Two zero-day vulnerabilities in current versions of Microsoft Edge and Internet Explorer make it possible for confidential information to be shared between websites.Read More
Several months ago, we disclosed that Pawn Storm was using a then-undiscovered zero-day Java vulnerability to carry out its attacks. At the time, we noted that a separate vulnerability was used to bypass the click-to-play protection that is in use by Java. This second vulnerability has now been patched by Oracle as part of its regular quarterly update.
Click-to-play requires the user to click the space where the Java app would normally be displayed before it is executed. In effect, it asks the user if they are really sure they want to run any Java code.
Bypassing click-to-play protection allows for malicious Java code to run without any alert windows being shown. This was quite useful in Pawn Storm, as it used exploits targeting these vulnerabilities to carry out targeted attacks against North Atlantic Treaty Organization (NATO) members and the White House earlier this year.Read More
Microsoft has released MS15-093, an out-of-band update for all supported versions of Windows. This bulletin fixes a vulnerability in Internet Explorer (designated as CVE-2015-2502) that allowed an attacker to run arbitrary code on a user’s system if they visited a malicious site. A compromised site, spear phishing, and/or malicious ads could all be used to deliver exploits…Read More
2015 has so far been a very busy year for security researchers. The data leaked from Hacking Team shocked many, thanks to the multiple zero-days that were disclosed, as well as emails discussing the unscrupulous trade in exploits and “tools”. Cybercriminals (including exploit kit authors) have been hard at work integrating these newly-discovered flaws into their “products”…Read More
Another zero-day vulnerability has been found by Trend Micro researchers from the Hacking Team trove of data. We reported this vulnerability to Microsoft, and it has been designated as CVE-2015-2426. It has also been patched in an unusual out-of-band patch. It could be used to carry out a Windows local privilege escalation (LPE). By exploiting this vulnerability, attackers…Read More