in March . Ransomware is no longer just a nuisance . Now it 's quite literally a matter of life and death . A massive ransomware attackAttack.Ransombeing labeled as `` WannaCryAttack.Ransom`` has been reported around the world and is responsible for shutting down hospitals in the United Kingdom and encrypting files at Spanish telecom firm Telefonica . The WannaCry attackAttack.Ransomis not a zero-day flaw , but rather is based on an exploit that Microsoft patchedVulnerability-related.PatchVulnerabilitywith its MS17-010 advisory on March 14 in the SMB Server . However , Microsoft did not highlightVulnerability-related.DiscoverVulnerabilitythe SMB flaw until April 14 , when a hacker group known as the Shadow Brokers releasedVulnerability-related.DiscoverVulnerabilitya set of exploits , allegedly stolenAttack.Databreachfrom the U.S.National Security Agency . SMB , or Server Message Block , is a critical protocol used by Windows to enable file and folder sharing . It 's also the protocol that today 's WannaCry attackAttack.Ransomis exploiting to rapidly spread from one host to the next around the world , literally at the speed of light . The attack is what is known as a worm , `` slithering '' from one host to the next on connected networks . Among the first large organizations to be impacted by WannaCry is The National Health Service in the UK , which has publicly confirmed that it was attackedAttack.Ransomby the Wan na Decryptor. `` This attackAttack.Ransomwas not specifically targeted at the NHS and is affecting organisations from across a range of sectors , '' the NHS stated . `` At this stage we do not have any evidence that patient data has been accessedAttack.Databreach. '' Security firm Kaspersky Lab reported that by 2:30 p.m . ET May 12 it had already seen more than 45,000 WannaCry attacksAttack.Ransomin 74 countries . While the ransomware attackAttack.Ransomis making use of the SMB vulnerability to spread , the encryption of files is done by the Wanna Decryptor attackAttack.Ransomthat seeks out all files on a victim 's network . Once the ransomware has completed encrypting files , victims are presented with a screen demanding a ransomAttack.Ransom. Initially , the ransom requestedAttack.Ransomwas reported to be $ 300 worth of Bitcoin , according to Kaspersky Lab . `` Many of your documents , photos , videos , databases and other files are no longer accessible because they have been encrypted , '' the ransom note states . `` Maybe you are busy looking for a way to recover your files , but do not waste your time . Nobody can recover your files without our decryption service . '' It 's not clear who the original source of the global WannaCry attacksAttack.Ransomis at this point , or even if it 's a single threat actor or multiple actors . What is clear is that despite the fact that a software patch has been availableVulnerability-related.PatchVulnerabilitysince March for the SMB flaws , WannaCry is using tens of thousands of organizations that did n't patchVulnerability-related.PatchVulnerability.
iOS 10.3 , releasedVulnerability-related.PatchVulnerabilityto the public on Monday , patchesVulnerability-related.PatchVulnerabilitya bug that allowed bad actors to use a JavaScript pop-up in Safari in an attempt to extort moneyAttack.Ransomfrom iOS users . Security firm Lookout ( via Ars Technica ) said the scammers would target Safari users who viewed pornography by placing malicious scripts on various pornographic website that would create an endless pop-up loop that basically locked the browser , if an uninformed user didn ’ t know how to get around the flaw . The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be “ locked ” out from using Safari unless they paid a feeAttack.Ransom— or knew they could simply clear Safari ’ s cache ( see next section ) . The attack was contained within the app sandbox of the Safari browser ; no exploit code was used in this campaign , unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device . The scammers registered domains and launched the attack from the domains they owned , such as police-pay [ . ] com , which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money . The pop-ups claimed to beAttack.Phishingfrom law-enforcement personnel , and claimed the only way to get control of the browser back was to pay a fineAttack.Ransomin the form of an iTunes gift card code delivered via text message . Users actually could have gotten out of the pop-up loop by manually clearing the Safari browser cache . However , a new or otherwise uninformed user might believe they actually needed to pay the ransomAttack.Ransombefore regaining control of their browser . “ The attackers effectively used fear as a factor to get what they wanted before the victim realized that there was little actual risk , ” Lookout researchers Andrew Blaich and Jeremy Richards said . iOS 10.3 changes the way pop-up dialogs work in Safari . Previously , a pop-up dialog took over the entire Safari app . Now , pop-ups are only per tab . iOS users who are hit by the scam before updating to iOS 10.3 can clear their browsing cache by going to “ Settings ” - > “ Safari ” and tapping : “ Clear History and Website Data . ”
iOS 10.3 , releasedVulnerability-related.PatchVulnerabilityto the public this morning , fixesVulnerability-related.PatchVulnerabilitya bug that allowed scammers to attempt to extort moneyAttack.Ransomfrom iOS users through a JavaScript pop-up in Safari . As explained by mobile security firm Lookout ( via Ars Technica ) , the scammers targeted iOS users viewing pornographic material and abused JavaScript pop-ups to create an endless pop-up loop that essentially locked the browser if the user did n't know how to bypass it . Using `` scareware '' messages and posing asAttack.Phishinglaw enforcement , the scammers used the pop-ups to extort moneyAttack.Ransomin the form of iTunes gift cards from the victim , promising to unlock the browser for a sum of money . The scammers abused the handling of pop-ups in Mobile Safari in such a way that a person would be `` locked '' out from using Safari unless they paid a feeAttack.Ransomor knew they could simply clear Safari 's cache ( see next section ) . The attack was contained within the app sandbox of the Safari browser ; no exploit code was used in this campaign , unlike an advanced attack like Pegasus that breaks out of the app sandbox to install malware on the device . The scammers registered domains and launched the attack from the domains they owned , such as police-pay [ . ] com , which the attackers apparently named with the intent of scaring users looking for certain types of material on the Internet into paying money . The endless pop-up issue could be fixed by clearing the Safari cache , but many users likely did not know they did n't need to shell out money to regain access to their browsers . Pop-up scams are no longer possible with iOS 10.3 , as Apple has changed the way pop-up dialogs work . Pop-ups are now per-tab and no longer take over the entire Safari app .
As part of its monthly Update Tuesday , Microsoft announcedVulnerability-related.PatchVulnerabilitythis week that they ’ ve releasedVulnerability-related.PatchVulnerabilitya preliminary fix for a vulnerability rated important , and present inVulnerability-related.DiscoverVulnerabilityall supported versions of Windows in circulation ( basically any client or server version of Windows from 2008 onward ) . The flaw affectsVulnerability-related.DiscoverVulnerabilitythe Credential Security Support Provider ( CredSSP ) protocol , which is used in all instances of Windows ’ Remote Desktop Protocol ( RDP ) and Remote Management ( WinRM ) . The vulnerability , CVE-2018-0886 , could allow remote code execution via a physical or wifi-based Man-in-the-Middle attack , where the attacker stealsAttack.Databreachsession data , including local user credentials , during the CredSSP authentication process . Although Microsoft saysVulnerability-related.DiscoverVulnerabilitythe bug has not yet been exploitedVulnerability-related.DiscoverVulnerability, it could cause serious damage if left unpatched . RDP is widely used in enterprise environments and an attacker who successfully exploitsVulnerability-related.DiscoverVulnerabilitythis bug could use it to gain a foothold from which to pivot and escalate . It ’ s also popular with small businesses who outsource their IT administration and , needless to say , an attacker with an admin account has all the aces . Security researchers at Preempt sayVulnerability-related.DiscoverVulnerabilitythey discovered and disclosedVulnerability-related.DiscoverVulnerabilitythis vulnerability to Microsoft last August , and Microsoft has been working since then to createVulnerability-related.PatchVulnerabilitythe patch releasedVulnerability-related.PatchVulnerabilitythis week . Now it ’ s out there , it ’ s a race against time to make sure you aren ’ t an easy target for an attacker who wants to try and kick the tires on this vulnerability . Obviously , patch as soon as possible and please follow Microsoft ’ s guidance carefully : Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers . We recommend that administrators apply the policy and set it to “ Force updated clients ” or “ Mitigated ” on client and server computers as soon as possible . These changes will require a reboot of the affected systems . Pay close attention to Group Policy or registry settings pairs that result in “ Blocked ” interactions between clients and servers in the compatibility table later in this article . Both the “ Force updated clients ” and “ Mitigated ” settings prevent RDP clients from falling back to insecure versions of CredSSP . The “ Force updated clients ” setting will not allow services that use CredSSP to accept unpatched clients but “ Mitigated ” will .
