Search results for chrome zero-day | Breaking Cybersecurity News | The Hacker News

In recent years, the number and sophistication of zero-day vulnerabilities have surged, posing a critical threat to organizations of all sizes. A zero-day vulnerability is a security flaw in software that is unknown to the vendor and remains unpatched at the time of discovery. Attackers exploit these flaws before any defensive measures can be implemented, making zero-days a potent weapon for cybercriminals. A recent example is, for instance, CVE-2024-0519 in Google Chrome: this high-severity vulnerability was actively exploited in the wild and involved an out-of-bounds memory access issue in the V8 JavaScript engine. It allowed remote attackers to access sensitive information or trigger a crash by exploiting heap corruption.  Also, the zero-day vulnerability at Rackspace caused massive trouble. This incident was a zero-day remote code execution vulnerability in ScienceLogic's monitoring application that led to the compromise of Rackspace's internal systems. The breach expose...

Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. Google released Chrome version 86.0.4240.111 today to patch several security high-severity issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers. Tracked as CVE-2020-15999 , the actively exploited vulnerability is a type of memory-corruption flaw called heap buffer overflow in Freetype, a popular open source software development library for rendering fonts that comes packaged with Chrome. The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19 and is subject to a seven-day public disclosure deadline due to the flaw being under active exploitation. Glazunov also immediately reported the zero-day vulnerability to FreeType developers, who then ...

NSS Labs issued the report titled " The Known Unknowns " to explain the dynamics behind the market of zero-day exploits. Last week I discussed about the necessity to define a model for " cyber conflict " to qualify the principal issues related to the use of cyber tools and cyber weapons in an Information Warfare context, today I decided to give more info to the readers on cyber arsenals of governments. Governments consider the use of cyber weapons as a coadiuvant to conventional weapons, these malicious application could be used for sabotage or for cyber espionage, they could be used to hit a specifically designed software (e.g. SCADA within a critical infrastructure ) or they could be used for large scale operations infecting thousand of machines exploiting zero-day in common application ( e.g. Java platform, Adobe software ). The zero-day flaw are the most important component for the design of an efficient cyber weapon, governments have recently created dedic...

Attention readers, if you are using Chrome on your Windows, Mac, and Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today. With the release of Chrome 78.0.3904.87, Google is warning billions of users to install an urgent software update immediately to patch two high severity vulnerabilities, one of which attackers are actively exploiting in the wild to hijack computers. Without revealing technical details of the vulnerability, the Chrome security team only says that both issues are use-after-free vulnerabilities, one affecting Chrome's audio component ( CVE-2019-13720 ) while the other resides in the PDFium ( CVE-2019-13721 ) library. The use-after-free vulnerability is a class of memory corruption issues that allows corruption or modification of data in the memory, enabling an unprivileged user to escalate privileges on an affected system or software. Thus, both flaws could enable remote attackers...

The actively exploited but now-fixed Google Chrome zero-day flaw that came to light at the start of this month was weaponized by an Israeli spyware company and used in attacks targeting journalists in the Middle East. Czech cybersecurity firm Avast linked the exploitation to  Candiru  (aka Saito Tech), which has a history of  leveraging previously unknown flaws  to deploy a Windows malware dubbed DevilsTongue , a modular implant with  Pegasus -like capabilities. Candiru, along with NSO Group, Computer Security Initiative Consultancy PTE. LTD., and Positive Technologies, were  added to the entity list  by the U.S. Commerce Department in November 2021 for engaging in "malicious cyber activities." "Specifically, a large portion of the attacks took place in Lebanon, where journalists were among the targeted parties," security researcher Jan Vojtěšek, who reported the discovery of the flaw,  said  in a write-up. "We believe the attacks were hi...

