
Update: Multiple 0-days in Internet Explorer

Update: HP clarified that the vulnerabilities apply only to Internet Explorer Mobile for Windows Phone.

Original: HP’s Zero Day Initiative (ZDI) just published four critical 0-day vulnerabilities in Internet Explorer: ZDI-15-359, 360, 361 and 362. All of them can result in Remote Code Execution. Microsoft exceeded the 120-day fix limit that ZDI enforces on such vulnerability disclosures.

It is unlikely that exploit code exists at the moment, and the vulnerabilities are difficult to reverse engineer because details are sparse. There is not much you can do at the moment, except refrain from using Internet Explorer. Stay tuned for updates.

June 2014 Patch Tuesday Preview and New OpenSSL MITM Issue – Update

Update: We have released QID 38602, a remote check for the OpenSSL issues. For a full list of QIDs (remote and authenticated), see QIDs for OpenSSL Security Advisory [05 Jun 2014].

Original: It’s the Thursday before June’s Patch Tuesday, and Microsoft’s Advance Notice has just gone live. In addition, there was an advisory about new fixes for OpenSSL, which comes quite soon after the Heartbleed vulnerability and the numerous exploits it enabled.


New Internet Explorer 8 0-day by ZDI

Yesterday the Zero Day Initiative (ZDI) made good on their stated Vulnerability Disclosure policy and published an advisory for a remote code execution vulnerability in Internet Explorer 8. ZDI had submitted the vulnerability to Microsoft in October 2013 and waited 180 days before going public. In this case 180 days meant April 9, 2014, the day after April Patch Tuesday.
