The Internet
Microsoft Issues Emergency Fix For Internet Explorer Zero Day (bleepingcomputer.com)

An anonymous reader quotes a report from Bleeping Computer: Microsoft has released an out-of-band security update that fixes an actively exploited vulnerability in Internet Explorer. This vulnerability has been assigned ID CVE-2018-8653 and was discovered by Google's Threat Analysis Group when they saw the vulnerability being used in targeted attacks. According to Microsoft's security bulletin, this is a vulnerability in how the Internet Explorer scripting engine handles objects in memory. Attackers can use this vulnerability to corrupt memory in such a way that they could execute code under the security privileges of the logged-in user. This vulnerability can also be used to launch attacks through specially crafted web sites that utilize the exploit code. This means that attackers can utilize this flaw in exploit kits or by compromising legitimate sites and adding code that exploits the vulnerability.

"A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer," states Microsoft's advisory. "The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Oracle

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com)

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.

Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."

Government

FDA Wants Medical Devices To Have Mandatory Built-In Update Mechanisms (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: The US Food & Drug Administration plans to ask Congress for more funding and regulatory powers to improve its approach towards medical device safety, including on the cybersecurity front. An FDA document released this week reveals several of the FDA's plans, including the desire to force device makers to include mandatory update systems inside products for the purpose of delivering critical security patches.

In addition, the FDA also plans to force device makers to create a document called "Software Bill of Materials" that will be provided for each medical device and will include software-related details for each product. Hospitals, healthcare units, contractors, or users will be able to consult the medical device's bill of materials and determine how it functions, what software is needed for what feature, and what technologies are used in each device.

Microsoft

Microsoft's Meltdown and Spectre Patch Is Bricking Some AMD PCs (betanews.com)

Mark Wilson writes: As if the Meltdown and Spectre bugs affecting millions of processors were not bad enough, the patches designed to mitigate the problems are introducing issues of their own. Perhaps the most well-known effect is a much-publicized performance hit, but some users are reporting that Microsoft's emergency patch is bricking their computers. We've already seen compatibility issues with some antivirus tools, and now some AMD users are reporting that the KB4056892 patch is rendering their computer unusable. A further issue -- error 0x800f0845 -- means that it is not possible to perform a rollback.

The Almighty Buck

Female Computer Programmers Make $0.72 For Every Dollar Made By Male: Study (siliconbeat.com)

An anonymous reader cites an article on The Mercury News' Silicon Beat tech blog: Female computer programmers make 72 cents for every dollar earned by male programmers. That difference is after researchers adjust for factors such as age, education, years of experience, job title, employer and location, according to a new study by Glassdoor (PDF), the jobs and recruiting marketplace, which looked at salary data of more than 500,000 people over 140 professions. The well-known U.S. wage gender gap is 76 cents for every dollar men earn. But women earn 94.6 cents for every man's dollar after adjusting for all factors other than gender. In other words, the wage gap in the U.S. is about 5.4 percent.

Submission + - Explaining the Lack of Quality Journalism In the Internet Age

schnell writes: While many lament the seeming lack of quality in-depth journalism today, a Gawker article argues that the inescapable problem is that you need a paying (in some form) audience (of a large enough size) to do it. There are plenty of free "news" sources to be found online, especially blogs simply regurgitating and putting a spin on wire news reports. But as the article notes, "The audience for quality prestige content is small. Even smaller than the actual output of quality prestige content, which itself is smaller than most media outlets like to imagine." Even highly respected news sources like the New York Times are resorting to wine clubs and the Washington Post is giving free subscriptions to Amazon Prime members to drive more corporate synergy and revenue. Rich parent companies are giving up on boutique high-quality niche journalism projects like ESPN's Grantland and Al Jazeera America because there simply aren't enough TV viewers/online ad clickers to pay the bills. So how do we reconcile our collectively stated desire for high quality journalism with our (seeming) collective unwillingness to pay for it?

Submission + - Netflix decides to stomp out VPN users (netflix.com)

An anonymous reader writes: Netflix have announced they'll be taking further steps to ensure users are not circumventing geo-restrictions. David Fullagar, Vice President of Content Delivery and Architecture at Netflix says "Some members use proxies or “unblockers” to access titles available outside their territory. To address this, we employ the same or similar measures other firms do. This technology continues to evolve and we are evolving with it. That means in coming weeks, those using proxies and unblockers will only be able to access the service in the country where they currently are."

Submission + - NASA awards Sierra Nevada's Dream Chaser an ISS commercial resupply contract (examiner.com)

MarkWhittington writes: The Verge reported that NASA has awarded the second round of contracts for the commercial resupply program. Two companies, SpaceX and Orbital Sciences, which have been hauling cargo to the International Space Station in the first phase of the program, will receive contracts to fly at least six flights each to the ISS through 2024, the anticipated end-of-operations year for the space station. But Sierra Nevada has also gotten a six-flight commitment, using a cargo version of its Dream Chaser spacecraft.