As part of its monthly Update Tuesday , Microsoft announcedVulnerability-related.PatchVulnerabilitythis week that they ’ ve releasedVulnerability-related.PatchVulnerabilitya preliminary fix for a vulnerability rated important , and present inVulnerability-related.DiscoverVulnerabilityall supported versions of Windows in circulation ( basically any client or server version of Windows from 2008 onward ) . The flaw affectsVulnerability-related.DiscoverVulnerabilitythe Credential Security Support Provider ( CredSSP ) protocol , which is used in all instances of Windows ’ Remote Desktop Protocol ( RDP ) and Remote Management ( WinRM ) . The vulnerability , CVE-2018-0886 , could allow remote code execution via a physical or wifi-based Man-in-the-Middle attack , where the attacker stealsAttack.Databreachsession data , including local user credentials , during the CredSSP authentication process . Although Microsoft saysVulnerability-related.DiscoverVulnerabilitythe bug has not yet been exploitedVulnerability-related.DiscoverVulnerability, it could cause serious damage if left unpatched . RDP is widely used in enterprise environments and an attacker who successfully exploitsVulnerability-related.DiscoverVulnerabilitythis bug could use it to gain a foothold from which to pivot and escalate . It ’ s also popular with small businesses who outsource their IT administration and , needless to say , an attacker with an admin account has all the aces . Security researchers at Preempt sayVulnerability-related.DiscoverVulnerabilitythey discovered and disclosedVulnerability-related.DiscoverVulnerabilitythis vulnerability to Microsoft last August , and Microsoft has been working since then to createVulnerability-related.PatchVulnerabilitythe patch releasedVulnerability-related.PatchVulnerabilitythis week . Now it ’ s out there , it ’ s a race against time to make sure you aren ’ t an easy target for an attacker who wants to try and kick the tires on this vulnerability . Obviously , patch as soon as possible and please follow Microsoft ’ s guidance carefully : Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers . We recommend that administrators apply the policy and set it to “ Force updated clients ” or “ Mitigated ” on client and server computers as soon as possible . These changes will require a reboot of the affected systems . Pay close attention to Group Policy or registry settings pairs that result in “ Blocked ” interactions between clients and servers in the compatibility table later in this article . Both the “ Force updated clients ” and “ Mitigated ” settings prevent RDP clients from falling back to insecure versions of CredSSP . The “ Force updated clients ” setting will not allow services that use CredSSP to accept unpatched clients but “ Mitigated ” will .
It was starting to feel like Intel was overdue for serious Management Engine ( ME ) vulnerabilities . But this week , researchers at Positive Technologies revealedVulnerability-related.DiscoverVulnerabilitya new security flaw in the subsystem that could let attackers compromise its MFS file system . Intel has releasedVulnerability-related.PatchVulnerabilityupdates to addressVulnerability-related.PatchVulnerabilitythe problem , though , so Intel CPU owners should make sure their firmware is up-to-date . ME has become a repeated source of problems for Intel and its customers . The utility is a chip-on-a-chip that allows IT managers to remotely access company PCs with tools like Intel 's Active Management Technology ( AMT ) . ME has its own network interface , memory , operating system and file system ( MFS ) that are kept separate from the main system in a bid to prevent it from allowing hackers to access ostensibly secure information . The problem is that researchers have discoveredVulnerability-related.DiscoverVulnerabilitynumerous vulnerabilities in ME over the last few years ; Positive Technologies revealedVulnerability-related.DiscoverVulnerabilityone in 2017 that allowed full takeover of ME via USB ( it 's since been fixedVulnerability-related.PatchVulnerability) . Now , it 's revealedVulnerability-related.DiscoverVulnerabilityanother one that allows someone with physical access to a system to compromise ME and `` manipulate the state of MFS and extract important secrets '' with the ability to `` add files , delete files and change their protection attributes . '' Positive Technologies said the attack can be used to learn four keys MFS uses to secure data -- the Intel Integrity Key , Non-Intel Integrity Key , Intel Confidentiality Key and Non-Intel Confidentiality Key -- that were supposed to be protected via a firmware update Intel releasedVulnerability-related.PatchVulnerabilityin 2017 . Positive Technologies explained how someone with physical access to the system could bypass that patch to compromise those keys in its blog post : `` Positive Technologies expert Dmitry Sklyarov discoveredVulnerability-related.DiscoverVulnerabilityvulnerability CVE-2018-3655 , described in advisory Intel-SA-00125 . He found that Non-Intel Keys are derived from two values : the SVN and the immutable non-Intel root secret , which is unique to each platform . By using an earlier vulnerability to enable the JTAG debugger , it was possible to obtain the latter value . Knowing the immutable root secret enables calculating the values of both Non-Intel Keys even in the newer firmware version . ... Attackers could calculate the Non-Intel Integrity Key and Non-Intel Confidentiality Key for firmware that has the updated SVN value and therefore compromise the MFS security mechanisms that rely on these keys . '' Intel releasedVulnerability-related.PatchVulnerabilitythe Intel-SA-00125 firmware update to defend against this vulnerability on September 11 . But this is another point in favor of companies questioning -- or outright banning -- the use of ME in their systems . Purism avoids ME and the services it enables in its privacy-focused Librem notebooks , Google is working to remove ME from the Intel processors it uses and previous security flaws have raised concerns among consumers .
It was starting to feel like Intel was overdue for serious Management Engine ( ME ) vulnerabilities . But this week , researchers at Positive Technologies revealedVulnerability-related.DiscoverVulnerabilitya new security flaw in the subsystem that could let attackers compromise its MFS file system . Intel has releasedVulnerability-related.PatchVulnerabilityupdates to addressVulnerability-related.PatchVulnerabilitythe problem , though , so Intel CPU owners should make sure their firmware is up-to-date . ME has become a repeated source of problems for Intel and its customers . The utility is a chip-on-a-chip that allows IT managers to remotely access company PCs with tools like Intel 's Active Management Technology ( AMT ) . ME has its own network interface , memory , operating system and file system ( MFS ) that are kept separate from the main system in a bid to prevent it from allowing hackers to access ostensibly secure information . The problem is that researchers have discoveredVulnerability-related.DiscoverVulnerabilitynumerous vulnerabilities in ME over the last few years ; Positive Technologies revealedVulnerability-related.DiscoverVulnerabilityone in 2017 that allowed full takeover of ME via USB ( it 's since been fixedVulnerability-related.PatchVulnerability) . Now , it 's revealedVulnerability-related.DiscoverVulnerabilityanother one that allows someone with physical access to a system to compromise ME and `` manipulate the state of MFS and extract important secrets '' with the ability to `` add files , delete files and change their protection attributes . '' Positive Technologies said the attack can be used to learn four keys MFS uses to secure data -- the Intel Integrity Key , Non-Intel Integrity Key , Intel Confidentiality Key and Non-Intel Confidentiality Key -- that were supposed to be protected via a firmware update Intel releasedVulnerability-related.PatchVulnerabilityin 2017 . Positive Technologies explained how someone with physical access to the system could bypass that patch to compromise those keys in its blog post : `` Positive Technologies expert Dmitry Sklyarov discoveredVulnerability-related.DiscoverVulnerabilityvulnerability CVE-2018-3655 , described in advisory Intel-SA-00125 . He found that Non-Intel Keys are derived from two values : the SVN and the immutable non-Intel root secret , which is unique to each platform . By using an earlier vulnerability to enable the JTAG debugger , it was possible to obtain the latter value . Knowing the immutable root secret enables calculating the values of both Non-Intel Keys even in the newer firmware version . ... Attackers could calculate the Non-Intel Integrity Key and Non-Intel Confidentiality Key for firmware that has the updated SVN value and therefore compromise the MFS security mechanisms that rely on these keys . '' Intel releasedVulnerability-related.PatchVulnerabilitythe Intel-SA-00125 firmware update to defend against this vulnerability on September 11 . But this is another point in favor of companies questioning -- or outright banning -- the use of ME in their systems . Purism avoids ME and the services it enables in its privacy-focused Librem notebooks , Google is working to remove ME from the Intel processors it uses and previous security flaws have raised concerns among consumers .
