Apple has issued Vulnerability-related.PatchVulnerability an update to fix Vulnerability-related.PatchVulnerability a number of issues in macOS Mojave leading to arbitrary code execution , the ability to read restricted memory and access local users Apple IDs among others . All were patched Vulnerability-related.PatchVulnerability with the release of macOS Mojave 10.14 on Sept 24. applePatchapplePatch The first issue , CVE-2018-5383 , impacted Vulnerability-related.DiscoverVulnerability a number of iMac , MacBook Air , Mac Pro and Mac mini server products . An input validation issue existed in Vulnerability-related.DiscoverVulnerability Bluetooth was fixed Vulnerability-related.PatchVulnerability that could have allowed an attacker in a privileged network position to intercept Bluetooth traffic . The App Store also patched Vulnerability-related.PatchVulnerability CVE-2018-4324 , an issue in the handling of Apple ID that could have been exploited Vulnerability-related.DiscoverVulnerability by a malicious application that would expose the Apple ID of the computer ’ s owner . Also , a validation issue that could expose Apple IDs was in Auto Unlock that was patched Vulnerability-related.PatchVulnerability with improved validation of the process entitlement . CVE-2018-4353 impacted Vulnerability-related.DiscoverVulnerability the application firewall where a sandboxed process may be able to circumvent sandbox restrictions , but this was addressed Vulnerability-related.PatchVulnerability by adding additional restrictions . In Crash Reporter a validation issue , CVE-2018-4333 , was addressed Vulnerability-related.PatchVulnerability that if exploited Vulnerability-related.DiscoverVulnerability would allow a malicious application to read restricted memory . Two Kernel problems were fixed Vulnerability-related.PatchVulnerability , CVE-2018-4336 and CVE-2018-4344 , that could let an application may be able to execute arbitrary code with kernel privileges . The final problem , CVE-2016-1777 , effected Security where an attacker could exploit a weaknesses in the RC4 cryptographic algorithm and was fixed Vulnerability-related.PatchVulnerability by removing RC4 .

Oracle released Vulnerability-related.PatchVulnerability its latest Critical Patch Update on July 18 , fixing Vulnerability-related.PatchVulnerability 334 vulnerabilities across the company 's product portfolio . The company rated 61 of the vulnerabilities as having critical impact . Among the products patched Vulnerability-related.PatchVulnerability by Oracle are Oracle Database Server , Oracle Global Lifecycle Management , Oracle Fusion Middleware , Oracle E-Business Suite , Oracle PeopleSoft , Oracle Siebel CRM , Oracle Industry Applications , Oracle Java SE , Oracle Virtualization , Oracle MySQL and Oracle Sun Systems Products Suite . While there are issues of varying severity in the update , Oracle is blaming third-party components as being the cause of the majority of the critical issues . `` It is fair to note that bugs in third-party components make up a disproportionate amount of severe vulnerabilities in this Critical Patch Update , '' Eric Maurice , director of security assurance at Oracle , wrote in a blog post . `` 90 percent of the critical vulnerabilities addressed Vulnerability-related.PatchVulnerability in this Critical Patch Update are for non-Oracle CVEs . '' Of the 334 issues fixed Vulnerability-related.PatchVulnerability in the July Critical Patch Update , 37 percent were for third-party components included in Oracle product distributions . While many flaws were from third-party libraries , there were also flaws in Oracle 's own development efforts . Oracle 's namesake database was patched Vulnerability-related.PatchVulnerability for three issues , one of which is remotely exploitable without user authentication . Oracle 's Financial Services application received Vulnerability-related.PatchVulnerability the highest total number of patches at 56 , with 21 identified as being remotely exploitable without user authentication . Oracle 's Fusion Middleware , on the other hand , got Vulnerability-related.PatchVulnerability 44 new security fixes , with 38 of them rated as being critical . Oracle Enterprise Manager Products were patched Vulnerability-related.PatchVulnerability for 16 issues , all of which are remotely exploitable without authentication . Looking at flaws in Java , Oracle 's July CPU provides Vulnerability-related.PatchVulnerability eight security fixes , though organizations likely need to be cautious when applying Vulnerability-related.PatchVulnerability the patches , as certain functionality has been removed . `` Several actions taken to fix Vulnerability-related.PatchVulnerability Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications , '' security firm Waratek warned in an advisory . `` Application owners who apply Vulnerability-related.PatchVulnerability binary patches should be extremely cautious and thoroughly test their applications before putting Vulnerability-related.PatchVulnerability patches into production . '' The reason why the Oracle fixes could break application functionality is because Oracle has decided to remove multiple vulnerable components from its Java Development Kit ( JDK ) . At 334 fixed flaws , the July update is larger than last Critical Patch Update released Vulnerability-related.PatchVulnerability on Jan 15 , which provided Vulnerability-related.PatchVulnerability patches for 237 flaws . While the number of patches issues has grown , Matias Mevied , Oracle security researcher at Onapsis , commented that Oracle is working in the right way , fixing Vulnerability-related.PatchVulnerability the reported vulnerabilities and is getting faster every year . `` Unfortunately , based in our experience , the missing part is that the companies still do n't implement the patches as soon as they should be , '' Mevied told eWEEK .

