Jann Horn , the Google Project Zero researcher who discovered Vulnerability-related.DiscoverVulnerability the Meltdown and Spectre CPU flaws , has a few words for maintainers of Ubuntu and Debian : raise your game on merging kernel security fixes , you 're leaving users exposed for weeks . Horn earlier this week released an `` ugly exploit '' for Ubuntu 18.04 , which `` takes about an hour to run before popping a root shell '' . The kernel bug is a cache invalidation flaw in Linux memory management that has been tagged as Vulnerability-related.DiscoverVulnerability CVE-2018-17182 , reported Vulnerability-related.DiscoverVulnerability to Linux kernel maintainers on September 12 . Linux founder Linus Torvalds fixed Vulnerability-related.PatchVulnerability it in his upstream kernel tree two weeks ago , an impressively fast single day after Horn reported Vulnerability-related.DiscoverVulnerability the issue . And within days it was also fixed Vulnerability-related.PatchVulnerability in the upstream stable kernel releases 4.18.9 , 4.14.71 , 4.9.128 , and 4.4.157 . There 's also a fix in release 3.16.58 . However , end users of Linux distributions are n't protected until each distribution merges the changes from upstream stable kernels , and then users install that updated release Vulnerability-related.PatchVulnerability . Between those two points , the issue also gets exposure on public Vulnerability-related.DiscoverVulnerability mailing lists , giving both Linux distributions and would-be attackers a chance to take action . `` The security issue was announced Vulnerability-related.DiscoverVulnerability on the oss-security mailing list on 2018-09-18 , with a CVE allocation on 2018-09-19 , making the need to ship new distribution kernels to users clearer , '' Horn wrote in a Project Zero post published Vulnerability-related.DiscoverVulnerability Wednesday . But as he noted , as of Wednesday , Debian stable and Ubuntu releases 16.04 and 18.04 had not fixed Vulnerability-related.PatchVulnerability the issue , with the latest kernel update occurring around a month earlier . This means there 's a gap of several weeks between the flaw being publicly disclosed Vulnerability-related.DiscoverVulnerability and fixes reaching end users . However , the Fedora project was a little faster , pushing Vulnerability-related.PatchVulnerability a fix to users on 22 September . Canonical , the UK company that maintains Ubuntu , has since responded to Horn 's blog , and says fixes `` should be released Vulnerability-related.PatchVulnerability `` around Monday , October 1 . This is unlikely to be the last kernel bug Project Zero researchers find , and unless Ubuntu and other Linux distributions get their act together on upstream kernel fixes , they can expect to be named and shamed again .

It is – or it should be – a well known fact that attackers occasionally email potential victims with PDF attachments containing malware or exploit code . But the latest attacks Attack.Phishing through PDF attachments are geared towards pushing Attack.Phishing users to enter their email account credentials into well-crafted phishing pages . Microsoft security experts saw a lot of variants of the same attack Attack.Phishing , and they all start Attack.Phishing with spoofed emails supposedly delivering asked-for documents . In one variation , the PDF makes it look like there has been an error , and the document can only be displayed with Microsoft Excel . But instead of actually opening it with their own software , potential victims are urged to open it by following the link offered in the PDF : If they do that , they will be redirected to a web page that makes it seem like the document can only be opened if the user signs in with their email credentials . In another variant , the PDF urges users to click on a link that will supposedly allow them to view a Dropbox-hosted document online . “ Social engineering attacks are designed to take advantage of possible lapses in decision-making . Awareness is key ; that is why we ’ re making these cybercriminal tactics known , ” Microsoft ’ s Alden Pornasdoro explained . “ In these times , when we ’ re seeing heightened phishing attacks Attack.Phishing with improved social engineering techniques , a little bit of paranoia doesn ’ t hurt . For instance , question why Adobe Reader is trying to open an Excel file .