Mozilla releasedVulnerability-related.PatchVulnerabilitynine fixes in its Wednesday launch of Firefox 62 for Windows , Mac and Android – including one for a critical glitch that could enable attackers to run arbitrary code . Overall , the latest version of the Firefox browser includedVulnerability-related.PatchVulnerabilityfixes for the critical issue , three high-severity flaws , two moderate problems and three low-severity vulnerabilities . Topping the list is a memory safety bug ( CVE-2018-12376 ) , discoveredVulnerability-related.DiscoverVulnerabilityby a number of Mozilla developers and community members . A critical impact bug means the vulnerability can be used to run attacker code and install software , requiring no user interaction beyond normal browsing , according to Mozilla . The memory safety problem , which exists inVulnerability-related.DiscoverVulnerabilityFirefox 61 and Firefox ESR 60 , meets these criteria , researchers saidVulnerability-related.DiscoverVulnerability. Mozilla didn ’ t release further details , but it did assign one CVEVulnerability-related.DiscoverVulnerabilityto represent multiple similar issues . In addition to the memory safety bug ( s ) , Mozilla also fixedVulnerability-related.PatchVulnerabilitythree high-severity vulnerabilities in its latest update . These include a use-after-free glitch in refresh driver timers ( CVE-2018-12377 ) , which power browser-page refreshes . Another high-severity bug ( CVE-2018-12378 ) is a use-after-free vulnerability that occursVulnerability-related.DiscoverVulnerabilitywhen an IndexedDB index ( a low-level API for client-side storage of significant amounts of structured data ) is deleted while still in use by JavaScript code providing payload values . “ This results in a potentially exploitable crash , ” the advisory said . Mozilla developers and community members also foundVulnerability-related.DiscoverVulnerabilitya memory-safety bug ( CVE-2018-12375 ) in Firefox 61 , which showed evidence of memory corruption and could be exploitedVulnerability-related.DiscoverVulnerabilityto run arbitrary code , according to the advisory . The moderate and low-severity fixes that were deployedVulnerability-related.PatchVulnerabilityin Firefox 62 include patches for an out-of-bounds write flaw ( triggered when the Mozilla Updater opens a MAR format file that contains a very long item filename ) ; and a proxy bypass glitch in the browser ’ s proxy settings . Firefox 62 for desktop is availableVulnerability-related.PatchVulnerabilityfor download on Mozilla ’ s website .
The two vulnerabilities are critical remote code execution flaws that exist inVulnerability-related.DiscoverVulnerabilityAdobe Photoshop CC . Adobe hurried outVulnerability-related.PatchVulnerabilityunscheduled patches today for two critical flaws that could enable remote code-execution in Photoshop CC . The patches impactVulnerability-related.PatchVulnerabilitytwo memory corruption vulnerabilities in Adobe Photoshop products , including Photoshop CC 2018 ( v 19.1.6 ) and Photoshop CC 2017 ( v 18.1.6 ) , both for Windows and macOS . The release comesVulnerability-related.PatchVulnerabilityonly a week after the company fixedVulnerability-related.PatchVulnerabilitya slew of glitches last Patch Tuesday . “ Adobe has releasedVulnerability-related.PatchVulnerabilityupdates for Photoshop CC for Windows and macOS , ” the company said in a Wednesday security bulletin . “ These updates resolveVulnerability-related.PatchVulnerabilitycritical vulnerabilities in Photoshop CC 19.1.5 and earlier 19.x versions , as well as 18.1.5 and earlier 18.x versions . Successful exploitation could lead to arbitrary code-execution in the context of the current user. ” Both vulnerabilities ( CVE-2018-12810 ) and ( CVE-2018-12811 ) are critical remote code-execution flaws , according to the advisory , but further details around both flaws are not available . Kushal Arvind Shah of Fortinet ’ s FortiGuard Labs was credited with reportingVulnerability-related.DiscoverVulnerabilitythe two flaws . Adobe said impacted users need to applyVulnerability-related.PatchVulnerabilitythe fixes to the affected versions of Photoshop by updating to version 19.1.6 ( via the applications ’ update mechanism ) . Last week , Adobe releasedVulnerability-related.PatchVulnerability11 total fixes for an array of products , including two critical patches for Acrobat and Reader for Windows and macOS . Exploitation of those two vulnerabilities could lead to arbitrary code execution in the context of the current user . Adobe said in an email that it is not aware of any exploits in the wild for the flaws . The update is a priority 3 in severity , meaning that it resolves vulnerabilities in a product that has historically not been a target for attackers , according to the company ’ s ranking system . In this case I would expect there may have been a disclosure deadline and the release did not make this month ’ s typical release cycle but needed to release before September ’ s release cycle . ”
A new version of Git has been emitted to ward off attempts to exploitVulnerability-related.DiscoverVulnerabilitya potential arbitrary code execution vulnerability – which can be triggered by merely cloning a malicious repository . The security hole , CVE-2018-11235 , reportedVulnerability-related.DiscoverVulnerabilityby Etienne Stalmans , stems from a flaw in Git whereby sub-module names supplied by the .gitmodules file are not properly validated when appended to $ GIT_DIR/modules . Including `` .. / '' in a name could result in directory hopping . Post-checkout hooks could then be executed , potentially causing all manner of mayhem to ensue on the victim 's system . Another vulnerability , CVE-2018-11233 , describesVulnerability-related.DiscoverVulnerabilitya flaw in the processing of pathnames in Git on NTFS-based systems , allowing the reading of memory contents . In a change from normal programming , the vulnerability appears to be cross platform . Fear not , however , because a patch is availableVulnerability-related.PatchVulnerability. The Git team releasedVulnerability-related.PatchVulnerabilitythe update in 2.13.7 of the popular coding , collaboration and control tool and forward-ported it to versions 2.14.4 , 2.15.2 , 2.16.4 and 2.13.7 . For its part , Microsoft has urged users to download 2.17.1 ( 2 ) of Git for Windows and has blocked the malicious repositories from being pushed to Visual Studio Team Services users . The software giant has also promised a hotfix will `` shortly '' be availableVulnerability-related.PatchVulnerabilityfor its popular Visual Studio 2017 platform . Other vendors , such as Debian , have been updatingVulnerability-related.PatchVulnerabilitytheir Linux and software distributions to include the patched code and recommend that users upgradeVulnerability-related.PatchVulnerabilityto thwart ne'er-do-wells seeking to exploitVulnerability-related.DiscoverVulnerabilitythe vulnerability .
PureVPN has had two vulnerabilities which would allow hackers to retrieve stored passwords through the VPN client . This was confirmedVulnerability-related.DiscoverVulnerabilityby Trustwave ’ s security researcher Manuel Nader , and the VPN provider itself . One of the two vulnerabilities were fixedVulnerability-related.PatchVulnerabilityin the meantime , while the other one remains active , and PureVPN has , according to Nader , “ accepted the risk ” . The vulnerability that was patchedVulnerability-related.PatchVulnerabilitysaw saved passwords stored in plaintext , on this location : ' C : \ProgramData\purevpn\config\login.conf All users have had the chance to access and read the file by simply opening it through the CMD . This vulnerability has been patchedVulnerability-related.PatchVulnerabilityin the version 6.1.0. and whoever uses PureVPN is strongly advised to update to the latest version , as soon as possible . The second vulnerability is the one that remains open , and the company has decided to ‘ accept the riskVulnerability-related.DiscoverVulnerability’ . So basically , you ’ d need to open the Windows client , open Configuration , User Profile , and click on ‘ Show Password ’ . A spokesperson for PureVPN sent us the following statement . `` This is not a vulnerability rather a feature that we deployed for ease of our users . Back in April 2018 , when Trustwave reported it to us , we assessed the risk , and found it minimally due to how our systems are designed . Our systems work a bit different than most of the other VPN providers . For enhanced security , we use separate passwords for Member Area and VPN access . Member Area password which is more privileged is not shown in apps , it 's the VPN access password that is the subject of this feature . Furthermore , by default , our VPN passwords are system generated and not set by users . This curtails the risk of users using the same password for VPN accounts that they use for their sensitive accounts elsewhere on the Internet . On the other hand , this enhanced security design proved a little difficult for quite a few of our users and hence we offered a way for them to easily retrieve their VPN password . For now the community has raised concerns and is confusing it as a vulnerability , we have temporarily removed the feature and releasedVulnerability-related.PatchVulnerabilitya newer version 6.2.2 . To those users of our who pretty much use this feature to retrieve the separate password for VPN we would like to inform that we plan to redesign the future , keeping these concerns in mind , and release it back in our November 2018 release . We use Bugcrowd , a public Bug Bounty Program that employees some 90,000 ethical hackers to test our product . We remain in heavy collaboration with the InfoSec community and hence have such aggressive and streamlined processes in place to have releasedVulnerability-related.PatchVulnerabilitythe new version 6.2.2 within a few hours only . '' Those interested in learning more about VPNs and how they help improve your online privacy , make sure to read our Best VPN article .
