Security News

Exploit code released for three iOS 0-days that Apple failed to patch
2021-09-24 11:13

Proof-of-concept exploit code for three iOS zero-day vulnerabilities was published on GitHub after Apple delayed patching and failed to credit the researcher.The researcher who found the four zero-days reported them to Apple between March 10 and May 4.

Windows MSHTML 0-Day Exploited to Deploy Cobalt Strike Beacon in Targeted Attacks
2021-09-16 21:50

Microsoft on Wednesday disclosed details of a targeting phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems. "These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders," Microsoft Threat Intelligence Center said in a technical write-up.

S3 Ep50: Two 0-days plus another 0-day plus a fast food bug [Podcast]
2021-09-15 18:31

Oh! No! A touchpad user turns right into left, and vice versa. LISTEN NOW. Click-and-drag on the soundwaves below to skip to any point in the podcast.

New 0-Day Attack Targeting Windows Users With Microsoft Office Documents
2021-09-07 21:55

Microsoft on Tuesday warned of an actively exploited zero-day flaw impacting Internet Explorer that's being used to hijack vulnerable Windows systems by leveraging weaponized Office documents. "Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," the company said.

Microsoft Says Chinese Hackers Were Behind SolarWinds Serv-U SSH 0-Day Attack
2021-09-06 03:12

Microsoft has shared technical details about a now-fixed, actively exploited critical security vulnerability affecting SolarWinds Serv-U managed file transfer service that it has attributed with "High confidence" to a threat actor operating out of China. "The Serv-U SSH server is subject to a pre-auth remote code execution vulnerability that can be easily and reliably exploited in the default configuration," Microsoft Offensive Research and Security Engineering team said in a detailed write-up describing the exploit.

Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers
2021-08-27 02:24

U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure on July 3, 2021.

Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers
2021-08-27 02:24

U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure on July 3, 2021.

S3 Ep43: Apple 0-day, pygmy hippos, hive nightmares and Twitter hacker bust [Podcast]
2021-07-30 18:18

A new sort of Windows nightmare, this one not involving printers. Another new sort of Windows nightmare, also with no printers.

Microsoft researcher found Apple 0-day in March, didn’t report it
2021-07-29 18:20

Like almost all Apple security fixes, the update arrived without any sort of warning, but unlike most Apple updates, only a single bug was listed on the "Fix list," and even by Apple's brisk and efficient bug-listing standards, the information published was thin. All we know is that Apple says that it "Is aware of a report that this issue may have been actively exploited".

Apple Releases Urgent 0-Day Bug Patch for Mac, iPhone and iPad Devices
2021-07-27 04:14

Apple on Monday rolled out an urgent security update for iOS, iPadOS, and macOS to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year. CVE-2021-30661 - Processing maliciously crafted web content may lead to arbitrary code execution.