Hacker used flaw in web server to access Attack.Databreach data uploaded to website of holiday and travel association . Hackers used a flaw in the web server running the website of ABTA , the UK 's largest holiday and travel association , to access Attack.Databreach the data of as many as 43,000 people . ABTA CEO Mark Tanzer says an `` external infiltrator '' used a vulnerability in the firm 's web server to access Attack.Databreach data provided by its members and some of those members ' customers . ABTA is the UK 's largest travel association , representing travel agents and tour operators that sell £32bn of holidays and other travel each year . It said the unauthorised access Attack.Databreach -- on 27 February 2017 -- may have affected 43,000 individuals . Around 1,000 of the accessed files may include personal identity information relating to customers of ABTA members , submitted in support of their complaint about an ABTA member . These files relate to complaints uploaded to ABTA after 11 January 2017 . Additionally , around 650 files may include personal identity information of ABTA members . But Tanzer said : `` We are not aware of any information being shared Attack.Databreach beyond the infiltrator . '' The travel trade association said the vast majority of the 43,000 were people who had registered on abta.com , with email addresses and encrypted passwords , or have filled in an online form with basic contact details `` which are types of data at a very low exposure risk to identity theft or online fraud '' . Once it became aware of the intrusion , ABTA notified the third-party suppliers of the abta.com website , who immediately fixed Vulnerability-related.PatchVulnerability the vulnerability , and the association hired risk consultants to assess the potential extent of the incident . It has also alerted the Information Commissioner and the police . `` It is extremely disappointing that our web server , managed for ABTA through a third party web developer and hosting company , was compromised , and we are taking every step we can to help those affected , '' said Tanzer . ABTA said Vulnerability-related.DiscoverVulnerability its own systems remained secure and the vulnerability was in the web server for abta.com , which is managed for ABTA through a third-party web developer and hosting company . The association said that ABTA members or members of the public who have registered on abta.com should immediately change their password and , if they used this password or any variation of it for other accounts , they should change that too . It said ABTA members who have used ABTA 's online self-service facility to upload supporting documentation relating to their membership may have had their data accessed Attack.Databreach , and `` should remain vigilant regarding online and identity fraud '' .

Splunk recently addressed Vulnerability-related.PatchVulnerability several vulnerabilities in Enterprise and Light products , some of them have been rated “ high severity. ” Splunk Enterprise solution allows organizations to aggregate , search , analyze , and visualize data from various sources that are critical to business operations . The Splunk Light is a comprehensive solution for small IT environments that automates log analysis and integrate server and network monitoring . “ To mitigate these issues , Splunk recommends upgrading Vulnerability-related.PatchVulnerability to the latest release and applying Vulnerability-related.PatchVulnerability as many of the Hardening Standards from the Securing Splunk documentation as are relevant to your environment . Splunk Enterprise and Splunk Light releases are cumulative , meaning that future releases will contain fixes to these vulnerabilities , new features and other bug fixes , ” reads the advisory published Vulnerability-related.PatchVulnerability by Splunk . The most severe issue fixed Vulnerability-related.PatchVulnerability by the company is a high severity cross-site scripting ( XSS ) flaw in the Web interface , tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-7427 , that received the CVSS score of 8.1 . Another severe vulnerability is a DoS flaw tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-7432 that could be exploited Vulnerability-related.DiscoverVulnerability using malicious HTTP requests sent to Splunkd that is the system process that handles indexing , searching and forwarding . This issue was tracked as Vulnerability-related.DiscoverVulnerability “ medium severity ” by the company . The company also addressed Vulnerability-related.PatchVulnerability a denial-of-service ( DoS ) vulnerability , tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-7429 , that could be exploited Vulnerability-related.DiscoverVulnerability by an attacker by sending a specially crafted HTTP request to Splunkd . The last flaw addressed Vulnerability-related.PatchVulnerability by the vendor , tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-7431 , is a path traversal issue that allows an authenticated attacker to download arbitrary files from the vendor Django app . The vulnerability has been rated Vulnerability-related.DiscoverVulnerability “ medium severity. ” The vendor declared it has found Vulnerability-related.DiscoverVulnerability no evidence that these vulnerabilities have been exploited Vulnerability-related.DiscoverVulnerability in attacks in the wild .

For more than a month , at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors , DDoS bots , cryptocurrency miners , or ransomware , depending if the machine is running Linux or Windows . For their attacks , the groups are using a zero-day in Apache Struts , disclosed Vulnerability-related.DiscoverVulnerability and immediately fixed Vulnerability-related.PatchVulnerability last month by Apache . The vulnerability , CVE-2017-5638 , allows an attacker to execute commands on the server via content uploaded to the Jakarta Multipart parser component , deployed in some Struts installations . Attackers initially focused on Linux server . According to cyber-security firms F5 , attacks started as soon as Cisco Talos researchers revealed Vulnerability-related.DiscoverVulnerability the zero-day 's presence and several proof-of-concept exploits were published Vulnerability-related.DiscoverVulnerability online . Since early March , attacks have slowly evolved . F5 experts say that in the beginning , attackers targeted Struts instances running on Linux servers , where they would end up installing the PowerBot malware , an IRC-controlled DDoS bot also known as PerlBot or Shellbot . In later attacks , some groups switched to installing a cryptocurrency miner called `` minerd '' that mined for the Monero cryptocurrency . In other attacks reported by the SANS Technology Institute , some attackers installed Perl backdoors . Recent attacks also targeted Struts running on Windows Both SANS and F5 experts report that after March 20 , one of these groups switched to targeting Struts instances installed on Windows systems . Using a slightly modified exploit code , attackers executed various shell commands to run the BITSAdmin utility and then downloaded ( via Windows ' built-in FTP support ) the Cerber ransomware . From this point on , Cerber took over , encrypted files , and displayed its standard ransom note , leaving victims no choice but pay the ransom demand Attack.Ransom or recover data from backups . `` The attackers running this [ Cerber ] campaign are using the same Bitcoin ID for a number of campaigns , '' the F5 team said . `` This particular account has processed 84 bitcoins [ ~ $ 100,000 ] . '' F5 experts also noted that , on average , roughly 2.2 Bitcoin ( ~ $ 2,600 ) go in and out of this particular wallet on a daily basis . The most recent payments dates to today . It is worth mentioning that F5 published their findings last week , on March 29 . Today , SANS detailed similar findings , meaning the campaign spreading Cerber ransomware via Struts on Windows is still going strong . A patch for Apache Struts servers is available Vulnerability-related.PatchVulnerability on the Struts website . Struts is an open source MVC framework for creating modern Java web applications , and its widely used in enterprise environments , for both Intranets and public websites . Some of the initial attacks on Struts-based applications have been tracked by cyber-security firm AlienVault .

