Microsoft today issued Vulnerability-related.PatchVulnerability an emergency security update to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability earlier this month to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability in January and February . In January and February , Redmond emitted Vulnerability-related.PatchVulnerability fixes for Windows 7 and Server 2008 R2 machines to counter Vulnerability-related.PatchVulnerability the Meltdown chip-level vulnerability in modern Intel x64 processors . Unfortunately , those patches blew Vulnerability-related.PatchVulnerability a gaping hole in the operating systems : normal applications and logged-in users could now access and modify any part of physical RAM , and gain complete control over a box , with the updates installed . Rather than stop programs and non-administrators from exploiting Meltdown to extract Attack.Databreach passwords and other secrets from protected kernel memory , the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM . Roll on March , and Microsoft pushed out Vulnerability-related.PatchVulnerability fixes on Patch Tuesday to correct Vulnerability-related.PatchVulnerability those January and February updates to close Vulnerability-related.PatchVulnerability the security vulnerability it accidentally opened . Except that March update did n't fully seal Vulnerability-related.PatchVulnerability the deal : the bug remained in Vulnerability-related.DiscoverVulnerability the kernel , and was exploitable by malicious software and users . Total Meltdown Now , if you 're using Windows 7 or Server 2008 R2 and have applied Vulnerability-related.PatchVulnerability Microsoft 's Meltdown patches , you 'll want to grab and install Vulnerability-related.PatchVulnerability today 's out-of-band update for CVE-2018-1038 . Swedish researcher Ulf Frisk discovered Vulnerability-related.DiscoverVulnerability the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken , and went public Vulnerability-related.DiscoverVulnerability with his findings once the March Patch Tuesday had kicked off . As it turns out , this month 's updates did not fully fix Vulnerability-related.PatchVulnerability things , and Microsoft has had to scramble to remedy Vulnerability-related.PatchVulnerability what was now a zero-day vulnerability in Windows 7 and Server 2008 . In other words , Microsoft has just had to put out Vulnerability-related.PatchVulnerability a patch for a patch for a patch . Hardly inspiring stuff , but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest . On the other hand , writing kernel-level memory management code is an absolute bastard at times , so you have to afford the devs some sympathy .

Microsoft today issued Vulnerability-related.PatchVulnerability an emergency security update to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability earlier this month to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability in January and February . In January and February , Redmond emitted Vulnerability-related.PatchVulnerability fixes for Windows 7 and Server 2008 R2 machines to counter Vulnerability-related.PatchVulnerability the Meltdown chip-level vulnerability in modern Intel x64 processors . Unfortunately , those patches blew Vulnerability-related.PatchVulnerability a gaping hole in the operating systems : normal applications and logged-in users could now access and modify any part of physical RAM , and gain complete control over a box , with the updates installed . Rather than stop programs and non-administrators from exploiting Meltdown to extract Attack.Databreach passwords and other secrets from protected kernel memory , the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM . Roll on March , and Microsoft pushed out Vulnerability-related.PatchVulnerability fixes on Patch Tuesday to correct Vulnerability-related.PatchVulnerability those January and February updates to close Vulnerability-related.PatchVulnerability the security vulnerability it accidentally opened . Except that March update did n't fully seal Vulnerability-related.PatchVulnerability the deal : the bug remained in Vulnerability-related.DiscoverVulnerability the kernel , and was exploitable by malicious software and users . Total Meltdown Now , if you 're using Windows 7 or Server 2008 R2 and have applied Vulnerability-related.PatchVulnerability Microsoft 's Meltdown patches , you 'll want to grab and install Vulnerability-related.PatchVulnerability today 's out-of-band update for CVE-2018-1038 . Swedish researcher Ulf Frisk discovered Vulnerability-related.DiscoverVulnerability the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken , and went public Vulnerability-related.DiscoverVulnerability with his findings once the March Patch Tuesday had kicked off . As it turns out , this month 's updates did not fully fix Vulnerability-related.PatchVulnerability things , and Microsoft has had to scramble to remedy Vulnerability-related.PatchVulnerability what was now a zero-day vulnerability in Windows 7 and Server 2008 . In other words , Microsoft has just had to put out Vulnerability-related.PatchVulnerability a patch for a patch for a patch . Hardly inspiring stuff , but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest . On the other hand , writing kernel-level memory management code is an absolute bastard at times , so you have to afford the devs some sympathy .

