Technology companies are starting to respond to a new Wi-Fi exploit affecting Vulnerability-related.DiscoverVulnerability all modern Wi-Fi networks using WPA or WPA2 encryption . The security vulnerabilities allow attackers to read Wi-Fi traffic between devices and wireless access points , and in some cases even modify it to inject malware into websites . Security researchers claim Vulnerability-related.DiscoverVulnerability devices running macOS , Windows , iOS , Android , and Linux will be affected Vulnerability-related.DiscoverVulnerability by the vulnerabilities . Microsoft says it has already fixed Vulnerability-related.PatchVulnerability the problem for customers running supported versions of Windows . “ We have released Vulnerability-related.PatchVulnerability a security update to address Vulnerability-related.PatchVulnerability this issue , ” says a Microsoft spokesperson in a statement to The Verge . “ Customers who apply Vulnerability-related.PatchVulnerability the update , or have automatic updates enabled , will be protected . We continue to encourage customers to turn on automatic updates to help ensure they are protected. ” Microsoft says the Windows updates released Vulnerability-related.PatchVulnerability on October 10th protect customers , and the company “ withheld disclosure Vulnerability-related.DiscoverVulnerability until other vendors could develop and release Vulnerability-related.PatchVulnerability updates. ” While it looks like Android and Linux devices are affected Vulnerability-related.DiscoverVulnerability by the worst part of the vulnerabilities , allowing attackers to manipulate websites , Google has promised Vulnerability-related.PatchVulnerability a fix for affected devices “ in the coming weeks. ” Google ’ s own Pixel devices will be the first to receive Vulnerability-related.PatchVulnerability fixes with security patch level of November 6 , 2017 , but most other handsets are still well behind even the latest updates . Security researchers claim Vulnerability-related.DiscoverVulnerability 41 percent of Android devices are vulnerable Vulnerability-related.DiscoverVulnerability to an “ exceptionally devastating ” variant of the Wi-Fi attack that involves manipulating traffic , and it will take time to patch Vulnerability-related.PatchVulnerability older devices . The Verge has reached out to a variety of Android phone makers to clarify when security patches will reach Vulnerability-related.PatchVulnerability handsets , and we ’ ll update you accordingly . At the time of writing , Apple has not yet clarified Vulnerability-related.DiscoverVulnerability whether the latest versions of macOS and iOS are vulnerable Vulnerability-related.DiscoverVulnerability . The Wi-Fi Alliance , a network of companies responsible for Wi-Fi , has responded to the disclosure Vulnerability-related.DiscoverVulnerability of the vulnerabilities . “ This issue can be resolved Vulnerability-related.PatchVulnerability through straightforward software updates , and the Wi-Fi industry , including major platform providers , has already started deploying Vulnerability-related.PatchVulnerability patches to Wi-Fi users , ” says a Wi-Fi Alliance spokesperson . “ Users can expect all their Wi-Fi devices , whether patched or unpatched Vulnerability-related.PatchVulnerability , to continue working well together. ” Apple also confirmed to both The Verge and AppleInsider that the vulnerability is patched Vulnerability-related.PatchVulnerability in a beta version of the current operating systems . The fix should go public Vulnerability-related.PatchVulnerability in a few weeks , so iOS and macOS devices are n't in the clear just yet . AppleInsider also reports that AirPort hardware , including the Time Machine , AirPort Extreme base station , and AirPort Express do not have a patch . The publication 's source also was n't sure if one was in the works .

