The chipmaker says the patches will arrive Vulnerability-related.PatchVulnerability within a few weeks and AMD device owners shouldn ’ t worry about the reported flaws Vulnerability-related.DiscoverVulnerability . AMD is addressing Vulnerability-related.PatchVulnerability several vulnerabilities discovered Vulnerability-related.DiscoverVulnerability in its Ryzen and EPYC chips , and rolling out Vulnerability-related.PatchVulnerability updates for millions of devices `` in the coming weeks . '' The 13 vulnerabilities came to public Vulnerability-related.DiscoverVulnerability attention clouded in controversy . The security company CTS Labs gave AMD less than 24 hours notice before releasing the information to the public . Standard vulnerability disclosure Vulnerability-related.DiscoverVulnerability practices call for giving companies at least 90 days ' notice so they can fix Vulnerability-related.PatchVulnerability the flaws before researchers go public Vulnerability-related.DiscoverVulnerability and hackers can start causing trouble . Had CTS Labs given AMD that same courtesy , the issues would have been addressed Vulnerability-related.PatchVulnerability within a week of the notification . `` Each of the issues cited can be mitigated Vulnerability-related.PatchVulnerability through firmware patches and a standard BIOS update , which we plan to release Vulnerability-related.PatchVulnerability in the coming weeks , '' said Sarah Youngbauer , AMD 's senior spokeswoman . `` We believe this provides a good example of why the more standard 90-day notification window for such notifications exist . '' In the original vulnerability report Vulnerability-related.DiscoverVulnerability , CTS Labs said that it would take `` several months '' to fix Vulnerability-related.PatchVulnerability the issues and that some hardware flaws `` cannot be fixed Vulnerability-related.PatchVulnerability . '' AMD disagreed with that timeline , and said it would provide more information in several weeks . The chipmaker said the issues were not with its hardware , but with firmware , or software that 's embedded in hardware . It 'll be sending Vulnerability-related.PatchVulnerability fixes for all 13 vulnerabilities through patches and BIOS updates . According to AMD 's technical assessment , each of the flaws required administrative access . `` Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research , '' Papermaster said in a statement . Critics also took issue with another aspect of the CTS Labs report , pointing out the legal disclaimer on the company 's website : `` You are advised that we may have , either directly or indirectly , an economic interest in the performance of the securities of the companies whose products are the subject of our reports . '' Last Wednesday , CTS Labs ' chief financial officer and co-founder , Yaron Luk-Zilberman , a former hedge fund manager , said it did n't have `` any investment ( long or short ) in Intel or AMD . ''

MWR Labs researchers recently disclosed Vulnerability-related.DiscoverVulnerability two high-security vulnerabilities in LG G3 , G4 , and G5 mobile devices . The bugs include a Path Transversal flaw and an Arbitrary File Disclosure flaw , according to the respective security advisories . The Path Transversal flaw was caused by the application not validating that URL parameters did not contain potentially malicious characters and could allow an attacker on the same network as a user to make any media file or folder shareable without authentication or user interaction . The Arbitrary File Disclosure flaw was caused by the SmartShare.Cloud application launching an unauthenticated HTTP Server listening on all interfaces while connected to a WiFi network and could allow an attacker to retrieve any media file from the Cloud storage of the victim as long as they knew the file name . Users are encouraged to ensure their devices are updated Vulnerability-related.PatchVulnerability to the latest versions as Version 2.4.0 has mitigated Vulnerability-related.PatchVulnerability the issues

