Archive for the ‘Zero day’ Category

Seven zero-days in 2021 developed commercially and sold to governments

Google’s Threat Analysis Group (TAG) released a new report on Thursday chronicling an Italian spyware vendor selling technology used on victims in Italy and Kazakhstan. The report mirrors another from cybersecurity company Lookout that was published last week covering “Hermit” – a brand of surveillanceware developed […]

Microsoft shared workarounds for the Microsoft Office zero-day dubbed Follina

Microsoft has released workarounds for a recently discovered zero-day vulnerability, dubbed Follina and tracked as CVE-2022-30190 (CVSS score 7.8), in the Microsoft Office productivity suite. “On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads […]

Zero-day bug in uClibc library could leave IoT devices vulnerable to DNS poisoning attacks

A zero-day vulnerability in uClibc and uClibc-ng, a popular C standard library, could enable a malicious actor to launch DNS poisoning attacks on vulnerable IoT devices. The bug, tracked as ICS-VU-638779, which has yet to be patched, could leave users exposed to attack, researchers have warned. In a DNS poisoning attack, the target domain name […]

Mysterious disclosure of a zero-day RCE flaw Spring4Shell in Spring

An unauthenticated zero-day RCE vulnerability in the Spring Core Java framework, called ‘Spring4Shell’, has been publicly disclosed. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io […]

CISA urges to fix actively exploited Firefox zero-days by March 21

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two critical security vulnerabilities in Mozilla Firefox, tracked as CVE-2022-26485 and CVE-2022-26486, to its Known Exploited Vulnerabilities Catalog. The US agency has ordered federal civilian agencies to address […]

Google fixes a Chrome zero-day flaw actively exploited in attacks

Google fixed a high-severity, actively exploited zero-day flaw, tracked as CVE-2022-0609, with the release of a Chrome emergency update for Windows, Mac, and Linux. This is the first Chrome zero-day fixed this year by Google. The zero-day is a use-after-free issue that resides in Animation; the bug was reported by Adam Weidemann and Clément Lecigne of […]

Google Project Zero discloses details of two Zoom zero-day flaws

Google Project Zero researcher Natalie Silvanovich disclosed details of two zero-day vulnerabilities in Zoom clients and Multimedia Router (MMR) servers. An attacker could have exploited the now-fixed issues to crash the service, execute malicious code, and even leak the content of portions of the memory. The researcher focused the search for bugs in the Zoom client […]

Resecurity discovered 0-day vulnerability in TP-Link Wi-Fi 6 devices

Resecurity, a Los Angeles-based cybersecurity company, has identified an active zero-day vulnerability in the TP-Link device with model number TL-XVR1800L (Enterprise AX1800 Dual Band Gigabit Wi-Fi 6 Wireless VPN Router), which is primarily suited to enterprises. The identified vulnerability enables Remote Code Execution (RCE), which grants the ability to take over the device and […]

STILL ALIVE! iOS 12 gets 3 zero-day security patches – update now

If you’ve already listened to this week’s Naked Security Podcast you’ll know that we had finally concluded that iOS 12, the version before the version before the latest-and-greatest iOS 15, which arrived this Monday… …had been dumped forever by Apple. Apple notoriously won’t tell you anything about the security situation in its products unless and until it […]

Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!

You know what we’re going to say, so we’ll say it right away. Patch early, patch often. Canadian privacy and cybersecurity activist group The Citizen Lab just announced a zero-day security hole in Apple’s iPhone, iPad and Macintosh operating systems. They’ve given the attack the nickname FORCEDENTRY, for rather obvious reasons, though its official designation is CVE-2021-30860. Citizen Lab […]

Windows zero-day MSHTML attack

Details are scarce so far, but Microsoft is warning Office users about a bug that’s dubbed CVE-2021-40444, and described as Microsoft MSHTML Remote Code Execution Vulnerability. The bug doesn’t have a patch yet, so it’s what’s known as a zero-day, shorthand for “the Good Guys were zero days ahead of the Bad Guys with a patch for […]

Trend Micro warns customers of zero-day attacks against its products

Security firm Trend Micro is warning its customers of attacks exploiting zero-day vulnerabilities in its Apex One and Apex One as a Service products. On July 28, Trend Micro released security patches for multiple incorrect permission assignment privilege escalation, incorrect permission preservation authentication bypass, arbitrary file upload, and local privilege escalation vulnerabilities in Apex One […]

China Taking Control of Zero-Day Exploits

Countdown to #ZeroDay: #Stuxnet and the Launch of the World’s First #DigitalWeapon

Hacker deposited $1M in a popular cybercrime marketplace to buy zero-day exploits

A threat actor that goes online with the name “integra” has deposited 26.99 Bitcoins on one of the cybercrime forums with the intent to purchase zero-day exploits from other forum members, according to researchers from threat intelligence firm Cyble. According to the experts, the member “integra” joined the cybercrime forum in September 2012 and has gained a high reputation over the course of time. The threat actor is also a member […]

Critical 0day in the Fancy Product Designer WordPress plugin actively exploited

Researchers from the Wordfence team at WordPress security company Defiant warn that a critical zero-day vulnerability, tracked as CVE-2021-24370, in the Fancy Product Designer WordPress plugin is actively exploited in the wild. Fancy Product Designer is a premium plugin that allows customers to design and customize any kind of product in their online stores; it is […]

Google’s Project Zero Finds a Nation-State Zero-Day Operation

Google’s Project Zero discovered, and caused to be patched, eleven zero-day exploits against Chrome, Safari, Microsoft Windows, and iOS. This seems to have been exploited by “Western government operatives actively conducting a counterterrorism operation”: The exploits, which went back to early 2020 and used never-before-seen techniques, were “watering hole” attacks that used infected websites to deliver malware to visitors. […]

Microsoft says China-backed hackers are exploiting Exchange zero-days

A threat actor exploited 11 zero-day flaws in 2020 campaigns

Google researchers observed two separate waves of attacks that took place in February and October 2020, respectively. Threat actors set up malicious sites in a series of watering hole attacks that were redirecting visitors to exploit servers hosting exploit chains for Android, Windows, and iOS devices. “In October 2020, Google Project Zero discovered seven 0-day […]

Exchange Servers targeted via zero-day exploits, have yours been hit?

Microsoft has released out-of-band security updates for seven bugs affecting Microsoft Exchange Servers, four of which are zero-day vulnerabilities being exploited by attackers in the wild to plunder on-premises machines. Source: The zero-day bugs affecting Exchange Servers

Security researchers warn of critical zero-day flaws in ‘age gap’ dating app Gaper

Critical zero-day vulnerabilities in Gaper, an ‘age gap’ dating app, could be exploited to compromise any user account and potentially extort users, security researchers claim. The absence of access controls, brute-force protection, and multi-factor authentication in the Gaper app means attackers could potentially exfiltrate sensitive personal data and use that data to achieve full account takeover within just […]
