The two vulnerabilities are critical remote code execution flaws that exist in Vulnerability-related.DiscoverVulnerability Adobe Photoshop CC . Adobe hurried out Vulnerability-related.PatchVulnerability unscheduled patches today for two critical flaws that could enable remote code-execution in Photoshop CC . The patches impact Vulnerability-related.PatchVulnerability two memory corruption vulnerabilities in Adobe Photoshop products , including Photoshop CC 2018 ( v 19.1.6 ) and Photoshop CC 2017 ( v 18.1.6 ) , both for Windows and macOS . The release comes Vulnerability-related.PatchVulnerability only a week after the company fixed Vulnerability-related.PatchVulnerability a slew of glitches last Patch Tuesday . “ Adobe has released Vulnerability-related.PatchVulnerability updates for Photoshop CC for Windows and macOS , ” the company said in a Wednesday security bulletin . “ These updates resolve Vulnerability-related.PatchVulnerability critical vulnerabilities in Photoshop CC 19.1.5 and earlier 19.x versions , as well as 18.1.5 and earlier 18.x versions . Successful exploitation could lead to arbitrary code-execution in the context of the current user. ” Both vulnerabilities ( CVE-2018-12810 ) and ( CVE-2018-12811 ) are critical remote code-execution flaws , according to the advisory , but further details around both flaws are not available . Kushal Arvind Shah of Fortinet ’ s FortiGuard Labs was credited with reporting Vulnerability-related.DiscoverVulnerability the two flaws . Adobe said impacted users need to apply Vulnerability-related.PatchVulnerability the fixes to the affected versions of Photoshop by updating to version 19.1.6 ( via the applications ’ update mechanism ) . Last week , Adobe released Vulnerability-related.PatchVulnerability 11 total fixes for an array of products , including two critical patches for Acrobat and Reader for Windows and macOS . Exploitation of those two vulnerabilities could lead to arbitrary code execution in the context of the current user . Adobe said in an email that it is not aware of any exploits in the wild for the flaws . The update is a priority 3 in severity , meaning that it resolves vulnerabilities in a product that has historically not been a target for attackers , according to the company ’ s ranking system . In this case I would expect there may have been a disclosure deadline and the release did not make this month ’ s typical release cycle but needed to release before September ’ s release cycle . ”

Google disclosed Vulnerability-related.DiscoverVulnerability a flaw in Microsoft Edge earlier this week , after Microsoft failed to patch Vulnerability-related.PatchVulnerability the bug in time . Now Google ’ s Project Zero team of security researchers are disclosing Vulnerability-related.DiscoverVulnerability yet another Windows 10 security flaw that Microsoft has again failed to patch Vulnerability-related.PatchVulnerability before Google ’ s imposed 90-day period . Neowin spotted that Google reported Vulnerability-related.DiscoverVulnerability two bugs to Microsoft in November , but the company only addressed Vulnerability-related.PatchVulnerability one of them with its recent Patch Tuesday fixes . The latest unpatched issue is an Elevation of Privilege which allows a normal user to gain administrator privileges on a system . Microsoft has rated Vulnerability-related.DiscoverVulnerability the flaw as “ important , ” but not “ critical ” as it can ’ t be exploited Vulnerability-related.DiscoverVulnerability remotely . It ’ s still an important issue to fix Vulnerability-related.PatchVulnerability , as an attacker could potentially combine this with a separate unknown remote code execution to gain administrator access , although that ’ s an unlikely scenario unless Microsoft doesn ’ t address Vulnerability-related.PatchVulnerability it promptly . It ’ s not clear when Microsoft intends to address Vulnerability-related.PatchVulnerability the latest security flaw in Windows 10 , and the company still needs to solve Vulnerability-related.PatchVulnerability the Edge vulnerability that was disclosed Vulnerability-related.DiscoverVulnerability by Google earlier this week . Microsoft hit back at Google ’ s approach to security patches last year , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . Google ’ s policy to disclose after 90 days without a patch is often criticized and applauded in equal measure . There ’ s plenty of evidence to suggest security vulnerabilities are increasing in Windows and across the industry , and Microsoft has clearly struggled to fix Vulnerability-related.PatchVulnerability these two issues with plenty of notice . It can also be argued that Google is making rival software more secure with its efforts , making everyone ’ s software secure . However , Google also has competitive commercial interests , and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities . Reports suggest Google ’ s Project Zero security team originated from the fallout around the 2009 Google hack , an intrusion blamed on an unpatched flaw in Microsoft ’ s Internet Explorer 6 browser . Google makes exceptions to its strict rules , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability .

Adobe has posted an update to address Vulnerability-related.PatchVulnerability 85 CVE-listed security vulnerabilities in Acrobat and Reader for both Windows and macOS . The PDF apps have received Vulnerability-related.PatchVulnerability a major update that includes dozens of fixes for flaws that would allow for remote code execution attacks if exploited Vulnerability-related.DiscoverVulnerability . Other possible attacks include elevation of privilege flaws and information disclosure vulnerabilities . Fortunately , Adobe said that none of the bugs was currently being targeted in the wild - yet . For Mac and Windows Acrobat/Reader DC users , the fixes will be present Vulnerability-related.PatchVulnerability in versions 2019.008.20071 . For those using the older Acrobat and Reader 2017 versions , the fix will be labeled Vulnerability-related.PatchVulnerability 2017.011.30105 . Because PDF readers have become such a popular target for email and web-based malware attacks , users and admins alike would do well to test and install the updates as soon as possible . Exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone 's machine . In total , Adobe credited 19 different researchers with discovering Vulnerability-related.DiscoverVulnerability and reporting Vulnerability-related.DiscoverVulnerability the vulnerabilities . Among the more prolific bug hunters were Omri Herscovici of CheckPoint Software , who was credited for finding Vulnerability-related.DiscoverVulnerability and reporting Vulnerability-related.DiscoverVulnerability 35 CVE-listed bugs , and Ke Liu and Tencent Security Xuanwu Lab , who was credited with finding Vulnerability-related.DiscoverVulnerability 11 of the patched Adobe vulnerabilities . Beihang University 's Lin Wang was given credit for nine vulnerabilities . While we 're on the subject of massive security updates , both users and admins will want to mark their calendars for a week from Tuesday . October 9 is slated to be this month 's edition of the scheduled 'Patch Tuesday ' monthly security update .

Adobe has posted an update to address Vulnerability-related.PatchVulnerability 85 CVE-listed security vulnerabilities in Acrobat and Reader for both Windows and macOS . The PDF apps have received Vulnerability-related.PatchVulnerability a major update that includes dozens of fixes for flaws that would allow for remote code execution attacks if exploited Vulnerability-related.DiscoverVulnerability . Other possible attacks include elevation of privilege flaws and information disclosure vulnerabilities . Fortunately , Adobe said that none of the bugs was currently being targeted in the wild - yet . For Mac and Windows Acrobat/Reader DC users , the fixes will be present Vulnerability-related.PatchVulnerability in versions 2019.008.20071 . For those using the older Acrobat and Reader 2017 versions , the fix will be labeled Vulnerability-related.PatchVulnerability 2017.011.30105 . Because PDF readers have become such a popular target for email and web-based malware attacks , users and admins alike would do well to test and install the updates as soon as possible . Exploit-laden PDFs have for more than a decade proven to be one of the most reliable ways to put malware on someone 's machine . In total , Adobe credited 19 different researchers with discovering Vulnerability-related.DiscoverVulnerability and reporting Vulnerability-related.DiscoverVulnerability the vulnerabilities . Among the more prolific bug hunters were Omri Herscovici of CheckPoint Software , who was credited for finding Vulnerability-related.DiscoverVulnerability and reporting Vulnerability-related.DiscoverVulnerability 35 CVE-listed bugs , and Ke Liu and Tencent Security Xuanwu Lab , who was credited with finding Vulnerability-related.DiscoverVulnerability 11 of the patched Adobe vulnerabilities . Beihang University 's Lin Wang was given credit for nine vulnerabilities . While we 're on the subject of massive security updates , both users and admins will want to mark their calendars for a week from Tuesday . October 9 is slated to be this month 's edition of the scheduled 'Patch Tuesday ' monthly security update .

