It has not been a good week for PDF programs . We had an Adobe Acrobat & Reader update released Vulnerability-related.PatchVulnerability yesterday that fixed Vulnerability-related.PatchVulnerability 86 vulnerabilities , including numerous critical ones . Not to be beaten , an update for Foxit PDF Reader and Foxit PhantomPDF was released Vulnerability-related.PatchVulnerability last Friday that fixes Vulnerability-related.PatchVulnerability a whopping 116 vulnerabilities , with 18 of them being discovered Vulnerability-related.DiscoverVulnerability by the Cisco Talos group . All of the 18 vulnerabilities found Vulnerability-related.DiscoverVulnerability by Cisco Talos , as well as many others fixed Vulnerability-related.PatchVulnerability by this update , are labeled as critical because they could lead to code execution . This would allow attackers to create Attack.Phishing specially crafted web pages or PDFs that could exploit these vulnerabilities to execute commands or install malware on vulnerable computers . Of the 18 vulnerabilities disclosed Vulnerability-related.DiscoverVulnerability by Cisco , 12 of them could be exploited Vulnerability-related.DiscoverVulnerability simply by visiting a web site when the Foxit PDF browser plugin is enabled . Foxit suggests that all users of Foxit PDF Reader and Foxit PhantomPDF upgrade Vulnerability-related.PatchVulnerability to version 9.3 to resolve Vulnerability-related.PatchVulnerability these vulnerabilities . Foxit PDF Reader 9.3 can be downloaded here and Foxit PhantomPDF can be downloaded here . It is strongly suggested that all users install this update . The full list of patched vulnerabilities is below and more information about who discovered Vulnerability-related.DiscoverVulnerability the vulnerabilities can be found Vulnerability-related.DiscoverVulnerability in Foxit 's security bulletin .

A few days ago , Microsoft issued Vulnerability-related.PatchVulnerability an emergency patch for Internet Explorer to fix Vulnerability-related.PatchVulnerability a zero-day vulnerability in the web browser . The problem affects Vulnerability-related.DiscoverVulnerability versions of Internet Explorer from 9 to 11 across multiple versions of Windows , but it seems that the patch has been causing problems for many people . Specifically , people with some Lenovo laptops have found that after installing Vulnerability-related.PatchVulnerability the KB4467691 patch they are unable to start Windows . When the patch was released Vulnerability-related.PatchVulnerability , it was known that there were a few issues with older versions of Windows 10 -- for example , problems with the .NET framework , and with web links in the Start menu . But since the initial release , Microsoft has updated Vulnerability-related.PatchVulnerability the patch page to indicate Vulnerability-related.DiscoverVulnerability a further potential problem with some Lenovo laptops : After installing KB4467691 , Windows may fail to startup on certain Lenovo laptops that have less than 8 GB of RAM . The company goes on to suggest a couple of possible workarounds for those running into issues : Restart the affected machine using the Unified Extensible Firmware Interface ( UEFI ) . Disable Secure Boot and then restart . If BitLocker is enabled on your machine , you may have to go through BitLocker recovery after Secure Boot has been disabled . Microsoft says that it is `` working with Lenovo and will provide Vulnerability-related.PatchVulnerability an update in an upcoming release '' .

