Cisco has patched Vulnerability-related.PatchVulnerability a set of severe vulnerabilities which could lead to remote code execution in the Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) . The security flaws , CVE-2018-15414 , CVE-2018-15421 , and CVE-2018-15422 , have been issued Vulnerability-related.DiscoverVulnerability a base score of 7.8 . According to the Cisco Product Security Incident Response Team ( PSIRT ) , the flaws could lead to `` an unauthenticated , remote attacker to execute arbitrary code on a targeted system . '' The Cisco Webex Network Recording Player for Advanced Recording Format ( ARF ) , available for Windows , Mac , and Linux machines is a component for recording meetings taking place in the Cisco Webex Meetings Suite sites , Cisco Webex Meetings Online sites , and Cisco Webex Meetings Server . In a security advisory posted this week , Cisco says that the following software is affected : Cisco Webex Meetings Suite ( WBS32 ) : Webex Network Recording Player versions prior to WBS32.15.10 ; Cisco Webex Meetings Suite ( WBS33 ) : Webex Network Recording Player versions prior to WBS33.3 ; Cisco Webex Meetings Online : Webex Network Recording Player versions prior to 1.3.37 ; Cisco Webex Meetings Server : Webex Network Recording Player versions prior to 3.0MR2 . According to Cisco , each operating system is vulnerable Vulnerability-related.DiscoverVulnerability to at least one of the security flaws . The vulnerabilities are due to the improper invalidation of Webex recording files . If a victim opens a crafted , malicious file in the Cisco Webex Player -- potentially sent over Attack.Phishing email as part of a spear phishing campaign Attack.Phishing -- the bugs are triggered , leading to exploit . TechRepublic : Cisco switch flaw led to attacks on critical infrastructure in several countries There are no workarounds to address Vulnerability-related.PatchVulnerability these vulnerabilities . However , Cisco has developed Vulnerability-related.PatchVulnerability patches to automatically update Vulnerability-related.PatchVulnerability vulnerable software . It is recommended that users accept these updates as quickly as possible . The tech giant notes that some Cisco Webex Meetings builds might be at the end of their support cycles and wo n't receive these updates . In these cases , users should contact the company directly . CNET : Kansas City gets smarter thanks to Cisco and Sprint Alternatively , the ARF component is an add-on and can simply be uninstalled manually . A removal tool is has been made available . Cisco is not aware Vulnerability-related.DiscoverVulnerability of any reports of any active exploits in the wild . Steven Seeley from Source Incite and Ziad Badawi , working together with the Trend Micro Zero Day Initiative , have been credited with finding and reporting Vulnerability-related.DiscoverVulnerability the bugs . In related news this week , Trend Micro 's Zero Day Initiative disclosed Vulnerability-related.DiscoverVulnerability a Microsoft Jet zero-day vulnerability which was unpatched Vulnerability-related.PatchVulnerability at the point of public disclosure Vulnerability-related.DiscoverVulnerability . If exploited Vulnerability-related.DiscoverVulnerability , the vulnerability permits attackers to remotely execute code on infected machines .

EOS has tweeted to confirm that it has patched Vulnerability-related.PatchVulnerability “ most ” of the reported bugs and is “ working hard ” on the remainder . It expects the mainnet launch to stay on schedule . Qihoo 360 , a China-based internet security firm , says it has notified Vulnerability-related.DiscoverVulnerability the EOS blockchain project about “ a series of epic vulnerabilities ” discovered Vulnerability-related.DiscoverVulnerability on its platform . The firm said in a Tuesday report Vulnerability-related.DiscoverVulnerability that loopholes found Vulnerability-related.DiscoverVulnerability in the EOS platform could expose nodes on the network to attackers , giving them the ability to execute code remotely and take “ full control ” of transactions . The firm claims that such an attack could potentially “ decimate ” the entire cryptocurrency network . Qihoo 360 went on to explain that bad actors would be able to attack the network by constructing and publishing smart contracts containing malicious code on the EOS mainnet and have EOS supernodes pack them into new blocks . Subsequently the code would affect all nodes on the network , including those of cryptocurrency wallets and exchanges , letting the attackers gain control of private keys to cryptocurrency transactions . While EOS has not yet made any public comment on the issue , Qihoo 360 said in another blog update that the project ’ s lead developer , Daniel Larimer , was notified Vulnerability-related.DiscoverVulnerability of the issues and that he has since said Vulnerability-related.DiscoverVulnerability the vulnerabilities – identified as issue number 3498 on Github – have been fixed Vulnerability-related.PatchVulnerability . “ If any of these asserts trigger in release it shouldn ’ t pass , but should throw . Allowing the code to continue running in release is a potential security vulnerability and will likely result in crashes elsewhere , ” Larimer wrote on the Github page . Meanwhile , Larimer has today appealed for more external assistance in identifying Vulnerability-related.DiscoverVulnerability critical bugs in the system with the project ’ s mainnet launch just days away .

