I know I am in the minority of this, and the only people that will reply are the ones that agree with me, but the term "zeroday" aka "0day" applies to an exploitable bug that has been publicly known about for exactly zero days. If there is a known flaw in that the attack has been reverse engineered and the info has been made public, not a 0day. If a patch exists, not a 0day. No, this isn't major, but I find it irritating when I hear it. I guess as an old schooler, I remember when 0days had value, particularly if you were trading them with your hacker friends in some dark corner of the Internet, and if admins or the vendor knew about it, it had diminished value, and that influences my thinking.
One other point, that's a number at the beginning of the term 0day, not a letter, so don't pronounce it "oh day", show some respect and call it "zero day".
Chromium 120.0.6099.129, for which the source code was released two days ago, repairs a zero-day vulnerability.
Zero-day means that the vulnerability is already actively exploited in the wild. Hopefully the last time this year, but it is already the 8th zero-day which was reported and fixed in Chromium. The new
📨 Latest issue of my curated #cybersecurity and #infosec list of resources for week #43/2023 is out! It includes the following and much more:
➝ 🇺🇸 🎰 Hackers that breached Las Vegas casinos rely on violent threats, research shows
➝ 🔓 🇺🇸 University of Michigan employee, student data stolen in #cyberattack
➝ 🔓 #1Password discloses security incident linked to #Okta breach
➝ 🇺🇸 Cyber attacks hit NY state #casino operation, two Hudson Valley hospitals
➝ 🇺🇸 🗳️ D.C. Board of Elections: Hackers may have breached entire voter roll
➝ 🔓 🇮🇪 Thousands of drivers have sensitive data exposed to hackers in major IT #breach
➝ 🇷🇺 📨 Pro-Russia hackers target inboxes with #0day in webmail app used by millions
➝ 🇫🇷 🇷🇺 #France says Russian state hackers breached numerous critical networks
➝ 🇳🇬 Nigerian Police dismantle #cybercrime recruitment, mentoring hub
➝ 🇵🇸 💸 #Palestine #crypto donation scams emerge amid Israel-Hamas war
➝ 🇪🇸 👮🏻‍♂️ #Spain arrests 34 #cybercriminals who stole data of 4 million people
➝ 🇨🇦 🇨🇳 #Canada: Lawmakers Targeted by China-Linked ‘#Spamouflage’ Disinformation
➝ 🇺🇸 🇷🇺 Ex-NSA Employee Pleads Guilty to Leaking Classified Data to #Russia
➝ 🦠 🇰🇵 N. Korean #Lazarus Group Targets Software Vendor Using Known Flaws
➝ 🦠 🇮🇷 Iranian Group #Tortoiseshell Launches New Wave of IMAPLoader #Malware Attacks
➝ 🦠 🪰 #StripedFly malware framework infects 1 million #Windows, #Linux hosts
➝ 🦠 📱 #iOS Zero-Day Attacks: Experts Uncover Deeper Insights into Operation Triangulation
➝ 🔓 📱 #Samsung Galaxy S23 hacked two more times at #Pwn2Own Toronto
➝ 🔓 Critical #OAuth Flaws Uncovered in #Grammarly, #Vidio, and #Bukalapak Platforms
➝ 🔓 🩺 Critical Flaw in NextGen's Mirth Connect Could Expose #Healthcare Data
➝ 🔓 #F5 Warns of Critical Remote Code Execution Vulnerability in BIG-IP
➝ 🔓 🍏 Hackers can force iOS and #macOS browsers to divulge #passwords and much more
➝ 🩹 #Citrix warns admins to patch #NetScaler CVE-2023-4966 bug immediately
➝ 🔓 ✌🏻 #Cisco Finds Second Zero-Day as Number of Hacked Devices Apparently Drops
➝ 🔓 Critical RCE flaws found in #SolarWinds access audit solution
📚 This week's recommended reading is: "Click Here to Kill Everybody: Security and Survival in a Hyper-connected World" by Bruce Schneier
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end ⬇️
PSA: @signalapp writes on #Twitter (where there is fewer and fewer public to announce to) that «After responsible investigation we have no evidence that suggests this vulnerability is real»
I would seriously consider disabling the "Generate Link Previews" feature in any critical communication applications you use. Such a feature typically leaks some information about your device (typically at least the IP address). Such features also increase the attack surface for little practical benefit. #advice #privacy #infosec #foreshadowing
UPDATE: According to Signal there is no 0-day vulnerability:
"After responsible investigation we have no evidence that suggests this vulnerability is real nor has any additional info been shared via our official reporting channels."
source: https://nitter.net/signalapp/status/1713789255359619171
-- Original message follows --
Okay, the cat is out of the bag: Signal app is said to have a 0day in the "Generate Link Previews" feature. Disable this feature until the fix is available. #0day #signalapp #vulnerability #infosec
It's times like these, when there's allegedly a vulnerability in a popular secure messaging app, when users might realize that having a software monoculture is probably not a good thing.
If different Signal clients were allowed to connect to the central Signal servers, it's possible at least some of their users might not be affected.
Apple released emergency security updates to patch a new zero-day security flaw exploited in attacks targeting iPhone and iPad users. #apple #security #update #iphone #0day
I suppose I won’t ask the silly question of Monday. If a bug bounty program paid security researchers at the time of disclosure, sit on the vulnerability with minimal effort to reach out to the software authors during 12 months and finally disclose.