-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Metasploit Multiple Directory Traversal Vulnerabilities
Nexpose Information Disclosure and DLL Loading Remote Code Execution Vulnerabilities
Google Android Audioserver Multiple Privilege Escalation Vulnerabilities

Enlarge (credit: Heather Katsoulis)

Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.

According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware, contest organizers reported Friday morning on Twitter. The result was a "complete virtual machine escape."

"We used a JavaScript engine bug within Microsoft Edge to achieve the code execution inside the Edge sandbox, and we used a Windows 10 kernel bug to escape from it and fully compromise the guest machine," Qihoo 360 Executive Director Zheng Zheng wrote in an e-mail. "Then we exploited a hardware simulation bug within VMware to escape from the guest operating system to the host one. All started from and only by a controlled a website."

Read 7 remaining paragraphs | Comments

Rapid7 AppSpider CVE-2017-5233 DLL Loading Remote Code Execution Vulnerability
Google Android NFC CVE-2017-0481 Privilege Escalation Vulnerability
Google Android Qualcomm IPA Driver Multiple Privilege Escalation Vulnerabilities
Google Android Networking Driver Multiple Privilege Escalation Vulnerabilities
Google Android Kernel ION Subsystem Multiple Privilege Escalation Vulnerabilities
Google Android Qualcomm Camera Driver Multiple Privilege Escalation Vulnerabilities
django-epiceditor CVE-2017-6591 Cross Site Scripting Vulnerability
Google Android HTC Sensor Hub Driver Multiple Privilege Escalation Vulnerabilities
b2evolution CVE-2017-6902 Arbitrary File Upload Vulnerability
Easy File Sharing FTP Server CVE-2017-6510 Directory Traversal Vulnerability
Linux Kernel CVE-2017-6951 Local Denial of Service Vulnerability
QEMU 'virtio-gpu-3d.c' Denial of Service Vulnerability
Microsoft Windows Uniscribe CVE-2016-7274 Remote Code Execution Vulnerability
Internet Storm Center Infocon Status