STE WILLIAMS

Remember that Citadel bank-slurping malware? Its main man was just jailed for five years

Russian programmer Mark Vartanyan has been sentenced to five years in US federal prison for developing and spreading the Citadel malware that stole $500m (£383m) from bank accounts around the world.

Citadel is a variant of the Zeus banking Trojan, the source code of which leaked online in 2011. These software nasties could infect Windows PCs to loot victims’ online cash accounts. They could also steal people’s personal info for identity thieves to exploit.

From 2012 to 2014, while living in Russia and later Norway, Vartanyan took that leaked code and improved it, building new modules with extra functions, and generally making his crimeware tougher and more resilient to antivirus. He worked with Russian fella Dimitry Belorossov (aka Rainerfox) to maintain and upgrade Citadel for nearly two years. It managed to infect roughly 11 million machines globally, and was responsible for siphoning off over $500m to organized criminals and their cohorts, prosecutors estimated.

Citadel was one of the earliest examples of malware-as-a-service available on dark-web forums. Essentially, crooks bought copies, and flung them at victims via email, drive-by downloads, and so on, directing the stolen cash into their pockets.

At its height, a copy of Citadel and its web-based control panel would have cost you $2,399, along with a $125 monthly fee for code updates. Additional features could be bought: for example, $395 would get you a service whereby the malware was checked against known antivirus signatures and adapted to escape detection.

Belorossov was arrested while on a visit to Spain, and extradited to America. In 2015, he was sentenced to four years and six months in the clink after pleading guilty to conspiracy to commit computer fraud. He’ll be out before his partner in crime, and is likely to be expelled from the US indefinitely.

Vartanyan was extradited to America from Norway in December last year, and in March he too decided to plead guilty to a single charge of conspiracy to commit computer fraud in exchange for a lighter punishment. He could have been sent down for 25 years, but for sparing taxpayers a lengthy trial, he faced a maximum sentence of ten years.

On Wednesday this week, he was thrown in the slammer by Atlanta district Judge Mark Cohen for half that. Vartanyan was given two years of credit for time spent behind bars in Norway awaiting his extradition to the US. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/citadel_malware_dev_gets_5yrs/

Bug of the week: Gnome pic parser can run evil VBScripts

Gnome developers, take a bow: a bug in your image thumbnailer opens up a (not too scary, thankfully) vector for script injection.

The problem is explained by Nils Dagsson Moskopp here, in his advice for users:

“Delete all files in /usr/share/thumbnailers. Do not use GNOME Files. Uninstall any other software that facilitates automatically executing parts of filenames as code” (emphasis added).

In other words, to create image thumbnails, Gnome Files takes filenames as an executable input – and that’s problematic.

Dagsson Moskopp uses Wine as the basis for his proof-of-concept (because you need something to execute VBScript). Quite simply, he tricks Gnome Files into creating a file called badtaste.txt – and if you can create arbitrary files, you can have all sorts of fun with a Linux environment (even if only in the current user’s context).

“Whenever an icon for a Microsoft Windows executable (EXE), installer (MSI), library (DLL), or shortcut (LNK) should be shown, Gnome Files calls /usr/bin/gnome-exe-thumbnailer to either extract an embedded icon from the file in question or deliver a fallback image for the appropriate filetype.”

He picks out this single line of code in /usr/bin/gnome-exe-thumbnailer as the culprit:

DISPLAY=NONE wine cscript.exe //E:vbs //NoLogo Z:\tmp\${TEMPFILE1##*/}.vbs 2>/dev/null

“Instead of parsing an MSI file to get its version number, this code creates a script containing the filename for which a thumbnail should be shown and executes that using Wine. The script is constructed using a template, which makes it possible to embed VBScript in a filename and trigger its execution.”

Dagsson Moskopp says developers should not use “ad-hoc parsers” to parse files, should “fully recognise inputs before processing them”, and should use unparsers.

