PureVPN has had two vulnerabilities which would allow hackers to retrieve stored passwords through the VPN client . This was confirmed Vulnerability-related.DiscoverVulnerability by Trustwave ’ s security researcher Manuel Nader , and the VPN provider itself . One of the two vulnerabilities were fixed Vulnerability-related.PatchVulnerability in the meantime , while the other one remains active , and PureVPN has , according to Nader , “ accepted the risk ” . The vulnerability that was patched Vulnerability-related.PatchVulnerability saw saved passwords stored in plaintext , on this location : ' C : \ProgramData\purevpn\config\login.conf All users have had the chance to access and read the file by simply opening it through the CMD . This vulnerability has been patched Vulnerability-related.PatchVulnerability in the version 6.1.0. and whoever uses PureVPN is strongly advised to update to the latest version , as soon as possible . The second vulnerability is the one that remains open , and the company has decided to ‘ accept the risk Vulnerability-related.DiscoverVulnerability ’ . So basically , you ’ d need to open the Windows client , open Configuration , User Profile , and click on ‘ Show Password ’ . A spokesperson for PureVPN sent us the following statement . `` This is not a vulnerability rather a feature that we deployed for ease of our users . Back in April 2018 , when Trustwave reported it to us , we assessed the risk , and found it minimally due to how our systems are designed . Our systems work a bit different than most of the other VPN providers . For enhanced security , we use separate passwords for Member Area and VPN access . Member Area password which is more privileged is not shown in apps , it 's the VPN access password that is the subject of this feature . Furthermore , by default , our VPN passwords are system generated and not set by users . This curtails the risk of users using the same password for VPN accounts that they use for their sensitive accounts elsewhere on the Internet . On the other hand , this enhanced security design proved a little difficult for quite a few of our users and hence we offered a way for them to easily retrieve their VPN password . For now the community has raised concerns and is confusing it as a vulnerability , we have temporarily removed the feature and released Vulnerability-related.PatchVulnerability a newer version 6.2.2 . To those users of our who pretty much use this feature to retrieve the separate password for VPN we would like to inform that we plan to redesign the future , keeping these concerns in mind , and release it back in our November 2018 release . We use Bugcrowd , a public Bug Bounty Program that employees some 90,000 ethical hackers to test our product . We remain in heavy collaboration with the InfoSec community and hence have such aggressive and streamlined processes in place to have released Vulnerability-related.PatchVulnerability the new version 6.2.2 within a few hours only . '' Those interested in learning more about VPNs and how they help improve your online privacy , make sure to read our Best VPN article .

Apple has issued Vulnerability-related.PatchVulnerability an update to fix Vulnerability-related.PatchVulnerability a number of issues in macOS Mojave leading to arbitrary code execution , the ability to read restricted memory and access local users Apple IDs among others . All were patched Vulnerability-related.PatchVulnerability with the release of macOS Mojave 10.14 on Sept 24. applePatchapplePatch The first issue , CVE-2018-5383 , impacted Vulnerability-related.DiscoverVulnerability a number of iMac , MacBook Air , Mac Pro and Mac mini server products . An input validation issue existed in Vulnerability-related.DiscoverVulnerability Bluetooth was fixed Vulnerability-related.PatchVulnerability that could have allowed an attacker in a privileged network position to intercept Bluetooth traffic . The App Store also patched Vulnerability-related.PatchVulnerability CVE-2018-4324 , an issue in the handling of Apple ID that could have been exploited Vulnerability-related.DiscoverVulnerability by a malicious application that would expose the Apple ID of the computer ’ s owner . Also , a validation issue that could expose Apple IDs was in Auto Unlock that was patched Vulnerability-related.PatchVulnerability with improved validation of the process entitlement . CVE-2018-4353 impacted Vulnerability-related.DiscoverVulnerability the application firewall where a sandboxed process may be able to circumvent sandbox restrictions , but this was addressed Vulnerability-related.PatchVulnerability by adding additional restrictions . In Crash Reporter a validation issue , CVE-2018-4333 , was addressed Vulnerability-related.PatchVulnerability that if exploited Vulnerability-related.DiscoverVulnerability would allow a malicious application to read restricted memory . Two Kernel problems were fixed Vulnerability-related.PatchVulnerability , CVE-2018-4336 and CVE-2018-4344 , that could let an application may be able to execute arbitrary code with kernel privileges . The final problem , CVE-2016-1777 , effected Security where an attacker could exploit a weaknesses in the RC4 cryptographic algorithm and was fixed Vulnerability-related.PatchVulnerability by removing RC4 .

