Tag Archives: Zero Day

Hack of Adobe Conducted Via Zero-Day IE Flaw

0
Posted by Tech Paranoia on January 14, 2010 – 2:22 pm
Filed under Hacks, Zero Day, exploit
Tagged as , , , , ,

The recent hack attack on Adobe occurred through exploitation of a zero-day vulnerability that affects all versions of Internet Explorer, according to a security researcher with a leading anti-virus firm.

Microsoft learned about the vulnerability only Wednesday evening and is planning to release an announcement about the vulnerability later today, said the researcher, who asked not to be identified because he’s not authorized to speak with the press.

The vulnerability, for which there is currently no patch, is a memory corruption flaw that causes the browser to internally misfire in a way that allows the hacker to inject malware on the user’s computer.

“It’s pretty targeted so the reality is that it’s only currently being used against these targeted companies,” the researcher said. He couldn’t say how many of the other 33 companies hit in the hack attack were breached in this way.

Zero day vulnerabilities are security flaws in software for which there is currently no patch. Researchers discovered a memory corruption flaw in IE in December, which Microsoft patched on Dec. 9. The researcher, however, said the one that affected Adobe is believed to be a new and different one.

Google announced on Tuesday that it had been the target of a “highly sophisticated” and coordinated hack attack against its corporate network, and that the hackers had stolen intellectual property and sought access to the Gmail accounts of human rights activists.

Minutes later, Adobe acknowledged in a blog post that it discovered Jan. 2 that it had been the target of a “sophisticated, coordinated attack against corporate network systems managed by Adobe and other companies.”

Neither Google nor Adobe provided details about how the hacks occurred.

Full article at: Threat Level

Frustrated bug hunters to expose a flaw a day for a month

0
Posted by Tech Paranoia on January 12, 2010 – 2:00 pm
Filed under Software, exploit
Tagged as , ,

A Russian security firm has pledged to release details of previously undisclosed flaws in enterprise applications it has discovered every day for the remainder of January.

Intevydis intends to publish advisories on zero-day vulnerabilities in products such as Zeus Web Server, MySQL, Lotus Domino and Informix and Novell eDirectory between 11 January and 1 February, security blogger Brian Krebs reports.

As an opener, Intevydis published a crash bug in Sun Directory Server 7.0, along with exploit code. The final line-up of zero-days is still being finalised, but the MySQL buffer overflows and IBM DB2 root vulnerability flaws on the provisional menu sound much tastier than Intevydis’s somewhat bland opener. Advisories are due to be published on the Intevydis blog here.

Intevydis said it launched its campaign after becoming more and more disillusioned with foot-dragging by vendors when confronted by security flaws in their products. “After working with the vendors long enough, we’ve come to conclusion that, to put it simply, it is a waste of time,” Evgeny Legerov, a founder of Intevydis told Krebs. “Now, we do not contact with vendors and do not support so-called ‘responsible disclosure’ policy.”

Only one software vendor, Zeus, reportedly worked with Intevydis in developing a patch to be released at the same time as an upcoming advisory from the Russian security firm. Intevydis’s stance is likely to reboot the long running debate about the responsible disclosure of security vulnerabilities.

Full article at: The Register

Microsoft knew of just-patched IE zero-day for months

0
Posted by Tech Paranoia on December 11, 2009 – 12:30 pm
Filed under Patches
Tagged as , , ,

Microsoft may not have hustled as fast as researchers thought when the company patched a zero-day bug in Internet Explorer (IE) just 18 days after exploit code went public.

According to VeriSign iDefense, Microsoft had information about the browser bug nearly six months before the researcher dubbed “K4mr4n” posted attack code to the Bugtraq security mailing list on Nov. 20.

iDefense’s Zero Day Initiative (ZDI), one of the two best-known bug bounty programs, reported the vulnerability to Microsoft on June 9, 2009, iDefense noted in an advisory published Wednesday.

IE6 and IE7, two versions of Microsoft’s browser that collectively accounted for approximately 39% of all browsers used last month, were the only editions affected by the vulnerability. The ancient IE 5.01 and the new IE8 were immune from the threat.

Three days after K4mr4n publicized the exploit proof-of-concept, Microsoft confirmed that the attack code worked, and issued a security advisory that provided some information about the bug. At no time, however, did it acknowledge it knew of the vulnerability, only going as far as to say it was investigating the issue.

Source: Computerworld

Exploit Released for Adobe Illustrator Zero Day Flaw

0
Posted by Tech Paranoia on December 4, 2009 – 11:00 am
Filed under Software, Zero Day
Tagged as ,

Adobe’s security response team is scrambling to deal with the release of exploit code for what appears to be a critical zero-day flaw in the Adobe Illustrator CS4 software product.

The vulnerability is caused due to an error in the parsing of Encapsulated Postscript Files (.eps) and can be exploited to corrupt memory when a user opens a specially crafted .eps file. Successful exploitation allows execution of arbitrary code.

The flaw is confirmed in version CS3 13.0.0 and CS4 14.0.0. Other versions may also be affected.

Full article at: Threat Post

MS to Patch Critical IE Zero-Day Flaw

0
Posted by Tech Paranoia on December 4, 2009 – 9:00 am
Filed under Patches, Software
Tagged as , , ,

Just two weeks after the release of exploit code for a critical (remotely exploitable) security hole in its Internet Explorer browser, Microsoft says a fix will be included in this month’s batch of Patch Tuesday updates.

Microsoft has already issued an advisory to confirm the severity of the issue, which affects users of Internet Explorer 6 and Internet Explorer 7 on Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. [More...]

In all, Microsoft plans to release six security bulletins next Tuesday (December 8, 2009) to fix security flaws affected IE, Microsoft Office and the Windows operating system.

Three of the six bulletins will be rated “critical,” Microsoft’s highest severity rating.

Source: Threat Post

Zero-day vulnerabilities in Firefox extensions discovered

0
Posted by Tech Paranoia on November 20, 2009 – 2:00 pm
Filed under Software, Zero Day
Tagged as ,

One of the reasons behind Firefox’s popularity is the availability of a vast library of extensions. Users use them to modify the browser to their liking and make their browsing experience easier and more pleasant. The problem is, unbeknown to them, these extensions are exposing them to risk.

At the SecurityByte & OWASP AppSec Conference in India, Roberto Suggi Liverani and Nick Freeman, security consultants with security-assessment.com, offered insight into the substantial danger posed by Firefox extensions.

Mozilla doesn’t have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension.

Any Mozilla application with the extension system is vulnerable to same type of issues. Extensions vulnerabilities are platform independent, and can result in full system compromise.

Full article at Net Security