Bleeping Computer: New Zero-Day Exploit for Bug in Windows 10 Task Scheduler

Bleeping Computer: New Zero-Day Exploit for Bug in Windows 10 Task Scheduler. “Exploit developer SandboxEscaper has quietly dropped a new zero-day exploit for the Windows operating system just a week after Microsoft’s monthly cycle of security updates. This exploit is the fifth in a string that started in late August last year. It achieves local privilege escalation, granting a limited user full control over files reserved for full-privilege users like SYSTEM and TrustedInstaller.”

Threatpost: Microsoft Patches Zero-Day Bug Under Active Attack

Threatpost: Microsoft Patches Zero-Day Bug Under Active Attack. “Among the other critical bugs patched, system administrators are urged to immediately deploy fixes for a Remote Desktop Services remote code-execution vulnerability (CVE-2019-0708). The bug is notable for a number of reasons. One, it’s ‘wormable’ flaw and has the potential to be exploited in a fast-moving malware attack similar to WannaCry. As a testament to its potential for havoc, Microsoft has also gone the extra step in deploying patches to Windows XP and Windows 2003 for the bug, neither of which is still supported via monthly Patch Tuesday updates.”

Digital Trends: Internet Explorer zero-day exploit makes files vulnerable to hacks on Windows PCs

Digital Trends: Internet Explorer zero-day exploit makes files vulnerable to hacks on Windows PCs. “There were already a number of reasons to not use Internet Explorer. But if you needed another one, here it is. According to ZDNet, a security researcher named John Page has published evidence of an Internet Explorer zero-day exploit that renders Windows PCs vulnerable to having their files stolen by hackers.”

Ars Technica: A security researcher with a grudge is dropping Web 0days on innocent users

Ars Technica: A security researcher with a grudge is dropping Web 0days on innocent users. “Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.”

ZDNet: Temporary fix available for one of the two Windows zero-days released in December

ZDNet: Temporary fix available for one of the two Windows zero-days released in December. “In December 2018, a security researcher going by the name of SandboxEscaper published details and proof-of-concept (PoC) demo code for two Windows zero-days. Today, cyber-security firm Acros Security published a temporary patch for the second zero-day, a patch that protects Windows systems against any exploitation attempts.”

The Register: Adobe Flash zero-day exploit… leveraging ActiveX… embedded in Office Doc… BINGO!

The Register: Adobe Flash zero-day exploit… leveraging ActiveX… embedded in Office Doc… BINGO! . “Stop us if you’ve heard this one before: An Adobe Flash zero-day vulnerability is being actively targeted in the wild to hijack victims’ Windows PCs. Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982, prompting Adobe to today release an out-of-band emergency update to patch up the flaw.”