A new form of ransomware has emerged which is , unusually , being distributed by two separate exploit kits -- one of which was thought to have disappeared -- and demands payment Attack.Ransom in a lesser-known form of cryptocurrency . First seen on January 26 , GandCrab has been spotted being distributed by two exploit kits , RIG EK and GrandSoft EK . According to researchers at security company Malwarebytes , it 's unusual in itself for ransomware to be pushed using an exploit kit , with such tactics usually reserved for trojans and coin-miners . An exploit kit is used by cybercriminals to take advantage of vulnerabilities in systems in order to distribute malware and perform other malicious activities . In contrast , ransomware is usually delivered by spam email . The only other form of ransomware known to be consistently distributed with an exploit kit is Magniber . GandCrab is distributed via the RIG exploit kit , which uses vulnerabilities in Internet Explorer and Flash Player to launch JavaScript , Flash , and VBscript-based attacks to distribute malware to users . It 's possible that RIG spreads GandCrab to victims using malvertising on compromised websites , in an attack method similar to that used by Princess ransomware . GandCrab is also distributed using GrandSoft , an exploit kit which first appeared in 2012 , but was thought to have disappeared . The GrandSoft EK takes advantage of a vulnerability in the Java Runtime Environment which allows attackers to remotely execute code , and in this case is used to distribute GandCrab . Once the payload has been dropped and run on a compromised system , GandCrab , for the most part , acts like any other form of ransomware , encrypting Windows files using an RSA algorithm and demanding payment Attack.Ransom for the 'GandCrab Decryptor ' required to unlock the files . The encrypted files gain a .GDCB extension , with the encryption loop designed in such a way it will eventually affect every file on the drive . However , unlike many forms of ransomware , GandCrab does n't demand payment Attack.Ransom in bitcoin , but rather in a form of cryptocurrency called Dash . Those behind the ransomware demand Attack.Ransom 1.5 Dash ( listed on the note as $ 1,200 , although the fluctuating prices mean it 's ever changing ) as a ransom Attack.Ransom , a price which doubles to three Dash ( $ 2,400 ) if the price is n't paid Attack.Ransom within a few days . The demand Attack.Ransom for payment in Dash represents the latest example of ransomware distributors attempting to move away from bitcoin and onto other cryptocurrency , for reasons ranging from increased privacy and security to other forms of blockchain-based virtual currency being less popular than bitcoin and therefore quicker to process . There 's currently no means of decrypting GandCrab ransomware files for free at this time , meaning the best way to avoid falling victim is to ensure all software updates and patches have been applied Vulnerability-related.PatchVulnerability to ensure the vulnerabilities exploited Vulnerability-related.DiscoverVulnerability by the exploit kits ca n't be used to distribute ransomware from infected sites .

SAN FRANCISCO — Hackers took advantage of an Equifax security vulnerability two months after an industry group discovered Vulnerability-related.DiscoverVulnerability the coding flaw and shared Vulnerability-related.PatchVulnerability a fix for it , raising questions about why Equifax did n't update Vulnerability-related.PatchVulnerability its software successfully when the danger became known . A week after Equifax revealed one of the largest breaches Attack.Databreach of consumers ' private financial data in history — 143 million consumers and access Attack.Databreach to the credit-card data of 209,000 — the industry group that manages the open source software in which the hack occurred blamed Equifax . `` The Equifax data compromise Attack.Databreach was due to ( Equifax 's ) failure to install the security updates provided Vulnerability-related.PatchVulnerability in a timely manner , '' The Apache Foundation , which oversees the widely-used open source software , said in a statement Thursday . Equifax told USA TODAY late Wednesday the criminals who gained access Attack.Databreach to its customer data exploited Vulnerability-related.DiscoverVulnerability a website application vulnerability known as Vulnerability-related.DiscoverVulnerability Apache Struts CVE-2017-5638 . The vulnerability was patched Vulnerability-related.PatchVulnerability on March 7 , the same day it was announced Vulnerability-related.DiscoverVulnerability , The Apache Foundation said . Cybersecurity professionals who lend their free services to the project of open-source software — code that 's shared by major corporations and that 's tested and modified by developers working at hundreds of firms — had shared their discovery with the industry group , making the risk and fix known to any company using the software . Modifications were made on March 10 , according to the National Vulnerability Database . But two months later , hackers took advantage of the vulnerability to enter the credit reporting agency 's systems : Equifax said the unauthorized access began in mid-May . Equifax did not respond to a question Wednesday about whether the patches were applied Vulnerability-related.PatchVulnerability , and if not , why not . `` We continue to work with law enforcement as part of our criminal investigation and have shared indicators of compromise with law enforcement , '' it said . It should have have acted faster to successfully deal with the problem , other cybersecurity professionals said . `` They should have patched Vulnerability-related.PatchVulnerability it as soon as possible , not to exceed a week . A typical bank would have patched Vulnerability-related.PatchVulnerability this critical vulnerability within a few days , ” said Pravin Kothari , CEO of CipherCloud , a cloud security company . Federal regulators are now investigating whether Equifax is at fault . The Federal Trade Commission and the Consumer Financial Protection Bureau have said they 've opened probes into the hack . So far dozens of state attorneys general are investigating the breach , and on Tuesday Massachusetts Attorney General Maura Healey said she plans to sue the company for violating state consumer protection laws . More than 23 class-action lawsuits against the company have also been proposed . Proof that Equifax failed to protect customers , particularly when it had the tools and information to do so , is likely to further damage Equifax 's financial outlook . Shares fell 2.5 % Thursday after news of the FTC probe and are down 33 % since it revealed the link .

