Researchers found they were able to infect robots with ransomware ; in the real world , such attacks could be highly damaging to businesses if robotic security is n't addressed . Ransomware has long been a headache for PC and smartphone users , but in the future , it could be robots that stop working unless a ransom is paid Attack.Ransom . Researchers at security company IOActive have shown how they managed to hack the humanoid NAO robot made by Softbank and infect one with custom-built ransomware . The researchers said the same attack would work on the Pepper robot too . After the infection , the robot is shown insulting its audience and demanding Attack.Ransom to be 'fed ' bitcoin cryptocurrency in order to restore systems back to normal . While a tiny robot making threats might initially seem amusing -- if a little creepy -- the proof-of-concept attack demonstrates the risks associated with a lack of security in robots and how organisations that employ robots could suddenly see parts of their business grind to a halt should they become a victim of ransomware . `` In order to get a business owner to pay a ransom Attack.Ransom to a hacker , you could make robots stop working . And , because the robots are directly tied to production and services , when they stop working they 'll cause a financial problem for the owner , losing money every second they 're not working , '' Cesar Cerrudo , CTO at IOActive Labs , told ZDNet . Taking what was learned in previous studies into the security vulnerabilities of robots , researchers were able to inject and run code in Pepper and NAO robots and take complete control of the systems , giving them the option to shut the robot down or modify its actions . The researchers said it was possible for an attacker with access to the Wi-Fi network the robot is running on to inject malicious code into the machine . `` The attack can come from a computer or other device that is connected to internet , so a computer gets hacked , and from there , the robot can be hacked since it 's in the same network as the hacked computer , '' said Cerrudo , who conducted the research alongside Lucas Apa , Senior Security Consultant at IOActive . Unlike computers , robots do n't yet store vast amounts of valuable information that the user might be willing to pay a ransom Attack.Ransom to retrieve . But , as companies often do n't have backups to restore systems from , if a robot becomes infected with ransomware , it 's almost impossible for the user to restore it to normal by themselves . If the alternative for a victim of robot ransomware is waiting for a technician to come to fix the robot -- or even losing access it to weeks if it needs to be returned to the manufacturer -- a business owner might view giving into the ransom demand Attack.Ransom as a lesser evil . `` If it 's one robot then it could take less time , but if there are dozens or more , every second they are n't working , the business is losing money . Keeping this in mind , shipping lots of robots takes a lot of time , so the financial impact is bigger when you have a computer compromised with ransomware , '' said Cerrudo . While the robot ransomware infections have been done for the purposes of research -- and presented at the 2018 Kaspersky Security Analyst Summit in Cancun , Mexico -- IOActive warn that if security in robotics is n't properly addressed now , there could be big risks in the near future . `` While we do n't see robots every day , they 're going mainstream soon , businesses worldwide are deploying robots for different services . If we do n't start making robots secure now , if more get out there which are easily hacked , there are very serious consequences , '' said Cerrudo . As with security vulnerabilities the Internet of Things and other products , the solution to this issue is for robotics manufacturers to think about cybersecurity at every step of the manufacturing process from day one . IOActive informed Softbank about the research in January but Cerrudo said : `` We do n't know if they [ Softbank ] are going to fix Vulnerability-related.PatchVulnerability the issues and when , or even if they can fix Vulnerability-related.PatchVulnerability the issues with the current design . '' Responding to the IOActive research , a Softbank spokesperson told ZDNet : `` We will continue to improve our security measures on Pepper , so we can counter any risks we may face . ''

Intel has issued Vulnerability-related.PatchVulnerability fresh `` microcode revision guidance '' that reveals it won ’ t address Vulnerability-related.PatchVulnerability the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it 's too tricky to remove the Spectre v2 class of vulnerabilities . The new guidance , issued April 2 , adds a “ stopped ” status to Intel ’ s “ production status ” category in its array of available Meltdown and Spectre security updates . `` Stopped '' indicates there will be no microcode patch to kill off Vulnerability-related.PatchVulnerability Meltdown and Spectre . The guidance explains that a chipset earns “ stopped ” status because , “ after a comprehensive investigation of the microarchitectures and microcode capabilities for these products , Intel has determined to not release Vulnerability-related.PatchVulnerability microcode updates for these products for one or more reasons. ” Those reasons are given as : Micro-architectural characteristics that preclude a practical implementation of features mitigating Vulnerability-related.PatchVulnerability [ Spectre ] Variant 2 ( CVE-2017-5715 ) Limited Commercially Available System Software support Based on customer inputs , most of these products are implemented as “ closed systems ” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities . Thus , if a chip family falls under one of those categories – such as Intel ca n't easily fix Vulnerability-related.PatchVulnerability Spectre v2 in the design , or customers do n't think the hardware will be exploited Vulnerability-related.DiscoverVulnerability – it gets a `` stopped '' sticker . To leverage the vulnerabilities , malware needs to be running on a system , so if the computer is totally closed off from the outside world , administrators may feel it 's not worth the hassle applying messy microcode , operating system , or application updates . `` Stopped '' CPUs that won ’ t therefore get Vulnerability-related.PatchVulnerability a fix are in the Bloomfield , Bloomfield Xeon , Clarksfield , Gulftown , Harpertown Xeon C0 and E0 , Jasper Forest , Penryn/QC , SoFIA 3GR , Wolfdale , Wolfdale Xeon , Yorkfield , and Yorkfield Xeon families . The new list includes various Xeons , Core CPUs , Pentiums , Celerons , and Atoms – just about everything Intel makes . Most the CPUs listed above are oldies that went on sale between 2007 and 2011 , so it is likely few remain in normal use . There ’ s some good news in the tweaked guidance : the Arrandale , Clarkdale , Lynnfield , Nehalem , and Westmere families that were previously un-patched Vulnerability-related.PatchVulnerability now have working fixes available Vulnerability-related.PatchVulnerability in production , apparently . “ We ’ ve now completed release Vulnerability-related.PatchVulnerability of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered Vulnerability-related.DiscoverVulnerability by Google Project Zero , '' an Intel spokesperson told The Reg . `` However , as indicated in our latest microcode revision guidance , we will not be providing Vulnerability-related.PatchVulnerability updated microcode for a select number of older platforms for several reasons , including limited ecosystem support and customer feedback. ” Now all Intel has to do is sort out a bunch of lawsuits , make sure future products don ’ t have similar problems , combat a revved-up-and-righteous AMD and Qualcomm in the data centre , find a way to get PC buyers interested in new kit again , and make sure it doesn ’ t flub emerging markets like IoT and 5G like it flubbed the billion-a-year mobile CPU market .