Adobe has patched Vulnerability-related.PatchVulnerability 87 vulnerabilities for Acrobat and Reader in its December Patch Tuesday update , including a slew of critical flaws that would allow arbitrary code-execution . The scheduled update comes less than a week after Adobe released Vulnerability-related.PatchVulnerability several out-of-band fixes for Flash Player , including a critical vulnerability ( CVE-2018-15982 ) that it said is being exploited Vulnerability-related.DiscoverVulnerability in the wild . That ’ s a use-after-free flaw enabling arbitrary code-execution in Flash . The addressed critical vulnerabilities are myriad this month . The arbitrary code-execution problems include : two buffer errors ; two untrusted pointer dereference glitches ; three heap-overflow issues , five out-of-bounds write flaws , 24 use-after-free bugs . Adobe also patched Vulnerability-related.PatchVulnerability three other critical-rated issues that could lead to privilege escalation ; these are all security bypass problems . In addition to the critical bugs , Adobe also patched Vulnerability-related.PatchVulnerability 43 out-of-bounds read flaws , four integer overflow problems and two security bypass issues , all of which could allow information disclosure . Adobe has characterized all of the flaws , both critical and important , as “ priority two ” for patching Vulnerability-related.PatchVulnerability , which means that the software giant deems them to be unlikely to be imminently exploited Vulnerability-related.DiscoverVulnerability in the wild , but patching Vulnerability-related.PatchVulnerability within 30 days is recommended . The flaws are far-reaching and affect Vulnerability-related.DiscoverVulnerability various implementations of Acrobat DC , Acrobat Reader DC , Acrobat 2017 and Acrobat Reader 2017 for macOS and Windows , in classic 2015 , classic 2017 and continuous-track versions . All can be mitigated by updating Vulnerability-related.PatchVulnerability to the most current versions of the software .

Foxit has patched Vulnerability-related.PatchVulnerability more than 118 vulnerabilities in its PDF reader , some of which could be exploited Vulnerability-related.DiscoverVulnerability to enable full remote code execution . Patches were released Vulnerability-related.PatchVulnerability last week for Foxit Reader 9.3 and Foxit PhantomPDF 9.3 to address Vulnerability-related.PatchVulnerability a huge number of issues in the programs . This security bulletin released by Foxit provides details on the extensive list of vulnerabilities , which were discovered Vulnerability-related.DiscoverVulnerability via internal research , end user reports , and reports from research teams . More than 118 issues were addressed Vulnerability-related.PatchVulnerability , though there was some overlap , and so the number of actual bugs was lower . Vulnerable versions are 9.2.0.9297 and earlier , and only affect Vulnerability-related.DiscoverVulnerability Windows users . A significant number of flaws were classed as ‘ critical ’ and could allow for remote code execution – 18 were reported Vulnerability-related.DiscoverVulnerability by Cisco Talos , all of which were dubbed high in severity . Several were use-after-free flaws , which allows memory to be accessed after it has been freed and can enable hackers to execute arbitrary code and take over the system . Cisco Talos wrote in a report : “ There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted , malicious PDF or , if the browser plugin is enabled , the user could trigger the exploit by viewing the document in a web browser. ” Foxit told The Daily Swig that its programs were embedded with security features designed to protect its users from malicious actors . These include a ‘ Safe Mode ’ , which “ prevents suspicious external commands to be executed by Foxit Reader ” , and the option to disable JavaScript . The company also urged its users to update to the latest version . A spokesperson told The Daily Swig : “ Overall , Foxit Reader has had over 525 million downloads , but obviously they are not all active users on the latest release . “ In Foxit Reader , we have a Safe Mode which prevents suspicious external commands to be executed by Foxit Reader . Therefore , we don ’ t know how many folks are running without Safe Mode enabled. ” However , this security feature was bypassed not just once , but twice , by researchers last year . Foxit added : “ For a number of reasons , including bug fixes Vulnerability-related.PatchVulnerability , we always advise users to download and install the latest release . Also , run the product in Safe Mode whenever possible . ”

Valve has patched Vulnerability-related.PatchVulnerability a critical vulnerability in the Steam client which has lurked undetected for at least 10 years . The vulnerability impacts Vulnerability-related.DiscoverVulnerability all versions of the gaming platform . Tom Court , a security researcher hailing from Context Information Security , discovered Vulnerability-related.DiscoverVulnerability the bug and disclosed Vulnerability-related.DiscoverVulnerability his findings on Thursday . In a blog post , the researcher said Vulnerability-related.DiscoverVulnerability that left unpatched Vulnerability-related.PatchVulnerability , the bug permits threat actors to perform remote code execution ( RCE ) attacks . It was not until July last year that Valve added modern ASLR exploit protections to its Steam source code . However , this addition made sure that the vulnerability would only cause a client crash if exploited Vulnerability-related.DiscoverVulnerability -- unless a separate information leak vulnerability was also active in the exploit chain . Valve 's Steam software uses a custom protocol , known as the `` Steam Protocol , '' which is delivered on the top of UDP . The protocol registers packet length and the total reassembled datagram length ; however , the vulnerability was caused by a simple lack of checks to ensure that for the first packet of a fragmented datagram , the specified length was less than or equal to the total datagram length . All an attacker needed to do was to send a malformed UDP packet to trigger the exploit . `` This means that it is possible to supply a data_len smaller than packet_len and have up to 64kb of data ( due to the 2-byte width of the packet_len field ) copied to a very small buffer , resulting in an exploitable heap corruption , '' Court says . `` This seems like a simple oversight , given that the check was present for all subsequent packets carrying fragments of the datagram . '' The vulnerability was reported Vulnerability-related.DiscoverVulnerability to Valve on 20 February and was fixed Vulnerability-related.PatchVulnerability in a beta release less than 12 hours later . This patch was then pushed Vulnerability-related.PatchVulnerability to a stable release on 22 March . `` This was a very simple bug , made relatively straightforward to exploit due to a lack of modern exploit protections , '' Court says . `` The vulnerable code was probably very old , but as it was otherwise in good working order , the developers likely saw no reason to go near it or update their build scripts . '' `` The lesson here is that as a developer it is important to periodically include aging code and build systems in your reviews to ensure they conform to modern security standards , even if the actual functionality of the code has remained unchanged , '' the researcher added .

