Zero Day Diary

FROM THE EDITORS AT CYBERSECURITY VENTURES

Q4 2016

ZeroDayDiary.com — sponsored by Digital Defense — provides chief information security officers (CISOs) and IT security teams with a quarterly list of noteworthy zero day vulnerabilities and exploits to software applications and IoT devices.

ZEROING IN

Cyber bounty hunters and hackers exposed critical flaws during the final quarter of 2016

Kacy Zurkus

Menlo Park, Calif. – Jan. 3, 2017

Microsoft patched several holes while tensions rose in the tech world after Google disclosed a Microsoft zero day before it had been patched. Adobe patched nearly 100 vulnerabilities in the final quarter of 2016, with 83 patches in October alone.

Some of those patches, though, arrived only after attackers had already taken advantage of the flaw, turning a critical vulnerability into an exploit in the wild, something no developer wants to hear.

An ever-increasing amount of new code and a robust underworld economy will be stoking the market in 2017 for zero-day vulnerabilities, according to Cybersecurity Ventures’ newly released annual Zero Day Report.

ZERO DAY LIST

December

Dec. 28. The research team at Check Point disclosed three zero-day vulnerabilities in the unserialize mechanism of PHP 7, the web programming language behind a large majority of websites.

Dec. 19. Gaining a foothold in a Linux program can let attackers move deeper into the operating system, giving an exploit far greater potential to end in data exfiltration.

Dec. 19. Noting that criminals can now purchase zero-day exploits, industry leaders face the future of cyberwar and prepare for the unexpected.

Dec. 15. Opening, or merely browsing a directory containing, a crafted music file could compromise a Linux desktop. A second zero-day exploit against Fedora 25, released by Chris Evans, is described as a ‘classic drive-by’.

Dec. 15. Advanced persistent threat groups spied on users in Europe and Turkey using the Wingbird backdoor, which Microsoft links to FinFisher, delivered through a zero-day exploit.

Dec. 13. Microsoft patched another 31 vulnerabilities across multiple product lines; the Flash zero-day was one of four zero-day vulnerabilities rated critical.


Dec. 9. Vulnerabilities and backdoors in video cameras from multiple manufacturers continue to raise security concerns, since the devices can be conscripted into IoT botnets and used to launch massive DDoS attacks.

Dec. 9. Hackers imply that they exploited a zero-day vulnerability when they hacked into the Twitter account of Indian tycoon Vijay Mallya.

Dec. 7. Concern over vulnerabilities in IoT devices continues to grow: the multiplying number of connected devices coming to market only widens the attack surface, particularly for zero-day bugs.

Dec. 7. Among the many predictions experts made for 2017: novel zero-day reflection and amplification attacks will appear more frequently, enabling more sophisticated and targeted attacks.

Dec. 6. Security experts and researchers weigh in on a call for consensus on responsible disclosure guidelines for reporting zero-days.  

Dec. 6. Critics in the Netherlands object to the Dutch government granting police and intelligence agencies permission to exploit zero-day vulnerabilities, calling the decision a cover for surveillance programs.

Dec. 6. Vulnerable IP cameras go unpatched as two zero-days are exploited, allowing hackers to spy on computer users and take over the device.

Dec. 5. Stiff competition at HITCON CTF 2016 results in the discovery of three zero-day vulnerabilities and a $10,000 win for Korea’s Cykorkinesis.

Dec. 4. In response to the zero-day security issues Adobe Flash has experienced, Google Chrome makes HTML5 the default in place of Flash.

Dec. 1. An exploit targeting Tor users is deemed a near-perfect replica of the zero-day bug the FBI used to identify anonymous users, leading some to question whether the Feds developed it.

November

Nov. 29. The Mac Observer gives kudos to Apple for its handling of zero-day exploits, having produced a fix for the issues in just ten days.

Nov. 29. Tor users find themselves under attack from a zero-day exploit in the wild that executed malicious code through the Firefox browser.

Nov. 28. Customers of the ISPs Deutsche Telekom and Eircom were targeted through their home routers by a Mirai variant probing TCP port 7547, the TR-069 remote-management port the routers left reachable from the Internet; the wave of exploit attempts caused a weekend service outage.

Nov. 28. Antonio Sanso, a senior software engineer at Adobe, disclosed a vulnerability in PayPal’s OAuth implementation that allowed him to bypass its redirect URI validation and obtain a client token.
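The item above names a validation bypass in an OAuth authorization flow without describing it. As an added illustration, and not Sanso’s write-up or PayPal’s code, here is the check every authorization server has to get right: the redirect URI must match a registered value exactly, and on failure the user must not be redirected to the caller-supplied URI at all. The client registry, client IDs and URIs below are constructed for the example; `weak_redirect_check` shows the substring-style matching that lets an attacker smuggle a registered URI inside one they control.

```python
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed client registry for this example (not PayPal's data): each
# client_id maps to the exact redirect URIs it registered at creation time.
REGISTERED_CLIENTS = {
    "client-123": {"https://app.example.com/oauth/callback"},
}


def weak_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Loose check: accept the URI if a registered value appears anywhere in it.

    Substring (or prefix) matching is a classic bypass: an attacker-controlled
    host that embeds the registered URI in a query string, or a path that
    traverses out of the callback into an open redirect, both pass.
    """
    registered = REGISTERED_CLIENTS.get(client_id, set())
    return any(reg in redirect_uri for reg in registered)


def strict_redirect_check(client_id: str, redirect_uri: str) -> bool:
    """Exact-match check: the URI must be a plain https URL with no fragment
    and be byte-for-byte equal to one of the client's registered values."""
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    return redirect_uri in REGISTERED_CLIENTS.get(client_id, set())


def authorize(client_id: str, redirect_uri: str, state: str) -> tuple[str, str]:
    """Authorization-endpoint decision.

    Returns ("redirect", location) only when the redirect URI passed the strict
    check; otherwise ("error", reason). On error the user is shown an error
    page rather than being sent to the unvalidated URI, so a bad redirect_uri
    can never carry an authorization code off-site.
    """
    if client_id not in REGISTERED_CLIENTS:
        return ("error", "unknown client")
    if not strict_redirect_check(client_id, redirect_uri):
        return ("error", "redirect_uri does not match a registered value")
    # Registered URIs in this example carry no query string, so appending
    # "?code=...&state=..." is safe; merge parameters if yours do.
    code = secrets.token_urlsafe(32)
    return ("redirect", redirect_uri + "?" + urlencode({"code": code, "state": state}))


if __name__ == "__main__":
    attacker = "https://evil.example.net/?next=https://app.example.com/oauth/callback"
    print("weak  :", weak_redirect_check("client-123", attacker))    # True
    print("strict:", strict_redirect_check("client-123", attacker))  # False
    print(authorize("client-123", "https://app.example.com/oauth/callback", "xyz"))
```

The strict check compares the whole string, not the parsed host, because normalization differences (trailing slashes, encoded characters, userinfo before an `@`) are exactly where parser-based comparisons go wrong.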

Nov. 28. Vanity Fair spotlights the evolution of zero-days, going back to the days of old when hackers held onto their discoveries. In telling the story of a grad student who discovered spyware that could control the iPhone, they take a look at how zero day exploits have changed.

Nov. 24. Zeus-type malware used to target African and Asian banks delivers a zero-day to users through phishing emails and social engineering.

Nov. 16. Dark Reading’s Radio invites leaders in the security industry to engage in a live discussion, debating the benefits and drawbacks of bug bounty programs, responsible disclosure, and the “gray market” in zero day vulnerabilities.


Nov. 10. In only 18 seconds, South Korean security researchers chained two different vulnerabilities to hack Microsoft Edge at PwnFest 2016 in Seoul.

Nov. 9. Pawn Storm cast a wide net in its attempt to exploit a zero-day vulnerability discovered in Adobe Flash. Between late October and early November, the espionage group targeted several governments worldwide with spear-phishing campaigns that chained the Flash and Windows vulnerabilities.

Nov. 9. In response to the criticism over the time it took for Microsoft to respond to the zero-day vulnerability exploited by Fancy Bear, security experts debate over responsible disclosure.

Nov. 8. After nearly two weeks of internally testing solutions to the zero-day Flash and Windows Kernel vulnerabilities, Microsoft released a patch for their troublesome duo of flaws.

Nov. 7. Belkin issues firmware updates for the flaws discovered in its WeMo home-automation devices.

Nov. 3. At Black Hat Europe 2016, Invincea Labs presented how it found two zero-day vulnerabilities in an Android companion app for an IoT device, a first in IoT security research.

Nov. 2. Apple challenges the reporting time frame of Google’s Project Zero program, which aims to not only identify but fix zero-day vulnerabilities in popular software.

Nov. 2. Tensions rise in the tech industry as two of the largest enterprises disagree on the timing of when the Microsoft vulnerability was made public.

Nov. 1. With Microsoft still not having issued a fix, Google went public with the vulnerability because users were under attack by a group widely attributed to Russian intelligence.

Nov. 1. Microsoft issues an advisory recognizing that the same group that hacked the DNC was exploiting the win32k.sys vulnerability identified by Google.

October

Oct. 31. Nearly 10 days after Google privately reported a flaw in the Windows kernel, the zero-day vulnerability was used in attacks.

Oct. 27. Security researchers at the 2016 Mobile Pwn2Own event in Tokyo exploited a fully patched Google Nexus 6P, along with other fully patched devices.

Oct. 27. Few in the tech industry were surprised to learn of yet another vulnerability discovered in Flash Player that allows attackers to remotely execute code and take control of a compromised system.  

Oct. 26. Urgent call for Windows users to update as soon as possible as malware exploits a newly discovered vulnerability.

Oct. 26. Art reflects reality in the new season of VICELAND’s series CYBERWAR. Its first episode, “The Zero-day Market,” examines the growing market for zero-days.

Oct. 24. The Ruxcon hacking conference in Melbourne reveals flaws in wireless keyboards and mice that cannot be patched in shipped units but will be fixed in newer versions.

Oct. 21. ESET reveals the extensive hacking activity of the group known variously as Fancy Bear and Pawn Storm, among other names. Beyond having at least six zero-day exploits at its disposal in the DNC hack, the group has also targeted embassies, academics, and political groups worldwide.

Oct. 17. A $5,000,000 happy birthday celebration for Facebook’s bug bounty program seems a little pricey, but over the past five years researchers have earned hefty sums for discovering more than 900 bugs and zero day vulnerabilities.


Oct. 17. Censorship questions over reporting issues were tweeted out after IBM asked researcher, Maurizio Agazzini, to refrain from releasing sections of his disclosure that list the exploits.

Oct. 12. An Internet Explorer vulnerability, CVE-2016-3298, serves as a reminder to take care when clicking: exploiting it requires the attacker to trick targets into opening attachments or visiting malicious websites.

Oct. 12. Hackers get busy exploiting four Microsoft zero-day vulnerabilities through malvertising campaigns, evading researchers by fingerprinting target systems before delivering the exploit.

Oct. 11. Of the 45 vulnerabilities Microsoft addressed under its new cumulative-update model for October’s Patch Tuesday, five were rated critical and were zero-day flaws.

Oct. 3. Dell EMC customers were issued patches after Digital Defense discovered five zero-day vulnerabilities in Dell EMC’s vApp Manager for Unisphere for VMAX, a web application used to manage all of EMC’s storage platforms.

Oct. 2. A vulnerability in the JPEG 2000 image format, reported by Cisco Talos, posed risks that, if exploited, could have had serious impact. Because the format is used to exchange images across many applications and hosts, an attacker could deliver a malicious file through email or cloud storage.

Stay tuned for the Q1 2017 edition of the Zero Day Diary.

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.


© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.
