Oracle released Vulnerability-related.PatchVulnerability its latest Critical Patch Update on July 18 , fixing Vulnerability-related.PatchVulnerability 334 vulnerabilities across the company 's product portfolio . The company rated 61 of the vulnerabilities as having critical impact . Among the products patched Vulnerability-related.PatchVulnerability by Oracle are Oracle Database Server , Oracle Global Lifecycle Management , Oracle Fusion Middleware , Oracle E-Business Suite , Oracle PeopleSoft , Oracle Siebel CRM , Oracle Industry Applications , Oracle Java SE , Oracle Virtualization , Oracle MySQL and Oracle Sun Systems Products Suite . While there are issues of varying severity in the update , Oracle is blaming third-party components as being the cause of the majority of the critical issues . `` It is fair to note that bugs in third-party components make up a disproportionate amount of severe vulnerabilities in this Critical Patch Update , '' Eric Maurice , director of security assurance at Oracle , wrote in a blog post . `` 90 percent of the critical vulnerabilities addressed Vulnerability-related.PatchVulnerability in this Critical Patch Update are for non-Oracle CVEs . '' Of the 334 issues fixed Vulnerability-related.PatchVulnerability in the July Critical Patch Update , 37 percent were for third-party components included in Oracle product distributions . While many flaws were from third-party libraries , there were also flaws in Oracle 's own development efforts . Oracle 's namesake database was patched Vulnerability-related.PatchVulnerability for three issues , one of which is remotely exploitable without user authentication . Oracle 's Financial Services application received Vulnerability-related.PatchVulnerability the highest total number of patches at 56 , with 21 identified as being remotely exploitable without user authentication . Oracle 's Fusion Middleware , on the other hand , got Vulnerability-related.PatchVulnerability 44 new security fixes , with 38 of them rated as being critical . Oracle Enterprise Manager Products were patched Vulnerability-related.PatchVulnerability for 16 issues , all of which are remotely exploitable without authentication . Looking at flaws in Java , Oracle 's July CPU provides Vulnerability-related.PatchVulnerability eight security fixes , though organizations likely need to be cautious when applying Vulnerability-related.PatchVulnerability the patches , as certain functionality has been removed . `` Several actions taken to fix Vulnerability-related.PatchVulnerability Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications , '' security firm Waratek warned in an advisory . `` Application owners who apply Vulnerability-related.PatchVulnerability binary patches should be extremely cautious and thoroughly test their applications before putting Vulnerability-related.PatchVulnerability patches into production . '' The reason why the Oracle fixes could break application functionality is because Oracle has decided to remove multiple vulnerable components from its Java Development Kit ( JDK ) . At 334 fixed flaws , the July update is larger than last Critical Patch Update released Vulnerability-related.PatchVulnerability on Jan 15 , which provided Vulnerability-related.PatchVulnerability patches for 237 flaws . While the number of patches issues has grown , Matias Mevied , Oracle security researcher at Onapsis , commented that Oracle is working in the right way , fixing Vulnerability-related.PatchVulnerability the reported vulnerabilities and is getting faster every year . `` Unfortunately , based in our experience , the missing part is that the companies still do n't implement the patches as soon as they should be , '' Mevied told eWEEK .

Published December 7 , 2016 5:50 pm in Adobe , Adobe Flash , Malware , Ransomware , Vulnerability 0 Of the top 10 vulnerabilities incorporated by exploit kits in 2016 , six of them ( rather unsurprisingly ) affected Adobe Flash Player . Real-time threat intelligence provider Recorded Future arrived at those findings by analyzing thousands of sources including information security blogs and deep web forum postings . Recorded Future then ranked Vulnerability-related.DiscoverVulnerability each vulnerability based upon how many web references linked the bug to at least one of 141 exploit kits , malicious software packages like Neutrino and RIG which abuse security flaws to infect users with TrickBot and other malware . Recorded Future found Vulnerability-related.DiscoverVulnerability the most references to CVE-2016-0189 , a vulnerability affecting Internet Explorer . More than 700 web sources linked the bug to the Magnitude , RIG , Neutrino , and Sundown exploit kits . But when it came to actual links with exploit kits , Adobe Flash Player cleaned house . In total , six Adobe Flash Player vulnerabilities appeared Vulnerability-related.DiscoverVulnerability in the top 10 list . Two of those ( CVE-2016-1o1o and CVE-2015-8446 ) bonded with the late Angler exploit kit . Another three ( CVE-2016-1019 , CVE-2016-4117 , and CVE-2015-8651 ) connected to at least three exploit kits . Overall , the regrettable honor of integration with the most exploit kits goes to CVE-2015-7645 , a flaw which a mere 70 web sources linked to seven different packages : Neutrino , Angler , Magnitude , RIG , Nuclear Pack , Spartan , and Hunter . Recorded Future provides Vulnerability-related.DiscoverVulnerability some background on why this vulnerability likely received so many linkages : `` CVE-2015-7645 impacts Windows , Mac , and Linux operating systems , which makes it extremely versatile . Per Adobe , it can be used to take control of the affected system . Additionally , it was the first zero-day exploit discovered Vulnerability-related.DiscoverVulnerability after Adobe introduced Vulnerability-related.PatchVulnerability new security mitigations , and as such , it was quickly adopted as many other older exploits ceased working on machines with newer Flash versions . The vulnerability was also noted as being used by Pawn Storm ( APT28 , Fancy Bear ) , a Russian government-backed espionage group . '' To protect against RIG and the others from exploiting some of these vulnerabilities on your machine , you should patch Vulnerability-related.PatchVulnerability your system regularly , install a reputable anti-virus solution , and install an ad-blocker . There 's no hope when it comes to Adobe Flash Player . It seems like new bugs are emerging Vulnerability-related.DiscoverVulnerability every day , which makes patch management Vulnerability-related.PatchVulnerability a serious headache . If you can , you should uninstall Adobe Flash Player from your computer as soon as possible .

SEATTLE — When malicious software first became a serious problem on the internet about 15 years ago , most people agreed that the biggest villain , after the authors of the damaging code , was Microsoft . As a new cyberattack continues to sweep across the globe , the company is once again at the center of the debate over who is to blame for a vicious strain of malware demanding ransom Attack.Ransom from victims in exchange for the unlocking of their digital files . This time , though , Microsoft believes others should share responsibility for the attack , an assault that targeted flaws in the Windows operating system . On Sunday , Brad Smith , Microsoft ’ s president and chief legal officer , wrote a blog post describing the company ’ s efforts to stop the ransomware ’ s spread , including an unusual step it took to release Vulnerability-related.PatchVulnerability a security update for versions of Windows that Microsoft no longer supports . Mr. Smith wrote , “ As a technology company , we at Microsoft have the first responsibility to address Vulnerability-related.PatchVulnerability these issues. ” He went on , though , to emphasize that the attack had demonstrated the “ degree to which cybersecurity has become a shared responsibility between tech companies and customers , ” the latter of whom must update their systems if they want to be protected . He also pointed his finger at intelligence services , since the latest vulnerability appeared to have been leaked from the National Security Agency . On Monday , a Microsoft spokesman declined to comment beyond Mr. Smith ’ s post . Microsoft has recognized the risk that cybersecurity poses to it since about 2002 , when Bill Gates , the former chief executive , issued a call to arms inside the company after a wave of malicious software began infecting Windows PCs connected to the internet . “ As software has become ever more complex , interdependent and interconnected , our reputation as a company has in turn become more vulnerable , ” Mr. Gates wrote in an email to employees identifying trustworthy computing as Microsoft ’ s top priority . “ Flaws in a single Microsoft product , service or policy not only affect Vulnerability-related.DiscoverVulnerability the quality of our platform and services overall , but also our customers ’ view of us as a company. ” Since then , the company has poured billions of dollars into security initiatives , employing more than 3,500 engineers dedicated to security . In March , it released Vulnerability-related.PatchVulnerability a software patch that addressed Vulnerability-related.PatchVulnerability the vulnerability exploited by the ransomware , known as WannaCry , protecting systems such as Windows 10 , its latest operating system . Yet security flaws in older editions of Windows persist . The company no longer provides Vulnerability-related.PatchVulnerability regular software updates to Windows XP , a version first released in 2001 , unless customers pay for “ custom support , ” a practice some observers believe has put users at risk . Late Friday , Microsoft took the unusual step of making patches Vulnerability-related.PatchVulnerability that protect older systems against WannaCry , including Windows XP , free . “ Companies like Microsoft should discard the idea that they can abandon people using older software , ” Zeynep Tufekci , an associate professor at the school of information and library science at the University of North Carolina , wrote in a New York Times opinion piece over the weekend . “ The money they made from these customers hasn ’ t expired ; neither has their responsibility to fix defects. ” But security experts challenged that argument , saying that Microsoft could not be expected to keep updating old software products indefinitely . Providing Vulnerability-related.PatchVulnerability updates to older systems could make computers more insecure by removing an incentive for users to modernize , Mikko Hypponen , the chief research officer of F-Secure , a security firm . “ I can understand why they issued Vulnerability-related.PatchVulnerability an emergency patch for XP after WannaCry was found , but in general , we should just let XP die , ” Mr. Hypponen said .

