Intel has issued Vulnerability-related.PatchVulnerability fresh `` microcode revision guidance '' that reveals it won ’ t address Vulnerability-related.PatchVulnerability the Meltdown and Spectre design flaws in all of its vulnerable processors – in some cases because it 's too tricky to remove the Spectre v2 class of vulnerabilities . The new guidance , issued April 2 , adds a “ stopped ” status to Intel ’ s “ production status ” category in its array of available Meltdown and Spectre security updates . `` Stopped '' indicates there will be no microcode patch to kill off Vulnerability-related.PatchVulnerability Meltdown and Spectre . The guidance explains that a chipset earns “ stopped ” status because , “ after a comprehensive investigation of the microarchitectures and microcode capabilities for these products , Intel has determined to not release Vulnerability-related.PatchVulnerability microcode updates for these products for one or more reasons. ” Those reasons are given as : Micro-architectural characteristics that preclude a practical implementation of features mitigating Vulnerability-related.PatchVulnerability [ Spectre ] Variant 2 ( CVE-2017-5715 ) Limited Commercially Available System Software support Based on customer inputs , most of these products are implemented as “ closed systems ” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities . Thus , if a chip family falls under one of those categories – such as Intel ca n't easily fix Vulnerability-related.PatchVulnerability Spectre v2 in the design , or customers do n't think the hardware will be exploited Vulnerability-related.DiscoverVulnerability – it gets a `` stopped '' sticker . To leverage the vulnerabilities , malware needs to be running on a system , so if the computer is totally closed off from the outside world , administrators may feel it 's not worth the hassle applying messy microcode , operating system , or application updates . `` Stopped '' CPUs that won ’ t therefore get Vulnerability-related.PatchVulnerability a fix are in the Bloomfield , Bloomfield Xeon , Clarksfield , Gulftown , Harpertown Xeon C0 and E0 , Jasper Forest , Penryn/QC , SoFIA 3GR , Wolfdale , Wolfdale Xeon , Yorkfield , and Yorkfield Xeon families . The new list includes various Xeons , Core CPUs , Pentiums , Celerons , and Atoms – just about everything Intel makes . Most the CPUs listed above are oldies that went on sale between 2007 and 2011 , so it is likely few remain in normal use . There ’ s some good news in the tweaked guidance : the Arrandale , Clarkdale , Lynnfield , Nehalem , and Westmere families that were previously un-patched Vulnerability-related.PatchVulnerability now have working fixes available Vulnerability-related.PatchVulnerability in production , apparently . “ We ’ ve now completed release Vulnerability-related.PatchVulnerability of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered Vulnerability-related.DiscoverVulnerability by Google Project Zero , '' an Intel spokesperson told The Reg . `` However , as indicated in our latest microcode revision guidance , we will not be providing Vulnerability-related.PatchVulnerability updated microcode for a select number of older platforms for several reasons , including limited ecosystem support and customer feedback. ” Now all Intel has to do is sort out a bunch of lawsuits , make sure future products don ’ t have similar problems , combat a revved-up-and-righteous AMD and Qualcomm in the data centre , find a way to get PC buyers interested in new kit again , and make sure it doesn ’ t flub emerging markets like IoT and 5G like it flubbed the billion-a-year mobile CPU market .

Airmail has issued Vulnerability-related.PatchVulnerability an update today to patch Vulnerability-related.PatchVulnerability a vulnerability that security researchers said Vulnerability-related.DiscoverVulnerability could let malicious third parties access email databases and read a user ’ s messages . Security consulting firm Versprite outlined Vulnerability-related.DiscoverVulnerability the issue in a blog post this morning , noting how Airmail 3 uses both a custom URL scheme and a so-called “ deterministic ” file system location for email messages for any given account . Using those two pieces of information , a hacker could theoretically retrieve Attack.Databreach every one of a user ’ s messages through a phishing scheme Attack.Phishing that relies on that custom URL scheme . Airmail told The Verge that it ’ s already updated Vulnerability-related.PatchVulnerability the app in the Mac App store and through its direct download beta program to address Vulnerability-related.PatchVulnerability the issue , calling it a “ very hypothetical ” one . The version number is Airmail 3.6 , and it should be rolling out Vulnerability-related.PatchVulnerability over the course of the day if you don ’ t already have it now . The update is also listed on Airmail ’ s website , with the update note , “ Potential URL Scheme Vulnerability Fix . ”