Oracle has released Vulnerability-related.PatchVulnerability a critical patch update addressing Vulnerability-related.PatchVulnerability more than 300 vulnerabilities across several of its products – including one flaw with a CVSS 3.0 score of 10 that could allow the takeover of the company ’ s software package , Oracle GoldenGate . Of the 301 security flaws that were fixed Vulnerability-related.PatchVulnerability in this month ’ s Oracle patch , 45 had a severity rating of 9.8 on the CVSS scale . “ Due to the threat posed by a successful attack , Oracle strongly recommends that customers apply Vulnerability-related.PatchVulnerability Critical Patch Update fixes as soon as possible , ” the company said in its Tuesday advisory . The highest-severity flaw ( CVE-2018-2913 ) lies in Vulnerability-related.DiscoverVulnerability the Monitoring Manager component of Oracle GoldenGate , which is the company ’ s comprehensive software package that allows data to be replicated in heterogeneous data environments . According to the National Vulnerability Database , the glitch is an easily exploitable vulnerability that allows unauthenticated attacker with network access via the TCP protocol to compromise Oracle GoldenGate . The flaw was discovered Vulnerability-related.DiscoverVulnerability by Jacob Baines , a researcher with Tenable . “ CVE-2018-2913 is a stack buffer overflow in GoldenGate Manager , ” Baines told Vulnerability-related.DiscoverVulnerability Threatpost . “ The Manager listens on port 7809 where it accepts GoldenGate Software Command Interface ( GGSCI ) commands . Tenable found that a remote unauthenticated attacker can trigger a stack buffer overflow by sending a GGSCI command that is longer than expected. ” The attack is not complex and a bad actor could be remote and unauthenticated . Making matters worse , an attacker could compromise other products after initially attacking GoldenGate , the advisory warned . “ While the vulnerability is in Oracle GoldenGate , attacks may significantly impact additional products , ” the note said Vulnerability-related.DiscoverVulnerability . “ Successful attacks of this vulnerability can result in takeover of Oracle GoldenGate. ” The flaw impacts Vulnerability-related.DiscoverVulnerability versions 12.1.2.1.0 , 12.2.0.2.0 , and 12.3.0.1.0 in Oracle GoldenGate . Currently no working exploits for the flaw have been discovered Vulnerability-related.DiscoverVulnerability in the wild , according to the release . It should be noted that For Linux and Windows platforms , the flaw ’ s CVSS score is 9.0 because the access complexity is lower ( only rated high , not critical ) ; while for all other platforms , the CVSS score is a critical 10 . Two other flaws were also discovered Vulnerability-related.DiscoverVulnerability in Oracle GoldenGate ( CVE-2018-2912 and CVE-2018-2914 ) , with ratings of 7.5 on the CVSS scale ; those vulnerabilities weren ’ t nearly as severe . “ All of these vulnerabilities may be remotely exploitable without authentication , i.e. , may be exploited Vulnerability-related.DiscoverVulnerability over a network without requiring user credentials . ”

Thousands , if not more , Jenkins servers are vulnerable Vulnerability-related.DiscoverVulnerability to data theft , takeover , and cryptocurrency mining attacks . This is because hackers can exploit two vulnerabilities to gain admin rights or log in using invalid credentials on these servers . Both vulnerabilities were discovered Vulnerability-related.DiscoverVulnerability by security researchers from CyberArk , were privately reported Vulnerability-related.DiscoverVulnerability to the Jenkins team , and received Vulnerability-related.PatchVulnerability fixes over the summer . But despite patches for both issues , there are still thousands of Jenkins servers available Vulnerability-related.PatchVulnerability online . Jenkins is a web application for continuous integration built in Java that allows development teams to run automated tests and commands on code repositories based on test results , and even automate the process of deploying new code to production servers . Jenkins is a popular component in many companies ' IT infrastructure and these servers are very popular with both freelancers and enterprises alike . Over the summer , CyberArk researchers discovered Vulnerability-related.DiscoverVulnerability a vulnerability ( tracked as Vulnerability-related.DiscoverVulnerability CVE-2018-1999001 ) that allows an attacker to provide malformed login credentials that cause Jenkins servers to move their config.xml file from the Jenkins home directory to another location . If an attacker can cause the Jenkins server to crash and restart , or if he waits for the server to restart on its own , the Jenkins server then boots in a default configuration that features