zero day | Breaking Cybersecurity News | The Hacker News

Apple on Monday released  security patches  for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to address multiple security flaws, in addition to backporting fixes for two recently disclosed zero-days to older devices. This includes updates for  12 security vulnerabilities  in iOS and iPadOS spanning AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit.  macOS Sonoma 14.2 , for its part, resolves 39 shortcomings, counting six bugs impacting the  ncurses library . Notable among the flaws is  CVE-2023-45866 , a critical security issue in Bluetooth that could allow an attacker in a privileged network position to inject keystrokes by spoofing a keyboard. The vulnerability was disclosed by SkySafe security researcher Marc Newlin last week. It has been remediated in iOS 17.2, iPadOS 17.2, and macOS Sonoma 14.2 with improved checks, the iPhone maker said. Also released by Apple is  Safari 17.2 , co...

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of  103 flaws  in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from  18 security vulnerabilities  addressed in its Chromium-based Edge browser since the second Tuesday of September. The two vulnerabilities that have been weaponized as zero-days are as follows - CVE-2023-36563  (CVSS score: 6.5) - An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes CVE-2023-41763  (CVSS score: 5.3) - A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks "To exploit this vulnerability, an attacker would first have to log on to the system. An atta...

Apple on Wednesday rolled out security patches to address a new zero-day flaw in iOS and iPadOS that it said has come under active exploitation in the wild. Tracked as  CVE-2023-42824 , the kernel vulnerability could be abused by a local attacker to elevate their privileges. The iPhone maker said it addressed the problem with improved checks. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company  noted  in a terse advisory. While additional details about the nature of the attacks and the identity of the threat actors perpetrating them are currently unknown, successful exploitation likely hinges on an attacker already obtaining an initial foothold by some other means. Apple's latest update also resolves  CVE-2023-5217  impacting the WebRTC component, which Google last week described as a heap-based buffer overflow in the VP8 compression format in libvpx. The patches, iOS 17.0.3 an...

Atlassian has released fixes to contain an actively exploited critical zero-day flaw impacting publicly accessible Confluence Data Center and Server instances. The vulnerability, tracked as  CVE-2023-22515 , is remotely exploitable and allows external attackers to create unauthorized Confluence administrator accounts and access Confluence servers. It does not impact Confluence versions prior to 8.0.0. Confluence sites accessed via an atlassian.net domain are also not vulnerable to this issue. The enterprise software services provider  said  it was made aware of the issue by "a handful of customers." It has been addressed in the following versions of Confluence Data Center and Server - 8.3.3 or later 8.4.3 or later, and 8.5.2 (Long Term Support release) or later The company, however, did not disclose any further specifics about the nature and scale of the exploitation, or the root cause of the vulnerability. Customers who are unable to apply the updates are adv...

Google on Wednesday rolled out fixes to address a new actively exploited zero-day in the Chrome browser. Tracked as  CVE-2023-5217 , the high-severity vulnerability has been described as a  heap-based buffer overflow  in the VP8 compression format in  libvpx , a free software  video codec  library from Google and the Alliance for Open Media (AOMedia). Exploitation of such buffer overflow flaws can result in program crashes or execution of arbitrary code, impacting its availability and integrity. Clément Lecigne of Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 25, 2023, with fellow researcher Maddie Stone  noting  on X (formerly Twitter) that it has been abused by a commercial spyware vendor to target high-risk individuals. No additional details have been disclosed by the tech giant other than to acknowledge that it's "aware that an exploit for CVE-2023-5217 exists in the wild." T...

The  three zero-day flaws  addressed by Apple on September 21, 2023, were leveraged as part of an iPhone exploit chain in an attempt to deliver a spyware strain called  Predator  targeting former Egyptian member of parliament Ahmed Eltantawy between May and September 2023. "The targeting took place after Eltantawy publicly  stated his plans  to run for President in the 2024 Egyptian elections," the Citizen Lab  said , attributing the attack with high confidence to the Egyptian government owing to it being a known customer of the commercial spying tool. According to a joint investigation conducted by the Canadian interdisciplinary laboratory and Google's Threat Analysis Group (TAG), the mercenary surveillance tool is said to have been delivered via links sent on SMS and WhatsApp. "In August and September 2023, Eltantawy's Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain we...