Microsoft today issued Vulnerability-related.PatchVulnerability an emergency security update to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability earlier this month to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability in January and February . In January and February , Redmond emitted Vulnerability-related.PatchVulnerability fixes for Windows 7 and Server 2008 R2 machines to counter Vulnerability-related.PatchVulnerability the Meltdown chip-level vulnerability in modern Intel x64 processors . Unfortunately , those patches blew Vulnerability-related.PatchVulnerability a gaping hole in the operating systems : normal applications and logged-in users could now access and modify any part of physical RAM , and gain complete control over a box , with the updates installed . Rather than stop programs and non-administrators from exploiting Meltdown to extract Attack.Databreach passwords and other secrets from protected kernel memory , the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM . Roll on March , and Microsoft pushed out Vulnerability-related.PatchVulnerability fixes on Patch Tuesday to correct Vulnerability-related.PatchVulnerability those January and February updates to close Vulnerability-related.PatchVulnerability the security vulnerability it accidentally opened . Except that March update did n't fully seal Vulnerability-related.PatchVulnerability the deal : the bug remained in Vulnerability-related.DiscoverVulnerability the kernel , and was exploitable by malicious software and users . Total Meltdown Now , if you 're using Windows 7 or Server 2008 R2 and have applied Vulnerability-related.PatchVulnerability Microsoft 's Meltdown patches , you 'll want to grab and install Vulnerability-related.PatchVulnerability today 's out-of-band update for CVE-2018-1038 . Swedish researcher Ulf Frisk discovered Vulnerability-related.DiscoverVulnerability the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken , and went public Vulnerability-related.DiscoverVulnerability with his findings once the March Patch Tuesday had kicked off . As it turns out , this month 's updates did not fully fix Vulnerability-related.PatchVulnerability things , and Microsoft has had to scramble to remedy Vulnerability-related.PatchVulnerability what was now a zero-day vulnerability in Windows 7 and Server 2008 . In other words , Microsoft has just had to put out Vulnerability-related.PatchVulnerability a patch for a patch for a patch . Hardly inspiring stuff , but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest . On the other hand , writing kernel-level memory management code is an absolute bastard at times , so you have to afford the devs some sympathy .

Microsoft 's patches for the Meltdown vulnerability have had a fatal flaw all these past months , according to Alex Ionescu , a security researcher with cyber-security firm Crowdstrike . Only patches for Windows 10 versions were affected Vulnerability-related.DiscoverVulnerability , the researcher wrote today in a tweet . Microsoft quietly fixed Vulnerability-related.PatchVulnerability the issue on Windows 10 Redstone 4 ( v1803 ) , also known as the April 2018 Update , released Vulnerability-related.PatchVulnerability on Monday . `` Welp , it turns out Vulnerability-related.PatchVulnerability the Meltdown patches for Windows 10 had a fatal flaw : calling NtCallEnclave returned back to user space with the full kernel page table directory , completely undermining the mitigation , '' Ionescu wrote . Microsoft issued Vulnerability-related.PatchVulnerability today an security update , but it was n't to backport the `` fixed '' Meltdown patches for older Windows 10 versions . Instead , the emergency update fixed Vulnerability-related.PatchVulnerability a vulnerability in the Windows Host Compute Service Shim ( hcsshim ) library ( CVE-2018-8115 ) that allows an attacker to remotely execute code on vulnerable systems . Microsoft classified Vulnerability-related.DiscoverVulnerability CVE-2018-8115 as a `` critical '' issues . A patched hcsshim file is available Vulnerability-related.PatchVulnerability for download from GitHub . `` We are aware and are working to provide Vulnerability-related.PatchVulnerability customers with an update , '' a Microsoft spokesperson told Bleeping Computer today in an email . It may be that if Microsoft does n't bundle these fixes in an out-of-band update , they will most likely arrive Vulnerability-related.PatchVulnerability in Microsoft 's May 2018 Patch Tuesday , but this is only our speculation . Microsoft released Vulnerability-related.PatchVulnerability its Meltdown and Spectre patches on January 4 , a day after security researchers disclosed Vulnerability-related.DiscoverVulnerability the two flaws , vulnerabilities that allow attackers to retrieve data from protected areas of modern CPUs . The Redmond-based OS maker has had a hard time patching Vulnerability-related.PatchVulnerability the two flaws , and the company recently issued Vulnerability-related.PatchVulnerability additional security updates to fix Vulnerability-related.PatchVulnerability the original Spectre mitigations , and also deliver Vulnerability-related.PatchVulnerability Intel CPU microcode updates , as a favor to Intel .

Microsoft 's patches for the Meltdown vulnerability have had a fatal flaw all these past months , according to Alex Ionescu , a security researcher with cyber-security firm Crowdstrike . Only patches for Windows 10 versions were affected Vulnerability-related.DiscoverVulnerability , the researcher wrote today in a tweet . Microsoft quietly fixed Vulnerability-related.PatchVulnerability the issue on Windows 10 Redstone 4 ( v1803 ) , also known as the April 2018 Update , released Vulnerability-related.PatchVulnerability on Monday . `` Welp , it turns out Vulnerability-related.PatchVulnerability the Meltdown patches for Windows 10 had a fatal flaw : calling NtCallEnclave returned back to user space with the full kernel page table directory , completely undermining the mitigation , '' Ionescu wrote . Microsoft issued Vulnerability-related.PatchVulnerability today an security update , but it was n't to backport the `` fixed '' Meltdown patches for older Windows 10 versions . Instead , the emergency update fixed Vulnerability-related.PatchVulnerability a vulnerability in the Windows Host Compute Service Shim ( hcsshim ) library ( CVE-2018-8115 ) that allows an attacker to remotely execute code on vulnerable systems . Microsoft classified Vulnerability-related.DiscoverVulnerability CVE-2018-8115 as a `` critical '' issues . A patched hcsshim file is available Vulnerability-related.PatchVulnerability for download from GitHub . `` We are aware and are working to provide Vulnerability-related.PatchVulnerability customers with an update , '' a Microsoft spokesperson told Bleeping Computer today in an email . It may be that if Microsoft does n't bundle these fixes in an out-of-band update , they will most likely arrive Vulnerability-related.PatchVulnerability in Microsoft 's May 2018 Patch Tuesday , but this is only our speculation . Microsoft released Vulnerability-related.PatchVulnerability its Meltdown and Spectre patches on January 4 , a day after security researchers disclosed Vulnerability-related.DiscoverVulnerability the two flaws , vulnerabilities that allow attackers to retrieve data from protected areas of modern CPUs . The Redmond-based OS maker has had a hard time patching Vulnerability-related.PatchVulnerability the two flaws , and the company recently issued Vulnerability-related.PatchVulnerability additional security updates to fix Vulnerability-related.PatchVulnerability the original Spectre mitigations , and also deliver Vulnerability-related.PatchVulnerability Intel CPU microcode updates , as a favor to Intel .