With a bunch of security fixes releasedVulnerability-related.PatchVulnerabilityand more on the way , details have been made publicVulnerability-related.DiscoverVulnerabilityof a Bluetooth bug that potentially allows miscreants to commandeer nearby devices . This Carnegie-Mellon CERT vulnerability advisory on Monday laid outVulnerability-related.DiscoverVulnerabilitythe cryptographic flaw : firmware or operating system drivers skip a vital check during a Diffie-Hellman key exchange between devices . The impact : a nearby eavesdropper could “ intercept and decrypt and/or forge and inject device messages ” carried over Bluetooth Low Energy and Bluetooth Basic Rate/Enhanced Data Rate ( BR/EDR ) wireless connections between gizmos . In other words , you can potentially snoop on supposedly encrypted communications between two devices to stealAttack.Databreachtheir info going over the air , and inject malicious commands . To pull this off , you must have been within radio range and transmitting while the gadgets were initially pairing . The bug 's status in Android is confusing : while it does n't appear in the operating system project 's July monthly bulletin , phone and tablet manufacturers like LG and Huawei list the bug as being patchedVulnerability-related.PatchVulnerabilityin the , er , July security update . Microsoft has declared itself in the clear . The CERT note says fixes are needed both in software and firmware , which should be obtained from manufacturers and developers , and installed – if at all possible . We 're guessing for random small-time Bluetooth gizmos , it wo n't be very easy to prise an update out of the vendors , although you should have better luck with bigger brand gear . So , make sure you 're patched via the usual software update mechanisms , or just look out for nearby snoops , and be ready to thwart them , when pairing devices . Manufacturers were warned in January , it appears , so have had plenty of time to work on solutions . Indeed , silicon vendor patches for CVE-2018-5383 are already rolling outVulnerability-related.PatchVulnerabilityamong larger gadget and device makers , with Lenovo and Dell posting updatesVulnerability-related.PatchVulnerabilityin the past month or so . Linux versions prior to 3.19 do n't support Bluetooth LE Secure Connections and are therefore not vulnerable , we 're told .
The device manufacturer acquired St Jude Medical last year and has since been working to fixVulnerability-related.PatchVulnerabilitysevere vulnerabilities found inVulnerability-related.DiscoverVulnerabilityits pacemakers . Abbott releasedVulnerability-related.PatchVulnerabilityits second and final round of planned cybersecurity updates to its pacemakers , programmers and remote monitoring systems to fixVulnerability-related.PatchVulnerabilitysevere cybersecurity flaws in the devices . The patch will updateVulnerability-related.PatchVulnerabilitythe battery performance alert , allowing the device to monitor for abnormal battery behavior and automatically vibrate to tell the patient when something is wrong . The planned updates began last year , and the latest firmware update was approvedVulnerability-related.PatchVulnerabilityby the Food and Drug Administration last week . The update applies toVulnerability-related.PatchVulnerabilityabout 350,000 of Abbott ’ s implantable cardioverter defibrillators and implantable cardiac resynchronization therapy defibrillators . The devices were originally manufactured by St Jude Medical , which Abbott acquired last year . At that time , St Jude was under fire for remaining quiet about defibrillator issues that caused rapid battery depletion . The FDA found St Jude continued to ship these devices despite knowing about the defect . In fact , the agency found those flaws caused patient deaths . The flaws , made publicVulnerability-related.DiscoverVulnerabilityin 2016 by Muddy Waters and security firm MedSec , could allow an unauthorized user to access the defibrillaors and modify the programming controls . Since acquiring St Jude , Abbott has been working to patchVulnerability-related.PatchVulnerabilitythose vulnerabilities . The FDA ’ s recall notice said the firmware update will reduce the risk of patient harm due to premature battery depletion and potential exploitation of the flaws in the devices . The update will effectively complete the necessary patches to prevent unauthorized access . The update is not a response to any new flaws , but are merely a continuation of last year ’ s patches , according to officials . `` Technology and its security are always evolving , and this firmware upgrade is part of our commitment to ensuring our products include the latest advancements and protections for patients , '' said Robert Ford , executive vice president of medical devices at Abbott , in a statement .
Adobe has patchedVulnerability-related.PatchVulnerabilitya number of security vulnerabilities on the last scheduled monthly update of this year . All these patches specifically addressedVulnerability-related.PatchVulnerabilitybugs in Adobe Reader and Acrobat . Allegedly , Adobe December Patch Tuesday Update fixedVulnerability-related.PatchVulnerabilityas much as 86 different vulnerabilities , including 38 critical security flaws . This week , Adobe rolled outVulnerability-related.PatchVulnerabilitythe last scheduled monthly updates for its products . While the previous month ’ s update included bug fixes in Flash Player , the Adobe December Patch Tuesday update bundle remained focused on Adobe Reader and Acrobat . As much as 38 different critical security bugs receivedVulnerability-related.PatchVulnerabilitypatches with this update . The vulnerabilities include 2 buffer errors , 2 Untrusted pointer dereference vulnerabilities , 5 out-of-bounds write vulnerabilities , 3 heap overflow bugs , and 23 use after free vulnerabilities . All these vulnerabilities could allegedly lead to arbitrary code execution by a potential attacker . In addition , 3 security bypass vulnerabilities also receivedVulnerability-related.PatchVulnerabilityfixes with this update . These flaws could allow privilege escalation on the targeted systems . In addition to the above , Adobe also releasedVulnerability-related.PatchVulnerabilityfixes for 48 important security vulnerabilities . These include , 43 out-of-bounds read vulnerabilities , 4 integer overflow bugs , and a single security bypass bug . All these could allegedly result in information disclosure . As stated in Adobe ’ s advisory , the affected software include the following for Windows , Acrobat DC and Acrobat Reader DC ( continuous track ) versions 2019.008.20081 and earlier , Adobe Acrobat 2017 and Acrobat Reader 2017 ( Classic 2017 track ) versions 2017.011.30106 and earlier , Acrobat DC and Acrobat Reader DC ( Classic 2015 track ) versions 2015.006.30457 and earlier . Whereas , in the case of MacOS , the affected programs include , Acrobat DC and Acrobat Reader DC ( continuous track ) versions including and prior to 2019.008.20080 , Adobe Acrobat 2017 and Acrobat Reader 2017 ( track Classic 2017 ) versions 2017.011.30105 and above , Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) versions 2015.006.30456 and above . Adobe has patchedVulnerability-related.PatchVulnerabilityall 86 vulnerabilities in the recently released versions of the respective software . The patched versions include Acrobat DC and Acrobat Reader DC versions 2019.010.20064 ( continuous track ) , Acrobat 2017 and Acrobat Reader DC 2017 ( Classic 2017 ) version 2017.011.30110 , and Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) version 2015.006.30461 . Users of both Windows and MacOS should , therefore , ensure updatingVulnerability-related.PatchVulnerabilitytheir systems and download the latest versions of the affected software to stay protected from these vulnerabilities . This month ’ s scheduled update bundle did not addressVulnerability-related.PatchVulnerabilityany security flaws in Flash Player . Nonetheless , lately , Adobe already patchedVulnerability-related.PatchVulnerabilitya critical Flash vulnerability already disclosedVulnerability-related.DiscoverVulnerabilityto the public .
