-->
ROOM ZKE
USAComment.com
Zicutake USA Comment | Search Articles



#History (Education) #Satellite report #Arkansas #Tech #Poker #Language and Life #Critics Cinema #Scientific #Hollywood #Future #Conspiracy #Curiosity #Washington
 Smiley face
PROXY LIST

[Calculate SHA256 hash]
 Smiley face
Zicutake BROWSER
 Smiley face Encryption Text and HTML
Aspect Ratio Calculator
[HTML color codes]
 Smiley face Conversion to JavaScript
[download YouTube videos in MP4, FLV, 3GP, and many more formats]

 Smiley face Mining Satoshi | Payment speed
CALCULATOR DIMENSIONS AND RECTANGLE

 Smiley face
CREATE ADDRESS BITCOIN
Online BitTorrent Magnet Link Generator
[PERCENTAGE CALCULATOR]
JOURNAL WORLD:

SEARCH +8 MILLIONS OF LINKS ZICUTAKE STATE

#Security

#Security


AMD and Microsoft release microcode and operating system updates against Spectre flaw

Posted: 11 Apr 2018 03:52 AM PDT

AMD released patches for Spectre Variant 2 attack that includes both microcode and operating system updates. AMD and Microsoft worked together to issue the updates on Tuesday.

AMD and Microsoft released the microcode and security updates for Spectre vulnerabilities.

The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser's memory.

The attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

amd spectre flaw

Meltdown attacks trigger the CVE-2017-5754 vulnerability, while Spectre attacks the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 required an update of the microcode for the affected processors. Software mitigations include.

AMD released patches for Spectre Variant 2 attack that includes both microcode and operating system updates. AMD and Microsoft worked together to issue the updates on Tuesday.

“Today, AMD is providing updates regarding our recommended mitigations for Google Project Zero (GPZ) Variant 2 (Spectre) for Microsoft Windows users. These mitigations require a combination of processor microcode updates from our OEM and motherboard partners, as well as running the current and fully up-to-date version of Windows.” reads the announcement published by AMD. “For Linux users, AMD recommended mitigations for GPZ Variant 2 were made available to our Linux partners and have been released to distribution earlier this year.”

Microsoft initially released Spectre security patches for AMD-based systems in January, but it was forced to suspend them due to instability issues.

AMD experts highlighted that is quite difficult to exploit the Spectre Variant 2 on AMD chips, for this reason, it worked with partners to provide a combination of microcode and OS updates.

"While we believe it is difficult to exploit Variant 2 on AMD processors, we actively worked with our customers and partners to deploy the above described combination of operating system patches and microcode updates for AMD processors to further mitigate the risk," continues the announcement.

AMD customers can install the microcode by downloading BIOS updates provided by manufacturers, while Windows 10 updates are included in the Microsoft April Patch Tuesday.

Windows 10 updates released by Microsoft on Tuesday include Spectre Variant 2 mitigationsfor AMD devices. According to AMD, the support for these mitigations for AMD processors in Windows Server 2016 is expected to be available following final validation and testing.

For Linux systems, AMD states that mitigations for GPZ Variant 2 were made available to its Linux partners and have been released to distribution earlier this year.

Pierluigi Paganini

(Security Affairs – Microsoft, Spectre)

The post AMD and Microsoft release microcode and operating system updates against Spectre flaw appeared first on Security Affairs.

Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site

Posted: 11 Apr 2018 01:36 AM PDT

 

Microsoft has released April Patch Tuesday security updates that address 66 vulnerabilities, five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Hackers can compromise your computer just visiting a malicious website or clicking a malicious link.

Microsoft has released April Patch Tuesday that addresses 66 vulnerabilities, 24 of which are rated critical and five of them could be exploited by an attacker to compromise a PC by just tricking the victims into visiting a website or opening a specifically crafted file.

Microsoft April Patch Tuesday includes the fix for five critical remote code execution vulnerabilities in Windows Graphics Component (CVE-2018-1010-1012-1013-1015-1016) that are related to improper handling of embedded fonts by the Font Library.

