LONDON — The U.K. agency tasked with fighting cyberthreats on Thursday announced a new process for the public disclosure Vulnerability-related.DiscoverVulnerability of potentially sensitive software flaws , introducing a new level of transparency to its work . The National Cyber Security Centre laid out its new procedure , called the `` Equities Process '' in a blog post that details how it makes decisions on whether to make public Vulnerability-related.DiscoverVulnerability the discovery of new flaws . National security operations sometimes hold back from announcing Vulnerability-related.DiscoverVulnerability the discovery of security flaws in part because the bugs can be used to gather intelligence . “ There ’ s got to be a good reason not to disclose , ” said Ian Levy , technical director at the NCSC . The default position , the NCSC said , is to disclose Vulnerability-related.DiscoverVulnerability those vulnerabilities to the public after fixes have been made Vulnerability-related.PatchVulnerability . The government will only keep them confidential in rare instances , such as if there ’ s an overriding intelligence reason . Levy said withholding release of a bug will require high-level government sign-off . The goal is to prevent cyberattacks Attack.Ransom like “ WannaCry , ” which paralyzed computer systems around the world in May 2017 . The attack , which the U.S. has blamed on North Korea , wrought havoc within the U.K. ’ s National Health Service ( NHS ) by exploiting vulnerabilities in an outdated version of Microsoft Windows . WannaCry underscored the dangers of not patching Vulnerability-related.PatchVulnerability or updating Vulnerability-related.PatchVulnerability software . The NCSC ’ s disclosure policy follows one implemented by the White House in 2017 . The National Security Agency ( NSA ) had come under intense pressure from transparency advocates to disclose more about its work in the wake of WannaCry . “ The best defense against a cyberattack , whether it ’ s by criminals or nation states , is to keep your box up to date , ” said Levy . “ If you patch Vulnerability-related.PatchVulnerability your software , a lot of the stuff that we ’ ve found goes away. ” The vast majority of attacks are carried out by exploiting vulnerabilities already known to the vendors of the technology in question , Levy said . Such was the case when Russian cyberoperatives hacked into British telecoms companies in 2017 . Levy said the primary goal of more transparency is to “ bang the drum ” about basic cybersecurity , like patching Vulnerability-related.PatchVulnerability and secure network setups .

Adobe has patched Vulnerability-related.PatchVulnerability a number of security vulnerabilities on the last scheduled monthly update of this year . All these patches specifically addressed Vulnerability-related.PatchVulnerability bugs in Adobe Reader and Acrobat . Allegedly , Adobe December Patch Tuesday Update fixed Vulnerability-related.PatchVulnerability as much as 86 different vulnerabilities , including 38 critical security flaws . This week , Adobe rolled out Vulnerability-related.PatchVulnerability the last scheduled monthly updates for its products . While the previous month ’ s update included bug fixes in Flash Player , the Adobe December Patch Tuesday update bundle remained focused on Adobe Reader and Acrobat . As much as 38 different critical security bugs received Vulnerability-related.PatchVulnerability patches with this update . The vulnerabilities include 2 buffer errors , 2 Untrusted pointer dereference vulnerabilities , 5 out-of-bounds write vulnerabilities , 3 heap overflow bugs , and 23 use after free vulnerabilities . All these vulnerabilities could allegedly lead to arbitrary code execution by a potential attacker . In addition , 3 security bypass vulnerabilities also received Vulnerability-related.PatchVulnerability fixes with this update . These flaws could allow privilege escalation on the targeted systems . In addition to the above , Adobe also released Vulnerability-related.PatchVulnerability fixes for 48 important security vulnerabilities . These include , 43 out-of-bounds read vulnerabilities , 4 integer overflow bugs , and a single security bypass bug . All these could allegedly result in information disclosure . As stated in Adobe ’ s advisory , the affected software include the following for Windows , Acrobat DC and Acrobat Reader DC ( continuous track ) versions 2019.008.20081 and earlier , Adobe Acrobat 2017 and Acrobat Reader 2017 ( Classic 2017 track ) versions 2017.011.30106 and earlier , Acrobat DC and Acrobat Reader DC ( Classic 2015 track ) versions 2015.006.30457 and earlier . Whereas , in the case of MacOS , the affected programs include , Acrobat DC and Acrobat Reader DC ( continuous track ) versions including and prior to 2019.008.20080 , Adobe Acrobat 2017 and Acrobat Reader 2017 ( track Classic 2017 ) versions 2017.011.30105 and above , Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) versions 2015.006.30456 and above . Adobe has patched Vulnerability-related.PatchVulnerability all 86 vulnerabilities in the recently released versions of the respective software . The patched versions include Acrobat DC and Acrobat Reader DC versions 2019.010.20064 ( continuous track ) , Acrobat 2017 and Acrobat Reader DC 2017 ( Classic 2017 ) version 2017.011.30110 , and Acrobat DC and Acrobat Reader DC ( track Classic 2015 ) version 2015.006.30461 . Users of both Windows and MacOS should , therefore , ensure updating Vulnerability-related.PatchVulnerability their systems and download the latest versions of the affected software to stay protected from these vulnerabilities . This month ’ s scheduled update bundle did not address Vulnerability-related.PatchVulnerability any security flaws in Flash Player . Nonetheless , lately , Adobe already patched Vulnerability-related.PatchVulnerability a critical Flash vulnerability already disclosed Vulnerability-related.DiscoverVulnerability to the public .

