Due to the far reaching implications , Security Researchers will typically submit Vulnerability-related.DiscoverVulnerability serious 0-day Windows exploits to Microsoft and give the company ample time to patch Vulnerability-related.PatchVulnerability the vulnerabilities before they can be used to create malware and do harm . A security researcher that goes by the Twitter handle SandboxEscaper , however , decided it would be a good idea to expose Vulnerability-related.DiscoverVulnerability a 0-day threat to the world on Twitter , without forewarning Vulnerability-related.DiscoverVulnerability Microsoft , and even linked to proof on concept code on GitHub that has since been verified as functional . The language in the original Tweet prevents me from directly embedding it here . SandboxEscaper essentially said Vulnerability-related.DiscoverVulnerability , “ Here is the alpc bug as 0day ... I do n't * * * * ing care about life anymore . Neither do I ever again want to submit to MSFT anyway ... ” The official post on the CERT/CC website explains Vulnerability-related.DiscoverVulnerability , “ The Microsoft Windows task scheduler SchRpcSetSecurity API contains Vulnerability-related.DiscoverVulnerability a vulnerability in the handling of ALPC , which can allow a local user to gain SYSTEM privileges . We have confirmed Vulnerability-related.DiscoverVulnerability that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems . We have also confirmed Vulnerability-related.DiscoverVulnerability compatibility with 32-bit Windows 10 with minor modifications to the public exploit code . Compatibility with other Windows versions is possible with further modifications. ” At this point , Microsoft does not have a patch at the ready , but according to reports a fix will be coming Vulnerability-related.PatchVulnerability in the next batch of patch Tuesday updates . Because the exploit requires the local execution of code , it doesn ’ t necessarily warrant an out-of-band update . However , with proof of concept code readily available , it ’ s possible nefarious individuals could trick less savvy users into running the code and gain full access to their systems . As always , never execute any files from unknown or untrusted sources.The bug lies in the Windows Task Scheduler ’ s Advanced Local Procedure Call , or ALPC , interface . It allows a local user to gain system level privileges and have free reign over the system to do whatever they want , including overwriting / modifying system files . Will Dormann of CERT/CC verified Vulnerability-related.DiscoverVulnerability the original exploit code works on a fully patched Windows 10 x64 installation and later modified the code to work on 32-bit systems as well .

Microsoft has issued Vulnerability-related.PatchVulnerability an emergency , out-of-band patch for an Internet Explorer zero-day that was being actively exploited Vulnerability-related.DiscoverVulnerability in targeted attacks . The company says that it learned about the vulnerability through a report from Google . CVE-2018-8653 affects Vulnerability-related.DiscoverVulnerability a range of versions of Internet Explorer from 9 to 11 , across Windows 7 to 10 and Windows Server . The vulnerability amounts to a remote code execution exploit , and it was first spotted Vulnerability-related.DiscoverVulnerability by Google 's Threat Analysis Group . Microsoft explains Vulnerability-related.DiscoverVulnerability that a problem with Internet Explorer 's scripting engine could be exploited Vulnerability-related.DiscoverVulnerability by an attacker to execute arbitrary code on a victim 's computer . In a short security advisory , the company says : Today , we released Vulnerability-related.PatchVulnerability a security update for Internet Explorer after receiving a report Vulnerability-related.DiscoverVulnerability from Google about a new vulnerability being used in targeted attacks . Customers who have Windows Update enabled and have applied Vulnerability-related.PatchVulnerability the latest security updates , are protected automatically . We encourage customers to turn on automatic updates . Microsoft would like to thank Google for their assistance . In a more detailed security vulnerability posting , Microsoft explains the impact of the problem : A remote code execution vulnerability exists in Vulnerability-related.DiscoverVulnerability the way that the scripting engine handles objects in memory in Internet Explorer . The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user . An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability the vulnerability could gain the same user rights as the current user . If the current user is logged on with administrative user rights , an attacker who successfully exploited Vulnerability-related.DiscoverVulnerability the vulnerability could take control of an affected system . An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights . In a web-based attack scenario , an attacker could host a specially crafted website that is designed Attack.Phishing to exploit the vulnerability through Internet Explorer and then convince Attack.Phishing a user to view the website , for example , by sending Attack.Phishing an email . The security update addresses Vulnerability-related.PatchVulnerability the vulnerability by modifying Vulnerability-related.PatchVulnerability how the scripting engine handles objects in memory .

