#1 Trusted Cybersecurity News Platform Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cloud Security

Microsoft Edge | Breaking Cybersecurity News | The Hacker News

Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions
Mar 27, 2024 Vulnerability / API Security
A now-patched security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users' systems and carry out malicious actions.  "This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge," Guardio Labs security researcher Oleg Zaytsev  said  in a new report shared with The Hacker News. Tracked as  CVE-2024-21388  (CVSS score: 6.5), it was addressed by Microsoft in Edge stable version 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu for reporting the issue. "An attacker who successfully exploited this vulnerability could gain the privileges needed to install an extension," Microsoft said in an advisory for the flaw, adding it "could lead to a browser sandbo

Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws

Zero-Day Alert: Apple Rolls Out iOS, macOS, and Safari Patches for 2 Actively Exploited Flaws
Dec 01, 2023 Spyware / Threat Analysis
Apple has  released  software updates for iOS, iPadOS, macOS, and Safari web browser to address two security flaws that it said have come under active exploitation in the wild on older versions of its software. The vulnerabilities, both of which reside in the WebKit web browser engine, are described below - CVE-2023-42916  - An out-of-bounds read issue that could be exploited to leak sensitive information when processing web content. CVE-2023-42917  - A memory corruption bug that could result in arbitrary code execution when processing web content. Apple said it's aware of reports exploiting the shortcomings "against versions of iOS before iOS 16.7.1," which was released on October 10, 2023. ClĂ©ment Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the twin flaws. The iPhone maker did not provide additional information regarding ongoing exploitation, but previously disclosed zero-days in iOS have been used to  de

GenAI: A New Headache for SaaS Security Teams

GenAI: A New Headache for SaaS Security Teams
Apr 17, 2024SaaS Security / AI Governance
The introduction of Open AI's ChatGPT was a defining moment for the software industry, touching off a GenAI race with its November 2022 release. SaaS vendors are now rushing to upgrade tools with enhanced productivity capabilities that are driven by generative AI. Among a wide range of uses, GenAI tools make it easier for developers to build software, assist sales teams in mundane email writing, help marketers produce unique content at low cost, and enable teams and creatives to brainstorm new ideas.  Recent significant GenAI product launches include Microsoft 365 Copilot, GitHub Copilot, and Salesforce Einstein GPT. Notably, these GenAI tools from leading SaaS providers are paid enhancements, a clear sign that no SaaS provider will want to miss out on cashing in on the GenAI transformation. Google will soon launch its SGE "Search Generative Experience" platform for premium AI-generated summaries rather than a list of websites.  At this pace, it's just a matter of a short time befo

Microsoft Edge Bug Could've Let Hackers Steal Your Secrets for Any Site

Microsoft Edge Bug Could've Let Hackers Steal Your Secrets for Any Site
Jun 28, 2021
Microsoft last week rolled out updates for the Edge browser with  fixes for two security issues , one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website. Tracked as  CVE-2021-34506  (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that's triggered when automatically translating web pages using the browser's  built-in feature via Microsoft Translator . Credited for discovering and reporting CVE-2021-34506 are Ignacio Laurence as well as Vansh Devgan and Shivam Kumar Singh with CyberXplore Private Limited.  "Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code," CyberXplore researchers  said  in a write-up shared with The Hacker News. "When such vulnerabilities are found and exploited,

Today's Top 4 Identity Threat Exposures: Where To Find Them and How To Stop Them

cyber security
websiteSilverfort Identity Protection / Attack Surface
Explore the first ever threat report 100% focused on the prevalence of identity security gaps you may not be aware of.

Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions

Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions
Feb 03, 2021
New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads. Collectively called " CacheFlow " by Avast, the 28 extensions in question — including Video Downloader for Facebook, Vimeo Video Downloader, Instagram Story Downloader, VK Unblock — made use of a sneaky trick to mask its true purpose: Leverage  Cache-Control  HTTP header as a covert channel to retrieve commands from an attacker-controlled server. All the  backdoored browser add-ons  have been taken down by Google and Microsoft as of December 18, 2020, to prevent more users from downloading them from the official stores. According to telemetry data gathered by the firm, the top three infected countries were Brazil, Ukraine, and France, followed by Argentina, Spain, Russia, and the U.S. The CacheFlow sequence began when unsuspecting users downloaded one of the
Cybersecurity Resources