in March. Ransomware is no longer just a nuisance. Now it's quite literally a matter of life and death. A massive ransomware attack being labeled as "WannaCry" has been reported around the world and is responsible for shutting down hospitals in the United Kingdom and encrypting files at Spanish telecom firm Telefonica. The WannaCry attack is not a zero-day flaw, but rather is based on an exploit that Microsoft patched with its MS17-010 advisory on March 14 in the SMB Server. However, Microsoft did not highlight the SMB flaw until April 14, when a hacker group known as the Shadow Brokers released a set of exploits, allegedly stolen from the U.S. National Security Agency. SMB, or Server Message Block, is a critical protocol used by Windows to enable file and folder sharing. It's also the protocol that today's WannaCry attack is exploiting to rapidly spread from one host to the next around the world, literally at the speed of light. The attack is what is known as a worm, "slithering" from one host to the next on connected networks. Among the first large organizations to be impacted by WannaCry is the National Health Service in the UK, which has publicly confirmed that it was attacked by the Wanna Decryptor. "This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors," the NHS stated. "At this stage we do not have any evidence that patient data has been accessed." Security firm Kaspersky Lab reported that by 2:30 p.m. ET May 12 it had already seen more than 45,000 WannaCry attacks in 74 countries.
While the ransomware attack is making use of the SMB vulnerability to spread, the encryption of files is done by the Wanna Decryptor attack that seeks out all files on a victim's network. Once the ransomware has completed encrypting files, victims are presented with a screen demanding a ransom. Initially, the ransom requested was reported to be $300 worth of Bitcoin, according to Kaspersky Lab. "Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted," the ransom note states. "Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service." It's not clear who the original source of the global WannaCry attacks is at this point, or even if it's a single threat actor or multiple actors. What is clear is that despite the fact that a software patch has been available since March for the SMB flaws, WannaCry is hitting tens of thousands of organizations that didn't patch.
Intel revealed that it will not be issuing Spectre patches to a number of older Intel processor families, potentially leaving many customers vulnerable to the security exploit. Intel claims the processors affected are mostly implemented as closed systems, so they aren't at risk from the Spectre exploit, and that the age of these processors means they have limited commercial availability. The processors which Intel won't be patching include four lines from 2007, Penryn, Yorkfield, and Wolfdale, along with Bloomfield (2009), Clarksfield (2009), Jasper Forest (2010) and the Intel Atom SoFIA processors from 2015. According to Tom's Hardware, Intel's decision not to patch these products could stem from the relative difficulty of patching the Spectre exploit on older systems. "After a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products," Intel said. Because of the nature of the Spectre exploit, patches for it need to be delivered as an operating system or BIOS update, and if Microsoft and motherboard OEMs aren't going to distribute the patches, developing them isn't much of a priority. "However, the real reason Intel gave up on patching these systems seems to be that neither motherboard makers nor Microsoft may be willing to update systems sold a decade ago," Tom's Hardware reports.
It sounds bad, but as Intel pointed out, these are all relatively old processors — with the exception of the Intel Atom SoFIA processor, which came out in 2015 — and it's unlikely they're used in any high-security environments. The Spectre exploit is a serious security vulnerability to be sure, but as some commentators have pointed out in recent months, it's not the kind of exploit the average user needs to worry about. "We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google Project Zero," said an Intel spokesperson. "However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback." If you have an old Penryn processor toiling away in an office PC somewhere, you're probably more at risk for a malware infection arising from a bad download than you are susceptible to something as technically sophisticated as the Spectre or Meltdown vulnerabilities.
Due to the far-reaching implications, security researchers will typically submit serious 0-day Windows exploits to Microsoft and give the company ample time to patch the vulnerabilities before they can be used to create malware and do harm. A security researcher that goes by the Twitter handle SandboxEscaper, however, decided it would be a good idea to expose a 0-day threat to the world on Twitter, without forewarning Microsoft, and even linked to proof-of-concept code on GitHub that has since been verified as functional. The language in the original tweet prevents me from directly embedding it here. SandboxEscaper essentially said, "Here is the alpc bug as 0day ... I don't ****ing care about life anymore. Neither do I ever again want to submit to MSFT anyway ..." The official post on the CERT/CC website explains, "The Microsoft Windows task scheduler SchRpcSetSecurity API contains a vulnerability in the handling of ALPC, which can allow a local user to gain SYSTEM privileges. We have confirmed that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems. We have also confirmed compatibility with 32-bit Windows 10 with minor modifications to the public exploit code. Compatibility with other Windows versions is possible with further modifications." At this point, Microsoft does not have a patch at the ready, but according to reports a fix will be coming in the next batch of Patch Tuesday updates.
Because the exploit requires the local execution of code, it doesn't necessarily warrant an out-of-band update. However, with proof-of-concept code readily available, it's possible nefarious individuals could trick less savvy users into running the code and gain full access to their systems. As always, never execute any files from unknown or untrusted sources. The bug lies in the Windows Task Scheduler's Advanced Local Procedure Call, or ALPC, interface. It allows a local user to gain system-level privileges and have free rein over the system to do whatever they want, including overwriting or modifying system files. Will Dormann of CERT/CC verified the original exploit code works on a fully patched Windows 10 x64 installation and later modified the code to work on 32-bit systems as well.
LONDON — The U.K. agency tasked with fighting cyberthreats on Thursday announced a new process for the public disclosure of potentially sensitive software flaws, introducing a new level of transparency to its work. The National Cyber Security Centre laid out its new procedure, called the "Equities Process", in a blog post that details how it makes decisions on whether to make public the discovery of new flaws. National security operations sometimes hold back from announcing the discovery of security flaws in part because the bugs can be used to gather intelligence. "There's got to be a good reason not to disclose," said Ian Levy, technical director at the NCSC. The default position, the NCSC said, is to disclose those vulnerabilities to the public after fixes have been made. The government will only keep them confidential in rare instances, such as if there's an overriding intelligence reason. Levy said withholding release of a bug will require high-level government sign-off. The goal is to prevent cyberattacks like "WannaCry," which paralyzed computer systems around the world in May 2017. The attack, which the U.S. has blamed on North Korea, wrought havoc within the U.K.'s National Health Service (NHS) by exploiting vulnerabilities in an outdated version of Microsoft Windows. WannaCry underscored the dangers of not patching or updating software. The NCSC's disclosure policy follows one implemented by the White House in 2017. The National Security Agency (NSA) had come under intense pressure from transparency advocates to disclose more about its work in the wake of WannaCry.
"The best defense against a cyberattack, whether it's by criminals or nation states, is to keep your box up to date," said Levy. "If you patch your software, a lot of the stuff that we've found goes away." The vast majority of attacks are carried out by exploiting vulnerabilities already known to the vendors of the technology in question, Levy said. Such was the case when Russian cyberoperatives hacked into British telecoms companies in 2017. Levy said the primary goal of more transparency is to "bang the drum" about basic cybersecurity, like patching and secure network setups.
AMD has acknowledged the Ryzenfall vulnerabilities discovered by CTS-Labs, though the chip company believes the flaws can be patched via BIOS updates issued over the next few weeks. In a blog post authored by AMD's chief technical officer, Mark Papermaster, AMD confirmed that the four broad classifications of attacks—Masterkey, Ryzenfall, Fallout, and Chimera—are viable, though they require administrative access to the PC or server in question. Third-party protections, such as Microsoft Windows Credential Guard, also serve to block unauthorized administrative access, Papermaster wrote. In any event, "any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research," AMD's Papermaster added. But AMD also provided the answer to consumers' most pressing question: What, if anything, needs to be done? For each of the first three classifications of vulnerabilities, AMD said it is working on firmware updates that the company plans to release during the coming weeks. The fourth category of vulnerability, known as Chimera, affected the Promontory chipset, which CTS-Labs said was designed with logic supplied by ASMedia, a third-party vendor. While AMD said patches for that will also be released via a BIOS update, the company said it is working with the Promontory chipset maker on developing the mitigations, rather than supplying its own. AMD has neither confirmed nor denied whether the attacks can be executed remotely, or require local access.
AMD did deny, however, that the attacks have anything to do with Meltdown or Spectre, the two side-channel attacks that rival Intel has worked to patch. About a week ago, CTS-Labs issued a press release as well as a website outlining the vulnerabilities, which the company provided to AMD less than 24 hours before CTS-Labs went public, AMD said. But CTS-Labs also drew fire over boilerplate copy on its website that implied a potential financial interest in the subjects of its reports. PCWorld attempted to interview CTS executives, but later rescinded that request after CTS-Labs representatives demanded a list of questions in advance, and also forbade us from asking about the timing and the company's financial motivations. In the meantime, however, the vulnerabilities were confirmed by two independent researchers, Trail of Bits and Check Point. Both expressed doubts that attackers would be able to exploit the vulnerabilities that CTS-Labs had originally discovered.
The device manufacturer acquired St Jude Medical last year and has since been working to fix severe vulnerabilities found in its pacemakers. Abbott released its second and final round of planned cybersecurity updates to its pacemakers, programmers and remote monitoring systems to fix severe cybersecurity flaws in the devices. The patch will update the battery performance alert, allowing the device to monitor for abnormal battery behavior and automatically vibrate to tell the patient when something is wrong. The planned updates began last year, and the latest firmware update was approved by the Food and Drug Administration last week. The update applies to about 350,000 of Abbott's implantable cardioverter defibrillators and implantable cardiac resynchronization therapy defibrillators. The devices were originally manufactured by St Jude Medical, which Abbott acquired last year. At that time, St Jude was under fire for remaining quiet about defibrillator issues that caused rapid battery depletion. The FDA found St Jude continued to ship these devices despite knowing about the defect. In fact, the agency found those flaws caused patient deaths. The flaws, made public in 2016 by Muddy Waters and security firm MedSec, could allow an unauthorized user to access the defibrillators and modify the programming controls. Since acquiring St Jude, Abbott has been working to patch those vulnerabilities. The FDA's recall notice said the firmware update will reduce the risk of patient harm due to premature battery depletion and potential exploitation of the flaws in the devices.
The update will effectively complete the necessary patches to prevent unauthorized access. The update is not a response to any new flaws, but is merely a continuation of last year's patches, according to officials. "Technology and its security are always evolving, and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients," said Robert Ford, executive vice president of medical devices at Abbott, in a statement.
After scrambling to patch a critical vulnerability late last month, Drupal is at it again. The open source content management project has issued an unscheduled security update to augment its previous patch for Drupalgeddon2. There was also a cross-site scripting bug advisory in mid-April. The latest Drupal core vulnerability, designated SA-CORE-2018-004 and assigned CVE-2018-7602, is related to the March SA-CORE-2018-002 flaw (CVE-2018-7600), according to the Drupal security team. It can be exploited to take over a website's server, and allow miscreants to steal information or alter pages. "It is a remote code execution vulnerability," explained a member of the Drupal security team in an email to The Register. "No more technical details beyond that are available." The vulnerability affects at least Drupal 7.x and Drupal 8.x. And a similar issue has been found in the Drupal Media module. In a blog post from earlier this month about the March patch, Dries Buytaert, founder of the Drupal project, observed that all software has security issues and critical security bugs are rare. While the March bug is being actively exploited, the Drupal security team says it's unaware of any exploitation of the latest vulnerability. But it won't be long – those maintaining the project observed automated attacks appearing about two weeks after the SA-CORE-2018-002 notice. The fix is to upgrade to the most recent version of Drupal 7 or 8 core. The latest code can be found at Drupal's website.
For those running 7.x, that means upgrading to Drupal 7.59. For those running 8.5.x, the latest version is 8.5.3. And for those still on 8.4.x, there's an upgrade to 8.4.8, despite the fact that as an unsupported minor release, the 8.4.x line would not normally get security updates. And finally, if you're still on Drupal 6, which is no longer officially supported, unofficial patches are being developed here. Drupal users appear to be taking the release in stride, though with a bit of grumbling. "Drupal Wednesday looks like the new Windows patch day," quipped designer Tom Binroth via Twitter. "I would rather spend my time on creating new stuff than patching Drupal core sites."
Cisco patches a severe flaw in switch deployment software that can be attacked with crafted messages sent to a port that's open by default. Cisco has released patches for 34 vulnerabilities mostly affecting its IOS and IOS XE networking software, including three critical remote code execution security bugs. Perhaps the most serious issue Cisco has released a patch for is critical bug CVE-2018-0171 affecting Smart Install, a Cisco client for quickly deploying new switches for Cisco IOS Software and Cisco IOS XE Software. A remote unauthenticated attacker can exploit a flaw in the client to reload an affected device and cause a denial of service or execute arbitrary code. Embedi, the security firm that found the flaw, initially believed it could only be exploited within an enterprise's network. However, it found millions of affected devices exposed on the internet. "Because in a securely configured network, Smart Install technology participants should not be accessible through the internet. But scanning the internet has shown that this is not true," wrote Embedi. "During a short scan of the internet, we detected 250,000 vulnerable devices and 8.5 million devices that have a vulnerable port open." Smart Install is supported by a broad range of Cisco routers and switches. The high number of devices with an open port is probably because the Smart Install client's port TCP 4786 is open by default. This situation is overlooked by network admins, Embedi said.
The company has also published proof-of-concept exploit code, so it probably will be urgent for admins to patch. An attacker can exploit the bug by sending a crafted Smart Install message to these devices on TCP port 4786, according to Cisco. Embedi discovered the flaw last year, landing it an award at the GeekPwn conference in Hong Kong last May, and reported it to Cisco in September. Cisco's internal testing also turned up a critical issue in its IOS XE software, CVE-2018-0150, due to an undocumented user account that has a default username and password. Cisco warns that an attacker could use this account to remotely connect to a device running the software. Cisco engineers also found CVE-2018-0151, a remote code execution bug in the QoS subsystem of IOS and IOS XE. "The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device," writes Cisco. All three bugs were given a CVSS score of 9.8 out of 10.
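The practical question the two Cisco advisories above leave an operator with is whether TCP 4786 (Smart Install) or UDP 18999 (the QoS subsystem) is actually reachable on their devices, and from where. The following is an added example, not code from Cisco, Embedi or the article, that tags flow records hitting either port by whether the source sits in RFC1918 space. The one-line flow format, the sample records and the RFC1918-only definition of "internal" are this example's own assumptions; the RFC 5737 documentation ranges in the samples stand in for public addresses.

```python
"""Flow-record check for the two IOS / IOS XE service ports named in the Cisco
advisories above: TCP 4786 (Smart Install, open by default) and UDP 18999
(QoS subsystem). Added defender-side example; the flow format, the sample
records and the RFC1918-only notion of 'internal' are assumptions."""
import ipaddress
from typing import Dict, List, NamedTuple, Tuple

# (protocol, destination port) -> label taken from the advisories on this page.
WATCHED_PORTS: Dict[Tuple[str, int], str] = {
    ("tcp", 4786): "Smart Install (CVE-2018-0171)",
    ("udp", 18999): "QoS subsystem (CVE-2018-0151)",
}

# Assumption: only RFC1918 space counts as internal; anything else is treated as
# internet-sourced, so the RFC 5737 documentation ranges used in the samples
# below behave like public addresses here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


class Hit(NamedTuple):
    ts: str
    origin: str  # "internet" or "internal"
    src: str
    dst: str
    proto: str
    dport: int
    service: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<ts> <src> -> <dst> <proto> <dport>'."""
    fields = line.split()
    if len(fields) != 6 or fields[2] != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    ts, src, _, dst, proto, dport = fields
    # ip_address() raises on garbage, so a malformed record fails loudly.
    return Flow(ts, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)), proto.lower(), int(dport))


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the RFC1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_watched_port_hits(lines: List[str]) -> List[Hit]:
    """Return every flow whose destination port is on the watch-list, tagged with
    whether the source is internal or internet-facing. Internal hits are kept
    so an operator can see that the service is reachable at all, which is the
    first thing to confirm before deciding whether to filter or disable it."""
    hits: List[Hit] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        service = WATCHED_PORTS.get((f.proto, f.dport))
        if service is None:
            continue
        origin = "internal" if is_internal(f.src) else "internet"
        hits.append(Hit(f.ts, origin, f.src, f.dst, f.proto, f.dport, service))
    return hits


def internet_exposed(lines: List[str]) -> List[Hit]:
    """Only the hits from outside RFC1918 space: the exposure Embedi's scan found."""
    return [h for h in find_watched_port_hits(lines) if h.origin == "internet"]


# Constructed sample records, not captured traffic.
SAMPLE_FLOWS = [
    "# ts src -> dst proto dport",
    "2018-03-29T10:15:02Z 203.0.113.45 -> 192.0.2.10 tcp 4786",
    "2018-03-29T10:15:03Z 10.20.30.40 -> 10.0.0.7 tcp 4786",
    "2018-03-29T10:16:11Z 198.51.100.9 -> 192.0.2.10 udp 18999",
    "2018-03-29T10:16:12Z 10.20.30.41 -> 10.0.0.7 tcp 22",
    "2018-03-29T10:17:00Z 203.0.113.45 -> 192.0.2.10 tcp 443",
]

if __name__ == "__main__":
    for h in find_watched_port_hits(SAMPLE_FLOWS):
        print(f"{h.ts} {h.origin:8} {h.src} -> {h.dst} {h.proto}/{h.dport}  {h.service}")
```

On the sample data the check reports three flows to watched ports, two of them from outside RFC1918 space; the internal hit on 4786 is the reminder that, per Embedi, the port is open by default even where it is not internet-reachable.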
A Google Project Zero researcher has published a macOS exploit to demonstrate that Apple is exposing its users to security risks by patching serious flaws in iOS but not revealing the fact until it fixes the same bugs in macOS a week later. This happened during Apple's update for critical flaws in iOS 12, tvOS 12 and Safari 12 on September 17. A Wayback Machine snapshot of the original advisory doesn't mention any of the bugs that Project Zero researcher Ivan Fratric had reported to Apple, and which were actually fixed. Then, a week later, after Apple patched the same bugs in macOS, the company updated its original advisory with details about the nine flaws that Fratric had reported, six of which affected Safari. The update fixed a Safari bug that allowed arbitrary code execution on macOS if a vulnerable version of Safari browsed to a website hosting an exploit for the bugs. While Fratric concedes that Apple is probably concealing the fix in iOS to buy time to patch macOS, he argues the end result is that people may ignore an important security update because they weren't properly informed by Apple in the security advisory. "This practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released and the impression they would get is that the product updates fix far fewer vulnerabilities and less severe vulnerabilities than is actually the case."
Even worse, a skilled attacker could use the update for iOS to reverse-engineer a patch, develop an exploit for macOS, and then deploy it against a macOS user base that doesn't have a patch. Users also don't know that Apple has released information that could make their systems vulnerable to attack. Fratric developed an exploit for one of the Safari bugs he reported and published the attack on Thursday. The bugs were all found using a publicly available fuzzing tool he developed, called Domato, meaning anyone else, including highly advanced attackers, could use it too. "If a public tool was able to find that many bugs, it is expected that private ones might be even more successful," he noted. He wasn't aiming to write a reliable or sophisticated exploit, but the bug is useful enough for a skilled exploit writer to develop an attack to spread malware and "potentially do a lot of damage even with an unreliable exploit". Fratric said he successfully tested the exploit on Mac OS 10.13.6 High Sierra, build version 17G65. "If you are still using this version, you might want to update," noted Fratric. On the upside, it appears Apple and its Safari WebKit team have improved the security of the browser compared with the results of Fratric's Domato fuzzing efforts last year, which turned up way more bugs in Safari than in Chrome, Internet Explorer, and Edge. Last year he found 17 Safari flaws using the fuzzing tool. His final word of warning is not to discount any of the bugs he found just because no one's seen them being attacked in the wild. "While it is easy to brush away such bugs as something we haven't seen actual attackers use, that doesn't mean it's not happening or that it couldn't happen," the researcher noted.
Microsoft released a security update designed to patch remote code execution (RCE) and information disclosure vulnerabilities in its Microsoft Exchange Server 2019, 2016, and 2013 products. The RCE security issue is being tracked as CVE-2019-0586 and according to Microsoft's advisory it exists because "the software fails to properly handle objects in memory."
Attackers can run code as System user
Following a successful attack on a vulnerable Microsoft Exchange Server installation, potential attackers would be able to take advantage of System user permissions. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts. In order to exploit the CVE-2019-0586 vulnerability, attackers have to send maliciously crafted emails to a vulnerable Exchange server. The issue has been addressed by changing the way Microsoft Exchange handles objects in memory. The information disclosure Microsoft Exchange Server vulnerability was assigned the CVE-2019-0588 tracking id and it is caused by the way Microsoft Exchange's "PowerShell API grants calendar contributors more view permissions than intended." To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The attacker would then be able to view additional details about the calendar that would normally be hidden. The CVE-2019-0588 security vulnerability was fixed by correcting the way Exchange's PowerShell API grants permissions to contributors.
Microsoft rated the two vulnerabilities as 'Important'
Microsoft assigned an Important severity level to both security issues and, until their public disclosure, no mitigating factors or workarounds have been found. On servers that are using User Account Control (UAC) the update may fail to install if the update packages are run without Administrator privileges.
The site was taken offline to patch the security bug, and only publicly accessible information was lifted from the compromised web servers, we're told. The flaw in the Struts 2 framework is trivial to exploit: just upload a file with an invalid Content-Type value. It then throws an exception, and opens the target to remote code execution. Shortly after the Struts 2 vulnerability was discovered and documented last week, researchers at Cisco's Talos said they'd observed it under "active attack". The Canada Revenue Agency held a press conference in Ottawa Monday afternoon, and confirmed Struts 2 was the reason it took down its services over the weekend. Shared Services Canada COO John Glowacki said while forensic work is continuing, analysis of system logs so far shows nobody "got inside" CRA's systems. "We will not speak for other countries, but we will say we have information that some other countries are having greater problems with this specific vulnerability," he added. Expect vendors to start issuing their own advisories about Struts 2. Cisco has posted its first product advisory, and so far there's more "confirmed not vulnerable" than vulnerable products. So far, only Cisco's Identity Services Engine, Prime Service Catalog Virtual Appliance, and Unified SIP Proxy Software need fixing. There is, however, an extensive list of products still under investigation.
Published December 7, 2016 5:50 pm
Of the top 10 vulnerabilities incorporated by exploit kits in 2016, six of them (rather unsurprisingly) affected Adobe Flash Player. Real-time threat intelligence provider Recorded Future arrived at those findings by analyzing thousands of sources including information security blogs and deep web forum postings. Recorded Future then ranked each vulnerability based upon how many web references linked the bug to at least one of 141 exploit kits, malicious software packages like Neutrino and RIG which abuse security flaws to infect users with TrickBot and other malware. Recorded Future found the most references to CVE-2016-0189, a vulnerability affecting Internet Explorer. More than 700 web sources linked the bug to the Magnitude, RIG, Neutrino, and Sundown exploit kits. But when it came to actual links with exploit kits, Adobe Flash Player cleaned house. In total, six Adobe Flash Player vulnerabilities appeared in the top 10 list. Two of those (CVE-2016-1010 and CVE-2015-8446) bonded with the late Angler exploit kit. Another three (CVE-2016-1019, CVE-2016-4117, and CVE-2015-8651) connected to at least three exploit kits. Overall, the regrettable honor of integration with the most exploit kits goes to CVE-2015-7645, a flaw which a mere 70 web sources linked to seven different packages: Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter. Recorded Future provides some background on why this vulnerability likely received so many linkages: "CVE-2015-7645 impacts Windows, Mac, and Linux operating systems, which makes it extremely versatile. Per Adobe, it can be used to take control of the affected system.
Additionally, it was the first zero-day exploit discovered after Adobe introduced new security mitigations, and as such, it was quickly adopted as many other older exploits ceased working on machines with newer Flash versions. The vulnerability was also noted as being used by Pawn Storm (APT28, Fancy Bear), a Russian government-backed espionage group." To protect against RIG and the others exploiting some of these vulnerabilities on your machine, you should patch your system regularly, install a reputable anti-virus solution, and install an ad-blocker. There's no hope when it comes to Adobe Flash Player. It seems like new bugs are emerging every day, which makes patch management a serious headache. If you can, you should uninstall Adobe Flash Player from your computer as soon as possible.
Microsoft Internet Information Services (IIS) 6.0 has a zero-day vulnerability that attackers leveraged last summer and that is likely undergoing exploitation now, researchers said. The vulnerability is a buffer overflow in a function in the WebDAV service in IIS 6.0 on Microsoft Windows Server 2003 R2, and can be triggered by attackers sending an overlong IF header in a PROPFIND request, said researchers at Trend Micro. Unfortunately, Microsoft won't patch the flaw because it stopped supporting Windows Server 2003 a few years ago (IIS 6.0 shipped with that OS). There are a little over 600,000 publicly accessible IIS 6.0 servers on the Internet, and most of them are probably running on Windows Server 2003, according to a search of Shodan. The risk of exploitation can be mitigated by disabling the WebDAV service on the vulnerable IIS 6.0 installation, but not all administrators will want to do that. There is a fix out there from Mitja Kolsek, chief executive of Acros Security and co-founder of 0patch. The patch is free and its source code is open for inspection.
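Both the Struts 2 item above (a malformed Content-Type value) and the IIS 6.0 WebDAV item (an overlong IF header on a PROPFIND request) are visible in the request headers before anything else happens, which makes them good candidates for detection at a reverse proxy or in request logs. The following is an added example written for this page, not code from Trend Micro, Cisco Talos, 0patch or any of the products named above. It parses constructed raw request heads and flags the two conditions; the sample requests, the `IF_HEADER_MAX` threshold and the hostnames are assumptions, and the media-type grammar follows the token/quoted-string rules of RFC 7230.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample request heads (not real captured traffic). Index 1 carries an
# overlong If header on PROPFIND; index 3 carries a Content-Type that is not a media type.
SAMPLE_REQUESTS = [
    "PROPFIND /webdav/ HTTP/1.1\r\nHost: files.example.test\r\n"
    "If: <http://files.example.test/a.txt> (<opaquelocktoken:abc>)\r\nDepth: 1\r\n\r\n",
    "PROPFIND /webdav/ HTTP/1.1\r\nHost: files.example.test\r\n"
    "If: <http://files.example.test/" + "A" * 2000 + ">\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=\"----xyz\"\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: app.example.test\r\n"
    "Content-Type: not a media type\r\n\r\n",
]

IF_HEADER_MAX = 1024  # assumption: tune to what legitimate WebDAV clients actually send

# RFC 7230 token and quoted-string, used to validate Content-Type strictly:
# type "/" subtype *( ";" parameter "=" ( token | quoted-string ) )
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
MEDIA_TYPE_RE = re.compile(
    rf"^\s*{TOKEN}/{TOKEN}(?:\s*;\s*{TOKEN}\s*=\s*(?:{TOKEN}|{QUOTED}))*\s*$"
)


def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, target, headers).
    Header names are lower-cased; only the first colon separates name and value."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def check_request(raw: str) -> List[str]:
    """Return a list of human-readable findings for one request head."""
    method, target, headers = parse_request_head(raw)
    findings: List[str] = []
    if method.upper() == "PROPFIND":
        if_value = headers.get("if", "")
        if len(if_value) > IF_HEADER_MAX:
            findings.append(
                f"overlong If header ({len(if_value)} bytes) on PROPFIND {target}"
            )
    ctype = headers.get("content-type")
    if ctype is not None and not MEDIA_TYPE_RE.match(ctype):
        findings.append(f"malformed Content-Type {ctype!r} on {method} {target}")
    return findings


def scan(requests: List[str]) -> Dict[int, List[str]]:
    """Map the index of each suspicious request to its findings."""
    results: Dict[int, List[str]] = {}
    for i, raw in enumerate(requests):
        findings = check_request(raw)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(idx, hits)
```

The Content-Type rule is deliberately a strict grammar match rather than a search for a known bad string, so it also catches values an attacker has obfuscated; the cost is that a legitimate client emitting a sloppy header will be flagged too, which is usually acceptable for an alert but not for a block rule. Disabling WebDAV, as the article notes, removes the PROPFIND surface entirely.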
To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199. The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find. Microsoft Corp (MSFT.O) declined to say how long it usually takes to patch a flaw. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries. Those conclusions and other details emerged from interviews with researchers at cyber security firms who studied the events and analyzed versions of the attack code. Microsoft confirmed the sequence of events. The tale began last July, when Ryan Hanson, a 2010 Idaho State University graduate and consultant at boutique security firm Optiv Inc in Boise, found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer.
The company often pays a modest bounty of a few thousand dollars for the identification of security risks. Soon after that point six months ago, Microsoft could have fixed the problem, the company acknowledged. But it was not that simple. A quick change in the settings on Word by customers would do the trick, but if Microsoft notified customers about the bug and the recommended changes, it would also be telling hackers how to break in. Alternatively, Microsoft could have created a patch that would be distributed as part of its monthly software updates. But the company did not patch immediately and instead dug deeper. It was not aware that anyone was using Hanson's method, and it wanted to be sure it had a comprehensive solution. "We performed an investigation to identify other potentially similar methods and ensure that our fix addresses [sic] more than just the issue reported," Microsoft said through a spokesman, who answered emailed questions on the condition of anonymity. "This was a complex investigation." Hanson declined interview requests. The saga shows that Microsoft's progress on security issues, as well as that of the software industry as a whole, remains uneven in an era when the stakes are growing dramatically. Finally, on Tuesday, about six months after hearing from Hanson, Microsoft made the patch available. As always, some computer owners are lagging behind and have not installed it.
Ben-Gurion University employees in Israel were hacked, after the patch, by attackers linked to Iran who took over their email accounts and sent infected documents to their contacts at technology companies and medical professionals, said Michael Gorelik, vice president of cyber security firm Morphisec. When Microsoft patched, it thanked Hanson, a FireEye researcher and its own staff. A six-month delay is bad but not unheard of, said Marten Mickos, chief executive of HackerOne, which coordinates patching efforts between researchers and vendors. "Normal fixing times are a matter of weeks," Mickos said. Privately held Optiv said through a spokeswoman that it usually gives vendors 45 days to make fixes before publishing research when appropriate, and that it "materially followed" that practice in this case. If the patching took time, others who learned of the flaw moved quickly. On the final weekend before the patch, the criminals could have sold it along to the Dridex hackers, or the original makers could have cashed in a third time, Hultquist said, effectively staging a last clearance sale before it lost peak effectiveness. It is unclear how many people were ultimately infected or how much money was stolen.
A zero-day vulnerability exists in WordPress Core that in some instances could allow an attacker to reset a user's password and gain access to their account. Researcher Dawid Golunski of Legal Hackers disclosed the vulnerability on Wednesday via his new ExploitBox service. All versions of WordPress, including the latest, 4.7.4, are vulnerable, the researcher said. The vulnerability (CVE-2017-8295) happens because WordPress uses what Golunski calls untrusted data by default when it creates a password reset email. In a proof-of-concept writeup, Golunski points out that WordPress uses a variable, SERVER_NAME, to get the hostname it uses to create the From/Return-Path header for the password reset email. Since that variable is not fixed by the server and can be influenced by the incoming request, an attacker could insert a domain of his choosing and make it so the outgoing email could be sent to a malicious address, the researcher says. The attacker would then receive the reset email and be able to change the account password and take over. "Depending on the configuration of the mail server, it may result in an email that gets sent to the victim WordPress user with such malicious From/Return-Path address set in the email headers," Golunski wrote. "This could possibly allow the attacker to intercept the email containing the password reset link in some cases requiring user interaction as well as without user interaction." Golunski writes that there are three scenarios in which a user could be tricked, and only one of them relies on user interaction. In one, an attacker could perform a denial of service attack on the victim's email account in order to prevent the password reset email from reaching the victim's account. Instead, it could bounce back to the malicious sender address, pointed at the attacker.
Second, Golunski says some auto-responders may attach a copy of the email sent in the body of the auto-replied message. Third, by sending multiple password reset emails, he says the attacker could prompt the victim to reply asking for an explanation, with the original message, and its malicious password reset link, quoted below the reply. Golunski said he reported the issue to WordPress's security team multiple times, initially more than 10 months ago in July 2016. The researcher told Threatpost that WordPress never outright rejected his claim (he says WordPress told him it was working on the issue) but acknowledged that too much time has passed without a clear resolution, something which prompted him to release details on the bug on Wednesday. Campbell said that it's possible WordPress will patch the issue, even if just for poorly configured servers, but acknowledged he didn't have a timetable for the fix. Concerned WordPress users should follow a public ticket that was started for the issue last July, Campbell added. While there's no official fix available yet, Golunski says users can enable the UseCanonicalName setting on Apache to enforce a static SERVER_NAME value and ensure it doesn't get modified. Golunski has had his hands full finding vulnerabilities related to PHP-based email platforms. He discovered a remote code execution bug in SquirrelMail in January that was disclosed and quickly patched last month, and similar RCE bugs in PHPMailer and SwiftMailer, libraries used to send emails via PHP, at the end of 2016.
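The root of the problem described above is that the sender domain of a security-critical email is taken from a value the request can influence. The following added example, written for this page and not taken from WordPress or from Golunski's writeup, contrasts that pattern with one that derives the sender from configuration and refuses to send when the request-supplied SERVER_NAME disagrees with it. `CANONICAL_HOST`, the `server_env` dictionary standing in for a PHP `$_SERVER` array, and the sample hostnames are assumptions; the `www.` stripping mirrors the behaviour the article attributes to WordPress.

```python
from typing import Dict, Optional, Tuple

CANONICAL_HOST = "blog.example.test"  # assumption: the site's administrator-configured hostname


def sender_from_server_name(server_env: Dict[str, str]) -> str:
    """Vulnerable pattern from the article: the sender domain is built from
    SERVER_NAME, which many web server configurations populate from the
    client-supplied Host header rather than from a fixed setting."""
    sitename = server_env.get("SERVER_NAME", "").lower()
    if sitename.startswith("www."):
        sitename = sitename[4:]
    return f"wordpress@{sitename}"


def reset_mail_headers(
    server_env: Dict[str, str], canonical_host: str = CANONICAL_HOST
) -> Tuple[bool, Optional[Dict[str, str]]]:
    """Hardened pattern: the sender domain comes from configuration only.
    A SERVER_NAME that disagrees with the configured host is treated as a
    tampered request. Returns (ok, headers); do not send when ok is False."""
    observed = server_env.get("SERVER_NAME", "").lower()
    if observed.startswith("www."):
        observed = observed[4:]
    if observed and observed != canonical_host:
        # Worth logging: a mismatch here is either a misconfiguration or an attack.
        return False, None
    sender = f"wordpress@{canonical_host}"
    return True, {
        "From": f"WordPress <{sender}>",
        "Return-Path": f"<{sender}>",
    }


if __name__ == "__main__":
    # Constructed request environments: one honest, one carrying an attacker-chosen host.
    honest = {"SERVER_NAME": "www.blog.example.test"}
    tampered = {"SERVER_NAME": "attacker.example"}
    print("vulnerable sender (tampered):", sender_from_server_name(tampered))
    print("hardened (tampered):", reset_mail_headers(tampered))
    print("hardened (honest):", reset_mail_headers(honest))
```

On Apache the server-side equivalent of the check is the workaround the article mentions: set `ServerName` to the canonical hostname and `UseCanonicalName On`, so SERVER_NAME is taken from configuration rather than from the request; the application-level check above is still worthwhile because it makes the mismatch visible in logs instead of silently sending.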
UPDATE At DEFCON 22 in 2014, researchers demonstrated hacks against the Samsung Smartcam that allowed an attacker to remotely take over the device. Samsung's reaction at the time was to remove the web interface enabling the attack rather than patch the code in question. The Exploitee.rs, formerly the GTVHacker group, said users weren't pleased with the response and in turn decided to take another crack at analyzing the device for vulnerabilities. On Saturday, the group publicly disclosed a remote code execution bug it found in the SNH-1011 Smartcam, and cautioned that it likely exists in all Samsung Smartcam devices. "The vulnerability occurs because of improper sanitization of the iWatch firmware update filename," the group wrote in a technical description of the vulnerability that also included a proof-of-concept exploit and instructions on how to patch the flaw. "A specially crafted request allows an attacker the ability to inject his own command providing the attacker remote root command execution." A request for comment from Samsung was not returned in time for publication. A Samsung contact told Threatpost that the vulnerability affects only the SNH-1011 model and that it will be removed in an upcoming firmware update. The Exploitee.rs said they were motivated to look further at the cameras because of Samsung's response to their first disclosure. "This angered a number of users and crippled the device from being used in any DIY monitoring solutions.
So, we decided to audit the device once more to see if there is a way we can give users back access to their cameras while at the same time verifying the security of the device's new firmware." The original response looks especially weak in a climate where connected devices are being especially scrutinized for their security. "While this flaw by default would not directly allow attacks from the Internet suitable for something like Mirai, it would be pretty trivial to use CSRF to infect devices on home networks," Tripwire principal security researcher Craig Young said. "It is always disappointing when a vendor eliminates features rather than fixing vulnerabilities, as was the case in this camera." While the original issue from 2014 has been addressed, the Exploitee.rs wrote that what remains of the web interface includes a set of PHP scripts that allow the camera's firmware to be updated through the iWatch webcam monitoring service. "These scripts contain a command injection bug that can be leveraged for root remote command execution to an unprivileged user," they said. The researchers said the flaw in iWatch can be exploited through a special filename stored in a tar command that is passed to a PHP system call. "Because the web-server runs as root, the filename is user supplied, and the input is used without sanitization, we are able to inject our own commands within to achieve root remote command execution," they said. ASUS patched a bug that allowed attackers to pair two vulnerabilities to gain direct router access and execute commands as root.
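The Smartcam bug above is the textbook shape of command injection: a user-supplied filename is spliced into a `tar` command string that is then handed to a shell via `system()`. The following is an added example written for this page, not the camera's PHP code or the Exploitee.rs proof of concept; it is in Python rather than PHP so the pattern can be exercised directly. It shows the unsafe string construction next to a hardened version that allowlists the filename and passes an argument vector to the process with no shell in between. `UPDATE_DIR`, `EXTRACT_DIR`, the allowlist regex and the sample filenames are assumptions.

```python
import re
import subprocess
from typing import List, Optional

UPDATE_DIR = "/tmp/updates"            # assumption: where uploaded firmware bundles land
EXTRACT_DIR = "/tmp/updates/extracted"  # assumption: where they are unpacked

# Allowlist for update bundle names: must start with an alphanumeric character
# (so it can never be parsed as a command-line option), then a short run of
# safe characters. No slashes, spaces, quotes or shell metacharacters.
FILENAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def vulnerable_tar_command(filename: str) -> str:
    """The unsafe pattern the article describes: the filename is interpolated
    into a shell command string that would be handed to system(). Returned as
    a string here so it can be inspected; it is never executed."""
    return f"tar -xf {UPDATE_DIR}/{filename} -C {EXTRACT_DIR}"


def safe_tar_argv(filename: str) -> Optional[List[str]]:
    """Hardened: validate the name against the allowlist and build an argv
    list, so no shell ever interprets it. Returns None when the name is
    rejected; the caller should log that and refuse the update."""
    if not FILENAME_RE.fullmatch(filename):
        return None
    return ["tar", "-xf", f"{UPDATE_DIR}/{filename}", "-C", EXTRACT_DIR]


def extract_update(filename: str) -> bool:
    """Run the hardened extraction; False means rejected or tar failed."""
    argv = safe_tar_argv(filename)
    if argv is None:
        return False
    # shell=False: the list goes straight to execve, metacharacters stay literal.
    result = subprocess.run(argv, shell=False, check=False, capture_output=True)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample names: one legitimate, three that must be rejected.
    for name in ["fw_v1.2.tar", "fw.tar; echo injected", "../../etc/passwd", "-rf"]:
        print(f"{name!r:28} vulnerable -> {vulnerable_tar_command(name)!r}")
        print(f"{'':28} hardened   -> {safe_tar_argv(name)}")
```

Two points the article makes are worth keeping in mind alongside this: the allowlist and argv approach stops the injection, but it does nothing about the other half of the problem, the web server running as root; the update handler should run as an unprivileged account and be granted only what it needs to write into `EXTRACT_DIR`. Removing the web interface altogether, Samsung's original response, is the option the researchers objected to.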
IP cameras manufactured by Chinese vendor Foscam are riddled with security flaws that allow an attacker to take over the device and penetrate your network. The issues came to light yesterday when Finnish cyber-security firm F-Secure published its findings after Foscam failed to answer bug reports and patch its firmware. Below is a list of 18 vulnerabilities researchers discovered in Foscam IP cameras: The variety of issues F-Secure researchers discovered means there are multiple ways an attacker can hack one of these devices and use it for various operations. "For example, an attacker can view the video feed, control the camera operation, and upload and download files from the built-in FTP server," F-Secure says. "They can stop or freeze the video feed, and use the compromised device for further actions such as DDoS or other malicious activity." "If the device is in a corporate local area network, and the attacker gains access to the network, they can compromise the device and infect it with persistent remote access malware. The malware would then allow the attacker unfettered access to the corporate network and the associated resources," researchers added. F-Secure researchers say all these vulnerabilities have been confirmed in Foscam C2 models, but also in the Opticam i5, an IP camera sold by another vendor but based on a white-label Foscam device. In fact, researchers suspect that Foscam has sold the vulnerable IP camera model as a white-label product, which other companies bought, plastered their logo on top of, and resold as their own devices.
F-Secure says it identified 14 other vendors that sell Foscam-made cameras, but it has not tested their products as of yet. F-Secure recommends that network administrators remove any Foscam-made IP camera from their network until the Chinese company patches its firmware.
A case involving software vulnerabilities in medical electronics reveals the inability of both the health care sector and federal regulators to swiftly address cybersecurity problems. This past fall, an investment firm rattled the health care industry with unsubstantiated claims of multiple software vulnerabilities in internet-connected pacemakers and cardiac defibrillators. But it took federal authorities who regulate medical devices four months to acknowledge only one of the alleged defects, and for the company, St. Jude Medical, to patch it. The delayed response to a problem that could potentially put patients at risk raises many questions about why it took so long for the government to act, and what it will take for the health care industry to respond more swiftly to bugs in medical equipment increasingly connected to the internet. "Software is never perfect and all systems still will have these flaws," says Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council and an expert on medical device security. "The question is how gracefully and collaboratively and quickly and safely can we respond to these flaws." In this particular case, legal action as well as the unusual way the St. Jude vulnerabilities came to light may have stifled the response. A cybersecurity firm called MedSec initially discovered the problems in the St. Jude devices and tipped off the activist investment firm Muddy Waters, which publicized the flaws and advised clients to bet against the health care firm's stock. As a result, St. Jude lodged a defamation lawsuit against MedSec and Muddy Waters, denying many of the alleged glitches in its pacemaker and implantable defibrillator systems.
"In theory, most disclosures now should take about 60 days to get to some clarity or resolution," said Corman. "In part, because of the contentious nature and the lawyers involved in this particular one, it took about five months." Last week, the Food and Drug Administration along with the Department of Homeland Security confirmed at least some of MedSec's findings and reported a flaw in the St. Jude Merlin@home transmitter, an at-home computer that sends data from cardiac implants to the patient's medical team. The flaw could have allowed malicious hackers to remotely exhaust an implant's battery power or potentially harm the patient. St. Jude spokeswoman Candace Steele Flippin said in an emailed statement that following the release of Muddy Waters' claims in August, the device manufacturer "carefully reviewed the claims in these reports along with our existing plans for our cyber ecosystem," evaluated them with FDA, DHS, and outside security researchers, and then identified the improvements announced on Jan. 9 and noted further enhancements "we will be making in the coming months." But Muddy Waters said the problems may take as long as two years to fix. Carson Block, the firm's founder, said this week the root causes of the vulnerabilities demand a change to firmware inside the St. Jude implants themselves. The firm said in a statement, "these issues have just been given a quick fix by St. Jude with the government's blessing and cardiologists should go with other pacemaker manufacturers since they are much better on cybersecurity."
It's important to note that all the players in this medical legal drama, as well as the Veterans Affairs Department, which buys St. Jude devices, say there have been no reports of patient harm related to the cybersecurity vulnerabilities reported in late August. In fact, the VA in recent months has continued paying for operations involving St. Jude devices, according to contract documents. Ever since the US government and St. Jude confirmed the one flaw, the VA has been "taking steps to be sure all our patients and providers are aware of this issue and take appropriate actions to be sure that all our patients get the update for their monitor," said Merritt Raitt, acting director of the VA National Cardiac Device Surveillance Program. The controversy could have been partly avoided, perhaps, if St. Jude and MedSec had followed new federal regulations for medical device security that encourage manufacturers to be more proactive about addressing potential vulnerabilities. A week before federal regulators publicized the one St. Jude glitch on Jan. 9, they announced the completion of a 2016 draft policy that might have yielded multiple fixes in two months without anyone resorting to public shaming or legal action. On Jan. 4, DHS circulated the final Food and Drug Administration (FDA) cybersecurity guidelines for monitoring networked medical devices on the market, which threaten manufacturers with penalties such as a recall unless they cooperate with bug hunters to patch vulnerabilities within 60 days. Corman recommends that providers, including the VA, heed all the literature that's been published on the St. Jude glitches, including a DHS technical advisory, an FDA security communication, the MedSec report, and guidance written by Bishop Fox, a cybersecurity consultancy Muddy Waters hired in response to the lawsuit. "Just understand that the FDA and DHS do need to get the ground truth, that security researcher claims do need to be validated through the normal regulatory process," he says.
That lingering Heartbleed flaw recently discovered in 200,000 devices is more insidious than that number indicates. According to a report posted by Shodan, the Heartbleed vulnerability first exposed in April 2014 was still found in 199,594 internet-accessible devices during a scan it performed last weekend. But according to open-source security firm Black Duck, about 11% of the more than 200 applications it audited between October 2015 and March 2016 contained the flaw, which enables a buffer over-read that endangers data from clients and servers running affected versions of OpenSSL. The company's vice president of security strategy, Mike Pittenger, says it's likely most of those machines have been remediated, but that doesn't address the countless other applications (commercial and proprietary) that Black Duck didn't audit. "However, I would not extrapolate that to say 11% of all commercial applications were vulnerable to Heartbleed at that time." That 11% is a number from the company's last published report. In a new report due out next month that hasn't been wrapped up yet, that number is likely to dip into the single digits, but it is still significant. The problem is that commercial software in general uses a great deal of open source code (35% on average) and the authors of that software don't necessarily have processes in place to track when vulnerabilities are found in that code and then patch them, he says. He says Black Duck's study finds that two-thirds of these applications have open-source vulnerabilities of one kind or another and that those vulnerabilities average 5 years old.
In regard to Heartbleed in particular, he says the reports draw on anonymized data about its audits, so they don't reveal the specific applications in which the Heartbleed vulnerability was found. Running vulnerable applications in a regulated environment could have consequences for the enterprises using them, he says, because the security threat they represent could violate HIPAA or PCI security and privacy requirements. The Shodan report on the prevalence of Heartbleed showed that the individual entities hosting the largest number of Heartbleed-vulnerable devices were service providers. That may be because these machines were set up a while ago and are no longer in use but were never taken offline, Pittenger says.
The Internet Systems Consortium patched the BIND domain name system software this week, addressing a remotely exploitable vulnerability it considers high severity and said could lead to a crash. The issue affects servers that use both the DNS64 and RPZ functions simultaneously. DNS64 is a mechanism for synthesizing AAAA records from A records. It's traditionally used to allow IPv6-only clients to receive IPv6 addresses that are proxied to IPv4 addresses. The RPZ (Response Policy Zones) mechanism is used by Domain Name System recursive resolvers to allow for the customized handling of the resolution of collections of domain name information. Versions 9.8.8, 9.9.3-S1, 9.9.3, 9.9.10b1, 9.10.0, 9.10.5b1, and 9.11.0 are all considered vulnerable, according to the ISC. When servers use both mechanisms simultaneously, a vulnerability (CVE-2017-3135) that stems from query processing could result in an inconsistent state, triggering either an INSIST assertion failure or an attempt to read through a NULL pointer, according to a security advisory published Wednesday. The INSIST assertion failure could lead to a subsequent abort, ISC said, while the NULL pointer read in some instances can lead to a segmentation fault, which causes the process to be terminated. Ramesh Damodaran and Aliaksandr Shubnik, engineers at Infoblox, a Silicon Valley firm that does DNS, DHCP and IP address management, uncovered the vulnerability and reported it to the ISC. Damodaran previously helped identify an unspecified packet processing remote denial of service vulnerability in BIND 9.
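The advisory above turns on DNS64, so it helps to see what that synthesis step actually does before reading about a crash in it. The following added example, written for this page and not taken from BIND or the ISC advisory, implements the address mapping from RFC 6052 with the well-known `64:ff9b::/96` prefix and a minimal resolver decision: answer with a native AAAA record when one exists, synthesize from A records only when none does. The constructed zone data, the name `dns64_answer` and the restriction to /96 prefixes are assumptions; it does not model RPZ or the inconsistent state the advisory describes.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 6052 well-known prefix; a deployment may use its own /96 instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed zone data (not real DNS): name -> rrtype -> list of rdata strings.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "v4only.example.test": {"A": ["192.0.2.1"]},
    "dual.example.test": {"A": ["198.51.100.7"], "AAAA": ["2001:db8::7"]},
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> Optional[str]:
    """Inverse mapping, as a NAT64 gateway would do it. None if not inside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(
    name: str, records: Dict[str, Dict[str, List[str]]]
) -> Tuple[List[str], str]:
    """Resolver-side DNS64 decision for an AAAA query.
    Returns (answers, how) where how is 'native', 'synthesized' or 'none'."""
    rrsets = records.get(name, {})
    if rrsets.get("AAAA"):
        return list(rrsets["AAAA"]), "native"   # real IPv6 wins; no synthesis
    if rrsets.get("A"):
        return [synthesize_aaaa(a) for a in rrsets["A"]], "synthesized"
    return [], "none"


if __name__ == "__main__":
    for qname in ["v4only.example.test", "dual.example.test", "missing.example.test"]:
        print(qname, dns64_answer(qname, ZONE))
```

The two code paths in `dns64_answer` (a native answer versus a synthesized one) are exactly the kind of branching that has to stay consistent with any other module, such as RPZ, that rewrites or replaces answers during the same query; the advisory's "inconsistent state" is a failure of that kind of coordination, and the mitigation it implies is to apply the patch or to avoid enabling both features on the same server until it is applied.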
The Internet Systems Consortium patched the BIND domain name system software this week, addressing what it calls a critical error condition in the software. Researchers find industrial control system malware similar to BlackEnergy, Havex, and Stuxnet going undetected on Google's VirusTotal for years. The Internet Systems Consortium (ISC) announced it is planning to patch versions of its DHCP software to mitigate a denial of service vulnerability.