Samba has released Vulnerability-related.PatchVulnerability security updates addressing Vulnerability-related.PatchVulnerability a possible avenue for DoS attacks and attackers changing administrator passwords . Samba 4 users should update now . Open source server platform Samba has issued Vulnerability-related.PatchVulnerability patches for two critical vulnerabilities that could be used to launch denial-of-service attacks or allow anyone to change user and administrator passwords . Samba is a free , open source interoperability suite that extends Windows file and print services to Unix and Linux machines . Businesses that run Unix/Linux and Windows side by side frequently use Samba to link the two operating systems together , making any risk to the security and stability of Samba a serious risk . The vulnerabilities in question Vulnerability-related.DiscoverVulnerability , CVE-2018-1050 and CVE-2018-1057 , are both serious risks for anyone using Samba . If your business has a Samba implementation it 's highly recommended that you install the applicable security updates . What the Samba vulnerabilities can do The first vulnerability , 1050 , affects Vulnerability-related.DiscoverVulnerability all Samba instances version 4.0.0 and up . More specifically , it only affects Vulnerability-related.DiscoverVulnerability version 4.0.0 and up Samba installations that are also running their Remote Procedure Call ( RPC ) Spool Subsystem Service ( spoolss ) as an external daemon ( RPC spoolss is configured to internal by default ) . If the RPC spoolss misses an input sanitization check it can cause the print spooler to crash , effectively killing the ability for anyone using Samba to send files to a printer . The second vulnerability , 1057 , is a far greater risk to Samba security . Like 1050 , it affects Vulnerability-related.DiscoverVulnerability all Samba installations version 4.0.0 and up and allows users to change the passwords of other users , including those with admin rights . 1057 's problem stems from a problem with how Samba Active Directory domain controllers handle permission validations using the lightweight directory access protocol ( LDAP ) . `` The LDAP server incorrectly validates certain LDAP password modifications against the 'Change Password ' privilege , but then performs a password reset operation , '' Samba said . This vulnerability only affects Vulnerability-related.DiscoverVulnerability Samba installations being used as Active Directory domain controllers , so those using Samba in non-domain control roles do n't need to be concerned . If you are using Samba as an AD DC and ca n't install the security patch yet , there is a workaround Samba says you can put in place as a temporary protection measure : revoking password change permissions for `` the world '' group .

Apple has issued Vulnerability-related.PatchVulnerability an update to fix Vulnerability-related.PatchVulnerability a number of issues in macOS Mojave leading to arbitrary code execution , the ability to read restricted memory and access local users Apple IDs among others . All were patched Vulnerability-related.PatchVulnerability with the release of macOS Mojave 10.14 on Sept 24. applePatchapplePatch The first issue , CVE-2018-5383 , impacted Vulnerability-related.DiscoverVulnerability a number of iMac , MacBook Air , Mac Pro and Mac mini server products . An input validation issue existed in Vulnerability-related.DiscoverVulnerability Bluetooth was fixed Vulnerability-related.PatchVulnerability that could have allowed an attacker in a privileged network position to intercept Bluetooth traffic . The App Store also patched Vulnerability-related.PatchVulnerability CVE-2018-4324 , an issue in the handling of Apple ID that could have been exploited Vulnerability-related.DiscoverVulnerability by a malicious application that would expose the Apple ID of the computer ’ s owner . Also , a validation issue that could expose Apple IDs was in Auto Unlock that was patched Vulnerability-related.PatchVulnerability with improved validation of the process entitlement . CVE-2018-4353 impacted Vulnerability-related.DiscoverVulnerability the application firewall where a sandboxed process may be able to circumvent sandbox restrictions , but this was addressed Vulnerability-related.PatchVulnerability by adding additional restrictions . In Crash Reporter a validation issue , CVE-2018-4333 , was addressed Vulnerability-related.PatchVulnerability that if exploited Vulnerability-related.DiscoverVulnerability would allow a malicious application to read restricted memory . Two Kernel problems were fixed Vulnerability-related.PatchVulnerability , CVE-2018-4336 and CVE-2018-4344 , that could let an application may be able to execute arbitrary code with kernel privileges . The final problem , CVE-2016-1777 , effected Security where an attacker could exploit a weaknesses in the RC4 cryptographic algorithm and was fixed Vulnerability-related.PatchVulnerability by removing RC4 .

