Articles about exploit

Miscreants tripled output of proof of concept exploits in 2015

Hackers collectively tripled the production of proof-of-concept exploits last year, according to a new study out on Thursday. Researchers and black hats develop proof-of-concept (PoC) exploits for research or demonstration purposes. These PoCs are developed for various reasons – to demonstrate that software is vulnerable, …
John Leyden, 5 May 2016

Researchers find hole in SIP, Apple’s newest protection feature

Security researchers have discovered a vulnerability that creates a means for hackers to circumvent Apple’s newest protection feature, System Integrity Protection (SIP). SIP is designed to prevent potentially malicious software from modifying protected files and folders. The technology is designed to protect the system from …
John Leyden, 24 Mar 2016

How to evade Apple's anti-malware Gatekeeper in OS X and really ruin a fanboy's week

The myth that Macs are inherently more secure than Windows PCs has taken another hit. Patrick Wardle, a former NSA staffer who now heads up research at crowdsourced security intelligence firm Synack, has found a new route around Apple's defensive Gatekeeper technology. Apple's Gatekeeper utility is built into OS X, and is …
John Leyden, 1 Oct 2015

North Korea exploits 0-day in Seoul's favourite word processor

FireEye researchers Genwei Jiang and Josiah Kimble say attackers from North Korea exploited a zero-day vulnerability in a word processor popular with South Korea's government. The attackers went after the vulnerability (CVE-2015-6585) in the Hangul Word Processor prior to a patch issued last Monday. Accurate attribution …
Darren Pauli, 10 Sep 2015

Hacking Team Flash exploit leak revealed lightning reflexes of malware toolkit crafters

Black Hat 2015: When the Italian surveillanceware maker Hacking Team got hacked last month, the intruders unwittingly set the groundwork for a very interesting research project. Tracking the time from a vulnerability being found in some software to seeing it exploited in the wild is tricky – malware writers don't often publicize their …
Iain Thomson, 5 Aug 2015

Major web template flaw lets miscreants break out of sandboxes

Black Hat 2015: A serious fresh category of web security vulnerability creates the potential for all sorts of mischief, security researchers warn. Template engines are widely used by web applications in order to present dynamic data via web pages and emails. The technology offers a server-side sandbox. The commonplace practice of allowing …
John Leyden, 5 Aug 2015

Borg patches enterprise ASR router DoS hole

Cisco has closed a hole in its ASR 1000 line of enterprise and service provider-grade routers that could trigger denial of service. Attackers can exploit the hole by crafting a series of packets that cause the routers to reload and cut net services. The Borg says it has not witnessed attacks in the wild. "A vulnerability in …
Darren Pauli, 31 Jul 2015

VENOM virtual vuln proves less poisonous than first feared

Analysis: A newly discovered vulnerability in many popular virtual machine platforms is serious, but nowhere near as bad as last year’s Heartbleed vulnerability, according to security experts. Dubbed VENOM (Virtualized Environment Neglected Operations Manipulation), the zero-day flaw takes advantage of the “virtual floppy disk …
John Leyden, 14 May 2015

Sysadmins, patch now: HTTP 'pings of death' are spewing across web to kill Windows servers

The SANS Institute has warned Windows IIS web server admins to get patching as miscreants are now exploiting a flaw in the software to crash websites. The security bug (CVE-2015-1635) allows attackers to knock web servers offline by sending a simple HTTP request. Microsoft fixed this denial-of-service vulnerability on Tuesday …
Iain Thomson, 16 Apr 2015

Android SDK nonce flaw lets hackers fiddle with your Dropbox privates

IBM's security team has found an unsettling flaw that can leave the Dropbox accounts of mobile users wide open to snooping by attackers. The researchers spotted some sloppy coding in Dropbox's SDK Version 1.5.4 for Android. Applications that link to Dropbox accounts using the SDK may be vulnerable, owing to a flaw that can …
Iain Thomson, 11 Mar 2015

WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed

Security researchers have released a proof-of-concept exploit against the SChannel crypto library flaw patched by Microsoft last week. The release of a PoC for the MS14-066 vulnerability through the Canvas tool from Immunity Inc underlines the need to patch. The flaw opens the door to remote code execution on unpatched …
John Leyden, 17 Nov 2014

DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides

Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn. An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks …
John Leyden, 22 Oct 2014

Microsoft hardens EMET security tool: OK, it's not invulnerable, but it's free

Microsoft has beefed up its Enhanced Mitigation Experience Toolkit (EMET), adding features designed to block more exploits. The release of the technical review (beta) version of the tool, EMET 5.0, follows the discovery of new attacks against earlier versions of the technology. EMET 5.0 beta comes with a feature called Attack …
John Leyden, 26 Feb 2014

Fiendish Internet Explorer 10 zero-day targets US soldiers

Cyberspies have used an unpatched vulnerability in Internet Explorer 10 in an exploit which appears to target US military personnel. Among three high-priority updates in the most recent Patch Tuesday (11 February) was a cumulative fix for Explorer which addressed a whopping two dozen different memory corruption vulnerabilities …
John Leyden, 14 Feb 2014

Feeling twitchy about nasty IE 0-day? Microsoft promises relief today

An unpatched flaw in Internet Explorer that became the topic of a high-profile warning over the weekend will be patched later on Tuesday, Microsoft promises. The CVE-2013-3918 vulnerability, affecting an Internet Explorer ActiveX Control, shipped up in active attacks detected by net security firm FireEye, sparking a high- …
John Leyden, 12 Nov 2013

Yet ANOTHER IE 0-day hole found: Malware-flingers already using it for drive-by badness

Security researchers have discovered new zero-day vulnerabilities in Internet Explorer that are already being harnessed by hackers to run a new type of drive-by attack. FireEye, the security firm that discovered the attack method, said that the flaw is present in various versions of Internet Explorer 7, 8, 9 and 10, while …
John Leyden, 11 Nov 2013

Windows, Office zero-day vuln must wait for next Patch Tuesday, says MS

Microsoft is lining up eight bulletins for the November edition of patch Tuesday (12 November), including three critical fixes, but there's no relief in sight for a zero-day vulnerability in how Office handles .TIFF graphics files. Hackers are exploiting a zero-day vulnerability in a graphics library that is used by Microsoft …
John Leyden, 8 Nov 2013

Microsoft hands out $28K to bug-hunters

Microsoft's first ever bug bounty programme has resulted in payouts totalling $28,000 to security researchers who found flaws in the preview release of Internet Explorer 11. Redmond offers a maximum reward of $11,000 to researchers who found security vulnerabilities in pre-release versions of IE 11 during the period of the bug …
John Leyden, 8 Oct 2013

Biting the hand that feeds IT © 1998–2017