Hot on the heels of this month’s security bulletin , a new vulnerability exploit surfaces with a malware in tow. The new zero-day vulnerability, as described in a previous post, prompted Microsoft to release Security Advisory (981374) while investigations are still underway

See the original post:
New IE Zero-Day Exploit (CVE-2010-0806)

Microsoft schedules its security updates on the second Tuesday of the month. Adobe recently began following this schedule as well, and while there are no Adobe updates today, there was an out-of-cycle security update two weeks ago.

Originally posted here:
PDF Based Targeted Attacks are Increasing

Another Proof-of-Concept (POC) Revealed The changing threat landscape has brought about more sophisticated Web threats, and left the online population clamoring for better security features in the systems and applications that they use. This has pushed Microsoft to develop security mechanisms within its applications like Windows’ Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR) . Both DEP and ASLR are security mechanisms that Microsoft included in its latest Windows releases starting with XP SP2 and Vista, respectively, which should ideally protect systems from being attacked by exploit codes.

Excerpt from:
New Exploit Bypasses DEP

Asking for help in Windows could lead to more trouble. A newly discovered vulnerability in Internet Explorer (IE) leverages the ability of a Visual Basic script to invoke a .HLP (Windows Help file format) file, which could give a remote attacker the ability to run arbitrary code on an affected system. Visual Basic uses the following syntax to call the MsgBox function , which is used to display message boxes: MsgBox(prompt[,buttons][,title][,helpfile,context]) However, if a specially crafted .HLP file passes as a variable, remote users would be able to run arbitrary code on an affected system

View original post here:
Calling Windows for Help May Lead to Vulnerability

Within days of Adobe’s release of out-of-band security updates for both Acrobat and Reader, word now comes from security researcher Aviv Raff, of another new vulnerability in an Adobe product. The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader ) to users’ systems.

View original post here:
New Adobe Download Manager Bug

Since the beginning of the year, Adobe and Microsoft have been under a bad light since most of the most recent attacks notably exploited the two companies’ software vulnerabilities. Adobe Reader and Acrobat, in particular, are currently cybercriminals’ favorite targets.

Read the original:
Adobe Releases Out-of-Band Patch for Adobe Reader and Acrobat

A recent study published by 7Safe, UK Security Breach Investigations Report , analyzed 62 cybercrime breach investigation and states that in “86% of all attacks, a weakness in a web interface was exploited ” (vs 14% infrastructure) and the attackers were predominately external (80%). These results are largely consistent with the US-based Verizon Data Breach Incident Report (2008) which tracks over 500 cases

See original here:
Infrastructure vs. Application Security Spending

As previously announced in the Microsoft Security Bulletin Advance Notification released last week, this month’s patch cycle includes 13 bulletins intended to patch 26 vulnerabilities in several versions of Windows OS and Office . The record release is a far cry from last month’s lone patch . The long list includes five bulletins rated “critical,” which specifically patch nine vulnerabilities that could lead to remote code execution

Originally posted here:
February Patch Tuesday—13 Security Bulletins for 26 Vulnerabilities Plus a FAKEAV

Just the other day, news of an exploit used to target a 0-day vulnerability in Internet Explorer ( BID 37815 ) was announced.

Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails, etc. Not to be confused with individual vulnerability instances brandishing CVE numbers, nor intrusions / incidents, but actual new methods of Web attack. Some techniques target websites, others Web browsers, and the rest somewhere in between.

More:
Top Ten Web Hacking Techniques of 2009 (Official)