Microsoft today issued Vulnerability-related.PatchVulnerability an emergency security update to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability earlier this month to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability in January and February . In January and February , Redmond emitted Vulnerability-related.PatchVulnerability fixes for Windows 7 and Server 2008 R2 machines to counter Vulnerability-related.PatchVulnerability the Meltdown chip-level vulnerability in modern Intel x64 processors . Unfortunately , those patches blew Vulnerability-related.PatchVulnerability a gaping hole in the operating systems : normal applications and logged-in users could now access and modify any part of physical RAM , and gain complete control over a box , with the updates installed . Rather than stop programs and non-administrators from exploiting Meltdown to extract Attack.Databreach passwords and other secrets from protected kernel memory , the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM . Roll on March , and Microsoft pushed out Vulnerability-related.PatchVulnerability fixes on Patch Tuesday to correct Vulnerability-related.PatchVulnerability those January and February updates to close Vulnerability-related.PatchVulnerability the security vulnerability it accidentally opened . Except that March update did n't fully seal Vulnerability-related.PatchVulnerability the deal : the bug remained in Vulnerability-related.DiscoverVulnerability the kernel , and was exploitable by malicious software and users . Total Meltdown Now , if you 're using Windows 7 or Server 2008 R2 and have applied Vulnerability-related.PatchVulnerability Microsoft 's Meltdown patches , you 'll want to grab and install Vulnerability-related.PatchVulnerability today 's out-of-band update for CVE-2018-1038 . Swedish researcher Ulf Frisk discovered Vulnerability-related.DiscoverVulnerability the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken , and went public Vulnerability-related.DiscoverVulnerability with his findings once the March Patch Tuesday had kicked off . As it turns out , this month 's updates did not fully fix Vulnerability-related.PatchVulnerability things , and Microsoft has had to scramble to remedy Vulnerability-related.PatchVulnerability what was now a zero-day vulnerability in Windows 7 and Server 2008 . In other words , Microsoft has just had to put out Vulnerability-related.PatchVulnerability a patch for a patch for a patch . Hardly inspiring stuff , but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest . On the other hand , writing kernel-level memory management code is an absolute bastard at times , so you have to afford the devs some sympathy .

Microsoft 's patches for the Meltdown vulnerability have had a fatal flaw all these past months , according to Alex Ionescu , a security researcher with cyber-security firm Crowdstrike . Only patches for Windows 10 versions were affected Vulnerability-related.DiscoverVulnerability , the researcher wrote today in a tweet . Microsoft quietly fixed Vulnerability-related.PatchVulnerability the issue on Windows 10 Redstone 4 ( v1803 ) , also known as the April 2018 Update , released Vulnerability-related.PatchVulnerability on Monday . `` Welp , it turns out Vulnerability-related.PatchVulnerability the Meltdown patches for Windows 10 had a fatal flaw : calling NtCallEnclave returned back to user space with the full kernel page table directory , completely undermining the mitigation , '' Ionescu wrote . Microsoft issued Vulnerability-related.PatchVulnerability today an security update , but it was n't to backport the `` fixed '' Meltdown patches for older Windows 10 versions . Instead , the emergency update fixed Vulnerability-related.PatchVulnerability a vulnerability in the Windows Host Compute Service Shim ( hcsshim ) library ( CVE-2018-8115 ) that allows an attacker to remotely execute code on vulnerable systems . Microsoft classified Vulnerability-related.DiscoverVulnerability CVE-2018-8115 as a `` critical '' issues . A patched hcsshim file is available Vulnerability-related.PatchVulnerability for download from GitHub . `` We are aware and are working to provide Vulnerability-related.PatchVulnerability customers with an update , '' a Microsoft spokesperson told Bleeping Computer today in an email . It may be that if Microsoft does n't bundle these fixes in an out-of-band update , they will most likely arrive Vulnerability-related.PatchVulnerability in Microsoft 's May 2018 Patch Tuesday , but this is only our speculation . Microsoft released Vulnerability-related.PatchVulnerability its Meltdown and Spectre patches on January 4 , a day after security researchers disclosed Vulnerability-related.DiscoverVulnerability the two flaws , vulnerabilities that allow attackers to retrieve data from protected areas of modern CPUs . The Redmond-based OS maker has had a hard time patching Vulnerability-related.PatchVulnerability the two flaws , and the company recently issued Vulnerability-related.PatchVulnerability additional security updates to fix Vulnerability-related.PatchVulnerability the original Spectre mitigations , and also deliver Vulnerability-related.PatchVulnerability Intel CPU microcode updates , as a favor to Intel .

