Tag: vulnerability

  • VB2014 preview: keynote and closing panel

    Vulnerability disclosure one of the hottest issues in security. In the proceedings of the 24th Virus Bulletin conference, the words ‘vulnerability’ and ‘vulnerabilities’ occur more than 200 times. I think there is no better way to demonstrate how important a topic this is. Some approach vulnerabilities from a purely defensive point of view: how…

  • VB2014 preview: The three levels of exploit testing

    Richard Ford and Marco Carvalho present an idea for how to test products that claim to detect the unknown. In the weeks running up to VB2014 (the 24th Virus Bulletin International Conference), we are looking at some of the research that will be presented at the event. Today, we look at the paper ‘The…

  • Google’s Project Zero to hunt for zero-days

    Bugs to be reported to the vendor only, and to become public once patched. Google has created a new team, called Project Zero, whose task is to find vulnerabilities in any kind of widely used software and to report them to the respective vendor. Few subjects in security are as controversial as the disclosure of…

  • A week of Heartbleed

    OpenSSL vulnerability has kept the security community busy. The ‘Heartbleed’ vulnerability has kept everyone on their toes over the last week or so – hitting the mainstream media, prompting widespread warnings for users to change their passwords, and causing many admins to review the security of their web servers. Bruce Schneier, who is not known…

  • OpenSSL vulnerability lets attackers quietly steal servers’ private keys

    Security firm advises regenerating keys and replacing certificates on vulnerable servers. A very serious vulnerability in OpenSSL has caused panic among network administrators: CVE-2014-0160 allows an attacker to read the memory of a vulnerable server and thus obtain private encryption keys, passwords and other kinds of sensitive information. OpenSSL is a widely used open-source implementation…

  • Privilege escalation vulnerability targets Windows XP and Server 2003

    Vulnerability being used in the wild in combination with exploit of patched Adobe Reader vulnerability. Researchers at FireEye have discovered a new privilege escalation vulnerability affecting Windows XP and Windows Server 2003 that is being used in the wild. For those US-based system administrators who were hoping to spend the Thanksgiving weekend away from their…

  • Good and bad news for victims of targeted attacks against Microsoft products

    Bug bounty program extended; TIFF zero-day used in the wild. This week, Microsoft has good news and bad news for those targeted by zero-day exploits in its products. The bad news is that a new zero-day exploit has been discovered in a graphics library that is used by Office 2010. To exploit the vulnerability,…

  • Ruby on Rails vulnerability exploited in the wild

    Code executed on web servers to cause them to join IRC botnet. A critical vulnerability in Ruby on Rails is currently being exploited to make web servers join an IRC botnet, Ars Technica reports. The vulnerability was discovered and subsequently patched at the beginning of this year, but many website owners haven’t applied the…

  • Microsoft offers fix-it for IE 8 zero-day

    CVE-2013-1347 used in watering hole attacks. Following this weekend’s discovery of a new zero-day vulnerability in version 8 of Microsoft’s Internet Explorer browser, the company has released a ‘fix-it’ that addresses the known attack vectors. Last week (ironically on Labour Day), researchers at AlienVault discovered that the website of the US Department of Labor…

  • Vulnerabilities could trigger payload in emails upon receiving or opening

    Flaws in IBM Notes and Exim/Dovecot easy to mitigate. Two recently discovered vulnerabilities in mail processing software could give an attacker access to a targeted system without the need for any links to be clicked or attachments to be opened. When email security experts talk about “malicious emails”, they usually mean emails with malware attached,…