After scrambling to patch Vulnerability-related.PatchVulnerability a critical vulnerability late last month , Drupal is at it again . The open source content management project has issued Vulnerability-related.PatchVulnerability an unscheduled security update to augment its previous patch for Drupalgeddon2 . There was also a cross-site scripting bug advisory in mid-April . The latest Drupal core vulnerability , designated Vulnerability-related.DiscoverVulnerability , SA-CORE-2018-004 and assigned Vulnerability-related.DiscoverVulnerability CVE-2018-7602 , is related to the March SA-CORE-2018-002 flaw ( CVE-2018-7600 ) , according to the Drupal security team . It can be exploited Vulnerability-related.DiscoverVulnerability to take over a website 's server , and allow miscreants to steal information or alter pages . `` It is a remote code execution vulnerability , '' explained a member of the Drupal security team in an email to The Register . `` No more technical details beyond that are available . '' The vulnerability affects Vulnerability-related.DiscoverVulnerability at least Drupal 7.x and Drupal 8.x . And a similar issue has been found Vulnerability-related.DiscoverVulnerability in the Drupal Media module . In a blog post from earlier this month about the March patch , Dries Buytaert , founder of the Drupal project , observed Vulnerability-related.DiscoverVulnerability that all software has security issues and critical security bugs are rare . While the March bug is being actively exploited Vulnerability-related.DiscoverVulnerability , the Drupal security team says it 's unaware of any exploitation of the latest vulnerability . But it wo n't be long – those maintaining the project observed automated attacks appearing about two weeks after the SA-CORE-2018-002 notice . The fix is to upgrade Vulnerability-related.PatchVulnerability to the most recent version of Drupal 7 or 8 core . The latest code can be found at Drupal 's website . For those running 7.x , that means upgrading to Drupal 7.59 . For those running , 8.5.x , the latest version if 8.5.3 . And for those still on 8.4.x , there 's an upgrade to 8.4.8 , despite the fact that as an unsupported minor release , the 8.4.x line would not normally get Vulnerability-related.PatchVulnerability security updates . And finally , if you 're still on Drupal 6 , which is no longer officially supported , unofficial patches are being developed Vulnerability-related.PatchVulnerability here . Drupal users appear to be taking the release in stride , though with a bit of grumbling . `` Drupal Wednesday looks like the new Windows patch day , '' quipped designer Tom Binroth via Twitter . `` I would rather spend my time on creating new stuff than patching Vulnerability-related.PatchVulnerability Drupal core sites . ''

Troubled browser has once again come under attack , with flaw discovered Vulnerability-related.DiscoverVulnerability in multiple versions of Internet Explorer . Microsoft has been forced to issue Vulnerability-related.PatchVulnerability an emergency security patch for its Internet Explorer browser . The release came after Google security engineer Clement Lecigne uncovered Vulnerability-related.DiscoverVulnerability a critical vulnerability in several versions of Microsoft 's browser , and could have been activated simply by directing users to a malicious website The flaw , known as CVE-2018-8653 , affects Vulnerability-related.DiscoverVulnerability Internet Explorer 9 , 10 and 11 , with the update issued Vulnerability-related.PatchVulnerability to Windows 7 , 8.1 and 10 versions , as well as Windows Server 2008 , 2012 , 2016 and 2019 . `` A remote code execution vulnerability exists in Vulnerability-related.DiscoverVulnerability the way that the scripting engine handles objects in memory in Internet Explorer , '' Microsoft stated in its support document for the threat . `` The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user . '' The company has issued Vulnerability-related.PatchVulnerability a fix for the flaw now , outside of its typical Patch Tuesday security cycle , signifying it is a significant threat and should be patched Vulnerability-related.PatchVulnerability immediately . Microsoft has gradually retired Internet Explorer from public view over the past few years as it focuses on its newer browser Edge , with only customised versions available to certain business users . The company may also be about to pull the plug on Edge as well , with report recently confirming Microsoft is set to introduce a new browser built on Google 's Chromium platform .