WhatsApp has patched Vulnerability-related.PatchVulnerability a vulnerability in its smartphone code that could have been exploited Vulnerability-related.DiscoverVulnerability by miscreants to crash victims ' chat app simply by placing a call . Google Project Zero whizkid and Tamagotchi whisperer Natalie Silvanovich discovered and reported Vulnerability-related.DiscoverVulnerability the flaw , a memory heap overflow issue , directly to WhatsApp in August . Now that a fix is out Vulnerability-related.PatchVulnerability , Silvanovich can go public Vulnerability-related.DiscoverVulnerability with details on the potentially serious flaw . According to Silvanovich 's report , the bug is triggered when a user receives a malformed RTP packet , triggering the corruption error and crashing the application . In practice , the malformed packet that triggers the crash could be sent via a simple call request . `` This issue can occur when a WhatsApp user accepts a call from a malicious peer , '' Silvanovich explained . `` It affects both the Android and iPhone clients . '' While Silvanovich has not said whether further actions ( like remote code execution ) would be possible to pull off in the wild , the flaw was serious enough to draw the attention of fellow Google researcher Tavis Ormandy . Fortunately , as the bug has been patched Vulnerability-related.PatchVulnerability users will be able to get Vulnerability-related.PatchVulnerability a fix for the flaw by updating Vulnerability-related.PatchVulnerability to the latest version of WhatsApp on Android and iOS . We 're still waiting to hear from Google or Facebook on more details , such as if the desktop app is affected of if RCE is possible , but its PR team has a lot on today . The disclosure will add another to the growing list of apps that will need to be updated thanks to October security patches . Earlier today , Microsoft delivered Vulnerability-related.PatchVulnerability its Patch Tuesday security bundle , with Adobe dropping Vulnerability-related.PatchVulnerability its second major patch bundle in as many weeks and Google having posted Vulnerability-related.PatchVulnerability the Android monthly update last week .

This week , Adobe has released Vulnerability-related.PatchVulnerability its very first Patch Tuesday update bundle for the year 2019 . The Adobe January Patch Tuesday updates brought fixes for security vulnerabilities in Adobe Digital Editions and Adobe Connect . It has also released Vulnerability-related.PatchVulnerability patches for Flash Player , but they are not security fixes . This Tuesday , Adobe has rolled-out Vulnerability-related.PatchVulnerability scheduled monthly updates for its products . However , this time , it has particularly focused on Adobe Digital Editions and Adobe Connect for security fixes . Besides , the update bundle is relatively smaller , unlike the previous updates that addressed Vulnerability-related.PatchVulnerability tens of vulnerabilities . According to the security advisory , Adobe has fixed Vulnerability-related.PatchVulnerability an important security vulnerability in Adobe Digital Editions . Describing the problem , they stated , “ Successful exploitation could lead to information disclosure in the context of the current user. ” Reportedly , it ’ s an out of bounds read flaw ( CVE-2018-12817 ) that affected Vulnerability-related.DiscoverVulnerability the software version 4.5.9 and earlier for all platforms , i.e. , Windows , MacOS , Android and iOS . Users should ensure updating Vulnerability-related.PatchVulnerability their devices with the patched Adobe Digital Editions version 4.5.10 . In addition to the above , another important vulnerability existed in Vulnerability-related.DiscoverVulnerability Adobe Connect that could result in session token exposure . As stated in the advisory , the vulnerability ( CVE-2018-19718 ) could “ lead to exposure of privileges granted to a session. ” The vulnerability affected Vulnerability-related.DiscoverVulnerability the Adobe Connect versions 9.8.1 and earlier for all platforms . Users should , hence , ensure updating Vulnerability-related.PatchVulnerability their systems with the patched version 10.1 . Besides the two security fixes , Adobe have released Vulnerability-related.PatchVulnerability patches for Flash Player as well addressing Vulnerability-related.PatchVulnerability performance issues . As described in the Adobe advisory , “ Adobe has released Vulnerability-related.PatchVulnerability updates for Adobe Flash Player for Windows , macOS , Linux and Chrome OS . These updates address Vulnerability-related.PatchVulnerability feature and performance bugs , and do not include security fixes. ” The patched Flash Player version 32.0.0.114 has been rolled-out to be downloaded Vulnerability-related.PatchVulnerability across all platforms . This time , the update bundle did not address Vulnerability-related.PatchVulnerability security problems in Adobe Reader or Acrobat . However , the vendors already released Vulnerability-related.PatchVulnerability security fixes for them in the previous week . The patch addressed Vulnerability-related.PatchVulnerability two critical vulnerabilities ( CVE-2018-16011 and CVE-2018-16018 ) that could result in arbitrary code execution and privilege escalation respectively .

