Showing results for tags 'security patch'.

Found 12 results

  1. Apple has released security updates to fix this year's first zero-day vulnerability, tagged as actively exploited in attacks targeting iPhone users.

     The zero-day fixed today is tracked as CVE-2025-24085 [iOS/iPadOS, macOS, tvOS, watchOS, visionOS] and is a privilege escalation security flaw in Apple's Core Media framework.

     "A malicious application may be able to elevate privileges. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 17.2," Apple said today.

     According to the company's official documentation, Core Media "defines the media pipeline used by AVFoundation and other high-level media frameworks found on Apple platforms."

     Apple has fixed CVE-2024-23222 with improved memory management in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3.

     The list of devices impacted by this zero-day is quite extensive, as the bug affects older and newer models, including:

       • iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later
       • macOS Sequoia
       • Apple Watch Series 6 and later
       • Apple TV HD and Apple TV 4K (all models)

     Apple has yet to attribute the discovery of this security vulnerability to a security researcher and has not published details regarding attacks, even though it disclosed that it is exploited in the wild.

     While this zero-day bug was likely only exploited in targeted attacks, it is highly advised to install today's security updates as soon as possible to block potentially ongoing attack attempts.

     Last year, the company fixed a total of six zero-days, the first in January, two in March, a fourth in May, and two more in November.

     One year before, in 2023, Apple patched 20 zero-day flaws exploited in the wild, including:

       • two zero-days (CVE-2023-42916 and CVE-2023-42917) in November
       • two zero-days (CVE-2023-42824 and CVE-2023-5217) in October
       • five zero-days (CVE-2023-41061, CVE-2023-41064, CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) in September
       • two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
       • three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
       • three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
       • two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
       • and another WebKit zero-day (CVE-2023-23529) in February

     Source

     Hope you enjoyed this news post. Thank you for appreciating my time and effort posting news every day for many years. News posts... 2023: 5,800+ | 2024: 5,700+

     RIP Matrix | Farewell my friend
  2. A high-severity vulnerability in the 7-Zip file archiver allows attackers to bypass the Mark of the Web (MotW) Windows security feature and execute code on users' computers when extracting malicious files from nested archives.

     7-Zip added support for MotW in June 2022, starting with version 22.00. Since then, it has automatically added MotW flags (special 'Zone.Id' alternate data streams) to all files extracted from downloaded archives.

     This flag informs the operating system, web browsers, and other applications that files may come from untrusted sources and should be treated with caution.

     As a result, when double-clicking risky files extracted using 7-Zip, users will be warned that opening or running such files could lead to potentially dangerous behavior, including installing malware on their devices.

     Microsoft Office will also check for the MotW flags, and if found, it will open documents in Protected View, which automatically enables read-only mode and disables all macros.

     [Image: Launching a downloaded executable with a MoTW flag (BleepingComputer)]

     However, as Trend Micro explained in an advisory published over the weekend, a security flaw tracked as CVE-2025-0411 can let attackers bypass these security warnings and execute malicious code on their targets' PCs.

     "This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file," Trend Micro says.

     "The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user."

     Luckily, 7-Zip developer Igor Pavlov has already patched this vulnerability on November 30, 2024, with the release of 7-Zip 24.09.

     "7-Zip File Manager didn't propagate Zone.Identifier stream for extracted files from nested archives (if there is open archive inside another open archive)," Pavlov said.

     Similar flaws exploited to deploy malware

     However, since 7-Zip doesn't have an auto-update feature, many users are likely still running a vulnerable version that threat actors could exploit to infect them with malware.

     All 7-Zip users should patch their installs as soon as possible, considering that such vulnerabilities are often exploited in malware attacks.

     For instance, in June, Microsoft addressed a Mark of the Web security bypass vulnerability (CVE-2024-38213) that DarkGate malware operators have exploited in the wild as a zero-day since March 2024 to circumvent SmartScreen protection and install malware camouflaged as installers for Apple iTunes, NVIDIA, Notion, and other legitimate software.

