Displaying items by tag: ZeroDay

Google pushed out an out-of-band patch for Chrome on Friday (March 25th, 2022) due to a high-severity vulnerability. The patch was pushed out quickly because the vulnerability, tracked as CVE-2022-1096, is being actively exploited in the wild. CVE-2022-1096 is a type confusion vulnerability in the JavaScript engine used by Chrome and was reported to Google by an anonymous researcher last week.

Published in Security Talk

Google has announced the release of a new version of Chrome. The new version comes with fixes for eight vulnerabilities. One of these vulnerabilities, CVE-2022-0609, which is described as a use-after-free vulnerability, is already being exploited in the wild. This has led them to advise users to update Chrome as soon as possible to avoid compromise. The flaws were found by Google’s own Threat Analysis Group.

Published in Security Talk

The current threat landscape has user account compromise and endpoint takeover as the most common first acts in a security event. The methods used to accomplish this are varied but include such blockbusters as poisoned websites and URLs embedded in email. Once the website is processed, the exploit kicks off and things tend to go downhill from there. The most commonly abused feature of your web browser is its ability to process scripts (especially JavaScript). Now Microsoft says they have a way to knock out as much as 45% of exploit attempts related to JavaScript and WebAssembly when using their Chromium-based Edge browser.

Published in Security Talk

The world lives in fear of zero-day exploits, although the average person does not even know it. A zero-day exploit is a bug or a flaw that has not been discovered by the developers yet, but is known to someone outside. This can be good guys, bad guys or other, but it is still a flaw that can be used to do harm to a computer system, and no one has a patch for it yet. When the good guys (security researchers) know about them, they work with companies to patch them. When the bad guys know about them, things get very ugly indeed. But what happens if someone knows about one (or a bunch of them) and does not tell anyone at all?

Published in Editorials

Microsoft is joining the ranks of Symantec and McAfee in a very special group. This is a group of companies whose anti-malware products can be/have been attacked directly. In a security update, Microsoft says that a specifically crafted file can stop the service from working until manually removed.

Published in News

In the browser wars there is always going to be the argument over which browser is “better”. You will hear people talk about how fast, secure, cool, or feature-rich their favorite browser is, but in the end all of them really fall short of where they should be. Oddly enough, it is Microsoft’s Internet Explorer that gets the brunt of the jokes and jabs (in many cases rightly so). However, at this year’s Pwn2Own it was Mozilla’s Firefox that got tossed around like a rag doll.

Published in News

It looks like there is another security flaw in Flash. The often beleaguered web animation/video player has been the vector of attack for more than one piece of malware in the last few years. Adobe has been working hard to keep up with all of the reported security issues with the browser plug-in as well as to find ones that have not been reported.

Published in News

Google’s previously unassailable Chrome web browser has now been hacked three times in only two days. The first two we have already told you about in a previous article. Vupen, a French research company, found a 0-day exploit that allowed them to jump out of Google’s sandbox and then another that allowed them to execute arbitrary code on the OS that Chrome was installed on (in this case Windows). Vupen did this as part of the Pwn2Own competition held every year.

Published in News
Friday, 09 March 2012 16:14

Internet Explorer 9 Also Falls During Pwn2Own

Although not incredibly big news, it looks like Microsoft’s Internet Explorer 9 fell to exploits on Thursday during the Pwn2Own competition. Once again it was Vupen that managed the exploit. Interestingly enough, as with Chrome, it took two separate attacks to get past the security in place for IE 9. One is something that has been present in every version of Internet Explorer since IE6 and the other is a non-disclosed 0-day exploit to get past the protected mode available in IE.

Published in News

A new zero-day flaw has been found in Microsoft’s Windows 7 OS, but it only applies to a very limited set of circumstances. In this case the system in question needs to be running the 64-bit version of the OS and have Apple’s Safari browser installed. This combination is probably fairly common, as Apple pushes Safari at you with any download of iTunes or QuickTime.

Published in News