Microsoft has published Vulnerability-related.PatchVulnerability a patch for an Outlook vulnerability first reported Vulnerability-related.DiscoverVulnerability in late 2016 , but the patch has been deemed Vulnerability-related.PatchVulnerability incomplete and additional workarounds are needed , according to the security researcher who discovered Vulnerability-related.DiscoverVulnerability it . Yesterday 's April 2018 Patch Tuesday updates train included a fix for CVE-2018-0950 , a vulnerability in Microsoft Outlook discovered Vulnerability-related.DiscoverVulnerability by Will Dormann , a vulnerability analyst at the CERT Coordination Center ( CERT/CC ) . Outlook retrieves remote OLE content without prompting According to Dormann , the main problem with CVE-2018-0950 is that Microsoft Outlook will automatically render the content of remote OLE objects embedded inside rich formatted emails without prompting the user , something that Microsoft does in other Office apps such as Word , Excel , and PowerPoint . This leads to a slew of problems that come from automatically rendering OLE objects , a common attack vector for malware authors . Microsoft patches SMB attack vector only In a CERT/CC vulnerability note , Dormann says he notified Microsoft of Outlook 's propensity for loading OLE objects without alerting users in November 2016 . After almost 18 months , the company finally issued Vulnerability-related.PatchVulnerability a patch for the reported issue , but Dormann says the patch does not address Vulnerability-related.PatchVulnerability the problem at the core of the issue . According to Microsoft , the CVE-2018-0950 patch delivered Vulnerability-related.PatchVulnerability yesterday only blocks Outlook from initiating SMB connections when previewing rich formatted emails . Dormann points out that Outlook still does not prompt user for permission to render OLE objects for email previews . Furthermore , the researcher also highlights that there are other ways of obtaining the NTLM hashes , such as embedding UNC links to SMB servers inside the email , links that Outlook will automatically make clickable . `` If a user clicks such a link , the impact will be the same as with this vulnerability , '' Dormann says . But even this incomplete patch is good news . This means that while Outlook will continue to render OLE objects inside email previews , at least these objects ca n't be used to steal NTLM hashes via SMB anymore . To avoid attackers from getting their hands on NTLM hashes via SMB altogether , the expert recommends that system administrators apply additional OS-level workarounds ,

A design flaw affecting Vulnerability-related.DiscoverVulnerability all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patched Vulnerability-related.PatchVulnerability . The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication . In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers , according to Tencent ’ s Xuanwu Lab which is credited for first identifying Vulnerability-related.DiscoverVulnerability the flaw earlier this year . “ During our research on this , we found all the in-display fingerprint sensor module suffer the same problem no matter where it was manufactured by whatever vendors , ” said Yang Yu , a researcher at Xuanwu Lab . “ This vulnerability is a design fault of in-display fingerprint sensors. ” Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors , said Yu . That includes current models of Huawei Technologies ’ Porsche Design Mate RS and Mate 20 Pro model phones . Yu said that many more cellphone manufacturers are impacted Vulnerability-related.DiscoverVulnerability by the issue . However , Yu would not specify other impacted vendors or models : “ Vendors differ greatly in the attitude to security issues , someone have open attitudes , like Huawei , and in contrast , some vendors strongly hope us to keep the voice down on this , ” he told Threatpost . He noted Huawei has been forthcoming , issuing Vulnerability-related.PatchVulnerability patches to address Vulnerability-related.PatchVulnerability the issue . Other phones that use the feature include Vivo Communication Technology ’ s V11 Pro , X21 and Nex ; and OnePlus ’ 6T and Xiaomi Mi 8 Explorer Edition phones . Vivo , OnePlus and Xiaomi did not respond to requests for comment from Threatpost . In-display fingerprint readers based on optical fingerprint imaging , experts believe , will soon replace conventional authentication based on capacitance-sensor fingerprint scanners . In-display readers allow for a user to place a finger on the screen of a smartphone where a scanner from behind the display can verify a fingerprint , authenticate the user and unlock the phone . Design-wise the feature allows phones to be sleeker and less cluttered , supporting infinity displays . Usability advantages include the ability to unlock the phone simply by placing your finger on the phone ’ s screen at any angle , whether it ’ s sitting on a table or in a car mount . The vulnerability , which Huawei issued Vulnerability-related.PatchVulnerability a patch ( CVE-2018-7929 ) for in September , can be exploited Vulnerability-related.DiscoverVulnerability in a matter of seconds , researchers said . In an exclusive interview with Threatpost on the flaw Yu said all an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil . By placing the reflective material over a residual fingerprint on the phone ’ s display the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint .

If you ’ re a BMW owner , prepare to patch ! Chinese researchers have found Vulnerability-related.DiscoverVulnerability 14 security vulnerabilities affecting Vulnerability-related.DiscoverVulnerability many models . The ranges affected Vulnerability-related.DiscoverVulnerability ( some as far back as 2012 ) are the BMW i Series , X Series , 3 Series , 5 Series and 7 Series , with a total of seven rated serious enough to be assigned CVE Vulnerability-related.DiscoverVulnerability numbers . The vulnerabilities are in in the Telematics Control Unit ( TCU ) , the Central Gateway Module , and Head Unit , across a range of interfaces including via GSM , BMW Remote Service , BMW ConnectedDrive , Remote Diagnosis , NGTP , Bluetooth , and the USB/OBD-II interfaces . Some require local access ( e.g . via USB ) to exploit but six including the Bluetooth flaw were accessible remotely , making them the most serious . Should owners worry that the flaws could be exploited Vulnerability-related.DiscoverVulnerability , endangering drivers and vehicles ? On the basis of the technical description , that seems unlikely , although Keen Lab won ’ t release the full proof-of-concept code until 2019 . Keen Lab described the effect of its hacking as allowing it to carry out : The execution of arbitrary , unauthorized diagnostic requests of BMW in-car systems remotely . To which BMW responded : BMW Group has already implemented security measures , which are currently being rolled out via over-the-air configuration updates . Additional security enhancements for the affected infotainment systems are being developed Vulnerability-related.PatchVulnerability and will be available Vulnerability-related.PatchVulnerability as software updates for customers . In other words , some fixes have already been made Vulnerability-related.PatchVulnerability , while others will be made Vulnerability-related.PatchVulnerability between now and early 2019 , potentially requiring a trip to a service centre . Full marks to BMW for promptly responding to the research but the press release issued Vulnerability-related.PatchVulnerability in its wake reads like PR spin . To most outsiders , this is a case of Chinese white hats finding Vulnerability-related.DiscoverVulnerability vulnerabilities in BMW ’ s in-car systems . To BMW , judging by the triumphant language of its press release , it ’ s as if this was the plan all along , right down to awarding Keen Lab the “ first-ever BMW Group Digitalization and IT Research Award. ” More likely , car makers are being caught out by the attention their in-car systems are getting from researchers , with Volkswagen Audi Group experiencing some of the same discomfort a couple of weeks ago at the hands of Dutch researchers . BMW has experienced this before too – three years ago it suffered Vulnerability-related.DiscoverVulnerability an embarrassing security flaw in its car ConnectedDrive software door-locking systems . Let ’ s not feel too sorry for the car makers because it ’ s the owners who face the biggest adjustment to their expectations – software flaws and patching Vulnerability-related.PatchVulnerability are no longer just for computers .

AMD has acknowledged Vulnerability-related.DiscoverVulnerability the Ryzenfall vulnerabilities discovered Vulnerability-related.DiscoverVulnerability by CTS-Labs , though the chip company believes the flaws can be patched Vulnerability-related.PatchVulnerability via BIOS updates issued Vulnerability-related.PatchVulnerability over the next few weeks . In a blog post authored by AMD ’ s chief technical officer , Mark Papermaster , AMD confirmed that the four broad classifications of attacks—Masterkey , Ryzenfall , Fallout , and Chimera—are viable , though they require administrative access to the PC or server in question . Third-party protection , such as Microsoft Windows Credential Guard , also serve to block unauthorized administrative access , Papermaster wrote . In any event , “ any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research , ” AMD ’ s Papermaster added . But AMD also provided the answer to consumers ’ most pressing question : What , if anything , needs to be done ? For each of the first three classifications of vulnerabilities , AMD said it is working on firmware updates that the company plans to release Vulnerability-related.PatchVulnerability during the coming weeks . The fourth category of vulnerability , known as Chimera , affected Vulnerability-related.DiscoverVulnerability the Promontory chipset , which CTS-Labs said was designed with logic supplied by ASMedia , a third-party vendor . While AMD said patches for that will also be released Vulnerability-related.PatchVulnerability via a BIOS update , the company said it is working with the Promontory chipset maker on developing Vulnerability-related.PatchVulnerability the mitigations , rather than supplying its own . AMD has neither confirmed nor denied whether the attacks can be executed remotely , or require local access . AMD did deny , however , that the attacks have anything to do with Meltdown or Spectre , the two side-channel attacks that rival Intel has worked to patch Vulnerability-related.PatchVulnerability . About a week ago , CTS-Labs issued a press release as well as a website outlining the vulnerabilities , which the company provided to AMD less than 24 hours before CTS-Labs went public , AMD said . But CTS-Labs also drew fire over boilerplate copy on its website that implied a potential financial interest in the subjects of its reports . PCWorld attempted to interview CTS executives , but later rescinded that request after CTS-Labs representatives demanded a list of questions in advance , and also forbade us from asking about the timing and the company ’ s financial motivations . In the meantime , however , the vulnerabilities were confirmed Vulnerability-related.DiscoverVulnerability by two independent researchers , Trail of Bits and Check Point . Both expressed doubts that attackers would be able to exploit the vulnerabilities that CTS-Labs had originally discovered Vulnerability-related.DiscoverVulnerability .