Adobe has emitted Vulnerability-related.PatchVulnerability software updates to address Vulnerability-related.PatchVulnerability a critical vulnerability in Flash Player for Windows , Mac , and Linux . PC owners and admins will want to upgrade Vulnerability-related.PatchVulnerability their copies of Flash to version 31.0.0.153 or later in order to get Vulnerability-related.PatchVulnerability the patch – or just dump the damn thing all together . The November 20 security update addresses Vulnerability-related.PatchVulnerability a single flaw , designated Vulnerability-related.DiscoverVulnerability CVE-2018-15981 . It is a type confusion bug that can be exploited Vulnerability-related.DiscoverVulnerability to achieve remote code execution . Basically , an attacker could slip the exploit code into a Flash .swf file , put it on a web page , and covertly install malware on any vulnerable machine that visits the page . Because Adobe does not maintain a fixed patching schedule Vulnerability-related.PatchVulnerability for Flash Player , this is n't technically considered an out-of-band band-aid . However , the update does come Vulnerability-related.PatchVulnerability just one week after Adobe pushed out Vulnerability-related.PatchVulnerability a handful of fixes for Patch Tuesday , including one for an information disclosure vulnerability in Flash Player . That Adobe would post Vulnerability-related.PatchVulnerability another update just one week after their last patch should underscore that CVE-2018-15981 is a serious enough vulnerability to be a priority fix Vulnerability-related.PatchVulnerability for users and admins . After installing Vulnerability-related.PatchVulnerability this latest fix , those who are tired of the constant security threats might also want to consider taking the advice of multiple security experts and developers and at least disable Flash by default if not permanently . The notoriously vulnerable plugin has long since been surpassed by HTML5 , and most major websites have already transitioned away from Flash , leaving it only really useful for specific sites and applications . Even Adobe wants to kill off Flash . The Photoshop giant has said that by 2020 it plans to formally retire the plugin once and for all .

Microsoft has rolled-out Vulnerability-related.PatchVulnerability security updates to fix Vulnerability-related.PatchVulnerability a critical remote code execution flaw affecting Vulnerability-related.DiscoverVulnerability Windows Defender and other anti-malware products . Ahead of April 's Patch Tuesday , Microsoft has released Vulnerability-related.PatchVulnerability patches for the critical flaw , which affects Vulnerability-related.DiscoverVulnerability Microsoft Malware Protection Engine , or mpengine.dll , the core of Windows Defender in Windows 10 . `` An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability this vulnerability could execute arbitrary code in the security context of the LocalSystem Account and take control of the system , '' warns Microsoft . `` An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights . '' Google Project Zero researcher Thomas Dullien , aka Halvar Flake , discovered Vulnerability-related.DiscoverVulnerability that attackers can trigger a memory-corruption issue in the engine if they can get Windows Defender and other affected Vulnerability-related.DiscoverVulnerability security products to scan a specially-crafted file . Microsoft warns there are many ways an attacker could achieve this , including placing the file on a website , in an email or instant message , on any site that hosts files , or in a shared directory . As with similar vulnerabilities reported Vulnerability-related.DiscoverVulnerability last year by the UK 's National Cyber Security Centre ( NCSC ) and Project Zero , an attack would be instant if the affected antivirus has real-time protection enabled . Although the patch is being released Vulnerability-related.PatchVulnerability before Microsoft 's monthly security update , the bug , CVE2018-0986 , is not an out-of-band patch as Microsoft updates Vulnerability-related.PatchVulnerability the engine as needed . Microsoft also notes that the default configuration for Microsoft 's anti-malware products in the enterprise is to automatically receive Vulnerability-related.PatchVulnerability updates .

