Microsoft has released a new patch for Internet Explorer. According to the Microsoft Security Advisory, the reason for the out-of-band release was that the vulnerability described in CVE-2010-0806, “Uninitilized Memory Corruption Vulnerability”, was being widely seen in the wild.

On March 10th the exploit was added to the MetaSploit Framework, and instructions on how to use the exploit immediately being spread on many hacker boards. It was first seen on the replacement for Milw0rm, XpltDB: Exploit-DB.com.

You can find some more info at Gary Warner’s blog (from where I got the news) or at Rec-Sec.com.

(more…)

A BIND denial of service (server crash) exploit was found in the wild. Upgrade immediately.

This vulnerability affects all servers that are masters for one or more zones – it is not limited to those that are configured to allow dynamic updates. Access controls will not provide an effective workaround.

More details at ISC.

Found at rec-sec.com:

As of June 1st, the Chinese government demands every personal computer in China to install or be sold with Green Dam Youth Escort Censorware program. Three security researchers – Scott Wolchok, Randy Yao, and J. Alex Halderman from University of Michigan have released an analysis of the Green Dam Censorware system, disclosing multiple vulnerabilities and weaknesses in it. You can read the whole story in the ZDNet Zero Day blog.

The vendor, Jinhui Computer System Engineering Ltd., already patched the vulnerabilities but you can still find vulnerable installations with Google if you want to test it.

One of the vulnerabilities disclosed in the security analysis is a remotely exploitable stack-based buffer overflow vulnerability in the way Green Dam process overly long URLs (OSVDB 55126). seer[N.N.U] posted a simple exploit for this vulnerability on milw0rm.

According to the latest Microsoft Security Intelligence Report, China is the world leading country in Malware distribution so I guess they deserve some pwning :P