Some medical devices , smartphones and internet of things gadgets contain certain types of sensors that are vulnerable Vulnerability-related.DiscoverVulnerability to potential hacking using sound waves , says Vulnerability-related.DiscoverVulnerability cybersecurity researcher Kevin Fu . `` This is now a risk that all manufacturers should be aware of , and in their hazard analysis , it has to be a part of their cybersecurity risk management , '' says Fu , explaining findings of a recent research study conducted by the University of Michigan and the University of South Carolina . The microelectromechanical systems - or MEMS accelerometers - that the research team found Vulnerability-related.DiscoverVulnerability to contain these vulnerabilities - are sensors used in various devices to measure acceleration or velocity , and then report those readings to a microprocessor . `` What we looked at Vulnerability-related.DiscoverVulnerability was the ability to trick these sensors into delivering false readings to the microprocessor by using sound waves , '' he says in an interview with Information Security Media Group . `` What medical devices contain these sensors is still an open question . The main hazard of this sound wave vulnerability is the threat to the integrity and availability of the sensor , he explains Vulnerability-related.DiscoverVulnerability . Prior studies by other researchers had found Vulnerability-related.DiscoverVulnerability that sound waves can be used to disable these sensors . `` What 's new here is that it is now known that one can actually damage the integrity of the reading , '' he says . `` If you were trusting this reading to do something automated , such as rate-adapt a pacemaker , perhaps based on changing activity of a patient , you now need a second way to verify the integrity of that reading . '' The study lists 20 accelerometers for which the researchers were able to change the output of the sensors using sound waves , Fu says . `` In some devices , we found that there is a speaker built in right next to the sensor , which means there is a remote ability to cause these changes without an adversary being near the chip . '' Fu recommends that manufacturers assess the researchers ' list of accelerometers that contain the sound wave vulnerability `` and ask [ suppliers ] for specific parameters , including the resident frequencies , to understand the risks and mitigations .

A security flaw affecting Vulnerability-related.DiscoverVulnerability LibreOffice and Apache OpenOffice has been fixed Vulnerability-related.PatchVulnerability in one of the two open-source office suites . The other still appears to be vulnerable Vulnerability-related.DiscoverVulnerability . Before attempting to guess which app has yet to be patched Vulnerability-related.PatchVulnerability , consider that Apache OpenOffice for years has struggled attract more contributors . And though the number of people adding code to the project has grown since last we checked , the project missed its recent January report to the Apache Foundation . The upshot is : security holes are n't being patched Vulnerability-related.PatchVulnerability , it seems . The issue , identified Vulnerability-related.DiscoverVulnerability by security researcher Alex Inführ , is that there 's a way to achieve remote code execution by triggering an event embedded in an ODT ( OpenDocument Text ) file . In a blog post on Friday , Inführ explains Vulnerability-related.DiscoverVulnerability how he found Vulnerability-related.DiscoverVulnerability a way to abuse the OpenDocument scripting framework by adding an onmouseover event to a link in an ODT file . The event , which fires when a user 's mouse pointer moves over the link , can traverse local directories and execute a local Python script . After trying various approaches to exploit the vulnerability , Inführ found Vulnerability-related.DiscoverVulnerability that he could rig the event to call a specific function within a Python file included with the Python interpreter that ships with LibreOffice . `` For the solution I looked into the Python parsing code a little more in depth and discovered that it is not only possible to specify the function you want to call inside a python script , but it is possible to pass parameters as well , '' he said . The exploit was tested on Windows , and should work on Linux , too . Inführ says Vulnerability-related.DiscoverVulnerability he reported Vulnerability-related.DiscoverVulnerability the bug on October 18 and it was fixed Vulnerability-related.PatchVulnerability in LibreOffice by the end of the month . RedHat assigned Vulnerability-related.DiscoverVulnerability it CVE-2018-16858 in mid-November and gave Inführ a disclosure Vulnerability-related.DiscoverVulnerability date of January 31 , 2019 . When he published Vulnerability-related.DiscoverVulnerability on February 1 , in conjunction with the LibreOffice fix notification , OpenOffice still had not been patched Vulnerability-related.PatchVulnerability . Inführ says Vulnerability-related.DiscoverVulnerability he reconfirmed Vulnerability-related.DiscoverVulnerability that he could go ahead with disclosure Vulnerability-related.DiscoverVulnerability even though OpenOffice 4.16 has yet to be fixed Vulnerability-related.PatchVulnerability . His proof-of-concept exploit does n't work with OpenOffice out-of-the-box because the software does n't allow parameters to be passed in the same way as the unpatched version of LibreOffice did . However , he says Vulnerability-related.DiscoverVulnerability that the path traversal issue can still be abused to execute a local Python file and cause further mischief and damage . We 're imagining specifically targeted netizens being tricked Attack.Phishing into opening a ZIP file , unpacking an ODT and Python script , and then the ODT document attempting to execute the Python script when the victim rolls their mouse over a link , for instance . The Register tried to reach two OpenOffice contributors to find out what 's going on . We 've not heard back . According to Inführ , OpenOffice users can mitigate the risk by removing or renaming the pythonscript.py file in the installation folder .