The industrial company on Tuesday released Vulnerability-related.PatchVulnerability mitigations for eight vulnerabilities overall . Siemens AG on Tuesday issued Vulnerability-related.PatchVulnerability a slew of fixes addressing Vulnerability-related.PatchVulnerability eight vulnerabilities spanning its industrial product lines . The most serious of the patched flaws include a cross-site scripting vulnerability in Siemens ’ SCALANCE firewall product . The flaw could allow an attacker to gain unauthorized access Attack.Databreach to industrial networks and ultimately put operations and production at risk . The SCALANCE S firewall is used to protect secure industrial networks from untrusted network traffic , and allows filtering incoming and outgoing network connections in different ways . Siemens S602 , S612 , S623 , S627-2M SCALANCE devices with software versions prior to V4.0.1.1 are impacted Vulnerability-related.DiscoverVulnerability . Researchers with Applied Risk , who discovered Vulnerability-related.DiscoverVulnerability the flaw , said Vulnerability-related.DiscoverVulnerability that vulnerability exists in Vulnerability-related.DiscoverVulnerability the web server of the firewall software . An attacker can carry out the attack by crafting Attack.Phishing a malicious link and tricking Attack.Phishing an administrator – who is logged into the web server – to click that link . Once an admin does so , the attacker can execute commands on the web server , on the administrator ’ s behalf . “ The integrated web server allows a cross-site scripting attack if an administrator is misled Attack.Phishing into accessing a malicious link , ” Applied Risk researcher Nelson Berg said in Vulnerability-related.DiscoverVulnerability an analysis Vulnerability-related.DiscoverVulnerability of the flaw . “ Successful exploitation may lead to the ability to bypass critical security measures provided by the firewall. ” Exploitation of this vulnerability could ultimately enable threat actors to bypass critical security functions provided by the firewall , potentially providing access to industrial networks and putting operations and production at risk . The vulnerability , CVE-2018-16555 , has a CVSS score which Applied Risk researcher calculates Vulnerability-related.DiscoverVulnerability to be 8.2 ( or high severity ) . That said , researchers said Vulnerability-related.DiscoverVulnerability a successful exploit is not completely seamless and takes some time and effort to carry out – for an attacker to exploit the flaw , user interaction is required and the administrator must be logged into the web interface . Researchers said Vulnerability-related.DiscoverVulnerability that no exploit of the vulnerability has been discovered Vulnerability-related.DiscoverVulnerability thus far . Siemens addressed Vulnerability-related.PatchVulnerability the reported vulnerability by releasing Vulnerability-related.PatchVulnerability a software update ( V4.0.1.1 ) and also advised customers to “ only access links from trusted sources in the browser you use to access the SCALANCE S administration website. ” The industrial company also released Vulnerability-related.PatchVulnerability an array of fixes for other vulnerabilities on Tuesday . Overall , eight advisories were released by the US CERT . Another serious vulnerability ( CVE-2018-16556 ) addressed Vulnerability-related.PatchVulnerability was an improper input validation flaw in certain Siemens S7-400 CPUs . Successful exploitation of these vulnerabilities could crash the device being accessed which may require a manual reboot or firmware re-image to bring the system back to normal operation , according to the advisory . “ Specially crafted packets sent to Port 102/TCP via Ethernet interface , via PROFIBUS , or via multi-point interfaces ( MPI ) could cause the affected devices to go into defect mode . Manual reboot is required to resume normal operation , ” according to US Cert . An improper access control vulnerability that is exploitable Vulnerability-related.DiscoverVulnerability remotely in Siemens IEC 61850 system configurator , DIGSI 5 , DIGSI 4 , SICAM PAS/PQS , SICAM PQ Analyzer , and SICAM SCC , was also mitigated Vulnerability-related.PatchVulnerability . The vulnerability , CVE-2018-4858 , has a CVSS of 4.2 and exists in Vulnerability-related.DiscoverVulnerability a service of the affected products listening on all of the host ’ s network interfaces on either Port 4884/TCP , Port 5885/TCP , or Port 5886/TCP . The service could allow an attacker to either exfiltrate Attack.Databreach limited data from the system or execute code with Microsoft Windows user permissions . Also mitigated Vulnerability-related.PatchVulnerability were an improper authentication vulnerability ( CVE-2018-13804 ) in SIMATIC IT Production Suite and a code injection vulnerability ( CVE-2018-13814 ) in SIMATIC Panels and SIMATIC WinCC that could allow an attacker with network access to the web server to perform a HTTP header injection attack .