no security . In this weakened setup , anyone can register on the Jenkins server and gain administrator access . With an administrator role in hand , an attacker can access private corporate source code , or even make code modifications to plant backdoors in a company 's apps . This lone issue would have been quite bad on its own , but CyberArk researchers also discovered Vulnerability-related.DiscoverVulnerability a second Jenkins vulnerability -- CVE-2018-1999043 . This second bug , they said Vulnerability-related.DiscoverVulnerability , allowed an attacker to create ephemeral user records in the server 's memory , allowing an attacker a short period when they could authenticate using ghost usernames and credentials . Both vulnerabilities were fixed Vulnerability-related.PatchVulnerability , the first in July and the second in August , but as we 've gotten accustomed to in the past few years of covering security flaws , not all server owners have bothered to install these security updates .

Google 's Project Zero has again called Apple out for silently patching Vulnerability-related.PatchVulnerability flaws . Apple has secretly patched Vulnerability-related.PatchVulnerability a bunch of high-severity bugs reported Vulnerability-related.DiscoverVulnerability to it by Google 's Project Zero researchers . The move has resulted in Google 's Project Zero once again calling Apple out for fixing Vulnerability-related.PatchVulnerability iOS and macOS security flaws without documenting them in public security advisories . While it 's good news that Apple beat Project Zero 's 90-day deadline for patching Vulnerability-related.PatchVulnerability or disclosing Vulnerability-related.DiscoverVulnerability the bugs it finds Vulnerability-related.DiscoverVulnerability , the group 's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed . This time the criticism comes from Project Zero 's Ian Beer , who 's been credited by Apple with finding Vulnerability-related.DiscoverVulnerability dozens of serious security flaws in iOS and macOS over the years . Beer posted Vulnerability-related.DiscoverVulnerability a blog about several vulnerabilities in iOS 7 he found Vulnerability-related.DiscoverVulnerability in 2014 that share commonalities with several bugs he has found Vulnerability-related.DiscoverVulnerability in iOS 11.4.1 , some of which he 's now released exploits for . Beer notes Vulnerability-related.DiscoverVulnerability that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix Vulnerability-related.PatchVulnerability them . The absence of information about them is a `` disincentive '' for iOS users to patch Vulnerability-related.PatchVulnerability , Beer argues . `` Apple are still yet to assign CVEs Vulnerability-related.DiscoverVulnerability for these issues or publicly acknowledge that they were fixed Vulnerability-related.PatchVulnerability in iOS 12 , '' wrote Beer . `` In my opinion a security bulletin should mention the security bugs that were fixed Vulnerability-related.PatchVulnerability . Not doing so provides a disincentive for people to update Vulnerability-related.PatchVulnerability their devices since it appears that there were fewer security fixes than there really were . '' In other instances , such as one macOS bug Beer reported Vulnerability-related.DiscoverVulnerability , Apple did actually assign a CVE Vulnerability-related.DiscoverVulnerability , but it still hasn't updated Vulnerability-related.PatchVulnerability the relevant security bulletin to reflect the fix . Apple similarly allocated Vulnerability-related.DiscoverVulnerability CVE-2018-4337 to another high-severity iOS bug , which was fixed Vulnerability-related.PatchVulnerability in iOS 12 , but is n't currently acknowledged Vulnerability-related.DiscoverVulnerability in the iOS 12 security bulletin . In another case , Apple fixed Vulnerability-related.PatchVulnerability a bug that affected Vulnerability-related.DiscoverVulnerability iOS and macOS but didn't assign Vulnerability-related.DiscoverVulnerability a CVE or mention it in the security bulletins . Not only may it be a disincentive for end-users to patch Vulnerability-related.PatchVulnerability iPhones and Macs , but Beer also points out Vulnerability-related.DiscoverVulnerability in another bug report that the lack of public acknowledgement Vulnerability-related.DiscoverVulnerability by Apple means he has no way of knowing whether the issue is a duplicate that another researcher may have already found Vulnerability-related.DiscoverVulnerability . As he notes Vulnerability-related.DiscoverVulnerability in the blog , many of the bugs he has found Vulnerability-related.DiscoverVulnerability in iOS are very similar or the same as bugs found Vulnerability-related.DiscoverVulnerability by noted jailbreaking hackers Pangu Team .