This week , Adobe has released Vulnerability-related.PatchVulnerability its very first Patch Tuesday update bundle for the year 2019 . The Adobe January Patch Tuesday updates brought fixes for security vulnerabilities in Adobe Digital Editions and Adobe Connect . It has also released Vulnerability-related.PatchVulnerability patches for Flash Player , but they are not security fixes . This Tuesday , Adobe has rolled-out Vulnerability-related.PatchVulnerability scheduled monthly updates for its products . However , this time , it has particularly focused on Adobe Digital Editions and Adobe Connect for security fixes . Besides , the update bundle is relatively smaller , unlike the previous updates that addressed Vulnerability-related.PatchVulnerability tens of vulnerabilities . According to the security advisory , Adobe has fixed Vulnerability-related.PatchVulnerability an important security vulnerability in Adobe Digital Editions . Describing the problem , they stated , “ Successful exploitation could lead to information disclosure in the context of the current user. ” Reportedly , it ’ s an out of bounds read flaw ( CVE-2018-12817 ) that affected Vulnerability-related.DiscoverVulnerability the software version 4.5.9 and earlier for all platforms , i.e. , Windows , MacOS , Android and iOS . Users should ensure updating Vulnerability-related.PatchVulnerability their devices with the patched Adobe Digital Editions version 4.5.10 . In addition to the above , another important vulnerability existed in Vulnerability-related.DiscoverVulnerability Adobe Connect that could result in session token exposure . As stated in the advisory , the vulnerability ( CVE-2018-19718 ) could “ lead to exposure of privileges granted to a session. ” The vulnerability affected Vulnerability-related.DiscoverVulnerability the Adobe Connect versions 9.8.1 and earlier for all platforms . Users should , hence , ensure updating Vulnerability-related.PatchVulnerability their systems with the patched version 10.1 . Besides the two security fixes , Adobe have released Vulnerability-related.PatchVulnerability patches for Flash Player as well addressing Vulnerability-related.PatchVulnerability performance issues . As described in the Adobe advisory , “ Adobe has released Vulnerability-related.PatchVulnerability updates for Adobe Flash Player for Windows , macOS , Linux and Chrome OS . These updates address Vulnerability-related.PatchVulnerability feature and performance bugs , and do not include security fixes. ” The patched Flash Player version 32.0.0.114 has been rolled-out to be downloaded Vulnerability-related.PatchVulnerability across all platforms . This time , the update bundle did not address Vulnerability-related.PatchVulnerability security problems in Adobe Reader or Acrobat . However , the vendors already released Vulnerability-related.PatchVulnerability security fixes for them in the previous week . The patch addressed Vulnerability-related.PatchVulnerability two critical vulnerabilities ( CVE-2018-16011 and CVE-2018-16018 ) that could result in arbitrary code execution and privilege escalation respectively .

