Microsoft today issued Vulnerability-related.PatchVulnerability an emergency security update to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability earlier this month to correct Vulnerability-related.PatchVulnerability a security update it issued Vulnerability-related.PatchVulnerability in January and February . In January and February , Redmond emitted Vulnerability-related.PatchVulnerability fixes for Windows 7 and Server 2008 R2 machines to counter Vulnerability-related.PatchVulnerability the Meltdown chip-level vulnerability in modern Intel x64 processors . Unfortunately , those patches blew Vulnerability-related.PatchVulnerability a gaping hole in the operating systems : normal applications and logged-in users could now access and modify any part of physical RAM , and gain complete control over a box , with the updates installed . Rather than stop programs and non-administrators from exploiting Meltdown to extract Attack.Databreach passwords and other secrets from protected kernel memory , the fixes on Windows 7 and Server 2008 R2 instead granted full read-write privileges to system RAM . Roll on March , and Microsoft pushed out Vulnerability-related.PatchVulnerability fixes on Patch Tuesday to correct Vulnerability-related.PatchVulnerability those January and February updates to close Vulnerability-related.PatchVulnerability the security vulnerability it accidentally opened . Except that March update did n't fully seal Vulnerability-related.PatchVulnerability the deal : the bug remained in Vulnerability-related.DiscoverVulnerability the kernel , and was exploitable by malicious software and users . Total Meltdown Now , if you 're using Windows 7 or Server 2008 R2 and have applied Vulnerability-related.PatchVulnerability Microsoft 's Meltdown patches , you 'll want to grab and install Vulnerability-related.PatchVulnerability today 's out-of-band update for CVE-2018-1038 . Swedish researcher Ulf Frisk discovered Vulnerability-related.DiscoverVulnerability the January and February Meltdown mitigations for Win7 and Server 2008 R2 were broken , and went public Vulnerability-related.DiscoverVulnerability with his findings once the March Patch Tuesday had kicked off . As it turns out , this month 's updates did not fully fix Vulnerability-related.PatchVulnerability things , and Microsoft has had to scramble to remedy Vulnerability-related.PatchVulnerability what was now a zero-day vulnerability in Windows 7 and Server 2008 . In other words , Microsoft has just had to put out Vulnerability-related.PatchVulnerability a patch for a patch for a patch . Hardly inspiring stuff , but we suppose the old Microsoft adage remains true – never trust a Redmond product until version three at the earliest . On the other hand , writing kernel-level memory management code is an absolute bastard at times , so you have to afford the devs some sympathy .

Another critical security hole has been found Vulnerability-related.DiscoverVulnerability in Apache Struts 2 , requiring an immediate update . The vulnerability – CVE-2018-11776 – affects Vulnerability-related.DiscoverVulnerability core code and allows miscreants to pull off remote code execution against vulnerable servers and websites . It affects Vulnerability-related.DiscoverVulnerability all versions of Struts 2 , the popular open-source framework for Java web apps . The Apache Software Foundation has `` urgently advised '' anyone using Struts to update Vulnerability-related.PatchVulnerability to the latest version immediately , noting that the last time a critical hole was found Vulnerability-related.DiscoverVulnerability , the holes were being exploited Vulnerability-related.DiscoverVulnerability in the wild just a day later . In other words , if you delay in patching Vulnerability-related.PatchVulnerability , your organization will be compromised in short order via this bug , if you are running vulnerable systems . It was that earlier flaw that led to a nightmare data breach Attack.Databreach from credit company Equifax after it failed to patch Vulnerability-related.PatchVulnerability swiftly enough . The details of nearly 150 million people were exposed Attack.Databreach , costing the company more than $ 600m , so this is not something to be taken lightly . The company that discovered Vulnerability-related.DiscoverVulnerability the vulnerability – Semmle Security Research Team – warns that this latest one is actually worse that the one last year , which it also found Vulnerability-related.DiscoverVulnerability . It has published a blog post with more information . Semmle found Vulnerability-related.DiscoverVulnerability the hole back in April and reported Vulnerability-related.DiscoverVulnerability it to Apache , which put out Vulnerability-related.PatchVulnerability a patch in June that it has now pulled Vulnerability-related.PatchVulnerability into formal updates ( 2.3.35 for those using version 2.3 and 2.5.17 for those on 2.5 ) . As mentioned , the vulnerability is in the core code and does n't require additional plugins to work . It is caused by insufficient validation of untrusted user data in the core of the Struts framework , and can be exploited in several different ways . Semmle says it has identified two different vectors but warns there may be others . Since it can be used remotely and due to the fact that Struts is typically used to create applications that are on the public internet , hackers are going to be especially focused on exploiting it so they can gain access to corporate networks . And there are some big targets out there : Apache Struts is extremely common with most large corporations using it somewhere in their systems for web apps . Semmle 's VP of engineering , Pavel Avgustinov , had this to say about the hole on Wednesday this week : `` Critical remote code execution vulnerabilities like the one that affected Vulnerability-related.DiscoverVulnerability Equifax and the one we announced today are incredibly dangerous for several reasons : Struts is used for publicly-accessible customer-facing websites , vulnerable systems are easily identified , and the flaw is easy to exploit Vulnerability-related.DiscoverVulnerability . A hacker can find their way in within minutes , and exfiltrate Attack.Databreach data or stage further attacks from the compromised system . It ’ s crucially important to update affected systems immediately ; to wait is to take an irresponsible risk . '' This is very far from the first time that big security holes have been found Vulnerability-related.DiscoverVulnerability in Struts , leading some to recommend that people simply stop using it .

The National Security Agency warned Vulnerability-related.DiscoverVulnerability Microsoft about a vulnerability in Windows after a hacker group began to leak hacking tools used by the agency online , the Washington Post reported late Tuesday . The vulnerability has been the center of attention in recent days , following the outbreak of the global “Wanna Cry” ransomware attack Attack.Ransom that crippled Britain ’ s hospital system and has spread to at least 150 countries . The ransomware is widely believed to be based on an alleged NSA hacking tool leaked by the group Shadow Brokers earlier this year . The government has not publicly acknowledged that the NSA developed the tool . “ NSA identified a risk and communicated it to Microsoft , who put out Vulnerability-related.PatchVulnerability an immediate patch , ” Mike McNerney , a former Defense Department cybersecurity official , told the Post . McNerney said , however , that no top government official emphasized the seriousness of the vulnerability . Microsoft issued Vulnerability-related.PatchVulnerability a patch for its supported systems in March , weeks before Shadow Brokers released the exploit , but many computer systems around the world remained unpatched , leaving them vulnerable to the latest ransomware attack Attack.Ransom . The ransomware campaign has been less devastating to the United States than other countries , but has affected some American companies including FedEx . The events have renewed debate over the secretive process by which the federal government decides whether to disclose Vulnerability-related.DiscoverVulnerability a zero-day vulnerability to the product ’ s manufacturer , as well as spurring scrutiny of the NSA . Microsoft president and chief legal officer Brad Smith said Sunday that the ransomware attack Attack.Ransom should serve as a “ wake-up call ” to governments not to hoard vulnerabilities . On Wednesday , a bipartisan group of lawmakers introduced legislation that would codify what is known as the vulnerabilities equities process into law , bringing more transparency and oversight to it . View the discussion thread .