Items tagged with Zero-Day

A vulnerability researcher at Google is giving props to Microsoft for issuing a quick fix to what he described as a "crazy bad" remote code exploit in the company's malware protection engine. He also said it was the worst of its kind in recent memory, and that is because prior to the patch, a remote attacker could gain full control of a PC simply by sending a malicious email. The recipient needn't even open the communication for this nasty zero-day bug to work. "The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially... Read more...
As always, be wary of opening email attachments, especially from untrusted sources. Security outfits FireEye and McAfee have both observed malicious Microsoft Office RTF documents in the wild that are exploiting a zero-day vulnerability in Microsoft Windows and Office that has not yet been patched. The samples observed are organized as RTF files with the .doc extension and appear as Word files. The vulnerability allows an attacker to execute a malicious Visual Basic script when the user opens the document containing an embedded exploit. FireEye says it has seen several Office documents exploiting... Read more...
When WikiLeaks revealed the Central Intelligence Agency’s (CIA’s) hacking arsenal to the world, it was made clear that the agency is capable of snooping on Samsung Smart TVs thanks to various security exploits. However, it’s not just Samsung Smart TVs that are susceptible, a new report suggests that a number of Samsung devices running the Tizen OS are at risk due to unpatched exploits. Tizen is Samsung’s homegrown operating system that can be found on its low-end smartphones, smartwatches and of course smart TVs. Like Android, it’s based on the Linux kernel. However, unlike Android, it isn’t nearly... Read more...
  Newer versions of Windows, including Windows 10 are vulnerable right now to a new Server Message Block (SMB) zero-day exploit that has been shown as a proof-of-concept. The vulnerability was first demonstrated by @PythonResponder and requires a user to connect to a SMBv3 server for a successful attack. Given the severity of the exploit, the U.S. Computer Emergency Readiness Team (US-CERT) has already published an emergency advisory, officially labeling it VU#867968. US-CERT describes the memory corruption vulnerability in detail, noting: Microsoft Windows fails to properly handle traffic... Read more...
Microsoft has often said that Windows 10 offers the best security features and malware protection of any Windows OS to date. In case anyone doubts that claim, the Redmond outfit explained how Windows 10 with the Anniversary Update installed was able to thwart a pair of potentially dangerous zero-day exploits months before it had released a patch that dealt with them directly. The Anniversary Update that rolled out in August introduced a bunch of security upgrades to Windows 10, including improvements to Windows Defender. Many of the upgrades are intended to help Windows 10 identify and neutralize... Read more...
Once again Google and Microsoft are at odds over the former's decision to disclose a zero-day vulnerability affecting the latter's Windows operating system. Google alerted both Adobe and Microsoft on October 21, 2016, of previously disclosed security flaws it discovered and in the time that has passed Adobe has issued patch (CVE-2016-7855) and Microsoft has not. Google's policy on zero-day and other critical vulnerabilities it believes are being actively exploited in the wild is to give software makers seven days to issue a patch or advisory. Once that time period elapses, Google discloses the... Read more...
Adobe recently published a security advisory APSA16-03, which details a vulnerability in Adobe Flash Player version 21.0.0.242 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. This comes after a patch for a zero day exploit was released in early April. Adobe believes the attackers are a group called “ScarCruft”. ScarCruft is a relatively recently APT group that has launched attacks in countries such as Russia, Nepal, South Korea, China, India, Kuwait, and Romania. The group recently has taken advantage of two Adobe Flash and one Microsoft Internet Explorer exploits. ScarCruft... Read more...
In the "vast majority of cases," when the U.S. government is made aware of a software vulnerability, it discloses that information to the vendor so that it can issue a patch to the public. What constitutes a "vast majority?" Nine times out of 10, or 91 percent of the time, according to the U.S. National Security Agency's own books. What about the other 9 percent of the time? The zero-day threats the NSA doesn't disclose are those that the vendors fixed before they were notified or, simply put, don't get disclosed in the interest of national security. "The National Security Council has an interagency... Read more...
Until the web at large adopts the open HTML5 <video> tag, there will still be some sites that continue to use Adobe's proprietary Flash Player runtime. Assuming you have the Flash Player installed, either on your Windows box or Mac machine, be advised that there's a "critical" vulnerability affecting both platforms. "Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system," Adobe stated in a Security Advisory. "We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against... Read more...
We're coming up on the second Tuesday of the month, which is when Microsoft rolls out a collection of security updates for Windows and Internet Explorer. Otherwise known as "Patch Tuesday," the one that's coming up tomorrow will be relatively light compared to previous ones as it contains only five security bulletins, however two of them are deemed Critical and three Important, and several of them require a restart. The first Bulletin addresses a zero-day vulnerability affecting IE versions 9 and 10, along with other security fixes for IE versions 6 through 11. This one is deemed Critical because... Read more...
Google security researchers learn about exploits and zero-day vulnerabilities in third-party software all the time, and for years the company has immediately notified the affected vendors about the issues, worked with them closely to fix the problems, and both notified the public within 60 days of discovering the vulnerabilities and also encouraged vendors to issue patches within that same time frame. Now, Google is shortening that timeline a good bit--to just 7 days. “Based on our experience...we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities... Read more...
Is there a world record for number of software vulnerabilities exposed within the span of a single month? If so, I'm willing to bet that Oracle's Java is the clear winner. We've reported on many Java happenings over the past couple of months, and it doesn't look like the fun is going to end anytime soon. Security firm FireEye is responsible for the latest finding, noting that this zero-day exploit has been successfully executed using Java 1.6 update 41 and the most recent 1.7 update 15. It takes advantage of a vulnerability that might allow someone to overwrite bits of data Java has stored in the... Read more...
Another day, another Adobe Reader vulnerability -- what else is new, right? It just so happens that this latest security hole affects several versions of Adobe Reader, including 10 and 11, both of which are supposed to keep the operating system isolated from attacks through sandbox technology. No dice. "Adobe has identified critical vulnerabilities (CVE-2013-0640, CVE-2013-0641) in Adobe Reader and Acrobat XI (11.0.01 and earlier), X (10.1.5 and earlier) and 9.5.3 and earlier for Windows and Macintosh," Adobe stated in a security bulletin. "These vulnerabilities could cause the application to crash... Read more...
Consider this a PSA: Oracle is going to patch that hole in Java, the one that security pros discovered last week. Cybercriminals were using a zero-day exploit in Oracle’s Java to deliver malware payloads, steal identities, and take over computers to force them to commit nefarious acts. According to Reuters, Oracle said that “A fix will be available shortly”, which of course begs the question of what “shortly” means, exactly. In an hour? A week? A month? In any case, the exploit apparently only affects Java 7, so users with older versions of the software can breathe... Read more...
1 2 Next