A Warwick company ’ s managing director is warning other businesses to protect themselves from cyber criminals after being held to ransom Attack.Ransom . Kettell Video Productions was targeted by tech scammers who infected its IT systems with viruses before demanding Attack.Ransom £1,000 in online currency Bitcoins or the files would be permanently deleted . Luckily , owner Stuart Kettell routinely backs up all his company ’ s systems so nothing was lost but he warned others to do the same to avoid disaster . “ It was scary : I had no idea about cyber-attacks before and really didn ’ t know what to do , ” he said . “ Critical files , including images and videos for clients , were wiped out along with a lifetime of personal memories . “ The affected files were lost for good – the only way to recover them was with the key code held by the blackmailer – but luckily I back-up everything to an external data cartridge . “ In the end it was more an inconvenience…but it could have threatened the business . “ I would strongly urge all business owners to back-up their essential files. ” Mr Kettell acted quickly when he realised the audio-visual specialists in Arlescote Close were under attack by the web sharks in December , 2015 . “ I noticed all my photos , videos and pdf files ghosting to white with a new filename… it attacked my desktop first then it wormed its way into folders one file at a time every few seconds , ” he said . “ I ’ ve no idea how the malware was introduced as we use software that ’ s designed to prevent against such attacks . “ And the demand for payment Attack.Ransom seemed very professional : I was given links where I could buy Bitcoins and even offered the chance to decrypt one file for free . “ I unplugged my computer , isolated it from the internet , and ran some anti-malware software to stop the virus spreading further. ” Latest figures from the Crime Survey for England & Wales estimated there were 1.3m computer virus offences and 667,000 hacking related offences committed in the year ending September 2016 . Sergeant Gary Sirrell from the cybercrime team at West Midlands Regional Organised Crime Unit said commercial web attacks are increasingly being committed against smaller firms and not big multi-nationals . “ Small and medium sized companies are easier targets : they often don ’ t have the resources or expertise to protect against cyberattacks , ” he said . “ And if they are targeted , the impact can be devastating . “ But there are steps business owners can take to mitigate the risk . “ A really effective tactic involves ‘ layering ’ defences to include a firewall , anti-malware software , staff training and regular re-training ) around phishing email awareness , and finally to plug Vulnerability-related.PatchVulnerability any holes in your defences by updating Vulnerability-related.PatchVulnerability software patches and updates Vulnerability-related.PatchVulnerability in a timely manner . “ By exercising good cyber hygiene , and having a strong backup policy , Stuart avoided the dilemma of whether to see his business significantly damaged , or to have to hand over a ransom Attack.Ransom to organised crime gangs to get his data unlocked . “ If more businesses in the West Midlands proactively took such steps there would be significantly fewer crimes victims . ”

A flaw in unpatched versions of Window 10 could leave machines vulnerable Vulnerability-related.DiscoverVulnerability to EternalBlue , the remote kernel exploit behind the recent WannaCry ransomware attack Attack.Ransom . WannaCry targeted a Server Message Block ( SMB ) critical vulnerability that Microsoft patched Vulnerability-related.PatchVulnerability with MS17-010 on March 14 , 2017 . While WannaCry damage Attack.Ransom was mostly limited to machines running Windows 7 , a different version of EternalBlue could infect Windows 10 . Researchers at RiskSense stripped the original leaked version of EternalBlue down to its essential components and deemed parts of the data unnecessary for exploitation . They found they could bypass detection rules recommended by governments and antivirus vendors , says RiskSense senior security researcher Sean Dillon . This version of EternalBlue , an exploit initially released by Shadow Brokers earlier this year , does not use the DoublePulsar payload common among other exploits leaked by the hacker group . DoublePulsar was the main implant used in WannaCry Attack.Ransom and a key focus for defenders . `` That backdoor is unnecessary , '' says Dillon , noting how it 's dangerous for businesses to only focus on DoublePulsar malware . `` This exploit could directly load malware onto the system without needing to install the backdoor . '' EternalBlue gives instant un-credentialed remote access to Windows machines without the MS17-010 patch update . While it 's difficult to port EternalBlue to additional versions of Windows , it 's not impossible . Unpatched Windows 10 machines are at risk , despite the fact that Microsoft 's newest OS receives exploit mitigations that earlier versions do n't . The slimmed-down EternalBlue can be ported to unpatched versions of Windows 10 and deliver stealthier payloads . An advanced malware would be able to target any Windows machine , broadening the spread of an attack like WannaCry , Dillon explains . It 's worth noting WannaCry was a blatant , obvious attack , he says , and other types of malware , like banking spyware and bitcoin miners , could more easily fly under the radar . `` These can infect a network and you wo n't know about it until years later , '' he says . `` It 's a threat to organizations that have been targets , like governments and corporations . Attackers may try to get onto these networks and lay dormant … then steal Attack.Databreach intellectual property or cause other damage . '' Dillon emphasizes the importance of updating Vulnerability-related.PatchVulnerability to the latest version of Windows 10 , but says patching Vulnerability-related.PatchVulnerability alone wo n't give complete protection from this kind of threat . Businesses with SMB facing the Internet should also put up firewalls , and set up VPN access for users who need external access to the internal network . Businesses should have a good inventory of software and devices on their networks , along with processes for identifying and deploying Vulnerability-related.PatchVulnerability patches as they are released Vulnerability-related.PatchVulnerability , says Craig Young , computer security researcher for Tripwire 's Vulnerability and Exposures Research Team ( VERT ) . This will become even more critical as attackers move quickly from patch to exploit . There will always be a window of opportunity for attackers before the right patches are installed Vulnerability-related.PatchVulnerability , Young notes . EternalBlue is a `` very fresh vulnerability '' given that most breaches that use exploits leverage flaws that have been publicly known Vulnerability-related.DiscoverVulnerability for an average of two years or more . `` EternalBlue is a particularly reliable exploit that gives access to execute code at the very highest privilege level , so I would expect that hackers and penetration testers will get a lot of use out of it for years to come , '' he says .