Technology companies are starting to respond to a new Wi-Fi exploit affecting Vulnerability-related.DiscoverVulnerability all modern Wi-Fi networks using WPA or WPA2 encryption . The security vulnerabilities allow attackers to read Wi-Fi traffic between devices and wireless access points , and in some cases even modify it to inject malware into websites . Security researchers claim Vulnerability-related.DiscoverVulnerability devices running macOS , Windows , iOS , Android , and Linux will be affected Vulnerability-related.DiscoverVulnerability by the vulnerabilities . Microsoft says it has already fixed Vulnerability-related.PatchVulnerability the problem for customers running supported versions of Windows . “ We have released Vulnerability-related.PatchVulnerability a security update to address Vulnerability-related.PatchVulnerability this issue , ” says a Microsoft spokesperson in a statement to The Verge . “ Customers who apply Vulnerability-related.PatchVulnerability the update , or have automatic updates enabled , will be protected . We continue to encourage customers to turn on automatic updates to help ensure they are protected. ” Microsoft says the Windows updates released Vulnerability-related.PatchVulnerability on October 10th protect customers , and the company “ withheld disclosure Vulnerability-related.DiscoverVulnerability until other vendors could develop and release Vulnerability-related.PatchVulnerability updates. ” While it looks like Android and Linux devices are affected Vulnerability-related.DiscoverVulnerability by the worst part of the vulnerabilities , allowing attackers to manipulate websites , Google has promised Vulnerability-related.PatchVulnerability a fix for affected devices “ in the coming weeks. ” Google ’ s own Pixel devices will be the first to receive Vulnerability-related.PatchVulnerability fixes with security patch level of November 6 , 2017 , but most other handsets are still well behind even the latest updates . Security researchers claim Vulnerability-related.DiscoverVulnerability 41 percent of Android devices are vulnerable Vulnerability-related.DiscoverVulnerability to an “ exceptionally devastating ” variant of the Wi-Fi attack that involves manipulating traffic , and it will take time to patch Vulnerability-related.PatchVulnerability older devices . The Verge has reached out to a variety of Android phone makers to clarify when security patches will reach Vulnerability-related.PatchVulnerability handsets , and we ’ ll update you accordingly . At the time of writing , Apple has not yet clarified Vulnerability-related.DiscoverVulnerability whether the latest versions of macOS and iOS are vulnerable Vulnerability-related.DiscoverVulnerability . The Wi-Fi Alliance , a network of companies responsible for Wi-Fi , has responded to the disclosure Vulnerability-related.DiscoverVulnerability of the vulnerabilities . “ This issue can be resolved Vulnerability-related.PatchVulnerability through straightforward software updates , and the Wi-Fi industry , including major platform providers , has already started deploying Vulnerability-related.PatchVulnerability patches to Wi-Fi users , ” says a Wi-Fi Alliance spokesperson . “ Users can expect all their Wi-Fi devices , whether patched or unpatched Vulnerability-related.PatchVulnerability , to continue working well together. ” Apple also confirmed to both The Verge and AppleInsider that the vulnerability is patched Vulnerability-related.PatchVulnerability in a beta version of the current operating systems . The fix should go public Vulnerability-related.PatchVulnerability in a few weeks , so iOS and macOS devices are n't in the clear just yet . AppleInsider also reports that AirPort hardware , including the Time Machine , AirPort Extreme base station , and AirPort Express do not have a patch . The publication 's source also was n't sure if one was in the works .

THAT UN-PATCHABLE FLAW in the Nintendo Switch ? Yeah , the Japanese gaming firm has only gone and fixed Vulnerability-related.PatchVulnerability it , according to console hacker Michael . Michael , who goes by the Twitter handle @ SciresM , tweeted that it 's bad news for console hackers and Nintendo is pushing out Vulnerability-related.PatchVulnerability new console models with a fix that stops tech-savvy folks from messing around with the software that the hybrid games console can boot with . The flaw was thought to be un-patchable as it affected Vulnerability-related.DiscoverVulnerability the Nvidia Tegra X1 chip that sits at the heart of the console . But Nintendo hates piracy more than most games firms , and as such , will release new versions of the Switch that do n't have the silicon-level flaw in them . The patch involves using a system called ‘ iPatches ' which updates Vulnerability-related.PatchVulnerability parts of the code applying to the Tegra X1 's fuses which plugs Vulnerability-related.PatchVulnerability the boot hacking exploit . Current consoles out in the wild will still be vulnerable Vulnerability-related.DiscoverVulnerability due to the patch needing to be applied Vulnerability-related.PatchVulnerability at a hardware level , but new models wo n't be susceptible to the hack . But there 's a bit of an odd situation here , as the new consoles will come running 4.1.0 versions of the Switch firmware ; the latest Switch firmware is 5.1.0 . So while the new Switchers will come off the production line immune to the Tegra X1 exploit , they will still be vulnerable Vulnerability-related.DiscoverVulnerability to other hacking techniques . With this in mind , Michael advises that people keen to crack into their Switch consoles should not apply Vulnerability-related.PatchVulnerability any updates , as the older version of the console 's firmware is the easier it 's to hack . So while the un-patchable flaw may have been fixed Vulnerability-related.PatchVulnerability the current iteration of the Switch is still no un-hackable . Not that hacking the Switch is a good idea if you want to run pirated games , as Nintendo takes a very dim view of that and cracks down so hard on pirates that it 'll permanently ban any console caught with bootlegged software from its online network . With The Legend of Zelda : Breath of the Wild and Mario Odyssey alone there are tens of hours of gaming to be had on the Switch . let along all the stuff that 's incoming and the suite of indie titles the console supports . So if you desperately need to hack the Switch to play more games , perhaps it 's time to take a break from gaming and go out into the sun ; we hear the UK is lovely at the moment .