The chipmaker says the patches will arrive Vulnerability-related.PatchVulnerability within a few weeks and AMD device owners shouldn ’ t worry about the reported flaws Vulnerability-related.DiscoverVulnerability . AMD is addressing Vulnerability-related.PatchVulnerability several vulnerabilities discovered Vulnerability-related.DiscoverVulnerability in its Ryzen and EPYC chips , and rolling out Vulnerability-related.PatchVulnerability updates for millions of devices `` in the coming weeks . '' The 13 vulnerabilities came to public Vulnerability-related.DiscoverVulnerability attention clouded in controversy . The security company CTS Labs gave AMD less than 24 hours notice before releasing the information to the public . Standard vulnerability disclosure Vulnerability-related.DiscoverVulnerability practices call for giving companies at least 90 days ' notice so they can fix Vulnerability-related.PatchVulnerability the flaws before researchers go public Vulnerability-related.DiscoverVulnerability and hackers can start causing trouble . Had CTS Labs given AMD that same courtesy , the issues would have been addressed Vulnerability-related.PatchVulnerability within a week of the notification . `` Each of the issues cited can be mitigated Vulnerability-related.PatchVulnerability through firmware patches and a standard BIOS update , which we plan to release Vulnerability-related.PatchVulnerability in the coming weeks , '' said Sarah Youngbauer , AMD 's senior spokeswoman . `` We believe this provides a good example of why the more standard 90-day notification window for such notifications exist . '' In the original vulnerability report Vulnerability-related.DiscoverVulnerability , CTS Labs said that it would take `` several months '' to fix Vulnerability-related.PatchVulnerability the issues and that some hardware flaws `` cannot be fixed Vulnerability-related.PatchVulnerability . '' AMD disagreed with that timeline , and said it would provide more information in several weeks . The chipmaker said the issues were not with its hardware , but with firmware , or software that 's embedded in hardware . It 'll be sending Vulnerability-related.PatchVulnerability fixes for all 13 vulnerabilities through patches and BIOS updates . According to AMD 's technical assessment , each of the flaws required administrative access . `` Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research , '' Papermaster said in a statement . Critics also took issue with another aspect of the CTS Labs report , pointing out the legal disclaimer on the company 's website : `` You are advised that we may have , either directly or indirectly , an economic interest in the performance of the securities of the companies whose products are the subject of our reports . '' Last Wednesday , CTS Labs ' chief financial officer and co-founder , Yaron Luk-Zilberman , a former hedge fund manager , said it did n't have `` any investment ( long or short ) in Intel or AMD . ''

A WhatsApp security vulnerability could allow attackers to crash the iOS app as soon as you answer a call , and could potentially be used to hack your iPhone … The Register reports Vulnerability-related.DiscoverVulnerability that the flaw was reported Vulnerability-related.DiscoverVulnerability to WhatsApp in August , and has been patched Vulnerability-related.PatchVulnerability in the latest version – so you ’ ll want to check for an update . Google Project Zero whizkid and Tamagotchi whisperer Natalie Silvanovich discovered and reported Vulnerability-related.DiscoverVulnerability the flaw , a memory heap overflow issue , directly to WhatsApp in August . Now that a fix is out Vulnerability-related.PatchVulnerability , Silvanovich can go public Vulnerability-related.DiscoverVulnerability with details on the potentially serious flaw . According to Silvanovich’s report Vulnerability-related.DiscoverVulnerability , the bug is triggered when a user receives a malformed RTP packet , triggering the corruption error and crashing the application . In practice , the malformed packet that triggers the crash could be sent via a simple call request . “ This issue can occur when a WhatsApp user accepts a call from a malicious peer , ” Silvanovich explained . It ’ s not clear whether the WhatsApp security flaw could be exploited Vulnerability-related.DiscoverVulnerability for remote code execution , but this is a possibility , and a sufficient risk for a fellow Google researcher to describe Vulnerability-related.DiscoverVulnerability it as ‘ a big deal. ’ “ This is a big deal , ” tweeted Travis Ormandy . “ Just answering a call from an attacker could completely compromise WhatsApp. ” The same vulnerability was present in Vulnerability-related.DiscoverVulnerability the Android app , which has also been patched Vulnerability-related.PatchVulnerability . The Register says it is still waiting to hear from Google on more details , for example whether the desktop app is similarly affected Vulnerability-related.DiscoverVulnerability . It ’ s not the first time of late that a WhatsApp security issue has been identified Vulnerability-related.DiscoverVulnerability . Back in August , it was discovered Vulnerability-related.DiscoverVulnerability that it was possible for an attacker to change both the content and the sender of a WhatsApp message after you ’ ve received it .