Adobe 's scheduled October update for its Acrobat and Reader PDF software addresses Vulnerability-related.PatchVulnerability 85 vulnerabilities , including dozens of critical flaws that allow arbitrary code execution . The patches also address Vulnerability-related.PatchVulnerability multiple privilege-escalation and information-disclosure flaws , shoring up Adobe 's PDF software further following a patch for a critical Acrobat and Reader flaw plugged Vulnerability-related.PatchVulnerability two weeks ago . The bugs affect Vulnerability-related.DiscoverVulnerability Acrobat DC and Reader versions 2018.011.20063 and earlier from Adobe 's continuous track , Acrobat 2017 and Acrobat Reader 2017 2017.011.30102 , and Acrobat DC and Reader DC versions 2015.006.30452 and earlier from Adobe 's classic 2015 track . The flaws affect Vulnerability-related.DiscoverVulnerability the software running on Windows and macOS systems . This update Vulnerability-related.PatchVulnerability is the largest set of fixes Adobe 's PDF software since it swatted Vulnerability-related.PatchVulnerability 105 vulnerabilities in July . However , fortunately the company says it is not currently aware Vulnerability-related.DiscoverVulnerability of any exploits in the wild for bugs fixed Vulnerability-related.PatchVulnerability in this update Vulnerability-related.PatchVulnerability . Users and admins nonetheless should install fixed versions , according to Adobe , because if an attacker developed an exploit it could lead to arbitrary code execution in the context of the current user because the software is sandboxed . Since PDFs are still widely used in the enterprise , hackers continue to develop new techniques to break the sandbox by combining PDF attacks with operating system flaws . This happened earlier this year , prompting a warning Vulnerability-related.DiscoverVulnerability from Adobe in May after it was informed Vulnerability-related.DiscoverVulnerability by researchers at ESET and Microsoft that they 'd discovered Vulnerability-related.DiscoverVulnerability a malicious PDF using a zero-day remote code execution flaw in Reader with a sandbox-busting Windows privilege escalation flaw . Adobe credits researchers from Qihoo 360 , Cisco Talos , Beihang University , Palo Alto Networks , and Check Point for reporting Vulnerability-related.DiscoverVulnerability flaws patched Vulnerability-related.PatchVulnerability in the October update . Check Point researcher Omri Herscovici was responsible for reporting Vulnerability-related.DiscoverVulnerability 35 of this month 's bugs , all of which were information disclosure flaws .

Adobe 's scheduled October update for its Acrobat and Reader PDF software addresses Vulnerability-related.PatchVulnerability 85 vulnerabilities , including dozens of critical flaws that allow arbitrary code execution . The patches also address Vulnerability-related.PatchVulnerability multiple privilege-escalation and information-disclosure flaws , shoring up Adobe 's PDF software further following a patch for a critical Acrobat and Reader flaw plugged Vulnerability-related.PatchVulnerability two weeks ago . The bugs affect Vulnerability-related.DiscoverVulnerability Acrobat DC and Reader versions 2018.011.20063 and earlier from Adobe 's continuous track , Acrobat 2017 and Acrobat Reader 2017 2017.011.30102 , and Acrobat DC and Reader DC versions 2015.006.30452 and earlier from Adobe 's classic 2015 track . The flaws affect Vulnerability-related.DiscoverVulnerability the software running on Windows and macOS systems . This update Vulnerability-related.PatchVulnerability is the largest set of fixes Adobe 's PDF software since it swatted Vulnerability-related.PatchVulnerability 105 vulnerabilities in July . However , fortunately the company says it is not currently aware Vulnerability-related.DiscoverVulnerability of any exploits in the wild for bugs fixed Vulnerability-related.PatchVulnerability in this update Vulnerability-related.PatchVulnerability . Users and admins nonetheless should install fixed versions , according to Adobe , because if an attacker developed an exploit it could lead to arbitrary code execution in the context of the current user because the software is sandboxed . Since PDFs are still widely used in the enterprise , hackers continue to develop new techniques to break the sandbox by combining PDF attacks with operating system flaws . This happened earlier this year , prompting a warning Vulnerability-related.DiscoverVulnerability from Adobe in May after it was informed Vulnerability-related.DiscoverVulnerability by researchers at ESET and Microsoft that they 'd discovered Vulnerability-related.DiscoverVulnerability a malicious PDF using a zero-day remote code execution flaw in Reader with a sandbox-busting Windows privilege escalation flaw . Adobe credits researchers from Qihoo 360 , Cisco Talos , Beihang University , Palo Alto Networks , and Check Point for reporting Vulnerability-related.DiscoverVulnerability flaws patched Vulnerability-related.PatchVulnerability in the October update . Check Point researcher Omri Herscovici was responsible for reporting Vulnerability-related.DiscoverVulnerability 35 of this month 's bugs , all of which were information disclosure flaws .