Six months of relative quiet around exploit kits recently changed when a public proof-of-concept attack disclosed Vulnerability-related.DiscoverVulnerability by a Texas startup was integrated into the Sundown Exploit Kit . The proof-of-concept exploit was developed Vulnerability-related.DiscoverVulnerability by Theori , a research and development firm in Austin , which opened its doors last spring . The PoC targets two vulnerabilities , CVE-2016-7200 and CVE-2016-7201 , in Microsoft Edge that were patched Vulnerability-related.PatchVulnerability in November in MS16-129 and privately disclosed Vulnerability-related.DiscoverVulnerability to Microsoft by Google Project Zero researcher Natalie Silvanovich . French researcher Kafeine said on Saturday that he had spotted weaponized versions of the Theori exploits in Sundown two days after they were made public . The payload is most likely the Zloader DLL injector , but Sundown has also moved other malware in the past including banking Trojans such as Zeus Panda and Dreambot , and even Bitcoin mining software . Kafeine said this is the first significant exploit kit activity he ’ s seen in six months . This is the second time a Theori proof-of-concept exploit has ended up in an exploit kit , Kafeine said Vulnerability-related.DiscoverVulnerability , harkening back to CVE-2016-0189 , which was patched Vulnerability-related.PatchVulnerability in May by Microsoft and yet eventually found its way into Neutrino , RIG , Sundown and Magnitude . Kafeine said he expects other exploit kits to quickly integrate this attack as well , but activity could be slowed by Christmas and New Year holidays in the West , and the recently concluded Russian holiday season . A request for comment from researchers at Theori was not returned in time for publication . In the Readme for the exploits posted to Github , Theori said its PoC was tested on the latest version of Edge running on Windows 10 . The vulnerabilities are in the Chakra JavaScript engine developed for Microsoft in Internet Explorer 9 . The Theori exploits trigger information leak and type confusion vulnerabilities in the browser , leading to remote code execution . The bugs were patched Vulnerability-related.PatchVulnerability Nov. 8 by Microsoft in a cumulative update for the Edge browser ; Microsoft characterized Vulnerability-related.DiscoverVulnerability them as memory corruption flaws and rated them both critical for Windows clients and moderate for Windows server . An attacker could also embed an ActiveX control marked ‘ safe for initialization ’ in an application or Microsoft Office document that hosts the Edge rendering engine . The integration of new exploits , however , has slowed significantly since the erasure of Angler and other popular kits from the underground . Angler ’ s disappearance coincided with the June arrests of 50 people in Russia allegedly connected to the development and distribution of the Lurk Trojan . Researchers at Kaspersky Lab who investigated the infrastructure supporting Lurk said there was little doubt that the criminals behind Lurk were also responsible for Angler ’ s constant development and profit-making . Since the end of the summer , however , exploit kit development has all but ended while attackers have returned to large-scale spamming campaigns and a resurgence of macro malware to move attacks along . “ Regarding the why , I don ’ t know for sure , ” Kafeine said . “ Either it ’ s harder to code those , [ or ] those who were providing fully working exploits ( for Angler for instance ) are not anymore into this . “ I think [ exploit kits ] have not been so far behind in years ” . Microsoft patched Vulnerability-related.PatchVulnerability this on Nov 8th , bug the huge problem is that whenever you buy a new computer , it doesn ’ t come with that pacth… You have to run the updates once you set up the new computer . And from what I have been finding over the last 6 months , is that the moment you open a brand new laptop with windows 10 and start to try to update it , the vulnerability is wide open for attack . The WORST part is that if you are a regular person not knowing anything about security , and you set up windows 10 with the “ express settings ” the computer is setup to connect to any open wifi hotspot and Bluetooth devices ! So if you live in NYC or any heavy populated area , or your home wifi is already infected by Miria Botnet , you are screwed instantly… I have proof that it is happening to everyone and no one knows it . The internet is going to implode within the next 3-4 months and the government will have to shut it down .

