Updated The popular Vanilla Forums software needs patching against a remote code execution zero-day first reported to the developers in December 2016. Published by ExploitBox, the zero-day “can be exploited by unauthenticated remote attackers to execute arbitrary code and fully compromise the target application when combined with Host …

Canada Revenue Agency (CRA) says its website was attacked by hackers exploiting an Apache Struts 2 vulnerability. The site was taken offline to patch the security bug, and only publicly accessible information was lifted from the compromised web servers, we're told. The flaw in the Struts 2 framework is trivial to exploit: …

Infosec researchers have found a “dire” zero-day in Apache Struts 2, and it's under active attack. If you're a sysadmin using the Jakarta-based file upload Multipart parser under Apache Struts 2, Nick Biasini of Cisco's Talos advises applying the latest upgrade immediately. CVE-2017-5638 is documented at Rapid7's Metasploit …

Google has slung a grenade at Microsoft by disclosing a Windows vulnerability before Redmond has a patch ready. The bug can be exploited by malware on a machine to gain administrator-level access. According to this blog post by Neel Mehta and Billy Leonard of the Chocolate Factory's Threat Analysis Group, the reason for going …

Security researchers have shone fresh light on the allegedly Russian state-sponsored hacking crew blamed for ransacking the US Democratic National Committee's computers. Sednit – also known as APT28, Fancy Bear and Sofacy – has been operating since 2004. The cyber-mob has reportedly infiltrated machines operated by targets as …

Google security man Tavis Ormandy has revealed a dangerous remote zero day vulnerability in Kaspersky kit that grants attackers system privileges. The bug is a remote "zero interaction" buffer overflow affecting default installation configurations of the latest anti-virus software versions. "So, about as bad as it gets," …

Updated Microsoft has run out of time to fix four critical security vulnerabilities in the mobile edition of Internet Explorer – prompting HP's Zero Day Initiative (ZDI) to disclose their existence without revealing any damaging details. All four of the flaws present a remote code execution (i.e. malicious code injection on a Windows …

New research from the Global Commission on Internet Governance has reached a surprising conclusion: cyberspace is actually getting safer. The report [PDF] starts from a simple enough premise: while we are constantly told that incidents of cyberattacks and online security threats are increasing, are they growing relative to the …

Trend Micro has issued predictable-but-sensible advice that Java should be switched off, because there's a zero-day being exploited in the wild. Trend malware researchers Brooks Li and Feike Hacquebord said the exploit will hose systems running the latest Java platform. Because there's no patch, they added users should disable …

Updated Two more serious Adobe Flash vulnerabilities have emerged from the leaked Hacking Team files, ones which allow malefactors to take over computers remotely – and crooks are apparently already exploiting at least one of them to infect machines. The use-after-free() programming flaws, for which no patches exist, are identified as …

Adobe has issued yet another update for Flash Player to patch a critical vulnerability revealed in documents leaked from spyware maker Hacking Team. The update patches 36 CVE-listed flaws, including the hacking Team's CVE-2015-5119 bug – which can be exploited by a malicious Flash file to run malware on a victim's system. Some …

So it's confirmed: the Adobe Flash vulnerability revealed in the Hacking Team hack is out in the wild being used, and there's no patch yet. Flash users beware! Two sources, Malwarebytes and Malware Don't Need Coffee, have documented updates to the Neutrino exploit kit and Angler exploit kit, respectively. Both kits, which are …

A hacking group probably backed by Russia has been making use of two zero-day exploits to target foreign governments. The so-called "Operation RussianDoll" attackers used zero-day exploits in Adobe Flash and Windows to target a specific foreign government organisation. Security firm FireEye says the pattern of the attacks …

The Electronic Frontiers Foundation reckons America's spooks aren't living up to the Obama administration's 2014 statement that it would disclose more vulnerabilities than it hoarded. In April 2014, the administration told the world it would only keep vulnerabilities back where its spooks thought it was vital for intelligence …

Germany's spooks have come under fire for reportedly seeking funds to find bugs – not to fix them, but to hoard them. According to The Süddeutsche Zeitung, the country's BND – its federal intelligence service – wants €300 million in funding for what it calls the Strategic Technical Initiative. The Local says €4.5 million of …

Hackers are exploiting a zero-day vulnerability in Windows using malicious PowerPoint documents, Microsoft and security firms warn. An advisory from Microsoft warns that the as-yet-unpatched flaw is present in all supported versions of Windows except Windows Server 2003 and has already been abused in "limited, targeted attacks …

Get patching, sysadmins, there's a zero-day in Symantec Endpoint Protection (SEP). This US-CERT advisory is alerting anyone who ignored Symatec's note about the issue. CVE-2014-3434 is a local access vulnerability with a public exploit. A client buffer overflow can cause a blue-screen-of-death on the client, which could also …

A newly uncovered attack specifically targeting out-of-support Windows XP machines running Internet Explorer 8 is being used to hack potential victims in multiple industries across Europe and North America, according to security researchers. This is the first “in the wild” attack spotted against Windows XP after Microsoft …