Warning for Adobe users! Another zero-day vulnerability has been discovered in Adobe Flash Player   that is actively being exploited by cyber crooks in drive-by download attacks, security researchers warned today. This is for the third time in last few weeks when Adobe is dealing with a zero day vulnerability in Flash Player. The Adobe Flash Player Vulnerability identified as CVE-2015-0313 , exists in the latest version of Flash Player, i.e. version 16.0.0.296 and earlier. In late January, Adobe released an updated version of its Flash player software that patches zero-day vulnerability, tracked as CVE-2015-0311 , spotted by French security researcher Kafeine. This Adobe Flash Player Vulnerability was also being actively exploited via Malvertisement and drive-by-download attacks. In case of a "drive-by-download" attack, an attacker downloads a malicious software to a victim's computer without their knowledge or explicit consent. As a result, the flaw cou...

Threat intelligence researchers from Google on Wednesday  shed more light  on four in-the-wild zero-days in Chrome, Safari, and Internet Explorer browsers that were exploited by malicious actors in different campaigns since the start of the year. What's more, three of the four zero-days were engineered by commercial providers and sold to and used by government-backed actors, contributing to an uptick in real-world attacks. The list of now-patched vulnerabilities is as follows - CVE-2021-1879 : Use-After-Free in QuickTimePluginReplacement (Apple WebKit) CVE-2021-21166 : Chrome Object Lifecycle Issue in Audio CVE-2021-30551 : Chrome Type Confusion in V8 CVE-2021-33742 : Internet Explorer out-of-bounds write in MSHTML Both Chrome zero-days — CVE-2021-21166 and CVE-2021-30551 — are believed to have been used by the same actor, and were delivered as one-time links sent via email to targets located in Armenia, with the links redirecting unsuspecting users to attacker-contro...

FinSpy —the infamous surveillance malware is back and infecting high-profile targets using a new Adobe Flash zero-day exploit delivered through Microsoft Office documents. Security researchers from Kaspersky Labs have discovered a new zero-day remote code execution vulnerability in Adobe Flash, which was being actively exploited in the wild by a group of advanced persistent threat actors, known as BlackOasis . The critical type confusion vulnerability, tracked as CVE-2017-11292 , could lead to code execution and affects Flash Player 21.0.0.226 for major operating systems including Windows, Macintosh, Linux and Chrome OS. Researchers say BlackOasis is the same group of attackers which were also responsible for exploiting another zero-day vulnerability ( CVE-2017-8759 ) discovered by FireEye researchers in September 2017. Also, the final FinSpy payload in the current attacks exploiting Flash zero-day (CVE-2017-11292) shares the same command and control (C&C) server as the...

Two days ago, The Hacker News (THN) reported about the Zero-day vulnerability in the freshly patched Adobe Flash Player . The vulnerability was exploited in the wild by a well-known group of Russian hackers, named " Pawn Storm ," to target several foreign affairs ministries worldwide. The zero-day flaw allowed hackers to have complete control of the users' machine, potentially putting all the Flash Player users at a potentially high risk. Since then, there was no patch available to make flawed utility safe. However, Adobe has now patched the zero-day vulnerability, along with some critical vulnerabilities whose details are yet to be disclosed. Yesterday, the company published a post on their official security bulletin ( APSB15-27 ) detailing the risks associated with the zero-day and how a user can get rid of them. The critical vulnerabilities are assigned following CVE numbers: CVE-2015-7645 CVE-2015-7647 CVE-2015-7648 Also, Adobe is kn...

Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update. The company  released  86.0.4240.183 for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users. The zero-day flaw, tracked as  CVE-2020-16009 , was reported by Clement Lecigne of Google's Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero on October 29. The company also warned that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild." Google hasn't made any details about the bug or the exploit used by threat actors public so as to allow a majority of users to install the updates and prevent other adversaries from developing their own exploits leveraging the flaw. But Ben Hawkes, Google Project Zero's technical lead,  said  CVE-2020-16009 concerned an "inappropriate implementation" of its ...

Google has revealed that it observed 75 zero-day vulnerabilities exploited in the wild in 2024, down from 98 in 2023 but an increase from 63 the year before. Of the 75 zero-days, 44% of them targeted enterprise products. As many as 20 flaws were identified in security software and appliances. "Zero-day exploitation of browsers and mobile devices fell drastically, decreasing by about a third for browsers and by about half for mobile devices compared to what we observed last year," the Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker news. "Exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively (~90%) used to target mobile devices." While Microsoft Windows accounted for 22 of the zero-day flaws exploited in 2024, Apple's Safari had three, iOS had two, Android had seven, Chrome had seven, and Mozilla Firefox had one flaw that were abused during the same period. Three of the seven zero-days ...

