown and Spectre bugs . Google engineers discovered Vulnerability-related.DiscoverVulnerability the CPU flaws and Intel , AMD , and others had around six months to fix Vulnerability-related.PatchVulnerability the problems before the flaws were publicly disclosed Vulnerability-related.DiscoverVulnerability earlier this year . Chrome OS and Android devices were also affected Vulnerability-related.DiscoverVulnerability by the processor flaws , along with Windows , Linux , macOS , and iOS . Google wants the industry to adopt its aggressive disclosure policies , but Microsoft has so far resisted rather publicly . This latest episode isn ’ t as critical as some of the past disclosures , but it will likely reignite the debate over whether Google , a company with competitive commercial interests , should be leading the way security flaws in rival operating systems are disclosed Vulnerability-related.DiscoverVulnerability in the public interest .

Cisco has released Vulnerability-related.PatchVulnerability fixes for 34 flaws in its software , including 24 that affect Vulnerability-related.DiscoverVulnerability its FXOS software for Firepower firewalls and NX-OS software for Nexus switches . Cisco 's June updates include fixes for five critical arbitrary code execution vulnerabilities affecting Vulnerability-related.DiscoverVulnerability FXOS and NX-OS and 19 high-rated flaws affecting Vulnerability-related.DiscoverVulnerability the software . Four of the critical flaws affect Vulnerability-related.DiscoverVulnerability FXOS and NX-OS Cisco Fabric Services , while the fifth one affects Vulnerability-related.DiscoverVulnerability the NX-API feature of NX-OS . All have a CVSS v3 score of 9.8 out of a maximum of 10 . Cisco Fabric Services facilitate distribution and synchronization of configuration data between Cisco devices on the same network . Some of the flaws allow an unauthenticated , remote attack to execute arbitrary code and one allows an attacker to do so as root . Multiple switches are vulnerable Vulnerability-related.DiscoverVulnerability if they 've been configured to use Cisco Fabric Services , including its Nexus 2000 series through to Nexus 9000 series switches , as well as Cisco 's Firepower 4100 Series Next-Gen Firewalls and other hardware . The insufficient input validation may occur when FXOS and NX-OS process Cisco Fabric Services packets received during distribution and synchronization . There are various ways to exploit each of the flaws , depending on what Cisco Fabric Services distribution types have been configured . For example , if Fibre Channel ports are configured as a distribution type for a device , the attack could occur via Fibre Channel over Ethernet ( FCoE ) or Fibre Channel over IP ( FCIP ) . Cisco has already rolled out Vulnerability-related.PatchVulnerability fixes in some releases of FXOS and NX-OS . Cisco posted a blog this week explaining why it often fixes Vulnerability-related.PatchVulnerability bugs in IOS and NX-OS releases before disclosing Vulnerability-related.DiscoverVulnerability them in an advisory . It 's a practice that appears to cause confusion for customers wondering why it has n't told them fixed code has been available Vulnerability-related.PatchVulnerability for several months before it discloses Vulnerability-related.DiscoverVulnerability them . Cisco 's answer is that some flaws affect Vulnerability-related.DiscoverVulnerability more than 50 versions of its software . `` There have been some questions as to why creating Vulnerability-related.PatchVulnerability fixes and releasing Vulnerability-related.PatchVulnerability updates can take several weeks , or sometimes even months , before an advisory is published , '' Cisco 's Customer Assurance Security Programs team wrote . `` In some cases , there is a large number of supported software versions to be updated . The number of affected versions that will be updated Vulnerability-related.PatchVulnerability can range from single digits to nearly 50 or more . We are committed to issuing Vulnerability-related.PatchVulnerability fixes for every one of those supported versions . '' `` If we disclosed Vulnerability-related.DiscoverVulnerability the vulnerability after only fixing Vulnerability-related.PatchVulnerability one release , we would unnecessarily expose all customers running Vulnerability-related.PatchVulnerability other releases to potential exploitation once details about the attack itself became public . '' There are also 10 medium-severity flaws , including one that affects Vulnerability-related.DiscoverVulnerability some WebEx endpoints due to an already disclosed flaw in Nvidia 's Tegra TX1 chips .