Six months of relative quiet around exploit kits recently changed when a public proof-of-concept attack disclosed Vulnerability-related.DiscoverVulnerability by a Texas startup was integrated into the Sundown Exploit Kit . The proof-of-concept exploit was developed Vulnerability-related.DiscoverVulnerability by Theori , a research and development firm in Austin , which opened its doors last spring . The PoC targets two vulnerabilities , CVE-2016-7200 and CVE-2016-7201 , in Microsoft Edge that were patched Vulnerability-related.PatchVulnerability in November in MS16-129 and privately disclosed Vulnerability-related.DiscoverVulnerability to Microsoft by Google Project Zero researcher Natalie Silvanovich . French researcher Kafeine said on Saturday that he had spotted weaponized versions of the Theori exploits in Sundown two days after they were made public . The payload is most likely the Zloader DLL injector , but Sundown has also moved other malware in the past including banking Trojans such as Zeus Panda and Dreambot , and even Bitcoin mining software . Kafeine said this is the first significant exploit kit activity he ’ s seen in six months . This is the second time a Theori proof-of-concept exploit has ended up in an exploit kit , Kafeine said Vulnerability-related.DiscoverVulnerability , harkening back to CVE-2016-0189 , which was patched Vulnerability-related.PatchVulnerability in May by Microsoft and yet eventually found its way into Neutrino , RIG , Sundown and Magnitude . Kafeine said he expects other exploit kits to quickly integrate this attack as well , but activity could be slowed by Christmas and New Year holidays in the West , and the recently concluded Russian holiday season . A request for comment from researchers at Theori was not returned in time for publication . In the Readme for the exploits posted to Github , Theori said its PoC was tested on the latest version of Edge running on Windows 10 . The vulnerabilities are in the Chakra JavaScript engine developed for Microsoft in Internet Explorer 9 . The Theori exploits trigger information leak and type confusion vulnerabilities in the browser , leading to remote code execution . The bugs were patched Vulnerability-related.PatchVulnerability Nov. 8 by Microsoft in a cumulative update for the Edge browser ; Microsoft characterized Vulnerability-related.DiscoverVulnerability them as memory corruption flaws and rated them both critical for Windows clients and moderate for Windows server . An attacker could also embed an ActiveX control marked ‘ safe for initialization ’ in an application or Microsoft Office document that hosts the Edge rendering engine . The integration of new exploits , however , has slowed significantly since the erasure of Angler and other popular kits from the underground . Angler ’ s disappearance coincided with the June arrests of 50 people in Russia allegedly connected to the development and distribution of the Lurk Trojan . Researchers at Kaspersky Lab who investigated the infrastructure supporting Lurk said there was little doubt that the criminals behind Lurk were also responsible for Angler ’ s constant development and profit-making . Since the end of the summer , however , exploit kit development has all but ended while attackers have returned to large-scale spamming campaigns and a resurgence of macro malware to move attacks along . “ Regarding the why , I don ’ t know for sure , ” Kafeine said . “ Either it ’ s harder to code those , [ or ] those who were providing fully working exploits ( for Angler for instance ) are not anymore into this . “ I think [ exploit kits ] have not been so far behind in years ” . Microsoft patched Vulnerability-related.PatchVulnerability this on Nov 8th , bug the huge problem is that whenever you buy a new computer , it doesn ’ t come with that pacth… You have to run the updates once you set up the new computer . And from what I have been finding over the last 6 months , is that the moment you open a brand new laptop with windows 10 and start to try to update it , the vulnerability is wide open for attack . The WORST part is that if you are a regular person not knowing anything about security , and you set up windows 10 with the “ express settings ” the computer is setup to connect to any open wifi hotspot and Bluetooth devices ! So if you live in NYC or any heavy populated area , or your home wifi is already infected by Miria Botnet , you are screwed instantly… I have proof that it is happening to everyone and no one knows it . The internet is going to implode within the next 3-4 months and the government will have to shut it down .

A series of remotely exploitable vulnerabilities exist in Vulnerability-related.DiscoverVulnerability a popular web-based SCADA system made by Honeywell that make it easy to expose passwords and in turn , give attackers a foothold into the vulnerable network . The flaws exist in Vulnerability-related.DiscoverVulnerability some versions of Honeywell ’ s XL Web II controllers , systems deployed across the critical infrastructure sector , including wastewater , energy , and manufacturing companies . An advisory from the Department of Homeland Security ’ s Industrial Control Systems Cyber Emergency Response Team ( ICS-CERT ) warned about Vulnerability-related.DiscoverVulnerability the vulnerabilities Thursday . The company has developed a fix , version 3.04.05.05 , to address Vulnerability-related.PatchVulnerability the issues but users have to call their local Honeywell Building Solutions branch to receive Vulnerability-related.PatchVulnerability the update , according to the company . The controllers suffer from five vulnerabilities in total but the scariest one might be the fact that passwords for the controllers are stored in clear text . Furthermore , if attackers wanted to , they could disclose Attack.Databreach that password simply by accessing a particular URL . An attacker could also carry out a path traversal attack by accessing a specific URL , open and change some parameters by accessing a particular URL , or establish a new user session . The problem with starting a new user session is that the controllers didn ’ t invalidate any existing session identifier , something that could have made it easier for an attacker to steal any active authenticated sessions . Maxim Rupp , an independent security researcher based in Germany , dug up Vulnerability-related.DiscoverVulnerability the bugs and teased them on Twitter at the beginning of January . Rupp has identified Vulnerability-related.DiscoverVulnerability bugs in Honeywell equipment before . Two years ago he discovered Vulnerability-related.DiscoverVulnerability a pair of vulnerabilities in Tuxedo Touch , a home automation controller made by the company , that could have let an attacker unlock a house ’ s doors or modify its climate controls . It ’ s unclear how widespread the usage of Honeywell ’ s XL Web II controllers is . While Honeywell is a US-based company , according to ICS-CERT ’ s advisory the majority of the affected products are used in Europe and the Middle East . When reached on Friday , a spokesperson for Honeywell confirmed that the affected controllers are used in Europe and the Middle East . The company also stressed that the vulnerabilities were patched Vulnerability-related.PatchVulnerability in September 2016 after they were reported Vulnerability-related.DiscoverVulnerability in August .