As LANGSEC (http://langsec.org/), which he also references, puts it, the “Internet insecurity epidemic [is] a consequence of ad hoc programming of input handling at all layers of network stacks, and in other kinds of software stacks”. Try to avoid it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/bug_of_the_week_gnome_pic_parser_can_run_evil_vbscripts/

Apple hurls out patches for dozens of security holes in iOS, macOS

Apple has today released patches addressing roughly four dozen exploitable security vulnerabilities in iOS, macOS, and WatchOS.

The iOS 10.3.3 update resolves 47 flaws for the iPhone, iPad and iPod Touch, including multiple remote code execution holes in the WebKit browser engine. Fixes were also posted for the Apple Watch’s WatchOS firmware.

Of the CVE-listed flaws in the update, 23 were found in WebKit, the browser engine Apple uses for iOS and Safari. Those include 16 memory corruption errors that could be exploited for remote code execution via a malicious webpage.

One of those memory corruption bugs, CVE-2017-7055, was reported to Apple by the UK National Cyber Security Centre, a branch of the GCHQ spying nerve center. As usual, bug hunters with Google’s Project Zero were also well represented, with Ian Beer, lokihardt, and Ivan Fratric credited for discovering multiple flaws.

Other notable vulnerabilities include CVE-2017-7060, a bug in Safari Printing that allows an attacker to freeze the browser by flooding it with print dialogue boxes. Discovery of that bug was credited to Travis Kelley, with the City of Mishawaka, Indiana.

Also addressed were flaws that allow attackers to crash the Messages app (CVE-2017-7063), and bugs in the iOS Kernel that allow an application to remotely execute code or access restricted memory space.

Meanwhile, Mac users will need to update their systems as well, thanks to a fresh crop of security fixes for OS X Sierra, El Capitan, and Yosemite. Those updates include a half-dozen CVE-listed vulnerabilities in the Intel Graphics Driver that allow applications to execute arbitrary code at the kernel level and view restricted memory addresses.

Also included in the update were multiple flaws in the macOS Kernel and a flaw in the Wi-Fi protocol (CVE-2017-9417) for both iOS and OS X that allow an attacker to “execute arbitrary code on the Wi-Fi chip.” That bug, also present on the Apple Watch and Apple TV, was credited to Nitay Artenstein of Exodus Intelligence.

A separate update for the Safari browser on MacOS includes many of the WebKit fixes from the iOS update, including multiple remote code execution flaws that could be exploited via malicious webpages.

Moving on to the less-popular Apple products, the WatchOS, tvOS and Windows versions of iTunes and iCloud also received updates for vulnerabilities, including the WebKit remote code execution flaws.

In short, fire up your software update tool, download, install, reboot. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/19/apple_patches_ios_os_x_flaws/

$30 million below Parity: Ethereum wallet bug fingered in mass heist

A vulnerability in Parity’s Ethereum wallet software has been exploited by thieves to rob victims on a massive scale.

A few hours ago, Parity told its users to move their ETH holdings from their in-browser wallets to more secure accounts immediately:

The warning came after three transactions appeared on Etherscan.io, in which accounts were drained of 150,000 coins worth just over US$30 million at the current price. It’s understood a trivial programming blunder in Parity’s code allowed crooks to hijack strangers’ wallets at will.

Coindesk reports 377,000 more Ether were at risk of theft, but were drained into holding accounts by white hats. That gallant action was outlined by Kurt Knudsen on Parity’s Gitter channel:

The White Hat Group were made aware of a vulnerability in a specific version of a commonly used multisig contract. This vulnerability was trivial to execute, so they took the necessary action to drain every vulnerable multisig they could find as quickly as possible. Thank you to the greater Ethereum Community that helped find these vulnerable contracts. The White Hat account currently holding the rescued funds is [here].

Over at Reddit, the white hats promised the funds will be returned: “We will be creating another multisig for you that has the same settings as your old multisig but with the vulnerability removed and we will return your funds to you there.”

Parity’s security alert points the finger at the multi-sig contract wallet wallet.sol, and says it affected Parity 1.5 implementations or later.

On Twitter, Arkadiy Kukarkin (@parkan) identified the pull request that seems to be the problem:

One of the victims of the heist has self-identified as Swarm City. Edgeless Casino and the æternity blockchain were also hit, we’re told.

