As part of Microsoft 's monthly Patch Tuesday updates , a critical flaw in Windows has been patched Vulnerability-related.PatchVulnerability that is actively being exploited Vulnerability-related.DiscoverVulnerability . A vulnerability in the VBScript engine allowed for a zero-day exploit to infect machines by opening specially crafted scripts that can corrupt memory leading to the opportunity for arbitrary code execution . In a web-based attack , specially designed web pages could exploit the same vulnerability when using Internet Explorer . Embedding AcitveX controls that were marked `` safe for initialization '' inside of a Microsoft Office document also allowed for unsafe code to be executed since the IE rendering engine is used . One of the more interesting parts of the attack is that it does not matter what a user 's default browser is . When using VBScript , it is possible to force a web page to be loaded using Internet Explorer even if Chrome , FireFox , Safari , Opera or another browser is set to default . This particular vulnerability has been found Vulnerability-related.DiscoverVulnerability in use and affects Vulnerability-related.DiscoverVulnerability Windows 7 and Windows Server 2008 and newer . Kasperksy Lab has provided a fairly detailed analysis of how the exploit functions . In short , a statement from their security researchers says it all . `` We expect this vulnerability to become one of the most exploited in the near future , as it won ’ t be long until exploit kit authors start abusing it in both drive-by ( via browser ) and spear-phishing Attack.Phishing ( via document ) campaigns . '' In addition to the VBScript flaw discovered Vulnerability-related.DiscoverVulnerability and patched Vulnerability-related.PatchVulnerability , Microsoft has also patched Vulnerability-related.PatchVulnerability a privilege escalation vulnerability . A failure of the Win32k component allows for arbitrary code to be executed in kernel mode . This allows for a standard user account to obtain full system access , although it should be noted that a user must be logged in already to perform the exploit . In this case , both exploits have been patched Vulnerability-related.PatchVulnerability but that does not mean end users and administrators are going to patch Vulnerability-related.PatchVulnerability their systems in a timely manner . It is advised to manually check for updates to verify that all of the latest patches are installed . In total , 67 updates were issued Vulnerability-related.PatchVulnerability solving 21 critically rated vulnerabilities .

The Git community has disclosed Vulnerability-related.DiscoverVulnerability a security vulnerability affecting Vulnerability-related.DiscoverVulnerability the clone and submodule commands that could enable remote code execution when vulnerable machines access malicious repositories . The vulnerability , which has been assigned Vulnerability-related.DiscoverVulnerability CVE–2018–17456 by Mitre , has been fixed Vulnerability-related.PatchVulnerability in Git 2.19.1 . To trigger the vulnerability , a malicious repository could forge a .gitmodules containing an URL starting with a dash . This would affect Vulnerability-related.DiscoverVulnerability both git clone -- recurse-submodules and git submodule update -- recursive in that they would recursively pass the URL starting with a dash to a git clone or git submodule subprocess that would interpret the URL as a command option . This could lead to executing an arbitrary command on the local machine . This vulnerability is similar to CVE–2017–1000117 , which also enabled an option-injection attack by forging ssh URLs starting with a dash that would be interpreted as an option by the ssh subprocess executed by git . No exploits are known at the moment . We were also able to use the time to scan all repositories on GitHub for evidence of the attack being used in the wild . As shown in the PR fixing Vulnerability-related.PatchVulnerability the vulnerability , submitted by @ joernchen , the fix is quite trivial in itself . Yet , this discovery provided the opportunity for an overall audit of .gitmodules , which led to implementing stricter checks on both paths and URLs found inside of it . As mentioned , the fix for this vulnerability is included in Git 2.19.1 . Additionally , it has been backported Vulnerability-related.PatchVulnerability to versions 2.14.5 , 2.15.3 , 2.16.5 , 2.17.2 , and 2.18.1 . Since git is integrated in GitHub projects such as GitHub Desktop and Atom , those have been patched Vulnerability-related.PatchVulnerability as well , so you will be better off upgrading Vulnerability-related.PatchVulnerability them as soon as possible .

