A vulnerability exists in the Windows operating system's JScript component that can allow an attacker to execute malicious code on a user's computer. The bug was discovered by Dmitri Kaslov of Telspace Systems, who passed it along to Trend Micro's Zero-Day Initiative (ZDI), a project that intermediates the vulnerability disclosure process between independent researchers and larger companies. ZDI experts reported the issue to Microsoft back in January, but Microsoft has yet to release a patch for this vulnerability. Yesterday, ZDI published a summary containing light technical details about the bug.
JScript bug leads to RCE

Apple has released security updates this week for seven products: macOS, iOS, watchOS, iTunes for Windows, tvOS, iCloud for Windows, and Safari. Out of all the vulnerabilities patched this week, two stand out, mainly because they affect the kernels of macOS, iOS, watchOS, and tvOS alike. The vulnerabilities are CVE-2018-4241 and CVE-2018-4243, both discovered by Google security engineer Ian Beer. Neither Beer nor Apple has released expansive details about these two bugs. Both issues are buffer overflows in the kernel code that can lead to an attacker executing malicious code within the context of the kernel, giving him full access to a device. But these are all the details currently available. In fact, Apple is currently still hiding the changelog of the iOS, watchOS, and tvOS security patches in an attempt to allow users to update without giving attackers a clue to what's hiding inside. Patches with links are posted on OUR FORUM.
An Internet Explorer zero-day vulnerability that came to light last month has now been incorporated in the RIG exploit kit, a web-based toolkit that malware authors use to infect a site's visitors with malware. The vulnerability in question is CVE-2018-8174. This vulnerability affects VBScript, the Visual Basic scripting engine that's included with Internet Explorer and Microsoft Office. On April 20, Bleeping Computer learned from a Chinese security researcher that a cyber-espionage group was using this vulnerability to infect users via Internet Explorer, as part of a series of attacks conducted by what later proved to be a North Korean state-sponsored hacking group. Security researchers from Qihoo 360, who first spotted these attacks, reported the vulnerability to Microsoft, and the company patched the bug in the May 2018 Patch Tuesday security updates, released on May 8. More details can be found on OUR FORUM.