Adobe has resolved Vulnerability-related.PatchVulnerability six critical updates in the company 's latest round of security fixes . On Tuesday , Adobe said in a security advisory that the update impacts Vulnerability-related.DiscoverVulnerability ColdFusion version 11 , as well as the 2016 and 2018 releases of the web application development platform . In total , six of the security flaws are deemed Vulnerability-related.DiscoverVulnerability critical . The first set of vulnerabilities -- CVE-2018-15965 , CVE-2018-15957 , CVE-2018-15958 , and CVE-2018-15959 -- relate to the deserialization of untrusted data . In addition , CVE-2018-15961 is a security flaw which permits unrestricted file uploads in the software , and the final critical bug , CVE-2018-15960 , is described as Vulnerability-related.DiscoverVulnerability `` use of a component with a known vulnerability '' which can cause arbitrary file overwrite . If exploited Vulnerability-related.DiscoverVulnerability , all of the above security flaws can lead to arbitrary code execution . Three other bugs in ColdFusion have also been resolved Vulnerability-related.PatchVulnerability . CVE-2018-15962 is a flaw within directory listings that can lead to information disclosure ; CVE-2018-15963 is a security bypass bug which could permit attackers to create arbitrary folders , and CVE-2018-15964 is another security flaw caused by the use of a component with a known vulnerability which may cause data leaks . Adobe also released Vulnerability-related.PatchVulnerability a fix for Adobe Flash Player on desktop Windows , macOS , and Linux machines , as well as Flash for Google Chrome on Windows , macOS , Linux , and Chrome OS , versions 30.0.0.154 and earlier . This security flaw , CVE-2018-15967 is listed Vulnerability-related.DiscoverVulnerability as an `` important '' privilege escalation bug which could lead to information disclosure . Originally , Microsoft listed Vulnerability-related.DiscoverVulnerability the same vulnerability as critical and one which enabled attackers to perform remote code execution attacks . However , Microsoft has now amended its advisory to reflect Adobe 's severity rating . Adobe is not aware of any reports suggesting Vulnerability-related.DiscoverVulnerability the vulnerabilities have been exploited Vulnerability-related.DiscoverVulnerability in the wild but recommends Vulnerability-related.PatchVulnerability that users accept the automatic updates as soon as possible . The tech giant thanked researchers including Matthias Kaiser of Code White GmbH , Gsrc from Venustech-Adlab , and Nick Bloor of Cognitous for reporting Vulnerability-related.DiscoverVulnerability the vulnerabilities . This month 's security fixes build Vulnerability-related.PatchVulnerability upon Adobe 's August patch update , in which 11 security flaws were resolved Vulnerability-related.PatchVulnerability , including critical vulnerabilities in Adobe Acrobat 2017 , Acrobat DC , and Acrobat Reader DC on Windows and macOS machines . In the same month , the tech giant also released Vulnerability-related.PatchVulnerability an out-of-schedule patch for Adobe Photoshop CC . The security update tackled Vulnerability-related.PatchVulnerability memory corruption bugs in the creative software which , if exploited Vulnerability-related.DiscoverVulnerability , could lead to code execution .

A Windows zero-day bug has made the news . By zero-day , it means that a vulnerability has been exposed Vulnerability-related.DiscoverVulnerability but it is not yet patched Vulnerability-related.PatchVulnerability . Darren Allan in TechRadar was one of the tech watchers reporting Vulnerability-related.DiscoverVulnerability on the vulnerability , which could occur through a privilege escalation bug . `` The user linked to a page on GitHub which appears to contain a proof-of-concept ( PoC ) for the vulnerability , '' said Charlie Osborne in ZDNet . `` CERT/CC ( the US cybersecurity organization which looks to counter emerging threats ) has confirmed Vulnerability-related.DiscoverVulnerability that this vulnerability can be leveraged against a 64-bit Windows 10 PC which has been fully patched Vulnerability-related.PatchVulnerability up to date , `` said TechRadar , in turn referring to a story in The Register , Richard Chergwin , The Register , had reported Vulnerability-related.DiscoverVulnerability that `` CERT/CC vulnerability analyst Will Dormann quickly verified Vulnerability-related.DiscoverVulnerability the bug . '' CERT/CC did a formal investigation , and posted an advisory . `` 'Microsoft Windows task scheduler contains