Adobe has resolved Vulnerability-related.PatchVulnerability 11 security flaws in this month 's patch update on the heels of a far larger security round last month in which over a hundred bugs were squashed Vulnerability-related.PatchVulnerability . The patch release impacts Vulnerability-related.PatchVulnerability Adobe Flash , Acrobat and Reader , Experience Manager , and Creative Cloud . Two of the vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability in the release are described Vulnerability-related.DiscoverVulnerability as critical and affect Vulnerability-related.DiscoverVulnerability Acrobat and Reader . In July , Adobe issued Vulnerability-related.PatchVulnerability a security update which patched Vulnerability-related.PatchVulnerability a total of 112 vulnerabilities . The majority of bugs were uncovered Vulnerability-related.DiscoverVulnerability in Adobe Acrobat , but a critical code execution flaw was also resolved Vulnerability-related.PatchVulnerability in Adobe Flash . The critical bugs in this release impact Vulnerability-related.DiscoverVulnerability Adobe Acrobat 2017 , Acrobat DC , and Acrobat Reader DC on Windows and macOS machines . The tech giant says Vulnerability-related.DiscoverVulnerability that exploitation of the security flaws , an out of bounds write issue ( CVE-2018-12808 ) and an untrusted pointer dereference problem ( CVE-2018-12799 ) can lead to arbitrary code execution . The vulnerabilities resolved Vulnerability-related.PatchVulnerability include five bugs in Adobe Flash . An out of bounds read flaw ( CVE-2018-12824 ) , a security bypass error ( CVE-2018-12825 ) , two information disclosure vulnerabilities ( CVE-2018-12826 , CVE-2018-12827 ) , and a privilege escalation flaw ( CVE-2018-12828 ) have all been patched Vulnerability-related.PatchVulnerability . A reflected cross-site scripting flaw ( CVE-2018-12806 ) , input validation bypass ( CVE-2018-12807 ) , and cross-site scripting ( XSS ) bug ( CVE-2018-5005 ) have been patched Vulnerability-related.PatchVulnerability in Adobe Experience Manager versions 6.0 -- 6.4 on all platforms . If exploited Vulnerability-related.DiscoverVulnerability , the security flaws can facilitate sensitive information disclosure and data modification . In addition , a single bug in Adobe Creative Cloud Desktop affecting Vulnerability-related.DiscoverVulnerability versions 4.5.0.324 and earlier versions on Windows systems has been resolved Vulnerability-related.PatchVulnerability . The DLL hijacking vulnerability ( CVE-2018-5003 ) can be exploited Vulnerability-related.DiscoverVulnerability in order for an attacker to escalate privileges on an account . Adobe recommends that users update their software as quickly as possible . Researchers from Trend Micro 's Zero Day Initiative , Palo Alto Networks , Google Project Zero , TenCent , and Cognizant Technology Solutions , among others , were thanked for reporting Vulnerability-related.DiscoverVulnerability the bugs . On Tuesday , Microsoft 's latest round of patches tackled Vulnerability-related.PatchVulnerability a total of 60 vulnerabilities , 19 of which were deemed critical . Two severe security flaws resolved Vulnerability-related.PatchVulnerability in the update are zero-day vulnerabilities which are being actively exploited Vulnerability-related.DiscoverVulnerability in the wild .

Enigmail and GPG Tools have been patched Vulnerability-related.PatchVulnerability for EFAIL . For more up-to-date information , please see EFF 's Surveillance Self-Defense guides . Don ’ t panic ! But you should stop using PGP for encrypted email and switch to a different secure communications method for now . A group of researchers released a paper today that describes Vulnerability-related.DiscoverVulnerability a new class of serious vulnerabilities in PGP ( including GPG ) , the most popular email encryption standard . The new paper includes a proof-of-concept exploit that can allow an attacker to use the victim ’ s own email client to decrypt previously acquired messages and return the decrypted content to the attacker without alerting the victim . The proof of concept is only one implementation of this new type of attack , and variants may follow in the coming days . Because of the straightforward nature of the proof of concept , the severity of these security vulnerabilities , the range of email clients and plugins affected , and the high level of protection that PGP users need and expect , EFF is advising PGP users to pause in their use of the tool and seek other modes of secure end-to-end communication for now . Because we are awaiting the response from the security community of the flaws highlighted in the paper , we recommend that for now you uninstall or disable your PGP email plug-in . These steps are intended as a temporary , conservative stopgap until the immediate risk of the exploit has passed and been mitigated against by the wider community . There may be simpler mitigations available Vulnerability-related.PatchVulnerability soon , as vendors and commentators develop narrower solutions , but this is the safest stance to take for now . Because sending PGP-encrypted emails to an unpatched client will create adverse ecosystem incentives to open incoming emails , any of which could be maliciously crafted to expose ciphertext to attackers . While you may not be directly affected , the other participants in your encrypted conversations are likely to be . For this attack , it isn ’ t important whether the sender or the receiver of the original secret message is targeted . This is because a PGP message is encrypted to both of their keys . At EFF , we have relied on PGP extensively both internally and to secure much of our external-facing email communications . Because of the severity of the vulnerabilities disclosed today , we are temporarily dialing down our use of PGP for both internal and external email . Our recommendations may change as new information becomes available , and we will update this post when that happens .