A new version of Git has been emitted to ward off attempts to exploit Vulnerability-related.DiscoverVulnerability a potential arbitrary code execution vulnerability – which can be triggered by merely cloning a malicious repository . The security hole , CVE-2018-11235 , reported Vulnerability-related.DiscoverVulnerability by Etienne Stalmans , stems from a flaw in Git whereby sub-module names supplied by the .gitmodules file are not properly validated when appended to $ GIT_DIR/modules . Including `` .. / '' in a name could result in directory hopping . Post-checkout hooks could then be executed , potentially causing all manner of mayhem to ensue on the victim 's system . Another vulnerability , CVE-2018-11233 , describes Vulnerability-related.DiscoverVulnerability a flaw in the processing of pathnames in Git on NTFS-based systems , allowing the reading of memory contents . In a change from normal programming , the vulnerability appears to be cross platform . Fear not , however , because a patch is available Vulnerability-related.PatchVulnerability . The Git team released Vulnerability-related.PatchVulnerability the update in 2.13.7 of the popular coding , collaboration and control tool and forward-ported it to versions 2.14.4 , 2.15.2 , 2.16.4 and 2.13.7 . For its part , Microsoft has urged users to download 2.17.1 ( 2 ) of Git for Windows and has blocked the malicious repositories from being pushed to Visual Studio Team Services users . The software giant has also promised a hotfix will `` shortly '' be available Vulnerability-related.PatchVulnerability for its popular Visual Studio 2017 platform . Other vendors , such as Debian , have been updating Vulnerability-related.PatchVulnerability their Linux and software distributions to include the patched code and recommend that users upgrade Vulnerability-related.PatchVulnerability to thwart ne'er-do-wells seeking to exploit Vulnerability-related.DiscoverVulnerability the vulnerability .

A new version of Git has been emitted to ward off attempts to exploit Vulnerability-related.DiscoverVulnerability a potential arbitrary code execution vulnerability – which can be triggered by merely cloning a malicious repository . The security hole , CVE-2018-11235 , reported Vulnerability-related.DiscoverVulnerability by Etienne Stalmans , stems from a flaw in Git whereby sub-module names supplied by the .gitmodules file are not properly validated when appended to $ GIT_DIR/modules . Including `` .. / '' in a name could result in directory hopping . Post-checkout hooks could then be executed , potentially causing all manner of mayhem to ensue on the victim 's system . Another vulnerability , CVE-2018-11233 , describes Vulnerability-related.DiscoverVulnerability a flaw in the processing of pathnames in Git on NTFS-based systems , allowing the reading of memory contents . In a change from normal programming , the vulnerability appears to be cross platform . Fear not , however , because a patch is available Vulnerability-related.PatchVulnerability . The Git team released Vulnerability-related.PatchVulnerability the update in 2.13.7 of the popular coding , collaboration and control tool and forward-ported it to versions 2.14.4 , 2.15.2 , 2.16.4 and 2.13.7 . For its part , Microsoft has urged users to download 2.17.1 ( 2 ) of Git for Windows and has blocked the malicious repositories from being pushed to Visual Studio Team Services users . The software giant has also promised a hotfix will `` shortly '' be available Vulnerability-related.PatchVulnerability for its popular Visual Studio 2017 platform . Other vendors , such as Debian , have been updating Vulnerability-related.PatchVulnerability their Linux and software distributions to include the patched code and recommend that users upgrade Vulnerability-related.PatchVulnerability to thwart ne'er-do-wells seeking to exploit Vulnerability-related.DiscoverVulnerability the vulnerability .

