Researchers say that one of the attack groups using the two new Java zero-day vulnerabilities is the same group that was behind an earlier targeted attack campaign from 2011. That group was traced back to China and was essentially running a spear-phishing campaign, but now the crew, known as Nitro, is using the Java vulnerabilities in Web-based attacks that install the Poison Ivy remote-access tool.
Researchers who have dug into the exploit for the new Java CVE-2012-4681 vulnerability found that there are actually two previously unknown security bugs in Java 7, and that the exploit, which has been tied to attackers in China, chains both of them to gain full control of vulnerable machines.
As attacks on the new Java zero-day vulnerability continue and researchers look for ways to mitigate the flaw, they are encouraging users to disable Java in their browsers. There is now a site that users can visit that will detect whether their browser is running a vulnerable version of Java.
More details about the new Java zero-day vulnerability are emerging, and as the seriousness of the problem has become clear, researchers have recommended that users disable Java altogether for the time being if they don’t have a specific need for it.
There is a newly discovered zero-day vulnerability in Java 7 that is being used in some targeted attacks right now. The vulnerability works against Internet Explorer and Firefox, and researchers say that attackers are exploiting it in the wild and installing a version of the Poison Ivy RAT on compromised systems.
The Apache Software Foundation has fixed two vulnerabilities in its ubiquitous Web server, including a cross-site scripting bug that could enable an attacker to upload files to a remote server. The new version of the Apache HTTP Server also includes updates that resolve dozens of other, non-security related bugs.
Google’s recent announcements that the company is doubling some of the rewards in its Chromium Vulnerability Reward Program and will also be committing up to $2 million for another round of the Pwnium contest in a couple of months brought a round of cheers from the security research community. The Google rewards programs have been quite successful in drawing submissions from researchers, as have similar programs from Mozilla, Facebook, Barracuda, PayPal and others, but the question around all of these programs is whether they actually succeed in making software, and by extension, the Web, safer.
Google has been handing out rewards to researchers who discover vulnerabilities in the company’s products and Web properties for several years now, both through its Chrome bug bounty program and its Pwnium contest at this year’s CanSecWest conference. Company officials say that the programs have been quite successful at finding and fixing bugs, so much so, in fact, that the number of new submissions has been dropping off lately. Instead of closing down the reward program, however, Google this week said it will pay even more for some bugs and also announced that it is reprising the Pwnium contest at Hack in the Box in Malaysia this fall, offering up to $2 million in rewards.
Google officials say that they will be handing out bonuses on top of existing rewards to security researchers who report especially troublesome flaws as part of their bug bounty program.
The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems.