Items tagged with Zero-Day

Until the web at large adopts the open HTML5 <video> tag, there will still be some sites that continue to use Adobe's proprietary Flash Player runtime. Assuming you have the Flash Player installed, either on your Windows box or Mac machine, be advised that there's a "critical" vulnerability affecting both platforms. "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe stated in a Security Advisory. "We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against... Read more...
We're coming up on the second Tuesday of the month, which is when Microsoft rolls out a collection of security updates for Windows and Internet Explorer. Otherwise known as "Patch Tuesday," the one that's coming up tomorrow will be relatively light compared to previous ones as it contains only five security bulletins, however two of them are deemed Critical and three Important, and several of them require a restart. The first Bulletin addresses a zero-day vulnerability affecting IE versions 9 and 10, along with other security fixes for IE versions 6 through 11. This one is deemed Critical because... Read more...
Google security researchers learn about exploits and zero-day vulnerabilities in third-party software all the time, and for years the company has immediately notified the affected vendors about the issues, worked with them closely to fix the problems, and both notified the public within 60 days of discovering the vulnerabilities and also encouraged vendors to issue patches within that same time frame. Now, Google is shortening that timeline a good bit--to just 7 days. “Based on our experience...we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities... Read more...
Is there a world record for number of software vulnerabilities exposed within the span of a single month? If so, I'm willing to bet that Oracle's Java is the clear winner. We've reported on many Java happenings over the past couple of months, and it doesn't look like the fun is going to end anytime soon. Security firm FireEye is responsible for the latest finding, noting that this zero-day exploit has been successfully executed using Java 1.6 update 41 and the most recent 1.7 update 15. It takes advantage of a vulnerability that might allow someone to overwrite bits of data Java has stored in the... Read more...
Another day, another Adobe Reader vulnerability -- what else is new, right? It just so happens that this latest security hole affects several versions of Adobe Reader, including 10 and 11, both of which are supposed to keep the operating system isolated from attacks through sandbox technology. No dice. "Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh," Adobe stated in a security bulletin. "These vulnerabilities could cause the application to crash... Read more...
Consider this a PSA: Oracle is going to patch that hole in Java, the one that security pros discovered last week. Cybercriminals were using a zero-day exploit in Oracle’s Java to deliver malware payloads, steal identities, and take over computers to force them to commit nefarious acts. According to Reuters, Oracle said that “A fix will be available shortly”, which of course begs the question of what “shortly” means, exactly. In an hour? A week? A month? In any case, the exploit apparently only affects Java 7, so users with older versions of the software can breathe... Read more...
Here we go again. We're not even halfway through the first month of the New Year, and already we're being warned to disable Java. Not as a general practice, mind you (though that's not a bad idea), but because of yet another zero-day exploit spotted in the wild "There appears to be multiple ad networks redirecting to Blackhole sites, amplifying the mass exploitation problem. We have seen ads from legitimate sites, especially in the UK, Brazil, and Russia, redirecting to domains hosting the current Blackhole implementation delivering the Java  zero-day. These sites include weather sites, news... Read more...