Showing results for tags 'zero-day'.

Found 20 results

  1. Google patches Chrome zero-day vulnerability currently being exploited

     Google has released an update for Chrome that patches three security bugs, one of which is a zero-day vulnerability that is currently being exploited. The vulnerability, tracked as CVE-2020-6418, was discovered by Clement Lecigne, a member of Google's Threat Analysis Group, on February 18. While it is known that the vulnerability is being exploited in the wild, information on how it is being used is not yet public.

     The vulnerability has been patched in Chrome version 80.0.3987.122. The update is rolling out to all Windows, Mac, and Linux users. However, it is not known when an update with the patch will reach the mobile versions of the browser.

     As for the vulnerability itself, it is described as a 'type confusion in V8'. V8 is the Chrome component responsible for processing JavaScript code. Type confusion is a logic bug that occurs when a program accesses a resource using an incompatible type, leading to further logic errors. When exploited, the vulnerability can allow attackers to run unrestricted code in the affected application.

     The search giant patched Chrome's first zero-day vulnerability back in March 2019, when it disclosed the security risk along with a vulnerability in Windows 7.

     Since the patch fixes a zero-day that is currently being exploited in the wild, users should update their browsers to the latest version (80.0.3987.122). You can download the update using the offline installer here, or go to the three-dot menu in Chrome > Help > About Google Chrome and force the update.

     Source: Clement Lecigne (Twitter) via ZDNet
     Source: Google patches Chrome zero-day vulnerability currently being exploited (Neowin)
  2. IE zero-day under active attack gets emergency patch

     Denial-of-service flaw in Microsoft Defender also gets unscheduled fix.

     Microsoft has released two unscheduled security updates, one of which patches a critical Internet Explorer vulnerability that attackers are actively exploiting in the wild. The IE vulnerability, tracked as CVE-2019-1367, is a remote code execution flaw in the way Microsoft's scripting engine handles objects in memory in IE. The vulnerability was found by Clément Lecigne of Google's Threat Analysis Group, the same group that recently detected an advanced hacking campaign targeting iPhone users. Researchers from security firm Volexity later said the attackers behind that campaign also targeted users of Windows and Android devices. It's not clear if the IE vulnerability Microsoft is fixing now has any connection to that campaign.

     Monday's advisory said attackers could exploit the vulnerability by luring targets into visiting a booby-trapped website with IE. Microsoft officials wrote:

     The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user... An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

     The advisory said the vulnerability is being actively exploited in the wild, but it didn't elaborate on the attacks. The vulnerability affects IE versions 9, 10, and 11. IE has fallen out of favor since the release of Edge, which researchers widely agree is more resistant to hacking attacks. IE users who can switch to the latest version of Edge should do so.

     IE users who are unable to change browsers should install Monday's out-of-band update immediately. Updates should be available automatically. Those for Windows 10 are also available here.

     Separately, Microsoft released an additional unscheduled update on Monday to fix a denial-of-service vulnerability in the Microsoft Defender antimalware engine. Formerly known as Windows Defender, the antivirus service ships with Windows 8 and later versions. An advisory Microsoft published Monday said attackers could exploit the flaw to "prevent legitimate accounts from executing legitimate system binaries." Based on the wording of the advisory, the requirements for exploiting the vulnerability are high. For a DoS to be successful, the advisory said, "an attacker would first require execution on the victim system." The advisory said there are no indications the flaw is being actively exploited. Indexed as CVE-2019-1255, the vulnerability was privately reported to Microsoft by Charalampos Billinis of F-Secure Countercept and Wenxu Wu of Tencent Security Xuanwu Lab. The fix should be delivered automatically through the Microsoft Malware Protection Engine within the next 48 hours.

     Source: IE zero-day under active attack gets emergency patch (Ars Technica)
  3. Study: Majority of zero-day vulnerabilities now failed against Windows 10

     Microsoft has shown that its latest operating system is the safest around, with only 40% of all Windows zero-days since 2015 successfully exploited against the latest Windows versions.

     Matt Miller, a security engineer with the Microsoft Security Response Centre, analysed zero-day exploitation attempts between 2015 and 2019. Back in February, Miller gave a talk at the BlueHat Israel security conference in which he showed that Windows vulnerabilities are mostly exploited before a patch is released or when a patch fails months later. Thanks to Control Flow Guard and Device Guard, among other security systems, users with an up-to-date OS are mostly safeguarded. In two out of three cases, the zero-days didn't work against recent versions of Windows because of the mitigations added to the OS.

     Additionally, his findings show that 70% of all security bugs addressed by Microsoft in the past 12 years were memory-management issues. Miller's MSRC colleagues are currently exploring Rust as an alternative to C and C++; the language's safety features could reduce the number of memory-related bugs.

     With these statistics in mind, it seems that attackers are better off keeping zero-day attacks to older Windows versions.

     Source: Study: Majority of zero-day vulnerabilities now failed against Windows 10 (MSPoweruser)
  4. Oracle has recently addressed a critical vulnerability affecting its WebLogic servers. Users must ensure they update their systems quickly, as this WebLogic zero-day bug is presently under active exploitation. The bug, when exploited, can allow an attacker to hijack users' systems.

     Actively Exploited WebLogic Zero-Day Bug

     Reportedly, a critical WebLogic zero-day vulnerability has posed a threat to users' online security. This bug can allow an attacker to take control of the target devices and execute code remotely. As stated in Oracle's advisory:

     This Security Alert addresses CVE-2019-2729, a deserialization vulnerability via XMLDecoder in Oracle WebLogic Server Web Services. This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

     This vulnerability, CVE-2019-2729, has earned a critical severity level, with a CVSS base score of 9.8. According to a study by the KnownSec 404 Team, this vulnerability is presently being exploited in the wild. While they considered this vulnerability a bypass of the patch for a previously known bug (CVE-2019-2725), Oracle clarified that the recent vulnerability is unrelated to it. In a blog post, John Heimann, VP Security Program Management, clarified:

     Please note that while the issue addressed by this alert is a deserialization vulnerability, like that addressed in Security Alert CVE-2019-2725, it is a distinct vulnerability.

     Oracle Released A Fix

     A number of researchers reported the new WebLogic zero-day vulnerability to Oracle. The bug allegedly affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, and 12.2.1.3.0. Consequently, the vendor patched the bug and released the fix. Because of the severity of the vulnerability and the active exploitation, Oracle recommends that users update their respective systems quickly:

     Due to the severity of this vulnerability, Oracle recommends that this Security Alert be applied as soon as possible.

     The KnownSec 404 Team also recommended some temporary workarounds to mitigate the flaw:

     Scenario 1: Find and delete wls9_async_response.war and wls-wsat.war, then restart the WebLogic service.
     Scenario 2: Restrict URL access to the /_async/* and /wls-wsat/* paths through access policy controls.

     Source
  5. Mozilla has released a second security update this week to patch a second zero-day that was being exploited in the wild to attack Coinbase employees and other cryptocurrency organizations. Firefox 67.0.4 and Firefox ESR 60.7.2 are now available to Firefox users through the browser's built-in update mechanism. This second bug was used together with another one that Mozilla patched two days ago through the release of Firefox 67.0.3 and Firefox ESR 60.7.1.

     The two zero-days

     The first one was described as a "remote code execution" vulnerability that allowed remote attackers to run malicious code inside Firefox's native process. The bug (CVE-2019-11707) was discovered on April 15 by a Google Project Zero researcher and reported to Mozilla, which only patched it this week after the Coinbase security team reported attacks exploiting the vulnerability together with a second zero-day (CVE-2019-11708). This second zero-day, which Mozilla described as a "sandbox escape," allowed malicious threat actors to escape from the Firefox protected process and execute code on the underlying operating system. When combined, the two bugs provide a quick avenue for running malicious code from within a website on a visiting user's computer.

     The two zero-days used in the same attacks

     As ZDNet broke the news earlier today, these two zero-days were being used by an unknown hacking group in attempts to infect Coinbase staff. Coinbase employees would receive spear-phishing emails containing links to malicious sites. If they clicked the links and visited the sites using Firefox, the page would download and run an info-stealer on their systems that would collect and exfiltrate browser passwords and other data. The attacks were tailored for both Mac and Windows users, with different malware strains delivered for each OS.

     The attacks had been going on for weeks before being detected, and Coinbase said they also targeted other cryptocurrency organizations, not just its own employees.

     The Firefox bugfix for the second zero-day is expected to land in the Tor Browser in the coming days. Today, the Tor Browser team updated to version 8.5.2, which includes the fix for the first zero-day.

     Source
  6. Mozilla releases Firefox 67.0.3 to fix actively exploited zero-day

     The Mozilla team released version 67.0.3 of the Firefox browser earlier today to address a critical vulnerability that is currently being abused in the wild.

     "A type confusion vulnerability can occur when manipulating JavaScript objects due to issues in Array.pop," Mozilla engineers wrote in a security advisory posted today. "This can allow for an exploitable crash," they added. "We are aware of targeted attacks in the wild abusing this flaw."

     Samuel Groß, a security researcher with the Google Project Zero team, and the Coinbase Security team were credited with discovering the Firefox zero-day, tracked as CVE-2019-11707. Outside of the short description posted on the Mozilla site, there are no other details about this security flaw or the ongoing attacks. Based on who reported the security flaw, we can safely assume it was being exploited in attacks aimed at cryptocurrency owners. Groß did not respond to a request for comment from ZDNet seeking additional details about the attacks.

     Firefox zero-days are quite rare. The last time the Mozilla team patched a Firefox zero-day was in December 2016, when they fixed a security flaw that was being abused at the time to expose and de-anonymize users of the privacy-first Tor Browser. Fellow browser maker Google patched a zero-day in its browser in March this year. That zero-day was being used together with a Windows 7 zero-day as part of a complex exploit chain.

     Source
  7. Internet Explorer zero-day lets hackers steal files from Windows PCs

     Microsoft refused to patch the issue, so the security researcher released exploit code online.

     A security researcher has published details and proof-of-concept code today for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems. The vulnerability resides in the way Internet Explorer processes MHT files. MHT stands for MHTML Web Archive and is the default format in which all IE browsers save web pages when a user hits the CTRL+S (Save web page) command. Modern browsers no longer save web pages in MHT format and use the standard HTML file format instead; however, many modern browsers still support processing the format.

     AN XXE IN IE 11

     Today, security researcher John Page published details about an XXE (XML External Entity) vulnerability in IE that can be exploited when a user opens an MHT file. "This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information," Page said. "Example, a request for 'c:\Python27\NEWS.txt' can return version information for that program."

     Because on Windows all MHT files are set to open in Internet Explorer by default, exploiting this vulnerability is trivial, as users only need to double-click a file they received via email, instant messaging, or another vector.

     Page said the vulnerable code relies on how Internet Explorer handles the CTRL+K (duplicate tab), "Print Preview," or "Print" user commands. This normally requires some user interaction, but Page said this interaction could be automated and is not needed to trigger the exploit chain. "A simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage," he said. Furthermore, Internet Explorer's security alert system can also be disabled.

     "Typically, when instantiating ActiveX Objects like 'Microsoft.XMLHTTP' users will get a security warning bar in IE and be prompted to activate blocked content," the researcher said. "However, when opening a specially crafted .MHT file using malicious < xml > markup tags the user will get no such active content or security bar warnings."

     EXPLOIT WORKS ON WINDOWS 7, 10, SERVER 2012 R2

     Page said he successfully tested the exploit in the latest Internet Explorer v11 with all recent security patches on Windows 7, Windows 10, and Windows Server 2012 R2 systems.

     Probably the only good news about this vulnerability disclosure is that Internet Explorer's once-dominant market share has now shrunk to a meager 7.34 percent, according to NetMarketShare, meaning the browser is seldom used. But because Windows uses IE as the default app to open MHT files, users don't need to have IE set as their default browser to be affected; they remain vulnerable as long as IE is still present on their systems and they're tricked into opening an MHT file.

     MICROSOFT WAS NOTIFIED BUT DECLINED TO PATCH

     Page said he notified Microsoft about this new IE vulnerability on March 27, but the vendor declined to consider the bug for an urgent security fix in a message sent to the researcher yesterday, April 10. "We determined that a fix for this issue will be considered in a future version of this product or service," Microsoft said, according to Page. "At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."

     Following Microsoft's firm response, the researcher released details about the zero-day on his site, along with proof-of-concept code and a YouTube demo.

     This vulnerability should not be taken lightly, despite Microsoft's response. Cybercrime groups have exploited MHT files for spear-phishing and malware distribution in previous years, and MHT files have been a popular way to package and deliver exploits to users' computers. Because they can store malicious code, all MHT files should always be scanned before opening, regardless of whether the file was recently received or has been sitting on your PC for months.

     Source
  8. Updated: Google is preparing a patch for late April 2019. Some of the suspicious PDF files exploiting this bug don't appear to be malicious in nature.

     A security firm said this week that it discovered PDF documents exploiting a Google Chrome browser zero-day. The vulnerability allowed attackers to collect data from users who opened PDF files inside Chrome's built-in PDF viewer.

     Exploit detection service EdgeSpot, the company that found the files, says the PDF documents would contact a remote domain with information on the user's device, such as IP address, OS version, Chrome version, and the path of the PDF file on the user's computer. This phone-home behavior did not take place when researchers opened the same PDF files in desktop PDF viewer apps, such as Adobe Reader and others, but was limited to Chrome only.

     The company said it spotted two distinct sets of malicious PDF files exploiting this Chrome bug, with one series of files circulated circa October 2017 and the second set in September 2018. The first batch of malicious PDF files sent user data back to the "readnotify.com" domain, while the second sent it to "zuxjk0dftoamimorjl9dfhr44vap3fr7ovgi76w.burpcollaborator.net," researchers said.

     There was no additional malicious code in the PDF files that EdgeSpot discovered. However, collecting data on users who open a PDF file can help attackers fine-tune future attacks and exploits.

     But in a conversation with ZDNet after the publication of this story, Mac malware security expert Patrick Wardle explained that the first batch of files that EdgeSpot detected weren't meant to be malicious in nature, despite exploiting the Chrome bug. He said they were assembled using ReadNotify's PDF tracking service, which lets users track when someone views their PDF files, a service that has been around since 2010. "What the researchers 'uncovered' is just a document tagged by ReadNotify," Wardle told us, "but yes, Chrome should alert the user."

     There is no information available on the second set of PDF files (the ones circulated in September 2018) and their nature: whether they were assembled by a threat actor, are just tests, or were generated for benign user tracking purposes.

     For its part, EdgeSpot said it notified Google over the Christmas holiday last year, when it first discovered the documents. The Chrome team acknowledged the zero-day and promised a fix for late April. "We decided to release our finding prior to the patch because we think it's better to give the affected users a chance to be informed/alerted of the potential risk, since the active exploits/samples are in the wild while the patch is not near away," researchers said in a blog post yesterday. The blog post also contains samples and indicators of compromise (IOCs) for the PDF files the company discovered.

     Until a patch is out, EdgeSpot recommends that users either use a desktop app to view PDF files or disable their internet connection while they open PDF documents in Chrome.

     In unrelated research, but also connected to the world of PDF documents, security researchers revealed earlier this week vulnerabilities that allowed them to fake signatures on 21 of 22 desktop PDF viewer apps and 5 out of 7 online PDF digital signing services.

     Article updated with Wardle's analysis.

     Source
  9. Details are about to emerge about a zero-day remote code execution vulnerability in the Microsoft Edge web browser, as two researchers plan to reveal a proof-of-concept and publish a general write-up. Microsoft has not been told the details of this vulnerability.

     A tweet on November 1 announced that Microsoft Edge had been compromised once more. The proof was an image of the web browser that appeared to launch the popular Windows Calculator app. Exploit developer Yushi Liang informed his followers that the objective was to escape the browser sandbox and that he had teamed up with Alexander Kochkov to work on achieving it. The efforts of the two experts were hampered by a "crash bug in the text editor" Liang was using to write the exploit code.

     In a conversation with BleepingComputer, Liang said that they were focusing on developing a stable exploit and attaining a full sandbox escape. The duo was also looking for a method to escalate execution privileges to SYSTEM, which would be the equivalent of taking complete control of the machine. The expert found the zero-day bug with the help of the Wadi Fuzzer utility from SensePost. He told us that he has already created the PoC code (demo available below) that validated his findings.

     Payouts for an Edge RCE exploit

     The market for 0days is robust, and there are plenty of exploit brokers ready to offer attractive compensation to developers of fresh penetration code targeting web browsers. Zerodium pays $50,000 for a remote code execution (RCE) 0day exploit in Edge and doubles the payout when a sandbox escape is achieved. Coseinc's Pwnorama payout program offers up to $30,000 for a previously undisclosed RCE exploit in Microsoft's browser and increases the reward up to $80,000 if it is accompanied by local privilege escalation.

     Vulnerability brokers are not the only ones offering juicy payouts for exploits. At this year's edition of the Pwn2Own computer hacking contest, Trend Micro's Zero Day Initiative program offered $60,000 for a sandbox escape exploit for Microsoft Edge.

     Liang's web browser exploits

     Zero-days in web browsers seem to have captured Liang's focus lately, as the developer recently wrote an exploit chain that achieved RCE on Firefox by taking advantage of three bugs. The developer said that this proved to be a difficult task to wrap up because of a third bug that required more work to obtain the coveted result. In another recent project, Liang set his sights on the Chromium browser, where he was able to achieve code execution without a sandbox escape, a task he relayed to a friend of his.

     To show that his PoC works, Liang shared with BleepingComputer the video below. To add a fun twist, the developer made Edge launch Mozilla Firefox and load the download page for Google Chrome:

     Source
  10. The unpatched flaw allows an attacker to delete any kind of file on a victim machine, including system data.

     A proof-of-concept exploit for a Windows zero-day that works on fully patched Windows 10 machines has been released by a security researcher. It allows an attacker to delete any kind of file on a victim machine, including system data.

     The flaw (no CVE has been assigned, since it was only exposed on Wednesday) is an elevation-of-privilege zero-day vulnerability in Microsoft's Data Sharing Service (dssvc.dll). This is a local service that runs as a LocalSystem account with extensive privileges and enables data to be brokered between applications.

     According to SandboxEscaper, who released the PoC, the bug allows an adversary to delete application libraries (DLL files), which means that the affected applications will then go looking for their libraries elsewhere. If an application finds its way to a user-writeable location, it gives an attacker an opportunity to upload his or her own malicious library, resulting in machine compromise.

     "This could be exploited to facilitate lateral movement within an organization or even potentially destructive purposes – such as deletion of key system files, rendering a system inoperable," Tom Parsons, head of research at Tenable, said in an emailed breakdown.

     To the latter point, in the PoC, a program that SandboxEscaper dubbed "Deletebug.exe" deletes a system file, pci.sys, on the target computer, which means a user can no longer restart it. The machine is rendered unbootable.

     Will Dormann, vulnerability analyst at CERT/CC, and 0patch's Mitja Kolsek both confirmed the vulnerability and were able to exploit it on fully patched and updated Windows 10 machines. Via Twitter, Dormann added that the Data Sharing Service does not seem to be present on Windows 8.1 and earlier systems.

     Researcher Kevin Beaumont confirmed the exploit as working on "Windows 10 and Server 2016 (and 2019) only." He added that it "allows non-admins to delete any file by abusing a new Windows service not checking permissions again."

     "It reportedly affects the very latest versions of Microsoft operating systems and not older ones, so users may have wrongly assumed they were more secure," said Parsons. "In addition, given that it affects both server and client operating systems, and with Windows 10 the second-most prevalent MS desktop/client OS after Windows 7, will also make this attractive to attackers."

     However, don't expect a raft of attacks incorporating the exploit just yet: SandboxEscaper describes the bug as "low-quality" and a "pain to exploit." Tenable's Parsons elaborated: "To put the threat into perspective, an attacker would already need access to the system or to combine it with a remote exploit to leverage the vulnerability," he said. Beaumont also weighed in on the exploitability, noting that meaningful exploitation would take some doing:

     While Microsoft has not yet commented on the bug, 0patch has released a micropatch for the flaw, which it said "successfully blocks the exploit by adding impersonation to the DeleteFileW call… the Delete operation now gets an "ACCESS DENIED" due to impersonation."

     Source
  11. The same day Apple released its latest macOS Mojave operating system, a security researcher demonstrated a potential way to bypass new privacy protections in macOS and access sensitive user data using just a few lines of code.

     On Monday, Apple started rolling out its new macOS Mojave 10.14 operating system update to its users. It includes a number of new privacy and security controls, including authorization prompts. Mojave 10.14 now pops up authorization prompts that require direct and real user interaction before any unprivileged third-party application can tap into users' sensitive information, such as address books, location data, message archives, Mail, and photos.

     Patrick Wardle, an ex-NSA hacker and now chief research officer at Digita Security, discovered a zero-day flaw that could allow an attacker to bypass the authorization prompts and access users' personal information using an unprivileged app.

     Wardle tweeted a video Monday showing how he was able to bypass the permission requirements on a dark-themed Mojave system by running just a few lines of code simulating a malicious app called "breakMojave," which allowed him to access the address book and copy it to the macOS desktop. However, Wardle goes on to say that not just Mojave's Dark Mode but all modes are affected by the privacy bypass vulnerability.

     The privacy bypass flaw in Mojave is concerning because of how simply it lets personal data be pilfered, with no permissions required. It should be noted that the flaw does not work against all of the new privacy protection features implemented by Apple in macOS Mojave; hardware-based components, like the webcam and microphone, are not affected.

     Since there is no public macOS bounty program to report vulnerabilities to, Wardle said on Twitter that he's still looking for a way to report the flaw to Apple. Wardle has not released details beyond the proof-of-concept video, and will not until the company patches the issue, in order to prevent abuse. Until then, Mojave users are advised to be cautious about what apps they run. Wardle is set to release more technical details of the vulnerability at his upcoming Mac security conference in November.

     Last month, Wardle publicly disclosed a different macOS zero-day flaw that could allow a malicious application installed on a targeted Mac system running Apple's High Sierra operating system to virtually "click" objects without any user interaction or consent, leading to full system compromise.

     Source
  12. The security flaw, an out-of-bounds (OOB) write in the JET Database Engine that could be exploited for remote code execution, was reported to the vendor in early May. ZDI disclosed the issue publicly because 120 days had passed since it notified the vendor and a patch still hadn't been released.

     The bug resides in the way indexes are managed in JET. Crafted data in a database file can trigger a write past the end of an allocated buffer, and an attacker could exploit this to execute code in the context of the current process. Exploitation, however, requires user interaction. Although the bug is not considered critical, attackers could use social engineering to trick users into opening malicious files capable of triggering the exploit.

     Now, 0patch, a community project focused on resolving software vulnerabilities by delivering tiny fixes to users worldwide, says it was able to devise a patch for the bug less than a day after ZDI went public with its findings.

     In a blog post detailing the fix, ACROS Security CEO Mitja Kolsek explains that, with JET only working on 32-bit systems, the proof-of-concept (PoC) code provided by ZDI would produce an error message on 64-bit systems unless launched with wscript.exe. Because it attempts to write past the allocated memory block, the PoC causes a crash in wscript.exe, and this is where the security researchers started when building their patch.

     Kolsek notes that a micropatch was ready for Windows 7 only 7 hours after ZDI had published its PoC and that the fix would work on all platform iterations sharing the exact same version of msrd3x40.dll as Windows 7. Windows 10, however, has a slightly different msrd3x40.dll, and the security researchers had to make a small tweak to the initial micropatch to address the issue on that platform as well. According to Kolsek, they used the exact same source code, just a different file hash.

     "These two micropatches for a published 0day were then issued less than 24 hours after the 0day was dropped, and distributed to our users' computers within 60 minutes, where they were automatically applied to any running process with vulnerable msrd3x40.dll loaded. Which nicely demonstrates the speed, simplicity and user-friendliness of micropatching when it comes to fixing vulnerabilities," Kolsek notes.

     The patches are free for everyone. Users interested in getting them only need to install and register the 0patch Agent. Even with these micropatches, however, users are still advised to install Microsoft's official fixes once they arrive.

     Source
  13. A company that sells exploits to government agencies drops Tor Browser zero-day on Twitter after recent Tor Browser update renders exploit less valuable.

Zerodium, a company that buys and sells vulnerabilities in popular software, has published details today on Twitter about a zero-day vulnerability in the Tor Browser, a Firefox-based browser used by privacy-conscious users for navigating the web through the anonymity provided by the Tor network.

In a tweet, Zerodium said the vulnerability is a full bypass of the "Safest" security level of the NoScript extension that's included by default with all Tor Browser distributions. NoScript is a browser extension that uses a whitelist approach to let the user decide from what domains the browser can execute JavaScript, Flash, Java, or Silverlight content. It is included with all Tor Browser distributions because it provides an extra layer of security for Tor Browser users.

Zerodium's Tor zero-day basically allows malicious code to run inside the Tor Browser by bypassing NoScript's script-blocking ability. According to Zerodium, the zero-day affects only the Tor Browser 7.x series. The Tor Browser 8.x branch, released last week, is not affected. The reason is that the Tor Browser 8.x series switched its underlying codebase from an older Firefox core to the new Firefox Quantum platform, which uses a new add-ons API. The NoScript add-on was rewritten at the end of last year to work on the new Firefox Quantum platform, hence the reason why the zero-day revealed today does not work on the new Tor Browser 8.x series.

In an interview with ZDNet, Giorgio Maone, the author of the NoScript extension, said the zero-day was caused by a workaround for NoScript blocking the Tor Browser's in-browser JSON viewer. Maone was not aware of the vulnerability before ZDNet contacted him earlier today. After successfully reproducing the issue, Maone promised an update to the NoScript add-on for later today, to mitigate the zero-day's effects. "I'm gonna release the update within 24 hours or less, like I always did in the past," Maone told ZDNet.

The Tor Project replied to ZDNet's request for comment but was not prepared to issue an official statement before this article's publication.

In an email exchange with ZDNet, Zerodium CEO Chaouki Bekrar provided more details about today's zero-day.

"We've launched back in December 2017 a specific and time-limited bug bounty for Tor Browser and we've received and acquired, during and after the bounty, many Tor exploits meeting our requirements," Bekrar told ZDNet. "This Tor Browser exploit was acquired by Zerodium many months ago as a zero-day and was shared with our government customers.

"We have decided to disclose this exploit as it has reached its end-of-life and it's not affecting Tor Browser version 8 which was released last week. We also wanted to raise awareness about the lack (or insufficient) security auditing of major components bundled by default with Tor Browser and trusted by millions of users.

"The exploit by itself does not reveal any data as it must be chained to other exploits, but it circumvents one of the most important security measures of Tor Browser which is provided by NoScript component.

"If a user sets his Tor browser security level to "Safest" aiming to block all JavaScript from all websites e.g. to prevent exploits, the disclosed bug would allow a website or a hidden service to bypass all NoScript restrictions and execute any JavaScript code, making the 'Safest' security level useless against browser exploits," Bekrar added.

ZDNet advises Tor Browser 7.x users to update to Tor Browser 8.x, or at least make sure to install the NoScript update that Maone promised for later today. The current NoScript version included with Tor Browser 7.5.6 is NoScript 5.1.8.6.

UPDATE: Minutes after this article's publication, Maone released NoScript "Classic" version 5.1.8.7, which fixes the zero-day's exploitation vector. The patch came exactly two hours after Zerodium released details on Twitter. Maone also told ZDNet that the bug was introduced in NoScript 5.0.4, released on May the 11th 2017.

Source
  14. Ponting

AppGuard v4.1

New Generation Protection Against Malware

AppGuard is a revolutionary new software product that stops computer viruses and malware – even zero-day malware – from harming you and your PC. Developed by Blue Ridge Networks using patented cybersecurity technology, AppGuard provides advanced protection without scanning and updates. It isolates and contains malicious code, allowing users to work, bank, shop and surf online without concern about exposure to viruses on the public internet or on trusted websites.

Numerous studies have confirmed there are literally dozens of new viruses and malicious software (zero-day malware) attacking users every minute. Current antivirus tools are unable to detect and stop these attacks for days during which time users are exposed to data theft, ID theft, and disruption. Until updates are downloaded to the antivirus software, users continue to be exposed to harmful exploits.

AppGuard doesn’t need to identify the threat, scan for viruses, update its software, or disrupt your activities to provide its protection. It easily and transparently extends its protection to your complete computing and network environment including documents, attachments, downloads from the web, social network applications, and removable media like thumb drives, without disrupting their use. It is also compatible with most antivirus and whitelisting software which you can continue to use for off-line maintenance eliminating the need for burdensome real-time scanning overhead that offers no real protection from zero-day malware.

AppGuard’s protection methods have been proven through several years of use by government, enterprises, and consumers without any reported failures. A leading IT industry analysis firm recently named AppGuard to its best practice Containment category for protection against malware. Get AppGuard if you want the peace of mind that you have the best zero-day malware protection in the marketplace.

Changelog:

Homepage: http://www.appguardus.com/index.php/Home
Download Link for 30 days trial: http://www.appguardus.com/support/products/AG4/files/AppGuardSetup.exe
Download Link for Quick Start Guide: http://www.appguardus.com/support/products/AG4/files/AppGuard%20Quick%20Start%20Guide%20v4_1.pdf
For FAQ: http://www.appguardus.com/index.php/appguard/faqs
For Support: http://www.appguardus.com/index.php/support/appguard-support
AppGuard Review by Reyes: http://www.tipradar.com/contest-appguard.html

Note: Please read the Quick Start Guide thoroughly and then install the software
  15. Security researchers at Microsoft have unveiled details of two critical and important zero-day vulnerabilities that had recently been discovered after someone uploaded a malicious PDF file to VirusTotal, and were patched before being used in the wild.

In late March, researchers at ESET found a malicious PDF file on VirusTotal, which they shared with the security team at Microsoft "as a potential exploit for an unknown Windows kernel vulnerability." After analyzing the malicious PDF file, the Microsoft team found that the same file includes two different zero-day exploits—one for Adobe Acrobat and Reader, and the other targeting Microsoft Windows.

Since the patches for both the vulnerabilities were released in the second week of May, Microsoft released details of both the vulnerabilities today, after giving users enough time to update their vulnerable operating systems and Adobe software.

According to the researchers, the malicious PDF including both zero-day exploits was in the early development stage, "given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code." It seems someone who could have combined both the zero-days to build an extremely powerful cyber weapon had unintentionally and mistakenly lost the game by uploading his/her under-development exploit to VirusTotal.

The zero-day vulnerabilities in question are a remote code execution flaw in Adobe Acrobat and Reader (CVE-2018-4990) and a privilege escalation bug in Microsoft Windows (CVE-2018-8120). The Adobe Acrobat and Reader exploit was incorporated in a PDF document as a maliciously crafted JPEG 2000 image containing the JavaScript exploit code, which triggers a double-free vulnerability in the software to run shellcode. Leveraging shellcode execution from the first vulnerability, the attacker uses the second Windows kernel exploit to break the Adobe Reader sandbox and run it with elevated privileges.

Since this malicious PDF sample was under development at the time of detection, it apparently included a simple PoC payload that dropped an empty vbs file in the Startup folder. Microsoft and Adobe have since released corresponding security updates for both the vulnerabilities in May. For more technical details of the exploits, you can head on to Microsoft and ESET blogs.

Source
  16. If you have already uninstalled Flash player, well done! But if you haven't, here's another great reason for ditching this application for better security of your devices.

Adobe has released a security patch update for a critical vulnerability in its Flash Player software that is actively being exploited in the wild by hackers in targeted attacks against Windows users. Independently discovered last week by several security firms—including ICEBRG, Qihoo 360 and Tencent—the Adobe Flash Player zero-day attacks have primarily been targeting users in the Middle East using a specially crafted Excel spreadsheet.

The stack-based buffer overflow vulnerability, tracked as CVE-2018-5002, impacts Adobe Flash Player 29.0.0.171 and earlier versions on Windows, MacOS, and Linux, as well as Adobe Flash Player for Google Chrome, and can be exploited to achieve arbitrary code execution on targeted systems. The vulnerability resides in the interpreter code of the Flash Player that handles static-init methods, which fails to correctly handle the exceptions for try/catch statements.

The registration date for a web domain, mimicking a job search website in the Middle East, used as the command and control (C&C) server for zero-day attacks suggests that hackers have been making preparations for the attack since February.

Besides the patch for CVE-2018-5002, Adobe also rolled out security updates for two "important" vulnerabilities—an integer overflow bug (CVE-2018-5000) and an out-of-bounds read issue (CVE-2018-5001)—both of which lead to information disclosure.

So, users are highly recommended to immediately update their Adobe Flash Player to version 30.0.0.113 via the update mechanism within the software or by visiting the Adobe Flash Player Download Center.

Source
  17. ViRobot APT Shield 2.0 is the best PC security program to block attacks on vulnerabilities (including zero-day vulnerabilities and drive-by download vulnerabilities) in applications and the Windows OS (including Windows XP) in advance, and it is compatible with anti-malware programs. Especially, ViRobot APT Shield 2.0 will be the best choice for PCs that cannot be upgraded from Windows XP to a higher version of Windows.

Features

1. Response to a variety of attacks on application vulnerabilities. It blocks attacks that use vulnerabilities in advance for applications such as document programs (MS Office, Adobe Reader, ...), web browsers (IE, Firefox, Chrome, ...), media players, messengers, compression software, etc.
2. Blocking vulnerabilities due to the end of Windows XP support. It prevents attacks that use vulnerabilities in advance for Windows versions to which security patches cannot be applied.
3. Complementing the limits of signature-based anti-virus. With behavior-based technology, it blocks the creation and execution of malicious code that exploits vulnerabilities, and it also doesn't need pattern updates.
4. Blocking the acceleration of document leaks to many unspecified targets. Recently, malicious code has been using social engineering to exfiltrate important documents from companies, but this product blocks it completely.
5. Handling systems on which Windows security patches are difficult to update. It's a very light product, because it requires only minimal hardware resources. It's suitable for various enterprise environments in which Windows security patches are difficult to update.

Functions

1. Enhanced detection of malicious code: It can block zero-day attacks in advance. There is no need to worry about false positives, because it detects abnormal behaviors of applications. It can detect malicious code in real time.
2. Flexible scalability and low costs: It's compatible with anti-malware products all around the world, which ensures flexible scalability. It can save cost compared to network-based detection solutions (no extra charge except the license fee).
3. Management efficiency: Security systems can be controlled by connecting to integrated log equipment (e.g. ESM). A monitoring service is provided through installation of a web log server.
4. Usability: Pattern updates are not required. It's simple to install (the installation takes less than 10 seconds). The portion of end users' direct control is minimized. It uses minimal resources (e.g. memory usage: less than 10 MB).

Screenshots: Blocking malicious code that exploits vulnerabilities in applications.
Document programs - MS Office, Adobe Reader, Ichitaro, etc.
Web browsers - IE, Firefox, Chrome, Safari, Opera, Java, Flash, ActiveX, etc.
Media players - RealPlayer, QuickTime Player, Winamp, etc.
Messengers - Skype, Yahoo, Google, etc.
Compression software - WinZip, WinRAR, 7-Zip, etc.

Homepage: http://www.aptshield.net/
Download link: http://www.aptshield.net/apt_individual_download.html

Requirements:
CPU: Intel Pentium III 500 MHz or above
RAM: 512 MB or above
HDD: Free space more than 500 MB
OS: Windows XP / Windows Vista / Windows 7 / Windows 8 / Windows Server 2003 / Windows Server 2008 / Windows Server 2012 (x86 and x64)
  18. Further investigation into an exploit kit known as "Elderwood" shows the attackers using it are more numerous and possibly better funded than previously thought, according to new research from Symantec.

Elderwood is a hacking platform that has attack code which abuses software vulnerabilities in programs such as Adobe Systems' Flash multimedia program and Microsoft's Internet Explorer browser in order to spy on computers. Symantec has been tracking Elderwood since 2012, noting that exploits contained in it have been used against defense-related companies, people involved in human rights campaigns and IT and supply-chain firms in the so-called "Operation Aurora" attacks.

The company thought a single group controlled Elderwood, although the security company's latest findings indicate a more diversified operation. Symantec doesn't say in which country it believes the attackers are located, but the Operation Aurora attacks are suspected to have originated in China.

After Operation Aurora came to light, Google came forward in early 2010. In an unprecedented move, it publicly said the attacks against its network originated in China, which fueled a diplomatic row with the U.S. Google said the attacks were aimed at compromising the Gmail accounts of human rights activists. The U.S. and China subsequently clashed over cybersecurity issues, with U.S. companies becoming increasingly vocal over what they hold are technically sophisticated long-term infiltration campaigns originating from within China.

Symantec now thinks several hacking groups are using Elderwood, indicating that its developer may be selling the platform. Another possibility is that the core Elderwood hackers are developing exploits for their own in-house teams, the company wrote in a blog post Thursday. "The attack groups are separate entities with their own agendas," Symantec wrote.

A sub-group called "Hidden Lynx" targets the defense industry and Japanese users. "Vidgrab" prefers targeting Uyghur dissidents in the western China region. Another group known as "Linfo" or "Icefog" goes after manufacturing firms, while "Sakurel" focuses on aerospace companies.

At the start of this year, the Elderwood exploit kit contained three zero-day vulnerabilities, which are software flaws that do not have a patch ready. Those vulnerabilities included one for Flash (CVE-2014-0502) and two for Internet Explorer (CVE-2014-0322 and CVE-2014-0324).

Another clue that all of the groups may be closely connected is the use of shared infrastructure. The Flash exploit and one for Internet Explorer, CVE-2014-0322, were hosted on the same server but used by all four groups, Symantec wrote.

Creating attack code for those vulnerabilities isn't cheap, which suggests if hacking groups are purchasing the exploits from Elderwood's developer, those organizations "must have substantial financial resources." If all Elderwood-related attacks come from a larger group split into teams, then "these employees are either being well compensated for their work or have some other motivating factor that prevents them from selling exploits on the open market themselves."

Source
  19. UPDATE – Researchers at Websense said today they may have isolated two components within the VGX library that are being exploited by attackers targeting the latest Internet Explorer zero-day vulnerability.

By combing through millions of Windows crash reports sent via the Windows Error Reporting feature, researchers have discovered a spike in VGX.DLL crashes in two particular spots. Application crashes are indicators of exploit activity in some cases, and researchers believe that either one could be what is being exploited in the wild.

Researcher Alex Watson said more details on the vulnerable components could be available soon, and would fill in some gaps left open by advisories from Microsoft and FireEye that were scant in details about the exploits. “We are searching those [two] and taking a deep look at our feeds to find other indicators of compromise,” Watson said.

Watson said researchers combed through six months of crash reports, close to 20 million in total, and found fewer than 40 crashes in IE 6 through IE 11 inside VGX; 13 of those happened in February, 9 in March and 12 this month. Two stood out. The first affected IE 9 running on a Windows 7 machine, which is the same setup exploited in the attacks currently in the wild. Other matching crash reports indicate possible failed exploit activity in the U.S. between March 22 and mid-April, Websense said.

The second possible vulnerability affects IE 8, the researchers said. Two different versions of IE 8 running on Windows 7 indicate a buffer overflow vulnerability is present in VGX as early as Feb. 17, Websense said. “It is somewhat unusual to see such a large percentage of application crashes being triggered via buffer overflow,” Watson said, calling it suspicious. “While it has not been reported that IE 8 has been targeted via CVE-2014-1776 in the wild, errors like this are consistent with exploits that corrupt and overwrite memory.”

The IE zero-day set off alarm bells since it can be exploited all the way back to versions of IE compatible with Windows XP, which is no longer supported by Microsoft as of April 8. Microsoft issued an advisory and warned users that hackers were actively exploiting the use-after-free vulnerability in limited targeted attacks, although only in IE 9 through IE 11. Researchers at FireEye also shared details on the exploit and said that it is used in conjunction with an Adobe Flash exploit to cause memory corruption and allow an attacker to run code remotely on the compromised computer.

The vulnerability in IE is specific to the browser’s handling of the Vector Markup Language and vector graphics rendering. Microsoft advised as a temporary mitigation that admins disable the VGX.DLL; the library is crucial for proper graphics rendering and is used by IE as well as Office applications. “When we looked at this DLL, we found it is not used often and likely shouldn’t be used at all,” Watson said. “It’s a deprecated vector processing library.”

Watson said researchers were prompted by news of the active exploits and started searching crash reports for evidence of exploit activity in the VGX library. Starting in February, spikes in crashes in IE 8 and IE 9 began, in particular from targets in the U.S., U.K., and Brazil, including telecoms, financial services organizations and municipal governments, Websense said.

Websense researchers use application crash reports from computers running Windows XP, Vista, 7 and 8 sent through the Windows Error Reporting framework to investigate the possibility of advanced attacks against organizations. Exploits often cause applications to crash and these reports, also known as Dr. Watson reports, are sent in the clear to Microsoft so that bugs can be prioritized and addressed, as well as user experience issues. The reports are triggered not only by crashes, but also when applications fail to update or when hardware changes are detected on a network.

This article was updated at 4 p.m. with clarifications throughout.

Source
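The crash-report sifting that the Websense post above describes, as an added example (this is not Websense's, Microsoft's or the forum poster's code): take a feed of application crash records, keep those whose faulting module is the library under suspicion, and look for the three signals the researchers mention, namely repeated crashes at one code offset, a rise in crashes month over month, and an unusual share of stack-buffer-overrun exceptions. The feed, the offsets and the dates in the block are constructed sample data, and the field layout of a crash record is an assumption made for the example; only the two NTSTATUS codes are real.

```python
"""Crash-telemetry triage for one library (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# NTSTATUS exception codes as they show up in crash telemetry (lower-case hex).
STATUS_ACCESS_VIOLATION = "c0000005"
STATUS_STACK_BUFFER_OVERRUN = "c0000409"   # raised when the /GS stack cookie check fails


@dataclass(frozen=True)
class CrashRecord:
    """Assumed reduced form of one crash report; real WER records carry far more."""
    when: date
    app: str           # faulting process, e.g. iexplore.exe
    app_version: str   # major browser version, e.g. "9.0" for IE 9
    os_version: str    # "6.1" is Windows 7, "6.3" is Windows 8.1
    module: str        # module in which the fault occurred
    offset: int        # fault address as an offset into that module
    exception: str     # NTSTATUS exception code


# Constructed sample feed: every host, offset and date here is invented.
SAMPLE_FEED = [
    CrashRecord(date(2014, 2, 17), "iexplore.exe", "8.0", "6.1", "vgx.dll", 0x1A2B4, STATUS_STACK_BUFFER_OVERRUN),
    CrashRecord(date(2014, 2, 20), "iexplore.exe", "8.0", "6.1", "vgx.dll", 0x1A2B4, STATUS_STACK_BUFFER_OVERRUN),
    CrashRecord(date(2014, 3, 5), "iexplore.exe", "9.0", "6.1", "mshtml.dll", 0x55510, STATUS_ACCESS_VIOLATION),
    CrashRecord(date(2014, 3, 22), "iexplore.exe", "9.0", "6.1", "vgx.dll", 0x3C0D8, STATUS_ACCESS_VIOLATION),
    CrashRecord(date(2014, 3, 28), "iexplore.exe", "9.0", "6.1", "vgx.dll", 0x3C0D8, STATUS_ACCESS_VIOLATION),
    CrashRecord(date(2014, 4, 2), "iexplore.exe", "11.0", "6.3", "vgx.dll", 0x0F100, STATUS_ACCESS_VIOLATION),
    CrashRecord(date(2014, 4, 10), "iexplore.exe", "9.0", "6.1", "vgx.dll", 0x3C0D8, STATUS_ACCESS_VIOLATION),
    CrashRecord(date(2014, 4, 11), "winword.exe", "14.0", "6.1", "mso.dll", 0x77AB0, STATUS_ACCESS_VIOLATION),
]


def crashes_in_module(records, module):
    """Keep only the crashes whose faulting module matches (case-insensitive)."""
    wanted = module.lower()
    return [r for r in records if r.module.lower() == wanted]


def crashes_per_month(records):
    """Count crashes per (year, month) so a rise over time becomes visible."""
    counts = Counter((r.when.year, r.when.month) for r in records)
    return dict(sorted(counts.items()))


def hot_offsets(records, min_count=2):
    """Group crashes by faulting offset; a cluster at one offset points at one bug.

    Unrelated crashes scatter across a module. Repeated faults at the same
    offset, from the same app and OS build, are what failed exploit attempts
    against a single vulnerability tend to look like in crash telemetry.
    """
    by_offset = defaultdict(list)
    for r in records:
        by_offset[r.offset].append(r)
    clusters = []
    for offset, hits in by_offset.items():
        if len(hits) < min_count:
            continue
        clusters.append({
            "offset": offset,
            "count": len(hits),
            "apps": sorted({f"{r.app} {r.app_version}" for r in hits}),
            "os_versions": sorted({r.os_version for r in hits}),
            "exceptions": sorted({r.exception for r in hits}),
            "first_seen": min(r.when for r in hits),
            "last_seen": max(r.when for r in hits),
        })
    clusters.sort(key=lambda c: (-c["count"], c["offset"]))
    return clusters


def overrun_share(records):
    """Fraction of crashes that tripped the stack cookie check (0.0 for an empty set)."""
    if not records:
        return 0.0
    overruns = sum(1 for r in records if r.exception == STATUS_STACK_BUFFER_OVERRUN)
    return overruns / len(records)


def triage(records, module="vgx.dll", min_count=2):
    """Run the whole analysis for one module and return a report dict."""
    hits = crashes_in_module(records, module)
    return {
        "module": module,
        "total": len(hits),
        "per_month": crashes_per_month(hits),
        "hot_offsets": hot_offsets(hits, min_count),
        "overrun_share": overrun_share(hits),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_FEED)
    print(f"{report['module']}: {report['total']} crashes, per month {report['per_month']}")
    for c in report["hot_offsets"]:
        print(f"  offset {c['offset']:#x}: {c['count']} crashes in {c['apps']} "
              f"({', '.join(c['exceptions'])}) {c['first_seen']}..{c['last_seen']}")
    print(f"  stack-buffer-overrun share: {report['overrun_share']:.0%}")
```

On the constructed feed the report singles out two clusters in vgx.dll, one at a single offset hit three times by IE 9 on Windows 7 and one hit twice by IE 8 with a stack-buffer-overrun exception, while the lone IE 11 crash is left out as noise. Against a real feed the same grouping is what turns a handful of crashes among millions into something worth a closer look; the offsets only become meaningful once they are matched to a specific build of the module.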
  20. It’s unusual to see a report come through on the weekend, but based on how quickly communication has been ramped up, this one is serious enough to warrant some weekend work. A new zero-day flaw is being reported that affects Internet Explorer versions 6 through 11, with IE9 through IE11 being actively targeted. When enacted, the vulnerability has the potential to take over the computer. Of course, as with the majority of vulnerabilities like this, it assumes the capabilities of the logged-on user, which means if a user has administrative rights to the computer, the exploit will enjoy full control. I can’t reiterate enough that administrative rights for normal users are a no-no and cases like this should be enough to convince management to revoke administrative rights across the board.

Microsoft is working on a fix; however, it’s important to keep in mind that whatever patch becomes available, it will not cover Windows XP. By all appearances, this is a serious flaw, and will be a first major test for unpatched Windows XP computers. The fix, once issued, will not be available publicly for Windows XP.

Here’s the applicable information about this new zero-day flaw:

Microsoft Security Advisory 2963983
More Details about Security Advisory 2963983 IE 0day
FireEye: New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks

The flaw uses a hole in Adobe Flash. For workarounds, Microsoft is promoting EMET with a specific configuration and also suggesting disabling VML in Internet Explorer and running IE in "Enhanced Protected Mode."

Source