The industrial company on Tuesday released Vulnerability-related.PatchVulnerability mitigations for eight vulnerabilities overall . Siemens AG on Tuesday issued Vulnerability-related.PatchVulnerability a slew of fixes addressing Vulnerability-related.PatchVulnerability eight vulnerabilities spanning its industrial product lines . The most serious of the patched flaws include a cross-site scripting vulnerability in Siemens ’ SCALANCE firewall product . The flaw could allow an attacker to gain unauthorized access Attack.Databreach to industrial networks and ultimately put operations and production at risk . The SCALANCE S firewall is used to protect secure industrial networks from untrusted network traffic , and allows filtering incoming and outgoing network connections in different ways . Siemens S602 , S612 , S623 , S627-2M SCALANCE devices with software versions prior to V4.0.1.1 are impacted Vulnerability-related.DiscoverVulnerability . Researchers with Applied Risk , who discovered Vulnerability-related.DiscoverVulnerability the flaw , said Vulnerability-related.DiscoverVulnerability that vulnerability exists in Vulnerability-related.DiscoverVulnerability the web server of the firewall software . An attacker can carry out the attack by crafting Attack.Phishing a malicious link and tricking Attack.Phishing an administrator – who is logged into the web server – to click that link . Once an admin does so , the attacker can execute commands on the web server , on the administrator ’ s behalf . “ The integrated web server allows a cross-site scripting attack if an administrator is misled Attack.Phishing into accessing a malicious link , ” Applied Risk researcher Nelson Berg said in Vulnerability-related.DiscoverVulnerability an analysis Vulnerability-related.DiscoverVulnerability of the flaw . “ Successful exploitation may lead to the ability to bypass critical security measures provided by the firewall. ” Exploitation of this vulnerability could ultimately enable threat actors to bypass critical security functions provided by the firewall , potentially providing access to industrial networks and putting operations and production at risk . The vulnerability , CVE-2018-16555 , has a CVSS score which Applied Risk researcher calculates Vulnerability-related.DiscoverVulnerability to be 8.2 ( or high severity ) . That said , researchers said Vulnerability-related.DiscoverVulnerability a successful exploit is not completely seamless and takes some time and effort to carry out – for an attacker to exploit the flaw , user interaction is required and the administrator must be logged into the web interface . Researchers said Vulnerability-related.DiscoverVulnerability that no exploit of the vulnerability has been discovered Vulnerability-related.DiscoverVulnerability thus far . Siemens addressed Vulnerability-related.PatchVulnerability the reported vulnerability by releasing Vulnerability-related.PatchVulnerability a software update ( V4.0.1.1 ) and also advised customers to “ only access links from trusted sources in the browser you use to access the SCALANCE S administration website. ” The industrial company also released Vulnerability-related.PatchVulnerability an array of fixes for other vulnerabilities on Tuesday . Overall , eight advisories were released by the US CERT . Another serious vulnerability ( CVE-2018-16556 ) addressed Vulnerability-related.PatchVulnerability was an improper input validation flaw in certain Siemens S7-400 CPUs . Successful exploitation of these vulnerabilities could crash the device being accessed which may require a manual reboot or firmware re-image to bring the system back to normal operation , according to the advisory . “ Specially crafted packets sent to Port 102/TCP via Ethernet interface , via PROFIBUS , or via multi-point interfaces ( MPI ) could cause the affected devices to go into defect mode . Manual reboot is required to resume normal operation , ” according to US Cert . An improper access control vulnerability that is exploitable Vulnerability-related.DiscoverVulnerability remotely in Siemens IEC 61850 system configurator , DIGSI 5 , DIGSI 4 , SICAM PAS/PQS , SICAM PQ Analyzer , and SICAM SCC , was also mitigated Vulnerability-related.PatchVulnerability . The vulnerability , CVE-2018-4858 , has a CVSS of 4.2 and exists in Vulnerability-related.DiscoverVulnerability a service of the affected products listening on all of the host ’ s network interfaces on either Port 4884/TCP , Port 5885/TCP , or Port 5886/TCP . The service could allow an attacker to either exfiltrate Attack.Databreach limited data from the system or execute code with Microsoft Windows user permissions . Also mitigated Vulnerability-related.PatchVulnerability were an improper authentication vulnerability ( CVE-2018-13804 ) in SIMATIC IT Production Suite and a code injection vulnerability ( CVE-2018-13814 ) in SIMATIC Panels and SIMATIC WinCC that could allow an attacker with network access to the web server to perform a HTTP header injection attack .