The attack comes hard on the heels of $7 million worth of Ethereum hijacked from Israeli startup CoinDash. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/us30_million_below_parity_ethereum_bug_leads_to_big_coin_heist/

Dahua cameras stung by Web interface bug

Chinese camera-maker Dahua has flicked out a patch to fix a possible remote code execution vulnerability in its Web admin interface.

The company uses a Web interface named as “Sonia”* in this CERT advisory – and there’s a stack buffer overflow to fix.

Unpatched, the advisory states, various versions of the Dahua firmware don’t validate the input data length of the password field.

That lets an attacker submit a POST command with a too-long password; “that may lead to out-of-bounds memory operations and loss of availability or remote code execution.”

The upgraded firmware is here.

Earlier this year, Dahua was pinged for letting anybody get at its cameras’ credentials via a “secret” URL, exposed to the Internet.

It was also one among the many vendors of IP cameras and video recorders to have products recruited into last year’s Mirai botnet. ®

Bootnote

* Because component bugs can flow onto many devices, El Reg usually tries to identify the source of the component. When it comes to Sonia, we confess to being uncertain about what software Dahua is using.

Ruby has a suitable class called Sonia; if, however, readers can identify a better candidate, leave a comment.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/20/dahua_cameras_stung_by_web_interface_bug/

‘AVPass’ Sneaks Malware Past Android Antivirus Apps

Researchers at Black Hat USA will release a toolset that studies and then cheats specific Android AV apps.

A team of researchers from Georgia Tech built an Android hacking tool that snuck past nearly all of 58 Android antivirus (AV) programs in tests conducted via VirusTotal.

Their AVPass toolkit includes a query function that vets and probes an Android AV program’s detection capabilities, a malware variant generator that generates multiple variations of a sample, and a data analyzer that analyzes the findings and uses that information to ultimately bypass AV apps on a mobile device.

The researchers plan to release the toolkit at Black Hat USA in Las Vegas next week during their AVPass: Leaking and Bypassing Antivirus Detection Model Automatically session there.

“AVPass is meant to make sure whatever malware you’re sending cannot be screened by antivirus,” says Max Wolotsky, a PhD student and researcher with Georgia Tech. “The entire goal of AVPass is if you scan malware on either VirusTotal or another AV program” it can’t be identified, he says.

Wolotsky and his fellow researchers from Georgia Tech – Chanil Jeon, research associate; Insu Yun, PhD student; Jinho Jung, PhD student; and Taesoo Kim, assistant professor – say their technique also could work on other platforms, and they plan to test it against Windows desktop machines.

The Python-based AVPass roots out the internal detection methods and code logic of the AV systems, information it then uses to cheat the AV system.

Of the dozens of popular and lesser-known AV programs on the free VirusTotal online scanning site, only AhnLab and WhiteArmour’s AV programs stopped AVPass in its tracks most of the time, the researchers say.

“We can’t say for sure that we can bypass the other 56 AVs 100% of the time; however, in our tests we were almost always able to do so,” Wolotsky says. On average, AVPass-generated apps were detected by AV only six percent of the time, he says.

The researchers also learned a few things about Android AV programs in their project: for one thing, the more complex an AV program’s detection rules, the stronger its ability to catch malware.

Wolotsky says AV apps can defend against an AVPass-type attack by classifying AVPass as malicious. Android AV app vendors, meanwhile, can rate-limit their AV tools and generate “null” responses so the attack can’t glean any intel about the AV program’s capabilities.

AVPass sends a series of phony malware variants to test the AV’s functions in snippets so as not to release the entire malware sample during the recon phase. With the intel in hand, it then alters the malware. “We found that most AVs commonly use a fixed number of detection rules,” Wolotsky says. “For instance, a weak AV can be bypassed only after one feature obfuscation.”

The Bigger Picture

The AVPass project is actually just one of multiple research initiatives at Georgia Tech on vulnerabilities in machine learning algorithms. These projects are studying how malicious attackers could manipulate machine learning algorithms and compromise or disrupt security analytics, search engines, customized news feeds, facial and voice recognition, and fraud detection, for example.