Microsoft 's patches for the Meltdown vulnerability have had a fatal flaw all these past months , according to Alex Ionescu , a security researcher with cyber-security firm Crowdstrike . Only patches for Windows 10 versions were affected Vulnerability-related.DiscoverVulnerability , the researcher wrote today in a tweet . Microsoft quietly fixed Vulnerability-related.PatchVulnerability the issue on Windows 10 Redstone 4 ( v1803 ) , also known as the April 2018 Update , released Vulnerability-related.PatchVulnerability on Monday . `` Welp , it turns out Vulnerability-related.PatchVulnerability the Meltdown patches for Windows 10 had a fatal flaw : calling NtCallEnclave returned back to user space with the full kernel page table directory , completely undermining the mitigation , '' Ionescu wrote . Microsoft issued Vulnerability-related.PatchVulnerability today an security update , but it was n't to backport the `` fixed '' Meltdown patches for older Windows 10 versions . Instead , the emergency update fixed Vulnerability-related.PatchVulnerability a vulnerability in the Windows Host Compute Service Shim ( hcsshim ) library ( CVE-2018-8115 ) that allows an attacker to remotely execute code on vulnerable systems . Microsoft classified Vulnerability-related.DiscoverVulnerability CVE-2018-8115 as a `` critical '' issues . A patched hcsshim file is available Vulnerability-related.PatchVulnerability for download from GitHub . `` We are aware and are working to provide Vulnerability-related.PatchVulnerability customers with an update , '' a Microsoft spokesperson told Bleeping Computer today in an email . It may be that if Microsoft does n't bundle these fixes in an out-of-band update , they will most likely arrive Vulnerability-related.PatchVulnerability in Microsoft 's May 2018 Patch Tuesday , but this is only our speculation . Microsoft released Vulnerability-related.PatchVulnerability its Meltdown and Spectre patches on January 4 , a day after security researchers disclosed Vulnerability-related.DiscoverVulnerability the two flaws , vulnerabilities that allow attackers to retrieve data from protected areas of modern CPUs . The Redmond-based OS maker has had a hard time patching Vulnerability-related.PatchVulnerability the two flaws , and the company recently issued Vulnerability-related.PatchVulnerability additional security updates to fix Vulnerability-related.PatchVulnerability the original Spectre mitigations , and also deliver Vulnerability-related.PatchVulnerability Intel CPU microcode updates , as a favor to Intel .

Microsoft 's patches for the Meltdown vulnerability have had a fatal flaw all these past months , according to Alex Ionescu , a security researcher with cyber-security firm Crowdstrike . Only patches for Windows 10 versions were affected Vulnerability-related.DiscoverVulnerability , the researcher wrote today in a tweet . Microsoft quietly fixed Vulnerability-related.PatchVulnerability the issue on Windows 10 Redstone 4 ( v1803 ) , also known as the April 2018 Update , released Vulnerability-related.PatchVulnerability on Monday . `` Welp , it turns out Vulnerability-related.PatchVulnerability the Meltdown patches for Windows 10 had a fatal flaw : calling NtCallEnclave returned back to user space with the full kernel page table directory , completely undermining the mitigation , '' Ionescu wrote . Microsoft issued Vulnerability-related.PatchVulnerability today an security update , but it was n't to backport the `` fixed '' Meltdown patches for older Windows 10 versions . Instead , the emergency update fixed Vulnerability-related.PatchVulnerability a vulnerability in the Windows Host Compute Service Shim ( hcsshim ) library ( CVE-2018-8115 ) that allows an attacker to remotely execute code on vulnerable systems . Microsoft classified Vulnerability-related.DiscoverVulnerability CVE-2018-8115 as a `` critical '' issues . A patched hcsshim file is available Vulnerability-related.PatchVulnerability for download from GitHub . `` We are aware and are working to provide Vulnerability-related.PatchVulnerability customers with an update , '' a Microsoft spokesperson told Bleeping Computer today in an email . It may be that if Microsoft does n't bundle these fixes in an out-of-band update , they will most likely arrive Vulnerability-related.PatchVulnerability in Microsoft 's May 2018 Patch Tuesday , but this is only our speculation . Microsoft released Vulnerability-related.PatchVulnerability its Meltdown and Spectre patches on January 4 , a day after security researchers disclosed Vulnerability-related.DiscoverVulnerability the two flaws , vulnerabilities that allow attackers to retrieve data from protected areas of modern CPUs . The Redmond-based OS maker has had a hard time patching Vulnerability-related.PatchVulnerability the two flaws , and the company recently issued Vulnerability-related.PatchVulnerability additional security updates to fix Vulnerability-related.PatchVulnerability the original Spectre mitigations , and also deliver Vulnerability-related.PatchVulnerability Intel CPU microcode updates , as a favor to Intel .