Cisco Systems yesterday issued 17 security advisories , disclosing Vulnerability-related.DiscoverVulnerability vulnerabilities in multiple products , including at least three critical flaws . One of them , a privileged access bug found in Vulnerability-related.DiscoverVulnerability seven models of its Small Business Switches , has not yet been patched Vulnerability-related.PatchVulnerability , but the company has recommended a workaround to limit its potential for damage . Designated CVE-2018-15439 with a CVSS score of 9.8 , the unsolved privileged access vulnerability could allow a remote attacker to bypass an affected device ’ s user authentication mechanism and obtain full admin rights without the proper administrators being notified . Although there is currently no software fix , a Cisco advisory says users can implement a workaround by “ adding at least one user account with access privilege set to level 15 in the device configuration. ” Affected device models are the Cisco Small Business 200 Series Smart Switches , Small Business 300 Series Managed Switches , Small Business 500 Series Stackable Managed Switches , 250 Series Smart Switches , 350 Series Managed Switches , 350X Series Stackable Managed Switches and 550X Series Stackable Managed Switches . The other critical flaws confirmed Vulnerability-related.DiscoverVulnerability in Cisco products were an authentication bypass vulnerability in the Stealthwatch Management Console of Cisco Stealthwatch Enterprise and a remote shell command execution bug in Unity Express . These also carry CVSS scores of 9.8 . Cisco published a fourth critical advisory warning Vulnerability-related.DiscoverVulnerability of a remote code execution bug in the Apache Struts Commons FileUpload Library ; however , it is unknown at this time if any Cisco products and services are affected . Additional vulnerabilities were found Vulnerability-related.DiscoverVulnerability in the Cisco ’ s Meraki networking devices , Video Surveillance Media Server , Content Security Management Appliance , Registered Envelope Service , Price Service Catalog , Prime Collaboration Assurance , Meeting Server , Immunet and AMP for Endpoints , Firepower System Software , Energy Management Suite and Integrated Management Controller Supervisor . And in one final , odd advisory , Cisco acknowledged that a flub in its QA practices allowed dormant exploit code for the Dirty Cow vulnerability to be included in shipping software images for its Expressway Series and Cisco TelePresence Video Communication Server ( VCS ) software . “ The presence of the sample , dormant exploit code does not represent nor allow an exploitable vulnerability on the product , nor does it present a risk to the product itself as all of the required patches for this vulnerability have been integrated Vulnerability-related.PatchVulnerability into all shipping software images , ” said the advisory . “ The affected software images have proactively been removed from the Cisco Software Center and will soon be replaced Vulnerability-related.PatchVulnerability with fixed software images . ”

A remote hijacking flaw that lurked in Intel chips for seven years was more severe than many people imagined , because it allowed hackers to remotely gain administrative control over huge fleets of computers without entering a password . This is according to technical analyses published Friday . Further ReadingIntel patches Vulnerability-related.PatchVulnerability remote hijacking vulnerability that lurked in chips for 7 years . As Ars reported Vulnerability-related.DiscoverVulnerability Monday , the authentication bypass vulnerability resides in Vulnerability-related.DiscoverVulnerability a feature known as Active Management Technology . AMT , as it 's usually called , allows system administrators to perform a variety of powerful tasks over a remote connection . Among the capabilities : changing the code that boots up computers , accessing the computer 's mouse , keyboard , and monitor , loading and executing programs , and remotely powering on computers that are turned off . In short , AMT makes it possible to log into a computer and exercise the same control enjoyed by administrators with physical access . AMT , which is available with many vPro processors , was set up to require a password before it could be remotely accessed over a Web browser interface . But , remarkably , that authentication mechanism can be bypassed by entering no text at all . According to a blog post published Friday by Tenable Network Security , the cryptographic hash that the interface 's digest access authentication requires to verify someone is authorized to log in can be anything at all , including no string at all . `` Authentication still worked '' even when the wrong hash was entered , Tenable Director of Reverse Engineering Carlos Perez wrote . `` We had discovered a complete bypass of the authentication scheme . '' A separate technical analysis from Embedi , the security firm Intel credited with first disclosing Vulnerability-related.DiscoverVulnerability the vulnerability , arrived at the same conclusion . Embedi e-mailed the analysis to reporters , but did n't publish it online . Making matters worse , unauthorized accesses typically are n't logged by the PC because AMT has direct access to the computer 's network hardware . When AMT is enabled , all network packets are redirected to the Intel Management Engine and from there to the AMT . The packets bypass the OS completely . The vulnerable management features were made available in some but not all Intel chipsets starting in 2010 , Embedi has said . In a blog post published Friday , Intel officials said they expect PC makers to release Vulnerability-related.PatchVulnerability a patch next week . The releases will update Vulnerability-related.PatchVulnerability Intel firmware , meaning patching Vulnerability-related.PatchVulnerability will require that each vulnerable chip set is reflashed . In the meantime , Intel is urging customers to download and run this discovery tool to diagnose potentially vulnerable computers . Systems that test positive should be temporarily secured using this mitigation guide until a patch is supplied Vulnerability-related.PatchVulnerability . Computer makers Fujitsu , HP , and Lenovo , have also issued advisories for specific models they sell .