Adobe has patched Vulnerability-related.PatchVulnerability a number of security vulnerabilities on the last scheduled monthly update of this year . All these patches specifically addressed Vulnerability-related.PatchVulnerability bugs in Adobe Reader and Acrobat . Allegedly , Adobe December Patch Tuesday Update fixed Vulnerability-related.PatchVulnerability as much as 86 different vulnerabilities , including 38 critical security flaws . This week , Adobe rolled out Vulnerability-related.PatchVulnerability the last scheduled monthly updates for its products . While the previous month ’ s update included bug fixes in Flash Player , the Adobe December Patch Tuesday update bundle remained focused on Adobe Reader and Acrobat . As much as 38 different critical security bugs received Vulnerability-related.PatchVulnerability patches with this update . The vulnerabilities include 2 buffer errors , 2 Untrusted pointer dereference vulnerabilities , 5 out-of-bounds write vulnerabilities , 3 heap overflow bugs , and 23 use after free vulnerabilities . All these vulnerabilities could allegedly lead to arbitrary code execution by a potential attacker . In addition , 3 security bypass vulnerabilities also received Vulnerability-related.PatchVulnerability fixes with this update . These flaws could allow privilege escalation on the targeted systems . In addition to the above , Adobe also released Vulnerability-related.PatchVulnerability fixes for 48 important security vulnerabilities . These include , 43 out-of-bounds read vulnerabilities , 4 integer overflow bugs , and a single security bypass bug . All these could allegedly result in information disclosure . As stated in Adobe ’ s advisory , the affected software include the following for Windows , Acrobat DC and Acrobat Reader DC ( continuous track ) versions 2019.008.20081 and earlier , Adobe Acrobat 2017 and Acrobat Reader 2017 ( Classic 2017 track ) versions 2017.011.30106 and earlier , Acrobat DC and Acrobat Reader DC ( Classic 2015 track ) versions 2015.006.30457 and earlier . Whereas , in the case of MacOS , the affected programs include , Acrobat DC and Acrobat Reader DC ( continuous track ) versions including and prior to 2019.008.20080 , Adobe Acrobat 2017 and Acrobat Reader 2017 ( track Classic 2017 ) versions 2017.011.30105 and above , Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) versions 2015.006.30456 and above . Adobe has patched Vulnerability-related.PatchVulnerability all 86 vulnerabilities in the recently released versions of the respective software . The patched versions include Acrobat DC and Acrobat Reader DC versions 2019.010.20064 ( continuous track ) , Acrobat 2017 and Acrobat Reader DC 2017 ( Classic 2017 ) version 2017.011.30110 , and Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) version 2015.006.30461 . Users of both Windows and MacOS should , therefore , ensure updating Vulnerability-related.PatchVulnerability their systems and download the latest versions of the affected software to stay protected from these vulnerabilities . This month ’ s scheduled update bundle did not address Vulnerability-related.PatchVulnerability any security flaws in Flash Player . Nonetheless , lately , Adobe already patched Vulnerability-related.PatchVulnerability a critical Flash vulnerability already disclosed Vulnerability-related.DiscoverVulnerability to the public .

Adobe has patched Vulnerability-related.PatchVulnerability a number of security vulnerabilities on the last scheduled monthly update of this year . All these patches specifically addressed Vulnerability-related.PatchVulnerability bugs in Adobe Reader and Acrobat . Allegedly , Adobe December Patch Tuesday Update fixed Vulnerability-related.PatchVulnerability as much as 86 different vulnerabilities , including 38 critical security flaws . This week , Adobe rolled out Vulnerability-related.PatchVulnerability the last scheduled monthly updates for its products . While the previous month ’ s update included bug fixes in Flash Player , the Adobe December Patch Tuesday update bundle remained focused on Adobe Reader and Acrobat . As much as 38 different critical security bugs received Vulnerability-related.PatchVulnerability patches with this update . The vulnerabilities include 2 buffer errors , 2 Untrusted pointer dereference vulnerabilities , 5 out-of-bounds write vulnerabilities , 3 heap overflow bugs , and 23 use after free vulnerabilities . All these vulnerabilities could allegedly lead to arbitrary code execution by a potential attacker . In addition , 3 security bypass vulnerabilities also received Vulnerability-related.PatchVulnerability fixes with this update . These flaws could allow privilege escalation on the targeted systems . In addition to the above , Adobe also released Vulnerability-related.PatchVulnerability fixes for 48 important security vulnerabilities . These include , 43 out-of-bounds read vulnerabilities , 4 integer overflow bugs , and a single security bypass bug . All these could allegedly result in information disclosure . As stated in Adobe ’ s advisory , the affected software include the following for Windows , Acrobat DC and Acrobat Reader DC ( continuous track ) versions 2019.008.20081 and earlier , Adobe Acrobat 2017 and Acrobat Reader 2017 ( Classic 2017 track ) versions 2017.011.30106 and earlier , Acrobat DC and Acrobat Reader DC ( Classic 2015 track ) versions 2015.006.30457 and earlier . Whereas , in the case of MacOS , the affected programs include , Acrobat DC and Acrobat Reader DC ( continuous track ) versions including and prior to 2019.008.20080 , Adobe Acrobat 2017 and Acrobat Reader 2017 ( track Classic 2017 ) versions 2017.011.30105 and above , Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) versions 2015.006.30456 and above . Adobe has patched Vulnerability-related.PatchVulnerability all 86 vulnerabilities in the recently released versions of the respective software . The patched versions include Acrobat DC and Acrobat Reader DC versions 2019.010.20064 ( continuous track ) , Acrobat 2017 and Acrobat Reader DC 2017 ( Classic 2017 ) version 2017.011.30110 , and Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) version 2015.006.30461 . Users of both Windows and MacOS should , therefore , ensure updating Vulnerability-related.PatchVulnerability their systems and download the latest versions of the affected software to stay protected from these vulnerabilities . This month ’ s scheduled update bundle did not address Vulnerability-related.PatchVulnerability any security flaws in Flash Player . Nonetheless , lately , Adobe already patched Vulnerability-related.PatchVulnerability a critical Flash vulnerability already disclosed Vulnerability-related.DiscoverVulnerability to the public .

