Our Blog
Would Vulnerabilities That Were Rejected by Microsoft Meet Your Security Bar?
In the last months, our automated vulnerability detection platform has been working continuously, researching different products from various vendors. The platform found very interesting results, including Heap Overflows, Use After Frees, Uninitialized Data Accesses,...
read more
One Month, Five CVEs: Welcome to Patch Tuesday
A very exciting Patch Tuesday for us at Cybellum, with 5 CVEs published for vulnerabilities discovered by our automated vulnerability detection platform. Four of them are in Adobe products, whereas the fifth is byproduct of a decision reversal by Microsoft Security...
read more
CY-2017-011: Type Confusion in Adobe Acrobat
Overview Our vulnerability detection platform had discovered a new Type Confusion vulnerability, which affects the latest version of all Acrobat Readers (Acrobat DC, Acrobat Reader DC, Acrobat 2017, Acrobat Reader 2017, Acrobat XI, Reader XI). ...
read more
Security Solutions Can’t Solve Everything, and That’s Ok
With every passing year, the IT security market gets bigger and bigger. The increase in frequency and scope of attacks, driven by the ever-growing amount of valuable data stored on computers, created a huge demand for defensive solutions. Each of them has a unique...
read more
The Bug Bounty Problem: How Mishandled Bounties Hurt the Industry
Bug bounties are great, aren’t they? A company decides that instead of just testing their product in-house, it will also open the challenge to outside developers, and compensate them for their effort. Crowdsourced security at its best, with more of the attack surface...
read more
CY-2017-022: Type Confusion in Microsoft Word 2016
Introduction This post explores the Type Confusion discovered by Cybellum's automated vulnerability detection platform in Microsoft Word. It was reported to Microsoft on August 21st. Microsoft has confirmed the vulnerability, and patched it as part of October 2017...
read more
DevSecOps Is Important, but Can It Be Done Well?
Ask a DevSecOps evangelist what it’s all about, and they’ll tell you that it’s the mindset that makes everyone care about product security - an idyllic scenario where through changes to company workflows and addition of new tools, products are built in a more secure...
read more
It’s Not About Trust: 3rd Party Software Security Is Complicated, but Necessary
In 2014, Lenovo decided to trust third party software. What became a severe security incident, started when adware from a company named Superfish was installed on Lenovo laptops, ostensibly “to provide users with real-time price comparisons”, but with a nasty...
read more
Microsoft Claims Viewing Page Source Makes Their Browsers Less Secure
Introduction Cybellum is the developer of the first automated vulnerability detection technology on the market. Our platform detects vulnerabilities in compiled code, even when they don’t cause a crash, without performance impact on the tested software. The week of...
read more
CY-2017-021: Type Confusion in Edge/Internet Explorer
Introduction This post explores the Type Confusion discovered by Cybellum's automated vulnerability detection platform in Edge and Internet Explorer. It was reported to Microsoft on August 21st. Microsoft has confirmed the vulnerability. Cybellum's platform discovers...
read more
Fighting Vulnerabilities in 2017: Prioritize Engineering Over Marketing
Cybellum was founded because there's an industry blindspot around vulnerability detection. Software vulnerabilities aren't detected soon enough, assessed for risk well enough, and fixed quickly enough to deal with the rising tide of new threat actors - all of whom are...
read more
DoubleAgent: Taking Full Control Over Your Antivirus
See how Cybellum uses dynamic analysis to detect ulnerabilities in C/C++ closed binaries. Get a free demo. OverviewOur research team has uncovered a new Zero-Day attack for taking full control over major antiviruses and next-generation antiviruses. Instead of hiding...
read more
DoubleAgent: Zero-Day Code Injection and Persistence Technique
See how Cybellum uses dynamic analysis to detect ulnerabilities in C/C++ closed binaries. Get a free demo. Overview We’d like to introduce a new Zero-Day technique for injecting code and maintaining persistency on a machine (i.e. auto-run) dubbed DoubleAgent....
read more
From Heartbleed to Cloudbleed: How The Landscape of Overflow Vulnerabilities Is Unable to Evolve
In 2014, the Heartbleed bug made the data of millions of web-users publicly available to unauthorized third party access. When Cloudbleed leaked user info late last month, it seemed to some like deja-vu. Once again, private information like passwords, chats, hotel...
read more
Be Ready for 2017: The Threat of Ransomware will be Overwhelming
The cyber world has become a dominant entity throughout the world and with it, cyber threats have also increased significantly. Reports suggest that in 2016, Ransomware became a major headache for thousands of people and businesses affecting individuals both at a...
read more
The Zero-Day Kill Chain
The term ‘kill chain’ was originally used as a military concept related to the structure of an attack. In 2011 Lockheed Martin adopted the term for cyber security, modeling network intrusion. In this post we zoom in, model and simplify the Zero-Day kill chain, a chain...
read more