     The financially motivated Water Hydra (aka DarkCasino) hacking group has also exploited another MotW bypass (CVE-2024-21412) in attacks targeting stock trading Telegram channels and forex trading forums with the DarkMe remote access trojan (RAT).

     Source
  3. If you are running an Ubuntu-based operating system such as Ubuntu, Kubuntu, Lubuntu, and even Linux Mint, you really need to apply available updates to patch the rsync package. Fixes have just been issued to address numerous vulnerabilities that allow remote code execution and affect servers and client machines.

     Highlighting the issues, Canonical says:

     If you are on Ubuntu 16.04 LTS or above, the unattended-upgrades feature is enabled by default, which means these security updates will be applied within 24 hours of them being available. If you've switched that off or are using another distribution, then you might have to get the update yourself via your update manager or the terminal.

     To update via the terminal, enter the following command and input your password when requested:

         sudo apt update && sudo apt upgrade

     If you can't upgrade all packages and want to just update rsync then you can use the following command:

         sudo apt update && sudo apt install --only-upgrade rsync

     If you're wondering whether you really need to update the rsync package now, the answer is yes, you should do it as soon as possible. It can impact both servers and end user computers, and it can all be done remotely.

     The fixed packages for each Ubuntu release are as follows:

         Release               Package Name   Fixed Version
         Trusty (14.04 LTS)    rsync          3.1.0-2ubuntu0.4+esm1
         Xenial (16.04 LTS)    rsync          3.1.1-3ubuntu1.3+esm3
         Bionic (18.04 LTS)    rsync          3.1.2-2.1ubuntu1.6+esm1
         Focal (20.04 LTS)     rsync          3.1.3-8ubuntu0.8
         Jammy (22.04 LTS)     rsync          3.2.7-0ubuntu0.22.04.3
         Noble (24.04 LTS)     rsync          3.2.7-1ubuntu1.1
         Oracular (24.10)      rsync          fix not available

     You can open the terminal and run dpkg -l rsync to check if you have the updated package. If you have a lower version, open up the update manager and look to see if the update is available. This package comes pre-installed on most Ubuntu-based systems so it's important for everyone to check that they're updated.

     Source
  4. At the end of last month, Microsoft quietly released a security update for its oldest Windows 10 version, 1507. The update is meant to address a local elevation of privilege (LPE) flaw that could happen as a result of the exploitation of a Group Policy flaw.

     The patch is deployed via an update to the Remote Server Administration Tools (RSAT) for Windows Server 2016. For those who may not be aware, RSAT is a remote server management tool for IT and system administrators that they can control from a Windows 10 PC, in this case.

     The security vulnerability has been rated 7.0 as the base score and 6.1 as the temporal score on the CVSS (Common Vulnerability Scoring System), and is tracked under "CVE-2024-20657."

     In its support document, Microsoft writes:

     In case you are wondering, the update should be installed automatically via Windows Update. However, users can also download and install it manually from the Microsoft Update catalog website at this link.

     It is also available from the Microsoft Download Center website via an update to RSAT. The file size for the 64-bit version is 54.2 MB and that of the 32-bit version is 33 MB. You can install it by downloading it from the Download Center here.

     Source
  5. Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users.

     "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory issued on Wednesday.

     The zero-day (CVE-2023-42824) is caused by a weakness discovered in the XNU kernel that enables local attackers to escalate privileges on unpatched iPhones and iPads.

     While Apple said it addressed the security issue with improved checks, it has yet to reveal who found and reported the flaw.

     The list of impacted devices is quite extensive, and it includes:

       • iPhone XS and later
       • iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

     Apple also addressed a zero-day tracked as CVE-2023-5217 and caused by a heap buffer overflow weakness in the VP8 encoding of the open-source libvpx video codec library, which could allow arbitrary code execution following successful exploitation.

     The libvpx bug was previously patched by Google in the Chrome web browser and by Microsoft in its Edge, Teams, and Skype products.

     CVE-2023-5217 was discovered by security researcher Clément Lecigne who is part of Google's Threat Analysis Group (TAG), a team of security experts known for often finding zero-days abused in government-backed targeted spyware attacks targeting high-risk individuals.