One of the largest trading posts on the Dark Web , AlphaBay , has rewarded a researcher for disclosing Vulnerability-related.DiscoverVulnerability the existence of a vulnerability which allowed him to steal Attack.Databreach over 200,000 private messages exchanged between users and sellers . Earlier this week , the hacker , known only as Cipher0007 , disclosed Vulnerability-related.DiscoverVulnerability the existence of two `` high-risk '' bugs through Reddit . In a forum post , the hacker said Vulnerability-related.DiscoverVulnerability the two security flaws could be exploited Vulnerability-related.DiscoverVulnerability to snatch private messages . Cipher0007 was able to compromise Attack.Databreach AlphaBay and steal Attack.Databreach the first and last names of buyers and sellers , nicknames , addresses , and the tracking IDs of packages sent by traders when included in the messages and not protected by PGP keys . The hacker also issued a number of screenshots of private messages as proof , which revealed the messages were not encrypted by default . After disclosing Vulnerability-related.DiscoverVulnerability the vulnerabilities on Reddit , Cipher0007 opened a number of support tickets on AlphaBay , warning Vulnerability-related.DiscoverVulnerability the Dark Web trading post of the potentially devastating bugs which could compromise the privacy and identities of users . In a statement on PasteBin , AlphaBay confirmed Vulnerability-related.DiscoverVulnerability the validity of the vulnerabilities and said Vulnerability-related.DiscoverVulnerability the bugs allowed the hacker to slurp Attack.Databreach a total of 218,000 messages which were not older than 30 days . Older messages are automatically purged from the system . The attacker was paid for disclosing the flaws rather than selling them on or releasing the stolen information to the public . In return , Cipher0007 revealed his methods and several hours later AlphaBay developers were able to close the loopholes Vulnerability-related.PatchVulnerability . As Dark Web marketplaces must provide strong assurances that users will remain anonymous due to the nature of goods sold there , often illegally , these kinds of vulnerabilities have the potential to destroy such businesses . Alternatively , these security flaws would be of interest to law enforcement agencies attempting to close down such operations -- and may have been known Vulnerability-related.DiscoverVulnerability to them before the hacker discovered Vulnerability-related.DiscoverVulnerability the bugs . Unless users indulging in risky , illegal trading take responsibility for their own privacy by using PGP keys and personal encryption , they can not cry foul if their personal information is leaked Attack.Databreach

One of the largest trading posts on the Dark Web , AlphaBay , has rewarded a researcher for disclosing Vulnerability-related.DiscoverVulnerability the existence of a vulnerability which allowed him to steal Attack.Databreach over 200,000 private messages exchanged between users and sellers . Earlier this week , the hacker , known only as Cipher0007 , disclosed Vulnerability-related.DiscoverVulnerability the existence of two `` high-risk '' bugs through Reddit . In a forum post , the hacker said Vulnerability-related.DiscoverVulnerability the two security flaws could be exploited Vulnerability-related.DiscoverVulnerability to snatch private messages . Cipher0007 was able to compromise Attack.Databreach AlphaBay and steal Attack.Databreach the first and last names of buyers and sellers , nicknames , addresses , and the tracking IDs of packages sent by traders when included in the messages and not protected by PGP keys . The hacker also issued a number of screenshots of private messages as proof , which revealed the messages were not encrypted by default . After disclosing Vulnerability-related.DiscoverVulnerability the vulnerabilities on Reddit , Cipher0007 opened a number of support tickets on AlphaBay , warning Vulnerability-related.DiscoverVulnerability the Dark Web trading post of the potentially devastating bugs which could compromise the privacy and identities of users . In a statement on PasteBin , AlphaBay confirmed