Security News

We advised everyone to look for a Chrome or Chromium version number ending in.111, given that the previous mainstream version turned out to include a buffer overflow bug that was already known to cybercriminals. The ultimate sort of crack - the gold-medal-with-a-laurel-wreath version - was one that came out with a zero-day delay, where the game and its revenue-busting crack appeared on the very same day.

Cisco has disclosed today a zero-day vulnerability in the Cisco AnyConnect Secure Mobility Client software with proof-of-concept exploit code publicly available. While security updates are not yet available for this arbitrary code execution vulnerability, Cisco is working on addressing the zero-day, with a fix coming in a future AnyConnect client release.

For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile version. The former was found and reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero, the latter by Maddie Stone, Mark Brand, and Sergei Glazunov of Google Project Zero.

The vulnerability exists in the Oracle Solaris Pluggable Authentication Module and allows an unauthenticated attacker with network access via multiple protocols to exploit and compromise the operating system. "In mid-2020, we observed UNC1945 deploy EVILSUN-a remote-exploitation tool containing a zero-day exploit for CVE-2020-14871 - on a Solaris 9 server," said researchers with FireEye, in a Monday analysis.

A threat actor has been observed targeting Oracle Solaris operating systems for over two years, including with an exploit for a recently addressed zero-day vulnerability, FireEye reported on Monday. In late 2018, the threat actor was observed compromising a Solaris server that had the SSH service exposed to the Internet, to install the SLAPSTICK backdoor on it, in order to steal credentials.

Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update. The zero-day flaw, tracked as CVE-2020-16009, was reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on October 29.

Google's Project Zero has discovered and published a buffer overflow vulnerability in the Windows Kernel Cryptography Driver. Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome.

Google today released Chrome 86.0.4240.183 for Windows, Mac, and Linux to address 10 security vulnerabilities including a remote code execution zero-day exploited in the wild. Today, Google patched another zero-day in Chrome for Android exploited in the wild, a sandbox escape vulnerability tracked as CVE-2020-16010.

A high-severity Windows driver bug is being exploited in the wild as a zero-day. The security vulnerability was disclosed by Google Project Zero just seven days after it was reported, since cybercriminals are already exploiting it, according to researchers.

Google researchers have made public a Windows kernel zero day vulnerability that is being exploited in the wild in tandem with a Google Chrome flaw that has been patched on October 20. CVE-2020-17087 is a vulnerability in the Windows Kernel Cryptography Driver, and "Constitutes a locally accessible attack surface that can be exploited for privilege escalation."