     17 zero-days exploited in attacks fixed this year

     CVE-2023-42824 is the 17th zero-day vulnerability exploited in attacks that Apple has fixed since the start of the year.

     Apple also recently patched three other zero-day bugs (CVE-2023-41991, CVE-2023-41992, and CVE-2023-41993) reported by Citizen Lab and Google TAG researchers and exploited in spyware attacks to install Cytrox's Predator spyware.

     Citizen Lab disclosed two other zero-days (CVE-2023-41061 and CVE-2023-41064)—fixed by Apple last month—abused as part of a zero-click exploit chain (dubbed BLASTPASS) to infect fully patched iPhones with NSO Group's Pegasus spyware.

     Since January 2023, Apple has addressed a total of 17 zero-days exploited to target iPhones and Macs, including:

       • two zero-days (CVE-2023-37450 and CVE-2023-38606) in July
       • three zero-days (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439) in June
       • three more zero-days (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373) in May
       • two zero-days (CVE-2023-28206 and CVE-2023-28205) in April
       • and another WebKit zero-day (CVE-2023-23529) in February

     Source
  6. Microsoft has updated Edge Stable today to version 93.0.961.52. The update is an out-of-band update that fixes a serious security issue that was being exploited in the wild.

     The security update addresses eight vulnerabilities, including CVE-2021-30633, which is a Use After Free in Indexed DB API bug. Microsoft has not released the exact details of the exploit, but its severity is rated High. Google fixed the same bug in Chromium 2 days ago.

     You can download the update simply by restarting your browser.

     via DesktopModder

     Microsoft Edge Stable updated to version 93.0.961.52 with important security fix
  7. Microsoft has released a security update to fix the last remaining PrintNightmare zero-day vulnerabilities that allowed attackers to gain administrative privileges on Windows devices quickly.

     In June, a zero-day Windows print spooler vulnerability dubbed PrintNightmare (CVE-2021-34527) was accidentally disclosed. This vulnerability exploits the Windows Point and Print feature to perform remote code execution and gain local SYSTEM privileges.

     While Microsoft released two security updates to fix various PrintNightmare vulnerabilities, another vulnerability publicly disclosed by security researcher Benjamin Delpy still allowed threat actors to quickly gain SYSTEM privileges simply by connecting to a remote print server.

     As demonstrated below, Delpy's vulnerability abused the CopyFiles directive to copy and execute malicious DLL using SYSTEM privileges when a user installed a remote printer. Once the exploit launched the DLL, it would open a console Window where all commands are executed with SYSTEM privileges.

     To make matters worse, ransomware gangs, such as Vice Society, Magniber, and Conti, began utilizing the bug to gain elevated privileges on compromised devices.

     This remaining PrintNightmare vulnerability is tracked as CVE-2021-36958 and is attributed to Victor Mata of FusionX, Accenture Security, who privately disclosed the bug to Microsoft in December 2020.

     New security update fixes PrintNightmare bug

     In today's September 2021 Patch Tuesday security updates, Microsoft has released a new security update for CVE-2021-36958 that fixes the remaining PrintNightmare vulnerability.

     Delpy, who tested his exploit against the new security update, confirmed to BleepingComputer that the bug is now fixed.

     In addition to fixing the vulnerability, Delpy told BleepingComputer that Microsoft has disabled the CopyFiles feature by default and added an undocumented group policy that allows admins to enable it again.

     This policy can be configured in the Windows Registry under HKLM\Software\Policies\Microsoft\Windows NT\Printers key and by adding a value named CopyFilesPolicy. When set to '1', CopyFiles will be enabled again.

     However, even when enabled, Delpy told BleepingComputer that it would only allow Microsoft's C:\Windows\System32\mscms.dll file to be used with this feature.

     [Image: Checking the Windows Registry for the CopyFilesPolicy. Source: Benjamin Delpy]

     As this change will affect the default behavior of Windows, it is unclear what issues it will cause when printing in Windows.

     Microsoft has not released any information on this new group policy at this time, and it is not available in the Group Policy Editor.

     In addition to the PrintNightmare vulnerability, today's updates also fix an actively exploited Windows MSHTML zero-day vulnerability.