Back in August we wrote about a security bugfix for Mikrotik routers that was reverse engineered and turned into a working exploit . Indeed , patches that fix Vulnerability-related.PatchVulnerability security vulnerabilities often end up giving away enough about the vulnerability that both good guys and bad guys alike can weaponise it from first principles – all without having to figure out the vulnerability in the first place . In the August 2018 case , dubbed CVE-2018-14847 , a crook could trick an unpatched Microtik router into coughing up the contents of any file on the device , including the password file . Worse still , the password file included plaintext passwords , with no salting , hashing or stretching , meaning that a security bypass bug could be parlayed into a credential compromise . The perils of late patching What we didn ’ t know back then was that security researchers at Tenable had responsibly disclosed Vulnerability-related.DiscoverVulnerability another bunch of Mikrotik router bugs at about the same time . These bugs were serious – indeed , one of them allows a attacker to run any program of their choosing , just by making a web request to the router . This sort of hole is known , for rather obvious reasons , as an RCE , short for Remote Code Execution . Tenable ’ s bugs , however , were what ’ s known as “ authenticated vulnerabilities ” , meaning that you had to be logged in first in order to be able to exploit them . Security holes that require pre-authentication may seem harmless at first sight – after all , if you already have a username and password , or some other access token , that gives you access to a system… …well , you ’ re already in , so it sounds as though breaking in again can be dismissed as an irrelevancy . The good news is that Mikrotik has already patched Vulnerability-related.PatchVulnerability Tenable ’ s now-disclosed bugs , dubbed CVE-2018-1156 , -1157 , -1158 and -1159 . Make sure you have the latest Mikrotik firmware updates , which are : 6.40.9 , 6.42.7 or 6.43 , depending on whether you ’ re using the current , previous or pre-previous version . If you ’ re a Mikrotik user , skipping the latest patch leaves you at risk , but if you still haven ’ t applied the previous patch , you ’ re in double trouble . With both patches missing , you ’ re open to an unauthenticated password disclosure bug that could then be chained with the newer authenticated remote code execution bug . In other words , instead of anyone being able to get some access , or some people being able to get full access , anyone could get full access by pivoting from CVE-2018-14847 to CVE-2018-1156 , the RCE flaw .

Remember when the sky -- or at least Ryzen -- was falling ? You should , because it was only a few months ago , when the CTS Labs security company revealed Vulnerability-related.DiscoverVulnerability numerous vulnerabilities in AMD 's new Ryzen and EPYC processor lines . AMD has been largely quiet about these vulnerabilities in the time since , but the company assured Tom 's Hardware that it has n't forgotten about CTS Labs ' report or neglected to address Vulnerability-related.PatchVulnerability the flaws in its processors . A quick recap : In March , CTS Labs released information Vulnerability-related.DiscoverVulnerability on a collection of vulnerabilities in AMD 's latest chips that it dubbed `` Ryzenfall . '' These security flaws were said to be present in Vulnerability-related.DiscoverVulnerability the most basic aspects of the Ryzen and EPYC processors , and after consulting with other researchers , CTS Labs decided to publish Vulnerability-related.DiscoverVulnerability its findings without giving AMD the customary 90-day notice between a vulnerability's discovery Vulnerability-related.DiscoverVulnerability and its public disclosure Vulnerability-related.DiscoverVulnerability . Earlier this week , CTS Labs emailed us to express concern about the lack of updates Vulnerability-related.PatchVulnerability from AMD regarding these vulnerabilities . The company said it believed many of the vulnerabilities would take months to fix Vulnerability-related.PatchVulnerability , with the Chimera issues requiring a hardware change that could n't be implemented in products that have already shipped . AMD 's relative silence and lack of updates Vulnerability-related.PatchVulnerability apparently led CTS Labs to believe the company had stalled out . We reached out to AMD for comment and received the following in response : Within approximately 30 days of being notified Vulnerability-related.DiscoverVulnerability by CTS Labs , AMD released Vulnerability-related.PatchVulnerability patches to our ecosystem partners mitigating Vulnerability-related.PatchVulnerability all of the CTS identified vulnerabilities on our EPYC™ platform as well as patches mitigating Vulnerability-related.PatchVulnerability Chimera across all AMD platforms . These patches are in final testing with our ecosystem partners in advance of being released publicly Vulnerability-related.PatchVulnerability . We remain on track to begin releasing Vulnerability-related.PatchVulnerability patches to our ecosystem partners for the other products identified in the report this month . We expect these patches to be released publicly Vulnerability-related.PatchVulnerability as our ecosystem partners complete their validation work . That 's still vague -- we do n't know to what `` ecosystem partners '' these patches have been delivered Vulnerability-related.PatchVulnerability nor when they should be expected to roll out -- but it does show that AMD has n't simply forgotten about CTS Labs ' report . We expect to hear more about these patches and how AMD plans to address Vulnerability-related.PatchVulnerability them as the company and its partners get them ready to ship . In the meantime , it seems that much like the sky , Ryzen has yet to fall .

