Zero-Day Vulnerability | Breaking Cybersecurity News | The Hacker News

An anonymous hacker today publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin—one of the widely used internet forum software, The Hacker News has learned. One of the reasons why the vulnerability should be viewed as a severe issue is not just because it is remotely exploitable, but also doesn't require authentication. Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers more than 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums. According to details published on the Full Disclosure mailing list, the hacker claims to have found a remote code execution vulnerability that appears to affect vBulletin versions 5.0.0 till the latest 5.5.4. The Hacker News has independently verified that the flaw works, as described, and affects the latest version of vBulletin software, which even

Beware Apple users! Your iPhone can be hacked just by visiting an innocent-looking website, confirms a terrifying report Google researchers released earlier today. The story goes back to a widespread iPhone hacking campaign that cybersecurity researchers from Google's Project Zero discovered earlier this year in the wild, involving at least five unique iPhone exploit chains capable of remotely jailbreaking an iPhone and implanting spyware on it. Those iOS exploit chains were found exploiting a total of 14 separate vulnerabilities in Apple's iOS mobile operating system—of which 7 flaws resided in Safari web browser, 5 in the iOS kernel and 2 separate sandbox escape issues—targeting devices with almost every version in that time-frame from iOS 10 through to the latest version of iOS 12. According to a deep-dive blog post published by Project Zero researcher Ian Beer, only two of the 14 security vulnerabilities were zero-days, CVE-2019-7287 and CVE-2019-7286, and unpat

Identities now transcend human boundaries. Within each line of code and every API call lies a non-human identity. These entities act as programmatic access keys, enabling authentication and facilitating interactions among systems and services, which are essential for every API call, database query, or storage account access. As we depend on multi-factor authentication and passwords to safeguard human identities, a pressing question arises: How do we guarantee the security and integrity of these non-human counterparts? How do we authenticate, authorize, and regulate access for entities devoid of life but crucial for the functioning of critical systems? Let's break it down. The challenge Imagine a cloud-native application as a bustling metropolis of tiny neighborhoods known as microservices, all neatly packed into containers. These microservices function akin to diligent worker bees, each diligently performing its designated task, be it processing data, verifying credentials, or

Important Update (21 June 2019) ➤  The Tor Project on Friday released second update ( Tor Browser 8.5.3 ) for its privacy web-browser that patches the another Firefox zero-day vulnerability patched this week. Following the latest critical update for Firefox, the Tor Project today released an updated version of its anonymity and privacy browser to patch the same Firefox vulnerability in its bundle. Earlier this week, Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 versions to patch a critical actively-exploited vulnerability ( CVE-2019-11707 ) that could allow attackers to remotely take full control over systems running the vulnerable browser versions. Besides updating Firefox, the latest Tor Browser 8.5.2 for desktops also includes updated NoScript version 10.6.3 that fixes a few known issues. According to the Tor Project Team, if you are already using Tor browser with "safer" and "safest" security levels, the flaw doesn't affect you. For som

Oracle has released an out-of-band emergency software update to patch a newly discovered critical vulnerability in the WebLogic Server. According to Oracle, the vulnerability—which can be identified as CVE-2019-2729 and has a CVSS score of 9.8 out of 10—is already being exploited in the wild by an unnamed group of attackers. Oracle WebLogic is a Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud, which is popular across both, cloud environment and conventional environments. The reported vulnerability is a deserialization issue via XMLDecoder in Oracle WebLogic Server Web Services that could allow unauthorized remote attackers to execute arbitrary code on the targeted servers and take control over them. "This remote code execution vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password," the advisor

Less than 24 hours after publicly disclosing an unpatched zero-day vulnerability in Windows 10 , the anonymous hacker going by online alias "SandboxEscaper" has now dropped new exploits for two more unpatched Microsoft zero-day vulnerabilities. The two new zero-day vulnerabilities affect Microsoft's Windows Error Reporting service and Internet Explorer 11. Just yesterday, while releasing a Windows 10 zero-day exploit for a local privilege escalation bug in Task Scheduler utility, SandboxEscaper claimed to have discovered four more zero-day bugs, exploits for two has now been publicly released. AngryPolarBearBug2 Windows Bug One of the latest Microsoft zero-day vulnerabilities resides in the Windows Error Reporting service that can be exploited using a discretionary access control list (DACL) operation—a mechanism that identifies users and groups that are assigned or denied access permissions to a securable object. Upon successful exploitation, an attacker can del

An anonymous hacker with an online alias "SandboxEscaper" today released proof-of-concept (PoC) exploit code for a new zero-day vulnerability affecting Windows 10 operating system—that's his/her 5th publicly disclosed Windows zero-day exploit [ 1 , 2 , 3 ] in less than a year. Published on GitHub , the new Windows 10 zero-day vulnerability is a privilege escalation issue that could allow a local attacker or malware to gain and run code with administrative system privileges on the targeted machines, eventually allowing the attacker to gain full control of the machine. The vulnerability resides in Task Scheduler, a utility that enables Windows users to schedule the launch of programs or scripts at a predefined time or after specified time intervals. SandboxEscaper's exploit code makes use of SchRpcRegisterTask, a method in Task Scheduler to register tasks with the server, which doesn't properly check for permissions and can, therefore, be used to set an arb