An unpatched vulnerability in the Magento e-commerce platform could allow hackers to upload and execute malicious code on web servers that host online shops . The flaw was discovered Vulnerability-related.DiscoverVulnerability by researchers from security consultancy DefenseCode and is located in Vulnerability-related.DiscoverVulnerability a feature that retrieves preview images for videos hosted on Vimeo . Such videos can be added to product listings in Magento . The DefenseCode researchers determined that if the image URL points to a different file , for example a PHP script , Magento will download the file in order to validate it . If the file is not an image , the platform will return a `` Disallowed file type '' error , but wo n't actually remove it from the server . An attacker with access to exploit this flaw could achieve remote code execution by first tricking Magento to download an .htaccess configuration file that enables PHP execution inside the download directory and then downloading the malicious PHP file itself . Once on the server , the PHP script can act as a backdoor and can be accessed from an external location by pointing the browser to it . For example , attackers could use it to browse the server directories and read the database password from Magento 's configuration file . This can expose customer information stored in the database , which in the case of online shops , can be very sensitive . The only limitation is that this vulnerability can not be exploited Vulnerability-related.DiscoverVulnerability directly because the video-linking functionality requires authentication . This means attackers need to have access to an account on the targeted website , but this can be a lower-privileged user and not necessarily an administrator . The authentication obstacle can also be easily overcome if the website does n't have the `` Add Secret Key to URLs '' option turned on . This option is intended to prevent cross-site request forgery ( CSRF ) attacks and is enabled by default . CSRF is an attack technique that involves forcing a user ’ s browser to perform an unauthorized request on a website when visiting a different one . `` The attack can be constructed as simple as < img src=… in an email or a public message board , which will automatically trigger the arbitrary file upload if a user is currently logged into Magento , '' the DefenseCode researchers said in an advisory . `` An attacker can also entice the user to open a CSRF link using social engineering . '' This means that by simply clicking on a link in an email or by visiting a specifically crafted web page , users who have active Magento sessions in their browser might have their accounts abused to compromise websites . The DefenseCode researchers claim Vulnerability-related.DiscoverVulnerability that they 've reported Vulnerability-related.DiscoverVulnerability these issues to the Magento developers back in November , but received no information regarding patching plans Vulnerability-related.PatchVulnerability since then . Several versions of the Magento Community Edition ( CE ) have been released since November , the most recent one being 2.1.6 on Tuesday . According to DefenseCode , all Magento CE versions continue to be vulnerable Vulnerability-related.DiscoverVulnerability , which is what prompted them to go public Vulnerability-related.DiscoverVulnerability about the flaw . “ We have been actively investigating Vulnerability-related.DiscoverVulnerability the root cause of the reported issue and are not aware of any attacks in the wild , ” Magento , the company that oversees development of the e-commerce platform , said in an emailed statement . “ We will be addressing Vulnerability-related.PatchVulnerability the issue in our next patch release and continue to consistently work to improve our assurance processes. ” `` All users are strongly advised to enforce the use of 'Add Secret Key to URLs ' which mitigates the CSRF attack vector , '' the DefenseCode researchers said . `` To prevent remote code execution through arbitrary file upload the server should be configured to disallow .htaccess files in affected directories . '' Magento is used by over 250,000 online retailers , making it an attractive target for hackers . Last year , researchers found thousands of Magento-based online shops that had been compromised Attack.Databreach and infected with malicious code that skimmed Attack.Databreach payment card details .

Security researchers from Pen Test Partners have discovered Vulnerability-related.DiscoverVulnerability pretty glaring security flaws in Aga 's line of smart ovens . According to researchers , these flaws can be exploited Vulnerability-related.DiscoverVulnerability via SMS messages . The reason appears to be that Aga management opted to use a GSM SIM module to control its devices , instead of the classic option of using a Wi-Fi module . This SMS-based management feature allows Aga users to turn ovens on or off from remote locations by sending an SMS to their device . In this scenario , an attacker would need a victim 's oven SMS number , but Pen Test Partners researchers say Vulnerability-related.DiscoverVulnerability the web-based administration panel contains Vulnerability-related.DiscoverVulnerability flaws that allow attackers to scrape for all active SIM card numbers assigned to Aga ovens . There 's no authentication involved with the SMS management commands , meaning anyone could send them , and mess around with people 's `` smart '' ovens . Professional cooking ovens , like the Aga iTotal Control , need hours of warming before reaching optimal cooking temperatures . While attackers could annoy oven owners by turning their ovens off , Pen Test Partners say that an ill-intent miscreant could also turn all known Aga ovens on , and cause a spike in electric energy consumption within an area , albeit this could be an exaggerated claim , as there would need to be thousands of these devices laying around . Besides the non-authenticated SMS-based remote management feature , the research team also discovered Vulnerability-related.DiscoverVulnerability other major problems with Aga 's smart ovens . For starters , the Aga web administration panel does n't use HTTPS and forces users to use a five-digit password , one that 's incredibly easy to brute-force . Second , the Aga mobile app also works via HTTP , but even if developers used HTTPS , the app disables certificate validation on purpose , meaning attackers could use any SSL certificate to intercept traffic coming in and to the app . After spending two weeks attempting to alert the UK-based IoT manufacturer , Pen Test Researchers decided to go public Vulnerability-related.DiscoverVulnerability with their findings yesterday . Furthermore , Pent Test Partners say that the GSM SIM remote management module used for Aga 's iTotal Control smart oven was created by a company called Tekelek , which also ships similar SMS management components for oil storage tanks , heating systems , process control and medical devices . `` These appear to be monitored using SMS , so I wonder where else this bizarre unauthenticated text messaging process might lead , '' said Ken Munro , Pen Test Partners expert . At the time of writing , and following the public disclosure Vulnerability-related.DiscoverVulnerability of the iTotal Control issues , Aga appears to have taken down its web-based administration portal , as Pen Test Partners initially suggested .