Apache Software Foundation has patched Vulnerability-related.PatchVulnerability a remote code execution vulnerability affecting Vulnerability-related.DiscoverVulnerability the Jakarta Multipart parser in Apache Struts . Administrators need to update Vulnerability-related.PatchVulnerability the popular Java application framework or put workarounds in place because the vulnerability is actively being targeted in attacks . The issue affects Vulnerability-related.DiscoverVulnerability Apache Struts versions 2.3.5 through 2.3.31 and versions 2.5 through 2.5.10 . The presence of vulnerable code is enough to expose the system to attack—the web application doesn ’ t need to implement file upload for attackers to exploit Vulnerability-related.DiscoverVulnerability the flaw , said Vulnerability-related.DiscoverVulnerability researchers from Cisco Talos . Talos “ found a high number of exploitation events , ” said Cisco threat researcher Nick Biasini . “ With exploitation actively underway , Talos recommends immediate upgrading if possible or following the workaround referenced in the above security advisory ” . The remote code execution vulnerability ( CVE-2017-5638 ) in the Jakarta Multipart parser is the result of improper handling of the Content-Type header , Apache said Vulnerability-related.DiscoverVulnerability in its emergency security advisory . The header indicates the media type of the resource , such as when the client tells the server what type of data was sent as part of a POST or PUT request , or the server telling the client what type of content is being returned as part of the response . The flaw is triggered when Struts parses a malformed Content-Type HTTP header and lets attackers remotely take complete control of the system without needing any kind of authentication .

Zero-day vulnerability could have allowed attackers to hijack a Windows system . Microsoft has patched Vulnerability-related.PatchVulnerability a major zero-day vulnerability in Windows , the second such exploit detected Vulnerability-related.DiscoverVulnerability in just a few weeks . The threat , the second such alert in just a month , was spotted Vulnerability-related.DiscoverVulnerability by security experts at Kaspersky Lab and fixed Vulnerability-related.PatchVulnerability as part of Microsoft 's monthly Patch Tuesday release . Kaspersky Lab says Vulnerability-related.DiscoverVulnerability the exploit had already been utilised for a number of cyberattacks in the Middle East , and was detected Vulnerability-related.DiscoverVulnerability by the company 's Automatic Exploit Prevention technology . The vulnerability , officially named Vulnerability-related.DiscoverVulnerability by Microsoft as CVE-2018-8589 , targeted the 32-bit version of Windows 7 , and could have allowed attackers to gain `` elevated privileges '' and create exploits to gain access to a victim 's system and run malicious code . The news comes just a few weeks after Kaspersky Lab detected Vulnerability-related.DiscoverVulnerability a similar zero-day threat in Microsoft 's system , having alerted Vulnerability-related.DiscoverVulnerability the computing giant to a further Windows vulnerability that had been utilised by state-backed cyber-espionage group known as FruityArmor . “ Autumn 2018 became quite a hot season when it comes to zero-day vulnerabilities , '' said Anton Ivanov , Security Expert at Kaspersky Lab . `` In just a month , we discovered Vulnerability-related.DiscoverVulnerability two of their kind and detected Vulnerability-related.DiscoverVulnerability two series of attacks in one region . Discreteness of cyberthreat actors ’ activities remind us that it is of critical importance for companies to have in their possession all necessary tools and solutions that would be intelligent enough to protect them from such sophisticated threats . Otherwise , they could become a subject to complex targeted attacks that will come out of nowhere . ''

WhatsApp has patched Vulnerability-related.PatchVulnerability a vulnerability in its smartphone code that could have been exploited Vulnerability-related.DiscoverVulnerability by miscreants to crash victims ' chat app simply by placing a call . Google Project Zero whizkid and Tamagotchi whisperer Natalie Silvanovich discovered and reported Vulnerability-related.DiscoverVulnerability the flaw , a memory heap overflow issue , directly to WhatsApp in August . Now that a fix is out Vulnerability-related.PatchVulnerability , Silvanovich can go public Vulnerability-related.DiscoverVulnerability with details on the potentially serious flaw . According to Silvanovich 's report , the bug is triggered when a user