Apple has released yet another round of security patches to address three actively exploited zero-day flaws impacting iOS, iPadOS, macOS, watchOS, and Safari, taking the total tally of zero-day bugs discovered in its software this year to 16. The list of security vulnerabilities is as follows - CVE-2023-41991  - A certificate validation issue in the Security framework that could allow a malicious app to bypass signature validation. CVE-2023-41992  - A security flaw in Kernel that could allow a local attacker to elevate their privileges. CVE-2023-41993  - A WebKit flaw that could result in arbitrary code execution when processing specially crafted web content. Apple did not provide additional specifics barring an acknowledgement that the "issue may have been actively exploited against versions of iOS before iOS 16.7." The updates are available for the following devices and operating systems - iOS 16.7 and iPadOS 16.7  - iPhone 8 and later, iPad Pro (all mo...

Adobe's  Patch Tuesday update  for September 2023 comes with a patch for a critical actively exploited security flaw in Acrobat and Reader that could permit an attacker to execute malicious code on susceptible systems. The vulnerability, tracked as CVE-2023-26369, is rated 7.8 for severity on the CVSS scoring system and impacts both Windows and macOS versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, and Acrobat Reader 2020. Described as an out-of-bounds write, successful exploitation of the bug could lead to code execution by opening a specially crafted PDF document. Adobe did not disclose any additional details about the issue or the targeting involved. "Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader," the company  acknowledged  in an advisory. CVE-2023-26369 affects the below versions - Acrobat DC (23.003.20284 and earlier versions) - Fixed in 23.006.20320 Acrobat Reader DC (23...

A suspected Chinese-nexus hacking group exploited a  recently disclosed zero-day flaw  in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name  UNC4841 , described the threat actor as "highly responsive to defensive efforts" and capable of actively tweaking their modus operandi to maintain persistent access to targets. "UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda's remediation guidance," the Google-owned threat intelligence firm  said  in a new technical report published today. Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises...

The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups. It also  deemed  the fixes as "ineffective" and that it "continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit." Tracked as  CVE-2023-2868  (CVSS score: 9.8), the zero-day bug is said to have been weaponized as early as October 2022, more than seven months before the security hole was plugged. Google-owned Mandiant is tracking the China-nexus activity cluster under the name  UNC4841 . The remote command injection vulnerability, impacting versions 5.1.3.001 through 9.2.0.006, allows for unauthorized execution of system commands with administrator privileges on the ESG product. In the attacks observed so far, a successf...

The U.S. Cybersecurity and Infrastructure Security Agency has  added  a batch of six flaws to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week ( CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439 ), two flaws in VMware ( CVE-2023-20867  and  CVE-2023-20887 ), and one shortcoming impacting Zyxel devices ( CVE-2023-27992 ). CVE-2023-32434 and CVE-2023-32435, both of which allow code execution, are said to have been exploited as zero-days to deploy spyware as part of a years-long cyber espionage campaign that commenced in 2019. Dubbed Operation Triangulation, the activity culminates in the deployment of  TriangleDB  that's designed to harvest a wide range of information from compromised devices, such as creating, modifying, removing, and stealing files, listing and terminating processes, gathering credentials from iCloud Keychain, and tracking a u...

Multiple security flaws uncovered in Sonos One wireless speakers could be potentially exploited to achieve information disclosure and remote code execution, the Zero Day Initiative (ZDI)  said  in a report published last week. The vulnerabilities were demonstrated by three different teams from Qrious Secure, STAR Labs, and DEVCORE at the Pwn2Own hacking contest held in Toronto late last year, netting them $105,000 in monetary rewards. The list of four flaws, which impact Sonos One Speaker 70.3-35220, is below - CVE-2023-27352  and  CVE-2023-27355  (CVSS scores: 8.8)  - Unauthenticated flaws that allow network-adjacent attackers to execute arbitrary code on affected installations. CVE-2023-27353  and  CVE-2023-27354  (CVSS score: 6.5)  - Unauthenticated flaws that allow network-adjacent attackers to disclose sensitive information on affected installations. While CVE-2023-27352 stems from when processing SMB directory query comman...

