PayPal is the latest company to join the ranks of software vendors and Web properties that offer bounties to security researchers who privately disclose new bugs to them. The company isn’t saying how much it will pay for each bug, just that its security team will determine the severity of each flaw as well as the ultimate payout.
Browsing Tag: vulnerabilities
In case you thought that the mass exodus of researchers from TippingPoint’s Zero Day Initiative in recent months meant that the demand for third-party vulnerability markets was waning, fear not. Several former members of the ZDI team have come back together to form a new firm called Exodus Intelligence that will have its own vulnerability purchasing program, among other offerings.
Less than a week after Microsoft released a patch for a critical vulnerability in Internet Explorer, attack code has become publicly available in the form of a module for the Metasploit Framework. The bug is serious one that enables an attacker to bypass both ASLR and DEP, the two main anti-exploit technologies in IE, and run arbitrary code on the victim’s machine.
In the June 2012 edition of Patch Tuesday, Microsoft shipped seven security bulletins, of which, only three were deemed worthy of a critical rating.
Two researchers say they’ve found a security hole in Tumblr, one of the most popular sites on the Internet, that could steal users’ authentication cookies to break into their accounts.
Aditya Gupta and Subho Halder say they’ve tried to contact Tumblr about the vulnerability by using mail and Twitter, but so far no one has responded. The social sharing site hosts 59.4 million micro blogs and has published almost 25 billion posts.
There is a trivially exploitable vulnerability in MySQL that enables an attacker to gain root access to the database server. The bug, which recently was patched, stems from an error in the way that MySQL and MariaDB handle passwords, giving an attacker a chance of getting root access by supplying any password to an affected server.
By Alexander GostevThe Flame malware uses several methods to replicate itself. The most interesting one is the use of the Microsoft Windows Update service. This is implemented in Flame’s “SNACK”, “MUNCH” and “GADGET” modules. Being parts of Flame, these modules are easily reconfigurable. The behavior of these modules is controlled by Flame’s global registry, the database that contains thousands of configuration options.
Mozilla has fixed seven security vulnerabilities in its flagship Firefox browser, including four critical bugs. The fixes are included in Firefox 13, which was released Tuesday.
Making good on its promise to offer free updates for older versions of some of its most popular products, Adobe pushed out patches for its Photoshop and Illustrator products yesterday, fixing nine vulnerabilities, several which could allow remote code execution.
Security researcher and Google employee Michal Zalewski is warning of a potentially serious security hole that affects the three major Web browsers, Internet Explorer, Firefox and Google’s Chrome browser and that could make it easy for attackers to push malicious downloads from domains other than that being visited by unsuspecting Web users.