The two vulnerabilities are critical remote code execution flaws that exist in Vulnerability-related.DiscoverVulnerability Adobe Photoshop CC . Adobe hurried out Vulnerability-related.PatchVulnerability unscheduled patches today for two critical flaws that could enable remote code-execution in Photoshop CC . The patches impact Vulnerability-related.PatchVulnerability two memory corruption vulnerabilities in Adobe Photoshop products , including Photoshop CC 2018 ( v 19.1.6 ) and Photoshop CC 2017 ( v 18.1.6 ) , both for Windows and macOS . The release comes Vulnerability-related.PatchVulnerability only a week after the company fixed Vulnerability-related.PatchVulnerability a slew of glitches last Patch Tuesday . “ Adobe has released Vulnerability-related.PatchVulnerability updates for Photoshop CC for Windows and macOS , ” the company said in a Wednesday security bulletin . “ These updates resolve Vulnerability-related.PatchVulnerability critical vulnerabilities in Photoshop CC 19.1.5 and earlier 19.x versions , as well as 18.1.5 and earlier 18.x versions . Successful exploitation could lead to arbitrary code-execution in the context of the current user. ” Both vulnerabilities ( CVE-2018-12810 ) and ( CVE-2018-12811 ) are critical remote code-execution flaws , according to the advisory , but further details around both flaws are not available . Kushal Arvind Shah of Fortinet ’ s FortiGuard Labs was credited with reporting Vulnerability-related.DiscoverVulnerability the two flaws . Adobe said impacted users need to apply Vulnerability-related.PatchVulnerability the fixes to the affected versions of Photoshop by updating to version 19.1.6 ( via the applications ’ update mechanism ) . Last week , Adobe released Vulnerability-related.PatchVulnerability 11 total fixes for an array of products , including two critical patches for Acrobat and Reader for Windows and macOS . Exploitation of those two vulnerabilities could lead to arbitrary code execution in the context of the current user . Adobe said in an email that it is not aware of any exploits in the wild for the flaws . The update is a priority 3 in severity , meaning that it resolves vulnerabilities in a product that has historically not been a target for attackers , according to the company ’ s ranking system . In this case I would expect there may have been a disclosure deadline and the release did not make this month ’ s typical release cycle but needed to release before September ’ s release cycle . ”

It has not been a good week for PDF programs . We had an Adobe Acrobat & Reader update released Vulnerability-related.PatchVulnerability yesterday that fixed Vulnerability-related.PatchVulnerability 86 vulnerabilities , including numerous critical ones . Not to be beaten , an update for Foxit PDF Reader and Foxit PhantomPDF was released Vulnerability-related.PatchVulnerability last Friday that fixes Vulnerability-related.PatchVulnerability a whopping 116 vulnerabilities , with 18 of them being discovered Vulnerability-related.DiscoverVulnerability by the Cisco Talos group . All of the 18 vulnerabilities found Vulnerability-related.DiscoverVulnerability by Cisco Talos , as well as many others fixed Vulnerability-related.PatchVulnerability by this update , are labeled as critical because they could lead to code execution . This would allow attackers to create Attack.Phishing specially crafted web pages or PDFs that could exploit these vulnerabilities to execute commands or install malware on vulnerable computers . Of the 18 vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability by Cisco , 12 of them could be exploited Vulnerability-related.DiscoverVulnerability simply by visiting a web site when the Foxit PDF browser plugin is enabled . Foxit suggests that all users of Foxit PDF Reader and Foxit PhantomPDF upgrade Vulnerability-related.PatchVulnerability to version 9.3 to resolve Vulnerability-related.PatchVulnerability these vulnerabilities . Foxit PDF Reader 9.3 can be downloaded here and Foxit PhantomPDF can be downloaded here . It is strongly suggested that all users install this update . The full list of patched vulnerabilities is below and more information about who discovered Vulnerability-related.DiscoverVulnerability the vulnerabilities can be found Vulnerability-related.DiscoverVulnerability in Foxit 's security bulletin .