A privilege escalation flaw in McAfee 's True Key software remains open to exploitation despite multiple attempts to patch Vulnerability-related.PatchVulnerability it . This according to researchers with security shop Exodus Intel , who claim Vulnerability-related.DiscoverVulnerability that CVE-2018-6661 was not fully addressed Vulnerability-related.PatchVulnerability with either of the two patches McAfee released Vulnerability-related.PatchVulnerability for it . The flaw is an elevation of privilege issue in McAfee 's TrueKey password manager . An exploit can be carried out on a guest account by side-loading a specially-crafted DLL into True Key that would then allow for commands and code to be executed with system-level privileges . McAfee 's summary of the flaw , published Vulnerability-related.DiscoverVulnerability on March 30 , lists it as a 'high ' severity issue that was patched Vulnerability-related.PatchVulnerability in version 4.20.110 - which was released Vulnerability-related.PatchVulnerability in April . Exodus says that the April release did n't fully fix Vulnerability-related.PatchVulnerability the bug , however . The researchers explain that McAfee 's patch only addresses Vulnerability-related.PatchVulnerability one of the libraries ( SDKLibAdapter ) that would allow the attack to take place , with another DLL ( NLog logging library ) being left vulnerable Vulnerability-related.DiscoverVulnerability to the same side-loading tactic . `` The patch is incomplete because it overlooks this and hence the nlog.dll can be utilized to allow arbitrary code execution just as the McAfee.TrueKey.SDKLibAdapter.dll could be used in versions prior to the patch , '' Exodus researchers Omar El-Domeiri and Gaurav Baruah said . `` Furthermore , any other McAfee signed binary can be used to exploit the vulnerability as long as the binary depends on a DLL outside the list of known DLLs . '' Exodus said Vulnerability-related.DiscoverVulnerability that it notified Vulnerability-related.DiscoverVulnerability McAfee of the issue back in August , prompting Vulnerability-related.PatchVulnerability a second patch that , unfortunately , also failed to fully remedy Vulnerability-related.PatchVulnerability the issue . `` However , we tested the latest version available ( 5.1.173.1 as of September 7th , 2018 ) and found Vulnerability-related.DiscoverVulnerability that it remains vulnerable Vulnerability-related.DiscoverVulnerability requiring no changes to our exploit . '' To its credit , McAfee acknowledged Vulnerability-related.DiscoverVulnerability the issue and said it is still working to fully resolve Vulnerability-related.PatchVulnerability the flaw . `` McAfee has been working with the researchers to confirm Vulnerability-related.DiscoverVulnerability their findings , and has provided customers mitigation guidance to allow them to protect themselves until the company can address Vulnerability-related.PatchVulnerability the reported issues via automatic product updates , '' McAfee told The Register . In the meantime , McAfee says customers can use the True Key browser extension ( which is not subject to the DLL vulnerability ) rather than the Windows application .

Microsoft 's new Outlook 2010 update ought to provide Vulnerability-related.PatchVulnerability the critical security fixes without the crashes . Microsoft has released Vulnerability-related.PatchVulnerability a new update for Outlook 2010 that should plug Vulnerability-related.PatchVulnerability its critical security flaws without causing crashes . Microsoft earlier this week warned that the 64-bit version of the security update KB 4461529 from its November Patch Tuesday was causing Outlook 2010 crashes . Despite the crashes , Microsoft warned users not to remove the update , which plugged Vulnerability-related.PatchVulnerability four remote code execution flaws that it said were more likely be exploited Vulnerability-related.DiscoverVulnerability . Until a new update was released Vulnerability-related.PatchVulnerability Microsoft recommended users try Outlook Web Access instead . As spotted by Woody Leonhard , Microsoft this week released Vulnerability-related.PatchVulnerability KB 4461585 for Outlook 2010 , which includes patches for the four flaws and should n't trigger crashes . Microsoft confirmed it does fix Vulnerability-related.PatchVulnerability the crash issues caused by KB 4461529 . The fixed update can be downloaded Vulnerability-related.PatchVulnerability from Microsoft 's download center and not the Microsoft Update Catalog . Microsoft cautions the update is only for the .msi edition of Office 2010 and not for Office 365 Home . `` Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer ( .msi ) -based edition of Office 2010 . It does n't apply to the Office 2010 Click-to-Run editions , such as Microsoft Office 365 Home , '' Microsoft notes . Microsoft has set out instructions for checking which edition you have in a blogpost . There are no further updates available Vulnerability-related.PatchVulnerability for the Outlook 2010 non-security updates KB4461522 and KB2863821 , which Microsoft pulled on Vulnerability-related.PatchVulnerability November 15 because they were causing crashes in Access and other apps . Microsoft recommended users uninstall both the updates .