receives a malformed RTP packet , triggering the corruption error and crashing the application . In practice , the malformed packet that triggers the crash could be sent via a simple call request . `` This issue can occur when a WhatsApp user accepts a call from a malicious peer , '' Silvanovich explained . `` It affects both the Android and iPhone clients . '' While Silvanovich has not said whether further actions ( like remote code execution ) would be possible to pull off in the wild , the flaw was serious enough to draw the attention of fellow Google researcher Tavis Ormandy . Fortunately , as the bug has been patched Vulnerability-related.PatchVulnerability users will be able to get Vulnerability-related.PatchVulnerability a fix for the flaw by updating Vulnerability-related.PatchVulnerability to the latest version of WhatsApp on Android and iOS . We 're still waiting to hear from Google or Facebook on more details , such as if the desktop app is affected of if RCE is possible , but its PR team has a lot on today . The disclosure will add another to the growing list of apps that will need to be updated thanks to October security patches . Earlier today , Microsoft delivered Vulnerability-related.PatchVulnerability its Patch Tuesday security bundle , with Adobe dropping Vulnerability-related.PatchVulnerability its second major patch bundle in as many weeks and Google having posted Vulnerability-related.PatchVulnerability the Android monthly update last week .

The bug was found Vulnerability-related.DiscoverVulnerability in the core infrastructure of Apache Struts 2 . The Apache Software Foundation has patched Vulnerability-related.PatchVulnerability a critical security vulnerability which affects Vulnerability-related.DiscoverVulnerability all versions of Apache Struts 2 . Uncovered Vulnerability-related.DiscoverVulnerability by researchers from cybersecurity firm Semmle , the security flaw is caused by the insufficient validation of untrusted user data in the core Struts framework . When Apache Struts uses results with no namespace and in the same time , upper actions have no wild namespace . The same opportunity for exploit exists when the URL tag is in use and there is no value or action set . As the bug , CVE-2018-11776 , has been discovered Vulnerability-related.DiscoverVulnerability in the Struts core , the team says there are multiple attack vectors threat actors could use to exploit the vulnerability . If the alwaysSelectFullNamespace flag is set to true in the Struts configuration , which is automatically the case when the Struts Convention plugin is in use , or if a user 's Struts configuration file contains a tag that does not specify the optional namespace attribute or specifies a wildcard namespace . Man Yue Mo from the Semmle Security Research Team first reported Vulnerability-related.DiscoverVulnerability the flaw . `` This vulnerability affects Vulnerability-related.DiscoverVulnerability commonly-used endpoints of Struts , which are likely to be exposed , opening up an attack vector to malicious hackers , '' Mo says Vulnerability-related.DiscoverVulnerability . `` On top of that , the weakness is related to the Struts OGNL language , which hackers are very familiar with , and are known to have been exploited Vulnerability-related.DiscoverVulnerability in the past . '' The vulnerability affects Vulnerability-related.DiscoverVulnerability all versions of Apache Struts 2 . Companies which use the popular open-source framework are urged to update their builds immediately . Users of Struts 2.3 are advised to upgrade Vulnerability-related.PatchVulnerability to 2.3.35 ; users of Struts 2.5 need to upgrade Vulnerability-related.PatchVulnerability to 2.5.17 . As the latest releases only contain Vulnerability-related.PatchVulnerability fixes for the vulnerability , Apache does not expect users to experience any backward compatibility issues . `` Previous disclosures Vulnerability-related.DiscoverVulnerability of similarly critical vulnerabilities have resulted in exploits being published Vulnerability-related.DiscoverVulnerability within a day , putting critical infrastructure and customer data at risk , '' Semmle says . `` All applications that use Struts are potentially vulnerable Vulnerability-related.DiscoverVulnerability , even when no additional plugins have been enabled . '' Mo first reported Vulnerability-related.DiscoverVulnerability the findings in April . By June , the Apache Struts team published the code which resolved Vulnerability-related.PatchVulnerability the problem , leading to the release Vulnerability-related.PatchVulnerability of official patches on August 22 .