Google disclosed Vulnerability-related.DiscoverVulnerability a flaw in Microsoft Edge earlier this week , after Microsoft failed to patch Vulnerability-related.PatchVulnerability the bug in time . Now Google ’ s Project Zero team of security researchers are disclosing Vulnerability-related.DiscoverVulnerability yet another Windows 10 security flaw that Microsoft has again failed to patch Vulnerability-related.PatchVulnerability before Google ’ s imposed 90-day period . Neowin spotted that Google reported Vulnerability-related.DiscoverVulnerability two bugs to Microsoft in November , but the company only addressed Vulnerability-related.PatchVulnerability one of them with its recent Patch Tuesday fixes . The latest unpatched issue is an Elevation of Privilege which allows a normal user to gain administrator privileges on a system . Microsoft has rated Vulnerability-related.DiscoverVulnerability the flaw as “ important , ” but not “ critical ” as it can ’ t be exploited Vulnerability-related.DiscoverVulnerability remotely . It ’ s still an important issue to fix Vulnerability-related.PatchVulnerability , as an attacker could potentially combine this with a separate unknown remote code execution to gain administrator access , although that ’ s an unlikely scenario unless Microsoft doesn ’ t address Vulnerability-related.PatchVulnerability it promptly . It ’ s not clear when Microsoft intends to address Vulnerability-related.PatchVulnerability the latest security flaw in Windows 10 , and the company still needs to solve Vulnerability-related.PatchVulnerability the Edge vulnerability that was disclosed Vulnerability-related.DiscoverVulnerability by Google earlier this week . Microsoft hit back at Google ’ s approach to security patches last year , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . Google ’ s policy to disclose after 90 days without a patch is often criticized and applauded in equal measure . There ’ s plenty of evidence to suggest security vulnerabilities are increasing in Windows and across the industry , and Microsoft has clearly struggled to fix Vulnerability-related.PatchVulnerability these two issues with plenty of notice . It can also be argued that Google is making rival software more secure with its efforts , making everyone ’ s software secure . However , Google also has competitive commercial interests , and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities . Reports suggest Google ’ s Project Zero security team originated from the fallout around the 2009 Google hack , an intrusion blamed on an unpatched flaw in Microsoft ’ s Internet Explorer 6 browser . Google makes exceptions to its strict rules , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability .

Google disclosed Vulnerability-related.DiscoverVulnerability a flaw in Microsoft Edge earlier this week , after Microsoft failed to patch Vulnerability-related.PatchVulnerability the bug in time . Now Google ’ s Project Zero team of security researchers are disclosing Vulnerability-related.DiscoverVulnerability yet another Windows 10 security flaw that Microsoft has again failed to patch Vulnerability-related.PatchVulnerability before Google ’ s imposed 90-day period . Neowin spotted that Google reported Vulnerability-related.DiscoverVulnerability two bugs to Microsoft in November , but the company only addressed Vulnerability-related.PatchVulnerability one of them with its recent Patch Tuesday fixes . The latest unpatched issue is an Elevation of Privilege which allows a normal user to gain administrator privileges on a system . Microsoft has rated Vulnerability-related.DiscoverVulnerability the flaw as “ important , ” but not “ critical ” as it can ’ t be exploited Vulnerability-related.DiscoverVulnerability remotely . It ’ s still an important issue to fix Vulnerability-related.PatchVulnerability , as an attacker could potentially combine this with a separate unknown remote code execution to gain administrator access , although that ’ s an unlikely scenario unless Microsoft doesn ’ t address Vulnerability-related.PatchVulnerability it promptly . It ’ s not clear when Microsoft intends to address Vulnerability-related.PatchVulnerability the latest security flaw in Windows 10 , and the company still needs to solve Vulnerability-related.PatchVulnerability the Edge vulnerability that was disclosed Vulnerability-related.DiscoverVulnerability by Google earlier this week . Microsoft hit back at Google ’ s approach to security patches last year , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . Google ’ s policy to disclose after 90 days without a patch is often criticized and applauded in equal measure . There ’ s plenty of evidence to suggest security vulnerabilities are increasing in Windows and across the industry , and Microsoft has clearly struggled to fix Vulnerability-related.PatchVulnerability these two issues with plenty of notice . It can also be argued that Google is making rival software more secure with its efforts , making everyone ’ s software secure . However , Google also has competitive commercial interests , and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities . Reports suggest Google ’ s Project Zero security team originated from the fallout around the 2009 Google hack , an intrusion blamed on an unpatched flaw in Microsoft ’ s Internet Explorer 6 browser . Google makes exceptions to its strict rules , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability .

Microsoft this week released Vulnerability-related.PatchVulnerability software updates to fix Vulnerability-related.PatchVulnerability roughly 50 security problems with various versions of its Windows operating system and related software , including one flaw that is already being exploited Vulnerability-related.DiscoverVulnerability and another for which exploit code is publicly available . The zero-day bug — CVE-2018-8453 — affects Vulnerability-related.DiscoverVulnerability Windows versions 7 , 8.1 , 10 and Server 2008 , 2012 , 2016 and 2019 . According to security firm Ivanti , an attacker first needs to log into the operating system , but then can exploit this vulnerability to gain administrator privileges . Another vulnerability patched Vulnerability-related.PatchVulnerability on Tuesday — CVE-2018-8423 — was publicly disclosed Vulnerability-related.DiscoverVulnerability last month along with sample exploit code . This flaw involves a component shipped on all Windows machines and used by a number of programs , and could be exploited Vulnerability-related.DiscoverVulnerability by getting a user to open a specially-crafted file — such as a booby-trapped Microsoft Office document . KrebsOnSecurity has frequently suggested that Windows users wait a day or two after Microsoft releases Vulnerability-related.PatchVulnerability monthly security updates before installing the fixes , with the rationale that occasionally buggy patches can cause serious headaches for users who install them before all the kinks are worked out . This month , Microsoft briefly paused Vulnerability-related.PatchVulnerability updates for Windows 10 users after many users reported losing all of the files in their “ My Documents ” folder . The worst part ? Rolling back to previous saved versions of Windows prior to the update did not restore the files . Microsoft appears to have since fixed Vulnerability-related.PatchVulnerability the issue , but these kinds of incidents Vulnerability-related.PatchVulnerability illustrate the value of not only waiting a day or two to install updates but also manually backing up your data prior to installing patches ( i.e. , not just simply counting on Microsoft ’ s System Restore feature to save the day should things go haywire ) . Mercifully , Adobe has spared Vulnerability-related.PatchVulnerability us an update this month for its Flash Player software , although it has shipped Vulnerability-related.PatchVulnerability a non-security update for Flash .

The chipmaker says the patches will arrive Vulnerability-related.PatchVulnerability within a few weeks and AMD device owners shouldn ’ t worry about the reported flaws Vulnerability-related.DiscoverVulnerability . AMD is addressing Vulnerability-related.PatchVulnerability several vulnerabilities discovered Vulnerability-related.DiscoverVulnerability in its Ryzen and EPYC chips , and rolling out Vulnerability-related.PatchVulnerability updates for millions of devices `` in the coming weeks . '' The 13 vulnerabilities came to public Vulnerability-related.DiscoverVulnerability attention clouded in controversy . The security company CTS Labs gave AMD less than 24 hours notice before releasing the information to the public . Standard vulnerability disclosure Vulnerability-related.DiscoverVulnerability practices call for giving companies at least 90 days ' notice so they can fix Vulnerability-related.PatchVulnerability the flaws before researchers go public Vulnerability-related.DiscoverVulnerability and hackers can start causing trouble . Had CTS Labs given AMD that same courtesy , the issues would have been addressed Vulnerability-related.PatchVulnerability within a week of the notification . `` Each of the issues cited can be mitigated Vulnerability-related.PatchVulnerability through firmware patches and a standard BIOS update , which we plan to release Vulnerability-related.PatchVulnerability in the coming weeks , '' said Sarah Youngbauer , AMD 's senior spokeswoman . `` We believe this provides a good example of why the more standard 90-day notification window for such notifications exist . '' In the original vulnerability report Vulnerability-related.DiscoverVulnerability , CTS Labs said that it would take `` several months '' to fix Vulnerability-related.PatchVulnerability the issues and that some hardware flaws `` cannot be fixed Vulnerability-related.PatchVulnerability . '' AMD disagreed with that timeline , and said it would provide more information in several weeks . The chipmaker said the issues were not with its hardware , but with firmware , or software that 's embedded in hardware . It 'll be sending Vulnerability-related.PatchVulnerability fixes for all 13 vulnerabilities through patches and BIOS updates . According to AMD 's technical assessment , each of the flaws required administrative access . `` Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research , '' Papermaster said in a statement . Critics also took issue with another aspect of the CTS Labs report , pointing out the legal disclaimer on the company 's website : `` You are advised that we may have , either directly or indirectly , an economic interest in the performance of the securities of the companies whose products are the subject of our reports . '' Last Wednesday , CTS Labs ' chief financial officer and co-founder , Yaron Luk-Zilberman , a former hedge fund manager , said it did n't have `` any investment ( long or short ) in Intel or AMD . ''

Apple has issued Vulnerability-related.PatchVulnerability an update to fix Vulnerability-related.PatchVulnerability a number of issues in macOS Mojave leading to arbitrary code execution , the ability to read restricted memory and access local users Apple IDs among others . All were patched Vulnerability-related.PatchVulnerability with the release of macOS Mojave 10.14 on Sept 24. applePatchapplePatch The first issue , CVE-2018-5383 , impacted Vulnerability-related.DiscoverVulnerability a number of iMac , MacBook Air , Mac Pro and Mac mini server products . An input validation issue existed in Vulnerability-related.DiscoverVulnerability Bluetooth was fixed Vulnerability-related.PatchVulnerability that could have allowed an attacker in a privileged network position to intercept Bluetooth traffic . The App Store also patched Vulnerability-related.PatchVulnerability CVE-2018-4324 , an issue in the handling of Apple ID that could have been exploited Vulnerability-related.DiscoverVulnerability by a malicious application that would expose the Apple ID of the computer ’ s owner . Also , a validation issue that could expose Apple IDs was in Auto Unlock that was patched Vulnerability-related.PatchVulnerability with improved validation of the process entitlement . CVE-2018-4353 impacted Vulnerability-related.DiscoverVulnerability the application firewall where a sandboxed process may be able to circumvent sandbox restrictions , but this was addressed Vulnerability-related.PatchVulnerability by adding additional restrictions . In Crash Reporter a validation issue , CVE-2018-4333 , was addressed Vulnerability-related.PatchVulnerability that if exploited Vulnerability-related.DiscoverVulnerability would allow a malicious application to read restricted memory . Two Kernel problems were fixed Vulnerability-related.PatchVulnerability , CVE-2018-4336 and CVE-2018-4344 , that could let an application may be able to execute arbitrary code with kernel privileges . The final problem , CVE-2016-1777 , effected Security where an attacker could exploit a weaknesses in the RC4 cryptographic algorithm and was fixed Vulnerability-related.PatchVulnerability by removing RC4 .