A critical vulnerability in open source automation tool Jenkins could allow permission checks to be bypassed through the use of specially-crafted URLs . Jenkins uses the Stapler web framework for HTTP request handling , which uses reflection to dispatch incoming web requests to controller code . This means that any public methods that start with get and include string and integer parameters are exposed to the web server . Because this is a common naming convention , this has led to multiple internal Jenkins methods being inadvertently exposed . The precise impact of this isn ’ t clear . The advisory notes that code execution could be a possible outcome – though on closer inspection , this seems to be a worst-case scenario . “ To clarify , the vulnerability we addressedVulnerability-related.PatchVulnerabilityhad nothing to do with arbitrary code execution , but was rather an issue discoveredVulnerability-related.DiscoverVulnerabilityby the Jenkins security team that allowed a small subset of existing Jenkins code to be invoked by a remote client , ” Daniel Beck , Jenkins security officer , told The Daily Swig in an email . “ While the known impact is pretty limited , we felt that the layer at which the vulnerability existed , and its potential warranted a higher score. ” These potential attacks include unauthenticated users being able to invalidate sessions when running with the built-in server , and users with overall/read permissions being able to create new user objects in memory . The advisory reads : “ Given the vast potential attack surface , we fully expect other attacks , that we are not currently aware of , to be possible on Jenkins releases that do not have this fix appliedVulnerability-related.PatchVulnerability. “ This is reflected in the high score we assignedVulnerability-related.DiscoverVulnerabilityto this issue , rather than limiting the score to the impact through known issues. ” Beck added : “ Jenkins users should always keep their instances up to date . In this case , we releasedVulnerability-related.PatchVulnerabilityupdates for two LTS lines simultaneously for the first time , so admins could applyVulnerability-related.PatchVulnerabilitythe update without having to go through a major version jump . “ We strive to fixVulnerability-related.PatchVulnerabilityall security vulnerabilities in Jenkins and plugins in a timely manner. ” Reflection is also used by Apache Struts , via the OGNL library . Struts has sufferedVulnerability-related.DiscoverVulnerabilitya number of serious security flaws in recent years . In 2017 , a vulnerability in the framework was exploitedVulnerability-related.DiscoverVulnerabilityto exposeAttack.Databreachthe details of up to 148 million Equifax customers . Another flaw , revealedVulnerability-related.DiscoverVulnerabilityin August 2018 , could lead to remote code execution . These issues underline the dangers of using reflection with untrusted data , and application architects would do well to avoid this unsafe practice .
A critical vulnerability in Kubernetes open-source system for handling containerized applications can enable an attacker to gain full administrator privileges on Kubernetes compute nodes . Kubernetes makes it easier to manage a container environment by organizing application containers into pods , nodes ( physical or virtual machines ) and clusters . Multiple nodes form a cluster , managed by a master that coordinates cluster-related activities like scaling , scheduling , or updating apps . Each node has an agent called Kubelet that facilitates communication with the Kubernetes master via the API . The number of nodes available in a Kubernetes system can be hundreds and even thousands . Pulling this off is easy on default configurations , where `` all users ( authenticated and unauthenticated ) are allowed to perform discovery API calls that allow this escalation , '' says Jordan Liggitt , staff software engineer at Google . The security bug was discoveredVulnerability-related.DiscoverVulnerabilityby Darren Shepherd , co-founder of Rancher Labs company that provides the Kubernetes-as-a-Service solution called Rancher . Now tracked asVulnerability-related.DiscoverVulnerabilityCVE-2018-1002105 , the flaw is critical , with a Common Vulnerability Scoring System ( CVSS ) score of 9.8 out of 10 . According to the latest version of the vulnerability severity calculator , exploiting the security glitch has low difficulty and does not require user interaction . Red Hat 's OpenShift Container Platform uses Kubernetes for orchestrating and managing containers is also impactedVulnerability-related.DiscoverVulnerabilityby the vulnerability . In an advisory on the matter , the company explains that the flaw can be used in two ways against its products . One involves a normal user with 'exec , ' 'attach , ' or 'portforward ' rights over a Kubernetes pod ( a group of one or more containers that share storage and network resources ) ; they can escalate their privileges to cluster-admin level and execute any process in a container . The second attack method exploits the API extension feature used by ‘ metrics-server ’ and ‘ servicecatalog ’ in OpenShift Container Platform , OpenShift Online , and Dedicated . No privileges are required and an unauthenticated user can get admin rights to any API extension deployed to the cluster . `` Cluster-admin access to ‘ servicecatalog ’ allows creation of service brokers in any namespace and on any node , '' the advisory details . The problem has been addressedVulnerability-related.PatchVulnerabilityin the latest Kubernetes revisions : v1.10.11 , v1.11.5 , v1.12.3 , and v1.13.0-rc.1 . Kubernetes releases prior to these along with the products and services based on them are affectedVulnerability-related.DiscoverVulnerabilityby CVE-2018-1002105 . Red Hat releasedVulnerability-related.PatchVulnerabilitypatches for the OpenShift family of containerization software ( OpenShift Container Platform , OpenShift Online , and OpenShift Dedicated ) and users receivedVulnerability-related.PatchVulnerabilityservice updates they can install at their earliest convenience . The software company warns that a malicious actor could exploit the vulnerability to stealAttack.Databreachdata or inject malicious code , as well as `` bring down production applications and services from within an organization ’ s firewall . ''
Yesterday , Oracle releasedVulnerability-related.PatchVulnerabilityits quarterly critical patch update ( CPU ) for Q3 2018 , the October edition , during which the company fixedVulnerability-related.PatchVulnerability301 vulnerabilities . Of the 301 flaws , 45 had a severity rating of 9.8 ( on a scale of 10 ) and one even received the maximum 10 rating . Vulnerabilities that receive this severity ratings this high can be exploitedVulnerability-related.DiscoverVulnerabilityremotely , with no authentication , and the exploit chain is accessible even to low-skilled attackers , even to those with no in-depth technical knowledge . Oracle 's security team will publish more information about each vulnerability in the coming days . This will give companies more time to updateVulnerability-related.PatchVulnerabilityaffected applications before details about each flaw are generally availableVulnerability-related.PatchVulnerabilityto everyone , including the bad guys . For now , little information is known , but the vulnerability that received the 10.0 rating impactsVulnerability-related.DiscoverVulnerabilityOracle GoldenGate , a data replication framework that can work with large quantities of information in real-time . This issue doesn't impactVulnerability-related.DiscoverVulnerabilitystandalone GoldenGate installations , but also the numerous other Oracle product setups where GoldenGate can be deployed as an add-in option , such as the Oracle Database Server , DB2 , MySQL , Sybase , Terradata , and others . As for vulnerabilities rated 9.8 on the severity scale , these were reported affectingVulnerability-related.DiscoverVulnerabilityproducts such as the Oracle Database Server , Oracle Communications , the Oracle Construction and Engineering Suite , the Oracle Enterprise Manager Products Suite , Oracle Fusion Middleware , Oracle Insurance Applications , Oracle JD Edwards , MySQL , Oracle Retail , the Oracle Siebel CRM , and the Oracle Sun Systems Products Suite . Despite the staggering number of patched flaws -- 301 -- , this is n't Oracle 's biggest recorded CPU . That title goes to July 2018 's CPU , which addressedVulnerability-related.PatchVulnerability334 vulnerabilities , 55 of which had a 9.8 severity rating . This was also Oracle 's last CPU for 2018 . According to the folks at ERPScan , in 2018 , Oracle patchedVulnerability-related.PatchVulnerability1119 vulnerabilities , the same number of flaws it patchedVulnerability-related.PatchVulnerabilitylast year in 2017 .
