The Hacker News Logo
Subscribe to Newsletter

The Hacker News - Cybersecurity News and Analysis: Zero-Day Vulnerability

China's New Law Requires Vendors to Report Zero-Day Bugs to Government

China's New Law Requires Vendors to Report Zero-Day Bugs to Government

July 17, 2021Ravie Lakshmanan
The Cyberspace Administration of China (CAC) has issued new stricter vulnerability disclosure regulations that mandate software and networking vendors affected with critical flaws to mandatorily disclose them first-hand to the government authorities within two days of filing a report. The " Regulations on the Management of Network Product Security Vulnerability " are expected to go into effect starting September 1, 2021, and aim to standardize the discovery, reporting, repair, and release of security vulnerabilities and prevent security risks. "No organization or individual may take advantage of network product security vulnerabilities to engage in activities that endanger network security, and shall not illegally collect, sell or publish information on network product security vulnerabilities," Article 4 of the regulation states. In addition to banning sales of previously unknown security weaknesses, the new rules also forbid vulnerabilities from being disclos
Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

Israeli Firm Helped Governments Target Journalists, Activists with 0-Days and Spyware

July 16, 2021Ravie Lakshmanan
Two of the zero-day Windows flaws rectified by Microsoft as part of its Patch Tuesday update earlier this week were weaponized by an Israel-based company called Candiru in a series of "precision attacks" to hack more than 100 journalists, academics, activists, and political dissidents globally. The spyware vendor was also formally identified as the commercial surveillance company that Google's Threat Analysis Group (TAG) revealed as exploiting multiple zero-day vulnerabilities in Chrome browser to target victims located in Armenia, according to a report published by the University of Toronto's Citizen Lab. " Candiru 's apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab researchers  said . "This case demonstrates, yet again, that in the absence of any international safegua
Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild

Google Details iOS, Chrome, IE Zero-Day Flaws Exploited Recently in the Wild

July 15, 2021Ravie Lakshmanan
Threat intelligence researchers from Google on Wednesday  shed more light  on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year. What's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks. The list of now-patched vulnerabilities is as follows - CVE-2021-1879 : Use-After-Free in QuickTimePluginReplacement (Apple WebKit) CVE-2021-21166 : Chrome Object Lifecycle Issue in Audio CVE-2021-30551 : Chrome Type Confusion in V8 CVE-2021-33742 : Internet Explorer out-of-bounds write in MSHTML Both Chrome zero-days — CVE-2021-21166 and CVE-2021-30551 — are believed to have been used by the same actor, and were delivered as one-time links sent via email to targets located in Armenia, with the links redirecting unsuspecting users to attacker-controlled
A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack

A New Critical SolarWinds Zero-Day Vulnerability Under Active Attack

July 12, 2021Ravie Lakshmanan
SolarWinds, the Texas-based company that became the epicenter of a  massive supply chain attack  late last year, has issued patches to contain a remote code execution flaw in its Serv-U managed file transfer service. The fixes, which target Serv-U Managed File Transfer and Serv-U Secure FTP products, arrive after Microsoft notified the IT management and remote monitoring software maker that the flaw was being exploited in the wild. The threat actor behind the exploitation remains unknown as yet, and it isn't clear exactly how the attack was carried out. "Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability," SolarWinds  said  in an advisory published Friday, adding it's "unaware of the identity of the potentially affected customers." Impacting Serv-U versions 15.2.3 HF1 and before, a successful exploitation of the sh
Update‌ ‌Your Chrome Browser to Patch Yet Another 0-Day Exploit‌ed ‌in‌-the‌-Wild

Update‌ ‌Your Chrome Browser to Patch Yet Another 0-Day Exploit‌ed ‌in‌-the‌-Wild

June 17, 2021Ravie Lakshmanan
Google has rolled out yet another update to Chrome browser for Windows, Mac, and Linux to fix four security vulnerabilities, including one zero-day flaw that's being exploited in the wild. Tracked as  CVE-2021-30554 , the high severity flaw concerns a  use after free vulnerability  in WebGL (aka Web Graphics Library), a JavaScript API for rendering interactive 2D and 3D graphics within the browser. Successful exploitation of the flaw could mean corruption of valid data, leading to a crash, and even execution of unauthorized code or commands. The issue was reported to Google anonymously on June 15, Chrome technical program manager Srinivas Sista  noted , adding the company is "aware that an exploit for CVE-2021-30554 exists in the wild." While it's usually the norm to limit details of the vulnerability until a majority of users are updated with the fix, the development comes less than 10 days after Google addressed another zero-day vulnerability exploited in act
New Chrome 0-Day Bug Under Active Attacks – Update Your Browser ASAP!