A team of cybersecurity researchers today published a post warning enterprises of an unpatched, highly critical zero-day vulnerability in Oracle WebLogic server application that some attackers might have already started exploiting in the wild. Oracle WebLogic is a scalable, Java-based multi-tier enterprise application server that allows businesses to quickly deploy new products and services on the cloud. It's popular across both, cloud environment and conventional environments. Oracle WebLogic application reportedly contains a critical deserialization remote code execution vulnerability that affects all versions of the software, which can be triggered if the "wls9_async_response.war" and "wls-wsat.war" components are enabled. The vulnerability, spotted by the researchers from KnownSec 404, allows attackers to remotely execute arbitrary commands on the affected servers just by sending a specially crafted HTTP request—without requiring any authorization.

Exclusive — A security researcher today publicly disclosed details and proof-of-concept exploits for two 'unpatched' zero-day vulnerabilities in Microsoft's web browsers after the company allegedly failed to respond to his responsible private disclosure. Both unpatched vulnerabilities—one of which affects the latest version of Microsoft Internet Explorer and another affects the latest Edge Browser —allow a remote attacker to bypass same-origin policy on victim's web browser. Same Origin Policy (SOP) is a security feature implemented in modern browsers that restricts a web-page or a script loaded from one origin to interact with a resource from another origin, preventing unrelated sites from interfering with each other. In other words, if you visit a website on your web browser, it can only request data from the same origin [domain] the site was loaded from, preventing it from making any unauthorized request on your behalf in order to steal your data, from othe

A zero-day vulnerability has been discovered and reported in the Microsoft's Windows operating system that, under a certain scenario, could allow a remote attacker to execute arbitrary code on Windows machine. Discovered by security researcher John Page (@hyp3rlinx), the vulnerability was reported to the Microsoft security team through Trend Micro's Zero Day Initiative (ZDI) Program over 6 months ago, which the tech giant has refused to patch, at least for now. The vulnerability, which has not been assigned any CVE number, actually resides within the processing of a vCard file—a standard file format for storing contact information for a person or business, which is also supported by Microsoft Outlook. According to the researcher, a remote attacker can maliciously craft a VCard file in a way that the contact's website URL stored within the file points to a local executable file, which can be sent within a zipped file via an email or delivered separately via drive-b

A security researcher with Twitter alias SandboxEscaper today released proof-of-concept (PoC) exploit for a new zero-day vulnerability affecting Microsoft's Windows operating system. SandboxEscaper is the same researcher who previously publicly dropped exploits for two Windows zero-day vulnerabilities, leaving all Windows users vulnerable to the hackers until Microsoft patched them. The newly disclosed unpatched Windows zero-day vulnerability is an arbitrary file read issue that could allow a low-privileged user or a malicious program to read the content of any file on a targeted Windows computer that otherwise would only be possible via administrator-level privileges. The zero-day vulnerability resides in "MsiAdvertiseProduct" function of Windows that's responsible for generating "an advertise script or advertises a product to the computer and enables the installer to write to a script the registry and shortcut information used to assign or publish a prod

Microsoft today issued an out-of-band security update to patch a critical zero-day vulnerability in Internet Explorer (IE) Web browser that attackers are already exploiting in the wild to hack into Windows computers. Discovered by security researcher Clement Lecigne of Google's Threat Analysis Group, the vulnerability, tracked as CVE-2018-8653, is a remote code execution (RCE) flaw in the IE browser's scripting engine. According to the advisory, an unspecified memory corruption vulnerability resides in the scripting engine JScript component of Microsoft Internet Explorer that handles execution of scripting languages. If exploited successfully, the vulnerability could allow attackers to execute arbitrary code in the context of the current user. "If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change,

Microsoft today, on its year-end December Patch Tuesday, released security updates to patch a total 39 vulnerabilities its Windows operating systems and applications—10 of which are rated as critical and other important in severity. One of the security vulnerabilities patched by the tech giant this month is listed as publicly known at the time of release, and one is a zero-day reported as being actively exploited in the wild by multiple hacking groups, including FruityArmor and SandCat APTs. Discovered and reported by security researchers at Kaspersky, the zero-day attack exploits an elevation-of-privilege (EoP) bug in the Windows Kernel (ntoskrnl.exe) that could allow malicious programs to execute arbitrary code with higher privileges on the targeted systems. The vulnerability, tracked as CVE-2018-8611  and classified important in severity, resides in the Kernel Transaction Manager, which occurs due to improper processing of transacted file operations in kernel mode. The flaw