Google 's Project Zero has again called Apple out for silently patching Vulnerability-related.PatchVulnerability flaws . Apple has secretly patched Vulnerability-related.PatchVulnerability a bunch of high-severity bugs reported Vulnerability-related.DiscoverVulnerability to it by Google 's Project Zero researchers . The move has resulted in Google 's Project Zero once again calling Apple out for fixing Vulnerability-related.PatchVulnerability iOS and macOS security flaws without documenting them in public security advisories . While it 's good news that Apple beat Project Zero 's 90-day deadline for patching Vulnerability-related.PatchVulnerability or disclosing Vulnerability-related.DiscoverVulnerability the bugs it finds Vulnerability-related.DiscoverVulnerability , the group 's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed . This time the criticism comes from Project Zero 's Ian Beer , who 's been credited by Apple with finding Vulnerability-related.DiscoverVulnerability dozens of serious security flaws in iOS and macOS over the years . Beer posted Vulnerability-related.DiscoverVulnerability a blog about several vulnerabilities in iOS 7 he found Vulnerability-related.DiscoverVulnerability in 2014 that share commonalities with several bugs he has found Vulnerability-related.DiscoverVulnerability in iOS 11.4.1 , some of which he 's now released exploits for . Beer notes Vulnerability-related.DiscoverVulnerability that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix Vulnerability-related.PatchVulnerability them . The absence of information about them is a `` disincentive '' for iOS users to patch Vulnerability-related.PatchVulnerability , Beer argues . `` Apple are still yet to assign CVEs Vulnerability-related.DiscoverVulnerability for these issues or publicly acknowledge that they were fixed Vulnerability-related.PatchVulnerability in iOS 12 , '' wrote Beer . `` In my opinion a security bulletin should mention the security bugs that were fixed Vulnerability-related.PatchVulnerability . Not doing so provides a disincentive for people to update Vulnerability-related.PatchVulnerability their devices since it appears that there were fewer security fixes than there really were . '' In other instances , such as one macOS bug Beer reported Vulnerability-related.DiscoverVulnerability , Apple did actually assign a CVE Vulnerability-related.DiscoverVulnerability , but it still hasn't updated Vulnerability-related.PatchVulnerability the relevant security bulletin to reflect the fix . Apple similarly allocated Vulnerability-related.DiscoverVulnerability CVE-2018-4337 to another high-severity iOS bug , which was fixed Vulnerability-related.PatchVulnerability in iOS 12 , but is n't currently acknowledged Vulnerability-related.DiscoverVulnerability in the iOS 12 security bulletin . In another case , Apple fixed Vulnerability-related.PatchVulnerability a bug that affected Vulnerability-related.DiscoverVulnerability iOS and macOS but didn't assign Vulnerability-related.DiscoverVulnerability a CVE or mention it in the security bulletins . Not only may it be a disincentive for end-users to patch Vulnerability-related.PatchVulnerability iPhones and Macs , but Beer also points out Vulnerability-related.DiscoverVulnerability in another bug report that the lack of public acknowledgement Vulnerability-related.DiscoverVulnerability by Apple means he has no way of knowing whether the issue is a duplicate that another researcher may have already found Vulnerability-related.DiscoverVulnerability . As he notes Vulnerability-related.DiscoverVulnerability in the blog , many of the bugs he has found Vulnerability-related.DiscoverVulnerability in iOS are very similar or the same as bugs found Vulnerability-related.DiscoverVulnerability by noted jailbreaking hackers Pangu Team .

