websites and trick victims into handing over their credentials, has yet to be patched. A browser address bar spoofing flaw was found by researchers this week in Safari, and Apple has yet to issue a patch for the flaw. Researcher Rafay Baloch on Monday disclosed two proof-of-concepts revealing how vulnerabilities in Edge browser 42.17134.1.0 and Safari iOS 11.3.1 could be abused to manipulate the browsers' address bars, tricking victims into thinking they are visiting a legitimate website. Baloch told Threatpost Wednesday that Apple has promised to fix the flaw in its next security update for Safari. "Apple has told [me] that the latest beta of iOS 12 also addresses the issue, however they haven't provided any dates," he said. Apple did not respond to multiple requests for comment from Threatpost. Microsoft for its part has fixed the vulnerability Baloch found in the Edge browser (CVE-2018-8383) in its August Patch Tuesday release. According to Microsoft's vulnerability advisory released August 14, the spoofing flaw exists because Edge does not properly parse HTTP content. Both flaws stem from the Edge and Safari browsers allowing JavaScript to update the address bar while the page is still loading. This means that an attacker could request data from a non-existent port and, due to the delay induced by the setInterval function, trigger the address bar spoofing. The browser would then preserve the address bar and load the content from the spoofed page, Baloch said in his blog breaking down both vulnerabilities.
From there, the attacker could spoof the website, using it to lure in victims and potentially gather credentials or spread malware. For instance, the attacker could send an email message containing the specially crafted URL to the user, convince the user to click it, and take them to the link, which could gather their credentials or sensitive information. "As per Google, Address bar is the only reliable indicator for ensuring the identity of the website, if the Address bar points to Facebook.com and the content is hosted on attacker's website, there is no reason why someone would not fall for this," Baloch told Threatpost. In a video demonstration, Baloch showed how he could visit a link for the vulnerable browser on Edge (http://sh3ifu[.]com/bt/Edge-Spoof.html), which would take him to a site purporting to be a Gmail login. However, while the URL points to a Gmail address, the content is hosted on sh3ifu.com, said Baloch. The Safari proof-of-concept is similar, except for one constraint: it does not allow users to type their information into the input boxes while the page is in a loading state. However, Baloch said he was able to circumvent this restriction by injecting a fake keyboard using JavaScript, a common practice in banking sites. No other browsers, including Chrome or Firefox, were discovered to have the flaw, said Baloch. Baloch is known for discovering similar vulnerabilities in Chrome, Firefox and other major browsers in 2016, which also allowed attackers to spoof URLs in the address bar. The vulnerabilities were disclosed to both Microsoft and Apple, and Baloch gave both a 90-day deadline before he went public with the flaws.
Due to the Safari browser bug being unpatched, Baloch said he has not yet released a proof of concept: "However, considering there is a slight difference between the Edge browser POC and Safari, anyone with decent knowledge of Javascript can make it work on Safari," he told us.
11th December was Microsoft's December 2018 Patch Tuesday, which means users had to update their computers to be protected from the latest threats to Windows and Microsoft products. Microsoft has fixed 39 vulnerabilities, with 10 of them being labeled as Critical. Keeping up with its December 2018 Patch Tuesday, Microsoft announced on its blog that a vulnerability exists in Windows Domain Name System (DNS). There was not much information provided to the customers about how and when this vulnerability was discovered. The following details were released by Microsoft:

The Exploit
Microsoft Windows is prone to a heap-based buffer-overflow vulnerability. A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers when they fail to properly handle requests. An attacker who successfully exploits this issue may execute arbitrary code within the context of the affected application. Microsoft states that failed exploit attempts will result in a denial-of-service condition. Windows servers that are configured as DNS servers are at risk from this vulnerability.

Affected Systems
Find a list of the affected systems on Microsoft's Blog. The company has also provided users with security updates for the affected systems.

Workarounds and Mitigations
As of today, Microsoft has not identified any workarounds or mitigations for the affected systems. Jake Williams, the founder of Rendition Security and Rally Security, posted an update on Twitter about the issue, questioning why there is no sufficient discussion among the infosec community about the matter.
A US Postal Service website flaw was patched this week, but it had been reported by a security researcher a year ago. The US Postal Service has fixed a security bug in its website that allowed anyone with an account to see the account details of the site's 60 million users. The flaw was patched this week after USPS was informed of the issue by Krebs on Security, which reports that an unnamed independent researcher reported the bug a year ago but never received a response. According to Krebs, the flaw was caused by an authentication weakness in the application programming interface (API) on usps.com that supported the USPS "Informed Visibility" program, which offers business customers "near real-time tracking data" about mail campaigns and packages. The bug let anyone who was logged in to usps.com see account details for other users, including email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and more. Krebs notes that the "API also let any user request account changes for any other user, such as email address, phone number or other key details". USPS said in a statement it had no information that the vulnerability had been used to access customer records. "Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service's Information Security program and the Inspection Service uses industry best practices to constantly monitor our network for suspicious activity," USPS said.
"Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law." However, a recent vulnerability assessment of the Informed Visibility program by the Office of Inspector General of the US Postal Service turned up weaknesses, including a lack of audit logs, in the Informed Visibility database. The partially redacted audit report, published in October, assessed 13 Informed Visibility (IV) servers. It found overall compliance with Postal Service server configuration baselines, but weakness in the IV database's account-management systems. "We identified weaknesses in account management controls, specifically with password complexity, disabling user accounts, and maintaining audit logs," the OIG report notes. "Without account management controls, the IV system is at risk for [redacted]. Further, if expired accounts are not disabled in a timely manner, this increases the duration that Postal Service information resources are vulnerable to compromise. Additionally, without audit logs, the Postal Service would not be able to obtain sufficient detail to reconstruct activities in the event of a compromise or malfunction". USPS has faced scrutiny in the past, after a 2014 hack exposed personal information on 800,000 employees, 485,000 workers' compensation records, and 2.9 million customer-inquiry records. The OIG in 2015 criticized the USPS for focusing on compliance and failing to foster a "culture of effective cybersecurity across the enterprise".
A new iPhone and a new iOS are here, but a number of bugs, and security flaws, have frustrated early adopters. iOS 12.0.1, Apple's first update after the release of iOS 12, has patched two vulnerabilities that could have allowed a user to bypass a device's passcode. Spanish hacker Jose Rodriguez was able to use Siri to enable VoiceOver mode, which could pull up the phone's contacts. You can see the specifics of his (very complicated) procedure in the video below. Apple also says it has fixed a bug that caused the new iPhones to stop charging when their screens turned off. This wasn't an issue our review unit had, but it was noted throughout multiple forums and message boards. The company has fixed a number of smaller bugs as well. A bug that caused the phone to automatically join 2.4-GHz networks rather than 5-GHz networks, a bug that sometimes caused Bluetooth to become unavailable, and a bug that blocked subtitles from appearing in some video apps are no longer. iPad users weren't left out, either. To some users' chagrin, the original iOS 12 moved the "123" key closer to the center of the iPad keyboard. You can breathe easy again: the key has moved back to the far left. The update should be available to all users now. If you don't have automatic updates enabled, we recommend you update to the new patch ASAP if you've experienced any of these flaws, or are worried about hackers obtaining your phone.
ENTERPRISE-FOCUSED communication platform Fuze has fixed a security vulnerability that allowed anyone to access and download recorded meetings on the platform without password authentication. The flaw was discovered towards the end of February by Samuel Huckins of security company Rapid7, and Fuze had disabled access to recorded meetings by the beginning of March. An update to version 4.3.1 of the Fuze platform on March 10 rectified the issue. "Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention. When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem," Fuze said in a statement. The vulnerability was caused by the way in which the platform incrementally added digits to the URL of recorded meetings, which resulted in relatively easy brute-force attacks proving successful. Combining the simple ability to guess URLs by inputting seven-digit numbers with no requirement for authentication was always going to bring the potential for disaster, though there's no suggestion that anyone with nefarious intent accessed any of the meetings. "Recorded Fuze meetings are saved to Fuze's cloud hosting service. They could be accessed by URLs such as 'https://browser.fuzemeeting.com/?replayId=7DIGITNUM', where '7DIGITNUM' is a seven digit number that increments over time," Rapid7 explains. "Since this identifier did not provide sufficient keyspace to resist bruteforcing, specific meetings could be accessed and downloaded by simply guessing a replay ID reasonably close to the target, and iterating through all likely seven digit numbers.
This format and lack of authentication also allowed one to find recordings via search engines such as Google."
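The Fuze replay IDs above and the USPS Informed Visibility API described earlier share one root cause: knowing a record's identifier was treated as proof of entitlement to it. The Python below is an added illustration, not code from Fuze, Rapid7 or USPS; RecordingStore and its method names are assumptions, and it contrasts the incrementing seven-digit scheme with a random 128-bit identifier plus an owner check on every lookup.

```python
import math
import secrets
from typing import Dict, Optional


def sequential_keyspace_bits(digits: int) -> float:
    """Entropy (bits) of an identifier drawn from all `digits`-digit decimal numbers.
    Seven digits give about 23 bits, far too few to resist enumeration."""
    return math.log2(10 ** digits)


class RecordingStore:
    """Constructed in-memory store of meeting recordings keyed by replay ID.
    Hypothetical model, not Fuze's or USPS's code; it holds the weak and the
    hardened design side by side so the difference is visible."""

    def __init__(self) -> None:
        self._recordings: Dict[str, dict] = {}
        self._next_seq = 1000000  # hypothetical starting counter for the legacy scheme

    def add_legacy(self, owner: str, title: str) -> str:
        """Legacy scheme: a seven-digit replay ID that increments over time."""
        replay_id = str(self._next_seq)
        self._next_seq += 1
        self._recordings[replay_id] = {"owner": owner, "title": title}
        return replay_id

    def add_hardened(self, owner: str, title: str) -> str:
        """Hardened scheme: 128-bit random ID from the OS CSPRNG, not guessable."""
        replay_id = secrets.token_urlsafe(16)  # 16 bytes = 128 bits of entropy
        self._recordings[replay_id] = {"owner": owner, "title": title}
        return replay_id

    def fetch_unauthenticated(self, replay_id: str) -> Optional[dict]:
        """Vulnerable pattern: whoever knows or guesses the ID gets the recording."""
        return self._recordings.get(replay_id)

    def fetch(self, replay_id: str, requester: str) -> Optional[dict]:
        """Fixed pattern: the ID is a locator, not a capability; the caller must own
        the record. Missing and forbidden both return None so the response does not
        reveal which replay IDs exist."""
        rec = self._recordings.get(replay_id)
        if rec is None or rec["owner"] != requester:
            return None
        return rec
```

The unguessable identifier and the per-request owner check are independent controls; the random ID defeats enumeration and search-engine discovery, while the owner check is what stops a logged-in user from reading or changing someone else's record.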