fresh `` microcode revision guidance '' that reveals it won ’ t addressVulnerability-related.PatchVulnerabilitythe Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it 's too tricky to remove the Spectre v2 class of vulnerabilities . The new guidance , issued April 2 , adds a “ stopped ” status to Intel ’ s “ production status ” category in its array of available Meltdown and Spectre security updates . `` Stopped '' indicates there will be no microcode patch to kill offVulnerability-related.PatchVulnerabilityMeltdown and Spectre . The guidance explains that a chipset earns “ stopped ” status because , “ after a comprehensive investigation of the microarchitectures and microcode capabilities for these products , Intel has determined to not releaseVulnerability-related.PatchVulnerabilitymicrocode updates for these products for one or more reasons. ” Those reasons are given as : Micro-architectural characteristics that preclude a practical implementation of features mitigatingVulnerability-related.PatchVulnerability[ Spectre ] Variant 2 ( CVE-2017-5715 ) Limited Commercially Available System Software support Based on customer inputs , most of these products are implemented as “ closed systems ” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities . Thus , if a chip family falls under one of those categories – such as Intel ca n't easily fixVulnerability-related.PatchVulnerabilitySpectre v2 in the design , or customers do n't think the hardware will be exploitedVulnerability-related.DiscoverVulnerability– it gets a `` stopped '' sticker . To leverage the vulnerabilities , malware needs to be running on a system , so if the computer is totally closed off from the outside world , administrators may feel it 's not worth the hassle applying messy microcode , operating system , or application updates . `` Stopped '' CPUs that won ’ t therefore getVulnerability-related.PatchVulnerabilitya fix are in the Bloomfield , Bloomfield Xeon , Clarksfield , Gulftown , Harpertown Xeon C0 and E0 , Jasper Forest , Penryn/QC , SoFIA 3GR , Wolfdale , Wolfdale Xeon , Yorkfield , and Yorkfield Xeon families . The new list includes various Xeons , Core CPUs , Pentiums , Celerons , and Atoms – just about everything Intel makes . Most the CPUs listed above are oldies that went on sale between 2007 and 2011 , so it is likely few remain in normal use . There ’ s some good news in the tweaked guidance : the Arrandale , Clarkdale , Lynnfield , Nehalem , and Westmere families that were previously un-patchedVulnerability-related.PatchVulnerabilitynow have working fixes availableVulnerability-related.PatchVulnerabilityin production , apparently . “ We ’ ve now completed releaseVulnerability-related.PatchVulnerabilityof microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discoveredVulnerability-related.DiscoverVulnerabilityby Google Project Zero , '' an Intel spokesperson told The Reg . `` However , as indicated in our latest microcode revision guidance , we will not be providingVulnerability-related.PatchVulnerabilityupdated microcode for a select number of older platforms for several reasons , including limited ecosystem support and customer feedback. ” Now all Intel has to do is sort out a bunch of lawsuits , make sure future products don ’ t have similar problems , combat a revved-up-and-righteous AMD and Qualcomm in the data centre , find a way to get PC buyers interested in new kit again , and make sure it doesn ’ t flub emerging markets like IoT and 5G like it flubbed the billion-a-year mobile CPU market .
Merely a day after rolling outVulnerability-related.PatchVulnerabilitythe December 2018 security patch early , Samsung has now revealedVulnerability-related.PatchVulnerabilitythe details of the latest security maintenance release . The Galaxy Xcover 4 is the first smartphone to getVulnerability-related.PatchVulnerabilitythis update . Samsung will be releasingVulnerability-related.PatchVulnerabilitythe patch for more compatible devices in the coming weeks . It has detailed the contents of this patch as part of its monthly security maintenance release process . The update includes patches from Google for Android in addition to patches from Samsung for its custom software . The December 2018 security patch has fixes for six critical vulnerabilities discoveredVulnerability-related.DiscoverVulnerabilityin the Android operating system . The most severe vulnerability in the framework section could enable a malicious app to run unapproved code in the context of a privileged process . However , no moderate or low-risk vulnerabilities were required to be patchedVulnerability-related.PatchVulnerabilityin this latest security maintenance release . The updateVulnerability-related.PatchVulnerabilitydoes bringVulnerability-related.PatchVulnerabilityquite a patches for 40 Samsung Vulnerabilities and Exposures ( SVE ) items . This includes a vulnerability in the Secure Folder app which could have allowed access without authentication . Another vulnerability in the app could have resulted in the exposure of the gallery app without authentication . Therefore , Samsung will now get down to the business of rolling outVulnerability-related.PatchVulnerabilitythe December 2018 security patch to supported devices . We should expect some handsets to start receiving it within the next few days . The company may start rolling it out to high-end devices first .