A severe WordPress vulnerability which has been left a year without being patched Vulnerability-related.PatchVulnerability has the potential to disrupt countless websites running the CMS , researchers claim Vulnerability-related.DiscoverVulnerability . At the BSides technical cybersecurity conference in Manchester on Thursday , Secarma researcher Sam Thomas said Vulnerability-related.DiscoverVulnerability the bug permits attackers to exploit the WordPress PHP framework , resulting in a full system compromise . If the domain permits the upload of files , such as image formats , attackers can upload a crafted thumbnail file in order to trigger a file operation through the `` phar : // '' stream wrapper . In turn , the exploit triggers eXternal Entity ( XXE -- XML ) and Server Side Request Forgery ( SSRF ) flaws which cause unserialization in the platform 's code . While these flaws may only originally result in information disclosure and may be low risk , they can act as a pathway to a more serious remote code execution attack . The security researcher says Vulnerability-related.DiscoverVulnerability the core vulnerability , which is yet to receive a CVE Vulnerability-related.DiscoverVulnerability number , is within the wp_get_attachment_thumb_file function in /wpincludes/post.php and when attackers gain control of a parameter used in the `` file_exists '' call , '' the bug can be triggered . Unserialization occurs when serialized variables are converted back into PHP values . When autoloading is in place , this can result in code being loaded and executed , an avenue attackers may exploit in order to compromise PHP-based frameworks . `` Unserialization of attacker-controlled data is a known critical vulnerability , potentially resulting in the execution of malicious code , '' the company says . The issue of unserialization was first uncovered Vulnerability-related.DiscoverVulnerability back in 2009 , and since then , vulnerabilities have been recognized Vulnerability-related.DiscoverVulnerability in which the integrity of PHP systems can be compromised , such as CVE-2017-12934 , CVE-2017-12933 , and CVE-2017- 12932 . The WordPress content management system ( CMS ) is used by millions of webmasters to manage domains , which means the vulnerability potentially has a vast victim pool should the flaw being exploited Vulnerability-related.DiscoverVulnerability in the wild . `` I 've highlighted that the unserialization is exposed to a lot of vulnerabilities that might have previously been considered quite low-risk , '' Thomas explainde . `` Issues which they might have thought were fixed Vulnerability-related.PatchVulnerability with a configuration change or had been considered quite minor previously might need to be reevaluated in the light of the attacks I demonstrated . '' According to Secarma , the CMS provider was made aware Vulnerability-related.DiscoverVulnerability of the security issue in February 2017 , but `` is yet to take action . '' TechRepublic : The need for speed : Why you should optimize your CMS Technical details have been provided in a white paper ( .PDF ) . `` This research continues a worrying recent trend , in demonstrating that object ( un ) serialization is an integral part of several modern languages , '' Thomas said . `` We must constantly be aware of the security impact of such mechanisms being exposed to attackers . '' No reports have been received which suggest the exploit is being actively used in the wild . The vulnerability was originally reported Vulnerability-related.DiscoverVulnerability through the WordPress HackerOne bug bounty program last year . The issue was confirmed Vulnerability-related.DiscoverVulnerability after several days and Thomas was credited for his findings . However , a Secarma spokesperson told ZDNet that while there was `` some attempt to fix Vulnerability-related.PatchVulnerability the issue '' in May 2017 , this did not address Vulnerability-related.PatchVulnerability the problem . `` Communication then went dead for a number of months and has only recently begun again , '' the spokesperson added . ZDNet has reached out to WordPress and will update if we hear back .