A bug in the way that Mobile Safari handles pop-up dialogs has been abused to scare iOS users into paying a “fine” Attack.Ransom in the form of an iTunes pre-paid card . “ This attack was initially reported to Lookout ’ s Support desk by one of our users running iOS 10.2 . “ The user provided a screenshot showing a ransomware message from pay-police [ . ] com , with an overlaid ‘ Can not Open Page ’ dialog from Safari . Each time he tapped ‘ OK ’ he would be prompted to tap ‘ OK ’ again , effectively putting the browser into an infinite loop of dialog prompts that prevented him from using the browser ” . The scammers have purchased a large number of different domains , and equipped them with obfuscated JavaScript code that would trigger the bug in Mobile Safari . The intended targets were mostly from English-speaking countries : the US , the UK , Ireland , Australia and New Zealand . The attack was contained within Safari ’ s sandbox , so the victims ’ devices were not actually compromised.The attackers banked on users ’ fear and shame to pull the scam off . Lookout notified Apple of the attack , and the iThings manufacturer fixed Vulnerability-related.PatchVulnerability the abused flaw in iOS 10.3 , which was released Vulnerability-related.PatchVulnerability on Monday . “ The pop-up window error dialog on newer versions of iOS is actually the result of Mobile Safari not being able to find a local URL lookup , so it fails , but keeps presenting the dialog message due to the infinite loop in the code , ” the researchers explained . “ The attack , based on its code , seems to have been developed for older versions of iOS , such as iOS 8 . However , the abuse of pop-ups in Mobile Safari was still possible until iOS 10.3 ” . With the new iOS version , these pop-ups won ’ t be locking the entire browser , but just that one tab , which can be simply closed and the user can continue using the browser like nothing happened . Users are advised to update their iOS-running iThings to version 10.3 to close up this particular attack vector

In a string of attacks that have escalated over the past 48 hours , hackers are actively exploiting a critical vulnerability that allows them to take almost complete control of Web servers used by banks , government agencies , and large Internet companies . The code-execution bug resides in Vulnerability-related.DiscoverVulnerability the Apache Struts 2 Web application framework and is trivial to exploit . Although maintainers of the open source project patched Vulnerability-related.PatchVulnerability the vulnerability on Monday , it remains under attack by hackers who are exploiting it to inject commands of their choice into Struts servers that have yet to install the update , researchers are warning Vulnerability-related.DiscoverVulnerability . Making matters worse , at least two working exploits are publicly available . `` We have dedicated hours to reporting to companies , governments , manufacturers , and even individuals to patch Vulnerability-related.PatchVulnerability and correct the vulnerability as soon as possible , but the exploit has already jumped to the big pages of 'advisories , ' and massive attempts to exploit the Internet have already been observed . '' Researchers at Cisco Systems said they are seeing a `` high number of exploitation events '' by hackers attempting to carry out a variety of malicious acts . One series of commands that attackers are injecting into webpages stops the firewall protecting the server and then downloads and executes malware of the attacker 's choice . The payloads include `` IRC bouncers , '' which allow the attackers to hide their real IP address during Internet chats ; denial-of-service bots ; and various other packages that conscript a server into a botnet . `` These are several of the many examples of attacks we are currently observing and blocking , '' Cisco 's Nick Biasini wrote . `` They fall into two broad categories : probing and malware distribution . The payloads being delivered vary considerably , and to their credit , many of the sites have already been taken down and the payloads are no longer available . '' The vulnerability resides in Vulnerability-related.DiscoverVulnerability what 's known as the Jakarta file upload multipart parser , which according to official Apache Struts 2 documentation is a standard part of the framework and needs only a supporting library to function . Apache Struts versions affected by Vulnerability-related.DiscoverVulnerability the vulnerability include Struts 2.3.5 through 2.3.31 , and 2.5 through 2.5.10 . Servers running any of these versions should upgrade to Vulnerability-related.PatchVulnerability 2.3.32 or 2.5.10.1 immediately . It 's not clear why the vulnerability is being exploited Vulnerability-related.DiscoverVulnerability so widely 48 hours after a patch was released Vulnerability-related.PatchVulnerability . One possibility is that the Apache Struts maintainers did n't adequately communicate the risk . Although they categorize Vulnerability-related.DiscoverVulnerability the vulnerability security rating as high , they also describe Vulnerability-related.DiscoverVulnerability it as posing a `` possible remote code execution '' risk . Outside researchers , meanwhile , have said the exploits are trivial to carry out , are highly reliable , and require no authentication . It 's also easy to scan the Internet for vulnerable servers . It 's also possible to exploit the bug even if a Web application does n't implement file upload functionality . Update 3/9/2017 10:07 California time : In a comment to this post , Ars Technology Editor Peter Bright provides Vulnerability-related.PatchVulnerability a much more plausible explanation for the delay in patching Vulnerability-related.PatchVulnerability this highly critical vulnerability . Most bug fixes Vulnerability-related.PatchVulnerability , he pointed out , require downloading and installing a patch , possibly rebooting a machine , and being done with it .