Microsoft has rolled-out Vulnerability-related.PatchVulnerability security updates to fix Vulnerability-related.PatchVulnerability a critical remote code execution flaw affecting Vulnerability-related.DiscoverVulnerability Windows Defender and other anti-malware products . Ahead of April 's Patch Tuesday , Microsoft has released Vulnerability-related.PatchVulnerability patches for the critical flaw , which affects Vulnerability-related.DiscoverVulnerability Microsoft Malware Protection Engine , or mpengine.dll , the core of Windows Defender in Windows 10 . `` An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability this vulnerability could execute arbitrary code in the security context of the LocalSystem Account and take control of the system , '' warns Microsoft . `` An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights . '' Google Project Zero researcher Thomas Dullien , aka Halvar Flake , discovered Vulnerability-related.DiscoverVulnerability that attackers can trigger a memory-corruption issue in the engine if they can get Windows Defender and other affected Vulnerability-related.DiscoverVulnerability security products to scan a specially-crafted file . Microsoft warns there are many ways an attacker could achieve this , including placing the file on a website , in an email or instant message , on any site that hosts files , or in a shared directory . As with similar vulnerabilities reported Vulnerability-related.DiscoverVulnerability last year by the UK 's National Cyber Security Centre ( NCSC ) and Project Zero , an attack would be instant if the affected antivirus has real-time protection enabled . Although the patch is being released Vulnerability-related.PatchVulnerability before Microsoft 's monthly security update , the bug , CVE2018-0986 , is not an out-of-band patch as Microsoft updates Vulnerability-related.PatchVulnerability the engine as needed . Microsoft also notes that the default configuration for Microsoft 's anti-malware products in the enterprise is to automatically receive Vulnerability-related.PatchVulnerability updates .

Microsoft published earlier today the Patch Tuesday security bulletin for May 2018 , containing Vulnerability-related.PatchVulnerability fixes for 67 security issues . This month , Microsoft fixed Vulnerability-related.PatchVulnerability security flaws in Microsoft Windows , Internet Explorer , Microsoft Edge , ChakraCore , .NET Framework , Microsoft Exchange Server , Windows Host Compute Service Shim , and Microsoft Office and Microsoft Office Services and Web Apps . Microsoft patches Vulnerability-related.PatchVulnerability two zero-days The biggest issue patched Vulnerability-related.PatchVulnerability this month is a zero-day in Internet Explorer that has been abused by a cyber-espionage campaign earlier this month . The zero-day ( CVE-2018-8174 ) affects Vulnerability-related.DiscoverVulnerability not only IE but also any other projects that embed the IE web rendering engine . Microsoft credited researchers from both Qihoo 360 Core Security and Kaspersky Lab for discovering Vulnerability-related.DiscoverVulnerability this issue . The second zero-day is CVE-2018-8120 , an elevation-of-privilege vulnerability in the Win32k component . `` An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability this vulnerability could run arbitrary code in kernel mode . An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights , '' Microsoft says . But the flaw is not as dangerous as it sounds , as an attacker already needs a foothold on Windows systems to run his malicious code in the first place , to elevate his access rights . Microsoft also patched Vulnerability-related.PatchVulnerability CVE-2018-8141 ( Windows Kernel Information Disclosure Vulnerability ) and CVE-2018-8170 ( Windows Image Elevation of Privilege Vulnerability ) , for which exploitation details became public . Despite info about these two flaws being published Vulnerability-related.DiscoverVulnerability online , Microsoft says Vulnerability-related.DiscoverVulnerability none were exploited Vulnerability-related.DiscoverVulnerability in the wild . Flash fixes also included Last but not least , the Microsoft May 2018 Patch Tuesday also included a patch for an Adobe Flash Player vulnerability ( CVE-2018-4944 ) that Adobe patched Vulnerability-related.PatchVulnerability earlier today . Below is a table listing of all the security issues Microsoft fixed Vulnerability-related.PatchVulnerability this month . We used PowerShell and the Microsoft API to assemble the table below , but the report is much longer . We hosted the full report on GitHub , here .