Apple has posted the annual full overhaul of the Mac operating system , this time focusing on a redesign of the look and feel of the interface . The 10.14 incarnation of macOS , known as Mojave , has been released Vulnerability-related.PatchVulnerability into general availability . It includes new features , interface updates , and security patches – though at least one hole was left unpatched Vulnerability-related.PatchVulnerability . Apple is touting a set of interface improvements with the update , most notably the addition of a `` Dark Mode '' color scheme option and a Dynamic Desktop background that changes the image with the time of day . In more useful features , there 's the Stacks utility that organizes messy desktops by grouping files into categories . Apple also added a set of new News , Stocks , Voice Memos , and Home applications for macOS , porting the tools from iOS , while the Mac Continuity Camera app will let users snap and share pictures from their iOS device . Apple also redesigned the macOS version of the App Store service . Nestled into the Mojave update was a patch bundle that addresses Vulnerability-related.PatchVulnerability more than a half-dozen security holes . Mojave will include fixes for eight CVE-listed vulnerabilities . These include two remote code execution flaws in the kernel ( CVE-2018-4336 , CVE-2018-4344 ) and weak RC4 encryption ( CVE-2016-1777 ) . That '4344 flaw was discovered Vulnerability-related.DiscoverVulnerability by eggheads at the UK government 's eavesdropping nerve center , GCHQ . Other flaws include a traffic intercept flaw in Bluetooth ( CVE-2018-5383 ) , a sandbox escape in the operation firewall ( CVE-2018-4353 ) , a restricted memory access flaw in Crash Reporter ( CVE-2018-4333 ) , and flaws in both Auto Unlock ( CVE-2018-4321 ) and App Store ( CVE-2018-4324 ) that would allow an attacker to access the user 's Apple ID . Seemingly , these patches are only available Vulnerability-related.PatchVulnerability for macOS 10.14 – however , previous versions of the operating system were fixed Vulnerability-related.PatchVulnerability up last week . It did n't take long for at least one researcher to blast holes in the security features of the new operating system . Shortly after Mojave arrived , macOS guru Patrick Wardle dropped word of a vulnerability he discovered Vulnerability-related.DiscoverVulnerability that would allow an attacker to bypass the privacy safeguards in Mojave that would normally prevent an unauthorized app from accessing things like users ' contact details . Here 's a video of the exploit ... Wardle said Vulnerability-related.DiscoverVulnerability he has reported Vulnerability-related.DiscoverVulnerability the bug to Apple , but will not release details beyond the proof-of-concept video until a fix can be released Vulnerability-related.PatchVulnerability . More technical details are due to be released in November .

On Friday , a cache of hacking tools allegedly developed by the US National Security Agency was dumped online . The news was explosive in the digital security community because the tools contained methods to hack computers running Windows , meaning millions of machines could be at risk . Security experts who tested the tools , leaked by a group called the Shadow Brokers , found that they worked . They were panicked : This is really bad , in about an hour or so any attacker can download simple toolkit to hack into Microsoft based computers around the globe . — Hacker Fantastic ( @ hackerfantastic ) April 14 , 2017 But just hours later , Microsoft announced that many of the vulnerabilities were addressed Vulnerability-related.PatchVulnerability in a security update released Vulnerability-related.PatchVulnerability a month ago . “ Today , Microsoft triaged a large release of exploits made publicly available by Shadow Brokers , ” Philip Misner , a Microsoft executive in charge of security wrote in a blog post . “ Our engineers have investigated the disclosed exploits , and most of the exploits are already patched Vulnerability-related.PatchVulnerability . ” Misner ’ s post showed that three of nine vulnerabilities from the leak were fixed Vulnerability-related.PatchVulnerability in a March 14 security update . As Ars Technica pointed out , when security holes are discovered Vulnerability-related.DiscoverVulnerability , the individual or organization that found Vulnerability-related.DiscoverVulnerability them is usually credited in the notes explaining the update . No such acknowledgment was found in the March 14 update . Here ’ s a list of acknowledgments for 2017 , showing credit for finding security problems in almost every update . One theory among security practitioners is that the NSA itself reported Vulnerability-related.DiscoverVulnerability the vulnerabilities to Microsoft , knowing that the tools would be dumped publicly . Microsoft told ZDNet that it might not list individuals who discover Vulnerability-related.DiscoverVulnerability flaws for a number of reasons , including by request from the discoverer . The US government has not commented on this leak , though previous leaks by the Shadow Brokers claiming to be NSA hacking tools were confirmed at least in part by affected vendors and NSA whistleblower Edward Snowden .