Mozilla released Vulnerability-related.PatchVulnerability nine fixes in its Wednesday launch of Firefox 62 for Windows , Mac and Android – including one for a critical glitch that could enable attackers to run arbitrary code . Overall , the latest version of the Firefox browser included Vulnerability-related.PatchVulnerability fixes for the critical issue , three high-severity flaws , two moderate problems and three low-severity vulnerabilities . Topping the list is a memory safety bug ( CVE-2018-12376 ) , discovered Vulnerability-related.DiscoverVulnerability by a number of Mozilla developers and community members . A critical impact bug means the vulnerability can be used to run attacker code and install software , requiring no user interaction beyond normal browsing , according to Mozilla . The memory safety problem , which exists in Vulnerability-related.DiscoverVulnerability Firefox 61 and Firefox ESR 60 , meets these criteria , researchers said Vulnerability-related.DiscoverVulnerability . Mozilla didn ’ t release further details , but it did assign one CVE Vulnerability-related.DiscoverVulnerability to represent multiple similar issues . In addition to the memory safety bug ( s ) , Mozilla also fixed Vulnerability-related.PatchVulnerability three high-severity vulnerabilities in its latest update . These include a use-after-free glitch in refresh driver timers ( CVE-2018-12377 ) , which power browser-page refreshes . Another high-severity bug ( CVE-2018-12378 ) is a use-after-free vulnerability that occurs Vulnerability-related.DiscoverVulnerability when an IndexedDB index ( a low-level API for client-side storage of significant amounts of structured data ) is deleted while still in use by JavaScript code providing payload values . “ This results in a potentially exploitable crash , ” the advisory said . Mozilla developers and community members also found Vulnerability-related.DiscoverVulnerability a memory-safety bug ( CVE-2018-12375 ) in Firefox 61 , which showed evidence of memory corruption and could be exploited Vulnerability-related.DiscoverVulnerability to run arbitrary code , according to the advisory . The moderate and low-severity fixes that were deployed Vulnerability-related.PatchVulnerability in Firefox 62 include patches for an out-of-bounds write flaw ( triggered when the Mozilla Updater opens a MAR format file that contains a very long item filename ) ; and a proxy bypass glitch in the browser ’ s proxy settings . Firefox 62 for desktop is available Vulnerability-related.PatchVulnerability for download on Mozilla ’ s website .

Struts bugs , Umbrella misconfig and router Guest accounts fixed Vulnerability-related.PatchVulnerability . Cisco has issued security alerts Vulnerability-related.DiscoverVulnerability for 30 vulnerabilities across a range of its products and services , with three being ranked Vulnerability-related.DiscoverVulnerability as critical and remotely exploitable . Some 20 different Cisco products contain Vulnerability-related.DiscoverVulnerability a vulnerable version of the Apache Struts 2 framework that is currently under active exploitation by miscreants dropping cryptocurrency miner malware on exposed systems . Of these , 18 are not vulnerable Vulnerability-related.DiscoverVulnerability to any exploitation vectors for the Struts flaw , Cisco said Vulnerability-related.DiscoverVulnerability . Five Cisco products , SocialMiner , Identity Services Engine , Finesse , Unified Contact Centre Enterprise and the Video Distribution Suite for Internet Streaming have received Vulnerability-related.PatchVulnerability patches for the Struts vulnerability . Cisco 's cloud-hosted Network Performance Analysis service is yet to get Vulnerability-related.PatchVulnerability a Struts update though . A critical flaw in the application programming interface ( API ) for Cisco 's cloud-based Umbrella allowed attackers to view and potentially modify data across multiple organisations using the secure internet gateway service . The vulnerability stems from insufficient authentication configurations for the Umbrella API , and has been patched Vulnerability-related.PatchVulnerability by Cisco with no user action required . Two high-impact vulnerabilities in the Umbrella Enterprise Roaming Client and Enterprise Roaming Module that could be exploited Vulnerability-related.DiscoverVulnerability by attackers to elevate user privileges to Administrator level have also been patched Vulnerability-related.PatchVulnerability by Cisco . A third critical vulnerability can be exploited Vulnerability-related.DiscoverVulnerability to run code remotely on the Cisco RV110W VPN firewall and RV130W and RV215W wireless VPN routers , or freeze the devices in denial of service attacks . Patches for the vulnerability address Vulnerability-related.PatchVulnerability an improper boundary restriction on input via the Guest user account in the devices ' web-based remote management interface , Cisco said . Cisco also patched Vulnerability-related.PatchVulnerability three high impact vulnerabilities in the above network devices , which could be exploited Vulnerability-related.DiscoverVulnerability to remotely execute arbitrary commands and read sensitive information on them . Of the thirty vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability , 13 are ranked Vulnerability-related.DiscoverVulnerability as high impact .