Cisco has patched Vulnerability-related.PatchVulnerability a set of severe vulnerabilities which could lead to remote code execution in the Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) . The security flaws , CVE-2018-15414 , CVE-2018-15421 , and CVE-2018-15422 , have been issued Vulnerability-related.DiscoverVulnerability a base score of 7.8 . According to the Cisco Product Security Incident Response Team ( PSIRT ) , the flaws could lead to `` an unauthenticated , remote attacker to execute arbitrary code on a targeted system . '' The Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) , available for Windows , Mac , and Linux machines is a component for recording meetings taking place in the Cisco Webex Meetings Suite sites , Cisco Webex Meetings Online sites , and Cisco Webex Meetings Server . In a security advisory posted this week , Cisco says that the following software is affected : Cisco Webex Meetings Suite ( WBS32 ) : Webex Network Recording Player versions prior to WBS32.15.10 ; Cisco Webex Meetings Suite ( WBS33 ) : Webex Network Recording Player versions prior to WBS33.3 ; Cisco Webex Meetings Online : Webex Network Recording Player versions prior to 1.3.37 ; Cisco Webex Meetings Server : Webex Network Recording Player versions prior to 3.0MR2 . According to Cisco , each operating system is vulnerable Vulnerability-related.DiscoverVulnerability to at least one of the security flaws . The vulnerabilities are due to the improper invalidation of Webex recording files . If a victim opens a crafted , malicious file in the Cisco Webex Player -- potentially sent over Attack.Phishing email as part of a spear phishing campaign Attack.Phishing -- the bugs are triggered , leading to exploit . TechRepublic : Cisco switch flaw led to attacks on critical infrastructure in several countries There are no workarounds to address Vulnerability-related.PatchVulnerability these vulnerabilities . However , Cisco has developed Vulnerability-related.PatchVulnerability patches to automatically update Vulnerability-related.PatchVulnerability vulnerable software . It is recommended that users accept these updates as quickly as possible . The tech giant notes that some Cisco Webex Meetings builds might be at the end of their support cycles and wo n't receive these updates . In these cases , users should contact the company directly . CNET : Kansas City gets smarter thanks to Cisco and Sprint Alternatively , the ARF component is an add-on and can simply be uninstalled manually . A removal tool is has been made available . Cisco is not aware Vulnerability-related.DiscoverVulnerability of any reports of any active exploits in the wild . Steven Seeley from Source Incite and Ziad Badawi , working together with the Trend Micro Zero Day Initiative , have been credited with finding and reporting Vulnerability-related.DiscoverVulnerability the bugs . In related news this week , Trend Micro 's Zero Day Initiative disclosed Vulnerability-related.DiscoverVulnerability a Microsoft Jet zero-day vulnerability which was unpatched Vulnerability-related.PatchVulnerability at the point of public disclosure Vulnerability-related.DiscoverVulnerability . If exploited Vulnerability-related.DiscoverVulnerability , the vulnerability permits attackers to remotely execute code on infected machines .

A zero-day vulnerability present in Vulnerability-related.DiscoverVulnerability security cameras and surveillance equipment using Nuuo software is thought to impact Vulnerability-related.DiscoverVulnerability hundreds of thousands of devices worldwide . Researchers from cybersecurity firm Tenable disclosed Vulnerability-related.DiscoverVulnerability the bug , which has been assigned as CVE-2018-1149 . The vulnerability can not get much more serious , as it allows attackers to remotely execute code in the software , the researchers said in a security advisory on Monday . Nuuo , describing itself as a provider of `` trusted video management '' software , offers a range of video solutions for surveillance systems in industries including transport , banking , government , and residential areas . Dubbed `` Peekaboo , '' the zero-day stack buffer overflow vulnerability , when exploited Vulnerability-related.DiscoverVulnerability , allows threat actors to view and tamper with video surveillance recordings and feeds . It is also possible to use the bug to steal Attack.Databreach data including credentials , IP addresses , port usage , and the make & models of connected surveillance devices . Such a security vulnerability has wide-reaching , real-world consequences -- as criminals could compromise a surveillance camera feed , replace the footage with a static image , and raid a premises , for example . In addition , the bug could be used to fully disable cameras and surveillance products . Peekaboo specifically impacts Vulnerability-related.DiscoverVulnerability the NVRMini 2 NAS and network video recorder , which acts as a hub for connected surveillance products . When exploited , the product permitted access to the control management system ( CMS ) interface , which further exposes credentials of all connected video surveillance cameras connected to the storage system . Speaking to ZDNet , Gavin Millard , VP of threat intelligence at Tenable , said that organizations all over the world use Nuuo software , including in shopping centers , hospitals , banks , and public areas . However , therein lies the problem -- as the software is also white labeled to over 100 brands and 2,500 camera product lines . Tenable disclosed Vulnerability-related.DiscoverVulnerability the zero-day vulnerability to Nuuo . A patch has not been released Vulnerability-related.PatchVulnerability , but Nuuo is currently developing Vulnerability-related.PatchVulnerability a fix for deployment . A plugin has also been released Vulnerability-related.PatchVulnerability by Tenable for organizations to assess whether or not they are vulnerable Vulnerability-related.DiscoverVulnerability to Peekaboo . ZDNet has reached out to Nuuo and will update if we hear back .

Google disclosed Vulnerability-related.DiscoverVulnerability a flaw in Microsoft Edge earlier this week , after Microsoft failed to patch Vulnerability-related.PatchVulnerability the bug in time . Now Google ’ s Project Zero team of security researchers are disclosing Vulnerability-related.DiscoverVulnerability yet another Windows 10 security flaw that Microsoft has again failed to patch Vulnerability-related.PatchVulnerability before Google ’ s imposed 90-day period . Neowin spotted that Google reported Vulnerability-related.DiscoverVulnerability two bugs to Microsoft in November , but the company only addressed Vulnerability-related.PatchVulnerability one of them with its recent Patch Tuesday fixes . The latest unpatched issue is an Elevation of Privilege which allows a normal user to gain administrator privileges on a system . Microsoft has rated Vulnerability-related.DiscoverVulnerability the flaw as “ important , ” but not “ critical ” as it can ’ t be exploited Vulnerability-related.DiscoverVulnerability remotely . It ’ s still an important issue to fix Vulnerability-related.PatchVulnerability , as an attacker could potentially combine this with a separate unknown remote code execution to gain administrator access , although that ’ s an unlikely scenario unless Microsoft doesn ’ t address Vulnerability-related.PatchVulnerability it promptly . It ’ s not clear when Microsoft intends to address Vulnerability-related.PatchVulnerability the latest security flaw in Windows 10 , and the company still needs to solve Vulnerability-related.PatchVulnerability the Edge vulnerability that was disclosed Vulnerability-related.DiscoverVulnerability by Google earlier this week . Microsoft hit back at Google ’ s approach to security patches last year , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . Google ’ s policy to disclose after 90 days without a patch is often criticized and applauded in equal measure . There ’ s plenty of evidence to suggest security vulnerabilities are increasing in Windows and across the industry , and Microsoft has clearly struggled to fix Vulnerability-related.PatchVulnerability these two issues with plenty of notice . It can also be argued that Google is making rival software more secure with its efforts , making everyone ’ s software secure . However , Google also has competitive commercial interests , and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities . Reports suggest Google ’ s Project Zero security team originated from the fallout around the 2009 Google hack , an intrusion blamed on an unpatched flaw in Microsoft ’ s Internet Explorer 6 browser . Google makes exceptions to its strict rules , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability .

The Bitcoin Core developers recently fixed Vulnerability-related.PatchVulnerability a major vulnerability in the Bitcoin ( BTC ) network ’ s ( client ) codebase . Explaining the potentially serious nature of the software bug , which is tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-17144 and classified as a denial-of-service ( DoS ) attack , Casaba Security co-founder Jason Glassberg said Vulnerability-related.DiscoverVulnerability : “ [ It ] can take down the network. ” Glassberg also told Vulnerability-related.DiscoverVulnerability ZDNet the vulnerability in the Bitcoin Core codebase “ would [ have ] affected transactions in the sense that they can not be completed , but does not appear to open up a way to steal or manipulate wallets. ” Denial-of-Service ( DoS ) , 51 % Attacks The Bitcoin Core client software is used by BTC miners to validate transactions on the cryptocurrency ’ s blockchain and the recent vulnerability found Vulnerability-related.DiscoverVulnerability in its source code could have been used to intentionally crash bitcoin ’ s full-node operators . Although not logistically feasible , this particular software bug could have been remotely exploited Vulnerability-related.DiscoverVulnerability by an attacker to launch a 51 % attack in which one entity controls the majority of the hashing ( or computing ) power of a cryptocurrency network . Advisory Notice , Critical Patch Released Vulnerability-related.PatchVulnerability In most cases , a bad actor has orchestrated a 51 % attack in order to manipulate transactions on a cryptocurrency ’ s blockchain for financial gains . At present , it would cost approximately $ 490,000 to launch such an attack ( for 1 hour ) on the Bitcoin network , according to Crypto51 . However , if the recent Bitcoin Core software bug had not been patched Vulnerability-related.PatchVulnerability , a bad actor could have initiated a 51 % attack on the cryptocurrency ’ s network at a considerably lower cost . The Bitcoin Core developers posted Vulnerability-related.DiscoverVulnerability an advisory notice ( on September 19th ) regarding this DoS vulnerability . Users of Bitcoin Core have been instructed to upgrade Vulnerability-related.PatchVulnerability to version 0.16.3 of the software . Previous versions ( 0.14.0 to 0.16.3 ) of the client contain the DoS vulnerability . Bitcoin Knots , one of at least 96 bitcoin forks to date , was considered vulnerable Vulnerability-related.DiscoverVulnerability as well and its client software was patched Vulnerability-related.PatchVulnerability . `` Copycat '' Cryptos Are At Risk Notably , the CVE-2018-17144 vulnerability could have also affected Vulnerability-related.DiscoverVulnerability the litecoin ( LTC ) network but its client has received Vulnerability-related.PatchVulnerability a patch . Commenting on the serious nature of these software bugs , Cornell computer science professor Emin Gün Sirer said Vulnerability-related.DiscoverVulnerability : “ Copycat currencies are at risk ” - meaning that all bitcoin forks are vulnerable Vulnerability-related.DiscoverVulnerability to the attack . The Turkish-American cryptographer , who identified Vulnerability-related.DiscoverVulnerability critical vulnerabilities in Ethereum ’ s codebase before its network was hit with the DAO attack , was referring to all the currently 69 active bitcoin forks that could still be exploited Vulnerability-related.DiscoverVulnerability with a 51 % attack as their clients might still not have received Vulnerability-related.PatchVulnerability a patch and are not as secure as bitcoin network due to their smaller size . In fact , Crypto51 has estimated it would only cost $ 122 to launch a 51 % attack on the Bitcoin Private ( BTCP ) network . However , this estimate has not been confirmed by another source .

Microsoft has quickly reacted to the disclosure Vulnerability-related.DiscoverVulnerability of a previously unknown zero-day vulnerability in the Windows operating system . On Monday , Twitter user SandboxEscaper revealed Vulnerability-related.DiscoverVulnerability the existence of the bug on the microblogging platform . As reported by the Register , the user said : `` Here is the alpc bug as 0day . I do n't f * * king care about life anymore . Neither do I ever again want to submit to MSFT anyway . F * * k all of this shit . '' The user linked to a page on GitHub which appears to contain a proof-of-concept ( PoC ) for the vulnerability . Following the disclosure Vulnerability-related.DiscoverVulnerability , on Tuesday , Will Dormann , vulnerability analyst at CERT/CC verified Vulnerability-related.DiscoverVulnerability the bug , adding that the zero-day flaw works `` well in a fully-patched 64-bit Windows 10 system Vulnerability-related.PatchVulnerability . '' The Windows vulnerability is described as Vulnerability-related.DiscoverVulnerability a local privilege escalation security flaw in the Microsoft Windows task scheduler caused by errors in the handling of Advanced Local Procedure Call ( ALPC ) systems . If exploited Vulnerability-related.DiscoverVulnerability , the zero-day bug permits local users to obtain system privileges . As ALPC is a local system , the impact is limited , but the public disclosure Vulnerability-related.DiscoverVulnerability of a zero-day is still likely a headache for the Redmond giant . There are no known workarounds for the vulnerability , which has been awarded a CVSS score of 6.4 -- 6.8 . SandboxEscaper 's tweet has since been deleted . However , Microsoft has acknowledged Vulnerability-related.DiscoverVulnerability the zero-day flaw . This is likely to take place Vulnerability-related.PatchVulnerability on September 11 , the next scheduled Microsoft Patch Tuesday , unless the firm decides to issue Vulnerability-related.PatchVulnerability an out-of-schedule patch . `` Windows has a customer commitment to investigate reported security issues , and proactively update impacted devices as soon as possible . Our standard policy is to provide solutions via our current Update Tuesday schedule . ''

