Google disclosed Vulnerability-related.DiscoverVulnerability a flaw in Microsoft Edge earlier this week , after Microsoft failed to patch Vulnerability-related.PatchVulnerability the bug in time . Now Google ’ s Project Zero team of security researchers are disclosing Vulnerability-related.DiscoverVulnerability yet another Windows 10 security flaw that Microsoft has again failed to patch Vulnerability-related.PatchVulnerability before Google ’ s imposed 90-day period . Neowin spotted that Google reported Vulnerability-related.DiscoverVulnerability two bugs to Microsoft in November , but the company only addressed Vulnerability-related.PatchVulnerability one of them with its recent Patch Tuesday fixes . The latest unpatched issue is an Elevation of Privilege which allows a normal user to gain administrator privileges on a system . Microsoft has rated Vulnerability-related.DiscoverVulnerability the flaw as “ important , ” but not “ critical ” as it can ’ t be exploited Vulnerability-related.DiscoverVulnerability remotely . It ’ s still an important issue to fix Vulnerability-related.PatchVulnerability , as an attacker could potentially combine this with a separate unknown remote code execution to gain administrator access , although that ’ s an unlikely scenario unless Microsoft doesn ’ t address Vulnerability-related.PatchVulnerability it promptly . It ’ s not clear when Microsoft intends to address Vulnerability-related.PatchVulnerability the latest security flaw in Windows 10 , and the company still needs to solve Vulnerability-related.PatchVulnerability the Edge vulnerability that was disclosed Vulnerability-related.DiscoverVulnerability by Google earlier this week . Microsoft hit back at Google ’ s approach to security patches last year , after discovering Vulnerability-related.DiscoverVulnerability a Chrome flaw and “responsibly” disclosed Vulnerability-related.DiscoverVulnerability it to Google so the company had enough time to patch Vulnerability-related.PatchVulnerability . Google ’ s policy to disclose after 90 days without a patch is often criticized and applauded in equal measure . There ’ s plenty of evidence to suggest security vulnerabilities are increasing in Windows and across the industry , and Microsoft has clearly struggled to fix Vulnerability-related.PatchVulnerability these two issues with plenty of notice . It can also be argued that Google is making rival software more secure with its efforts , making everyone ’ s software secure . However , Google also has competitive commercial interests , and Project Zero has been unusually aggressive in finding and publishing new vulnerabilities . Reports suggest Google ’ s Project Zero security team originated from the fallout around the 2009 Google hack , an intrusion blamed on an unpatched flaw in Microsoft ’ s Internet Explorer 6 browser . Google makes exceptions to its strict rules , with grace periods , and can even disclose Vulnerability-related.DiscoverVulnerability much sooner if the vulnerability is being actively exploited Vulnerability-related.DiscoverVulnerability . Google disclosed Vulnerability-related.DiscoverVulnerability a major Windows bug back in 2016 just 10 days after reporting Vulnerability-related.DiscoverVulnerability it to Microsoft , and the company has revealed Vulnerability-related.DiscoverVulnerability zero-day bugs in Windows in the past before patches are available Vulnerability-related.PatchVulnerability .

A vulnerability in some versions of the Oracle Solaris enterprise OS could allow attackers to edit code in the memory and exploit Vulnerability-related.DiscoverVulnerability it to gain full root control over a machine . The privilege escalation vulnerability -- now patched Vulnerability-related.PatchVulnerability -- is present in Vulnerability-related.DiscoverVulnerability current versions of Oracle Solaris 10 and 11 running Sun StorageTek Availability Suite ( AVS ) for the filesystem and could be used to access to a low-level user or service account and , from there , gain complete root access to the system . The memory corruption bug has been uncovered and detailed Vulnerability-related.DiscoverVulnerability by researchers at Trustwave -- and its origins go all the way back to 2007 . The original issue was disclosed Vulnerability-related.DiscoverVulnerability in 2009 and apparently fixed Vulnerability-related.PatchVulnerability , but researchers revisited Vulnerability-related.DiscoverVulnerability the code this year only to find Vulnerability-related.DiscoverVulnerability the fix was partial and loopholes still allowed the execution of malicious code . The origins of the exploit , CVE-2018-2892 , lie in Vulnerability-related.DiscoverVulnerability one small fragment of code which contains a number of separate vulnerabilities around the dereferencing pointer , the means of getting values stored in a specific memory location . `` Attackers can exploit Vulnerability-related.DiscoverVulnerability this vulnerability to take access to a low-level user or service account and gain complete root access to the entire system , '' Neil Kettle , application security principal consultant at SpiderLabs at Trustwave , told Vulnerability-related.DiscoverVulnerability ZDNet . An attacker exploiting this vulnerability would need direct access to a user or service account . `` This can be obtained by targeting users with social engineering attacks or by exploiting vulnerabilities in existing services . Once the attacker has access to any account , this vulnerability can be very easily exploited Vulnerability-related.DiscoverVulnerability to gain complete root control over the system , '' said Vulnerability-related.DiscoverVulnerability Kettle . While the original 2007 vulnerability has probably been used in the wild , there 's no confirmation that the new exploit has been used to conduct an attack . Nonetheless , Trustwave disclosed the discovery Vulnerability-related.DiscoverVulnerability to Oracle , which has delivered Vulnerability-related.PatchVulnerability a patch to fix Vulnerability-related.PatchVulnerability the loophole .