The ransomware is linked to a leaked vulnerability originally kept by the National Security Agency . Major corporations across the world have been hit Attack.Ransom by a wave of ransomware attacks Attack.Ransom that encrypt computers and then demand Attack.Ransom that users pay Attack.Ransom $ 300 to a bitcoin address to restore access . While countries across Europe — the United Kingdom , Ukraine , Spain and France , to name a few — were hit hardest by the outbreak , the virus has now spread to the United States . Today , one of the largest drug makers in the U.S. , Merck , reported being infected by the malware , as did the multinational law firm DLA Piper , which counts more than 20 offices in the U.S. Heritage Valley Health Systems , a health care network that runs two hospitals in Western Pennsylvania , also confirmed in a statement to Recode on Tuesday that it was a victim of the same ransomware attack Attack.Ransom that has spread around the globe . At least one surgery had to be postponed because of the hack , according to a woman interviewed by Pittsburgh Action News 4 . The malware , which has been dubbed NotPetya , has been confirmed by multiple security firms to resemble the WannaCry ransomware attack Attack.Ransom , which in May infected hundreds of thousands of computers by taking advantage of a National Security Agency hacking tool called Eternal Blue . That exploit was leaked last April by a hacker or group of hackers called ShadowBrokers . Eternal Blue takes advantage of a vulnerability in the Windows operating system , for which Microsoft issued Vulnerability-related.PatchVulnerability a patch earlier this year . Not all Windows users installed the update — hence one of the reasons WannaCry was able to spread . “ Our initial analysis found that the ransomware uses multiple techniques to spread , including one which was addressed Vulnerability-related.PatchVulnerability by a security update previously provided for all platforms from Windows XP to Windows 10 , ” Microsoft said in a statement to Recode . Microsoft further advised users to exercise caution when opening files in emails from unknown sources , since malware is often spread through email attachments . Microsoft also noted that its antivirus software is capable of detecting and removing the ransomware . Ukraine appears to have been the country most affected by today ’ s ransomware outbreak , according to a chart shared in a tweet by Costin Raiu , the director of a global research team with Kaspersky Lab .

Adobe has resolved Vulnerability-related.PatchVulnerability 11 security flaws in this month 's patch update on the heels of a far larger security round last month in which over a hundred bugs were squashed Vulnerability-related.PatchVulnerability . The patch release impacts Vulnerability-related.PatchVulnerability Adobe Flash , Acrobat and Reader , Experience Manager , and Creative Cloud . Two of the vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability in the release are described Vulnerability-related.DiscoverVulnerability as critical and affect Vulnerability-related.DiscoverVulnerability Acrobat and Reader . In July , Adobe issued Vulnerability-related.PatchVulnerability a security update which patched Vulnerability-related.PatchVulnerability a total of 112 vulnerabilities . The majority of bugs were uncovered Vulnerability-related.DiscoverVulnerability in Adobe Acrobat , but a critical code execution flaw was also resolved Vulnerability-related.PatchVulnerability in Adobe Flash . The critical bugs in this release impact Vulnerability-related.DiscoverVulnerability Adobe Acrobat 2017 , Acrobat DC , and Acrobat Reader DC on Windows and macOS machines . The tech giant says Vulnerability-related.DiscoverVulnerability that exploitation of the security flaws , an out of bounds write issue ( CVE-2018-12808 ) and an untrusted pointer dereference problem ( CVE-2018-12799 ) can lead to arbitrary code execution . The vulnerabilities resolved Vulnerability-related.PatchVulnerability include five bugs in Adobe Flash . An out of bounds read flaw ( CVE-2018-12824 ) , a security bypass error ( CVE-2018-12825 ) , two information disclosure vulnerabilities ( CVE-2018-12826 , CVE-2018-12827 ) , and a privilege escalation flaw ( CVE-2018-12828 ) have all been patched Vulnerability-related.PatchVulnerability . A reflected cross-site scripting flaw ( CVE-2018-12806 ) , input validation bypass ( CVE-2018-12807 ) , and cross-site scripting ( XSS ) bug ( CVE-2018-5005 ) have been patched Vulnerability-related.PatchVulnerability in Adobe Experience Manager versions 6.0 -- 6.4 on all platforms . If exploited Vulnerability-related.DiscoverVulnerability , the security flaws can facilitate sensitive information disclosure and data modification . In addition , a single bug in Adobe Creative Cloud Desktop affecting Vulnerability-related.DiscoverVulnerability versions 4.5.0.324 and earlier versions on Windows systems has been resolved Vulnerability-related.PatchVulnerability . The DLL hijacking vulnerability ( CVE-2018-5003 ) can be exploited Vulnerability-related.DiscoverVulnerability in order for an attacker to escalate privileges on an account . Adobe recommends that users update their software as quickly as possible . Researchers from Trend Micro 's Zero Day Initiative , Palo Alto Networks , Google Project Zero , TenCent , and Cognizant Technology Solutions , among others , were thanked for reporting Vulnerability-related.DiscoverVulnerability the bugs . On Tuesday , Microsoft 's latest round of patches tackled Vulnerability-related.PatchVulnerability a total of 60 vulnerabilities , 19 of which were deemed critical . Two severe security flaws resolved Vulnerability-related.PatchVulnerability in the update are zero-day vulnerabilities which are being actively exploited Vulnerability-related.DiscoverVulnerability in the wild .