Apple has issued Vulnerability-related.PatchVulnerability an update to fix Vulnerability-related.PatchVulnerability a number of issues in macOS Mojave leading to arbitrary code execution , the ability to read restricted memory and access local users Apple IDs among others . All were patched Vulnerability-related.PatchVulnerability with the release of macOS Mojave 10.14 on Sept 24. applePatchapplePatch The first issue , CVE-2018-5383 , impacted Vulnerability-related.DiscoverVulnerability a number of iMac , MacBook Air , Mac Pro and Mac mini server products . An input validation issue existed in Vulnerability-related.DiscoverVulnerability Bluetooth was fixed Vulnerability-related.PatchVulnerability that could have allowed an attacker in a privileged network position to intercept Bluetooth traffic . The App Store also patched Vulnerability-related.PatchVulnerability CVE-2018-4324 , an issue in the handling of Apple ID that could have been exploited Vulnerability-related.DiscoverVulnerability by a malicious application that would expose the Apple ID of the computer ’ s owner . Also , a validation issue that could expose Apple IDs was in Auto Unlock that was patched Vulnerability-related.PatchVulnerability with improved validation of the process entitlement . CVE-2018-4353 impacted Vulnerability-related.DiscoverVulnerability the application firewall where a sandboxed process may be able to circumvent sandbox restrictions , but this was addressed Vulnerability-related.PatchVulnerability by adding additional restrictions . In Crash Reporter a validation issue , CVE-2018-4333 , was addressed Vulnerability-related.PatchVulnerability that if exploited Vulnerability-related.DiscoverVulnerability would allow a malicious application to read restricted memory . Two Kernel problems were fixed Vulnerability-related.PatchVulnerability , CVE-2018-4336 and CVE-2018-4344 , that could let an application may be able to execute arbitrary code with kernel privileges . The final problem , CVE-2016-1777 , effected Security where an attacker could exploit a weaknesses in the RC4 cryptographic algorithm and was fixed Vulnerability-related.PatchVulnerability by removing RC4 .

Adobe has posted an update to address Vulnerability-related.PatchVulnerability 85 CVE-listed security vulnerabilities in Acrobat and Reader for both Windows and macOS . The PDF apps have received Vulnerability-related.PatchVulnerability a major update that includes dozens of fixes for flaws that would allow for remote code execution attacks if exploited Vulnerability-related.DiscoverVulnerability . Other possible attacks include elevation of privilege flaws and information disclosure vulnerabilities . Fortunately , Adobe said that none of the bugs was currently being targeted in the wild - yet . For Mac and Windows Acrobat/Reader DC users , the fixes will be present Vulnerability-related.PatchVulnerability in versions 2019.008.20071 . For those using the older Acrobat and Reader 2017 versions , the fix will be labeled Vulnerability-related.PatchVulnerability 2017.011.30105 . Because PDF readers have become such a popular target for email and web-based malware attacks , users and admins alike would do well to test and install the updates as soon as possible . Exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone 's machine . In total , Adobe credited 19 different researchers with discovering Vulnerability-related.DiscoverVulnerability and reporting Vulnerability-related.DiscoverVulnerability the vulnerabilities . Among the more prolific bug hunters were Omri Herscovici of CheckPoint Software , who was credited for finding Vulnerability-related.DiscoverVulnerability and reporting Vulnerability-related.DiscoverVulnerability 35 CVE-listed bugs , and Ke Liu and Tencent Security Xuanwu Lab , who was credited with finding Vulnerability-related.DiscoverVulnerability 11 of the patched Adobe vulnerabilities . Beihang University 's Lin Wang was given credit for nine vulnerabilities . While we 're on the subject of massive security updates , both users and admins will want to mark their calendars for a week from Tuesday . October 9 is slated to be this month 's edition of the scheduled 'Patch Tuesday ' monthly security update .

Adobe has patched Vulnerability-related.PatchVulnerability 87 vulnerabilities for Acrobat and Reader in its December Patch Tuesday update , including a slew of critical flaws that would allow arbitrary code-execution . The scheduled update comes less than a week after Adobe released Vulnerability-related.PatchVulnerability several out-of-band fixes for Flash Player , including a critical vulnerability ( CVE-2018-15982 ) that it said is being exploited Vulnerability-related.DiscoverVulnerability in the wild . That ’ s a use-after-free flaw enabling arbitrary code-execution in Flash . The addressed critical vulnerabilities are myriad this month . The arbitrary code-execution problems include : two buffer errors ; two untrusted pointer dereference glitches ; three heap-overflow issues , five out-of-bounds write flaws , 24 use-after-free bugs . Adobe also patched Vulnerability-related.PatchVulnerability three other critical-rated issues that could lead to privilege escalation ; these are all security bypass problems . In addition to the critical bugs , Adobe also patched Vulnerability-related.PatchVulnerability 43 out-of-bounds read flaws , four integer overflow problems and two security bypass issues , all of which could allow information disclosure . Adobe has characterized all of the flaws , both critical and important , as “ priority two ” for patching Vulnerability-related.PatchVulnerability , which means that the software giant deems them to be unlikely to be imminently exploited Vulnerability-related.DiscoverVulnerability in the wild , but patching Vulnerability-related.PatchVulnerability within 30 days is recommended . The flaws are far-reaching and affect Vulnerability-related.DiscoverVulnerability various implementations of Acrobat DC , Acrobat Reader DC , Acrobat 2017 and Acrobat Reader 2017 for macOS and Windows , in classic 2015 , classic 2017 and continuous-track versions . All can be mitigated by updating Vulnerability-related.PatchVulnerability to the most current versions of the software .