Exactly a month after  patching  an actively exploited zero-day flaw in Chrome, Google today rolled out fixes for yet another zero-day vulnerability in the world's most popular web browser that it says is being abused in the wild. Chrome 89.0.4389.72, released by the search giant for Windows, Mac, and Linux on Tuesday, comes with a total of 47 security fixes, the most severe of which concerns an "object lifecycle issue in audio." Tracked as CVE-2021-21166, the security flaw is one of the two bugs reported last month by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available. With no additional details, it's not immediately clear if the two security shortcomings are related. Google acknowledged that an exploit for the vulnerability exists in the wild but stopped short of s...

Google has disclosed details of a new zero-day privilege escalation flaw in the Windows operating system that's being actively exploited in the wild. The elevation of privileges (EoP) vulnerability, tracked as  CVE-2020-17087 , concerns a buffer overflow present since at least Windows 7 in the Windows Kernel Cryptography Driver ("cng.sys") that can be exploited for a sandbox escape. "The bug resides in the cng!CfgAdtpFormatPropertyBlock function and is caused by a 16-bit integer truncation issue," Google's Project Zero researchers Mateusz Jurczyk and Sergei Glazunov noted in their technical write-up. The security team made the details public following a seven-day disclosure deadline because of evidence that it's under active exploit. Project Zero has shared a proof-of-concept exploit (PoC) that can be used to corrupt kernel data and crash vulnerable Windows devices even under default system configurations. What's notable is that the exploit ch...

Last week, Apple finally announced a bug bounty program for researchers and white hat hackers to find and get paid for reporting details of zero-day vulnerabilities in its software and devices. The company offers the biggest payout of $200,000, which is 10 times the maximum reward that Google offers and double the highest bounty paid by Microsoft. But now Apple is going to face competition from a blackhat company named, Exodus Intelligence. Exodus Intelligence is offering more than double Apple's maximum payout for zero-day vulnerabilities affecting the newest versions of iOS. The company is willing to pay more than $500,000 for zero-day vulnerabilities and exploits affecting iOS 9.3 and above. Although Exodus labeled itself as ‘ Research Sponsorship Program ,’ the company actually makes money by buying and selling zero-day vulnerabilities and exploits. On Wednesday, Exodus launched its new bonus structure for the acquisition of details and exploits for zero-day vu...

The Recent Cyber Attack that exposed 400GB of corporate data belonging to surveillance software firm Hacking Team has revealed that the spyware company have already discovered an exploit for an unpatched zero-day vulnerability in Flash Player. Security researchers at Trend Micro claim that the leaked data stolen from Hacking Team , an Italian company that sells surveillance software to government agencies, contains a number of unpatched and unreported Adobe flaws. Hacking Team has Unpatched Flash Bug  While analyzing the leaked data dump, researchers discovered at least three software exploits – two for Adobe Flash Player and one for Microsoft's Windows kernel. Out of two, one of the Flash Player vulnerabilities, known as Use-after-free vulnerability with CVE-2015-0349 , has already been patched. However, the Hacking Team described the other Flash Player exploit, which is a zero-day exploit with no CVE number yet, as "the most beautiful Flash bug for ...

Google on Friday released security updates for its Chrome browser to address a security flaw that it said has been exploited in the wild. The high-severity vulnerability, tracked as CVE-2026-2441 (CVSS score: 8.8), has been described as a use-after-free bug in CSS. Security researcher Shaheen Fazim has been credited with discovering and reporting the shortcoming on February 11, 2026. "Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page," according to a description of the flaw in the NIST's National Vulnerability Database (NVD). Google did not disclose any details about how the vulnerability is being exploited in the wild, by whom, or who may have been targeted, but it acknowledged that "an exploit for CVE-2026-2441 exists in the wild." While Google Chrome is no stranger to actively exploited vulnerabilities, the development once again highlights how bro...