Adobe delivered a security hotfix for its ColdFusion application server today, repairing a host of vulnerabilities being exploited in the wild.The company had recommended a series of mitigations in a Jan. 7 advisory as a stopgap until today’s hotfix was released.
Internet Explorer users, exposed to a zero-day vulnerability in the browser and a faulty temporary Fix It from Microsoft, finally got some relief today when the company, as promised, released an out-of-band patch.Meanwhile, a handful of new telco, manufacturing and human rights sites have been infected and have been serving exploits since the public release of the zero-day, a researcher told Threatpost.
Oracle’s emergency Java update this weekend for a zero-day sandbox bypass vulnerability hasn’t exactly kicked off a love-fest for the company among security experts. Researchers are still cautious about recommending users re-enable the ubiquitous software, despite the availability of the fix for the latest zero-day to target the platform.
The exploit targeting the latest zero-day vulnerability in the Java platform is dropping ransomware, and has been found in another exploit kit. Security experts, including U.S.-CERT last night, advise users and IT managers to disable Java on endpoints and browsers. Meanwhile, Polish security researcher Adam Gowdiak of Security Explorations, said the attacks target a pair of vulnerabilities, one of which was reported to Oracle in September and patched, apparently incompletely, in October.
Enterprise software and services company Sybase has again patched holes in its Adaptive Server Enterprise (ASE) product, fixing a handful of database vulnerabilities that could have allowed a hacker to execute code and bypass security parameters on the company’s main database server product.
Google has patched a huge number of security vulnerabilities in its Chrome browser, fixing 11 high-severity flaws. The release of Chrome 24 also includes patches for a number of other lower-priority vulnerabilities.
A vulnerability exists in the latest build of Foxit Reader, a PDF reader produced by the Foxit Corp., that could allow an attacker to inject malicious code into documents.
UPDATE – Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.
Just two days after the disclosure of a string of serious vulnerabilities in Ruby on Rails, researchers have released proof-of-concept exploit code for a couple of the flaws and the team at Metasploit have released a module for the penetration testing framework that exploit one of the bugs, as well.
Nokia mobile devices redirect Web requests to Nokia-owned proxy servers where header information including credentials are stored in clear text, putting anything from banking sessions to social media accounts at risk, a researcher claims.
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