“In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” reads the advisory for the CVE-2018-1013.

“An attacker could also embed an ActiveX control marked ‘safe for initialization’ in an application or Microsoft Office document that hosts the IE rendering engine.”

The flaws were discovered by Hossein Lotfi, a security researcher at Flexera Software. and affect all versions of Windows OS to date.

Microsoft also addressed a denial of service vulnerability in Windows Microsoft Graphics that could be exploited by an attacker to cause a targeted system to stop responding. This vulnerability tied the way Windows handles objects in memory.

Microsoft April Patch Tuesday also addressed a critical RCE vulnerability, tracked as CVE-2018-1004, that resides in the Windows VBScript Engine and affects all versions of Windows.

"An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," read the security advisory published by Microsoft.

April Patch Tuesday

Microsoft security updates also address a total of six vulnerabilities in Adobe Flash Player, three of which were rated critical.

Users need to apply security updates as soon as possible to protect their systems.

Pierluigi Paganini

(Security Affairs – Microsoft April Patch Tuesday, hacking)

The post Microsoft April Patch Tuesday – Update your system now to avoid being hacked by visiting a site appeared first on Security Affairs.

Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash

Posted: 10 Apr 2018 10:59 PM PDT

Adobe April Security Bulletin Tuesday is out, the company has addressed four critical vulnerabilities in the Flash Player.

Adobe April Security Bulletin has addressed a total of 19 vulnerabilities in its products, including Flash Player, Experience Manager, InDesign CC, Digital Editions, ColdFusion and the PhoneGap Push plugin.

The company has released the Flash Player version 29.0.0.140 that fixed four critical flaws and two issues rated as important.

The flaws addressed with the Adobe April Security Bulletin Tuesday include a use-after-free, out-of-bounds read, out-of-bounds write and heap overflow bugs that could be exploited by remote attackers to execute arbitrary code on the target system and that could lead information disclosure.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities in Adobe Flash Player 29.0.0.113 and earlier versions. Successful exploitation could lead to arbitrary code execution in the context of the current user.” reads the security advisory published by Adobe.

Below the vulnerability details

Vulnerability Category Vulnerability Impact Severity CVE Number
Use-After-Free Remote Code Execution Critical CVE-2018-4932
Out-of-bounds read Information Disclosure Important CVE-2018-4933
Out-of-bounds read Information Disclosure Important CVE-2018-4934
Out-of-bounds write Remote Code Execution Critical CVE-2018-4935
Heap Overflow Information Disclosure Important CVE-2018-4936
Out-of-bounds write Remote Code Execution Critical CVE-2018-4937

Adobe acknowledged Google white hat hackers Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero for reporting the CVE-2018-4936, CVE-2018-4935, CVE-2018-4934, CVE-2018-4937 flaw.

Adobe April Security Bulletin Tuesday

The CVE-2018-4933 vulnerability was reported by willJ of Tencent PC Manager, while the CVE-2018-4932 flaw was reported by Lin Wang of Beihang University.

The good news is that according to Adobe, there is no evidence of malicious exploitation in the wild.

Adobe also addressed three moderate and important cross-site scripting (XSS) flaws in the Experience Manager.

Adobe also fixed a critical memory corruption flaw (CVE-2018-4928) in Adobe InDesign CC that was reported by Honggang Ren of Fortinet's FortiGuard Labs. Ren discovered a memory corruption flaw that could be exploited for arbitrary code execution.

Adobe also fixed an out-of-bounds read vulnerability and a stack overflow issue in Adobe Digital Editions and five flaws in ColdFusion.

The last issue covered by the company is a same-origin method execution bug in the Adobe PhoneGap Push plugin.

Pierluigi Paganini

(Security Affairs – Adobe April Security Bulletin Tuesday, hacking)

The post Adobe April Security Bulletin Tuesday fixed 4 critical flaws in Flash appeared first on Security Affairs.