Another critical security hole has been found Vulnerability-related.DiscoverVulnerability in Apache Struts 2 , requiring an immediate update . The vulnerability – CVE-2018-11776 – affects Vulnerability-related.DiscoverVulnerability core code and allows miscreants to pull off remote code execution against vulnerable servers and websites . It affects Vulnerability-related.DiscoverVulnerability all versions of Struts 2 , the popular open-source framework for Java web apps . The Apache Software Foundation has `` urgently advised '' anyone using Struts to update Vulnerability-related.PatchVulnerability to the latest version immediately , noting that the last time a critical hole was found Vulnerability-related.DiscoverVulnerability , the holes were being exploited Vulnerability-related.DiscoverVulnerability in the wild just a day later . In other words , if you delay in patching Vulnerability-related.PatchVulnerability , your organization will be compromised in short order via this bug , if you are running vulnerable systems . It was that earlier flaw that led to a nightmare data breach Attack.Databreach from credit company Equifax after it failed to patch Vulnerability-related.PatchVulnerability swiftly enough . The details of nearly 150 million people were exposed Attack.Databreach , costing the company more than $ 600m , so this is not something to be taken lightly . The company that discovered Vulnerability-related.DiscoverVulnerability the vulnerability – Semmle Security Research Team – warns that this latest one is actually worse that the one last year , which it also found Vulnerability-related.DiscoverVulnerability . It has published a blog post with more information . Semmle found Vulnerability-related.DiscoverVulnerability the hole back in April and reported Vulnerability-related.DiscoverVulnerability it to Apache , which put out Vulnerability-related.PatchVulnerability a patch in June that it has now pulled Vulnerability-related.PatchVulnerability into formal updates ( 2.3.35 for those using version 2.3 and 2.5.17 for those on 2.5 ) . As mentioned , the vulnerability is in the core code and does n't require additional plugins to work . It is caused by insufficient validation of untrusted user data in the core of the Struts framework , and can be exploited in several different ways . Semmle says it has identified two different vectors but warns there may be others . Since it can be used remotely and due to the fact that Struts is typically used to create applications that are on the public internet , hackers are going to be especially focused on exploiting it so they can gain access to corporate networks . And there are some big targets out there : Apache Struts is extremely common with most large corporations using it somewhere in their systems for web apps . Semmle 's VP of engineering , Pavel Avgustinov , had this to say about the hole on Wednesday this week : `` Critical remote code execution vulnerabilities like the one that affected Vulnerability-related.DiscoverVulnerability Equifax and the one we announced today are incredibly dangerous for several reasons : Struts is used for publicly-accessible customer-facing websites , vulnerable systems are easily identified , and the flaw is easy to exploit Vulnerability-related.DiscoverVulnerability . A hacker can find their way in within minutes , and exfiltrate Attack.Databreach data or stage further attacks from the compromised system . It ’ s crucially important to update affected systems immediately ; to wait is to take an irresponsible risk . '' This is very far from the first time that big security holes have been found Vulnerability-related.DiscoverVulnerability in Struts , leading some to recommend that people simply stop using it .

A vulnerability in some versions of the Oracle Solaris enterprise OS could allow attackers to edit code in the memory and exploit Vulnerability-related.DiscoverVulnerability it to gain full root control over a machine . The privilege escalation vulnerability -- now patched Vulnerability-related.PatchVulnerability -- is present in Vulnerability-related.DiscoverVulnerability current versions of Oracle Solaris 10 and 11 running Sun StorageTek Availability Suite ( AVS ) for the filesystem and could be used to access to a low-level user or service account and , from there , gain complete root access to the system . The memory corruption bug has been uncovered and detailed Vulnerability-related.DiscoverVulnerability by researchers at Trustwave -- and its origins go all the way back to 2007 . The original issue was disclosed Vulnerability-related.DiscoverVulnerability in 2009 and apparently fixed Vulnerability-related.PatchVulnerability , but researchers revisited Vulnerability-related.DiscoverVulnerability the code this year only to find Vulnerability-related.DiscoverVulnerability the fix was partial and loopholes still allowed the execution of malicious code . The origins of the exploit , CVE-2018-2892 , lie in Vulnerability-related.DiscoverVulnerability one small fragment of code which contains a number of separate vulnerabilities around the dereferencing pointer , the means of getting values stored in a specific memory location . `` Attackers can exploit Vulnerability-related.DiscoverVulnerability this vulnerability to take access to a low-level user or service account and gain complete root access to the entire system , '' Neil Kettle , application security principal consultant at SpiderLabs at Trustwave , told Vulnerability-related.DiscoverVulnerability ZDNet . An attacker exploiting this vulnerability would need direct access to a user or service account . `` This can be obtained by targeting users with social engineering attacks or by exploiting vulnerabilities in existing services . Once the attacker has access to any account , this vulnerability can be very easily exploited Vulnerability-related.DiscoverVulnerability to gain complete root control over the system , '' said Vulnerability-related.DiscoverVulnerability Kettle . While the original 2007 vulnerability has probably been used in the wild , there 's no confirmation that the new exploit has been used to conduct an attack . Nonetheless , Trustwave disclosed the discovery Vulnerability-related.DiscoverVulnerability to Oracle , which has delivered Vulnerability-related.PatchVulnerability a patch to fix Vulnerability-related.PatchVulnerability the loophole .