Wolotsky and his team’s work on AVPass began with exploring how antivirus tools classify malware, and they used VirusTotal to determine what machine-learning techniques the AV programs employ. Their ultimate goal with the project is to find ways for these AV programs to stop malware in its tracks.

AVPass is basically a proof-of-concept tool mainly aimed at developers, both app and AV, that can be used to study ways to detect variations of malware. The Georgia Tech researchers plan to conduct a live demonstration during their Black Hat talk, in which they will submit a piece of their malware to VirusTotal to show how AVPass can be used to determine how to bypass AV systems.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/avpass-sneaks-malware-past-android-antivirus-apps/d/d-id/1329410?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Myspace bug left old accounts vulnerable to attack

Think about your social media activity from a decade ago. Do you remember having a Myspace account? Even though Myspace hasn’t been popular for years, Time purchased it in 2016, and the site still gets about 50 million hits per month. If you have an old Myspace account that you haven’t cancelled, Leigh-Anne Galloway discovered a vulnerability that you must know about.

You may have heard the news last year of a major Myspace data breach that affected 360 million accounts. Myspace’s incident response was mainly to invalidate all passwords for accounts created before June 11th, 2013. Sounds good, right?

Well, when Galloway tried to delete her Myspace account this April, she discovered that it was possible to acquire access to her account without a password. All she needed to input into Myspace’s password recovery form was her full name, username, and date of birth. The form asks for an email address, but it worked when she used an email address that wasn’t registered under her account. Most web services’ password recovery systems require you to at least have access to the email address that has been registered with an account!

There was a time when tens of millions of people, including well known popstars, had active Myspace accounts. It’d be a piece of cake for me to find the full names, usernames and birth dates associated with any of them. It probably wouldn’t even be difficult for me to acquire access to a Myspace account belonging to someone who isn’t famous. I could simply cross reference their public Facebook data. I don’t use my old Facebook account, but you can easily find my full name and birth date on Twitter.

When Galloway sent a detailed email to Myspace support about the vulnerability, she got a very generic form email response.

This is an automated response to let you know we’ve received your message. Someone on our team is reviewing your question and will get back to you soon.

That was the message she received in April. As of her July 17th blog, she has yet to receive any further response. On July 17th, The Verge also reported the vulnerability Galloway discovered. They got a response from Myspace saying, “(we’ve) enhanced our process by adding an additional verification step to avoid improper access.” The previous password recovery page has been pulled, and that’s all that can be determined.

If you have accounts you no longer use, on any system, close them. For as long as you keep those accounts hanging around, they could be used against you. Even if the systems, sites and platforms are safe and secure now, there’s no guarantee that they’ll be kept that way in future, and if you don’t need an account, why take the risk?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/og-s5R6UR84/

Windows security hole – the “Orpheus’ Lyre” attack explained

Every few months, a new vulnerability comes along that gets more publicity than most.

Sometimes that’s because it’s very serious and thus creates widespread concern anyway, and sometimes that’s because it’s what we call a BWAIN – a Bug With An Impressive Name that attracts attention, often with a dedicated website and logo to go along with the catchy title. (Remember Heartbleed?)

And sometimes, to be fair, it’s a bit of both.

The latest BWAIN is an authentication bug with the very fancy name of Orpheus’ Lyre, although we’ll avoid that pesky dangling apostrophe by referring to it as OL from now on.

Amusingly, OL not only has its own website and logo, but even its own theme tune that rather annoyingly autoplays when you visit the OL website. (The theme tune is somewhat worryingly – or perhaps self-deprecatingly – called Crocodile Tears.)

OL is a security hole in a venerable network authentication system called Kerberos, probably best known because it is widely used by Windows for logon and access control.

Kerberos explained

Loosely speaking, Kerberos is what’s known as a ticket-based authentication system.

If client X wants to access server Y, for example, it doesn’t negotiate directly with server Y, but first contacts the Kerberos server and requests an “access ticket”, thus allowing the authentication process to be centralised and carefully managed.

