Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products

On September 16, 2021, the Apache Software Foundation disclosed five vulnerabilities affecting the Apache HTTP Server (httpd) 2.4.48 and earlier releases. For a description of these vulnerabilities, see the Apache HTTP Server 2.4.49 section of the Apache HTTP Server 2.4 Read More …

SonicWall ‘strongly urges’ customers to patch critical SMA 100 bugs

SonicWall ‘strongly urges’ organizations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical. The bugs (reported by Rapid7’s Jake Baines and NCC Group’s Richard Warren) impact SMA Read More …

Two Birds With One Stone: An Introduction To V8 And JIT Exploitation

In this special blog series, ZDI Vulnerability Researcher Hossein Lotfi looks at the exploitation of V8 – Google’s open-source high-performance JavaScript and WebAssembly engine – through the lens of a bug used during Pwn2Own Vancouver 2021. The contest submission from Read More …

Unpatched HiveNightmare/SeriousSAM Windows Zero-Day Allows Privileged File Access

An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug – but a micropatch has been rolled out Read More …

Attackers Actively Target Windows Installer Zero-Day

Attackers are actively exploiting a Windows Installer zero-day vulnerability that was discovered when a patch Microsoft issued for another security hole inadequately fixed the original and unrelated problem. Over the weekend, security researcher Abdelhamid Naceri discovered a Windows Installer elevation-of-privilege Read More …

Attackers Hijack Email Threads Using ProxyLogon/ProxyShell Flaws

Attackers are gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads, researchers say. What’s still under discussion: whether the offensive is delivering SquirrelWaffle, the new email loader Read More …

FBI: An APT Group Exploiting a 0-day in FatPipe WARP, MPVPN, and IPVPN Software

As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software1 going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function Read More …

High-Severity Intel Processor Bug Exposes Encryption Keys

A security vulnerability in Intel chips opens the door for encrypted file access and espionage, plus the ability to bypass copyright protection for digital content. That’s according to Positive Technologies (PT), which found that the vulnerability (CVE-2021-0146) is a debugging Read More …

Security company faces backlash for waiting 12 months to disclose Palo Alto 0-day

There has been considerable debate within the cybersecurity community about Randori, a security firm that waited one year before disclosing a critical buffer overflow bug it discovered in Palo Alto Networks’ GlobalProtect VPN. The zero-day — which has a severity Read More …