Vulnerability-related.DiscoverVulnerability a vulnerability in the handling of ALPC , which can allow a local user to gain SYSTEM privileges , ' the alert stated . '' This can be leveraged to gain SYSTEM privileges . We have confirmed Vulnerability-related.DiscoverVulnerability that the public exploit code works on 64-bit Windows 10 and Windows Server 2016 systems . We have also confirmed Vulnerability-related.DiscoverVulnerability compatibility with 32-bit Windows 10 with minor modifications to the public exploit code . Compatibility with other Windows versions is possible with further modifications . '' Should we worry ? Allan said it is a local bug . The attacker would have to be already logged into the PC to exploit it , or be running code on the machine . But wait . Though local , Ars Technica 's Peter Bright let its readers know what the flaw allows one to do . Not pretty . Bright wrote that `` The flaw allows anyone with the ability to run code on a system to elevate their privileges to 'SYSTEM ' level , the level used by most parts of the operating system and the nearest thing that Windows has to an all-powerful superuser . '' Osborne in ZDNet said that while the impact was limited , `` the public disclosure of a zero-day is still likely a headache for the Redmond giant . ''

Adobe has resolved Vulnerability-related.PatchVulnerability 11 security flaws in this month 's patch update on the heels of a far larger security round last month in which over a hundred bugs were squashed Vulnerability-related.PatchVulnerability . The patch release impacts Vulnerability-related.PatchVulnerability Adobe Flash , Acrobat and Reader , Experience Manager , and Creative Cloud . Two of the vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability in the release are described Vulnerability-related.DiscoverVulnerability as critical and affect Vulnerability-related.DiscoverVulnerability Acrobat and Reader . In July , Adobe issued Vulnerability-related.PatchVulnerability a security update which patched Vulnerability-related.PatchVulnerability a total of 112 vulnerabilities . The majority of bugs were uncovered Vulnerability-related.DiscoverVulnerability in Adobe Acrobat , but a critical code execution flaw was also resolved Vulnerability-related.PatchVulnerability in Adobe Flash . The critical bugs in this release impact Vulnerability-related.DiscoverVulnerability Adobe Acrobat 2017 , Acrobat DC , and Acrobat Reader DC on Windows and macOS machines . The tech giant says Vulnerability-related.DiscoverVulnerability that exploitation of the security flaws , an out of bounds write issue ( CVE-2018-12808 ) and an untrusted pointer dereference problem ( CVE-2018-12799 ) can lead to arbitrary code execution . The vulnerabilities resolved Vulnerability-related.PatchVulnerability include five bugs in Adobe Flash . An out of bounds read flaw ( CVE-2018-12824 ) , a security bypass error ( CVE-2018-12825 ) , two information disclosure vulnerabilities ( CVE-2018-12826 , CVE-2018-12827 ) , and a privilege escalation flaw ( CVE-2018-12828 ) have all been patched Vulnerability-related.PatchVulnerability . A reflected cross-site scripting flaw ( CVE-2018-12806 ) , input validation bypass ( CVE-2018-12807 ) , and cross-site scripting ( XSS ) bug ( CVE-2018-5005 ) have been patched Vulnerability-related.PatchVulnerability in Adobe Experience Manager versions 6.0 -- 6.4 on all platforms . If exploited Vulnerability-related.DiscoverVulnerability , the security flaws can facilitate sensitive information disclosure and data modification . In addition , a single bug in Adobe Creative Cloud Desktop affecting Vulnerability-related.DiscoverVulnerability versions 4.5.0.324 and earlier versions on Windows systems has been resolved Vulnerability-related.PatchVulnerability . The DLL hijacking vulnerability ( CVE-2018-5003 ) can be exploited Vulnerability-related.DiscoverVulnerability in order for an attacker to escalate privileges on an account . Adobe recommends that users update their software as quickly as possible . Researchers from Trend Micro 's Zero Day Initiative , Palo Alto Networks , Google Project Zero , TenCent , and Cognizant Technology Solutions , among others , were thanked for reporting Vulnerability-related.DiscoverVulnerability the bugs . On Tuesday , Microsoft 's latest round of patches tackled Vulnerability-related.PatchVulnerability a total of 60 vulnerabilities , 19 of which were deemed critical . Two severe security flaws resolved Vulnerability-related.PatchVulnerability in the update are zero-day vulnerabilities which are being actively exploited Vulnerability-related.DiscoverVulnerability in the wild .