Oracle has releasedVulnerability-related.PatchVulnerabilitya wide-ranging security update to addressVulnerability-related.PatchVulnerabilitymore than 300 CVE-listed vulnerabilities in its various enterprise products . The October release covers the gamut of Oracle 's offerings , including its flagship Database , E-Business Suite , and Fusion Middleware packages . For Database , the update addressesVulnerability-related.PatchVulnerabilitya total of three flaws . Two of the vulnerabilities ( CVE-2018-3259 and CVE-2018-3299 ) can be remotely exploitedVulnerability-related.DiscoverVulnerabilitywithout authentication , while the third , CVE-2018-7489 , would require the user to have a Rapid Home Provisioning account to execute and is considered by far the least severe of the three . Oracle notedVulnerability-related.DiscoverVulnerabilitythat all three bugs only impactVulnerability-related.DiscoverVulnerabilitythe server versions of Database , user clients are not considered to be vulnerableVulnerability-related.DiscoverVulnerability. For Fusion Middleware , the update will include a total of 56 CVE-listed flaws , including 12 that are remotely exploitable with CVSS base scores of 9.8 , meaning an exploit would be fairly easy to pull off and offer near total control of the target machine . Of those 12 , five were for critical flaws in WebLogic Server . Java SE will getVulnerability-related.PatchVulnerability12 security fixes , with all but one being for remotely exploitable vulnerabilities in that platform . Oracle notesVulnerability-related.DiscoverVulnerabilitythat though the CVSS scores for the flaws are fairly high , Solaris and Linux machines running software with lower user privileges will be considered to be at a lower risk than Windows environments that typically operate with admin privileges . MySQL was the target of 38 CVE-listed bug fixes this month , through just three of those are remotely exploitable . The two most serious , CVE-2018-11776 and CVE-2018-8014 , concern remote code flaws in MySQL Enterprise Monitor . PeopleSoft will see 24 bug fixes , 21 of which can be remotely targeted and seven that would not require any user interaction . Just one of the 24 flaws was given a CVSS base score higher than 7.2. in the Oracle listing . Sun products were the subject of 19 security fixes , including two remote code execution flaws in XCP Firmware . libssh bug more like `` oh SSH… '' Once admins getVulnerability-related.PatchVulnerabilitythe Oracle patches in place , they will want to take a close look at the write-up for CVE-2018-10933 , an authentication bypass for libssh that would allow an attacker to get into a target machine by sending a `` SSH2_MSG_USERAUTH_SUCCESS '' message when it expects a `` SSH2_MSG_USERAUTH_REQUEST '' message . That means any miscreant can log in without a password or other credential . As you can imagine , this is a very bad thing . Fortunately , the bug does not affect OpenSSH – and thus does not affect the hugely widespread sshd and ssh tools – but rather applications , such as KDE and XMBC , that use libssh as a dependency .
After scrambling to patchVulnerability-related.PatchVulnerabilitya critical vulnerability late last month , Drupal is at it again . The open source content management project has issuedVulnerability-related.PatchVulnerabilityan unscheduled security update to augment its previous patch for Drupalgeddon2 . There was also a cross-site scripting bug advisory in mid-April . The latest Drupal core vulnerability , designatedVulnerability-related.DiscoverVulnerability, SA-CORE-2018-004 and assignedVulnerability-related.DiscoverVulnerabilityCVE-2018-7602 , is related to the March SA-CORE-2018-002 flaw ( CVE-2018-7600 ) , according to the Drupal security team . It can be exploitedVulnerability-related.DiscoverVulnerabilityto take over a website 's server , and allow miscreants to steal information or alter pages . `` It is a remote code execution vulnerability , '' explained a member of the Drupal security team in an email to The Register . `` No more technical details beyond that are available . '' The vulnerability affectsVulnerability-related.DiscoverVulnerabilityat least Drupal 7.x and Drupal 8.x . And a similar issue has been foundVulnerability-related.DiscoverVulnerabilityin the Drupal Media module . In a blog post from earlier this month about the March patch , Dries Buytaert , founder of the Drupal project , observedVulnerability-related.DiscoverVulnerabilitythat all software has security issues and critical security bugs are rare . While the March bug is being actively exploitedVulnerability-related.DiscoverVulnerability, the Drupal security team says it 's unaware of any exploitation of the latest vulnerability . But it wo n't be long – those maintaining the project observed automated attacks appearing about two weeks after the SA-CORE-2018-002 notice . The fix is to upgradeVulnerability-related.PatchVulnerabilityto the most recent version of Drupal 7 or 8 core . The latest code can