security vulnerabilities, it should be clear by now that words only count when they're swiftly followed by actions. Ask peripherals maker Logitech, which last week became the latest company to find itself on the receiving end of an embarrassing public flaw disclosure by Google's Project Zero team. In September, Project Zero researcher Tavis Ormandy installed Logitech's Options application for Windows (available separately for Mac), used to customise buttons on the company's keyboards, mice, and touchpads. Pretty quickly, he noticed some problems with the application's design, starting with the fact that it… opens a websocket server on port 10134 that any website can connect to, and has no origin checking at all. Websockets simplify the communication between a client and a server and, unlike HTTP, make it possible for servers to send data to clients without first being asked to, which creates additional security risks. The only "authentication" is that you have to provide a pid [process ID] of a process owned by your user, but you get unlimited guesses so you can bruteforce it in microseconds. Ormandy claimed this might offer attackers a way of executing keystroke injection to take control of a Windows PC running the software. Within days of contacting Logitech, Ormandy says he had a meeting to discuss the vulnerability with its engineers on 18 September, who assured him they understood the problem. A new version of Options appeared on 1 October without a fix, although in fairness to Logitech that was probably too soon for any patch for Ormandy's vulnerability to be included.
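The two controls Ormandy found missing, an Origin check on the websocket handshake and a limit on authentication guesses, are easy to state but worth seeing in code. The following is an added example written for this article, not Logitech's or Project Zero's code: it parses a constructed HTTP upgrade request, rejects connections whose Origin header is not on an allowlist (browsers always send Origin on a websocket upgrade, so a local service meant only for its own UI can refuse everything else), and closes a connection after a handful of failed secret guesses instead of allowing unlimited retries. The allowlisted origin and the example secret are assumptions; the port is the one named in the article.

```javascript
// Added example (not Logitech's or Project Zero's code). Models the two
// controls the article says the Options websocket server lacked: an Origin
// allowlist and a cap on authentication guesses. Header names are standard
// HTTP headers; the allowlisted origin below is an assumption.
const ALLOWED_ORIGINS = new Set(['https://options.example.invalid']);

// Parse a raw HTTP upgrade request (request line + headers) into a header map.
function parseHandshake(raw) {
  const lines = raw.split('\r\n');
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { requestLine: lines[0], headers };
}

// Browsers always attach an Origin header to a WebSocket upgrade, so a server
// meant to be reached only by its own UI can reject anything else. An absent
// Origin is a failure too: a browser-facing local service has no legitimate
// anonymous callers.
function checkOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers['origin'];
  if (origin === undefined) return { ok: false, reason: 'missing Origin header' };
  if (!allowed.has(origin)) return { ok: false, reason: 'origin not allowed: ' + origin };
  return { ok: true, reason: 'origin allowed' };
}

// Guess-limited secret check. A process id is a low-entropy value; with
// unlimited retries it is no secret at all, so the connection is closed after
// a few failures. `expected` stands in for whatever credential the server uses.
class GuessLimitedAuth {
  constructor(expected, maxAttempts = 3) {
    this.expected = String(expected);
    this.maxAttempts = maxAttempts;
    this.attempts = 0;
    this.locked = false;
  }
  // Returns 'ok', 'retry' (wrong, may try again) or 'locked' (must close).
  tryAuth(value) {
    if (this.locked) return 'locked';
    this.attempts += 1;
    if (String(value) === this.expected) return 'ok';
    if (this.attempts >= this.maxAttempts) this.locked = true;
    return this.locked ? 'locked' : 'retry';
  }
}

// Full gate for one incoming connection: origin first, then the secret.
// `presented` is the sequence of values the client offers as its credential.
function gateConnection(rawHandshake, expectedSecret, presented) {
  const { headers } = parseHandshake(rawHandshake);
  const originResult = checkOrigin(headers);
  if (!originResult.ok) return 'rejected: ' + originResult.reason;
  const auth = new GuessLimitedAuth(expectedSecret);
  for (const guess of presented) {
    const r = auth.tryAuth(guess);
    if (r === 'ok') return 'accepted';
    if (r === 'locked') return 'rejected: too many failed attempts';
  }
  return 'rejected: not authenticated';
}

// Constructed handshakes: one from the allowlisted UI, one from another site.
const GOOD_HANDSHAKE =
  'GET / HTTP/1.1\r\nHost: 127.0.0.1:10134\r\nUpgrade: websocket\r\n' +
  'Origin: https://options.example.invalid\r\n\r\n';
const FOREIGN_HANDSHAKE =
  'GET / HTTP/1.1\r\nHost: 127.0.0.1:10134\r\nUpgrade: websocket\r\n' +
  'Origin: https://some-other-site.example\r\n\r\n';

console.log(gateConnection(GOOD_HANDSHAKE, 4212, [4212]));          // accepted
console.log(gateConnection(FOREIGN_HANDSHAKE, 4212, [4212]));       // rejected: origin not allowed
console.log(gateConnection(GOOD_HANDSHAKE, 4212, [4, 8, 12, 16]));  // rejected: too many failed attempts
```

The origin check alone would have stopped the scenario in the article, since the connection from an arbitrary website never reaches authentication. The guess limit is the second line of defence; the better fix is a credential with real entropy (a random token the UI obtains out of band) rather than a process id, which the limit only makes slower to guess.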
As anyone who's followed Google's Project Zero will know, it operates a strict 90-day deadline for a company to fix vulnerabilities disclosed to it, after which they are made public. I would recommend disabling Logitech Options until an update is available. Clearly, the disclosure got things moving – on 13 December, Logitech suddenly updated Options to version 7.00.564 (7.00.554 for Mac). The company also tweeted that the flaws had been fixed, confirmed by Ormandy on the same day. Logitech aren't the first to feel Project Zero's guillotine on their neck. Earlier in 2018, Microsoft ran into a similar issue over a vulnerability found by Project Zero in the Edge browser. Times have changed – vendors have to move from learning about a bug to releasing a fix much more rapidly than they used to.
The bug could've likely been exploited to make a self-spreading worm too, according to hackers and security researchers. Steam's operator Valve announced that it fixed the bug earlier today, but with over 125 million monthly active users on its platform, the exploit could have wreaked havoc for thousands of people, and for the company itself. "Anyone who views a specially crafted profile gets popped," a white hat hacker who has found several bugs in Steam in the past, and asked to remain anonymous, told me in a Twitter DM. Several users and security researchers noticed this week that it was possible to put malicious JavaScript code inside a Steam user's profile page, and the code would execute whenever someone visited that profile page, without any need for the victim to click anywhere. This type of bug is known as a cross-site scripting vulnerability, or XSS, a problem that's plagued Steam for years. "Phishing scams and virus downloads are possible at the very least, but if account takeovers are possible, that's about as bad as XSS gets," Jeremiah Grossman, a web security expert, said in a chat. A Valve spokesperson said the bug was fixed on Tuesday at noon, but there's no telling how long the door was open for hackers to exploit it. (The spokesperson did not immediately respond to a request for comment.) The bug was so bad that the moderators of the Steam subreddit told users to refrain from visiting other users' profiles. "Do NOT click suspicious (real) steam profile links and Disable JavaScript on Browser," a moderator wrote in the warning post.
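The defect class described here, a stored XSS where text a user saved to their profile is written into the page as markup for every viewer, comes down to one missing step at render time. The following is an added example written for this article, not Valve's or Steam's code: a constructed profile record containing an inert script tag is rendered once by concatenating the fields into HTML (the vulnerable pattern) and once through an escaping function (the fix), and a small review helper lists any tag in the output that the template itself did not emit. Field names, the template and the sample payload are all constructed for the example.

```javascript
// Added example (not Valve's or Steam's code). Shows stored XSS via
// unescaped profile fields next to the contextual-escaping fix, on a
// constructed profile record. The script payload is inert (`void 0`).
const SAMPLE_PROFILE = {
  name: 'player<script>void 0</script>',
  bio: 'Likes <b>co-op</b> & "puzzle" games',
};

// Escape the five characters that can change meaning inside an HTML text node
// or a double-quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable rendering: untrusted fields are concatenated straight into markup,
// so whatever the profile owner typed becomes part of the page for every viewer.
function renderProfileVulnerable(profile) {
  return '<h1>' + profile.name + '</h1><p>' + profile.bio + '</p>';
}

// Hardened rendering: every untrusted field passes through escapeHtml, so the
// payload is displayed as literal text instead of being parsed as an element.
function renderProfileSafe(profile) {
  return '<h1>' + escapeHtml(profile.name) + '</h1><p>' + escapeHtml(profile.bio) + '</p>';
}

// Review helper: list tag names in rendered output that the template did not
// produce. The template emits only h1 and p, so any other tag name means user
// data reached the HTML parser as markup.
function foreignTags(html, allowed = new Set(['h1', 'p'])) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!allowed.has(tag) && !found.includes(tag)) found.push(tag);
  }
  return found;
}

console.log(foreignTags(renderProfileVulnerable(SAMPLE_PROFILE))); // [ 'script', 'b' ]
console.log(foreignTags(renderProfileSafe(SAMPLE_PROFILE)));       // []
```

Escaping at the point of output is the fix that belongs to the application; the subreddit moderators' advice to disable JavaScript is the viewer-side workaround for the same problem. A Content-Security-Policy header that forbids inline scripts would have limited the impact independently of the template bug, which is why both controls are usually deployed together.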
Grossman and Jake Davis, a former LulzSec hacker, confirmed that the bug existed as of Tuesday morning and analyzed the potential attacks that bad guys could carry out if they were to exploit it. "If something like this were to be found on Google or Facebook, it would be a high-severity issue," said Grossman, who's the Chief of Security Strategy at security firm SentinelOne.
The hacker leaked the FBI.GOV accounts that he found in several backup files (acc_102016.bck, acc_112016.bck, old_acc16.bck, etc.). Leaked records contain account data, including names, SHA1 encrypted passwords, SHA1 salts, and emails. The intrusion occurred on December 22, 2016; the hacker revealed that he had exploited a zero-day vulnerability in the Plone Content Management System. "Going back to 22nd December 2016, I tweeted about a 0day vulnerability in Plone CMS which is considered as the most secure CMS till date. The vulnerability resides in some python modules of the CMS." The hacker noticed that while media from Germany and Russia published the news about the hack, US-based publishers ignored it. According to CyberZeist, the FBI contacted him to pass on the leaks. "I was contacted by various sources to pass on the leaks to them that I obtained after hacking FBI.GOV but I denied all of them, just because I was waiting for FBI to react on time. They didn't directly react and I don't know yet what are they up to, but at the time I was extracting my finds after hacking FBI.GOV," he wrote. The expert added further info on the attack: while experts at the FBI were working to fix the issue, he noticed that the Plone 0day exploit was still working against the CMS backend. ), but I was able to recon that they were running FreeBSD ver 6.2-RELEASE that dates back to 2007 with their own custom configurations. Their last reboot time was 15th December 2016 at 6:32 PM in the evening.
"While exploiting FBI.GOV, it was clearly evident that their webmaster had a very lazy attitude as he/she had kept the backup files (.bck extension) on that same folder where the site root was placed (Thank you Webmaster!), but still I didn't leak out the whole contents of the backup files, instead I tweeted out my findings and thought to wait for FBI's response. Now let's sit and wait for the FBI's response. I obviously can not publish the 0day attack vector myself." The hacker confirmed that the 0-day is offered for sale on Tor by a hacker that goes by the moniker "lo4fer". "Once this 0day is no longer being sold, I will tweet out the Plone CMS 0day attack vector myself." Let's close with a curiosity… CyberZeist is asking you to choose the next target. The hacker is very popular; among his victims are Barclays, Tesco Bank and the MI5.
Today, we noticed a pretty weird security flaw in Windows 10 Mobile. If you are using a Windows 10 Mobile device that does not support Windows Hello, you are likely using a PIN to secure your device. The PIN can be easily set up from Windows 10 Mobile's Sign-in Options page in the Settings app. However, there's an interesting issue with this system: you can remove the PIN from the device without having to verify the current PIN that's set. For instance, if your PIN is "2017" and someone else gets access to your phone, they can simply remove it without having to verify the PIN. This, however, isn't the case when you try to change the PIN, as the OS will ask you to verify the existing PIN first. This may sound like a minor issue, but it actually isn't one: someone can easily lock you out of your own device once they get the initial access (which, to be fair, can be difficult to attain). For example, they can remove the current PIN and set a new one without having to verify the password for the linked Microsoft Account on the device or the PIN (since it's already removed). This isn't how the PIN-lock system works on Android or iOS. Both of these operating systems require users to verify their PIN/password/pattern before they can edit any of the settings related to the PIN, including the ability to completely remove the PIN from the device. What's even more interesting is that this issue doesn't exist on Windows 10 PCs, where you will be required to verify the existing PIN when you try to remove it from a device. As far as we are aware, the issue is impacting Windows 10 Mobile devices running Windows 10 Mobile Version 1511, 1607, and even the latest Insider preview releases.
We hope Microsoft will fix this issue in Windows 10 Mobile pretty soon, and we'll let you know if and when that happens.