Microsoft and Google have been bitter rivals for at least a decade , and the pair have had several disagreements over security vulnerability disclosure Vulnerability-related.DiscoverVulnerability in recent years . Google is stoking those disagreements again this week by disclosing Vulnerability-related.DiscoverVulnerability a Microsoft Edge security flaw before a patch is available Vulnerability-related.PatchVulnerability . Neowin spotted that Google disclosed Vulnerability-related.DiscoverVulnerability the security flaw to Microsoft back in November , and the company provided 90 days for Microsoft to fix Vulnerability-related.PatchVulnerability it before going public Vulnerability-related.DiscoverVulnerability as it ’ s rated “ medium ” in terms of severity . Google also provided Microsoft with an additional 14-day grace period to have a fix available Vulnerability-related.PatchVulnerability for its monthly Patch Tuesday release in February , but Microsoft missed Vulnerability-related.PatchVulnerability this goal because “ the fix is more complex than initially anticipated. ” It ’ s not clear when Microsoft will have a fix available Vulnerability-related.PatchVulnerability , and the Google engineer responsible for reporting Vulnerability-related.DiscoverVulnerability the security flaw says because of the complexity of the fix Microsoft “ do not yet have a fixed date set as of yet. ” The public disclosure will likely anger Microsoft , once again . The software giant hit back at Google ’ s approach Vulnerability-related.PatchVulnerability to security patches last October , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . At the heart of the issue is whether Google ’ s policy to disclose after 90 days without a patch is reasonable . Google makes exceptions to this hard rule , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability . Two big and obvious exceptions to Google ’ s security disclosure rules were the recent Meltdown and Spectre bugs . Google engineers discovered Vulnerability-related.DiscoverVulnerability the CPU flaws and Intel , AMD , and others had around six months to fix Vulnerability-related.PatchVulnerability the problems before the flaws were publicly disclosed Vulnerability-related.DiscoverVulnerability earlier this year . Chrome OS and Android devices were also affected Vulnerability-related.DiscoverVulnerability by the processor flaws , along with Windows , Linux , macOS , and iOS . Google wants the industry to adopt its aggressive disclosure policies , but Microsoft has so far resisted rather publicly . This latest episode isn ’ t as critical as some of the past disclosures , but it will likely reignite the debate over whether Google , a company with competitive commercial interests , should be leading the way security flaws in rival operating systems are disclosed Vulnerability-related.DiscoverVulnerability in the public interest .

Microsoft and Google have been bitter rivals for at least a decade , and the pair have had several disagreements over security vulnerability disclosure Vulnerability-related.DiscoverVulnerability in recent years . Google is stoking those disagreements again this week by disclosing Vulnerability-related.DiscoverVulnerability a Microsoft Edge security flaw before a patch is available Vulnerability-related.PatchVulnerability . Neowin spotted that Google disclosed Vulnerability-related.DiscoverVulnerability the security flaw to Microsoft back in November , and the company provided 90 days for Microsoft to fix Vulnerability-related.PatchVulnerability it before going public Vulnerability-related.DiscoverVulnerability as it ’ s rated “ medium ” in terms of severity . Google also provided Microsoft with an additional 14-day grace period to have a fix available Vulnerability-related.PatchVulnerability for its monthly Patch Tuesday release in February , but Microsoft missed Vulnerability-related.PatchVulnerability this goal because “ the fix is more complex than initially anticipated. ” It ’ s not clear when Microsoft will have a fix available Vulnerability-related.PatchVulnerability , and the Google engineer responsible for reporting Vulnerability-related.DiscoverVulnerability the security flaw says because of the complexity of the fix Microsoft “ do not yet have a fixed date set as of yet. ” The public disclosure will likely anger Microsoft , once again . The software giant hit back at Google ’ s approach Vulnerability-related.PatchVulnerability to security patches last October , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . At the heart of the issue is whether Google ’ s policy to disclose after 90 days without a patch is reasonable . Google makes exceptions to this hard rule , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability . Two big and obvious exceptions to Google ’ s security disclosure rules were the recent Meltdown and Spectre bugs . Google engineers discovered Vulnerability-related.DiscoverVulnerability the CPU flaws and Intel , AMD , and others had around six months to fix Vulnerability-related.PatchVulnerability the problems before the flaws were publicly disclosed Vulnerability-related.DiscoverVulnerability earlier this year . Chrome OS and Android devices were also affected Vulnerability-related.DiscoverVulnerability by the processor flaws , along with Windows , Linux , macOS , and iOS . Google wants the industry to adopt its aggressive disclosure policies , but Microsoft has so far resisted rather publicly . This latest episode isn ’ t as critical as some of the past disclosures , but it will likely reignite the debate over whether Google , a company with competitive commercial interests , should be leading the way security flaws in rival operating systems are disclosed Vulnerability-related.DiscoverVulnerability in the public interest .