be found at Drupal 's website . For those running 7.x , that means upgrading to Drupal 7.59 . For those running , 8.5.x , the latest version if 8.5.3 . And for those still on 8.4.x , there 's an upgrade to 8.4.8 , despite the fact that as an unsupported minor release , the 8.4.x line would not normally getVulnerability-related.PatchVulnerabilitysecurity updates . And finally , if you 're still on Drupal 6 , which is no longer officially supported , unofficial patches are being developedVulnerability-related.PatchVulnerabilityhere . Drupal users appear to be taking the release in stride , though with a bit of grumbling . `` Drupal Wednesday looks like the new Windows patch day , '' quipped designer Tom Binroth via Twitter . `` I would rather spend my time on creating new stuff than patchingVulnerability-related.PatchVulnerabilityDrupal core sites . ''
A broad array of Android phones are vulnerableVulnerability-related.DiscoverVulnerabilityto attacks that use booby-trapped Wi-Fi signals to achieve full device takeover , a researcher has demonstratedVulnerability-related.DiscoverVulnerability. The vulnerability resides inVulnerability-related.DiscoverVulnerabilitya widely used Wi-Fi chipset manufactured by Broadcom and used in both iOS and Android devices . Apple patchedVulnerability-related.PatchVulnerabilitythe vulnerability with Monday 's releaseVulnerability-related.PatchVulnerabilityof iOS 10.3.1 . `` An attacker within range may be able to execute arbitrary code on the Wi-Fi chip , '' Apple 's accompanying advisory warnedVulnerability-related.DiscoverVulnerability. In a highly detailed blog post publishedVulnerability-related.DiscoverVulnerabilityTuesday , the Google Project Zero researcher who discoveredVulnerability-related.DiscoverVulnerabilitythe flaw saidVulnerability-related.DiscoverVulnerabilityit allowed the execution of malicious code on a fully updated 6P `` by Wi-Fi proximity alone , requiring no user interaction . '' Google is in the process of releasingVulnerability-related.PatchVulnerabilityan update in its April security bulletin . The fix is availableVulnerability-related.PatchVulnerabilityonly to a select number of device models , and even then it can take two weeks or more to be available as an over-the-air update to those who are eligible . Company representatives did n't respond to an e-mail seeking comment for this post . The proof-of-concept exploit developed by Project Zero researcher Gal Beniamini uses Wi-Fi frames that contain irregular values . The values , in turn , cause the firmware running on Broadcom 's wireless system-on-chip to overflow its stack . By using the frames to target timers responsible for carrying out regularly occurring events such as performing scans for adjacent networks , Beniamini managed to overwrite specific regions of device memory with arbitrary shellcode . Beniamini 's code does nothing more than write a benign value to a specific memory address . Attackers could obviously exploit the same series of flaws to surreptitiously execute malicious code on vulnerable devices within range of a rogue access point . Besides the specific stack overflow bugs exploitedVulnerability-related.DiscoverVulnerabilityby the proof-of-concept attack , Beniamini saidVulnerability-related.DiscoverVulnerabilitya lack of security protections built into many software and hardware platforms made the Broadcom chipset a prime target . `` We ’ ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex , it still lags behind in terms of security , '' he wrote . `` Specifically , it lacks all basic exploit mitigations—including stack cookies , safe unlinking and access permission protection ( by means of [ a memory protection unit . ] ) '' The Broadcom chipset contains an MPU , but the researcher found that it 's implemented in a way that effectively makes all memory readable , writeable , and executable . `` We can conveniently execute our code directly from the heap . '' He said that Broadcom has informed him that newer versions of the chipset implement the MPU more effectively and also add unspecified additional security mechanisms . Given the severity of the vulnerability , people with affectedVulnerability-related.DiscoverVulnerabilitydevices should installVulnerability-related.PatchVulnerabilitya patch as soon as it 's available . For those with vulnerable iPhones , that 's easy enough . As is all too often the case for Android users , there 's no easy way to getVulnerability-related.PatchVulnerabilitya fix immediately , if at all . That 's because Google continues to stagger the releaseVulnerability-related.PatchVulnerabilityof its monthly patch bundle for the minority of devices that are eligible to receive it . At the moment , it 's not clear if there are effective workarounds available for vulnerable devices . Turning off Wi-Fi is one possibility , but as revealed in recent research into an unrelated Wi-Fi-related weakness involving Android phones , devices often relay Wi-Fi frames even when Wi-Fi is turned off