a number of security vulnerabilities in the last scheduled monthly update of this year. All these patches specifically addressed bugs in Adobe Reader and Acrobat. Allegedly, the Adobe December Patch Tuesday update fixed as many as 86 different vulnerabilities, including 38 critical security flaws. This week, Adobe rolled out the last scheduled monthly updates for its products. While the previous month's update included bug fixes in Flash Player, the Adobe December Patch Tuesday update bundle remained focused on Adobe Reader and Acrobat. As many as 38 different critical security bugs received patches with this update. The vulnerabilities include 2 buffer errors, 2 untrusted pointer dereference vulnerabilities, 5 out-of-bounds write vulnerabilities, 3 heap overflow bugs, and 23 use-after-free vulnerabilities. All of these could allegedly lead to arbitrary code execution by a potential attacker. In addition, 3 security bypass vulnerabilities also received fixes with this update. These flaws could allow privilege escalation on the targeted systems. In addition to the above, Adobe also released fixes for 48 important security vulnerabilities. These include 43 out-of-bounds read vulnerabilities, 4 integer overflow bugs, and a single security bypass bug. All of these could allegedly result in information disclosure. As stated in Adobe's advisory, the affected software for Windows includes Acrobat DC and Acrobat Reader DC (Continuous track) versions 2019.008.20081 and earlier, Adobe Acrobat 2017 and Acrobat Reader 2017 (Classic 2017 track) versions 2017.011.30106 and earlier, and Acrobat DC and Acrobat Reader DC (Classic 2015 track) versions 2015.006.30457 and earlier.

For macOS, the affected programs include Acrobat DC and Acrobat Reader DC (Continuous track) versions 2019.008.20080 and earlier, Adobe Acrobat 2017 and Acrobat Reader 2017 (Classic 2017 track) versions 2017.011.30105 and above, and Acrobat DC and Acrobat Reader DC (Classic 2015 track) versions 2015.006.30456 and above. Adobe has patched all 86 vulnerabilities in the recently released versions of the respective software. The patched versions are Acrobat DC and Acrobat Reader DC version 2019.010.20064 (Continuous track), Acrobat 2017 and Acrobat Reader DC 2017 (Classic 2017) version 2017.011.30110, and Acrobat DC and Acrobat Reader DC (Classic 2015 track) version 2015.006.30461. Users of both Windows and macOS should therefore update their systems and download the latest versions of the affected software to stay protected from these vulnerabilities. This month's scheduled update bundle did not address any security flaws in Flash Player. Nonetheless, Adobe recently patched a critical Flash vulnerability that had already been disclosed to the public.
Virgin Media has – perhaps rather belatedly – fixed a series of vulnerabilities in its Super Hub 3.0 home broadband router modem, more than 18 months after they were reported. Balazs Bucsay, managing security consultant at NCC Group, says that after receiving one of the devices as a home customer and examining it for a few hours, he was quickly able to find a remote command execution bug. He uncovered many others during the following days. Eventually, he says, he was able to create a full chain of exploits that made it possible to authenticate remotely as an administrator on the router. This could potentially allow a hacker to take control of millions of these devices, installing backdoors in a way that would be extremely hard to find and investigate. "After hacking into my own Super Hub 3.0, I was able to find multiple security flaws within the router's firmware and combine these to create an exploit that could have been hidden within webpages and sent to other unsuspecting owners via scam emails or other methods," Bucsay tells The Daily Swig. "If customers had opened the webpages and activated the exploit, hackers could have gained unauthorized access to their modems and other devices on the victim's home network, enabling them to spy on online activity and even execute their own commands on the devices." Bucsay reported the vulnerabilities to Virgin Media in March 2017, but says they weren't fixed until the end of July this year. "The proposed roll-out date was postponed many times," he says. However, a Virgin Media spokeswoman defended the company's actions.

"The online security of our customers is a top priority for Virgin Media and the issues described by NCC have been fixed," she told The Daily Swig. "We have seen no evidence that these advanced technical exploits, carried out by NCC as a proof of concept, were used maliciously to impact customers." With the patch rolled out in August, Super Hub 3.0 users don't need to do anything extra to protect themselves. "However, this research should remind consumers that no connected device is inherently secure, and that they should consider additional security measures around their home network, such as using password managers and different passwords for each device and service," Bucsay warns. He also urged internet service providers to be more proactive in checking the security of any third-party devices they use.
Microsoft rolled out 60 patches for its Patch Tuesday release, covering 19 critical flaws and 39 important flaws. Microsoft has rolled out its August Patch Tuesday fixes, addressing 19 critical vulnerabilities, including fixes for two zero-day vulnerabilities that are under active attack. Overall, the company patched a total of 60 flaws, spanning Microsoft Windows, Edge, Internet Explorer (IE), Office, .NET Framework, ChakraCore, Exchange Server, Microsoft SQL Server and Visual Studio. Of those, 19 were critical, 39 were rated important, one was moderate and one was rated low in severity. The patch release includes two exploited flaws, CVE-2018-8373 and CVE-2018-8414, which were previously disclosed by researchers. The first zero-day, CVE-2018-8373, could result in remote code execution (RCE) and grants the same privileges as the logged-in user, including administrative rights. The vulnerability exists in IE 9, 10 and 11, impacting all Windows operating systems from Server 2008 to Windows 10. Meanwhile, CVE-2018-8414 also enables RCE with the privileges of the logged-in user, and exists on Windows 10 versions 1703 and newer, as well as Server 1709 and Server 1803. "The two zero-day vulnerabilities are … publicly disclosed and exploited," said Chris Goettl, director of product management, security, for Ivanti, in an email. "CVE-2018-8373 is a vulnerability that exists in the way that the scripting engine handles objects in memory in Internet Explorer.

The CVE-2018-8414 code-execution vulnerability exists when the Windows Shell does not properly validate file paths." Microsoft also issued fixes for security issues that don't impact Windows, but the company thought they were important enough to package into its OS updates, dubbed advisories. Microsoft's Patch Tuesday comes after the company found itself in hot water last month, when its new update model caused stability issues for Windows operating systems and applications, particularly in July. The model irked customers so much that enterprise patching veteran Susan Bradley wrote an open letter to Microsoft executives expressing the "dissatisfaction your customers have with the updates released for Windows desktops and servers in recent months."
A decade ago, cross-site request forgery (CSRF, often pronounced "c-surf") was considered to be a sleeping giant, preparing to wake and inflict havoc on the World Wide Web. But the doomsday scenario never materialized, and you don't even seem to hear much about it anymore. In this blog post, part 1 of 2, I will explore this idea and try to understand why the CSRF giant never awoke. First we'll cover the overall threat landscape, trends, and some notable CSRF exploits throughout the years, including one from personal experience. As a quick review, CSRF exists because web applications trust the cookies sent by web browsers within an HTTP request. In a CSRF attack, the attacker causes a victim's browser to make a request that results in a change or action which benefits the attacker (and/or harms the victim) in some way. Without a specific defense – like a random token in the request body that is validated on the server side – CSRF attacks are possible. After a bit of testing, my suspicions were confirmed. All requests that caused any sort of change could be exploited with CSRF. This included:

I contacted the company to let them know about these security holes. Surprisingly, they didn't seem to be aware there was such a thing as CSRF, but they thanked me anyway and rolled out a fix about a month later. There have been other notable instances of CSRF vulnerabilities, some of them exploited in the wild. Drive-by pharming is an attack on the DNS settings of home routers and modems and often leverages CSRF as a key element. The web UIs on these devices are the culprit, because they allow users to edit configuration settings. In one attack from 2008, banking customers in Mexico who owned 2Wire DSL modems were targeted.

Victims received an email with an embedded image tag carrying a CSRF attack that changed the DNS settings on their modem. In another instance, tens of thousands of Twitter users fell victim to a CSRF worm in 2010 when developers failed to implement anti-CSRF measures for tweets. The vulnerability was discovered and exploited in a rather distasteful but harmless way. When authenticated Twitter users visited the web page containing the exploit, they unknowingly posted two tweets – one with a link to the same page and another with a message about goats. Anyone who clicked on the link in the first tweet also posted the same two tweets. The worm spread like wildfire before it was fixed by Twitter. In 2012 Facebook's App Center was vulnerable to CSRF, and the security researcher who discovered the flaw was awarded $5000 as a bounty. Interestingly, in this case the HTTP request included an anti-CSRF token that appeared at first glance to provide protection, but the token was not being validated by the server-side application when the request was received. A Qualys researcher found other examples where anti-CSRF tokens were not properly validated. And similar to the Facebook issue mentioned above, PayPal in 2016 did not validate the anti-CSRF token in paypal.me. In that case, however, an attacker could only change a user's profile photo.
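The token-validation point above, as an added Python example that is not from the original post: a hypothetical photo-change handler in three forms, the cookie-only version, the version that requires a token but never checks it (the App Center and paypal.me pattern described above), and the fixed version that compares the submitted token with the per-session secret. The session store, handler names and request data are constructed for illustration.

```python
import hmac
import secrets
# Constructed in-memory session store (hypothetical app); each session gets a random token at login.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16), "photo": "old.png"},
}

def _session_from_cookie(cookies):
    return SESSIONS.get(cookies.get("session_id"))  # the browser sends this cookie on every request

def change_photo_no_token(cookies, form):
    """Vulnerable: the cookie alone authorises the change, so a forged request succeeds."""
    session = _session_from_cookie(cookies)
    if session is None:
        return 401
    session["photo"] = form.get("photo")
    return 200

def change_photo_token_unchecked(cookies, form):
    """Looks protected (the App Center / paypal.me pattern): token must be present but is never compared."""
    session = _session_from_cookie(cookies)
    if session is None:
        return 401
    if "csrf_token" not in form:
        return 403
    session["photo"] = form.get("photo")
    return 200

def change_photo_token_validated(cookies, form):
    """Fixed: the submitted token must equal the per-session secret (constant-time compare)."""
    session = _session_from_cookie(cookies)
    if session is None:
        return 401
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf_token"]):
        return 403
    session["photo"] = form.get("photo")
    return 200

# Constructed forged request: a third-party page can make the browser attach the cookie but cannot read the token.
VICTIM_COOKIES = {"session_id": "sess-alice"}
FORGED_FORM = {"photo": "attacker.png", "csrf_token": "guess"}

def simulate():
    """Status of the forged request under each handler, then of a legitimate request under the fix."""
    legit_form = {"photo": "me.png", "csrf_token": SESSIONS["sess-alice"]["csrf_token"]}
    return (change_photo_no_token(VICTIM_COOKIES, FORGED_FORM),
            change_photo_token_unchecked(VICTIM_COOKIES, FORGED_FORM),
            change_photo_token_validated(VICTIM_COOKIES, FORGED_FORM),
            change_photo_token_validated(VICTIM_COOKIES, legit_form))
```

Only the third handler rejects the forged request (403) while still accepting the legitimate one, which is the difference between a token that is merely present and one that is actually validated.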
Remember that giant poster that Apple put up in Las Vegas during the recent Consumer Electronics Show stating that what happens on your iPhone stays on your iPhone? I'm willing to bet many at Apple are trying hard to forget it right now as news breaks of a vulnerability in the group functionality of its FaceTime application that allows users to eavesdrop on the people being called, even if they didn't pick up the call! The shockingly simple exploit works with any pair of iOS devices running iOS 12.1 or later. "The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone - before the person on the other end has accepted or rejected the incoming call," according to Benjamin Mayo at 9to5Mac, who first broke the story and adds "there's a second part to this which can expose video too..." The exploit really is stupidly easy to pull off, essentially just requiring the caller to add their own number while a call is dialing in order to start a group chat that includes themselves and the audio of the person being called. It doesn't matter if the recipient has accepted the call or not; all audio captured while the iPhone is ringing can be heard by the caller. If the recipient presses the power button from the lock screen, used to accept or reject the incoming FaceTime chat, then video is also sent to the caller. One user, @Jessassin, tweeted that if you join the call using your invitation on another iPhone then you also get the video stream despite the call not being answered on the destination device. What's more, the bug isn't limited to iPhone users: if the recipient is using a Mac then, as it rings for longer by default than a handset, the eavesdropping can potentially continue for a longer period.

This is particularly worrying as a Mac user may well be away from the device for a long time, certainly more so than we are from our smartphones, and during that time anyone could be listening in on whatever was happening in that house or office. So, what do you need to do now? The good news is that Apple has responded by temporarily suspending the Group FaceTime functionality until a permanent fix can be rolled out. An Apple spokesperson told BuzzFeed that a fix "will be released in a software update later this week." However, there have been reports of some users still being able to exploit the eavesdropping vulnerability even after Apple made this announcement, 9to5Mac being among them.