An exploration of zero-click attack surface for the popular video conferencing solution Zoom has yielded two previously undisclosed security vulnerabilities that could have been exploited to crash the service, execute malicious code, and even leak arbitrary areas of its memory. Natalie Silvanovich of Google Project Zero, who  discovered  and reported the  two   flaws  last year, said the issues impacted both Zoom clients and Multimedia Router (MMR) servers, which transmit audio and video content between clients in  on-premise deployments . The weaknesses have since been addressed by Zoom as part of  updates  shipped on November 24, 2021. The goal of a zero-click attack is to stealthily gain control over the victim's device without requiring any kind of interaction from the user, such as clicking on a link. While the specifics of the exploit will vary depending on the nature of vulnerability being exploited, a key trait of zero-click hacks is...

Apache has issued patches to address two security vulnerabilities, including a path traversal and file disclosure flaw in its HTTP server that it said is being actively exploited in the wild. "A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," the open-source project maintainers  noted  in an advisory published Tuesday. "If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts." The flaw, tracked as  CVE-2021-41773 , affects only Apache HTTP server version 2.4.49. Ash Daulton and cPanel Security Team have been credited with discovering and reporting the issue on September 29, 2021. Source: PT SWARM Also resolved by Apache is a null pointer dereference vulnerability observed during pr...

Apple on Monday rolled out an urgent security update for  iOS, iPadOS , and  macOS  to address a zero-day flaw that it said may have been actively exploited, making it the thirteenth such vulnerability Apple has patched since the start of this year. The updates, which arrive less than a week after the company released iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5 to the public, fixes a memory corruption issue ( CVE-2021-30807 ) in the IOMobileFrameBuffer component, a kernel extension for managing the screen  framebuffer , that could be abused to execute arbitrary code with kernel privileges. The company said it addressed the issue with improved memory handling, noting it's "aware of a report that this issue may have been actively exploited." As is typically the case, additional details about the flaw have not been disclosed to prevent the weaponization of the vulnerability for additional attacks. Apple credited an anonymous researcher for discovering and reporting...

A malvertising group known as "ScamClub" exploited a zero-day vulnerability in WebKit-based browsers to inject malicious payloads that redirected users to fraudulent websites gift card scams. The attacks, first spotted by ad security firm Confiant in late June 2020, leveraged a bug (CVE-2021–1801) that allowed malicious parties to bypass the iframe sandboxing policy in the browser engine that powers Safari and Google Chrome for iOS and run malicious code. Specifically, the technique exploited the manner how WebKit handles JavaScript event listeners , thus making it possible to break out of the sandbox associated with an ad's inline frame element despite the presence of "allow-top-navigation-by-user-activation" attribute that explicitly forbids any redirection unless the click event occurs inside the iframe. To test this hypothesis, the researchers set about creating a simple HTML file containing a cross-origin sandboxed iframe and a button outside it that...

Apple on Tuesday released updates for iOS, iPadOS, and tvOS with fixes for three security vulnerabilities that it says may have been actively exploited in the wild. Reported by an anonymous researcher, the three  zero-day   flaws  — CVE-2021-1782, CVE-2021-1870, and CVE-2021-1871 — could have allowed an attacker to elevate privileges and achieve remote code execution. The iPhone maker did not disclose how widespread the attack was or reveal the identities of the attackers actively exploiting them. While the privilege escalation bug in the kernel (CVE-2021-1782) was noted as a race condition that could cause a malicious application to elevate its privileges, the other two shortcomings — dubbed a "logic issue" — were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871), permitting an attacker to achieve arbitrary code execution inside Safari. Apple said the race condition and the WebKit flaws were addressed with improved locking and restrictions, ...

The Shadow Brokers , a notorious hacking group that leaked US cyberweapons — which were also abused by the recent ransomware disasters WannaCry and Petya or NotPetya — has now threatened to unmask the identity of a former hacker who worked for the NSA. Besides this, the Shadow Brokers group has also doubled the price for its monthly subscription model of NSA's built hacking tools and zero-day exploits from 100 ZEC (Zcash) to 200 ZEC, which is around $64,400 USD. Moreover, the hacking group has also announced a VIP service for people, who will be entertained by the group for their queries on the leaked hacking tools and exploits. To subscribe to the VIP service, one has to make a one-time payment of 400 ZEC (around US$128,800). Last month, the Shadow Brokers announced to release more zero-days exploits and hacking tools  developed by the US spy agency every month from June 2017, but only to private members who will subscribe for receiving exclusive access to the futur...