A vulnerability in some versions of the Oracle Solaris enterprise OS could allow attackers to edit code in the memory and exploit Vulnerability-related.DiscoverVulnerability it to gain full root control over a machine . The privilege escalation vulnerability -- now patched Vulnerability-related.PatchVulnerability -- is present in Vulnerability-related.DiscoverVulnerability current versions of Oracle Solaris 10 and 11 running Sun StorageTek Availability Suite ( AVS ) for the filesystem and could be used to access to a low-level user or service account and , from there , gain complete root access to the system . The memory corruption bug has been uncovered and detailed Vulnerability-related.DiscoverVulnerability by researchers at Trustwave -- and its origins go all the way back to 2007 . The original issue was disclosed Vulnerability-related.DiscoverVulnerability in 2009 and apparently fixed Vulnerability-related.PatchVulnerability , but researchers revisited Vulnerability-related.DiscoverVulnerability the code this year only to find Vulnerability-related.DiscoverVulnerability the fix was partial and loopholes still allowed the execution of malicious code . The origins of the exploit , CVE-2018-2892 , lie in Vulnerability-related.DiscoverVulnerability one small fragment of code which contains a number of separate vulnerabilities around the dereferencing pointer , the means of getting values stored in a specific memory location . `` Attackers can exploit Vulnerability-related.DiscoverVulnerability this vulnerability to take access to a low-level user or service account and gain complete root access to the entire system , '' Neil Kettle , application security principal consultant at SpiderLabs at Trustwave , told Vulnerability-related.DiscoverVulnerability ZDNet . An attacker exploiting this vulnerability would need direct access to a user or service account . `` This can be obtained by targeting users with social engineering attacks or by exploiting vulnerabilities in existing services . Once the attacker has access to any account , this vulnerability can be very easily exploited Vulnerability-related.DiscoverVulnerability to gain complete root control over the system , '' said Vulnerability-related.DiscoverVulnerability Kettle . While the original 2007 vulnerability has probably been used in the wild , there 's no confirmation that the new exploit has been used to conduct an attack . Nonetheless , Trustwave disclosed the discovery Vulnerability-related.DiscoverVulnerability to Oracle , which has delivered Vulnerability-related.PatchVulnerability a patch to fix Vulnerability-related.PatchVulnerability the loophole .

Apache Software Foundation has patched Vulnerability-related.PatchVulnerability a remote code execution vulnerability affecting Vulnerability-related.DiscoverVulnerability the Jakarta Multipart parser in Apache Struts . Administrators need to update Vulnerability-related.PatchVulnerability the popular Java application framework or put workarounds in place because the vulnerability is actively being targeted in attacks . The issue affects Vulnerability-related.DiscoverVulnerability Apache Struts versions 2.3.5 through 2.3.31 and versions 2.5 through 2.5.10 . The presence of vulnerable code is enough to expose the system to attack—the web application doesn ’ t need to implement file upload for attackers to exploit Vulnerability-related.DiscoverVulnerability the flaw , said Vulnerability-related.DiscoverVulnerability researchers from Cisco Talos . Talos “ found a high number of exploitation events , ” said Cisco threat researcher Nick Biasini . “ With exploitation actively underway , Talos recommends immediate upgrading if possible or following the workaround referenced in the above security advisory ” . The remote code execution vulnerability ( CVE-2017-5638 ) in the Jakarta Multipart parser is the result of improper handling of the Content-Type header , Apache said Vulnerability-related.DiscoverVulnerability in its emergency security advisory . The header indicates the media type of the resource , such as when the client tells the server what type of data was sent as part of a POST or PUT request , or the server telling the client what type of content is being returned as part of the response . The flaw is triggered when Struts parses a malformed Content-Type HTTP header and lets attackers remotely take complete control of the system without needing any kind of authentication .

The US Postal Service says it ’ s fixed Vulnerability-related.PatchVulnerability a security weakness on usps.com that let anyone see the personal account info of its users , including usernames and street addresses . The open vulnerability was reportedly identified Vulnerability-related.DiscoverVulnerability over a year ago by an independent researcher but USPS never patched Vulnerability-related.PatchVulnerability it until this week , when Krebs on Security flagged Vulnerability-related.DiscoverVulnerability the issue . The vulnerability included all 60 million user accounts on the website . It was caused by an authentication weakness in the site ’ s application programming interface ( API ) that allowed anyone to access a USPS database offered to businesses and advertisers to track user data and packages . The API should have verified whether an account had permissions to read user data but USPS didn ’ t have such controls in place . Users ’ personal data including emails , phone numbers , mailing campaign data were all exposed Attack.Databreach to anyone who was logged into the site . Additionally , any user could request account changes for another user , so they could potentially change another account ’ s email address and phone number , although USPS does at least send a confirmation email to confirm the changes . Since street addresses are searchable through the database , any logged-in user could see who was living at each residence and even gain the data of multiple people in the same household . Krebs notes that because of the vulnerability , “ no special hacking tools were needed to pull this data. ” USPS said in a statement to Krebs : “ Any information suggesting criminals have tried to exploit Vulnerability-related.DiscoverVulnerability potential vulnerabilities in our network is taken very seriously . Out of an abundance of caution , the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law. ” A recent audit of its system in October did not turn up this vulnerability , although it did find numerous other weaknesses . We ’ ve reached out for comment on whether USPS was aware of the issue when it was initially noted over a year ago . So far , no known exploits were made through this vulnerability . In USPS ’ continued efforts to modernize and adapt to the digital age , it ’ s faced numerous cybersecurity challenges .