Cybersecurity researchers have discovered a new zero-day vulnerability in Adobe Flash Player that hackers are actively exploiting in the wild as part of a targeted campaign appears to be attacking a Russian state health care institution. The vulnerability, tracked as CVE-2018-15982 , is a use-after-free flaw resides in Flash Player that, if exploited successfully, allows an attacker to execute arbitrary code on the targeted computer and eventually gain full control over the system. The newly discovered Flash Player zero-day exploit was spotted last week by researchers inside malicious Microsoft Office documents, which were submitted to online multi-engine malware scanning service VirusTotal from a Ukrainian IP address. The maliciously crafted Microsoft Office documents contain an embedded Flash Active X control in its header that renders when the targeted user opens it, causing exploitation of the reported Flash player vulnerability. According to cybersecurity researchers, neit

At Pwn2Own 2018 mobile hacking competition held in Tokyo on November 13-14, white hat hackers once again demonstrated that even the fully patched smartphones running the latest version of software from popular smartphone manufacturers can be hacked. Three major flagship smartphones—iPhone X, Samsung Galaxy S9, and Xiaomi Mi6—were among the devices that successfully got hacked at the annual mobile hacking contest organized by Trend Micro's Zero Day Initiative (ZDI), earning white hat hackers a total of $325,000 in reward. Teams of hackers participated from different countries or representing different cybersecurity companies disclosed a total of 18 zero-day vulnerabilities in mobile devices made by Apple, Samsung, and Xiaomi, as well as crafted exploits that allowed them to completely take over the targeted devices. Apple iPhone X Running iOS 12.1 — GOT HACKED! A team of two researchers, Richard Zhu and Amat Cama, who named themselves Fluoroacetate, discovered and managed to

It's Patch Tuesday once again…time for another round of security updates for the Windows operating system and other Microsoft products. This month Windows users and system administrators need to immediately take care of a total of 63 security vulnerabilities, of which 12 are rated critical, 49 important and one moderate and one low in severity. Two of the vulnerabilities patched by the tech giant this month are listed as publicly known at the time of release, and one flaw is reported as being actively exploited in the wild by multiple cybercriminal groups. Zero-Day Vulnerability Being Exploited by Cyber Criminals The zero-day vulnerability, tracked as CVE-2018-8589 , which is being exploited in the wild by multiple advanced persistent threat groups was first spotted and reported by security researchers from Kaspersky Labs. The flaw resides in the Win32k component (win32k.sys), which if exploited successfully, could allow a malicious program to execute arbitrary code

An independent exploit developer and vulnerability researcher has publicly disclosed a zero-day vulnerability in VirtualBox —a popular open source virtualization software developed by Oracle—that could allow a malicious program to escape virtual machine (guest OS) and execute code on the operating system of the host machine. The vulnerability occurs due to memory corruption issues and affects Intel PRO / 1000 MT Desktop (82540EM) network card (E1000) when the network mode is set to NAT (Network Address Translation). The flaw is independent of the type of operating system being used by the virtual and host machines because it resides in a shared code base. VirtualBox Zero-Day Exploit and Demo Video Released Sergey Zelenyuk published Wednesday a detailed technical explanation of the zero-day flaw on GitHub, which affects all current versions (5.2.20 and prior) of VirtualBox software and is present on the default Virtual Machine (VM) configuration. According to Zelenyuk, t

Logged out from your Facebook account automatically? Well you're not alone… Facebook just admitted that an unknown hacker or a group of hackers exploited a zero-day vulnerability in its social media platform that allowed them to steal secret access tokens for more than 50 million accounts. UPDATE:  10 Important Updates You Need To Know About the Latest Facebook Hacking Incident . In a brief blog post published Friday, Facebook revealed that its security team discovered the attack three days ago (on 25 September) and they are still investigating the security incident. The vulnerability, whose technical details has yet not been disclosed and now patched by Facebook, resided in the "View As" feature—an option that allows users to find out what other Facebook users would see if they visit your profile. According to the social media giant, the vulnerability allowed hackers to steal secret access tokens that could then be used to directly access users' private in

Zerodium, the infamous exploit vendor that earlier this year offered $1 million for submitting a zero-day exploit for Tor Browser , today publicly revealed a critical zero-day flaw in the anonymous browsing software that could reveal your identity to the sites you visit. In a Tweet, Zerodium shared a zero-day vulnerability that resides in the NoScript browser plugin comes pre-installed with the Mozilla Firefox bundled in the Tor software. NoScript is a free browser extension that blocks malicious JavaScript, Java, Flash and other potentially dangerous content on all web pages by default, though users can whitelist sites they trust. According to Zerodium, NoScript "Classic" versions 5.0.4 to 5.1.8.6--with 'Safest' security level enabled--included in Tor Browser 7.5.6 can be bypassed to run any JavaScript file by changing its content-type header to JSON format. In other words, a website can exploit this vulnerability to execute malicious JavaScript on victim