Microsoft has issued Vulnerability-related.PatchVulnerability an emergency , out-of-band patch for an Internet Explorer zero-day that was being actively exploited Vulnerability-related.DiscoverVulnerability in targeted attacks . The company says that it learned about the vulnerability through a report from Google . CVE-2018-8653 affects Vulnerability-related.DiscoverVulnerability a range of versions of Internet Explorer from 9 to 11 , across Windows 7 to 10 and Windows Server . The vulnerability amounts to a remote code execution exploit , and it was first spotted Vulnerability-related.DiscoverVulnerability by Google 's Threat Analysis Group . Microsoft explains Vulnerability-related.DiscoverVulnerability that a problem with Internet Explorer 's scripting engine could be exploited Vulnerability-related.DiscoverVulnerability by an attacker to execute arbitrary code on a victim 's computer . In a short security advisory , the company says : Today , we released Vulnerability-related.PatchVulnerability a security update for Internet Explorer after receiving a report Vulnerability-related.DiscoverVulnerability from Google about a new vulnerability being used in targeted attacks . Customers who have Windows Update enabled and have applied Vulnerability-related.PatchVulnerability the latest security updates , are protected automatically . We encourage customers to turn on automatic updates . Microsoft would like to thank Google for their assistance . In a more detailed security vulnerability posting , Microsoft explains the impact of the problem : A remote code execution vulnerability exists in Vulnerability-related.DiscoverVulnerability the way that the scripting engine handles objects in memory in Internet Explorer . The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user . An attacker who successfully exploited Vulnerability-related.DiscoverVulnerability the vulnerability could gain the same user rights as the current user . If the current user is logged on with administrative user rights , an attacker who successfully exploited Vulnerability-related.DiscoverVulnerability the vulnerability could take control of an affected system . An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights . In a web-based attack scenario , an attacker could host a specially crafted website that is designed Attack.Phishing to exploit the vulnerability through Internet Explorer and then convince Attack.Phishing a user to view the website , for example , by sending Attack.Phishing an email . The security update addresses Vulnerability-related.PatchVulnerability the vulnerability by modifying Vulnerability-related.PatchVulnerability how the scripting engine handles objects in memory .

Update , Cisco will take a second crack at addressing Vulnerability-related.PatchVulnerability a vulnerability in WebEx that can be exploited Vulnerability-related.DiscoverVulnerability to execute malicious code on a vulnerable installation . Switchzilla has issued Vulnerability-related.PatchVulnerability a new fix to address Vulnerability-related.PatchVulnerability CVE-2018-15442 , a command injection bug in its video conference software that allows a local attacker to their elevate privileges , and then execute code by injecting commands through the software update component of the WebEx Meetings Client . The bug was traced back to the failure by Webex Meetings to properly check arguments passed via its update service commands . Thus a miscreant could run an update command with specially crafted arguments to ultimately execute code with system privileges . This means rogue logged-in users or malware on a Windows system could leverage WebEx to completely hijack the machine . Cisco had hoped to plug Vulnerability-related.PatchVulnerability the vulnerability in October with a patch that was thought to have resolved Vulnerability-related.PatchVulnerability the flaw . However , software-breakers at SecureAuth found that Switchzilla failed to account for DLL preloading . By sticking the malicious commands inside a DLL file and then executing the update program with that library loaded , an attacker would be able to circumvent the patch and then exploit Vulnerability-related.DiscoverVulnerability the flaw as before to execute commands with system-level clearance . `` The vulnerability can be exploited Vulnerability-related.DiscoverVulnerability by copying to an a local attacker controller folder , the ptUpdate.exe binary . Also , a malicious dll must be placed in the same folder , named wbxtrace.dll , '' SecureAuth explained in its disclosure today . `` To gain privileges , the attacker must start the service with the command line : '' Fortunately , the flaw was privately disclosed Vulnerability-related.DiscoverVulnerability to Cisco , giving the teleconferencing vendor time to get out Vulnerability-related.PatchVulnerability a fix prior to this bug going public . Those running Webex Meetings on their Windows machines should update as soon as possible . While the flaw is n't as severe as a remote code bug that could be exploited Vulnerability-related.DiscoverVulnerability without any user interaction , the fact it has now been patched Vulnerability-related.PatchVulnerability twice and has working proof-of-concept code public should make patching Vulnerability-related.PatchVulnerability a priority .