A new iPhone and a new iOS are here , but a number of bugs , and security flaws , have frustrated early adopters . iOS 12.0.1 , Apple 's first update after the release of iOS 12 , has patched Vulnerability-related.PatchVulnerability two vulnerabilities that could have allowed a user to bypass a device 's passcode . Spanish hacker Jose Rodriguez was able to use Siri to enable VoiceOver mode , which could pull up the phone 's contacts . You can see the specifics of his ( very complicated ) procedure in the video below . Apple also says it has fixed Vulnerability-related.PatchVulnerability a bug that caused the new iPhones to stop charging when their screens turned off . This was n't an issue our review unit had , but it was noted throughout multiple forums and message boards . The company has fixed Vulnerability-related.PatchVulnerability a number of smaller bugs as well . A bug that caused the phone to automatically join 2.4-GHz networks rather than 5 GHz networks , a bug that sometimes caused Bluetooth to become unavailable , and a bug that blocked subtitles from appearing in some video apps are no longer . iPad users were n't left out , either . To some users ' chagrin , the original iOS 12 moved the `` 123 '' key closer to the center of the iPad keyboard . You can breathe easy again : The key has moved back to the far left . The update should be available Vulnerability-related.PatchVulnerability to all users now . If you do n't have automatic updates enabled , we recommend you update Vulnerability-related.PatchVulnerability to the new patch ASAP if you 've experienced any of these flaws , or are worried about hackers obtaining your phone .

Researchers have discovered Vulnerability-related.DiscoverVulnerability some serious security flaws threatening Linux . These vulnerabilities exist in Vulnerability-related.DiscoverVulnerability Linux systemd component . According to the researchers , the vulnerabilities pose a risk to all systemd-based Linux distros . Allegedly , researchers at Qualys have disclosed Vulnerability-related.DiscoverVulnerability some bugs targeting the Linux systemd component . Systemd provides the core building blocks for Linux and handles major processes after booting . As revealed Vulnerability-related.DiscoverVulnerability , three vulnerabilities have targeted the systemd-journald , which is responsible for data collection and log storage . The vulnerabilities let an attacker gain root privileges on the target device . The researchers state Vulnerability-related.DiscoverVulnerability that these vulnerabilities threaten all Linux distros based on systemd except a few . As stated in their report , “ To the best of our knowledge , all systemd-based Linux distributions are vulnerable Vulnerability-related.DiscoverVulnerability , but SUSE Linux Enterprise 15 , openSUSE Leap 15.0 , and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC ’ s -fstack-clash-protection. ” The three bugs include two different memory corruption flaws ( CVE-2018-16864 and CVE-2018-16865 ) , and an out-of-bounds flaw ( CVE-2018-16866 ) . At first , the researchers accidentally discovered Vulnerability-related.DiscoverVulnerability CVE-2018-16864 while working on an exploit for a previously disclosed vulnerability , Mutagen Astronomy . Then , when they were busy on its PoC , they spotted Vulnerability-related.DiscoverVulnerability the other two bugs . “ We developed Vulnerability-related.DiscoverVulnerability a proof of concept for CVE-2018-16864 that gains eip control on i386… We developed Vulnerability-related.DiscoverVulnerability an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64 , on average. ” Interestingly , the bugs had been around for quite a few years . For now , Red Hat has patched Vulnerability-related.PatchVulnerability the bugs CVE-2018-16864 and CVE-2018-16865 . Whereas , Debian has fixed Vulnerability-related.PatchVulnerability CVE-2018-16866 in the unstable systemd 240-1 release . Other distros will also supposedly release Vulnerability-related.PatchVulnerability the fixes soon . In November 2018 , a Google researcher also highlighted Vulnerability-related.DiscoverVulnerability a critical flaw in Systemd that induced system crashes and hacks .