A privilege escalation flaw in McAfee 's True Key software remains open to exploitation despite multiple attempts to patch Vulnerability-related.PatchVulnerability it . This according to researchers with security shop Exodus Intel , who claim Vulnerability-related.DiscoverVulnerability that CVE-2018-6661 was not fully addressed Vulnerability-related.PatchVulnerability with either of the two patches McAfee released Vulnerability-related.PatchVulnerability for it . The flaw is an elevation of privilege issue in McAfee 's TrueKey password manager . An exploit can be carried out on a guest account by side-loading a specially-crafted DLL into True Key that would then allow for commands and code to be executed with system-level privileges . McAfee 's summary of the flaw , published Vulnerability-related.DiscoverVulnerability on March 30 , lists it as a 'high ' severity issue that was patched Vulnerability-related.PatchVulnerability in version 4.20.110 - which was released Vulnerability-related.PatchVulnerability in April . Exodus says that the April release did n't fully fix Vulnerability-related.PatchVulnerability the bug , however . The researchers explain that McAfee 's patch only addresses Vulnerability-related.PatchVulnerability one of the libraries ( SDKLibAdapter ) that would allow the attack to take place , with another DLL ( NLog logging library ) being left vulnerable Vulnerability-related.DiscoverVulnerability to the same side-loading tactic . `` The patch is incomplete because it overlooks this and hence the nlog.dll can be utilized to allow arbitrary code execution just as the McAfee.TrueKey.SDKLibAdapter.dll could be used in versions prior to the patch , '' Exodus researchers Omar El-Domeiri and Gaurav Baruah said . `` Furthermore , any other McAfee signed binary can be used to exploit the vulnerability as long as the binary depends on a DLL outside the list of known DLLs . '' Exodus said Vulnerability-related.DiscoverVulnerability that it notified Vulnerability-related.DiscoverVulnerability McAfee of the issue back in August , prompting Vulnerability-related.PatchVulnerability a second patch that , unfortunately , also failed to fully remedy Vulnerability-related.PatchVulnerability the issue . `` However , we tested the latest version available ( 5.1.173.1 as of September 7th , 2018 ) and found Vulnerability-related.DiscoverVulnerability that it remains vulnerable Vulnerability-related.DiscoverVulnerability requiring no changes to our exploit . '' To its credit , McAfee acknowledged Vulnerability-related.DiscoverVulnerability the issue and said it is still working to fully resolve Vulnerability-related.PatchVulnerability the flaw . `` McAfee has been working with the researchers to confirm Vulnerability-related.DiscoverVulnerability their findings , and has provided customers mitigation guidance to allow them to protect themselves until the company can address Vulnerability-related.PatchVulnerability the reported issues via automatic product updates , '' McAfee told The Register . In the meantime , McAfee says customers can use the True Key browser extension ( which is not subject to the DLL vulnerability ) rather than the Windows application .

If you own a Google Pixel or Google Pixel XL , you ’ re probably wondering where your November security patch update is . Although most Google devices — including older Nexus devices — received Vulnerability-related.PatchVulnerability the patch at the beginning of the month as detailed below , the original Pixel lineup was left high and dry . Today , finally , the patch is here . You can wait for the OTA to hit your device , or you can use the links below to manually install . We ’ re not quite sure why this took so long , but hopefully , the December patch will be a bit more uniform . Right on schedule , Google has released Vulnerability-related.PatchVulnerability Android ’ s October security patch . As it ’ s the first update to make its way to the Pixel 3 and Pixel 3 XL , it should include some bug fixes . Unfortunately , it won ’ t resolve Vulnerability-related.PatchVulnerability the memory issues just yet . The November patch itself includes fixes for 17 security vulnerabilities . The most severe bugs included an issue in the media framework and the ability for a remote attacker to execute arbitrary code through a crafted file . Fortunately , Google doesn ’ t believe that either of these were used to harm users . The November security patch includes several bug fixes and improvements specifically for Pixel devices . As Google notes , this update should help with notification stability on Pixel 2 and Pixel 3 handsets as well as improve picture-in-picture performance on the four handsets . Sadly , the November security patch will likely be the last update pushed Vulnerability-related.PatchVulnerability to the Pixel C , Nexus 6P , and Nexus 5X . As Google only guarantees firmware upgrades for two years after a device is released and security patches for three , the search giant is no longer obligated to support the two phone or tablet . Of course , this doesn ’ t mean that your devices are no longer usable . Even if you no longer get official support from Google , there are large developer communities that build ROMs that brings Vulnerability-related.PatchVulnerability the latest security patches and Android features to all of Google ’ s abandoned devices . If you don ’ t want to wait for the November security patch to make its way to your phone , you can download the latest factory image or OTA file from the links below . From there , you can either flash a fresh build to your phone or sideload the OTA update . The November security patch is also making its way to the Essential Phone . In addition to the resolved issues addressed Vulnerability-related.PatchVulnerability above , this update brings support for the company ’ s Audio Adapter HD module .

