If the relatively cheap, easily available, and totally reliable Blackhole exploit kit is the Toyota Camry of exploit kits, then the Cool exploit kit is the Lexus LS: both kits are reportedly developed by the same crew, but the latter is astronomically more expensive and presumably loaded with better features.
Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That’s mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States.
For the second time in less than a week, the developers of the Ruby on Rails framework are urging users to update their installations as soon possible after the discovery of several critical vulnerabilities. Last week it was a SQL injection vulnerability in Ruby on Rails, and today comes the disclosure of a series of vulnerabilities that could enable an attacker to compromise vulnerable Rails applications.
Adobe has not only joined Microsoft on the Patch Tuesday parade, but it too has critical vulnerabilities being exploited in the wild while a security update is in the works. Two patches were released today for Acrobat/Reader and Flash Player, yet the company has said that fixes for three ColdFusion flaws being exploited will be released Jan. 15.
It’s Microsoft Patch Tuesday, and while there were two critical security updates released today, the concern among IT managers is likely over the patch that isn’t there. Microsoft’s monthly security bulletins do not address a zero-day vulnerability in Internet Explorer that has been actively exploited in a series of watering hole attacks reported around Christmas that have been ongoing for a month.
Facebook has patched a vulnerability that could have allowed a malicious user to bypass certain security restrictions, according to Sow Ching Shiong, an independent security researcher who discovered the flaw on the popular social network earlier this week.
Security researcher Shahin Ramezany developed an XSS proof-of-concept exploit that he claims puts some 400 million Yahoo Mail users at risk of having their accounts taken over.
Nvidia has released a new driver for its graphics cards that includes a security update for a zero-day vulnerability in the Nvidia Display Driver Service that came to light on Christmas day. UK researcher Peter Winter-Smith posted vulnerability details and an exploit to Pastebin describing a stack buffer overflow vulnerability in the service, as well as his exploit, which bypassed DEP and ASLR on Windows machines.
Adobe is recommending ColdFusion users apply a series of mitigations to counter active exploits against vulnerabilities in the application server. An advisory was released late Friday night that the trio of flaws are being targeted by attackers, and that the company would not have a patch available for another week.
Expect amped up pressure aimed in Microsoft’s direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft released as a temporary mitigation.
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.