A security lapse at content distribution network provider Cloudflare that resulted in customer data being leaked Attack.Databreach publicly for several months was bad - but had the potential to be much worse . That 's Cloudflare 's initial postmortem conclusion after a twelve-day review of log data related to the breach Attack.Databreach . The review showed no evidence that attackers had exploited Vulnerability-related.DiscoverVulnerability the flaw prior to it being discovered Vulnerability-related.DiscoverVulnerability and patched Vulnerability-related.PatchVulnerability , Cloudflare CEO and founder Matthew Prince said in a blog Wednesday . A `` vast majority '' of Cloudflare 's customers also did not appear to have had any of their data leaked Attack.Databreach . Cloudflare ’ s inspection of tens of thousands of pages that were leaked Attack.Databreach from its reverse-proxy servers and cached by search engines revealed a `` large number '' of instances of internal Cloudflare cookies and headers . But so far , according to Prince , there ’ s no evidence that passwords , credit card numbers , and other personal data were compromised as was initially feared . The Cloudflare security snafu stemmed from the manner in which a stream parser application that the company uses to modify content passing through its edge servers handled HTTP requests . The bug caused the parser to read memory not only from the HTML page that was being actually parsed , but also from adjacent memory that contained data in response to HTTP requests made by other customers . The flaw was triggered only when pages with certain specific attributes were requested through Cloudflare ’ s CDN . `` If you had accessed one of the pages that triggered the bug you would have seen what likely looked like random text at the end of the page , '' Prince said . A lot of the leaked data ended up getting cached by search engines and Web scrapers . A security researcher from Google ’ s Project Zero threat hunting team alerted Vulnerability-related.DiscoverVulnerability Cloudfare to the bug last month . The company claimed it fixed Vulnerability-related.PatchVulnerability the problem in a matter of hours after being notified Vulnerability-related.DiscoverVulnerability of the problem . Some have compared the breach to Heartbleed and have even called it Cloudbleed . In his blog , Prince compared the threat posed by the bug to that posed by a stranger eavesdropping on a random conversation between two employees . Most of the time , the stranger would likely hear nothing of value , but occasionally might pick up Attack.Databreach something confidential . The same would have been true for a malicious attacker , who had somehow known about Vulnerability-related.DiscoverVulnerability the bug and exploited Vulnerability-related.DiscoverVulnerability it before Cloudflare ’ s fix Vulnerability-related.PatchVulnerability , he said . The customers most at risk of having their data exposed Attack.Databreach were those that sent the most requests through Cloudflare ’ s CDN . Cloudflare ’ s detailed postmortem and mea culpa evoked a mixed response from security experts . Ilia Kolochenko , CEO of Web security firm High-Tech Bridge praised Prince ’ s effort to be transparent about what went down . `` Even if we can not verify the accuracy of all the numbers inside – for the moment , I don ’ t have a valid reason to question either its content , or conclusion , '' Kolochenko says . In fact , until someone can come up with a credible rebuttal of Cloudflare ’ s internal investigation , it ’ s inappropriate to compare what happened at the company to Heartbleed . `` I ’ d say it ’ s inappropriate even to call this particular incident a 'Cloudbleed , ' '' he says . `` In the Heartbleed case , almost every company in the world , many software vendors including cybersecurity companies , were seriously impacted by the vulnerability . '' Heartbleed also resulted in multiple breaches Attack.Databreach and many organizations continue to be exposed Attack.Databreach to the threat . Neither of those situations applies to the Cloudflare security lapse . `` All avenues of Cloudflare ’ s vulnerability exploitation seems to be mitigated Vulnerability-related.PatchVulnerability by now , '' he says . But Kunal Anand , CTO of application security vendor Prevoty , says the details Cloudflare has shared are n't exactly reassuring . If no sensitive information like credit numbers and Social Security Numbers were leaked Attack.Databreach and the leaked dataset itself was relatively small , there is no reason why Cloudflare should n't share it with a third-party for an unbiased review , he says . `` CloudFlare needs to realize that HTTP headers , including cookies , contain sensitive information like session identifiers , authorization tokens and IP addresses , '' Anand says . `` All of these data points should count as private data . '' CloudFlare has been working with various search engines to purge their caches , but in the process , any evidence of the data that was leaked Attack.Databreach is being deleted as well . That makes it hard to quantify the scope of the data breach Attack.Databreach outside of CloudFlare 's own logs . `` There 's a lot of speculation if nation-state sponsored engines will actually purge the data or copy it for further analysis , '' Anand says .