zero-day

Microsoft warns of zero-day IE hole on Patch Tuesday

Microsoft warned of a new vulnerability in Internet Explorer 6 and IE 7 that has been targeted in attacks, and released fixes for eight holes in Windows and Office as part of Patch Tuesday.

The company issued Security Advisory 981374, which addresses a privately disclosed vulnerability. The hole could allow an attacker to take control of a machine if a user visited a malicious Web site, Microsoft said.

There are some features that could mitigate the effects of an attack. For instance, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the … Read more

Microsoft warns of zero-day hole for older Windows

Microsoft warned of a new hole on Monday that could be exploited by attackers to take control of older Windows systems running Internet Explorer and for which proof-of-concept exploit code has been released publicly.

The vulnerability affects Windows 2000-, XP- and Server 2003-based systems. It exists in the way that Visual Basic Scripting, or VBScript, interacts with Windows Help files, Microsoft said in its security advisory. VBScript is an Active Scripting language for executing functions embedded in Web pages.

In an attack scenario, victims would somehow be lured to visit a malicious Web site that displays a specially crafted dialog … Read more

Mozilla patches critical flaws

Mozilla has released fixes for five security holes in older versions of Firefox, while a security company has warned of a zero-day flaw in the latest version of the popular browser.

Mozilla issued patches Wednesday for versions 3.5.8 and 3.0.18 of the browser, sending out fixes for the latter even though it had said it would stop supporting Firefox 3.0 in January. In its security bulletin, the company said the vulnerabilities had previously been resolved in Firefox 3.6, which was launched on January 21. The five flaws addressed by Mozilla included three the company … Read more

McAfee: China attacks a 'watershed moment'

The China-based cyberattacks on Google and other companies were "a watershed moment in cybersecurity," according to an executive at computer security company McAfee.

"I believe this is the largest and most sophisticated cyberattack we have seen in years targeted at specific corporations," McAfee Chief Technology Officer George Kurtz wrote on his blog Sunday. "While the malware was sophisticated, we see lots of attacks that use complex malware combined with zero day exploits."

"What really makes this is a watershed moment in cybersecurity is the targeted and coordinated nature of the attack with the … Read more

Microsoft, Adobe prep critical security patches

Microsoft will issue one bulletin on Patch Tuesday next week that is rated "critical" for Windows 2000.

The patch is designed to address a vulnerability that could allow an attacker to take control of a computer by remotely executing code on it, according to an advisory released Thursday. It is rated "low" severity for Windows 7, Vista, XP, Server 2003, and Server 2008 operating systems.

Meanwhile, Adobe Systems is scheduled to release a patch for a vulnerability in Adobe Reader and Acrobat on Tuesday that was discovered in mid-December and which is being exploited by attacks … Read more

Symantec confirms zero-day Acrobat, Reader attack

Symantec on Tuesday confirmed a vulnerability in Adobe Acrobat and Reader and said it was being exploited by a Trojan hidden in e-mail attachments.

The malicious Adobe Acrobat PDF file is distributed via an e-mail attachment that "drops and executes when opened on a fully patched system with either Adobe Acrobat or Reader installed," Symantec said in a statement.

Symantec identified the file as Trojan Pidief.H, which targets Windows 98, 95, XP, Windows Me, Vista, NT, 2000 and Server 2003.

The rate of infection is extremely limited and the risk assessment level is very low, according to … Read more

Microsoft plugs zero-day IE hole

Microsoft released fixes on Tuesday for critical vulnerabilities in Internet Explorer, including one for which exploit code has been released.

Adobe, meanwhile, was scheduled to release a critical update affecting Flash Player and Adobe AIR, following news of exploit code being released for a vulnerability in Illustrator CS3 and CS4 on Windows and Mac last week.

Microsoft's regular Patch Tuesday release includes six security bulletins addressing 12 vulnerabilities in IE, Windows, Windows Server, and Office.

However, priority should be given to the cumulative IE bulletin, which affects all major Windows versions including Windows 7, IE 6, IE 7, and … Read more

Microsoft probing Windows 7 zero-day hole

Microsoft said on Wednesday it is looking into a report of a vulnerability in Windows 7 and Server 2008 Release 2 that could be used by an attacker to remotely crash the computer.

The company is investigating claims of a "possible denial-of-service vulnerability in Windows Server Message Block (SMB)," the Microsoft spokesperson said, adding that the company was unaware of any attacks trying to exploit the hole.

The bug triggers an infinite loop on the Server Message Block (SMB) protocol used for sharing files in Windows, researcher Laurent Gaffié wrote in a posting on the Full-Disclosure mailing list … Read more

Zero-day flaw found in Web encryption

A zero-day flaw in the TLS and SSL protocols, which are commonly used to encrypt Web pages, has been made public.

Security researchers Marsh Ray and Steve Dispensa unveiled the TLS (Transport Layer Security) flaw on Wednesday, following the disclosure of separate, but similar, security findings. TLS and its predecessor, SSL (Secure Sockets Layer), are typically used by online retailers and banks to provide security for Web transactions.

Ray, who works with Dispensa at two-factor authentication company PhoneFactor, explained in a blog post this week that he had initially discovered the flaw in August and demonstrated a working exploit to … Read more