Oracle has released Vulnerability-related.PatchVulnerability a critical patch update addressing Vulnerability-related.PatchVulnerability more than 300 vulnerabilities across several of its products – including one flaw with a CVSS 3.0 score of 10 that could allow the takeover of the company ’ s software package , Oracle GoldenGate . Of the 301 security flaws that were fixed Vulnerability-related.PatchVulnerability in this month ’ s Oracle patch , 45 had a severity rating of 9.8 on the CVSS scale . “ Due to the threat posed by a successful attack , Oracle strongly recommends that customers apply Vulnerability-related.PatchVulnerability Critical Patch Update fixes as soon as possible , ” the company said in its Tuesday advisory . The highest-severity flaw ( CVE-2018-2913 ) lies in Vulnerability-related.DiscoverVulnerability the Monitoring Manager component of Oracle GoldenGate , which is the company ’ s comprehensive software package that allows data to be replicated in heterogeneous data environments . According to the National Vulnerability Database , the glitch is an easily exploitable vulnerability that allows unauthenticated attacker with network access via the TCP protocol to compromise Oracle GoldenGate . The flaw was discovered Vulnerability-related.DiscoverVulnerability by Jacob Baines , a researcher with Tenable . “ CVE-2018-2913 is a stack buffer overflow in GoldenGate Manager , ” Baines told Vulnerability-related.DiscoverVulnerability Threatpost . “ The Manager listens on port 7809 where it accepts GoldenGate Software Command Interface ( GGSCI ) commands . Tenable found that a remote unauthenticated attacker can trigger a stack buffer overflow by sending a GGSCI command that is longer than expected. ” The attack is not complex and a bad actor could be remote and unauthenticated . Making matters worse , an attacker could compromise other products after initially attacking GoldenGate , the advisory warned . “ While the vulnerability is in Oracle GoldenGate , attacks may significantly impact additional products , ” the note said Vulnerability-related.DiscoverVulnerability . “ Successful attacks of this vulnerability can result in takeover of Oracle GoldenGate. ” The flaw impacts Vulnerability-related.DiscoverVulnerability versions 12.1.2.1.0 , 12.2.0.2.0 , and 12.3.0.1.0 in Oracle GoldenGate . Currently no working exploits for the flaw have been discovered Vulnerability-related.DiscoverVulnerability in the wild , according to the release . It should be noted that For Linux and Windows platforms , the flaw ’ s CVSS score is 9.0 because the access complexity is lower ( only rated high , not critical ) ; while for all other platforms , the CVSS score is a critical 10 . Two other flaws were also discovered Vulnerability-related.DiscoverVulnerability in Oracle GoldenGate ( CVE-2018-2912 and CVE-2018-2914 ) , with ratings of 7.5 on the CVSS scale ; those vulnerabilities weren ’ t nearly as severe . “ All of these vulnerabilities may be remotely exploitable without authentication , i.e. , may be exploited Vulnerability-related.DiscoverVulnerability over a network without requiring user credentials . ”

Oracle has released Vulnerability-related.PatchVulnerability a wide-ranging security update to address Vulnerability-related.PatchVulnerability more than 300 CVE-listed vulnerabilities in its various enterprise products . The October release covers the gamut of Oracle 's offerings , including its flagship Database , E-Business Suite , and Fusion Middleware packages . For Database , the update addresses Vulnerability-related.PatchVulnerability a total of three flaws . Two of the vulnerabilities ( CVE-2018-3259 and CVE-2018-3299 ) can be remotely exploited Vulnerability-related.DiscoverVulnerability without authentication , while the third , CVE-2018-7489 , would require the user to have a Rapid Home Provisioning account to execute and is considered by far the least severe of the three . Oracle noted Vulnerability-related.DiscoverVulnerability that all three bugs only impact Vulnerability-related.DiscoverVulnerability the server versions of Database , user clients are not considered to be vulnerable Vulnerability-related.DiscoverVulnerability . For Fusion Middleware , the update will include a total of 56 CVE-listed flaws , including 12 that are remotely exploitable with CVSS base scores of 9.8 , meaning an exploit would be fairly easy to pull off and offer near total control of the target machine . Of those 12 , five were for critical flaws in WebLogic Server . Java SE will get Vulnerability-related.PatchVulnerability 12 security fixes , with all but one being for remotely exploitable vulnerabilities in that platform . Oracle notes Vulnerability-related.DiscoverVulnerability that though the CVSS scores for the flaws are fairly high , Solaris and Linux machines running software with lower user privileges will be considered to be at a lower risk than Windows environments that typically operate with admin privileges . MySQL was the target of 38 CVE-listed bug fixes this month , through just three of those are remotely exploitable . The two most serious , CVE-2018-11776 and CVE-2018-8014 , concern remote code flaws in MySQL Enterprise Monitor . PeopleSoft will see 24 bug fixes , 21 of which can be remotely targeted and seven that would not require any user interaction . Just one of the 24 flaws was given a CVSS base score higher than 7.2. in the Oracle listing . Sun products were the subject of 19 security fixes , including two remote code execution flaws in XCP Firmware . libssh bug more like `` oh SSH… '' Once admins get Vulnerability-related.PatchVulnerability the Oracle patches in place , they will want to take a close look at the write-up for CVE-2018-10933 , an authentication bypass for libssh that would allow an attacker to get into a target machine by sending a `` SSH2_MSG_USERAUTH_SUCCESS '' message when it expects a `` SSH2_MSG_USERAUTH_REQUEST '' message . That means any miscreant can log in without a password or other credential . As you can imagine , this is a very bad thing . Fortunately , the bug does not affect OpenSSH – and thus does not affect the hugely widespread sshd and ssh tools – but rather applications , such as KDE and XMBC , that use libssh as a dependency .