A bloke has told how he discovered Vulnerability-related.DiscoverVulnerability a bug in Valve 's Steam marketplace that could have been exploited Vulnerability-related.DiscoverVulnerability by thieves to steal game license keys and play pirated titles . Researcher Artem Moskowsky told The Register earlier this week that he stumbled Vulnerability-related.DiscoverVulnerability across the vulnerability – which earned him a $ 20,000 bug bounty for reporting Vulnerability-related.DiscoverVulnerability it – by accident while looking over the Steam partner portal . That 's the site developers use to manage the games they make available for download from Steam . A professional bug-hunter and pentester , Moskowsky said he has been doing security research since he was in school , and for the past several years , he has made a career out of finding and reporting Vulnerability-related.DiscoverVulnerability flaws . In this case , while looking through the Steam developer site , he noticed it was fairly easy to change parameters in an API request , and get activation keys for a selected game in return . Those keys , also known as CD keys , can be used to activate and play games downloaded from Steam . The API is provided so developers and their partners can obtain license keys for their titles to pass onto gamers . `` This bug was discovered Vulnerability-related.DiscoverVulnerability randomly during the exploration of the functionality of a web application , '' Moskowsky explained Vulnerability-related.DiscoverVulnerability . `` It could have been used by any attacker who had access to the portal . '' Essentially , anyone who had an account on the developer portal would be able to access the game activation keys for any other game Steam hosted , and sell or distribute them for pirates to use to play games from Steam . Fetching from the /partnercdkeys/assignkeys/ API with a zero key count returned a huge bunch of activation keys . `` To exploit the vulnerability , it was necessary to make only one request , '' Moskowsky told El Reg . `` I managed to bypass the verification of ownership of the game by changing only one parameter . After that , I could enter any ID into another parameter and get any set of keys . '' How severe was the flaw ? Moskowski says that , in one case , he entered a random string into the request , to pick a title at random , and in return he got 36,000 activation keys for Portal 2 , a game that still retails for $ 9.99 in the Steam store . Fortunately for Valve , Moskowsky opted to privately come forward with the flaw via HackerOne . The programming blunder has since been fixed Vulnerability-related.PatchVulnerability . As the HackerOne entry for the vulnerability shows , Moskowsky first submitted the report Vulnerability-related.DiscoverVulnerability on the flaw in early August . Three days later , Valve handed out the $ 15,000 bounty as well as a $ 5,000 bonus for the find , though Valve only allowed the report to go public on October 31 . The researcher told us this is a pretty good turnaround , and Valve in particular is very good with handling researcher requests and paying out bug bounties . Impressively , this $ 20,000 bounty is n't even the biggest payout Moskowsky has received from the games service . Back in July he was given a cool $ 25,000 for weeding out Vulnerability-related.DiscoverVulnerability a SQL Injection bug in the same developer portal .

Ormandy has reported Vulnerability-related.DiscoverVulnerability several critical security flaws in the password manager during the past week , and this weekend he has managed to discover Vulnerability-related.DiscoverVulnerability a new one . “ I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43 . Full report and exploit on the way , ” he stated in his tweet . Ah-ha , I had an epiphany in the shower this morning and realized how to get codeexec in LastPass 4.1.43. pic.twitter.com/vQn20D9VCy — Tavis Ormandy ( @ taviso ) March 25 , 2017 This member of Google ’ s Project Zero security team is already well known for his abilities to locate and report Vulnerability-related.DiscoverVulnerability serious vulnerabilities in many widely used services , and even in the password manager that was supposed to be safe . The comment from LastPass states that the flaw is “ unique and highly sophisticated ” . So far , they have not shared any details that could be exploited Vulnerability-related.DiscoverVulnerability before fixing Vulnerability-related.PatchVulnerability is complete , but this is the second weekend in a row that LastPass security team is on a bug fixing Vulnerability-related.PatchVulnerability duty . They thanked Tavis and others like him for reporting Vulnerability-related.DiscoverVulnerability these sort of problems and helping them make online security even better for the rest of their users . Not everyone was happy about Ormandy ’ s newest twitter news . Some even called him on sharing Vulnerability-related.DiscoverVulnerability the news about the latest bug problem , believing that his actions only cause fear and uncertainty . What they fail to realize Vulnerability-related.DiscoverVulnerability is that all services have to face vulnerabilities from time to time , and all of them get patched up Vulnerability-related.PatchVulnerability as soon as they are discovered Vulnerability-related.DiscoverVulnerability . Most if not all online services have had their fair share Vulnerability-related.DiscoverVulnerability of security issues , and most of them managed to get discovered Vulnerability-related.DiscoverVulnerability and fixed Vulnerability-related.PatchVulnerability by people like Ormandy .

