The vulnerability already has been added to commercially available attack toolkits, such as BlackHole and Nuclear Pack.
A new report highlights just how little is known about zero-day attacks, even after the flaws are made public.
The most critical flaw could lead to the installation of the backdoor trojan Poison Ivy on victims' machines.
Researchers have discovered that a majority of the infected machines enlisted in a botnet capable of stealing up to $100,000 per day are based in the United States.
Security firm Security Explorations discovered the new vulnerability, which, when combined with other still-unpatched weaknesses in Java, could allow for a complete bypass of the Java Virtual Machine sandbox in the environment of the latest Java SE software.
Hours after the company that maintains Java released a much-anticipated patch for a widespread malware attack, Polish firm Security Explorations said it discovered a new vulnerability in the software platform.
In light of the fast-spreading Java 7 exploit, Mozilla has become the first browser maker to suggest users disable Java functionality.
A new Java exploit is expected to become more widespread now that proof-of-concept code has been published. Oracle isn't scheduled to update Java until October.
Google is raising the stakes for researchers who can show exploits and discover vulnerabilities in its Chrome browser.
The commercially available and automated BlackHole exploit kit has been updated to include exploit functionality for a recently patched Java vulnerability, and attacks are now happening in the wild.
Thirteen security vulnerabilities were fixed this week when Mozilla released Firefox 13.
Adobe on Friday issued an emergency patch for a critical bug in its Flash Player software that is being used in targeted malware attacks.
One of the most prolific Chrome researchers has netted Google's top prize in its inaugural Pwnium competition. Google promptly patched the bug.
The malicious file spreads thanks to a vulnerability in the popular Adobe Flash software.
Google has issued an official update to its Chrome browser to fill 20 security holes, one of which is deemed "critical" and eight of which are considered "high" in severity.
Eighty-five percent of all malware is web-based, and some 30,000 websites are newly infected with malicious code each day, according to Sophos' "Security Threat Report 2012."
Adobe warned Tuesday of an unpatched vulnerability in its Reader and Acrobat software after catching wind of active exploits by cybercriminals.
A new exploit, which has made its way into the Metasploit framework, underscores the danger posed by Java vulnerabilities, which are responsible for many of today's enterprise malware threats.
Most spam messages sent in recent days have been delivered with subject lines containing fake order or ticket numbers, delivery invoices, payment notices or tax information, according to researchers from security firm Websense.
Microsoft on Tuesday patched one "critical" vulnerability, plus three other less-severe flaws. Not patched, as expected, is a bug related to the Duqu trojan.
Much of the surge can be blamed on SQL injection and the use of exploit toolkits, according to researchers at Dell SecureWorks.
A free copy of the BlackHole exploit kit is available on several file-sharing sites, lowering the cost of entry for budding cybercriminals, experts warned this week.
Software products used to manage critical infrastructure facilities contain a vulnerability that could allow an attacker to take control of affected systems, the ICS-CERT warned.
As if Zeus wasn't already a torment, the insidious banking trojan may become even more prolific now that its source code has been leaked on at least two underground forums, according to researchers at Denmark-based CSIS. Peter Kruse, writing on the company's blog, said the source code for the Zeus toolkit is "freely available for inspection, inspiration or perhaps to be compiled and used in future attacks." He expects the leakage to cause the trojan to become more pervasive. One likely can expect the price to fall too. McAfee researchers in September said the Zeus builder toolkit was going for between $700 and $1,500.
Adobe has sped up the planned release of updates to its Reader and Acrobat software, good news for customers now that reports of public exploits have emerged. The updates, released Thursday but not expected until next week, shore up two critical vulnerabilities, one of which has been leveraged in in-the-wild attacks, according to a revised bulletin. Reader X for Mac and Acrobat X for Windows and Mac received updates, as did Reader/Acrobat 9.4.3 for Windows and Mac. Reader X for Windows won't receive a new version until June 14, a scheduled quarterly update, because the "Protected Mode" capability prevents against exploit. The flaw being used in attacks also was present in Flash Player, but that software was patched last week.
System flaws and exploits dramatically jumped last year, but the news is not all bad, as many of the bugs were discovered by their creators.
Attack toolkits have been refined to the point where they are producing high success rates for their criminal users.
Google's latest version of Chrome warns users if they are attempting to run a plug-in that is out of date.
End-users may be the weakest link, but technology exists to take security out of their hands.
Sign up to our newsletters
SC Magazine Articles
- UK hacker Lauri Love fights extradition to US
- Microsoft fixes critical IE vulnerabilities, other bugs on Patch Tuesday
- Email incident affects 9,400 Schwab Retirement Plan Services participants
- Fraudsters exploit weak SSL certificate security to set up hundreds of phishing sites
- European aviation body warns of cyber-attack risk against aircraft