     As both of these vulnerabilities are known to be abused by the threat actors in attacks, it is critical to install today's Patch Tuesday security updates as soon as possible.

     Microsoft fixes remaining Windows PrintNightmare vulnerabilities
  8. Microsoft today fixed a high severity zero-day vulnerability actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers.

     The remote code execution (RCE) security flaw, tracked as CVE-2021-40444, was found in the MSHTML Internet Explorer browser rendering engine used by Microsoft Office documents.

     According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.

     "Microsoft has released security updates to address this vulnerability," the company said today in an advisory update published as part of this month's Patch Tuesday.

     "Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately."

     Security updates released after built-in defenses bypassed

     The targeted attacks detected by Microsoft tried to exploit the vulnerability by sending specially-crafted Office documents with malicious ActiveX controls to potential victims.

     Luckily, these attacks were thwarted if Microsoft Office ran with the default configuration, which opens untrusted documents in Protected View mode (or with Application Guard for Office 365 customers).

     However, as CERT/CC vulnerability analyst Will Dormann later told BleepingComputer, this built-in protection against CVE-2021-40444 exploits would likely be bypassed either by users ignoring Protected View warnings or by attackers delivering the malicious documents bundled within 7Zip archives or ISO containers.

     If the document is in a container that is processed by something that is not MotW-aware, then the fact that the container was downloaded from the Internet will be moot. For example, if 7Zip opens an archive that came from the Internet, the extracted contents will have no indication that it came from the Internet. So no MotW, no Protected View.

     Similarly, if the document is in a container like an ISO file, a Windows user can simply double-click on the ISO to open it. But Windows doesn't treat the contents as having come from the Internet. So again, no MotW, no Protected View.

     This attack is more dangerous than macros because any organization that has chosen to disable or otherwise limit Macro execution will still be open to arbitrary code execution simply as the result of opening an Office document. - Will Dormann

     Furthermore, Dormann also found that threat actors could exploit this vulnerability using maliciously-crafted RTF files, which don't benefit from Office's Protected View security feature.

     [Image: Word document opened in Protected View]

     How to apply the security updates

     Today's security updates address the vulnerability for all affected versions of Windows and include a Monthly Rollup, a Security Only update, and an Internet Explorer cumulative update.

     "Customers running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates," according to Microsoft.

     "The Monthly Rollup for Windows 7, Windows Server 2008 R2, and Windows Server 2008 includes the update for this vulnerability. Customers who apply the Monthly Rollup do not need to apply the IE Cumulative update.

     "Customers who only apply Security Only updates need to also apply the IE Cumulative update to be protected from this vulnerability."

     BleepingComputer independently confirmed that known CVE-2021-40444 exploits no longer work after applying today's patches.

     Those who cannot immediately apply today's security updates should implement Microsoft's workarounds (disabling ActiveX controls via Group Policy and preview in Windows Explorer) to reduce the attack surface.

     Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug
  9. A free unofficial patch has been released to protect Windows users from all new PrintNightmare zero-day vulnerabilities discovered since June.

     Technical details and a proof-of-concept (PoC) exploit for a new Windows print spooler vulnerability named 'PrintNightmare' (CVE-2021-34527) was accidentally disclosed in June. This vulnerability allows remote code execution and local privilege escalation by installing malicious printer drivers.

     While Microsoft released a security update for the remote code execution portion, researchers quickly bypassed the local privilege elevation component.

     Since then, security researcher and Mimikatz creator Benjamin Delpy has been devising further vulnerabilities targeting the print spooler that remain unpatched.

     These are critical vulnerabilities as they allow anyone to gain SYSTEM privileges on a local device, even a Domain Controller, simply by connecting to a remote Internet-accessible print server and installing a malicious print driver.

     Once a threat actor gains SYSTEM privileges, it is game over for the system. If this is done on a Domain Controller, then the threat actor now effectively controls the Windows Domain.

     Free PrintNightmare micropatch released

     Mitigations for the zero-day PrintNightmare vulnerabilities are already available through the 'PackagePointAndPrintServerList' group policy, which allows you to specify a white list of approved print servers that can be used to install a print driver.