The two vulnerabilities are critical remote code execution flaws that exist in Vulnerability-related.DiscoverVulnerability Adobe Photoshop CC . Adobe hurried out Vulnerability-related.PatchVulnerability unscheduled patches today for two critical flaws that could enable remote code-execution in Photoshop CC . The patches impact Vulnerability-related.PatchVulnerability two memory corruption vulnerabilities in Adobe Photoshop products , including Photoshop CC 2018 ( v 19.1.6 ) and Photoshop CC 2017 ( v 18.1.6 ) , both for Windows and macOS . The release comes Vulnerability-related.PatchVulnerability only a week after the company fixed Vulnerability-related.PatchVulnerability a slew of glitches last Patch Tuesday . “ Adobe has released Vulnerability-related.PatchVulnerability updates for Photoshop CC for Windows and macOS , ” the company said in a Wednesday security bulletin . “ These updates resolve Vulnerability-related.PatchVulnerability critical vulnerabilities in Photoshop CC 19.1.5 and earlier 19.x versions , as well as 18.1.5 and earlier 18.x versions . Successful exploitation could lead to arbitrary code-execution in the context of the current user. ” Both vulnerabilities ( CVE-2018-12810 ) and ( CVE-2018-12811 ) are critical remote code-execution flaws , according to the advisory , but further details around both flaws are not available . Kushal Arvind Shah of Fortinet ’ s FortiGuard Labs was credited with reporting Vulnerability-related.DiscoverVulnerability the two flaws . Adobe said impacted users need to apply Vulnerability-related.PatchVulnerability the fixes to the affected versions of Photoshop by updating to version 19.1.6 ( via the applications ’ update mechanism ) . Last week , Adobe released Vulnerability-related.PatchVulnerability 11 total fixes for an array of products , including two critical patches for Acrobat and Reader for Windows and macOS . Exploitation of those two vulnerabilities could lead to arbitrary code execution in the context of the current user . Adobe said in an email that it is not aware of any exploits in the wild for the flaws . The update is a priority 3 in severity , meaning that it resolves vulnerabilities in a product that has historically not been a target for attackers , according to the company ’ s ranking system . In this case I would expect there may have been a disclosure deadline and the release did not make this month ’ s typical release cycle but needed to release before September ’ s release cycle . ”

Jann Horn , the Google Project Zero researcher who discovered Vulnerability-related.DiscoverVulnerability the Meltdown and Spectre CPU flaws , has a few words for maintainers of Ubuntu and Debian : raise your game on merging kernel security fixes , you 're leaving users exposed for weeks . Horn earlier this week released an `` ugly exploit '' for Ubuntu 18.04 , which `` takes about an hour to run before popping a root shell '' . The kernel bug is a cache invalidation flaw in Linux memory management that has been tagged as Vulnerability-related.DiscoverVulnerability CVE-2018-17182 , reported Vulnerability-related.DiscoverVulnerability to Linux kernel maintainers on September 12 . Linux founder Linus Torvalds fixed Vulnerability-related.PatchVulnerability it in his upstream kernel tree two weeks ago , an impressively fast single day after Horn reported Vulnerability-related.DiscoverVulnerability the issue . And within days it was also fixed Vulnerability-related.PatchVulnerability in the upstream stable kernel releases 4.18.9 , 4.14.71 , 4.9.128 , and 4.4.157 . There 's also a fix in release 3.16.58 . However , end users of Linux distributions are n't protected until each distribution merges the changes from upstream stable kernels , and then users install that updated release Vulnerability-related.PatchVulnerability . Between those two points , the issue also gets exposure on public Vulnerability-related.DiscoverVulnerability mailing lists , giving both Linux distributions and would-be attackers a chance to take action . `` The security issue was announced Vulnerability-related.DiscoverVulnerability on the oss-security mailing list on 2018-09-18 , with a CVE allocation on 2018-09-19 , making the need to ship new distribution kernels to users clearer , '' Horn wrote in a Project Zero post published Vulnerability-related.DiscoverVulnerability Wednesday . But as he noted , as of Wednesday , Debian stable and Ubuntu releases 16.04 and 18.04 had not fixed Vulnerability-related.PatchVulnerability the issue , with the latest kernel update occurring around a month earlier . This means there 's a gap of several weeks between the flaw being publicly disclosed Vulnerability-related.DiscoverVulnerability and fixes reaching end users . However , the Fedora project was a little faster , pushing Vulnerability-related.PatchVulnerability a fix to users on 22 September . Canonical , the UK company that maintains Ubuntu , has since responded to Horn 's blog , and says fixes `` should be released Vulnerability-related.PatchVulnerability `` around Monday , October 1 . This is unlikely to be the last kernel bug Project Zero researchers find , and unless Ubuntu and other Linux distributions get their act together on upstream kernel fixes , they can expect to be named and shamed again .

Jann Horn , the Google Project Zero researcher who discovered Vulnerability-related.DiscoverVulnerability the Meltdown and Spectre CPU flaws , has a few words for maintainers of Ubuntu and Debian : raise your game on merging kernel security fixes , you 're leaving users exposed for weeks . Horn earlier this week released an `` ugly exploit '' for Ubuntu 18.04 , which `` takes about an hour to run before popping a root shell '' . The kernel bug is a cache invalidation flaw in Linux memory management that has been tagged as Vulnerability-related.DiscoverVulnerability CVE-2018-17182 , reported Vulnerability-related.DiscoverVulnerability to Linux kernel maintainers on September 12 . Linux founder Linus Torvalds fixed Vulnerability-related.PatchVulnerability it in his upstream kernel tree two weeks ago , an impressively fast single day after Horn reported Vulnerability-related.DiscoverVulnerability the issue . And within days it was also fixed Vulnerability-related.PatchVulnerability in the upstream stable kernel releases 4.18.9 , 4.14.71 , 4.9.128 , and 4.4.157 . There 's also a fix in release 3.16.58 . However , end users of Linux distributions are n't protected until each distribution merges the changes from upstream stable kernels , and then users install that updated release Vulnerability-related.PatchVulnerability . Between those two points , the issue also gets exposure on public Vulnerability-related.DiscoverVulnerability mailing lists , giving both Linux distributions and would-be attackers a chance to take action . `` The security issue was announced Vulnerability-related.DiscoverVulnerability on the oss-security mailing list on 2018-09-18 , with a CVE allocation on 2018-09-19 , making the need to ship new distribution kernels to users clearer , '' Horn wrote in a Project Zero post published Vulnerability-related.DiscoverVulnerability Wednesday . But as he noted , as of Wednesday , Debian stable and Ubuntu releases 16.04 and 18.04 had not fixed Vulnerability-related.PatchVulnerability the issue , with the latest kernel update occurring around a month earlier . This means there 's a gap of several weeks between the flaw being publicly disclosed Vulnerability-related.DiscoverVulnerability and fixes reaching end users . However , the Fedora project was a little faster , pushing Vulnerability-related.PatchVulnerability a fix to users on 22 September . Canonical , the UK company that maintains Ubuntu , has since responded to Horn 's blog , and says fixes `` should be released Vulnerability-related.PatchVulnerability `` around Monday , October 1 . This is unlikely to be the last kernel bug Project Zero researchers find , and unless Ubuntu and other Linux distributions get their act together on upstream kernel fixes , they can expect to be named and shamed again .

