So it seems that an Internet Explorer zero day vulnerability allowed the back door to be opened that resulted in the [URL="http://www.daniweb.com/news/story252590.html"]hack attack on Google[/URL] and many others that has received such publicity this week. According to [URL="http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/"]McAfee[/URL] it has identified an Internet Explorer vulnerability as being one of the attack vectors but the security vendor also warns that targeted attacks such as this often use "a cocktail of zero-day vulnerabilities combined with sophisticated social engineering scenarios" so it is possible, likely even, that other as yet unidentified attack vectors were also involved. However, McAfee dismisses some early reports which …

Member Avatar
Member Avatar
+0 forum 4

Feedly app left attack window open for malicious JavaScript hackers according to one security researcher. Security consultant and blogger Jeremy S [revealed](http://breaktoprotect.blogspot.in/2014/04/feedly-android-application-zero-day.html) that the Feedly Android app, or at least the version prior to the update on March 17th 2014, had been subject to a zero-day JavaScript code injection vulnerability. Jeremy reported the discovery to the Feedly developers who patched the vulnerability within 24 hours, ethical disclosure working at its best if you ask me. The Singapore based researcher explained that the code injection was possible from an RSS feed into the app itself as the Feedly app didn't sanitize …

Member Avatar
+0 forum 0

Java vulnerabilities have hardly been out of the news during the last year. Here at DaniWeb we've covered a number of the stories as they surfaced: [Java in the cross-hairs: the security debate rolls on](http://www.daniweb.com/software-development/java/news/445532/java-in-the-cross-hairs-the-security-debate-rolls-on), [Is Java 7 still insecure? Oracle Patch doesn't fix underlying vulnerability](http://www.daniweb.com/software-development/java/threads/432479/is-java-7-still-insecure-oracle-patch-doesnt-fix-underlying-vulnerability), [Update my insecure Java plug-in? Meh, say 72% of users](http://www.daniweb.com/software-development/java/threads/446989/update-my-insecure-java-plug-in-meh-say-72-of-users) and [WARNING: New zero-day for Java 6u41 and Java 7u15](http://www.daniweb.com/software-development/java/threads/449198/warning-new-zero-day-for-java-6u41-and-java-7u15). It's the latter two that are pertinent as to why I'm covering the whole Java exploits story again. It would appear that the CVE-2013-2463 vulnerability in the Java 2D subcomponent is still problematical, even …

Member Avatar
Member Avatar
+3 forum 1

Microsoft has published an [advance notification](http://technet.microsoft.com/en-us/security/bulletin/ms13-jan) for vulnerabilities that will be patched in the January 2013 'Patch Tuesday' security bulletin due next week. However, anyone hoping for a permanent fix to deal with the Internet Explorer zero-day exploit that surfaced during the seasonal holiday period is going to be disappointed. There is no IE patch in this bunch, and while that might be a bit of a surprise to some given that IE security bulletins have become a very regular experience of late, the truth is that to expect a zero-day fix from Microsoft just a week or so after …

Member Avatar
Member Avatar
+0 forum 3

FireEye security researchers are warning that they have [detected a new zero-day vulnerability](http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html) that is being used successfully in the wild against browser clients with both Java 6u41 and Java 7u15 installed. Given that the Java 7 update was only released a couple of weeks ago, this is yet more bad news for Oracle and for users of the Java browser plug-in. bad news, but not exactly surprising as security researchers have been finding flaws in the update since it was made available. The difference here is that this isn't just a lab-based, theoretical, vulnerability: this is, it would appear, …

Member Avatar
Member Avatar
+3 forum 11

The good news is that security savvy Windows users will, more than likely, have already disabled the AutoRun and AutoPlay features. The bad news is that a new zero-day vulnerability could care less, and executes automatically anyway. [attach]15918[/attach]The zero-day vulnerability in question was first spotted by Sergey Ulase, a researcher with security vendor VirusBlokAda, who when [URL="http://anti-virus.by/en/tempo.shtml"]talking about some new malware samples he had been analysing noted[/URL] "You should take into consideration that virus infects Operation System in unusual way through vulnerability in processing lnk-files (without usage of autorun.inf file). So you just have to open infected USB storage device …

Member Avatar
+0 forum 0

Still using Adobe Acrobat or Adobe Reader? Maybe it is time to switch to something that's not glowing red on the bad guy radar, or which is more securely coded depending upon how you look at these things. Yes, Adobe has admitted that there is yet another possible zero-day vulnerability in Adobe Acrobat and Reader, oh deep joy. David Lenoe of Adobe [URL="http://blogs.adobe.com/psirt/2009/12/new_adobe_reader_and_acrobat_v.html"]confirms[/URL] "...Adobe received reports of a vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions being exploited in the wild" adding that the company is "currently investigating this issue and assessing the risk to our customers" and …

Member Avatar
+0 forum 0

The End.