Troubled browser has once again come under attack , with flaw discovered Vulnerability-related.DiscoverVulnerability in multiple versions of Internet Explorer . Microsoft has been forced to issue Vulnerability-related.PatchVulnerability an emergency security patch for its Internet Explorer browser . The release came after Google security engineer Clement Lecigne uncovered Vulnerability-related.DiscoverVulnerability a critical vulnerability in several versions of Microsoft 's browser , and could have been activated simply by directing users to a malicious website The flaw , known as CVE-2018-8653 , affects Vulnerability-related.DiscoverVulnerability Internet Explorer 9 , 10 and 11 , with the update issued Vulnerability-related.PatchVulnerability to Windows 7 , 8.1 and 10 versions , as well as Windows Server 2008 , 2012 , 2016 and 2019 . `` A remote code execution vulnerability exists in Vulnerability-related.DiscoverVulnerability the way that the scripting engine handles objects in memory in Internet Explorer , '' Microsoft stated in its support document for the threat . `` The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user . '' The company has issued Vulnerability-related.PatchVulnerability a fix for the flaw now , outside of its typical Patch Tuesday security cycle , signifying it is a significant threat and should be patched Vulnerability-related.PatchVulnerability immediately . Microsoft has gradually retired Internet Explorer from public view over the past few years as it focuses on its newer browser Edge , with only customised versions available to certain business users . The company may also be about to pull the plug on Edge as well , with report recently confirming Microsoft is set to introduce a new browser built on Google 's Chromium platform .

Microsoft issued Vulnerability-related.PatchVulnerability numerous bug fixes on its most recent Patch Tuesday , but according to the security firm 0patch , there were issues with one of the flaws for a critical vulnerability . The vulnerability in question Vulnerability-related.DiscoverVulnerability , ( CVE-2018-8423 ) , is a memory corruption vulnerability that exists in Vulnerability-related.DiscoverVulnerability the Jet Database Engine that , when exploited Vulnerability-related.DiscoverVulnerability , allows for remote code execution . 0patch noticed that the patch Microsoft had issued Vulnerability-related.PatchVulnerability was flawed as a result of studying the official patch of the Jet Database Engine and a “ micropatch ” that the security researchers had created for the same flaw . They explain this revelation as follows : As expected , the update brought a modified msrd3x40.dll binary : this is the binary with the vulnerability , which we had micropatched with 4 CPU instructions ( one of which was just for reporting purposes ) . The version of msrd3x40.dll changed from 4.0.9801.0 to 4.0.9801.5 and of course , its cryptographic hash also changed - which resulted in our micropatch for this issue no longer getting applied to msrd3x40.dll . So far so good , but the problems became glaring once further analysis began : We BinDiff-ed the patched msrd3x40.dll to its vulnerable version and reviewed the differences . At this point we will only state that we found the official fix to be slightly different to our micropatch , and unfortunately in a way that only limited the vulnerability instead of eliminating it . We promptly notified Microsoft about it and will not reveal further details or proof-of-concept until they issue Vulnerability-related.PatchVulnerability a correct fix . It may be a little frustrating to not know what the problem is from a tech journalist ’ s perspective , but as I am also an “ ethical ” hacker , I totally understand the lack of disclosure on the part of both Microsoft and 0patch . If the flaw is not public knowledge and has not been patched Vulnerability-related.PatchVulnerability , it makes no sense to hand a cybercriminal the keys to Windows user ’ s machines . What this story shows is how vital the relationship between third-party security researchers and vendors . Without the due diligence of first Trend Micro ’ s ZDI discovering Vulnerability-related.DiscoverVulnerability the original flaw , and then 0patch uncovering Vulnerability-related.DiscoverVulnerability the secondary flaw in the patch , Microsoft and their customers would be exposed to hackers with bad intentions .

Cisco Systems this week issued Vulnerability-related.PatchVulnerability an update for its Adaptive Security Appliance ( ASA ) software , fixing Vulnerability-related.PatchVulnerability a high-severity vulnerability that could allow authenticated attackers with low-level access to remotely escalate their privileges on Cisco devices with web management access enabled . Designated CVE-2018-15465 , the flaw is the result of an improper validation process while using the web management interface . “ An attacker could exploit this vulnerability by sending specific HTTP requests via HTTPS to an affected device as an unprivileged user , ” states a Dec. 19 Cisco security advisory . “ An exploit could allow the attacker to retrieve files ( including the running configuration ) from the device or to upload and replace software images on the device. ” The cybersecurity firm Tenable , whose researchers discovered Vulnerability-related.DiscoverVulnerability the bug , explained its findings in further detail in a Dec 19 blog post . “ When command authorization is not enabled , an authenticated remote unprivileged ( level 0 or 1 ) user can change or download the running configuration as well as upload or replace the appliance firmware , ” wrote blog author and Tenable technical support engineer Ryan Seguin . “ Downgrading appliance firmware to an older version would allow an attacker to leverage known vulnerabilities that have been well researched or have publicly available exploit modules. ” “ Enabling command authorization prevents exploitation of this vulnerability , ” notes the Cisco advisory , although “ administrators should not enable command authorization using the AAA authorization command ” until they have defined “ which actions are allowed per privilege level using the privilege command in global configuration mode. ” Cisco adds Vulnerability-related.PatchVulnerability the AAA configuration must be “ accurate and complete ” in order for the software fix to properly take effect .