     Enabling this policy, along with a fake server name, will effectively block Delpy's exploits as the print server will be blocked.

     However, for those who want to install a patch and not try to understand advisories and fiddle with group policies, Mitja Kolsek, co-founder of the 0patch micropatching service, has released a free micropatch that can be used to fix all known PrintNightmare vulnerabilities.

     "We therefore decided to implement the group policy-based workaround as a micropatch, blocking Point and Print printer driver installation from untrusted servers. This workaround employs Group Policy settings: the "Only use Package Point and Print" first requires every printer driver is in form of a signed package, while the "Package Point and print - Approved servers" limits the set of servers from which printer driver packages are allowed to be installed." Kolsek explains in a blog post.

     "These settings are configurable via registry. Our patch modifies function DoesPolicyAllowPrinterConnectionsToServer in win32spl.dll such that it believes that PackagePointAndPrintOnly and PackagePointAndPrintServerList values exist and are set to 1, which enables both policies and keeps the list of approved servers empty."

     You need to register a 0patch account and then install an agent on your Windows device to install the patch. Once installed, 0patch will automatically protect you from the PrintNightmare vulnerability and other unpatched bugs.

     [Image: 0patch protecting against the PrintNightmare vulnerabilities. Source: BleepingComputer]

     In a test by BleepingComputer, once installed, if you attempt to install Delpy's malicious PrintNightmare driver, a message will appear stating that a policy has blocked the computer from connecting to the print queue, as shown below.

     [Image: 0patch blocking PrintNightmare vulnerability. Source: BleepingComputer]

     While 0patch is an essential tool for blocking unpatched vulnerabilities, Delpy says that, in this particular case, enabling the group policies that blocks exploitation of all known PrintNightmare bugs might be a better approach.

     "If you push binaries to a computer to push settings … you can also push settings," Delpy told BleepingComputer.

     "Doing so avoids altering process in memory, always a dangerous stuff that security product don't like (and MS does not support...)."

     New Windows PrintNightmare zero-days get free unofficial patch
  10. Apple has released Safari 15.6.1 for macOS Big Sur and Catalina to fix a zero-day vulnerability exploited in the wild to hack Macs.

      The zero-day patched today (CVE-2022-32893) is an out-of-bounds write issue in WebKit that could allow a threat actor to execute code remotely on a vulnerable device.

      "Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited," warns Apple in a security bulletin released today.

      An out-of-bounds write vulnerability is when an attacker can supply input to a program that causes it to write data past the end or before the beginning of a memory buffer.

      This causes the program to crash, corrupt data, or in the worst-case scenario, remote code execution. Apple says they fixed the bug through improved bounds checking.

      Apple says the vulnerability was disclosed by a researcher who wishes to remain anonymous.

      This zero-day vulnerability is the same one that was patched by Apple yesterday for macOS Monterey and iPhone/iPads.

      Apple has not provided details on how the vulnerability is being used in attacks other than saying that it "may have been actively exploited."

      This is the seventh zero-day vulnerability fixed by Apple in 2022, with the previous bugs outlined below:

        • In March, Apple patched two more zero-day bugs that were used in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
        • In January, Apple patched two more actively exploited zero-days that allowed attackers to execute code with kernel privileges (CVE-2022-22587) and track web browsing activity (CVE-2022-22594).
        • In February, Apple released security updates to fix a new zero-day bug exploited to hack iPhones, iPads, and Macs.

      Apple releases Safari 15.6.1 to fix zero-day bug used in attacks
  11. D-Link has fixed critical vulnerabilities in three popular wireless router models that allow remote attackers to execute arbitrary code or access the devices using hardcoded credentials.

      The impacted models are popular in the consumer networking market, especially among users looking for high-end WiFi 6 routers (DIR-X) and mesh networking systems (COVR).

      The bulletin lists five vulnerabilities, three of which are rated critical, in the following firmware: COVR-X1870 (non-US) firmware versions v1.02 and below, DIR-X4860 (worldwide) on v1.04B04_Hot-Fix and older, and DIR-X5460 (worldwide) running firmware v1.11B01_Hot-Fix or older.