Update , Cisco will take a second crack at addressing Vulnerability-related.PatchVulnerability a vulnerability in WebEx that can be exploited Vulnerability-related.DiscoverVulnerability to execute malicious code on a vulnerable installation . Switchzilla has issued Vulnerability-related.PatchVulnerability a new fix to address Vulnerability-related.PatchVulnerability CVE-2018-15442 , a command injection bug in its video conference software that allows a local attacker to their elevate privileges , and then execute code by injecting commands through the software update component of the WebEx Meetings Client . The bug was traced back to the failure by Webex Meetings to properly check arguments passed via its update service commands . Thus a miscreant could run an update command with specially crafted arguments to ultimately execute code with system privileges . This means rogue logged-in users or malware on a Windows system could leverage WebEx to completely hijack the machine . Cisco had hoped to plug Vulnerability-related.PatchVulnerability the vulnerability in October with a patch that was thought to have resolved Vulnerability-related.PatchVulnerability the flaw . However , software-breakers at SecureAuth found that Switchzilla failed to account for DLL preloading . By sticking the malicious commands inside a DLL file and then executing the update program with that library loaded , an attacker would be able to circumvent the patch and then exploit Vulnerability-related.DiscoverVulnerability the flaw as before to execute commands with system-level clearance . `` The vulnerability can be exploited Vulnerability-related.DiscoverVulnerability by copying to an a local attacker controller folder , the ptUpdate.exe binary . Also , a malicious dll must be placed in the same folder , named wbxtrace.dll , '' SecureAuth explained in its disclosure today . `` To gain privileges , the attacker must start the service with the command line : '' Fortunately , the flaw was privately disclosed Vulnerability-related.DiscoverVulnerability to Cisco , giving the teleconferencing vendor time to get out Vulnerability-related.PatchVulnerability a fix prior to this bug going public . Those running Webex Meetings on their Windows machines should update as soon as possible . While the flaw is n't as severe as a remote code bug that could be exploited Vulnerability-related.DiscoverVulnerability without any user interaction , the fact it has now been patched Vulnerability-related.PatchVulnerability twice and has working proof-of-concept code public should make patching Vulnerability-related.PatchVulnerability a priority .

A group known as the Shadow Brokers published Vulnerability-related.DiscoverVulnerability on Good Friday a set of confidential hacking tools used by the NSA to exploit Vulnerability-related.DiscoverVulnerability software vulnerabilities in Microsoft Windows software . According to Fortune , Microsoft announced Vulnerability-related.PatchVulnerability on the same day that it had patched Vulnerability-related.PatchVulnerability the vulnerabilities related to the NSA leak Attack.Databreach . It was especially important that the company moved quickly since juvenile hackers — also known as script kiddies — were expected to be active over the holiday weekend while defenders were away . The threat was the latest and , according to security experts , the most damaging set of stolen documents published Attack.Databreach by the Shadow Brokers , which is believed to be tied to the Russian government . Experts say Vulnerability-related.DiscoverVulnerability the leak , which was mostly lines of computer code , was made up of a variety of “ zero-day exploits ” that can infiltrate Windows machines and then be used for espionage , vandalism or document theft . The group also published Attack.Databreach another set of documents that show that the NSA penetrated the SWIFT banking network in the Middle East . “ There appears to be at least several dozen exploits , including zero-day vulnerabilities , in this release . Some of the exploits even offer a potential ‘ God mode ’ on select Windows systems . A few of the products targeted include Lotus Notes , Lotus Domino , IIS , SMB , Windows XP , Windows 8 , Windows Server 2003 and Windows Server 2012 , ” said Cris Thomas , a strategist at Tenable Network Security . The Shadow Brokers have been threatening the U.S. government for some time but until last Friday had not released anything critical . There is speculation that this document dump Attack.Databreach could be retaliation by Russia ( if the hackers are indeed tied to the country ) in response to recent U.S. military actions .