Cisco has released Vulnerability-related.PatchVulnerability a new patch designed to fix Vulnerability-related.PatchVulnerability a failed update which has not prevented the exploit of a severe Webex vulnerability . The original security flaw , CVE-2018-15442 , is present in Vulnerability-related.DiscoverVulnerability the Cisco Webex Meetings Desktop App for Windows and is described Vulnerability-related.DiscoverVulnerability as a bug which `` could allow an authenticated , local attacker to execute arbitrary commands as a privileged user . '' Cisco 's original security update was published Vulnerability-related.PatchVulnerability in October in order to remedy Vulnerability-related.PatchVulnerability the flaw , in which a lack of validation for user-supplied parameters in the app could be harnessed to exploit the bug . If an attacker is successful in utilizing the vulnerability , they can force the app to run arbitrary commands with user privileges . `` While the CVSS Attack Vector metric denotes the requirement for an attacker to have local access , administrators should be aware that in Active Directory deployments , the vulnerability could be exploited Vulnerability-related.DiscoverVulnerability remotely by leveraging the operating system remote management tools , '' the company added . Software releases prior to 33.6.4 -- alongside Cisco Webex Productivity Tools Releases 32.6.0 and later prior to 33.0.6 -- are impacted on Windows systems . It was not long after the release Vulnerability-related.PatchVulnerability of the first patch that researchers from SecureAuth deemed the original fix incomplete . The original patch only forced the service to run files signed by Webex , but failed to account for DLL-based attacks , according to the team . `` The vulnerability can be exploited Vulnerability-related.DiscoverVulnerability by copying to a local attacker controller folder , the ptUpdate.exe binary , '' the researchers said Vulnerability-related.DiscoverVulnerability in an advisory . `` Also , a malicious dll must be placed in the same folder , named wbxtrace.dll . To gain privileges , the attacker must start the service with the command line : sc start webexservice install software-update 1 `` attacker-controlled-path '' ( if the parameter 1 does n't work , then 2 should be used ) . '' These findings were sent to Cisco , which acknowledged the DLL attack method . A new patch was then issued Vulnerability-related.PatchVulnerability roughly a week after being informed Vulnerability-related.DiscoverVulnerability of the issue . `` After an additional attack method was reported to Cisco , the previous fix for this vulnerability was determined to be insufficient , '' Cisco says . `` A new fix was developed Vulnerability-related.PatchVulnerability , and the advisory was updated Vulnerability-related.PatchVulnerability on November 27 , 2018 , to reflect which software releases Vulnerability-related.PatchVulnerability include the complete fix . ''

A few days ago , Microsoft issued Vulnerability-related.PatchVulnerability an emergency patch for Internet Explorer to fix Vulnerability-related.PatchVulnerability a zero-day vulnerability in the web browser . The problem affects Vulnerability-related.DiscoverVulnerability versions of Internet Explorer from 9 to 11 across multiple versions of Windows , but it seems that the patch has been causing problems for many people . Specifically , people with some Lenovo laptops have found that after installing Vulnerability-related.PatchVulnerability the KB4467691 patch they are unable to start Windows . When the patch was released Vulnerability-related.PatchVulnerability , it was known that there were a few issues with older versions of Windows 10 -- for example , problems with the .NET framework , and with web links in the Start menu . But since the initial release , Microsoft has updated Vulnerability-related.PatchVulnerability the patch page to indicate Vulnerability-related.DiscoverVulnerability a further potential problem with some Lenovo laptops : After installing KB4467691 , Windows may fail to startup on certain Lenovo laptops that have less than 8 GB of RAM . The company goes on to suggest a couple of possible workarounds for those running into issues : Restart the affected machine using the Unified Extensible Firmware Interface ( UEFI ) . Disable Secure Boot and then restart . If BitLocker is enabled on your machine , you may have to go through BitLocker recovery after Secure Boot has been disabled . Microsoft says that it is `` working with Lenovo and will provide Vulnerability-related.PatchVulnerability an update in an upcoming release '' .

