Foxit has patched Vulnerability-related.PatchVulnerability more than 118 vulnerabilities in its PDF reader , some of which could be exploited Vulnerability-related.DiscoverVulnerability to enable full remote code execution . Patches were released Vulnerability-related.PatchVulnerability last week for Foxit Reader 9.3 and Foxit PhantomPDF 9.3 to address Vulnerability-related.PatchVulnerability a huge number of issues in the programs . This security bulletin released by Foxit provides details on the extensive list of vulnerabilities , which were discovered Vulnerability-related.DiscoverVulnerability via internal research , end user reports , and reports from research teams . More than 118 issues were addressed Vulnerability-related.PatchVulnerability , though there was some overlap , and so the number of actual bugs was lower . Vulnerable versions are 9.2.0.9297 and earlier , and only affect Vulnerability-related.DiscoverVulnerability Windows users . A significant number of flaws were classed as ‘ critical ’ and could allow for remote code execution – 18 were reported Vulnerability-related.DiscoverVulnerability by Cisco Talos , all of which were dubbed high in severity . Several were use-after-free flaws , which allows memory to be accessed after it has been freed and can enable hackers to execute arbitrary code and take over the system . Cisco Talos wrote in a report : “ There are a couple of different ways an adversary could leverage this attack including tricking a user to opening a specially crafted , malicious PDF or , if the browser plugin is enabled , the user could trigger the exploit by viewing the document in a web browser. ” Foxit told The Daily Swig that its programs were embedded with security features designed to protect its users from malicious actors . These include a ‘ Safe Mode ’ , which “ prevents suspicious external commands to be executed by Foxit Reader ” , and the option to disable JavaScript . The company also urged its users to update to the latest version . A spokesperson told The Daily Swig : “ Overall , Foxit Reader has had over 525 million downloads , but obviously they are not all active users on the latest release . “ In Foxit Reader , we have a Safe Mode which prevents suspicious external commands to be executed by Foxit Reader . Therefore , we don ’ t know how many folks are running without Safe Mode enabled. ” However , this security feature was bypassed not just once , but twice , by researchers last year . Foxit added : “ For a number of reasons , including bug fixes Vulnerability-related.PatchVulnerability , we always advise users to download and install the latest release . Also , run the product in Safe Mode whenever possible . ”

Virgin Media has – perhaps rather belatedly – fixed Vulnerability-related.PatchVulnerability a series of vulnerabilities in its Super Hub 3.0 home broadband router modem , after they were reported Vulnerability-related.DiscoverVulnerability more than 18 months ago . Balazs Bucsay , managing security consultant at NCC Group , says that after receiving one of the devices as a home customer and examining it for a few hours , he was quickly able to find Vulnerability-related.DiscoverVulnerability a remote command execution bug . He uncovered many others during the following days . Eventually , he says , he was able to create a full chain of exploits that made it possible to perform a remote authentication as an administrator on the router . This could potentially allow a hacker to take control of millions of these devices , installing backdoors in a way that would be extremely hard to find and investigate . “ After hacking into my own Super Hub 3.0 , I was able to find Vulnerability-related.DiscoverVulnerability multiple security flaws within the router ’ s firmware and combine these to create an exploit that could have been hidden within webpages and sent to other unsuspecting owners via scam emails or other methods , ” Bucsay tells The Daily Swig . “ If customers had opened the webpages and activated the exploit , hackers could have gained unauthorized access to their modems and other devices on the victim ’ s home network , enabling them to spy on online activity and even execute their own commands on the devices. ” Bucsay reported Vulnerability-related.DiscoverVulnerability the vulnerabilities to Virgin Media in March 2017 , but says they weren't fixed Vulnerability-related.PatchVulnerability until the end of July this year . “ The proposed roll-out date was postponed many times , ” he says . However , a Virgin Media spokeswoman defended the company ’ s actions . “ The online security of our customers is a top priority for Virgin Media and the issues described Vulnerability-related.DiscoverVulnerability by NCC have been fixed Vulnerability-related.PatchVulnerability , ” she told The Daily Swig . “ We have seen no evidence that these advanced technical exploits , carried out by NCC as a proof of concept , were used maliciously to impact customers. ” With the patch rolled out Vulnerability-related.PatchVulnerability in August , Super Hub 3.0 users don ’ t need to do anything extra to protect themselves . “ However , this research should remind consumers that no connected device is inherently secure , and that they should consider additional security measures around their home network , such as using password managers and different passwords for each device and service , ” Bucsay warns . He also urged internet service providers to be more proactive in checking the security of any third-party devices they use .