Logitech Options is an app that controls all of Logitech ’ s mice and keyboards . It offers several different configurations like Changing function key shortcuts , Customizing mouse buttons , Adjusting point and scroll behavior and etc . This app containedVulnerability-related.DiscoverVulnerabilitya huge security flaw that was discoveredVulnerability-related.DiscoverVulnerabilityby Tavis Ormandy who is a Google security researcher . It was foundVulnerability-related.DiscoverVulnerabilitythat Logitech Options was opening a WebSocket server on each individual computer Logitech Options was run on . This WebSocket server would open on port 10134 on which any website could connect and send several various commands which would be JSON-encoded . PID Exploit Through this any attacker can get in and run commands just by setting up a web page . The attacker only needs the Process Identifier ( PID ) . However the PID can be guessed as the software has no limit on the amount of try ’ s conducted . Once the attacker has obtained the PID and is in , consequently he can then completely control the Computer and run it remotely . This can also be used for keystroke injection or Rubber Ducky attacks which have been used to take over PC ’ s in the past . After Ormandy got a hold of Logitech ’ s engineers , he reportedVulnerability-related.DiscoverVulnerabilitythe vulnerability privately to them in a meeting between the Logitech ’ s engineering team and Ormandy on the 18th of September . After waiting a total of 90 days , Ormandy saw the company ’ s failure in addressingVulnerability-related.PatchVulnerabilitythe issue publicly or through a patch for the app , Thus Ormandy himself posted his findingVulnerability-related.DiscoverVulnerabilityon the 11th of December making the issue public . As the story gained attention Accordingly Logitech responded with an update for Logitech Options . Logitech releasedVulnerability-related.PatchVulnerabilityOptions version 7.00.564 on the 13th of December . They claim to have fixedVulnerability-related.PatchVulnerabilitythe origin and type checking bugs along with a patch for the security vulnerability . However they have not mentionedVulnerability-related.PatchVulnerabilitythe Security Vulnerability patch on their own website . They told German magazine heise.de that the new version does indeed fixVulnerability-related.PatchVulnerabilitythe vulnerability Travis Ormandy and his team are currently checking the new version of Logitech Options for any signs of Security Vulnerabilities . Everyone with the old version of Logitech Options are advised to upgradeVulnerability-related.PatchVulnerabilityto the new 7.00.564 .
Oracle releasedVulnerability-related.PatchVulnerabilityits latest Critical Patch Update on July 18 , fixingVulnerability-related.PatchVulnerability334 vulnerabilities across the company 's product portfolio . The company rated 61 of the vulnerabilities as having critical impact . Among the products patchedVulnerability-related.PatchVulnerabilityby Oracle are Oracle Database Server , Oracle Global Lifecycle Management , Oracle Fusion Middleware , Oracle E-Business Suite , Oracle PeopleSoft , Oracle Siebel CRM , Oracle Industry Applications , Oracle Java SE , Oracle Virtualization , Oracle MySQL and Oracle Sun Systems Products Suite . While there are issues of varying severity in the update , Oracle is blaming third-party components as being the cause of the majority of the critical issues . `` It is fair to note that bugs in third-party components make up a disproportionate amount of severe vulnerabilities in this Critical Patch Update , '' Eric Maurice , director of security assurance at Oracle , wrote in a blog post . `` 90 percent of the critical vulnerabilities addressedVulnerability-related.PatchVulnerabilityin this Critical Patch Update are for non-Oracle CVEs . '' Of the 334 issues fixedVulnerability-related.PatchVulnerabilityin the July Critical Patch Update , 37 percent were for third-party components included in Oracle product distributions . While many flaws were from third-party libraries , there were also flaws in Oracle 's own development efforts . Oracle 's namesake database was patchedVulnerability-related.PatchVulnerabilityfor three issues , one of which is remotely exploitable without user authentication . Oracle 's Financial Services application receivedVulnerability-related.PatchVulnerabilitythe highest total number of patches at 56 , with 21 identified as being remotely exploitable without user authentication . Oracle 's Fusion Middleware , on the other hand , gotVulnerability-related.PatchVulnerability44 new security fixes , with 38 of them rated as being critical . Oracle Enterprise Manager Products were patchedVulnerability-related.PatchVulnerabilityfor 16 issues , all of which are remotely exploitable without authentication . Looking at flaws in Java , Oracle 's July CPU providesVulnerability-related.PatchVulnerabilityeight security fixes , though organizations likely need to be cautious when applyingVulnerability-related.PatchVulnerabilitythe patches , as certain functionality has been removed . `` Several actions taken to fixVulnerability-related.PatchVulnerabilityJava SE vulnerabilities in the July CPU are likely to break the functionality of certain applications , '' security firm Waratek warned in an advisory . `` Application owners who applyVulnerability-related.PatchVulnerabilitybinary patches should be extremely cautious and thoroughly test their applications before puttingVulnerability-related.PatchVulnerabilitypatches into production . '' The reason why the Oracle fixes could break application functionality is because Oracle has decided to remove multiple vulnerable components from its Java Development Kit ( JDK ) . At 334 fixed flaws , the July update is larger than last Critical Patch Update releasedVulnerability-related.PatchVulnerabilityon Jan 15 , which providedVulnerability-related.PatchVulnerabilitypatches for 237 flaws . While the number of patches issues has grown , Matias Mevied , Oracle security researcher at Onapsis , commented that Oracle is working in the right way , fixingVulnerability-related.PatchVulnerabilitythe reported vulnerabilities and is getting faster every year . `` Unfortunately , based in our experience , the missing part is that the companies still do n't implement the patches as soon as they should be , '' Mevied told eWEEK .
Oracle releasedVulnerability-related.PatchVulnerabilityits latest Critical Patch Update on July 18 , fixingVulnerability-related.PatchVulnerability334 vulnerabilities across the company 's product portfolio . The company rated 61 of the vulnerabilities as having critical impact . Among the products patchedVulnerability-related.PatchVulnerabilityby Oracle are Oracle Database Server , Oracle Global Lifecycle Management , Oracle Fusion Middleware , Oracle E-Business Suite , Oracle PeopleSoft , Oracle Siebel CRM , Oracle Industry Applications , Oracle Java SE , Oracle Virtualization , Oracle MySQL and Oracle Sun Systems Products Suite . While there are issues of varying severity in the update , Oracle is blaming third-party components as being the cause of the majority of the critical issues . `` It is fair to note that bugs in third-party components make up a disproportionate amount of severe vulnerabilities in this Critical Patch Update , '' Eric Maurice , director of security assurance at Oracle , wrote in a blog post . `` 90 percent of the critical vulnerabilities addressedVulnerability-related.PatchVulnerabilityin this Critical Patch Update are for non-Oracle CVEs . '' Of the 334 issues fixedVulnerability-related.PatchVulnerabilityin the July Critical Patch Update , 37 percent were for third-party components included in Oracle product distributions . While many flaws were from third-party libraries , there were also flaws in Oracle 's own development efforts . Oracle 's namesake database was patchedVulnerability-related.PatchVulnerabilityfor three issues , one of which is remotely exploitable without user authentication . Oracle 's Financial Services application receivedVulnerability-related.PatchVulnerabilitythe highest total number of patches at 56 , with 21 identified as being remotely exploitable without user authentication . Oracle 's Fusion Middleware , on the other hand , gotVulnerability-related.PatchVulnerability44 new security fixes , with 38 of them rated as being critical . Oracle Enterprise Manager Products were patchedVulnerability-related.PatchVulnerabilityfor 16 issues , all of which are remotely exploitable without authentication . Looking at flaws in Java , Oracle 's July CPU providesVulnerability-related.PatchVulnerabilityeight security fixes , though organizations likely need to be cautious when applyingVulnerability-related.PatchVulnerabilitythe patches , as certain functionality has been removed . `` Several actions taken to fixVulnerability-related.PatchVulnerabilityJava SE vulnerabilities in the July CPU are likely to break the functionality of certain applications , '' security firm Waratek warned in an advisory . `` Application owners who applyVulnerability-related.PatchVulnerabilitybinary patches should be extremely cautious and thoroughly test their applications before puttingVulnerability-related.PatchVulnerabilitypatches into production . '' The reason why the Oracle fixes could break application functionality is because Oracle has decided to remove multiple vulnerable components from its Java Development Kit ( JDK ) . At 334 fixed flaws , the July update is larger than last Critical Patch Update releasedVulnerability-related.PatchVulnerabilityon Jan 15 , which providedVulnerability-related.PatchVulnerabilitypatches for 237 flaws . While the number of patches issues has grown , Matias Mevied , Oracle security researcher at Onapsis , commented that Oracle is working in the right way , fixingVulnerability-related.PatchVulnerabilitythe reported vulnerabilities and is getting faster every year . `` Unfortunately , based in our experience , the missing part is that the companies still do n't implement the patches as soon as they should be , '' Mevied told eWEEK .