A flaw in Safari – that allows an attacker to spoof Attack.Phishing websites and trick Attack.Phishing victims into handing over their credentials – has yet to be patched Vulnerability-related.PatchVulnerability . A browser address bar spoofing flaw was found Vulnerability-related.DiscoverVulnerability by researchers this week in Safari – and Apple has yet issue Vulnerability-related.PatchVulnerability a patch for the flaw . Researcher Rafay Baloch on Monday disclosed Vulnerability-related.DiscoverVulnerability two proof-of-concepts revealing Vulnerability-related.DiscoverVulnerability how vulnerabilities in Edge browser 42.17134.1.0 and Safari iOS 11.3.1 could be abused to manipulate the browsers ’ address bars , tricking victims into thinking they are visiting a legitimate website . Baloch told Threatpost Wednesday that Apple has promised to fix Vulnerability-related.PatchVulnerability the flaw in its next security update for Safari . “ Apple has told [ me ] that the latest beta of iOS 12 also addresses Vulnerability-related.PatchVulnerability the issue , however they haven ’ t provided any dates , ” he said . Apple did not respond to multiple requests for comment from Threatpost . Microsoft for its part has fixed Vulnerability-related.PatchVulnerability the vulnerability Baloch found Vulnerability-related.DiscoverVulnerability in the Edge browser , ( CVE-2018-8383 ) in its August Patch Tuesday release . According to Microsoft ’ s vulnerability advisory released Vulnerability-related.PatchVulnerability August 14 , the spoofing flaw exists because Edge does not properly parse HTTP content . Both flaws stem from the Edge and Safari browsers allowing JavaScript to update the address bar while the page is still loading . This means that an attacker could request data from a non-existent port and , due to the delay induced by the setInterval function , trigger the address bar spoofing . The browser would then preserve the address bar and load the content from the spoofed page , Baloch said in his blog breaking down both vulnerabilities . From there , the attacker could spoof Attack.Phishing the website , using it to lure Attack.Phishing in victims and potentially gather credentials or spread malware . For instance , the attacker could send Attack.Phishing an email message containing the specially crafted URL to the user , convince the user to click it , and take them to the link which could gather their credentials or sensitive information . “ As per Google , Address bar is the only reliable indicator for ensuring the identity of the website , if the Address bar points to Facebook.com and the content is hosted on attacker ’ s website , there is no reason why someone would not fall for this , ” Baloch told Threatpost . In a video demonstration , Baloch showed how he could visit a link for the vulnerable browser on Edge ( http : //sh3ifu [ . ] com/bt/Edge-Spoof.html ) , which would take him to a site purporting to be Attack.Phishing Gmail login . However , while the URL points to a Gmail address , the content is hosted on sh3ifu.com , said Baloch . The Safari proof-of-concept is similar , except for one constraint where it does not allow users to type their information into the input boxes while the page is in a loading state . However , Bolach said he was able to circumvent this restriction by injecting a fake keyboard using Javascript – a common practice in banking sites . No other browsers – including Chrome or Firefox – were discovered Vulnerability-related.DiscoverVulnerability to have the flaw , said Baloch . Baloch is known for discovering Vulnerability-related.DiscoverVulnerability similar vulnerabilities in Chrome , Firefox and other major browsers in 2016 , which also allowed attackers to spoof URLs in the address bar . The vulnerabilities were disclosed Vulnerability-related.DiscoverVulnerability to both Microsoft and Apple and Baloch gave both a 90-day deadline before he went public Vulnerability-related.DiscoverVulnerability with the flaws . Due to the Safari browser bug being unpatched Vulnerability-related.PatchVulnerability , Baloch said he has not yet released a Proof of Concept : “ However considering there is a slight difference between the Edge browser POC and Safari , anyone with decent knowledge of Javascript can make it work on Safari , ” he told us .

