Michael Mimoso

Out-of-Band IE Patch Released as More Sites Attacked

Internet Explorer users, exposed to a zero-day vulnerability in the browser and a faulty temporary Fix It from Microsoft, finally got some relief today when the company, as promised, released an out-of-band patch. Meanwhile, a handful of new telco, manufacturing and human rights sites have been infected and have been serving exploits since the public release of the zero-day, a researcher told Threatpost.

Emergency Zero-Day Patch Does Not Quiet Calls to Disable Java

Oracle’s emergency Java update this weekend for a zero-day sandbox bypass vulnerability hasn’t exactly kicked off a love-fest for the company among security experts. Researchers are still cautious about recommending users re-enable the ubiquitous software, despite the availability of the fix for the latest zero-day to target the platform.

Rocra Espionage Malware Campaign Uncovered After Five Years of Activity

For five years, it hid in the weeds of networks used by Eastern European diplomats, government employees and scientific research organizations, stealing data and infecting more machines in an espionage campaign rivaling Flame and others of its ilk. The campaign, called Rocra or Red October by researchers at Kaspersky Lab, focused not only on workstations, but on mobile devices and networking gear to gain a foothold inside strategic organizations. Once inside, attackers pivoted internally and stole everything from files on desktops, smartphones and FTP servers to email databases, using exploits developed in China and malware of Russian origin, Kaspersky researchers said.
The exploit targeting the latest zero-day vulnerability in the Java platform is dropping ransomware, and has been found in another exploit kit. Security experts, including US-CERT last night, advise users and IT managers to disable Java on endpoints and in browsers. Meanwhile, Polish security researcher Adam Gowdiak of Security Explorations said the attacks target a pair of vulnerabilities, one of which was reported to Oracle in September and patched, apparently incompletely, in October.

A rash of politically and socially motivated distributed denial-of-service attacks against major U.S. banks has been able to intermittently disrupt online and mobile banking services. The attackers have been able to fire unprecedented amounts of traffic at the likes of Wells Fargo, Bank of America, PNC and many others, temporarily denying customers access to their accounts online.

Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That’s mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States.

Adobe has not only joined Microsoft on the Patch Tuesday parade, but it too has critical vulnerabilities being exploited in the wild while a security update is still in the works. Two patches were released today for Acrobat/Reader and Flash Player, but the company said fixes for three ColdFusion flaws being exploited will not be released until Jan. 15.

It’s Microsoft Patch Tuesday, and while two critical security updates were released today, the concern among IT managers is likely over the patch that isn’t there. Microsoft’s monthly security bulletins do not address a zero-day vulnerability in Internet Explorer that has been actively exploited in a series of watering hole attacks, reported around Christmas and ongoing for about a month.