Splunk has patched Vulnerability-related.PatchVulnerability a slip in its JavaScript implementation that leaks Attack.Databreach user information . The advisory at Full Disclosure explains that the leak Attack.Databreach happens if an attacker tricks Attack.Phishing an authenticated user into visiting a malicious Web page . It only leaks Attack.Databreach the username , and whether or not that user has enabled remote access ; but this would provide enough for an attacker to try follow-up phishing attacks Attack.Phishing to try and get the user 's credentials . The bug , the advisory says Vulnerability-related.DiscoverVulnerability , is how Splunk used Object prototypes in JavaScript . Here 's the proof-of-concept JavaScript from the advisory : The issue affects Vulnerability-related.DiscoverVulnerability Splunk Enterprise versions 6.5.x before 6.5.3 , 6.4.x before 6.4.6 , 6.3.x before 6.3.10 , 6.2.x before 6.2.13.1 , 6.1.x before 6.1.13 , 6.0.x before 6.0.14 , 5.0.x before 5.0.18 and Splunk Light before 6.5.2 , and the company has issued Vulnerability-related.PatchVulnerability patches for all versions

Adobe has patched Vulnerability-related.PatchVulnerability two critical flaws in Acrobat and Reader that warrant urgent attention . Officially , Adobe patches Vulnerability-related.PatchVulnerability security vulnerabilities around the middle of each month to coordinate with Microsoft ’ s Patch Tuesday , but recently it ’ s become almost routine for the company to issue Vulnerability-related.PatchVulnerability out-of-band updates in between . APSB19-02 , the first of such updates to reach customers in the new year , addresses Vulnerability-related.PatchVulnerability critical flaws with a priority rating of ‘ 2 ’ . That means that the flaw is potentially serious , but Adobe hasn ’ t detected Vulnerability-related.DiscoverVulnerability any real-world exploits ( the latter would entail issuing Vulnerability-related.PatchVulnerability an ‘ emergency ’ patch with a ‘ 1 ’ rating ) . The first flaw , identified Vulnerability-related.DiscoverVulnerability as CVE-2018-16011 , is described Vulnerability-related.DiscoverVulnerability by Adobe as a use-after-free bug that could be exploited Vulnerability-related.DiscoverVulnerability using a maliciously crafted PDF to take control of a target system with their malware of choice . The second , CVE-2018-16018 ( replacing CVE-2018-19725 ) , is a security bypass targeting JavaScript API restrictions on Adobe Reader DC and seems to have been in the works since before Christmas , affecting Vulnerability-related.DiscoverVulnerability all versions of Window and macOS Acrobat DC/Reader 2019.010.20064 and earlier , the fix in both cases is to update Vulnerability-related.PatchVulnerability to 2019.010.20069 . For the legacy Acrobat/Reader 2017 2017.011.30110 and Acrobat/Reader DC 2015 2015.006.30461 , the updates take those to 2017.011.30113 and 2015.006.30464 respectively . As critical flaws with a ‘ 2 ’ rating , there is a suggested 30-day window within which to apply Vulnerability-related.PatchVulnerability the updates , but it ’ s worth bearing in mind that a new round of patches will likely be offered Vulnerability-related.PatchVulnerability for Adobe products tomorrow as part of Patch Tuesday . In December ’ s Patch Tuesday , Adobe released Vulnerability-related.PatchVulnerability a not inconsiderable 87 patches , including 39 rated critical . Only days before , Adobe issued Vulnerability-related.PatchVulnerability an emergency Flash patch for a zero-day vulnerability that was being exploited Vulnerability-related.DiscoverVulnerability , while in November Flash received Vulnerability-related.PatchVulnerability a separate patch for one whose exploitation was believed to be imminent .