The device manufacturer acquired St Jude Medical last year and has since been working to fix Vulnerability-related.PatchVulnerability severe vulnerabilities found in Vulnerability-related.DiscoverVulnerability its pacemakers . Abbott released Vulnerability-related.PatchVulnerability its second and final round of planned cybersecurity updates to its pacemakers , programmers and remote monitoring systems to fix Vulnerability-related.PatchVulnerability severe cybersecurity flaws in the devices . The patch will update Vulnerability-related.PatchVulnerability the battery performance alert , allowing the device to monitor for abnormal battery behavior and automatically vibrate to tell the patient when something is wrong . The planned updates began last year , and the latest firmware update was approved Vulnerability-related.PatchVulnerability by the Food and Drug Administration last week . The update applies to Vulnerability-related.PatchVulnerability about 350,000 of Abbott ’ s implantable cardioverter defibrillators and implantable cardiac resynchronization therapy defibrillators . The devices were originally manufactured by St Jude Medical , which Abbott acquired last year . At that time , St Jude was under fire for remaining quiet about defibrillator issues that caused rapid battery depletion . The FDA found St Jude continued to ship these devices despite knowing about the defect . In fact , the agency found those flaws caused patient deaths . The flaws , made public Vulnerability-related.DiscoverVulnerability in 2016 by Muddy Waters and security firm MedSec , could allow an unauthorized user to access the defibrillaors and modify the programming controls . Since acquiring St Jude , Abbott has been working to patch Vulnerability-related.PatchVulnerability those vulnerabilities . The FDA ’ s recall notice said the firmware update will reduce the risk of patient harm due to premature battery depletion and potential exploitation of the flaws in the devices . The update will effectively complete the necessary patches to prevent unauthorized access . The update is not a response to any new flaws , but are merely a continuation of last year ’ s patches , according to officials . `` Technology and its security are always evolving , and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients , '' said Robert Ford , executive vice president of medical devices at Abbott , in a statement .

The device manufacturer acquired St Jude Medical last year and has since been working to fix Vulnerability-related.PatchVulnerability severe vulnerabilities found in Vulnerability-related.DiscoverVulnerability its pacemakers . Abbott released Vulnerability-related.PatchVulnerability its second and final round of planned cybersecurity updates to its pacemakers , programmers and remote monitoring systems to fix Vulnerability-related.PatchVulnerability severe cybersecurity flaws in the devices . The patch will update Vulnerability-related.PatchVulnerability the battery performance alert , allowing the device to monitor for abnormal battery behavior and automatically vibrate to tell the patient when something is wrong . The planned updates began last year , and the latest firmware update was approved Vulnerability-related.PatchVulnerability by the Food and Drug Administration last week . The update applies to Vulnerability-related.PatchVulnerability about 350,000 of Abbott ’ s implantable cardioverter defibrillators and implantable cardiac resynchronization therapy defibrillators . The devices were originally manufactured by St Jude Medical , which Abbott acquired last year . At that time , St Jude was under fire for remaining quiet about defibrillator issues that caused rapid battery depletion . The FDA found St Jude continued to ship these devices despite knowing about the defect . In fact , the agency found those flaws caused patient deaths . The flaws , made public Vulnerability-related.DiscoverVulnerability in 2016 by Muddy Waters and security firm MedSec , could allow an unauthorized user to access the defibrillaors and modify the programming controls . Since acquiring St Jude , Abbott has been working to patch Vulnerability-related.PatchVulnerability those vulnerabilities . The FDA ’ s recall notice said the firmware update will reduce the risk of patient harm due to premature battery depletion and potential exploitation of the flaws in the devices . The update will effectively complete the necessary patches to prevent unauthorized access . The update is not a response to any new flaws , but are merely a continuation of last year ’ s patches , according to officials . `` Technology and its security are always evolving , and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients , '' said Robert Ford , executive vice president of medical devices at Abbott , in a statement .

Adobe has released Vulnerability-related.PatchVulnerability a priority update to plug Vulnerability-related.PatchVulnerability a critical security flaw in its popular Flash Player on Windows . As per an official announcement by the company , the latest patch will address Vulnerability-related.PatchVulnerability issues in Adobe Flash Player 29.0.0.171 and other earlier versions . The vulnerabilities , according to Adobe , are being used by hackers to embed malicious content distributed via email . Security firm Icebrg on Thursday announced Vulnerability-related.DiscoverVulnerability that a zero-day vulnerability has led to exploitation in Adobe Flash specifically targeted towards users in the Middle East . The vulnerability ( CVE-2018-5002 ) enables attackers to execute certain actions by executing code on the victims ' computers . As per the blog post , the exploit uses a Microsoft Office document for the attack . To circumvent the fact that Adobe Flash is blocked on most browsers , the exploit involves loading Flash Player from within Microsoft Office . The flaw was reported Vulnerability-related.DiscoverVulnerability by Icebrg in collaboration with Qihoo 360 Core Security . `` While this attack leveraged a zero-day exploit , individual attacker actions do not happen in isolation . There are several other behavioural aspects that can be used for detection . Any single observable might be low confidence but multiple observables clustered might be indicative of suspicious or malicious activity , '' said Icebrg staff in its blog post . Of course , this is not the first instance wherein Flash Player 's vulnerabilities have been exploited Vulnerability-related.DiscoverVulnerability . Back in October last year , the company had issued Vulnerability-related.PatchVulnerability a security patch to fix Vulnerability-related.PatchVulnerability a critical leak . Users have been strongly recommended to update Adobe Flash in order to avoid any such vulnerabilities seeping into your machines . The update , however , is not a guarantee towards protection against future discrepancies . It is thus advised to enable flash on only a secondary browser that is not used majorly on the computer .