Vulnerability-related.DiscoverVulnerability the validity of the vulnerabilities and said Vulnerability-related.DiscoverVulnerability the bugs allowed the hacker to slurp Attack.Databreach a total of 218,000 messages which were not older than 30 days . Older messages are automatically purged from the system . The attacker was paid for disclosing the flaws rather than selling them on or releasing the stolen information to the public . In return , Cipher0007 revealed his methods and several hours later AlphaBay developers were able to close the loopholes Vulnerability-related.PatchVulnerability . As Dark Web marketplaces must provide strong assurances that users will remain anonymous due to the nature of goods sold there , often illegally , these kinds of vulnerabilities have the potential to destroy such businesses . Alternatively , these security flaws would be of interest to law enforcement agencies attempting to close down such operations -- and may have been known Vulnerability-related.DiscoverVulnerability to them before the hacker discovered Vulnerability-related.DiscoverVulnerability the bugs . Unless users indulging in risky , illegal trading take responsibility for their own privacy by using PGP keys and personal encryption , they can not cry foul if their personal information is leaked Attack.Databreach

Will Strafach , CEO of Sudo Security Group , said Vulnerability-related.DiscoverVulnerability he found Vulnerability-related.DiscoverVulnerability 76 iOS apps that are vulnerable Vulnerability-related.DiscoverVulnerability to an attack that can intercept protected data . TLS is used to secure an app ’ s communication over an internet connection . Without it , a hacker can essentially eavesdrop over a network to spy on whatever data the app sends , such as login information . “ This sort of attack can be conducted by any party within Wi-Fi range of your device while it is in use , ” Strafach said . “ This can be anywhere in public , or even within your home if an attacker can get within close range ” . Strafach discovered Vulnerability-related.DiscoverVulnerability the vulnerability in the 76 apps by scanning them with his company-developed security service , verify.ly , which he 's promoting . It flagged “ hundreds of applications ” with a high likelihood of data interception . He ’ s so far confirmed Vulnerability-related.DiscoverVulnerability that these 76 apps possess the vulnerability . He did so by running them on an iPhone running iOS 10 and using a proxy to insert an invalid TLS certificate into the connection . Strafach declared Vulnerability-related.DiscoverVulnerability that 43 of the apps were either a high or medium risk , because they risked exposing login information and authentication tokens . Some of them are from “ banks , medical providers , and other developers of sensitive applications , ” he said . He 's not disclosing Vulnerability-related.DiscoverVulnerability their names , to give them time to patch Vulnerability-related.PatchVulnerability the problem . The remaining 33 apps were deemed low risks because they revealed only partially sensitive data , such as email addresses . They include the free messaging service ooVoo , video uploaders to Snapchat and lesser-known music streaming services , among many others . In all , the 76 apps have 18 million downloads , according to app market tracker Apptopia , Strafach said . It ’ ll be up to the app developers to fix Vulnerability-related.PatchVulnerability the problem , but it only involves changing a few lines of code , says Strafach , who ’ s been trying to contact the developers . He included some warnings for developers in the blog post . “ Be extremely careful when inserting network-related code and changing application behaviors , ” he wrote . “ Many issues like this arise from an application developer not fully understanding the code they ’ ve borrowed from the web ” . Users of affected apps can protect themselves by turning off the Wi-Fi when in a public location , Strafach says . That will force the phone to use a cellular connection to the internet , making it much harder for any hacker to eavesdrop unless they use expensive and illegal equipment , Strafach said