CIsco has issued Vulnerability-related.PatchVulnerability a critical patch of a patch for a Cisco Prime License Manager SQL fix . Cisco this week said it patched Vulnerability-related.PatchVulnerability a “ critical ” patch for its Prime License Manager ( PLM ) software that would let attackers execute random SQL queries . The Cisco Prime License Manager offers enterprise-wide management of user-based licensing , including license fulfillment . Released Vulnerability-related.PatchVulnerability in November , the first version of the Prime License Manager patch caused its own “ functional ” problems that Cisco was then forced to fix Vulnerability-related.PatchVulnerability . That patch , called ciscocm.CSCvk30822_v1.0.k3.cop.sgn addressed Vulnerability-related.PatchVulnerability the SQL vulnerability but caused backup , upgrade and restore problems , and should no longer be used Cisco said . Cisco wrote that “ customers who have previously installed Vulnerability-related.PatchVulnerability the ciscocm.CSCvk30822_v1.0.k3.cop.sgn patch should upgrade Vulnerability-related.PatchVulnerability to the ciscocm.CSCvk30822_v2.0.k3.cop.sgn patch to remediate the functional issues . Installing Vulnerability-related.PatchVulnerability the v2.0 patch will first rollback the v1.0 patch and then install Vulnerability-related.PatchVulnerability the v2.0 patch. ” As for the vulnerability that started this process , Cisco says it “ is due to a lack of proper validation of user-supplied input in SQL queries . An attacker could exploit this vulnerability by sending crafted HTTP POST requests that contain malicious SQL statements to an affected application . A successful exploit could allow the attacker to modify and delete arbitrary data in the PLM database or gain shell access with the privileges of the postgres [ SQL ] user. ” The vulnerability impacts Vulnerability-related.DiscoverVulnerability Cisco Prime License Manager Releases 11.0.1 and later .

Splunk has patched Vulnerability-related.PatchVulnerability a slip in its JavaScript implementation that leaks Attack.Databreach user information . The advisory at Full Disclosure explains that the leak Attack.Databreach happens if an attacker tricks Attack.Phishing an authenticated user into visiting a malicious Web page . It only leaks Attack.Databreach the username , and whether or not that user has enabled remote access ; but this would provide enough for an attacker to try follow-up phishing attacks Attack.Phishing to try and get the user 's credentials . The bug , the advisory says Vulnerability-related.DiscoverVulnerability , is how Splunk used Object prototypes in JavaScript . Here 's the proof-of-concept JavaScript from the advisory : The issue affects Vulnerability-related.DiscoverVulnerability Splunk Enterprise versions 6.5.x before 6.5.3 , 6.4.x before 6.4.6 , 6.3.x before 6.3.10 , 6.2.x before 6.2.13.1 , 6.1.x before 6.1.13 , 6.0.x before 6.0.14 , 5.0.x before 5.0.18 and Splunk Light before 6.5.2 , and the company has issued Vulnerability-related.PatchVulnerability patches for all versions