ZDNet: Temporary fix available for one of the two Windows zero-days released in December. “In December 2018, a security researcher going by the name of SandboxEscaper published details and proof-of-concept (PoC) demo code for two Windows zero-days. Today, cyber-security firm Acros Security published a temporary patch for the second zero-day, a patch that protects Windows systems against any exploitation attempts.”
The Register: Adobe Flash zero-day exploit… leveraging ActiveX… embedded in Office Doc… BINGO! “Stop us if you’ve heard this one before: An Adobe Flash zero-day vulnerability is being actively targeted in the wild to hijack victims’ Windows PCs. Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982, prompting Adobe to today release an out-of-band emergency update to patch up the flaw.”
Ars Technica: Another Windows 0-day flaw has been published on Twitter. “SandboxEscaper, a researcher who back in August tweeted out a Windows privilege escalation bug, has published another unpatched Windows flaw on Twitter.”
BetaNews: Microsoft Windows task scheduler 0-day outed on Twitter. “A privilege escalation bug has been discovered in Windows’ task scheduler and revealed on Twitter. A proof-of-concept has been published, and the vulnerability has been confirmed to be present in a ‘fully-patched 64-bit Windows 10 system’.”
If you like living dangerously, you might want to check out this third-party patch for a recently-disclosed Windows vulnerability. “A new project going by the name of 0patch has created a ‘0patch’ for a zero-day, addressing the Windows gdi32.dll memory disclosure (CVE-2017-0038) yet to be fixed by Microsoft. As the issue is unlikely to receive an official patch until at least the middle of March, this third-party option is all that’s available for now.”
Does it feel like there are more zero-day security announcements than ever? You’re not wrong. “The number of ‘zero-day’ exploits—a term that was coined because affected software developers have zero days to release a patch that keeps users protected—reached an unprecedented 54, according to researchers at security firm Symantec. That number compared with 24 in 2014, 23 in 2013, and 14 in 2012.”
Dum-de-dum, another emergency Flash patch, anyone? And it’s zero-day, too! “Adobe is working on an emergency patch for its Flash Player after attackers are reportedly exploiting a critical flaw. The vulnerability, CVE-2016-1019, affects Flash Player version 22.214.171.124 on Windows, Mac, Linux and Chrome OS, according to an advisory published on Tuesday.” Have I asked you to turn off Flash lately?