Microsoft has released Vulnerability-related.PatchVulnerability an emergency security update to patch Vulnerability-related.PatchVulnerability below-reported crazy bad remote code execution vulnerability in its Microsoft Malware Protection Engine ( MMPE ) that affects Vulnerability-related.DiscoverVulnerability Windows 7 , 8.1 , RT and 10 computers , as well as Windows Server 2016 operating systems . Google Project Zero 's security researchers have discovered Vulnerability-related.DiscoverVulnerability another critical remote code execution ( RCE ) vulnerability in Microsoft ’ s Windows operating system , claiming that it is something truly bad . Tavis Ormandy announced during the weekend that he and another Project Zero researcher Natalie Silvanovich discovered Vulnerability-related.DiscoverVulnerability `` the worst Windows remote code [ execution vulnerability ] in recent memory . This is crazy bad . Report on the way . '' Ormandy did not provide Vulnerability-related.DiscoverVulnerability any further details of the Windows RCE bug , as Google gives a 90-day security disclosure deadline to all software vendors to patch Vulnerability-related.PatchVulnerability their products and disclose Vulnerability-related.DiscoverVulnerability it to the public . This means the details of the new RCE vulnerability in Windows will likely be disclosed Vulnerability-related.DiscoverVulnerability in 90 days from now even if Microsoft fails to patch Vulnerability-related.PatchVulnerability the issue . However , Ormandy later revealed Vulnerability-related.DiscoverVulnerability some details of the Windows RCE flaw , clarifying that : The vulnerability they claimed to have discovered Vulnerability-related.DiscoverVulnerability works against default Windows installations . The attacker does not need to be on the same local area network ( LAN ) as the victim , which means vulnerable Windows computers can be hacked remotely . The attack is `` wormable , '' capability to spread itself . Despite not even releasing any technical details on the RCE flaw , some IT professionals working for corporates have criticized the Google Project Zero researcher for making the existence of the vulnerability public , while Twitter 's infosec community is happy with the work . `` If a tweet is causing panic or confusion in your organization , the problem is n't the tweet , the problem is your organization , '' Project Zero researcher Natalie Silvanovich tweeted . This is not the first time when Google 's security researchers have discovered Vulnerability-related.DiscoverVulnerability flaws in Microsoft ’ s products . Most recently in February , Google researchers disclosed Vulnerability-related.DiscoverVulnerability the details of an unpatched vulnerability impacting Vulnerability-related.DiscoverVulnerability Microsoft 's Edge and Internet Explorer browsers . Microsoft released Vulnerability-related.PatchVulnerability a patch as part of its next Patch Tuesday but criticized Google for making all details public , exposing millions of its Windows users at risk of being hacked . Microsoft has not yet responded to the latest claims , but the company has its May 2017 Patch Tuesday scheduled tomorrow , May 9 , so hopefully , it will include a security patch to resolve Vulnerability-related.PatchVulnerability this issue .