It has not been a good week for PDF programs . We had an Adobe Acrobat & Reader update released Vulnerability-related.PatchVulnerability yesterday that fixed Vulnerability-related.PatchVulnerability 86 vulnerabilities , including numerous critical ones . Not to be beaten , an update for Foxit PDF Reader and Foxit PhantomPDF was released Vulnerability-related.PatchVulnerability last Friday that fixes Vulnerability-related.PatchVulnerability a whopping 116 vulnerabilities , with 18 of them being discovered Vulnerability-related.DiscoverVulnerability by the Cisco Talos group . All of the 18 vulnerabilities found Vulnerability-related.DiscoverVulnerability by Cisco Talos , as well as many others fixed Vulnerability-related.PatchVulnerability by this update , are labeled as critical because they could lead to code execution . This would allow attackers to create Attack.Phishing specially crafted web pages or PDFs that could exploit these vulnerabilities to execute commands or install malware on vulnerable computers . Of the 18 vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability by Cisco , 12 of them could be exploited Vulnerability-related.DiscoverVulnerability simply by visiting a web site when the Foxit PDF browser plugin is enabled . Foxit suggests that all users of Foxit PDF Reader and Foxit PhantomPDF upgrade Vulnerability-related.PatchVulnerability to version 9.3 to resolve Vulnerability-related.PatchVulnerability these vulnerabilities . Foxit PDF Reader 9.3 can be downloaded here and Foxit PhantomPDF can be downloaded here . It is strongly suggested that all users install this update . The full list of patched vulnerabilities is below and more information about who discovered Vulnerability-related.DiscoverVulnerability the vulnerabilities can be found Vulnerability-related.DiscoverVulnerability in Foxit 's security bulletin .

It has not been a good week for PDF programs . We had an Adobe Acrobat & Reader update released Vulnerability-related.PatchVulnerability yesterday that fixed Vulnerability-related.PatchVulnerability 86 vulnerabilities , including numerous critical ones . Not to be beaten , an update for Foxit PDF Reader and Foxit PhantomPDF was released Vulnerability-related.PatchVulnerability last Friday that fixes Vulnerability-related.PatchVulnerability a whopping 116 vulnerabilities , with 18 of them being discovered Vulnerability-related.DiscoverVulnerability by the Cisco Talos group . All of the 18 vulnerabilities found Vulnerability-related.DiscoverVulnerability by Cisco Talos , as well as many others fixed Vulnerability-related.PatchVulnerability by this update , are labeled as critical because they could lead to code execution . This would allow attackers to create Attack.Phishing specially crafted web pages or PDFs that could exploit these vulnerabilities to execute commands or install malware on vulnerable computers . Of the 18 vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability by Cisco , 12 of them could be exploited Vulnerability-related.DiscoverVulnerability simply by visiting a web site when the Foxit PDF browser plugin is enabled . Foxit suggests that all users of Foxit PDF Reader and Foxit PhantomPDF upgrade Vulnerability-related.PatchVulnerability to version 9.3 to resolve Vulnerability-related.PatchVulnerability these vulnerabilities . Foxit PDF Reader 9.3 can be downloaded here and Foxit PhantomPDF can be downloaded here . It is strongly suggested that all users install this update . The full list of patched vulnerabilities is below and more information about who discovered Vulnerability-related.DiscoverVulnerability the vulnerabilities can be found Vulnerability-related.DiscoverVulnerability in Foxit 's security bulletin .

Microsoft published earlier today the Patch Tuesday security bulletin for May 2018 , containing Vulnerability-related.PatchVulnerability fixes for 67 security issues . This month , Microsoft fixed Vulnerability-related.PatchVulnerability security flaws in Microsoft Windows , Internet Explorer , Microsoft Edge , ChakraCore , .NET Framework , Microsoft Exchange Server , Windows Host Compute Service Shim , and Microsoft Office and Microsoft Office Services and Web Apps . Microsoft patches Vulnerability-related.PatchVulnerability two zero-days The biggest issue patched Vulnerability-related.PatchVulnerability this month is a zero-day in Internet Explorer that has been abused by a cyber-espionage campaign earlier this month . The zero-day ( CVE-2018-8174 ) affects Vulnerability-related.DiscoverVulnerability not only IE but also any other projects that embed the IE web rendering engine . Microsoft credited researchers from both Qihoo 360 Core Security and Kaspersky Lab for discovering Vulnerability-related.DiscoverVulnerability this issue . The second zero-day is CVE-2018-8120 , an elevation-of-privilege vulnerability in the Win32k component . `` An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability this vulnerability could run arbitrary code in kernel mode . An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights , '' Microsoft says . But the flaw is not as dangerous as it sounds , as an attacker already needs a foothold on Windows systems to run his malicious code in the first place , to elevate his access rights . Microsoft also patched Vulnerability-related.PatchVulnerability CVE-2018-8141 ( Windows Kernel Information Disclosure Vulnerability ) and CVE-2018-8170 ( Windows Image Elevation of Privilege Vulnerability ) , for which exploitation details became public . Despite info about these two flaws being published Vulnerability-related.DiscoverVulnerability online , Microsoft says Vulnerability-related.DiscoverVulnerability none were exploited Vulnerability-related.DiscoverVulnerability in the wild . Flash fixes also included Last but not least , the Microsoft May 2018 Patch Tuesday also included a patch for an Adobe Flash Player vulnerability ( CVE-2018-4944 ) that Adobe patched Vulnerability-related.PatchVulnerability earlier today . Below is a table listing of all the security issues Microsoft fixed Vulnerability-related.PatchVulnerability this month . We used PowerShell and the Microsoft API to assemble the table below , but the report is much longer . We hosted the full report on GitHub , here .

