Security News

Apple fixes WebKit 0-days under attackApple has released security updates for iOS and iPadOS, macOS, tvOS and watchOS, delivering fixes for many vulnerabilities but, most importantly, for CVE-2023-32409, a WebKit 0-day that "May have been actively exploited." Enhancing open source security: Insights from the OpenSSF on addressing key challengesIn this Help Net Security interview, we meet a prominent industry leader.

Apple has released security updates for iOS and iPadOS, macOS, tvOS and watchOS, delivering fixes for many vulnerabilities but, most importantly, for CVE-2023-32409, a WebKit 0-day that "May have been actively exploited." The notes accompanying the updates also revealed that Apple's first Rapid Security Response update, which was pushed out earlier this month, contained fixes for two WebKit 0-days.

Apple's App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices.Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves.

Google has just revealed a fourfecta of critical zero-day bugs affecting a wide range of Android phones, including some of its own Pixel models. The four bugs we're talking about here are known as baseband vulnerabilities, meaning that they exist in the special mobile phone networking firmware that runs on the phone's so-called baseband chip.

Last month, Microsoft dealt with three zero-days, by which we mean security holes that cybercriminals found first, and figured out how to abuse in real-life attacks before any patches were available. Intriguingly for a bug that was discovered in the wild, albeit one reported rather blandly by Microsoft as Exploitation Detected, the Outlook flaw is jointly credited to CERT-UA, Microsoft Incident Response, and Microsoft Threat Intelligence.

VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. The company is further recommending users to upgrade to the latest available supported releases of vSphere components to mitigate known issues and disable the OpenSLP service in ESXi.

A suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN as a zero-day in attacks targeting a European government entity and a managed service provider located in Africa. The intrusion vector in question relates to the exploitation of CVE-2022-42475, a heap-based buffer overflow vulnerability in FortiOS SSL-VPN that could result in unauthenticated remote code execution via specifically crafted requests.

Glaringly obvious at the very top of the list are the names in the Product column of the first nine entries, dealing with an elevation-of-privilege patch denoted CVE-2013-21773 for Windows 7, Windows 8.1, and Windows RT 8.1. Windows 8.1, which is remembered more as a sort-of "Bug-fix" release for the unlamented and long-dropped Windows 8 than as a real Windows version in its own right, never really caught on.

Another month, another Microsoft Patch Tuesday, another 48 patches, another two zero-days. An astonishing tale about a bunch of rogue actors who tricked Microsoft itself into giving their malicious code an official digital seal of approval.

No sooner had we stopped to catch our breath after reviewing the latest 62 patches dropped by Microsoft on Patch Tuesday. Neither bug is reported with Apple's typical zero-day wording along the lines that the company "Is aware of a report that this issue may have been actively exploited", so there's no suggestion that these bugs are zero-days, at least inside Apple's ecosystem.