After scrambling to patch Vulnerability-related.PatchVulnerability a critical vulnerability late last month , Drupal is at it again . The open source content management project has issued Vulnerability-related.PatchVulnerability an unscheduled security update to augment its previous patch for Drupalgeddon2 . There was also a cross-site scripting bug advisory in mid-April . The latest Drupal core vulnerability , designated Vulnerability-related.DiscoverVulnerability , SA-CORE-2018-004 and assigned Vulnerability-related.DiscoverVulnerability CVE-2018-7602 , is related to the March SA-CORE-2018-002 flaw ( CVE-2018-7600 ) , according to the Drupal security team . It can be exploited Vulnerability-related.DiscoverVulnerability to take over a website 's server , and allow miscreants to steal information or alter pages . `` It is a remote code execution vulnerability , '' explained a member of the Drupal security team in an email to The Register . `` No more technical details beyond that are available . '' The vulnerability affects Vulnerability-related.DiscoverVulnerability at least Drupal 7.x and Drupal 8.x . And a similar issue has been found Vulnerability-related.DiscoverVulnerability in the Drupal Media module . In a blog post from earlier this month about the March patch , Dries Buytaert , founder of the Drupal project , observed Vulnerability-related.DiscoverVulnerability that all software has security issues and critical security bugs are rare . While the March bug is being actively exploited Vulnerability-related.DiscoverVulnerability , the Drupal security team says it 's unaware of any exploitation of the latest vulnerability . But it wo n't be long – those maintaining the project observed automated attacks appearing about two weeks after the SA-CORE-2018-002 notice . The fix is to upgrade Vulnerability-related.PatchVulnerability to the most recent version of Drupal 7 or 8 core . The latest code can be found at Drupal 's website . For those running 7.x , that means upgrading to Drupal 7.59 . For those running , 8.5.x , the latest version if 8.5.3 . And for those still on 8.4.x , there 's an upgrade to 8.4.8 , despite the fact that as an unsupported minor release , the 8.4.x line would not normally get Vulnerability-related.PatchVulnerability security updates . And finally , if you 're still on Drupal 6 , which is no longer officially supported , unofficial patches are being developed Vulnerability-related.PatchVulnerability here . Drupal users appear to be taking the release in stride , though with a bit of grumbling . `` Drupal Wednesday looks like the new Windows patch day , '' quipped designer Tom Binroth via Twitter . `` I would rather spend my time on creating new stuff than patching Vulnerability-related.PatchVulnerability Drupal core sites . ''

Last month , Microsoft Patch Tuesday addressed Vulnerability-related.PatchVulnerability 60 vulnerabilities that also included two zero-day flaws . This month also , the tech giant released Vulnerability-related.PatchVulnerability a huge patch update to mitigate Vulnerability-related.PatchVulnerability various flaws in its products . The Microsoft September patch fixed Vulnerability-related.PatchVulnerability around 61 different vulnerabilities . The patch bundle also included a fix for the recently discovered APLC zero-day vulnerability that has already created trouble . Recently , a zero-day vulnerability disclosed Vulnerability-related.DiscoverVulnerability on Twitter has created a lot of chaos as it was immediately exploited Vulnerability-related.DiscoverVulnerability in a malware campaign . The APLC zero-day flaw gained attention after a Twitter user with the alias SandboxEscaper disclosed Vulnerability-related.DiscoverVulnerability it in a tweet . Later , a CERT/CC researcher verified Vulnerability-related.DiscoverVulnerability the bug . This vulnerability in the Windows Task Scheduler allowed an attacker to gain System-level access . As promised at that time by the firm , the Microsoft September patch has addressed Vulnerability-related.PatchVulnerability this Advanced Local Procedure Call ( ALPC ) flaw . As disclosed Vulnerability-related.DiscoverVulnerability in their advisory , Microsoft acknowledged Vulnerability-related.DiscoverVulnerability the exploitation of this vulnerability ( CVE-2018-8440 ) . Explaining the details about the bug and the patch released Vulnerability-related.PatchVulnerability , Microsoft states , “ To exploit this vulnerability , an attacker would first have to log on to the system . An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system . The update addresses Vulnerability-related.PatchVulnerability the vulnerability by correcting how Windows handles calls to ALPC. ” Besides the single APLC zero-day flaw , Microsoft also patched Vulnerability-related.PatchVulnerability 61 other flaws in various products , including 17 critical vulnerabilities . The affected software receiving Vulnerability-related.PatchVulnerability the bug fixes include Microsoft Windows , Microsoft Edge , ChakraCore , Microsoft Office and Web Apps , Microsoft.Data.OData , Internet Explorer , ASP.NET and the .NET Framework . In addition , the Microsoft September patch also addressed Vulnerability-related.PatchVulnerability a flaw in the Adobe Flash Player ( CVE-2018-15967 ) . Although Adobe also released Vulnerability-related.PatchVulnerability a fix for this vulnerability along with other fixes released Vulnerability-related.PatchVulnerability this week in the September Update pack .

