all in-display fingerprint sensors – that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack – has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent’s Xuanwu Lab, which is credited for first identifying the flaw earlier this year.

“During our research on this, we found all the in-display fingerprint sensor module suffer the same problem no matter where it was manufactured by whatever vendors,” said Yang Yu, a researcher at Xuanwu Lab. “This vulnerability is a design fault of in-display fingerprint sensors.”

Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors, said Yu. That includes current models of Huawei Technologies’ Porsche Design Mate RS and Mate 20 Pro model phones. Yu said that many more cellphone manufacturers are impacted by the issue. However, Yu would not specify other impacted vendors or models: “Vendors differ greatly in the attitude to security issues, someone have open attitudes, like Huawei, and in contrast, some vendors strongly hope us to keep the voice down on this,” he told Threatpost. He noted Huawei has been forthcoming, issuing patches to address the issue.

Other phones that use the feature include Vivo Communication Technology’s V11 Pro, X21 and Nex; and OnePlus’ 6T and Xiaomi Mi 8 Explorer Edition phones. Vivo, OnePlus and Xiaomi did not respond to requests for comment from Threatpost.
In-display fingerprint readers based on optical fingerprint imaging, experts believe, will soon replace conventional authentication based on capacitance-sensor fingerprint scanners. In-display readers allow for a user to place a finger on the screen of a smartphone where a scanner from behind the display can verify a fingerprint, authenticate the user and unlock the phone. Design-wise, the feature allows phones to be sleeker and less cluttered, supporting infinity displays. Usability advantages include the ability to unlock the phone simply by placing your finger on the phone’s screen at any angle, whether it’s sitting on a table or in a car mount.

The vulnerability, which Huawei issued a patch (CVE-2018-7929) for in September, can be exploited in a matter of seconds, researchers said. In an exclusive interview with Threatpost on the flaw, Yu said all an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil. By placing the reflective material over a residual fingerprint on the phone’s display, the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint.
The 'WannaCrypt' ransomware has been a worldwide dilemma, impacting many countries. Luckily, the malware only impacts older versions of Microsoft's operating system -- Windows 10 is not vulnerable. Also immune to WannaCrypt are macOS and Linux distributions. Unfortunately, many people run older versions of Windows, but Microsoft has been very active in issuing patches for them -- including for the now-unsupported XP.

Patches aside, security software can protect vulnerable computers too. In fact, today, Symantec announces that it has successfully blocked almost 22 million WannaCrypt attacks. The company even leveraged machine learning in its fight against the ransomware.

The company explains that it "blocked nearly 22 million WannaCry infection attempts across 300,000 endpoints, providing full protection for Symantec customers through its advanced exploit protection technology. The WannaCry ransomware attacks targeted and affected users in various countries across the globe by encrypting data files on infected computers and demanding users pay a $300 USD ransom in bitcoin to decrypt their files. The protection of Symantec customers was enabled in part due to the integration of real-time threat intelligence shared across both Symantec Endpoint Protection and the Blue Coat ProxySG, which provided real-time threat awareness across the endpoint, network and cloud."

Mike Fey, president and chief operating officer at Symantec, explains, "The WannaCry ransomware attack is the largest we've ever seen of its kind and we're pleased to share that Symantec customers benefited from multiple layers of protection even before it happened, through innovations and new capabilities in our Integrated Cyber Defense Platform.
Our proactive network protection and advanced machine learning technologies provided real-time, zero-day, protection for all SEP and Norton customers when WannaCry was released last week. And, our Global Intelligence Network automatically shares WannaCry intelligence between Symantec endpoint, email and Blue Coat network products, providing full protection across all control points, including the cloud."

While Symantec's announcement highlights the importance of security software for both home and business users, it shouldn't distract from the fact that it is also imperative to apply operating system updates in a timely manner. Also important is using supported software. Yes, Microsoft patched the unsupported Windows XP, but that OS should really not even be in use anymore.