With Kerberos, you don’t need to have tens or hundreds of servers each storing, managing and validating lists of passwords – a task that is surprisingly easy to do badly, and that can quickly lead to inconsistencies, misconfigurations and security holes.

The Kerberos concept is much like the way train tickets work: the platform barriers that open to let you get on your train don’t need to be able to accept payments, issue tickets, give change, or help you select from the options available for your chosen journey; instead, they just need to know how to validate the ticket you already bought at a ticket machine or the ticket office.

Kerberos tickets use strong cryptography so that they can’t be hacked or modified after they’ve been issued, at least in theory.

If attackers could undetectably modify some of the data fields in a security ticket, they might be able to extend the time that the ticket remained valid, pretend to be a different user, or switch the ticket to be valid on a different server – one they might not normally be allowed to access.

Repeated data in Kerberos

Unfortunately – perhaps because its design dates back to the 1980s, before cybercrime became the problem it is today – Kerberos doesn’t encrypt everything that it stores in the access tickets it generates.

Some of the data fields in a Kerberos ticket appear twice – once in plaintext form, and again in encrypted form.

There’s an acceptable reason for this redundancy: if the encryption is there not for secrecy but to prevent unauthorised modification and to preserve integrity, repeated data can be convenient.

Again, the concept is similar to the way that train tickets (in the UK, at any rate) usually have your destination and travel date printed smudgily on the front, for a fast and informal check, but also have a unique ticket number that can be used to validate the purchase more rigorously if needed.

You can see where this is going.

The researchers who found the OL vulnerability realised, in more than one widely-used implementation of Kerberos, that the programmers had been inconsistent.

There was a place where the software relied on the hackable, unencrypted server name in the access ticket, instead of looking at the tamper-protected encrypted version.

That’s a bit like an inspector on a train from central London asking to see your ticket, where the destination EALING BROADWAY is clearly printed, but nevertheless taking your word for it when you insist that the ticket is, in fact, valid all the way to EDINBURGH. (Edinburgh is up in Scotland, a destination more than 50 times further away than Ealing and perhaps 15 times more expensive to reach.)

In other words, you could tweak the server name in an existing Kerberos ticket, and the server that verified the ticket wouldn’t spot the treachery.

Fixing the bug

Here’s how a popular open source Kerberos implementation called Heimdal somewhat ungrammatically describes the surprisingly simple patch:

In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in enc_part instead of the unencrypted version stored in ticket. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks.

Without the technical jargon, this means: when you extract information from replies sent out by the Kerberos authentication server, only ever use tamper-protected data fields. Ignore any unencrypted Kerberos data – it can be modified undetectably, so you can’t trust it.

What to do?

The Windows implementation of Kerberos used to be vulnerable, but was fixed in Microsoft’s July 2017 security update under the designation CVE-2017-8495, so make sure you’ve installed the latest Windows patches.

Numerous open source implementations, such as those in various Linux distributions, in the Samba file server software, and in FreeBSD, have been patched, so apply updates to affected open source Kerberos components as soon as you can.

It’s 2017, not 1987, so if you are planning to encrypt something, try encrypting everything instead – that way, you won’t have to worry that there was something you didn’t encrypt, and you won’t accidentally end up in the same position as if you hadn’t encrypted anything.

If Kerberos had only ever stored the server name once, in encrypted form, the error that led to this vulnerability would have been impossible to make.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EsZc2onkXbc/

News in brief: moving Segway hacked; Google Glass resurrected; 308 Oracle fixes

Your daily round-up of some of the other stories in the news

Moving Segway hacked

Security researchers have discovered that Segway’s Ninebot MiniPRO, a so-called “hover board” can be hacked and controlled remotely.

The attack is made possible by two major oversights: every Ninebot MiniPRO has the same PIN code and none bothers to check the authenticity of its firmware. According to IOActive, the company that discovered the vulnerability:

Even though the rider could set a PIN, the hoverboard did not actually change its default pin … This allowed me to connect over Bluetooth while bypassing the security controls. I could also document the communications between the app and the hoverboard, since they were not encrypted.