Cisco has resolvedVulnerability-related.PatchVulnerabilitya set of critical vulnerabilities in Policy Suite which permit attackers to cause havoc in the software 's databases . This week , the tech giant releasedVulnerability-related.PatchVulnerabilitya security advisory detailing four vulnerabilities which could place enterprise users at risk of information leaks , account compromise , database tampering , and more . The first vulnerability , CVE-2018-0374 , has earned a CVSS base score of 9.8 . Described asVulnerability-related.DiscoverVulnerabilityan unauthenticated bypass bug , the security flaw `` could allow an unauthenticated , remote attacker to connect directly to the Policy Builder database , '' according to Cisco . The bug has been caused by a simple lack of authentication and as there is no requirement for identity verification , Policy Builder databases can be accessed and tampering with without limitation . Cisco Policy Suite releases prior to 18.2.0 are affectedVulnerability-related.DiscoverVulnerability. The second vulnerability , CVE-2018-0375 , is a default password error . The CVSS 9.8 bug is present inVulnerability-related.DiscoverVulnerabilitythe Cluster Manager of Cisco Policy Suite and could allow an unauthenticated , remote attacker to log in to a vulnerable system using a root account . The serious security problem has emergedVulnerability-related.DiscoverVulnerabilitydue to the use of undocumented , static user credentials for root accounts . If a hacker has knowledge of these credentials , they can become a root user and are able to execute arbitrary commands . Versions of the software prior to 18.2.0 are vulnerableVulnerability-related.DiscoverVulnerabilityto exploit . The third bug , CVE-2018-0376 , is another unauthenticated access problem and is also caused by a lack of authentication measures . `` A successful exploit could allow the attacker to make changes to existing repositories and create new repositories , '' Cisco saysVulnerability-related.DiscoverVulnerability. Cisco Policy Suite versions prior to 18.2.0 are affectedVulnerability-related.DiscoverVulnerability. The fourth security flaw , CVE-2018-0377 , affectsVulnerability-related.DiscoverVulnerabilitythe Open Systems Gateway initiative ( OSGi ) interface of Cisco Policy Suite . There is a lack of authentication within the OSGi interface which permits attackers to circumvent security processes and directly connect to the interface , access any files contained within they wish , and modify any content which is accessible through the process . This vulnerability impactsVulnerability-related.DiscoverVulnerabilityPolicy Suite versions prior to 18.1.0 . There are no workarounds to circumvent these vulnerabilities . However , patches have been issued to addressVulnerability-related.PatchVulnerabilitythem and Cisco says that no reports have been received which indicate the bugs are being exploitedVulnerability-related.DiscoverVulnerabilityin the wild . In addition , Cisco has revealedVulnerability-related.DiscoverVulnerabilityseven now-patched bugs affectingVulnerability-related.DiscoverVulnerabilitySD-WAN solutions . The vulnerabilities included command injection security flaws , a remote code execution bug , and arbitrary file overwrite issues .
Microsoft has seenVulnerability-related.DiscoverVulnerabilityits share of issues as of late , and now a seemingly simple patch is causing serious issues to certain laptops running the 2016 Anniversary Update . The update was originally releasedVulnerability-related.PatchVulnerabilityto prevent a zero-day attack on IE . Per Microsoft , this was the issue being fixedVulnerability-related.PatchVulnerability: A remote code execution vulnerability exists inVulnerability-related.DiscoverVulnerabilitythe way that the scripting engine handles objects in memory in Internet Explorer . The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user . An attacker who successfully exploitedVulnerability-related.DiscoverVulnerabilitythe vulnerability could gain the same user rights as the current user . If the current user is logged on with administrative user rights , an attacker who successfully exploitedVulnerability-related.DiscoverVulnerabilitythe vulnerability could take control of an affected system . An attacker could then install programs ; view , change , or delete data ; or create new accounts with full user rights . In a web-based attack scenario , an attacker could host a specially crafted website that is designedAttack.Phishingto exploit the vulnerability through Internet Explorer and then convinceAttack.Phishinga user to view the website , for example , by sendingAttack.Phishingan email . The security update addressesVulnerability-related.PatchVulnerabilitythe vulnerability by modifying how the scripting engine handles objects in memory . But now that fix is causing a pretty big problem of its own : it ’ s preventing certain laptops from booting . The affected machines are part of a pretty small bunch—only Lenovo laptops with less than 8 GB of RAM running the 2016 Anniversary Update ( 1607 ) —but it ’ s still a pretty bad problem to have . Fortunately , there ’ s a way to bypass the failed boot by restarting into the UEFI and disabling Secure Boot . It ’ s also noted that if BitLocker is enabled that you may have to go through BitLocker recovery after disabling Secure Boot . On the upside , Microsoft is working with Lenovo to correctVulnerability-related.PatchVulnerabilitythe issue and will releaseVulnerability-related.PatchVulnerabilitya fix sometime in the future . I just wouldn ’ t count on it before the end of the year . Until then , be careful when updating devices , especially if they happen to be Lenovo laptops with limited RAM .
The Bitcoin Core team yesterday releasedVulnerability-related.PatchVulnerabilitya patch for a DDoS vulnerability that could prove fatal to the Bitcoin network . The patch note urged miners to shut down their older versions urgently and replaceVulnerability-related.PatchVulnerabilitythem with the new version , Bitcoin Core 0.16.3 . The announcement , first reported on Hacked , revealedVulnerability-related.DiscoverVulnerabilitythat all the recent Bitcoin Core versions could be vulnerableVulnerability-related.DiscoverVulnerabilityto Distributed Denial-of-Service attack . An attack of such kind typically involves multiple compromised systems to flood a single system ( or network ) – similar to zombies encircling an uninfected person and disabling his movements . DDoS perpetrators could attack a Bitcoin network by either flooding the block with duplicate transactions , thus jamming the transaction confirmation of other people , or by flooding the nodes on Bitcoin ’ s peer-to-peer network , thus over-utilizing the bandwidth through malicious transaction relays . The recent DDoS vulnerability , termed asVulnerability-related.DiscoverVulnerabilityCVE-2018-17144 , tried to attempt the latter – flooding full node operators with traffic . Hacked reports : “ The way the potential exploit could work was by allowing anyone who was capable of mining a sufficient number of proof of work blocks to crash Bitcoin Cores running software versions 0.14.0 to 0.16.2. ” It also means that the miners who occasionally run Bitcoin Core were not vulnerableVulnerability-related.DiscoverVulnerabilityto the attack . Still , developers recommendedVulnerability-related.PatchVulnerabilityall the miners to go ahead with the latest update to stay safe . Also , the patch fixedVulnerability-related.PatchVulnerabilitysome other minor bugs related to consensus , RPC , invalid flag errors , and documentation . It is worth noticing that Bitcoin is not the only cryptocurrency that is on the DDoS attackers ’ hitlist . Flaws have been foundVulnerability-related.DiscoverVulnerabilityin other cryptocurrency clients as well , including Bitcoin Cash and Ethereum . An effective attack on the Ethereum network lasted more than a month and created million of dead accounts . In response , developers had to go through two on-chain forks and one off-chain process to clean up the mess . In another DDoS attack that slowed down the Ethereum network , miners had to increase gas fees to repel the attackers . There was no consensus failure . DDoS continues to be a global problem that impacts all spheres of the internet . Europol in its latest investigative report noted : “ Criminals continue to use Distributed-Denial-of-Service ( DDoS ) attacks as a tool against private business and the public sector . Such attacks are used not only for financial gains but the ideological , political or purely malicious reason . This type of attack is not only one of the most frequent ( second only to malware in 2017 ) ; it is also becoming more accessible , low-cost and low-risk. ” Meanwhile , decentralized networks like Bitcoin are still more secure against such attacks purely because single entities would not be able to bring them down . Also , because the people , including the attackers themselves , are heavily invested in Bitcoin , a coordinated attack would just rip them off their bitcoin validation commissions .