In a string of attacks that have escalated over the past 48 hours , hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks , government agencies , and large Internet companies . The code-execution bug resides in Vulnerability-related.DiscoverVulnerability the Apache Struts 2 Web application framework and is trivial to exploit . Although maintainers of the open source project patched Vulnerability-related.PatchVulnerability the vulnerability on Monday , it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update , researchers are warning Vulnerability-related.DiscoverVulnerability . Making matters worse , at least two working exploits are publicly available . `` We have dedicated hours to reporting to companies , governments , manufacturers , and even individuals to patch Vulnerability-related.PatchVulnerability and correct the vulnerability as soon as possible , but the exploit has already jumped to the big pages of 'advisories , ' and massive attempts to exploit the Internet have already been observed . '' Researchers at Cisco Systems said they are seeing a `` high number of exploitation events '' by hackers attempting to carry out a variety of malicious acts . One series of commands that attackers are injecting into webpages stops the firewall protecting the server and then downloads and executes malware of the attacker 's choice . The payloads include `` IRC bouncers , '' which allow the attackers to hide their real IP address during Internet chats ; denial-of-service bots ; and various other packages that conscript a server into a botnet . `` These are several of the many examples of attacks we are currently observing and blocking , '' Cisco 's Nick Biasini wrote . `` They fall into two broad categories : probing and malware distribution . The payloads being delivered vary considerably , and to their credit , many of the sites have already been taken down and the payloads are no longer available . '' The vulnerability resides in Vulnerability-related.DiscoverVulnerability what 's known as the Jakarta file upload multipart parser , which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function . Apache Struts versions affected by Vulnerability-related.DiscoverVulnerability the vulnerability include Struts 2.3.5 through 2.3.31 , and 2.5 through 2.5.10 . Servers running any of these versions should upgrade to Vulnerability-related.PatchVulnerability 2.3.32 or 2.5.10.1 immediately . It 's not clear why the vulnerability is being exploited Vulnerability-related.DiscoverVulnerability so widely 48 hours after a patch was released Vulnerability-related.PatchVulnerability . One possibility is that the Apache Struts maintainers did n't adequately communicate the risk . Although they categorize Vulnerability-related.DiscoverVulnerability the vulnerability security rating as high , they also describe Vulnerability-related.DiscoverVulnerability it as posing a `` possible remote code execution '' risk . Outside researchers , meanwhile , have said the exploits are trivial to carry out , are highly reliable , and require no authentication . It 's also easy to scan the Internet for vulnerable servers . It 's also possible to exploit the bug even if a Web application does n't implement file upload functionality . Update 3/9/2017 10:07 California time : In a comment to this post , Ars Technology Editor Peter Bright provides Vulnerability-related.PatchVulnerability a much more plausible explanation for the delay in patching Vulnerability-related.PatchVulnerability this highly critical vulnerability . Most bug fixes Vulnerability-related.PatchVulnerability , he pointed out , require downloading and installing a patch , possibly rebooting a machine , and being done with it .