Researchers were able to use these flaws to install their own firmware and then make merry with the hacked non-hovering not-boards: shutting them down, changing the colours of their lights, disabling safety mechanisms or just driving (not flying) them off.

It’s been understood for many years that hard-coded or default passcodes are a bad idea, but discovering that something as shiny and new as a Ninebot MiniPRO has one isn’t the surprise it should be. The ‘PRO is part of the IoT (Internet of Things), and the IoT has recently given hard-coded passwords, and many other bad old ideas, a new lease of life.

Google Glass resurrected

A year and a half after pulling the plug on Google Glass, the search giant has brought the wearable tech back from the dead. Which is rather interesting, because few seemed sad to see it go away.

Google said it’s designing an upgraded and more comfortable version of the Glass headset with a longer battery life. The revised headset, called Glass Enterprise Edition, will be targeted at industries such as healthcare and manufacturing where users can benefit from hands-free information as they work.

Jay Kothari, lead of the Glass project at Google, told the UK Telegraph:

Glass, as you might remember, is a very small, lightweight wearable computer with a transparent display that brings information into your line of sight … In a work setting, you can clip it onto glasses or industry frames like safety goggles so you don’t have to switch focus between what you’re doing with your hands and the content you need to see to do your job.

In its previous four-year existence, Google Glass received a fair amount of ridicule. In some cases, people took their disdain too far. In 2014, for example, Sarah Slocum, a social media consultant, posted about being attacked in a bar called Molotov in San Francisco, over her face contraption.

Oracle releases its largest Critical Patch Update yet

Oracle’s critical patch update for July comes with a mammoth 308 bug fixes, reports SC Magazine.

Updates cover vulnerabilities across more than 90 Oracle products, including Oracle Enterprise Manager, Oracle Hyperion, Oracle E-Business Suite, Oracle Fusion Middleware and Oracle Java SE and products used by retail and financial organisations.

But it was Oracle’s Hospitality Applications that received the most updates, with 48 patches, 11 of which are “remotely exploitable without authentication”.

In its Critical Patch Update Advisory, the company explains that, though it has previously released the patches, it still receives reports of efforts to exploit security holes and, as such, urges customers to apply these latest fixes “without delay”.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KMRbVSNGNXg/

Solaris, Java have vulns that let users run riot

Oracle’s emitted its quarterly patch dump. As usual it’s a whopper, with 308 security fixes to consider.

Oracle uses the ten-point Common Vulnerability Scoring System Version 3.0, on which critical bugs score 9.0 or above. The Register counts 30 such bugs in this release.

Not all can be laid at Oracle’s door. For example, a glibc glitch is hardly Oracle’s fault. Nor are the Apache Tomcat and Struts bugs that MySQL users need to squash.

But a few others are Big Red boo-boos, such as CVE-2017-3632, a mess that means a remote user can exploit a flaw in the Solaris CDE Calendar component to gain elevated privileges. Lesser Solaris bugs allow DDOSing and unauthorised data alterations.

Java SE has 10 critical flaws, nine of them rated 9.6. Most allow remote users to do things you’d rather they couldn’t. Oracle says 28 of 32 Java vulnerabilities “may be remotely exploitable without authentication”.

Oracle Retail Customer Insights and Oracle WebLogic also have critical vulns, the latter the only product to earn a perfect 10.0 severity rating for CVE-2017-10137 which allows a remote user to obtain elevated privileges.

We could go on and explore the other 278 patches rated 8.9 or lower, but by now you get the idea: there’s something terrifying for almost every Oracle user, because even a bug rated a wimpy 5.3, such as CVE-2017-10244 discovered by Onapsis, allows “attackers to exfiltrate sensitive business data without requiring a valid user account” in Oracle E-Business Suite.

Next steps? View Oracle’s list here then use your Oracle login to get more details here before figuring out what can be fixed now, what can wait for your next scheduled change window and what needs a new change window scheduled ASAP. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/07/19/oracle_critical_patch_update_advisory_july_2017/