Microsoft releasedVulnerability-related.PatchVulnerabilitya security update designed to patchVulnerability-related.PatchVulnerabilityremote code execution ( RCE ) and information disclosure vulnerabilities in its Microsoft Exchange Server 2019 , 2016 , and 2013 products . The RCE security issue is being tracked asVulnerability-related.DiscoverVulnerabilityCVE-2019-0586 and according to Microsoft 's advisory it exists because `` the software fails to properly handle objects in memory . '' Attackers can run code as System user Following a successful attack of a vulnerable Microsoft Exchange Server installations , potential attackers would be able to take advantage of System user permissions . An attacker who successfully exploitedVulnerability-related.DiscoverVulnerabilitythe vulnerability could run arbitrary code in the context of the System user . An attacker could then install programs ; view , change , or delete data ; or create new accounts . In order to exploit the CVE-2019-0586 vulnerability , attackers have to sendAttack.Phishingmaliciously crafter emails to a vulnerable Exchange server . The issue has been addressedVulnerability-related.PatchVulnerabilityby changing the way Microsoft Exchange handles objects in memory . The information disclosure Microsoft Exchange Server vulnerability was assignedVulnerability-related.DiscoverVulnerabilitythe CVE-2019-0588 tracking id and it is caused by the way Microsoft Exchange 's `` PowerShell API grants calendar contributors more view permissions than intended . '' To exploit this vulnerability , an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell . The attacker would then be able to view additional details about the calendar that would normally be hidden . The CVE-2019-0588 , security vulnerability was fixedVulnerability-related.PatchVulnerabilityby correcting the way Exchange 's PowerShell API grants permissions to contributors . Microsoft rated the two vulnerabilities as 'Important ' Microsoft assigned an Important severity level to both security issues and , until their public disclosure , no mitigation factors or workarounds have been found . On servers that are using user account control ( UAC ) the update may fail to install if the update packages are run without Administrator privileges .
Yesterday , on Microsoft ’ s Patch Tuesday the company releasedVulnerability-related.PatchVulnerabilityits monthly security patches that fixedVulnerability-related.PatchVulnerability62 security flaws . These fixes also included a fix for a zero-day vulnerability that was under active exploitation before these patches were made availableVulnerability-related.PatchVulnerability. Microsoft also announced the re-release of its Windows 10 version 1809 and Windows Server 2019 . Microsoft credited Kaspersky Lab researchers for discoveringVulnerability-related.DiscoverVulnerabilitythis zero-day , which is also known asVulnerability-related.DiscoverVulnerabilityCVE-2018-8589 and impactsVulnerability-related.DiscoverVulnerabilitythe Windows Win32k component . A Kaspersky spokesperson told ZDNet , “ they discoveredVulnerability-related.DiscoverVulnerabilitythe zero-day being exploitedVulnerability-related.DiscoverVulnerabilityby multiple cyber-espionage groups ( APTs ) . ” The zero-day had been used to elevate privileges on 32-bit Windows 7 versions . This is the second Windows elevation of privilege zero-day patchedVulnerability-related.PatchVulnerabilityby Microsoft discoveredVulnerability-related.DiscoverVulnerabilityby Kaspersky researchers . Last month , Microsoft patchedVulnerability-related.PatchVulnerabilityCVE-2018-8453 , another zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor . However , in this month ’ s Patch Tuesday , Microsoft has not patchedVulnerability-related.PatchVulnerabilitya zero-day that is affectingVulnerability-related.DiscoverVulnerabilitythe Windows Data Sharing Service ( dssvc.dll ) . This zero-day was disclosedVulnerability-related.DiscoverVulnerabilityon Twitter at the end of October . According to ZDNet , “ Microsoft has published this month a security advisory to instruct users on how to properly configure BitLocker when used together with solid-state drives ( SSDs ) . ” As reported by Microsoft , the Windows 10 October 2018 update caused user ’ s data loss post updating . Due to this , the company decided to pause the update . However , yesterday , Microsoft announced that it is re-releasing Windows 10 version 1809 . John Cable , the director of Program Management for Windows Servicing and Delivery at Microsoft said , “ the data-destroying bug that triggered that unprecedented decision , as well as other quality issues that emerged during the unscheduled hiatus , have been thoroughly investigated and resolved. ” Microsoft also announced the re-release of Windows Server 2019 , which was affectedVulnerability-related.DiscoverVulnerabilityby the same issue . According to ZDNet , “ The first step in the re-release is to restore the installation files to its Windows 10 Download page so that “ seekers ” ( the Microsoft term for advanced users who go out of their way to install a new Windows version ) can use the ISO files to upgrade PCs running older Windows 10 versions. ” Michael Fortin , Windows Corporate Vice President , in a blog post , offered some context behind the recent issues and announced changes to the way the company approaches communications and also the transparency around their process . Per Fortin , “ We obsess over these metrics as we strive to improve product quality , comparing current quality levels across a variety of metrics to historical trends and digging into any anomaly. ” To know more about this in detail , visit Microsoft ’ s official blog post .
Microsoft rolled outVulnerability-related.PatchVulnerability60 patches for its Patch Tuesday release , impacting 19 critical flaws and 39 important flaws . Microsoft has rolled outVulnerability-related.PatchVulnerabilityits August Patch Tuesday fixes , addressingVulnerability-related.PatchVulnerability19 critical vulnerabilities , including fixes for two zero-day vulnerabilities that are under active attack . Overall , the company patchedVulnerability-related.PatchVulnerabilitya total of 60 flaws , spanning Microsoft Windows , Edge , Internet Explorer ( IE ) , Office , .NET Framework , ChakraCore , Exchange Server , Microsoft SQL Server and Visual Studio . Of those , 19 were critical , 39 were rated important , one was moderate and one was rated low in severity . The patch release includes two exploited flaws , CVE-2018-8373 and CVE-2018-8414 , which were previously disclosedVulnerability-related.DiscoverVulnerabilityby researchers . The first zero-day , CVE-2018-8373 , could result in remote code-execution ( RCE ) and grants the same privileges as a logged-in user , including administrative rights . The vulnerability exists inVulnerability-related.DiscoverVulnerabilityIE 9 , 10 and 11 , impactingVulnerability-related.DiscoverVulnerabilityall Windows operating systems from Server 2008 to Windows 10 . Meanwhile , CVE-2018-8414 also enables RCE with the privileges of the logged-in user , and exists onVulnerability-related.DiscoverVulnerabilityWindows 10 versions 1703 and newer , as well as Server 1709 and Server 1803 . “ The two zero-day vulnerabilities are … publicly disclosedVulnerability-related.DiscoverVulnerabilityand exploitedVulnerability-related.DiscoverVulnerability, ” said Chris Goettl , director of product management , security , for Ivanti , in an email . “ CVE-2018-8373 is a vulnerability that exists inVulnerability-related.DiscoverVulnerabilitythe way that the scripting engine handles objects in memory in Internet Explorer . CVE-2018-8414 code-execution vulnerability existsVulnerability-related.DiscoverVulnerabilitywhen the Windows Shell does not properly validate file paths. ” Microsoft also issuedVulnerability-related.PatchVulnerabilityfixes for security issues that don ’ t impact Windows , but the company thought they were important enough to package into its OS updates , dubbed advisories . Microsoft ’ s Patch Tuesday comes after the company found itself in hot water last month after its new update model caused stability issues for Windows operating systems and applications , particularly in July . The model irked customers so much that enterprise patching veteran Susan Bradley wrote an open letter to Microsoft executives expressing the “ dissatisfaction your customers have with the updates releasedVulnerability-related.PatchVulnerabilityfor Windows desktops and servers in recent months . ”