Microsoft rolled out Vulnerability-related.PatchVulnerability 60 patches for its Patch Tuesday release , impacting 19 critical flaws and 39 important flaws . Microsoft has rolled out Vulnerability-related.PatchVulnerability its August Patch Tuesday fixes , addressing Vulnerability-related.PatchVulnerability 19 critical vulnerabilities , including fixes for two zero-day vulnerabilities that are under active attack . Overall , the company patched Vulnerability-related.PatchVulnerability a total of 60 flaws , spanning Microsoft Windows , Edge , Internet Explorer ( IE ) , Office , .NET Framework , ChakraCore , Exchange Server , Microsoft SQL Server and Visual Studio . Of those , 19 were critical , 39 were rated important , one was moderate and one was rated low in severity . The patch release includes two exploited flaws , CVE-2018-8373 and CVE-2018-8414 , which were previously disclosed Vulnerability-related.DiscoverVulnerability by researchers . The first zero-day , CVE-2018-8373 , could result in remote code-execution ( RCE ) and grants the same privileges as a logged-in user , including administrative rights . The vulnerability exists in Vulnerability-related.DiscoverVulnerability IE 9 , 10 and 11 , impacting Vulnerability-related.DiscoverVulnerability all Windows operating systems from Server 2008 to Windows 10 . Meanwhile , CVE-2018-8414 also enables RCE with the privileges of the logged-in user , and exists on Vulnerability-related.DiscoverVulnerability Windows 10 versions 1703 and newer , as well as Server 1709 and Server 1803 . “ The two zero-day vulnerabilities are … publicly disclosed Vulnerability-related.DiscoverVulnerability and exploited Vulnerability-related.DiscoverVulnerability , ” said Chris Goettl , director of product management , security , for Ivanti , in an email . “ CVE-2018-8373 is a vulnerability that exists in Vulnerability-related.DiscoverVulnerability the way that the scripting engine handles objects in memory in Internet Explorer . CVE-2018-8414 code-execution vulnerability exists Vulnerability-related.DiscoverVulnerability when the Windows Shell does not properly validate file paths. ” Microsoft also issued Vulnerability-related.PatchVulnerability fixes for security issues that don ’ t impact Windows , but the company thought they were important enough to package into its OS updates , dubbed advisories . Microsoft ’ s Patch Tuesday comes after the company found itself in hot water last month after its new update model caused stability issues for Windows operating systems and applications , particularly in July . The model irked customers so much that enterprise patching veteran Susan Bradley wrote an open letter to Microsoft executives expressing the “ dissatisfaction your customers have with the updates released Vulnerability-related.PatchVulnerability for Windows desktops and servers in recent months . ”

SEATTLE — When malicious software first became a serious problem on the internet about 15 years ago , most people agreed that the biggest villain , after the authors of the damaging code , was Microsoft . As a new cyberattack continues to sweep across the globe , the company is once again at the center of the debate over who is to blame for a vicious strain of malware demanding ransom Attack.Ransom from victims in exchange for the unlocking of their digital files . This time , though , Microsoft believes others should share responsibility for the attack , an assault that targeted flaws in the Windows operating system . On Sunday , Brad Smith , Microsoft ’ s president and chief legal officer , wrote a blog post describing the company ’ s efforts to stop the ransomware ’ s spread , including an unusual step it took to release Vulnerability-related.PatchVulnerability a security update for versions of Windows that Microsoft no longer supports . Mr. Smith wrote , “ As a technology company , we at Microsoft have the first responsibility to address Vulnerability-related.PatchVulnerability these issues. ” He went on , though , to emphasize that the attack had demonstrated the “ degree to which cybersecurity has become a shared responsibility between tech companies and customers , ” the latter of whom must update their systems if they want to be protected . He also pointed his finger at intelligence services , since the latest vulnerability appeared to have been leaked from the National Security Agency . On Monday , a Microsoft spokesman declined to comment beyond Mr. Smith ’ s post . Microsoft has recognized the risk that cybersecurity poses to it since about 2002 , when Bill Gates , the former chief executive , issued a call to arms inside the company after a wave of malicious software began infecting Windows PCs connected to the internet . “ As software has become ever more complex , interdependent and interconnected , our reputation as a company has in turn become more vulnerable , ” Mr. Gates wrote in an email to employees identifying trustworthy computing as Microsoft ’ s top priority . “ Flaws in a single Microsoft product , service or policy not only affect Vulnerability-related.DiscoverVulnerability the quality of our platform and services overall , but also our customers ’ view of us as a company. ” Since then , the company has poured billions of dollars into security initiatives , employing more than 3,500 engineers dedicated to security . In March , it released Vulnerability-related.PatchVulnerability a software patch that addressed Vulnerability-related.PatchVulnerability the vulnerability exploited by the ransomware , known as WannaCry , protecting systems such as Windows 10 , its latest operating system . Yet security flaws in older editions of Windows persist . The company no longer provides Vulnerability-related.PatchVulnerability regular software updates to Windows XP , a version first released in 2001 , unless customers pay for “ custom support , ” a practice some observers believe has put users at risk . Late Friday , Microsoft took the unusual step of making patches Vulnerability-related.PatchVulnerability that protect older systems against WannaCry , including Windows XP , free . “ Companies like Microsoft should discard the idea that they can abandon people using older software , ” Zeynep Tufekci , an associate professor at the school of information and library science at the University of North Carolina , wrote in a New York Times opinion piece over the weekend . “ The money they made from these customers hasn ’ t expired ; neither has their responsibility to fix defects. ” But security experts challenged that argument , saying that Microsoft could not be expected to keep updating old software products indefinitely . Providing Vulnerability-related.PatchVulnerability updates to older systems could make computers more insecure by removing an incentive for users to modernize , Mikko Hypponen , the chief research officer of F-Secure , a security firm . “ I can understand why they issued Vulnerability-related.PatchVulnerability an emergency patch for XP after WannaCry was found , but in general , we should just let XP die , ” Mr. Hypponen said .