Valve has patched Vulnerability-related.PatchVulnerability a critical vulnerability in the Steam client which has lurked undetected for at least 10 years . The vulnerability impacts Vulnerability-related.DiscoverVulnerability all versions of the gaming platform . Tom Court , a security researcher hailing from Context Information Security , discovered Vulnerability-related.DiscoverVulnerability the bug and disclosed Vulnerability-related.DiscoverVulnerability his findings on Thursday . In a blog post , the researcher said Vulnerability-related.DiscoverVulnerability that left unpatched Vulnerability-related.PatchVulnerability , the bug permits threat actors to perform remote code execution ( RCE ) attacks . It was not until July last year that Valve added modern ASLR exploit protections to its Steam source code . However , this addition made sure that the vulnerability would only cause a client crash if exploited Vulnerability-related.DiscoverVulnerability -- unless a separate information leak vulnerability was also active in the exploit chain . Valve 's Steam software uses a custom protocol , known as the `` Steam Protocol , '' which is delivered on the top of UDP . The protocol registers packet length and the total reassembled datagram length ; however , the vulnerability was caused by a simple lack of checks to ensure that for the first packet of a fragmented datagram , the specified length was less than or equal to the total datagram length . All an attacker needed to do was to send a malformed UDP packet to trigger the exploit . `` This means that it is possible to supply a data_len smaller than packet_len and have up to 64kb of data ( due to the 2-byte width of the packet_len field ) copied to a very small buffer , resulting in an exploitable heap corruption , '' Court says . `` This seems like a simple oversight , given that the check was present for all subsequent packets carrying fragments of the datagram . '' The vulnerability was reported Vulnerability-related.DiscoverVulnerability to Valve on 20 February and was fixed Vulnerability-related.PatchVulnerability in a beta release less than 12 hours later . This patch was then pushed Vulnerability-related.PatchVulnerability to a stable release on 22 March . `` This was a very simple bug , made relatively straightforward to exploit due to a lack of modern exploit protections , '' Court says . `` The vulnerable code was probably very old , but as it was otherwise in good working order , the developers likely saw no reason to go near it or update their build scripts . '' `` The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards , even if the actual functionality of the code has remained unchanged , '' the researcher added .

Adobe has resolved Vulnerability-related.PatchVulnerability six critical updates in the company 's latest round of security fixes . On Tuesday , Adobe said in a security advisory that the update impacts Vulnerability-related.DiscoverVulnerability ColdFusion version 11 , as well as the 2016 and 2018 releases of the web application development platform . In total , six of the security flaws are deemed Vulnerability-related.DiscoverVulnerability critical . The first set of vulnerabilities -- CVE-2018-15965 , CVE-2018-15957 , CVE-2018-15958 , and CVE-2018-15959 -- relate to the deserialization of untrusted data . In addition , CVE-2018-15961 is a security flaw which permits unrestricted file uploads in the software , and the final critical bug , CVE-2018-15960 , is described as Vulnerability-related.DiscoverVulnerability `` use of a component with a known vulnerability '' which can cause arbitrary file overwrite . If exploited Vulnerability-related.DiscoverVulnerability , all of the above security flaws can lead to arbitrary code execution . Three other bugs in ColdFusion have also been resolved Vulnerability-related.PatchVulnerability . CVE-2018-15962 is a flaw within directory listings that can lead to information disclosure ; CVE-2018-15963 is a security bypass bug which could permit attackers to create arbitrary folders , and CVE-2018-15964 is another security flaw caused by the use of a component with a known vulnerability which may cause data leaks . Adobe also released Vulnerability-related.PatchVulnerability a fix for Adobe Flash Player on desktop Windows , macOS , and Linux machines , as well as Flash for Google Chrome on Windows , macOS , Linux , and Chrome OS , versions 30.0.0.154 and earlier . This security flaw , CVE-2018-15967 is listed Vulnerability-related.DiscoverVulnerability as an `` important '' privilege escalation bug which could lead to information disclosure . Originally , Microsoft listed Vulnerability-related.DiscoverVulnerability the same vulnerability as critical and one which enabled attackers to perform remote code execution attacks . However , Microsoft has now amended its advisory to reflect Adobe 's severity rating . Adobe is not aware of any reports suggesting Vulnerability-related.DiscoverVulnerability the vulnerabilities have been exploited Vulnerability-related.DiscoverVulnerability in the wild but recommends Vulnerability-related.PatchVulnerability that users accept the automatic updates as soon as possible . The tech giant thanked researchers including Matthias Kaiser of Code White GmbH , Gsrc from Venustech-Adlab , and Nick Bloor of Cognitous for reporting Vulnerability-related.DiscoverVulnerability the vulnerabilities . This month 's security fixes build Vulnerability-related.PatchVulnerability upon Adobe 's August patch update , in which 11 security flaws were resolved Vulnerability-related.PatchVulnerability , including critical vulnerabilities in Adobe Acrobat 2017 , Acrobat DC , and Acrobat Reader DC on Windows and macOS machines . In the same month , the tech giant also released Vulnerability-related.PatchVulnerability an out-of-schedule patch for Adobe Photoshop CC . The security update tackled Vulnerability-related.PatchVulnerability memory corruption bugs in the creative software which , if exploited Vulnerability-related.DiscoverVulnerability , could lead to code execution .