Michael Mimoso

Expect the roar from security experts urging users to abandon Java to reach ear-splitting levels after reports this morning that new sandbox bypass vulnerabilities are present in the latest Java update.

The Red October espionage malware campaign is providing security researchers with a deep dive into the complexity of targeted attacks, which in this case made use of more than 1,000 malware modules for everything from reconnaissance on targets to exfiltration of data to command and control servers.

Microsoft can take some solace that it is not alone in sending out security updates that don’t fully address a zero-day vulnerability. A researcher at Immunity Inc., put Oracle on a similar hot seat this week when he reported that a recent out-of-band Java update repaired only one of two Java flaws being actively exploited.

Just when you thought phishers had exhausted all avenues of innovation, a new tactic has emerged in attacks against financial institutions bringing the level of targeting and geo-filtering to precise new levels. Dubbed bouncer list phishing by RSA Security, these attack kits are built off stolen email lists that are filtered for particular targets, such as a regional bank. 

This week’s relentless onslaught of security patches continued late Tuesday afternoon when Oracle released its quarterly Critical Patch Update, a healthy dose of 86 security updates across all major product lines including Oracle Database and MySQL Server.

Adobe delivered a security hotfix for its ColdFusion application server today, repairing a host of vulnerabilities being exploited in the wild.The company had recommended a series of mitigations in a Jan. 7 advisory as a stopgap until today’s hotfix was released.

Red October, the espionage campaign uncovered by Kaspersky Lab this week after attackers spent five years actively spying on diplomats, scientists, and governments worldwide, is using a Java exploit to infect its victims, bringing the exploit count to four in this campaign.