Microsoft on Tuesday fixed a critical vulnerability in a component of Office, SQL Server and other widely deployed applications that attackers already are using in targeted attacks. The flaw in the Microsoft Common Controls component, which was one of the 26 vulnerabilities fixed in nine bulletins issued today, can be exploited remotely and Microsoft said that attackers have been using malicious RTF files sent via email to take advantage of the bug.
Browsing Tag: vulnerabilities
Oracle is warning customers about a vulnerability in the ubiquitous Oracle Database Server that can allow an attacker to gain complete control of the affected server. The CVE-2012-3132 vulnerability is not remotely exploitable by an unauthenticated user.
A security researchers has discovered a pair of methods that enable him to bypass the protections offered by Microsoft’s EMET anti-exploit technology. The Enhanced Mitigation Experience Toolkit, which Microsoft updated late last month to include one of the three technologies that were finalists in the company’s BlueHat Prize competition, is designed to prevent certain kinds of exploits from hitting software vulnerabilities. But now a researcher has developed two techniques that can bypass the protections.
Microsoft has released a public version of its internal Attack Surface Analyzer tool, which helps organizations identify changes to a system’s attack surface as new applications are added. The tool has been in beta for a few months, but this is the first official release.
The Java CVE-2012-1723 vulnerability is suddenly the golden child of bugs. The flaw, which Oracle patched in June, has been the target of several pieces of malware and Web-based attacks of late, and now researchers say there is a phishing scam targeting payroll and HR employees that involves and exploit for the Java bug, as well.
SQL injection attacks have been going on for years, and the vulnerabilities and exploitation techniques are well-understood and widely discussed. However, they’re still quite prevalent and are used in a variety of scenarios. One recent example is the attack on a Yahoo site that resulted in a breach of 450,000 usernames and passwords. In this video, Ryan O’Boyle of Veracode discusses the nature of SQL injection attacks and how to defend against them.
There are new versions of the Opera browser available, a small update to version 12.01, but they include a number of important security fixes, notably a patch for a vulnerability that could lead to remote code execution.
Officials at Huawei Technologies say that they’re looking into claims by security researchers made at DEF CON last week that there are a handful of serious security vulnerabilities in some of the company’s routers. Saying it employs “rigorous security strategies and policies” Huawei is trying to verify the flaws discovered by researchers Felix “FX” Lindner and Gregor Kopf.
Microsoft gave its users steps earlier this week to sidestep a vulnerability in one of Oracle’s Outside In libraries. The company published some mitigations for the bug, but said it isn’t aware of any active attacks against it yet.
Apple’s iOS and Google’s Android have been on opposite ends of the security continuum for the last few years, with iOS remaining resistant to malware and Android becoming a frequent target for attackers and malware authors. Google has been taking steps to change that in recent releases, and the latest version of its mobile operating system, Android 4.1 Jelly Bean, includes several new exploit mitigations and a more extensive implementation of ASLR to help defeat many kinds of exploits.