Microsoft published earlier today the Patch Tuesday security bulletin for May 2018 , containing Vulnerability-related.PatchVulnerability fixes for 67 security issues . This month , Microsoft fixed Vulnerability-related.PatchVulnerability security flaws in Microsoft Windows , Internet Explorer , Microsoft Edge , ChakraCore , .NET Framework , Microsoft Exchange Server , Windows Host Compute Service Shim , and Microsoft Office and Microsoft Office Services and Web Apps . Microsoft patches Vulnerability-related.PatchVulnerability two zero-days The biggest issue patched Vulnerability-related.PatchVulnerability this month is a zero-day in Internet Explorer that has been abused by a cyber-espionage campaign earlier this month . The zero-day ( CVE-2018-8174 ) affects Vulnerability-related.DiscoverVulnerability not only IE but also any other projects that embed the IE web rendering engine . Microsoft credited researchers from both Qihoo 360 Core Security and Kaspersky Lab for discovering Vulnerability-related.DiscoverVulnerability this issue . The second zero-day is CVE-2018-8120 , an elevation-of-privilege vulnerability in the Win32k component . `` An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability this vulnerability could run arbitrary code in kernel mode . An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights , '' Microsoft says . But the flaw is not as dangerous as it sounds , as an attacker already needs a foothold on Windows systems to run his malicious code in the first place , to elevate his access rights . Microsoft also patched Vulnerability-related.PatchVulnerability CVE-2018-8141 ( Windows Kernel Information Disclosure Vulnerability ) and CVE-2018-8170 ( Windows Image Elevation of Privilege Vulnerability ) , for which exploitation details became public . Despite info about these two flaws being published Vulnerability-related.DiscoverVulnerability online , Microsoft says Vulnerability-related.DiscoverVulnerability none were exploited Vulnerability-related.DiscoverVulnerability in the wild . Flash fixes also included Last but not least , the Microsoft May 2018 Patch Tuesday also included a patch for an Adobe Flash Player vulnerability ( CVE-2018-4944 ) that Adobe patched Vulnerability-related.PatchVulnerability earlier today . Below is a table listing of all the security issues Microsoft fixed Vulnerability-related.PatchVulnerability this month . We used PowerShell and the Microsoft API to assemble the table below , but the report is much longer . We hosted the full report on GitHub , here .

Git has disclosed Vulnerability-related.DiscoverVulnerability a security vulnerability that allows for arbitrary code execution in malicious repositories , Microsoft reports . The vulnerability , CVE-2018-11235 , was addressed Vulnerability-related.PatchVulnerability and fixed Vulnerability-related.PatchVulnerability in Git 2.17.1 and Git for Windows 2.17.1 ( 2 ) , which were both released Vulnerability-related.PatchVulnerability today . In addition , the Visual Studio Team Services ( VSTS ) team has blocked malicious repositories from being pushed to VSTS to ensure that Visual Studio can not be used as a vector for transmitting malicious repositories to clients who have not yet patched Vulnerability-related.PatchVulnerability their clients . The vulnerability is caused when repositories are cloned . When cloning a repository , Git checks out the parent repository into the working directory as it prepares to clone the submodule . Then , Git realizes that it does not need to perform the clone of submodule because the submodule ’ s repository already exists on the disk from when it was checked in to the parent , and then was written to the working directory when the parent repository was checked out . According to Microsoft , the problem lies in the fact that when Git repositories are cloned , there are important configuration details not obtained from the server , such as hooks , which are scripts that can be run at certain points in the Git workflow . The configuration is not cloned from a remote server because that would lead to a vulnerability where remote servers could provide code that would be executed on the end user ’ s computer . Unfortunately , with the new vulnerability , that is exactly what happens , Microsoft explained . Because the submodule ’ s repository is checked in to a parent repository , it is not actually cloned . Therefore , the submodule repository can already have a hook configured . Additionally , if a user recursively cloned a malicious parent repository , it first checks out the parent , reads the submodule ’ s checked-in repository and prepares to write that submodule to the working directory , then it executes post-checkout hooks , Microsoft explained . In order to eliminate this vulnerability , submodule ’ s folder names are examined more closely by Git clients . Now , submodule folder names can no longer contain “ .. ” as a path segment and they can not be symbolic links . As a result , they now will have to be within the .git repository folder instead of in the actual repository ’ s working directory . According to Microsoft , Git now refuses to work with repositories that do not follow this newly specified configuration . Visual Studio Team Services and other hosting providers will also reject users from pushing repositories that do not adhere to this submodule configuration to protect clients that have not been patched Vulnerability-related.PatchVulnerability yet .

The Bitcoin Core developers recently fixed Vulnerability-related.PatchVulnerability a major vulnerability in the Bitcoin ( BTC ) network ’ s ( client ) codebase . Explaining the potentially serious nature of the software bug , which is tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-17144 and classified as a denial-of-service ( DoS ) attack , Casaba Security co-founder Jason Glassberg said Vulnerability-related.DiscoverVulnerability : “ [ It ] can take down the network. ” Glassberg also told Vulnerability-related.DiscoverVulnerability ZDNet the vulnerability in the Bitcoin Core codebase “ would [ have ] affected transactions in the sense that they can not be completed , but does not appear to open up a way to steal or manipulate wallets. ” Denial-of-Service ( DoS ) , 51 % Attacks The Bitcoin Core client software is used by BTC miners to validate transactions on the cryptocurrency ’ s blockchain and the recent vulnerability found Vulnerability-related.DiscoverVulnerability in its source code could have been used to intentionally crash bitcoin ’ s full-node operators . Although not logistically feasible , this particular software bug could have been remotely exploited Vulnerability-related.DiscoverVulnerability by an attacker to launch a 51 % attack in which one entity controls the majority of the hashing ( or computing ) power of a cryptocurrency network . Advisory Notice , Critical Patch Released Vulnerability-related.PatchVulnerability In most cases , a bad actor has orchestrated a 51 % attack in order to manipulate transactions on a cryptocurrency ’ s blockchain for financial gains . At present , it would cost approximately $ 490,000 to launch such an attack ( for 1 hour ) on the Bitcoin network , according to Crypto51 . However , if the recent Bitcoin Core software bug had not been patched Vulnerability-related.PatchVulnerability , a bad actor could have initiated a 51 % attack on the cryptocurrency ’ s network at a considerably lower cost . The Bitcoin Core developers posted Vulnerability-related.DiscoverVulnerability an advisory notice ( on September 19th ) regarding this DoS vulnerability . Users of Bitcoin Core have been instructed to upgrade Vulnerability-related.PatchVulnerability to version 0.16.3 of the software . Previous versions ( 0.14.0 to 0.16.3 ) of the client contain the DoS vulnerability . Bitcoin Knots , one of at least 96 bitcoin forks to date , was considered vulnerable Vulnerability-related.DiscoverVulnerability as well and its client software was patched Vulnerability-related.PatchVulnerability . `` Copycat '' Cryptos Are At Risk Notably , the CVE-2018-17144 vulnerability could have also affected Vulnerability-related.DiscoverVulnerability the litecoin ( LTC ) network but its client has received Vulnerability-related.PatchVulnerability a patch . Commenting on the serious nature of these software bugs , Cornell computer science professor Emin Gün Sirer said Vulnerability-related.DiscoverVulnerability : “ Copycat currencies are at risk ” - meaning that all bitcoin forks are vulnerable Vulnerability-related.DiscoverVulnerability to the attack . The Turkish-American cryptographer , who identified Vulnerability-related.DiscoverVulnerability critical vulnerabilities in Ethereum ’ s codebase before its network was hit with the DAO attack , was referring to all the currently 69 active bitcoin forks that could still be exploited Vulnerability-related.DiscoverVulnerability with a 51 % attack as their clients might still not have received Vulnerability-related.PatchVulnerability a patch and are not as secure as bitcoin network due to their smaller size . In fact , Crypto51 has estimated it would only cost $ 122 to launch a 51 % attack on the Bitcoin Private ( BTCP ) network . However , this estimate has not been confirmed by another source .

Adobe 's scheduled October update for its Acrobat and Reader PDF software addresses Vulnerability-related.PatchVulnerability 85 vulnerabilities , including dozens of critical flaws that allow arbitrary code execution . The patches also address Vulnerability-related.PatchVulnerability multiple privilege-escalation and information-disclosure flaws , shoring up Adobe 's PDF software further following a patch for a critical Acrobat and Reader flaw plugged Vulnerability-related.PatchVulnerability two weeks ago . The bugs affect Vulnerability-related.DiscoverVulnerability Acrobat DC and Reader versions 2018.011.20063 and earlier from Adobe 's continuous track , Acrobat 2017 and Acrobat Reader 2017 2017.011.30102 , and Acrobat DC and Reader DC versions 2015.006.30452 and earlier from Adobe 's classic 2015 track . The flaws affect Vulnerability-related.DiscoverVulnerability the software running on Windows and macOS systems . This update Vulnerability-related.PatchVulnerability is the largest set of fixes Adobe 's PDF software since it swatted Vulnerability-related.PatchVulnerability 105 vulnerabilities in July . However , fortunately the company says it is not currently aware Vulnerability-related.DiscoverVulnerability of any exploits in the wild for bugs fixed Vulnerability-related.PatchVulnerability in this update Vulnerability-related.PatchVulnerability . Users and admins nonetheless should install fixed versions , according to Adobe , because if an attacker developed an exploit it could lead to arbitrary code execution in the context of the current user because the software is sandboxed . Since PDFs are still widely used in the enterprise , hackers continue to develop new techniques to break the sandbox by combining PDF attacks with operating system flaws . This happened earlier this year , prompting a warning Vulnerability-related.DiscoverVulnerability from Adobe in May after it was informed Vulnerability-related.DiscoverVulnerability by researchers at ESET and Microsoft that they 'd discovered Vulnerability-related.DiscoverVulnerability a malicious PDF using a zero-day remote code execution flaw in Reader with a sandbox-busting Windows privilege escalation flaw . Adobe credits researchers from Qihoo 360 , Cisco Talos , Beihang University , Palo Alto Networks , and Check Point for reporting Vulnerability-related.DiscoverVulnerability flaws patched Vulnerability-related.PatchVulnerability in the October update . Check Point researcher Omri Herscovici was responsible for reporting Vulnerability-related.DiscoverVulnerability 35 of this month 's bugs , all of which were information disclosure flaws .