      The five flaws and their associated advisories are listed below:

        • CVE-2024-45694 (9.8 critical): Stack-based buffer overflow, allowing unauthenticated remote attackers to execute arbitrary code on the device.
        • CVE-2024-45695 (9.8 critical): Another stack-based buffer overflow allowing unauthenticated remote attackers to execute arbitrary code.
        • CVE-2024-45696 (8.8 high): Attackers can forcibly enable the telnet service using hard-coded credentials within the local network.
        • CVE-2024-45697 (9.8 critical): Telnet service is enabled when the WAN port is plugged in, allowing remote access with hard-coded credentials.
        • CVE-2024-45698 (8.8 high): Improper input validation in the telnet service allows remote attackers to log in and execute OS commands with hard-coded credentials.

      To fix the flaws, D-Link recommends customers upgrade to v1.03B01 for COVR-X1870, v1.04B05 for DIR-X4860, and DIR-X5460A1_V1.11B04 for DIR-X5460.

      D-Link says it learned of the flaws from the country's CERT (TWCERT) on June 24 but was not given the standard 90-day period to fix the flaws before they were disclosed.

      "When D-Link became aware of the reported security issues, we promptly started investigating and developing security patches," D-Link stated in its security bulletin.

      "The third-party publicly disclosed the problem before the patches were available on our standard 90-day security patch release schedule. We do not recommend that security researchers act in this manner, as they expose end-users to further risks without patches being available from the manufacturer."

      BleepingComputer has not been able to find any previous public disclosure of these vulnerabilities and has contacted D-Link to learn more.

      D-Link has not reported any in-the-wild exploitation of the flaws, but as D-Link is commonly targeted by malware botnets, installing the security updates remains crucial.

      Source
  12. A cybersecurity researcher is urging users to upgrade Adobe Acrobat Reader after a fix was released yesterday for a remote code execution zero-day with a public in-the-wild proof-of-concept exploit.

      The flaw is tracked as CVE-2024-41869 and is a critical use after free vulnerability that could lead to remote code execution when opening a specially crafted PDF document.

      A "use after free" bug is when a program tries to access data in a memory location that has already been freed or released. This causes unexpected behavior, such as a program crashing or freezing.

      However, if a threat actor is able to store malicious code in that memory location, and the program subsequently accesses it, it could be used to execute malicious code on the targeted device.

      The flaw has now been fixed in the latest Acrobat Reader and Adobe Acrobat versions.

      PoC exploit discovered in June

      The Acrobat Reader zero-day was discovered in June through EXPMON, a sandbox-based platform created by cybersecurity researcher Haifei Li to detect advanced exploits such as zero-days or hard-to-detect (unknown) exploits.

      "I created EXPMON because I noticed that there were no sandbox-based detection and analysis systems specifically focusing on detecting threats from an exploit or vulnerability perspective," Li told BleepingComputer.

      "All the other systems do detection from a malware perspective. The exploit/vulnerability perspective is much needed if you want to go more advanced (or, early) detection."

      "For example, if no malware is dropped or executed due to certain conditions, or if the attack does not use any malware at all, those systems would miss such threats. Exploits operate quite differently from malware, so a different approach is needed to detect them."

      The zero-day was discovered after a large number of samples from a public source were submitted to EXPMON for analysis. These samples included a PDF containing a proof-of-concept exploit that caused a crash.

      While the PoC exploit is a work in progress and contains no malicious payloads, it was confirmed to exploit a "use after free" bug, which could be used for remote code execution.

      After Li disclosed the flaw to Adobe, a security update was released in August. However, the update did not fix the flaw and could still be triggered after closing various dialogs.

      "We tested the (exactly the same) sample on the "patched" Adobe Reader version, it displayed additional dialogs, but if the user clicked/closed those dialogs, the app still crashed! Same UAF bug!," tweeted the EXPMON X account.

      Yesterday, Adobe released a new security update that fixes the bug, now tracked as CVE-2024-41869.

      Li will be releasing details on how the bug was detected on EXPMON's blog and further technical information in an upcoming Check Point Research report.

      Source