Microsoft issues emergency fix for Internet Explorer zero‑day
Details are sparse about a security hole that Microsoft said is being exploited in targeted attacks
Vulnerability
PowerPool malware exploits ALPC LPE zero‑day vulnerability
Malware from newly uncovered group PowerPool exploits zero-day vulnerability in the wild, only two days after its disclosure
Can cramming code with bugs make it more secure? Some think so
Unbeknownst to exploit writers, the seemingly mouth-watering bugs would be bogus and non-exploitable
Software bugs put nearly 100 million health records at risk of exposure
The slew of vulnerabilities – since patched – were found without the use of automated testing tools
HP offers rewards for hacking its printers
But don’t get too excited just yet: the first-of-its-kind bug bounty program for printers is invite-only for now
Bluetooth bug could expose devices to snoopers
Patches have already been released or are expected to see the light of day soon
Open source code is ubiquitous and so are many vulnerabilities
One-third of audited codebases that contain Apache Struts suffer from the same vulnerability that facilitated the Equifax hack a year ago
A tale of two zero‑days
Double zero-day vulnerabilities fused into one. A mysterious sample enables attackers to execute arbitrary code with the highest privileges on intended targets
One year later: EternalBlue exploit more popular now than during WannaCryptor outbreak
The infamous outbreak may no longer be causing mayhem worldwide but the threat that enabled it is still very much alive and posing a major threat to unpatched and unprotected systems
Drupal releases patch fixing “highly critical” flaw
The update plugs a security hole that exposes a million Drupal websites to attacks
Vulnerabilities reached a historic peak in 2017
In 2017, the number of vulnerabilities smashed records set in previous years. According to CVE Details, more than 14,600 vulnerabilities were reported in 2017, compared to 6447 in 2016.
Some examples of vulnerable code and how to find them
"When looking for vulnerabilities in open-source code, it is advisable to check portions of code that is prone to errors": Useful tips from one of ESET's malware analysts, Matías Porolli, on how to spot vulnerable code.
Adobe warns of Flash zero‑day vulnerability, being actively exploited by online criminals
Adobe Flash users find themselves in danger once again, as they wait for an emergency security patch to fix a vulnerability being actively exploited in the wild.
Thunderstrike! How a radar‑proof rootkit could infect your Mac
A security researcher describes how malware could infect your Mac's boot ROM, and spy on your activities, with little chance of you ever realising.
Two recently patched Adobe Flash vulnerabilities now used in Exploit Kits
Two Flash vulnerabilities that were fixed by Adobe 2 weeks ago are now being used in exploit kits. This is in addition to a third vulnerability, CVE-2014-0556, that was patched in September and that has also been added to Nuclear EK last week.
POODLE Attack – Google uncovers major flaw in SSL 3.0
In an announcement eerily reminiscent of the early phases of the Heartbleed flaw that took internet security by storm earlier in the year, Google has uncovered an exploit that could allow attackers to decode the plaintext traffic of a secure connection.
“I’ve been hacked, and now I’m pregnant!”
An embedded microchip that stops you from becoming pregnant? Would you trust it to protect itself properly from a hacker attack?
Grim warning for bounty hunters – Yahoo pays out paltry $12.50 per vulnerability
Finding vulnerabilities can be a profitable business - even if you work for the right side of the law. Last month, Facebook paid out $12,500 to a researcher for finding a bug - this month, Yahoo! paid out ... $12.50.
The Dynamic Duo for Securing your Android: Common Sense and Security Software
On Thursday, September 12, Duo Security, a young-but-respected vendor of two-factor authentication devices, announced the preliminary results of a study of over 20,000 Android devices from a two month old study they performed. Based on the results, they calculated that over half of Android devices on the market have security vulnerabilities that are, as yet,
CVE2012‑1889: MSXML use‑after‑free vulnerability
As soon as Microsoft had released patches for security bulletin MS12-037 (which patched 13 vulnerabilities for Internet Explorer) Google published information (Microsoft XML vulnerability under active exploitation) about a new zero-day vulnerability (CVE-2012-1889) in Microsoft XML Core Services. Sometimes vulnerabilities are discovered at a rate that outpaces the patching process and so a temporary fix