Posts tagged Zero-day

3 min Exploits

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7

We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already be

4 min Exploits

Exploit Trends: August Java 0-day

Coming from August's Java 0-day release, there are three new Java exploits among the top 10 most searched Metasploit exploits and auxiliary modules in this month's trend list. The monthly statistics are drawn from our exploit database [http://www.metasploit.com/modules/] by analyzing webserver logs of searches on metasploit.com, not through Metasploit usage which is not tracked for privacy. Check out the top searched exploits and modules below, annotated with Tod Beardley's excellent comments

2 min Java

Weekly Metasploit Update: Java 0-Day, Meterpreter Network Commands, and More!

Time to chalk up one more victory for the forces of goodness and light in our struggle against secret 0-day. Java 0-Day Exploit Shipped If you pay any attention at all to the usual security news, you will have certainly already heard about how Accuvant's Josh "jduck" Drake and the Metasploit dev community pounced on the Java 0-Day [http://krebsonsecurity.com/2012/08/attackers-pounce-on-zero-day-java-exploit/], aka CVE-2012-4681, aka the Java 7 Applet RCE [http://metasploit.com/modules/exploit/m

1 min Metasploit

Let's start the week with a new Java 0-day in Metasploit

On late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck), we got our hands on that PoC [https://twitter.com/jduck1337/status/239875285913317376], and then once again, started our voodoo ritual. Within a couple of hours, we have a working exploit. Download Metasploit here [http://www.rapid7.com/downloads/metasploit.jsp], and apply the latest update

4 min Metasploit

Writing a Metasploit Exploit for the Adobe Flash Vulnerability CVE-2012-0779

Ever since the first sightings of a new zero-day attack (CVE-2012-0779 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0779]) on Adobe Flash last month, the exact path of exploitation has been somewhat of a mystery. The attacks were specifically targeted against defense contractors and other victims as part of a spear phishing attack, and included a Word document with a Flash (SWF) object. The infected machines were observed to contacting malicious servers in China, Korea, and the United

3 min Metasploit

Weekly Metasploit Update: Zero Days, Deprecated Commands, and More!

This week's release sees a quiet vulnerability fix, an exploit against an unpatched vulnerability in Microsoft's XML Core Services, and some helpful new/old commands, as well as the usual pile of exploity goodness you've come to expect from the Metasploit kitchen. Vulnerabilities? In My Metasploit? It's more likely than you think. Like all reasonably complex software packages, Metasploit occasionally ships with security vulnerabilities. Lucky for us, our user base tends to be pretty sophisticat

3 min Metasploit

New Critical Microsoft IE Zero-Day Exploits in Metasploit

We've been noticing a lot of exploit activities against Microsoft vulnerabilities lately. We decided to look into some of these attacks, and released two modules for CVE-2012-1889 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1889] and CVE-2012-1875 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1875] within a week of the vulnerabilities' publication for our users to test their systems. Please note that both are very important to any organization using Windows, because one of

2 min Microsoft

Zero-Day Attacks: Don't Believe the Hype

Microsoft Security Intelligence Report Volume 11 [http://www.microsoft.com/security/sir/default.aspx] for the first half of 2011 offers solid evidence to support what security researchers have been shouting feverishly for the last year. This is just more data to confirm that zero-day attacks – while they can certainly cause damage – aren't needed for over 99% of actual attacks. The numbers also show that the top two attacks are user related. The top attack vector was attacks requiring user in