Yesterday , on Microsoft ’ s Patch Tuesday the company released Vulnerability-related.PatchVulnerability its monthly security patches that fixed Vulnerability-related.PatchVulnerability 62 security flaws . These fixes also included a fix for a zero-day vulnerability that was under active exploitation before these patches were made available Vulnerability-related.PatchVulnerability . Microsoft also announced the re-release of its Windows 10 version 1809 and Windows Server 2019 . Microsoft credited Kaspersky Lab researchers for discovering Vulnerability-related.DiscoverVulnerability this zero-day , which is also known as Vulnerability-related.DiscoverVulnerability CVE-2018-8589 and impacts Vulnerability-related.DiscoverVulnerability the Windows Win32k component . A Kaspersky spokesperson told ZDNet , “ they discovered Vulnerability-related.DiscoverVulnerability the zero-day being exploited Vulnerability-related.DiscoverVulnerability by multiple cyber-espionage groups ( APTs ) . ” The zero-day had been used to elevate privileges on 32-bit Windows 7 versions . This is the second Windows elevation of privilege zero-day patched Vulnerability-related.PatchVulnerability by Microsoft discovered Vulnerability-related.DiscoverVulnerability by Kaspersky researchers . Last month , Microsoft patched Vulnerability-related.PatchVulnerability CVE-2018-8453 , another zero-day that had been used by a state-backed cyber-espionage group known as FruityArmor . However , in this month ’ s Patch Tuesday , Microsoft has not patched Vulnerability-related.PatchVulnerability a zero-day that is affecting Vulnerability-related.DiscoverVulnerability the Windows Data Sharing Service ( dssvc.dll ) . This zero-day was disclosed Vulnerability-related.DiscoverVulnerability on Twitter at the end of October . According to ZDNet , “ Microsoft has published this month a security advisory to instruct users on how to properly configure BitLocker when used together with solid-state drives ( SSDs ) . ” As reported by Microsoft , the Windows 10 October 2018 update caused user ’ s data loss post updating . Due to this , the company decided to pause the update . However , yesterday , Microsoft announced that it is re-releasing Windows 10 version 1809 . John Cable , the director of Program Management for Windows Servicing and Delivery at Microsoft said , “ the data-destroying bug that triggered that unprecedented decision , as well as other quality issues that emerged during the unscheduled hiatus , have been thoroughly investigated and resolved. ” Microsoft also announced the re-release of Windows Server 2019 , which was affected Vulnerability-related.DiscoverVulnerability by the same issue . According to ZDNet , “ The first step in the re-release is to restore the installation files to its Windows 10 Download page so that “ seekers ” ( the Microsoft term for advanced users who go out of their way to install a new Windows version ) can use the ISO files to upgrade PCs running older Windows 10 versions. ” Michael Fortin , Windows Corporate Vice President , in a blog post , offered some context behind the recent issues and announced changes to the way the company approaches communications and also the transparency around their process . Per Fortin , “ We obsess over these metrics as we strive to improve product quality , comparing current quality levels across a variety of metrics to historical trends and digging into any anomaly. ” To know more about this in detail , visit Microsoft ’ s official blog post .

Cisco 's Talos says they 've observed Vulnerability-related.DiscoverVulnerability active attacks against a Zero-Day vulnerability in Apache 's Struts , a popular Java application framework . Cisco started investigating Vulnerability-related.DiscoverVulnerability the vulnerability shortly after it was disclosed Vulnerability-related.DiscoverVulnerability , and found Vulnerability-related.DiscoverVulnerability a number of active attacks . In an advisory issued on Monday , Apache says Vulnerability-related.DiscoverVulnerability the problem with Struts exists within the Jakarta Multipart parser . `` It is possible to perform a RCE attack with a malicious Content-Type value . If the Content-Type value is n't valid an exception is thrown which is then used to display an error message to a user , '' the warning explained . `` If you are using Jakarta based file upload Multipart parser , upgrade Vulnerability-related.PatchVulnerability to Apache Struts version 2.3.32 or 2.5.10.1 . You can also switch to a different implementation of the Multipart parser . '' The alternative is the Pell parser plugin , which uses Jason Pell 's multipart parser instead of the Common-FileUpload library , Apache explains . In addition , administrators concerned about the issue could just apply the proper updates , which are currently available Vulnerability-related.PatchVulnerability . In a blog post , Cisco said they discovered a number of attacks that seem to be leveraging a publicly released proof-of-concept to run various commands . Such commands include simple ones ( 'whoami ' ) as well as more sophisticated ones , including pulling down malicious ELF executable and running it . An example of one attack , which attempts to copy the file to a harmless directory , ensure the executable runs , and that the firewall is disabled is boot-up , is below : Both Cisco and Apache urge administrators to take action , either by patching Vulnerability-related.PatchVulnerability or ensuring their systems are not vulnerable . This is n't the first time the Struts platform has come under attack . In 2013 , Chinese hackers were using an automated tool to exploit known vulnerabilities in order to install a backdoor .