Polish security expert Dawid Golunski has discovered a zero-day in the WordPress password reset mechanism that would allow an attacker to obtain the password reset link, under certain circumstances.
The saga of CVE-2017-0199, a recently patched zero-day vulnerability affecting Microsoft Office and WordPad, just got a little stranger yesterday after cyber-security firm FireEye revealed the vulnerability was used by both cyber-criminals pushing mundane malware, and also by state-sponsored cyber-espionage groups.
The operators of the Dridex botnet are using the recently disclosed Microsoft Office zero-day to spread a version of their malware, the infamous Dridex banking trojan.
Cyber-security firms McAfee and FireEye have both disclosed in-the-wild attacks with a new Microsoft Office zero-day that allows attackers to silently execute code on targeted machines and secretly install malware.
For more than a month, at least ten groups of attackers have been compromising systems running applications built with Apache Struts and installing backdoors, DDoS bots, cryptocurrency miners, or ransomware, depending if the machine is running Linux or Windows.
Since July 2016, attackers have been using a zero-day in IIS 6.0 to compromise and take over Windows servers. The vulnerability only affects IIS 6.0, which was released in November 2010, and shipped with Windows Server 2003 and Windows XP Professional x64 Edition.
Without making too much fuss about it, Microsoft patched a zero-day vulnerability used in live attacks by a cyber-espionage group named Zirconium. The zero-day, tracked as CVE-2017-0005, affects the Windows Win32k component in the Windows GDI (Graphics Device Interface), included in all Windows OS versions.
Microsoft has patched a zero-day vulnerability that was used in the massive AdGholas malvertising campaign and later integrated into the Neutrino exploit kit.
Mozilla engineers released Firefox 52.0.1 to patch a security flaw that came to light last Friday, in the Pwn2Own 2017 hacking contest.
Over 300 Cisco products are affected by a zero-day vulnerability Cisco discovered last week, and for which no patch is available at the time of writing.
A new remote access tool (RAT) targeting macOS users is currently being advertised on Russian underground hacking forums, a custom website, and through YouTube videos, security researchers from Sixgill have discovered.
Multiple Western Digital MyCloud Networked Attached Storage (NAS) devices are affected by several security flaws, varying in severity, that allow attackers to bypass authentication, execute code on the device, and upload or download user data.
Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after last week they've published details about a bug in the Windows GDI (Graphics Device Interface) component.
For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement.
In a short announcement posted on its blog today, Microsoft announced it was delaying today's Patch Tuesday security updates indefinitely until its engineers address a last minute issue the company expected to cause problems for customers, if deployed today.
Proof-of-concept code for a zero-day in the SMB (Server Message Block) protocol that affects several Windows versions has been published online today, sending sysadmins into a frenzy to protect vulnerable machines.
The WordPress security team revealed yesterday they've secretly fixed a zero-day vulnerability in the WordPress CMS, which wasn't initially included in the official announcement.
Zimperium, the mobile security company that discovered the Stagefright bug in the summer of 2015, announced yesterday its intention to buy fully-working exploits for former Android and iOS zero-days.