Polish security expert Dawid Golunski has discovered Vulnerability-related.DiscoverVulnerability a zero-day in the WordPress password reset mechanism that would allow an attacker to obtain the password reset link , under certain circumstances . The researcher published his findings Vulnerability-related.DiscoverVulnerability yesterday , after reporting Vulnerability-related.DiscoverVulnerability the flaw to the WordPress security team last July . After more than ten months and no progress , Golunski decided to go public and inform Vulnerability-related.DiscoverVulnerability WordPress site owners of this issue so they could protect their sites by other means . The issue , tracked Vulnerability-related.DiscoverVulnerability via the CVE-2017-8295 identifier , affects Vulnerability-related.DiscoverVulnerability all WordPress versions and is related to how WordPress sites put together the password reset emails . According to Golunski , an attacker can craft a malicious HTTP request that triggers a tainted password reset operation by injecting a custom SERVER_NAME variable , such as `` attacker-domain.com '' . This means that when the WordPress site puts together the password reset email , the `` From '' and `` Return-Path '' values will be in the form of `` wordpress @ attacker-domain.com '' . Most users would think this zero-day is useless , as the attacker would n't achieve anything more than sending Attack.Phishing a password reset email to the legitimate site owner , but from the wrong Sender address . These complex exploitation scenarios are most likely the main reason why the WordPress team has not prioritized patching Vulnerability-related.PatchVulnerability this issue until now . The same opinion is shared by security experts from Sucuri , a vendor of web-based security products , recently acquired by GoDaddy . `` The vulnerability exists Vulnerability-related.DiscoverVulnerability , but is not as critical as advertised for several reasons , '' said Sucuri vulnerability researcher Marc Montpas . `` The whole attack relies on the fact that the victim 's email is not accessible at the time the attack is occurring , which greatly reduces the chance of a successful attack . '' His colleague , Denis Sinegubko , also shared his thoughts on the issue . `` After a brief reading and assuming the attack works , it has limited impact as it requires an individual site to be accessible by IP address , so will not work for most sites on shared servers . Only for poorly configured dedicated servers . '' `` The whole attack scenario is theoretically possible but in practice , I do n't see thousands of sites getting hacked because of this vulnerability any time soon , '' Montpas added . But if some users are not willing to take risks , webmasters managing high-value sites looking for a way to prevent exploitation of this zero-day have some options at their dispossable . `` As a temporary solution users can enable UseCanonicalName to enforce [ a ] static SERVER_NAME value , '' Golunski proposes . On Reddit , other users also recommended that site owners `` create a dummy vhost that catches all requests with unrecognized Host headers . '' Depending on your technical prowess , you can also experiment with other mitigations discussed in this Reddit thread , at least until the WordPress team patches Vulnerability-related.PatchVulnerability this issue .

A hacker that goes by the nickname of Cipher0007 has hacked the Sanctuary Dark Web marketplace . The hacker announced the breach a few hours ago and also posted proof of his intrusion . According to Cipher0007 , the hack took place after he found Vulnerability-related.DiscoverVulnerability an SQL injection flaw in the market 's database . The hacker claims Vulnerability-related.DiscoverVulnerability he used the SQL injection flaw to upload a shell on the market 's server . He then used this backdoor to access Attack.Databreach various parts of the backend and dumped Attack.Databreach the private key used to generate the market 's .onion URL . Cipher0007 also says he used the market 's phpMyAdmin installation to dump Attack.Databreach details on the database configuration and other login information . At the time of writing , the market 's phpMyAdmin login page was still exposed to external connections . To prove his claims , the hacker posted online a screengrab while uploading the shell to the Sanctuary market 's server , the market 's 1024 bit RSA private key , and the market 's root account database login information . The Sanctuary market is a small Dark Web market , and one of the few places where digital products such as data dumps , malware , and others , are far more prevalent than drugs and weapons . The admin of the Sanctuary market did not respond to a request for comment from Bleeping Computer in time for this article 's publication . Cipher0007 has a reputation in the hacking underground already . In January , the hacker collected an unspecified Bitcoin reward for reporting Vulnerability-related.DiscoverVulnerability a bug to the AlphaBay staff that would have allowed an attacker access to over 218,000 private messages . AlphaBay is today 's biggest Dark Web market , and access to those PMs would have allowed an attacker insight into the operations of many sellers and vendors .