When it comes to fixing Vulnerability-related.PatchVulnerability security vulnerabilities , it should be clear by now that words only count when they ’ re swiftly followed by actions . Ask peripherals maker Logitech , which last week became the latest company to find itself on the receiving end of an embarrassing public flaw disclosure Vulnerability-related.DiscoverVulnerability by Google ’ s Project Zero team . In September , Project Zero researcher Tavis Ormandy installed Logitech ’ s Options application for Windows ( available separately for Mac ) , used to customise buttons on the company ’ s keyboards , mice , and touchpads . Pretty quickly , he noticed Vulnerability-related.DiscoverVulnerability some problems with the application ’ s design , starting with the fact that it… opens a websocket server on port 10134 that any website can connect to , and has no origin checking at all . Websockets simplify the communication between a client and a server and , unlike HTTP , make it possible for servers to send data to clients without first being asked to , which creates additional security risks . The only “ authentication ” is that you have to provide a pid [ process ID ] of a process owned by your user , but you get unlimited guesses so you can bruteforce it in microseconds . Ormandy claimed Vulnerability-related.DiscoverVulnerability this might offer attackers a way of executing keystroke injection to take control of a Windows PC running the software . Within days of contacting Logitech , Ormandy says he had a meeting to discuss Vulnerability-related.DiscoverVulnerability the vulnerability with its engineers on 18 September , who assured him they understood the problem . A new version of Options appeared Vulnerability-related.PatchVulnerability on 1 October without a fix , although in fairness to Logitech that was probably too soon for any patch for Ormandy ’ s vulnerability to be included Vulnerability-related.PatchVulnerability . As anyone who ’ s followed Google ’ s Project Zero will know , it operates a strict 90-day deadline for a company to fix Vulnerability-related.PatchVulnerability vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability to it , after which they are made public Vulnerability-related.DiscoverVulnerability . I would recommend disabling Logitech Options until an update is available Vulnerability-related.PatchVulnerability . Clearly , the disclosure got things moving – on 13 December , Logitech suddenly updated Vulnerability-related.PatchVulnerability Options to version 7.00.564 ( 7.00.554 for Mac ) . The company also tweeted that the flaws had been fixed Vulnerability-related.PatchVulnerability , confirmed by Ormandy on the same day . Logitech aren ’ t the first to feel Project Zero ’ s guillotine on their neck . Earlier in 2018 , Microsoft ran into a similar issue over a vulnerability found Vulnerability-related.DiscoverVulnerability by Project Zero in the Edge browser . Times have changed – vendors have to move from learning about a bug to releasing Vulnerability-related.PatchVulnerability a fix much more rapidly than they used to .

Hackers are likely exploiting the easy-to-find vulnerabilities , according to the security researcher who warned Vulnerability-related.DiscoverVulnerability the Pentagon of the flaws months ago . The vulnerable systems could allow hackers or foreign actors to launch cyberattacks through the department 's systems to make it look as though it originated from US networks . Dan Tentler , founder of cybersecurity firm Phobos Group , who discovered Vulnerability-related.DiscoverVulnerability the vulnerable hosts , warned Vulnerability-related.DiscoverVulnerability the flaws are so easy to find Vulnerability-related.DiscoverVulnerability that he believes he was probably not the first person to find Vulnerability-related.DiscoverVulnerability them . `` It 's very likely that these servers are being exploited in the wild , '' he told me on the phone . While the Pentagon is said to be aware Vulnerability-related.DiscoverVulnerability of the vulnerable servers , it has yet to implement any fixes Vulnerability-related.PatchVulnerability -- more than eight months after the department was alerted Vulnerability-related.DiscoverVulnerability . It 's a unique case that casts doubts on the effectiveness of the Trump administration 's anticipated executive order on cybersecurity , which aims to review all federal systems of security issues and vulnerabilities over a 60-day period . The draft order was leaked Attack.Databreach last week , but it was abruptly pulled minutes before it was expected to be signed on Tuesday . Tentler , a critic of the plans , argued that the draft plans are `` just not feasible . '' `` It 's laughable that an order like this was drafted in the first place because it demonstrates a complete lack of understanding what the existing problems are , '' he said . `` The order will effectively demand a vulnerability assessment on the entire government , and they want it in 60 days ? It 's been months -- and they still have n't fixed it , '' he said . In the past year , the Pentagon became the first government department to ease up on computer hacking laws by allowing researchers to find and report bugs and flaws in systems in exchange for financial rewards . Trump aides ' use of encrypted messaging may violate records law Using disappearing messages in government could be a `` recipe for corruption , '' says one expert . Researchers must limit their testing to two domains -- `` defense.gov '' ( and its subdomains ) and any `` .mil '' subdomain . In an effort to pare down the list of hosts from `` all public Department of Defense hosts '' to `` only the ones in scope , '' Tentler was able to identify several hosts that answered to the domain names in scope . `` There were hosts that were discovered Vulnerability-related.DiscoverVulnerability that had serious technical misconfiguration problems that could be easily abused by an attacker inside or outside of the country , who could want to implicate the US as culprits in hacking attacks if they so desire , '' he told me . `` The flaw could allow politically motivated attacks that could implicate the US , '' he added . In other words , a foreign hacker or nation-state attacker could launch a cyberattack and make it look like it came from the Pentagon 's systems . Tentler argued that the hosts were covered by the scope of the wildcard domains . A Pentagon spokesperson confirmed Tuesday that the vulnerabilities had been fixed Vulnerability-related.PatchVulnerability , and encouraged researchers to continue to submit Vulnerability-related.DiscoverVulnerability bugs and vulnerabilities , which are covered under the Pentagon 's vulnerability disclosure policy .