The Register: Adobe Flash zero-day exploit… leveraging ActiveX… embedded in Office Doc… BINGO! “Stop us if you’ve heard this one before: An Adobe Flash zero-day vulnerability is being actively targeted in the wild to hijack victims’ Windows PCs. Researchers with Gigamon Applied Threat Research (ATR) and Qihoo 360 uncovered a phishing campaign that exploits CVE-2018-15982, prompting Adobe to today release an out-of-band emergency update to patch up the flaw.”
Ars Technica: Another Windows 0-day flaw has been published on Twitter. “SandboxEscaper, a researcher who back in August tweeted out a Windows privilege escalation bug, has published another unpatched Windows flaw on Twitter.”
BetaNews: Microsoft Windows task scheduler 0-day outed on Twitter. “A privilege escalation bug has been discovered in Windows’ task scheduler and revealed on Twitter. A proof-of-concept has been published, and the vulnerability has been confirmed to be present in a ‘fully-patched 64-bit Windows 10 system’.”
If you like living dangerously, you might want to check out this third-party patch for a recently-disclosed Windows vulnerability. “A new project going by the name of 0patch has created a ‘0patch’ for a zero-day, addressing the Windows gdi32.dll memory disclosure (CVE-2017-0038) yet to be fixed by Microsoft. As the issue is unlikely to receive an official patch until at least the middle of March, this third-party option is all that’s available for now.”
Does it feel like there are more zero-day security announcements than ever? You’re not wrong. “The number of ‘zero-day’ exploits—a term that was coined because affected software developers have zero days to release a patch that keeps users protected—reached an unprecedented 54, according to researchers at security firm Symantec. That number compared with 24 in 2014, 23 in 2013, and 14 in 2012.”
Dum-de-dum, another emergency Flash patch, anyone? And it’s zero-day, too! “Adobe is working on an emergency patch for its Flash Player after attackers are reportedly exploiting a critical flaw. The vulnerability, CVE-2016-1019, affects Flash Player version 18.104.22.168 on Windows, Mac, Linux and Chrome OS, according to an advisory published on Tuesday.” Have I asked you to turn off Flash lately?
The Pwn2Own annual hacking contest is off to a scary start. “On Wednesday, four teams and a researcher who competed on his own made six attempts to hack this year’s targets: Safari running on OS X, Chrome running on Windows, Microsoft Edge running on Windows and Flash Player on Windows. Four attempts were successful, one was only partially successful and one failed.”