A Russian vulnerability researcher and exploit developer has published Vulnerability-related.DiscoverVulnerability detailed information about a zero-day vulnerability in VirtualBox . His explanations include step-by-step instructions for exploiting the bug . According to the initial details in the disclosure Vulnerability-related.DiscoverVulnerability , the issue is present Vulnerability-related.DiscoverVulnerability in a shared code base of the virtualization software , available on all supported operating systems . Exploiting Vulnerability-related.DiscoverVulnerability the vulnerability allows an attacker to escape the virtual environment of the guest machine and reach the Ring 3 privilege layer , used for running code from most user programs , with the least privileges . Turning one `` overflow '' into another Sergey Zelenyuk found Vulnerability-related.DiscoverVulnerability that the security bug can be leveraged on virtual machines configured with the Intel PRO/1000 MT Desktop ( 82540EM ) network adapter in Network Address Translation ( NAT ) mode , the default setup that allows the guest system to access external networks . `` The [ Intel PRO/1000 MT Desktop ( 82540EM ) ] has a vulnerability allowing an attacker with root/administrator privileges in a guest to escape to a host ring3 . Then the attacker can use existing techniques to escalate privileges to ring 0 via /dev/vboxdrv , '' Zelenyuk writes Vulnerability-related.DiscoverVulnerability in a technical write-up on Tuesday . Zelenyuk says that an important aspect in getting how the vulnerability works is to understand that context descriptors are processed before data descriptors . The researcher describes the mechanics behind the security flaw in detail , showing how to trigger the necessary conditions to obtain a buffer overflow that could be abused to escape the confinements of the virtual operating system . First , he caused an integer underflow condition using packet descriptors - data segments that allow the network adapter to track network packet data in the system memory . This state was then leveraged to read data from the guest OS to into a heap buffer and cause an overflow condition that could lead to overwriting function pointers ; or to cause a stack overflow condition .

Microsoft has published Vulnerability-related.PatchVulnerability a patch for an Outlook vulnerability first reported Vulnerability-related.DiscoverVulnerability in late 2016 , but the patch has been deemed Vulnerability-related.PatchVulnerability incomplete and additional workarounds are needed , according to the security researcher who discovered Vulnerability-related.DiscoverVulnerability it . Yesterday 's April 2018 Patch Tuesday updates train included a fix for CVE-2018-0950 , a vulnerability in Microsoft Outlook discovered Vulnerability-related.DiscoverVulnerability by Will Dormann , a vulnerability analyst at the CERT Coordination Center ( CERT/CC ) . Outlook retrieves remote OLE content without prompting According to Dormann , the main problem with CVE-2018-0950 is that Microsoft Outlook will automatically render the content of remote OLE objects embedded inside rich formatted emails without prompting the user , something that Microsoft does in other Office apps such as Word , Excel , and PowerPoint . This leads to a slew of problems that come from automatically rendering OLE objects , a common attack vector for malware authors . Microsoft patches SMB attack vector only In a CERT/CC vulnerability note , Dormann says he notified Microsoft of Outlook 's propensity for loading OLE objects without alerting users in November 2016 . After almost 18 months , the company finally issued Vulnerability-related.PatchVulnerability a patch for the reported issue , but Dormann says the patch does not address Vulnerability-related.PatchVulnerability the problem at the core of the issue . According to Microsoft , the CVE-2018-0950 patch delivered Vulnerability-related.PatchVulnerability yesterday only blocks Outlook from initiating SMB connections when previewing rich formatted emails . Dormann points out that Outlook still does not prompt user for permission to render OLE objects for email previews . Furthermore , the researcher also highlights that there are other ways of obtaining the NTLM hashes , such as embedding UNC links to SMB servers inside the email , links that Outlook will automatically make clickable . `` If a user clicks such a link , the impact will be the same as with this vulnerability , '' Dormann says . But even this incomplete patch is good news . This means that while Outlook will continue to render OLE objects inside email previews , at least these objects ca n't be used to steal NTLM hashes via SMB anymore . To avoid attackers from getting their hands on NTLM hashes via SMB altogether , the expert recommends that system administrators apply additional OS-level workarounds ,

A security researcher has published Vulnerability-related.DiscoverVulnerability details of a vulnerability in a popular cloud storage drive after the company failed to issue Vulnerability-related.PatchVulnerability security patches for over a year . Remco Vermeulen found Vulnerability-related.DiscoverVulnerability a privilege escalation bug in Western Digital ’ s My Cloud devices , which he said Vulnerability-related.DiscoverVulnerability allows an attacker to bypass the admin password on the drive , gaining “ complete control ” over the user ’ s data . The exploit works because drive ’ s web-based dashboard doesn ’ t properly check a user ’ s credentials before giving a possible attacker access to tools that should require higher levels of access . The bug was “ easy ” to exploit , Vermeulen told TechCrunch in an email , and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do . He posted a proof-of-concept video on Twitter . Details of the bug were also independently found Vulnerability-related.DiscoverVulnerability by another security team , which released its own exploit code . Vermeulen reported Vulnerability-related.DiscoverVulnerability the bug over a year ago , in April 2017 , but said the company stopped responding . Normally , security researchers give 90 days for a company to respond , in line with industry-accepted responsible disclosure guidelines . After he found Vulnerability-related.DiscoverVulnerability that WD updated Vulnerability-related.PatchVulnerability the My Cloud firmware in the meanwhile without fixing Vulnerability-related.PatchVulnerability the vulnerability he found Vulnerability-related.DiscoverVulnerability , he decided to post Vulnerability-related.DiscoverVulnerability his findings . A year later , WD still hasn’t released Vulnerability-related.PatchVulnerability a patch . The company confirmed Vulnerability-related.DiscoverVulnerability that it knows Vulnerability-related.DiscoverVulnerability of the vulnerability but did not say why it took more than a year to issue Vulnerability-related.PatchVulnerability a fix . “ We are in the process of finalizing a scheduled firmware update that will resolve Vulnerability-related.PatchVulnerability the reported issue , ” a spokesperson said , which will arrive Vulnerability-related.PatchVulnerability “ within a few weeks. ” WD said Vulnerability-related.DiscoverVulnerability that several of its My Cloud products are vulnerable Vulnerability-related.DiscoverVulnerability — including the EX2 , EX4 and Mirror , but not My Cloud Home . In the meantime , Vermeulen said that there ’ s no fix and that users have to “ just disconnect ” the drive altogether if they want to keep their data safe .

Simon Kenin , a security researcher at Trustwave , was – by his own admission – being lazy the day he discovered Vulnerability-related.DiscoverVulnerability an authentication vulnerability in his Netgear router . Instead of getting up out of bed to address a connection problem , he started fuzzing the web interface and discovered Vulnerability-related.DiscoverVulnerability a serious issue . Kenin had hit upon unauth.cgi , code that was previously tied to two different exploits in 2014 for unauthenticated password disclosure flaws . The short version of the 2014 vulnerability is that an attacker can get unauth.cgi to issue a number that can be passed over to passwordrecovered.cgi in order to receive credentials . Kenin tested their exploits and was able to get his password . [ Learn about top security certifications : Who they 're for , what they cost , and which you need . The following day he started gathering other Netgear devices to test . While repeating the process , he made an error , but that did n't prevent him from obtaining credentials . That accidental discovery Vulnerability-related.DiscoverVulnerability resulted in CVE-2017-5521 . `` After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I haven’t seen Vulnerability-related.DiscoverVulnerability anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models , '' Kenin explained in a recent blog post . There are at least ten thousand devices online that are vulnerable Vulnerability-related.DiscoverVulnerability to the flaw that Kenin discovered Vulnerability-related.DiscoverVulnerability , but he says the real number could reach the hundreds of thousands , or even millions . `` The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing . However , anyone with physical access to a network with a vulnerable router can exploit it locally . This would include public Wi-Fi spaces like cafés and libraries using vulnerable equipment , '' Kenin wrote . Kenin reached out to Netgear and reported the problems , but it was no easy task . The first advisory listed 18 devices that were vulnerable Vulnerability-related.DiscoverVulnerability , followed by a second advisory detailing an additional 25 models . A few months later , in June 2016 , Netgear finally published an advisory that offered Vulnerability-related.PatchVulnerability a fix for a small subset of the vulnerable devices , and a workaround for others . Eventually , Netgear reported that they were going to fix Vulnerability-related.PatchVulnerability all the unpatched models . They also teamed up with Bugcrowd to improve their vulnerability handling process . Netgear has a status page on the vulnerability , they also provide a workaround for those who ca n't update their firmware yet . It was n't until after the story ran that the PR firm representing Trustwave and pitching the research named Simon Kenin as one who made the discovery Vulnerability-related.DiscoverVulnerability . Netgear issued a statement , downplaying the discovery some Vulnerability-related.DiscoverVulnerability , and reminding users that fixes are available Vulnerability-related.PatchVulnerability for most of the impacted devices . The emailed comments are reprinted below : NETGEAR is aware of the vulnerability ( CVE-2017-5521 ) , that has been recently publicized Vulnerability-related.DiscoverVulnerability by Trustwave . We have been working with the security analysts to evaluate the vulnerability . NETGEAR has published Vulnerability-related.DiscoverVulnerability a knowledge base article from our support page , which lists the affected routers and the available firmware fix Vulnerability-related.PatchVulnerability . Firmware fixes are currently available Vulnerability-related.PatchVulnerability for the majority of the affected devices . To download the firmware release that fixes Vulnerability-related.PatchVulnerability the password recovery vulnerability , click the link for the model and visit the firmware release page for further instructions .