Security researchers from Neseso are sounding the alarm on a vulnerability they 've discovered Vulnerability-related.DiscoverVulnerability in Samsung smart TVs that Samsung declined to fix Vulnerability-related.PatchVulnerability . The security flaw affects Vulnerability-related.DiscoverVulnerability Wi-Fi Direct , a Wi-Fi standard that enables devices to connect with each other without requiring a wireless access point . Smasung uses Wi-Fi Direct with its smart TVs to allow TV owners to connect to the TV via their phones , laptops , or tablets , directly , and not through the local access point . Neseso researchers claim Vulnerability-related.DiscoverVulnerability that Samsung has failed Vulnerability-related.DiscoverVulnerability in the implementation of this standard , as Samsung TVs only use MAC addresses to authenticate users . Other vendors use more solid authentication systems based on a Push-Button or PIN . Because anyone can sniff and spoof MAC addresses , this vulnerability opens the user 's TV to getting hacked by anyone in the range of the TV 's Wi-Fi Direct coverage . `` Once connected , the attacker has access to all the services provided by the TV , such as remote control service or DNLA screen mirroring , '' Neseso researchers wrote in their report . The dangers are palpable for companies , as most have smart TVs in their offices , employee lounges , customer waiting rooms , or board rooms . Worse is that the Samsung smart TV Wi-Fi Direct feature is enabled by default every time the device boots up . Users are notified on screen when a whitelisted device connects to the TV via Wi-Fi Direct , but those warnings could be misinterpreted by TV owners , or missed altogether if nobody 's watching the TV . Contacted by Neseso in mid-March , Samsung answered it does n't view this feature as a security risk and declined to provide Vulnerability-related.PatchVulnerability a firmware update , telling Neseso they do n't view this issue as a `` security threat . '' Researchers tested their attack on Samsung UN32J5500 Firmware version 1480 , but say that other versions are most likely vulnerable Vulnerability-related.DiscoverVulnerability as well . There is currently no workaround for protecting against attacks via Wi-Fi Direct except turning off the feature every time you boot/reboot your device . Earlier this month , at the Security Analyst Summit 2017 , security expert Amihai Neiderman disclosed Vulnerability-related.DiscoverVulnerability about the presence of 40 zero-day vulnerabilities in Tizen , the operating system that runs on Samsung smart TVs . The flaws were all unpatched Vulnerability-related.PatchVulnerability at the time they were reported Vulnerability-related.DiscoverVulnerability .

A series of remotely exploitable vulnerabilities exist in Vulnerability-related.DiscoverVulnerability a popular web-based SCADA system made by Honeywell that make it easy to expose passwords and in turn , give attackers a foothold into the vulnerable network . The flaws exist in Vulnerability-related.DiscoverVulnerability some versions of Honeywell ’ s XL Web II controllers , systems deployed across the critical infrastructure sector , including wastewater , energy , and manufacturing companies . An advisory from the Department of Homeland Security ’ s Industrial Control Systems Cyber Emergency Response Team ( ICS-CERT ) warned about Vulnerability-related.DiscoverVulnerability the vulnerabilities Thursday . The company has developed a fix , version 3.04.05.05 , to address Vulnerability-related.PatchVulnerability the issues but users have to call their local Honeywell Building Solutions branch to receive Vulnerability-related.PatchVulnerability the update , according to the company . The controllers suffer from five vulnerabilities in total but the scariest one might be the fact that passwords for the controllers are stored in clear text . Furthermore , if attackers wanted to , they could disclose Attack.Databreach that password simply by accessing a particular URL . An attacker could also carry out a path traversal attack by accessing a specific URL , open and change some parameters by accessing a particular URL , or establish a new user session . The problem with starting a new user session is that the controllers didn ’ t invalidate any existing session identifier , something that could have made it easier for an attacker to steal any active authenticated sessions . Maxim Rupp , an independent security researcher based in Germany , dug up Vulnerability-related.DiscoverVulnerability the bugs and teased them on Twitter at the beginning of January . Rupp has identified Vulnerability-related.DiscoverVulnerability bugs in Honeywell equipment before . Two years ago he discovered Vulnerability-related.DiscoverVulnerability a pair of vulnerabilities in Tuxedo Touch , a home automation controller made by the company , that could have let an attacker unlock a house ’ s doors or modify its climate controls . It ’ s unclear how widespread the usage of Honeywell ’ s XL Web II controllers is . While Honeywell is a US-based company , according to ICS-CERT ’ s advisory the majority of the affected products are used in Europe and the Middle East . When reached on Friday , a spokesperson for Honeywell confirmed that the affected controllers are used in Europe and the Middle East . The company also stressed that the vulnerabilities were patched Vulnerability-related.PatchVulnerability in September 2016 after they were reported Vulnerability-related.DiscoverVulnerability in August .