New Chrome 0-Day Bug Under Active Attacks – Update Your Browser ASAP!

June 09, 2021Ravie Lakshmanan
Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version Google released earlier today. The internet services company has rolled out an urgent update to the browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild. Tracked as  CVE-2021-30551 , the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw. Although the search giant's Chrome team issued a terse statement acknowledging "an exploit for CVE-2021-30551 exists in the wild," Shane Huntley, Director of Google's Threat Analysis Group,  hinted  that the vulnerability was leveraged by the same actor that abused  CVE-2021-33742 , an actively exploited remote code execution flaw in Windows MSHTML platform t
Hackers‌ ‌Actively‌ ‌Exploiting‌ ‌0-Day‌ ‌in WordPress Plugin Installed on Over ‌17,000‌ ‌Sites

Hackers‌ ‌Actively‌ ‌Exploiting‌ ‌0-Day‌ ‌in WordPress Plugin Installed on Over ‌17,000‌ ‌Sites

June 02, 2021Ravie Lakshmanan
Fancy Product Designer, a WordPress plugin installed on over 17,000 sites, has been discovered to contain a critical file upload vulnerability that's being actively exploited in the wild to upload malware onto sites that have the plugin installed. Wordfence's threat intelligence team, which discovered the flaw, said it reported the issue to the plugin's developer on May 31. While the flaw has been acknowledged, it's yet to be addressed. Fancy Product Designer is a tool that enables businesses to offer customizable products, allowing customers to design any kind of item ranging from T-shirts to phone cases by offering the ability to upload images and PDF files that can be added to the products. "Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed," Wordfence
Apple‌ Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS

Apple‌ Issues Patches to Combat Ongoing 0-Day Attacks on macOS, tvOS

May 24, 2021Ravie Lakshmanan
Apple on Monday rolled out security updates for  iOS ,  macOS ,  tvOS ,  watchOS , and  Safari  web browser to fix multiple vulnerabilities, including an actively exploited zero-day flaw in macOS Big Sur and expand patches for two previously disclosed zero-day flaws.  Tracked as CVE-2021-30713, the zero-day concerns a permissions issue in Apple's Transparency, Consent, and Control ( TCC ) framework in macOS that maintains a database of each user's consents. The iPhone maker acknowledged that the issue may have been exploited in the wild but stopped short of sharing specifics. The company noted that it rectified the problem with improved validation. However, in a separate report, mobile device management company Jamf said the bypass flaw was being actively exploited by XCSSET, a malware that's been out in the wild since August 2020 and known to propagate via modified  Xcode IDE projects  hosted on GitHub repositories and plant malicious packages into legitimate apps ins
Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

Android Issues Patches for 4 New Zero-Day Bugs Exploited in the Wild

May 19, 2021Ravie Lakshmanan
Google on Wednesday updated its May 2021 Android Security Bulletin to disclose that four of the security vulnerabilities that were patched earlier this month by Arm and Qualcomm may have been exploited in the wild as zero-days. "There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," the search giant  said  in an updated alert. The four flaws impact  Qualcomm Graphics  and  Arm Mali GPU Driver  modules — CVE-2021-1905  (CVSS score: 8.4) - A use-after-free flaw in Qualcomm's graphics component due to improper handling of memory mapping of multiple processes simultaneously. CVE-2021-1906  (CVSS score: 6.2) - A flaw concerning inadequate handling of address deregistration that could lead to new GPU address allocation failure. CVE-2021-28663  (CVSS score: NA) - A vulnerability in Arm Mali GPU kernel that could permit a non-privileged user to make improper operations on GPU memory, leading
Apple Releases Urgent Security Patches For Zero‑Day Bugs Under Active Attacks

Apple Releases Urgent Security Patches For Zero‑Day Bugs Under Active Attacks

May 03, 2021Ravie Lakshmanan
Apple on Monday released security updates for  iOS ,  macOS , and  watchOS  to address three zero-day flaws and expand patches for a fourth vulnerability that the company said might have been exploited in the wild. The weaknesses all concern WebKit, the browser engine which powers Safari and other third-party web browsers in iOS, allowing an adversary to execute arbitrary code on target devices. A summary of the three security bugs are as follows - CVE-2021-30663:  An integer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved input validation. CVE-2021-30665:  A memory corruption issue that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addressed with improved state management. CVE-2021-30666:  A buffer overflow vulnerability that could be exploited to craft malicious web content, which may lead to code execution. The flaw was addr
Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit

Update Your Chrome Browser ASAP to Patch a Week Old Public Exploit

April 21, 2021Ravie Lakshmanan
Google on Tuesday released an update for Chrome web browser for Windows, Mac, and Linux, with a total of seven security fixes, including one flaw for which it says an exploit exists in the wild. Tracked as CVE-2021-21224 , the flaw concerns a type confusion vulnerability in V8 open-source JavaScript engine that was reported to the company by security researcher Jose Martinez on April 5 According to security researcher  Lei Cao , the bug [ 1195777 ] is triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve arbitrary memory read/write primitive. "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," Chrome's Technical Program Manager Srinivas Sista  said  in a blog post. The update comes after proof-of-concept (PoC) code exploiting the flaw published by a researcher named " frust " emerged on April 14 by taking advantage of the fact that the issue was addressed
3 Zero-Day Exploits Hit SonicWall Enterprise Email Security Appliances

3 Zero-Day Exploits Hit SonicWall Enterprise Email Security Appliances

April 20, 2021Ravie Lakshmanan
SonicWall has addressed three critical security vulnerabilities in its hosted and on-premises email security (ES) product that are being actively exploited in the wild. Tracked as CVE-2021-20021 and CVE-2021-20022, the  flaws  were discovered and reported to the company by FireEye's Mandiant subsidiary on March 26, 2021, after the cybersecurity firm detected post-exploitation web shell activity on an internet-accessible system within a customer's environment that had SonicWall's ES application running on a Windows Server 2012 installation. A third flaw (CVE-2021-20023) identified by FireEye was disclosed to SonicWall on April 6, 2021. FireEye is tracking the malicious activity under the moniker UNC2682. "These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device," researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino  said . The adversary leveraged these vulnerabilities, with intimate
Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits

April 13, 2021Ravie Lakshmanan
Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation. One of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (CVE-2021-21220), which was demonstrated by Dataflow Security's Bruno Keith and Niklas Baumstark at the  Pwn2Own 2021  hacking contest last week. While Google moved to fix the flaw quickly, security researcher Rajvardhan Agarwal published a  working exploit  over the weekend by reverse-engineering the patch that the Chromium team pushed to the open-source component, a factor that may have played a crucial role in the release. UPDATE:   Agarwal, in an email to The Hacker News, confirmed that there's one more vulnerability affecting Chromium-based browsers that has been patched in the latest vers
NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers

NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers

April 13, 2021Ravie Lakshmanan
In its April slate of patches, Microsoft rolled out fixes for a total of  114 security flaws , including an actively exploited zero-day and four remote code execution bugs in Exchange Server. Of the  114 flaws , 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity. Chief among them is  CVE-2021-28310 , a privilege escalation vulnerability in Win32k that's said to be under active exploitation, allowing attackers to elevate privileges by running malicious code on a target system.  Cybersecurity firm Kaspersky, which discovered and reported the flaw to Microsoft in February, linked the zero-day exploit to a threat actor named Bitter APT, which was found exploiting a similar flaw ( CVE-2021-1732 ) in attacks late last year. "It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access," Kaspersky researcher Boris Larin  said . NS
CISA Issues Emergency Directive on In-the-Wild Microsoft Exchange Flaws

CISA Issues Emergency Directive on In-the-Wild Microsoft Exchange Flaws

March 04, 2021Ravie Lakshmanan
Following Microsoft's release of out-of-band patches to address multiple zero-day flaws in on-premises versions of Microsoft Exchange Server, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has  issued  an emergency directive warning of " active exploitation " of the vulnerabilities. The alert comes on the heels of Microsoft's  disclosure  that China-based hackers were exploiting unknown software bugs in Exchange server to steal sensitive data from select targets, marking the second time in four months that the U.S. has scrambled to address a widespread hacking campaign believed to be the work of foreign threat actors. While the company mainly attributed the campaign to a threat group called HAFNIUM, Slovakian cybersecurity firm ESET  said  it found evidence of CVE-2021-26855 being actively exploited in the wild by several cyber espionage groups, including LuckyMouse, Tick, and Calypso targeting servers located in the U.S., Europe, Asia, and the
URGENT — 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange

URGENT — 4 Actively Exploited 0-Day Flaws Found in Microsoft Exchange

March 02, 2021Ravie Lakshmanan
Microsoft has  released emergency patches  to address four previously undisclosed security flaws in Exchange Server that it says are being actively exploited by a new Chinese state-sponsored threat actor with the goal of perpetrating data theft. Describing the attacks as "limited and targeted," Microsoft Threat Intelligence Center (MSTIC) said the adversary used these vulnerabilities to access on-premises Exchange servers, in turn granting access to email accounts and paving the way for the installation of additional malware to facilitate long-term access to victim environments. The tech giant primarily attributed the campaign with high confidence to a threat actor it calls HAFNIUM, a state-sponsored hacker collective operating out of China, although it suspects other groups may also be involved. Discussing the tactics, techniques, and procedures (TTPs) of the group for the first time, Microsoft paints HAFNIUM as a "highly skilled and sophisticated actor" that m
New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP!

New Chrome 0-day Bug Under Active Attacks – Update Your Browser ASAP!

March 02, 2021Ravie Lakshmanan
Exactly a month after  patching  an actively exploited zero-day flaw in Chrome, Google today rolled out fixes for yet another zero-day vulnerability in the world's most popular web browser that it says is being abused in the wild. Chrome 89.0.4389.72, released by the search giant for Windows, Mac, and Linux on Tuesday, comes with a total of 47 security fixes, the most severe of which concerns an "object lifecycle issue in audio." Tracked as CVE-2021-21166, the security flaw is one of the two bugs reported last month by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available. With no additional details, it's not immediately clear if the two security shortcomings are related. Google acknowledged that an exploit for the vulnerability exists in the wild but stopped short of s
Hackers Exploiting Critical Zero-Day Bug in SonicWall SMA 100 Devices

Hackers Exploiting Critical Zero-Day Bug in SonicWall SMA 100 Devices

February 01, 2021Ravie Lakshmanan
SonicWall on Monday warned of active exploitation attempts against a zero-day vulnerability in its Secure Mobile Access (SMA) 100 series devices. The flaw, which affects both physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v), came to light after the NCC Group on Sunday  alerted  it had detected "indiscriminate use of an exploit in the wild." Details of the exploit have not been disclosed to prevent the zero-day from being misused further, but a patch is expected to be available by the end of day on February 2, 2021. "A few thousand devices are impacted," SonicWall  said  in a statement, adding, "SMA 100 firmware prior to 10.x is unaffected by this zero-day vulnerability." On January 22, The Hacker News exclusively  revealed  that SonicWall had been breached as a consequence of a coordinated attack on its internal systems by exploiting "probable zero-day vulnerabilities" in its SMA 100 series remote acc
Google Hacker Details Zero-Click 'Wormable' Wi-Fi Exploit to Hack iPhones

Google Hacker Details Zero-Click 'Wormable' Wi-Fi Exploit to Hack iPhones

December 01, 2020Ravie Lakshmanan
Google Project Zero white-hat hacker Ian Beer on Tuesday disclosed details of a now-patched critical "wormable" iOS bug that could have made it possible for a remote attacker to gain complete control of any device in the vicinity over Wi-Fi. The exploit makes it possible to "view all the photos, read all the email, copy all the private messages and monitor everything which happens on [the device] in real-time,"  said  Beer in a lengthy blog post detailing his six-month-long efforts into building a proof-of-concept single-handedly. The  flaw  (tracked as  CVE-2020-3843 ) was addressed by Apple in a series of security updates pushed as part of  iOS 13.3.1 ,  macOS Catalina 10.15.3 , and  watchOS 5.3.7  earlier this year. "A remote attacker may be able to cause unexpected system termination or corrupt kernel memory," the iPhone maker noted in its advisory, adding the "memory corruption issue was addressed with improved input validation." The v
Microsoft Releases Windows Security Updates For Critical Flaws

Microsoft Releases Windows Security Updates For Critical Flaws

November 11, 2020Ravie Lakshmanan
Microsoft formally released fixes for 112 newly discovered security vulnerabilities as part of its  November 2020 Patch Tuesday , including an actively exploited zero-day flaw disclosed by Google's security team last week. The rollout addresses flaws, 17 of which are rated as Critical, 93 are rated as Important, and two are rated Low in severity, once again bringing the patch count over 110 after a drop last month. The security updates encompass a range of software, including Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer, Edge, ChakraCore, Exchange Server, Microsoft Dynamics, Windows Codecs Library, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio. Chief among those fixed is  CVE-2020-17087  (CVSS score 7.8), a buffer overflow flaw in Windows Kernel Cryptography Driver ("cng.sys") that was  disclosed on October 30  by the Google Project Zero team as being used in conjunction with a Chrome zero-day to compromise Window
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.