Security News
Mozilla has released security updates for multiple products to address zero-day vulnerabilities exploited during the Pwn2Own Vancouver 2022 hacking contest. If exploited, the two critical flaws can let attackers gain JavaScript code execution on mobile and desktop devices running vulnerable versions of Firefox, Firefox ESR, Firefox for Android, and Thunderbird.
In these attacks, part of three campaigns that started between August and October 2021, the attackers used zero-day exploits targeting Chrome and the Android OS to install Predator spyware implants on fully up-to-date Android devices. The government-backed malicious actors who purchased and used these exploits to infect Android targets with spyware are from Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain, and Indonesia, according to Google's analysis.
Cisco on Friday rolled out fixes for a medium-severity vulnerability affecting IOS XR Software that it said has been exploited in real-world attacks. Tracked as CVE-2022-20821, the issue relates to an open port vulnerability that could be abused by an unauthenticated, remote attacker to connect to a Redis instance and achieve code execution.
Cisco has addressed a zero-day vulnerability in its IOS XR router software that allowed unauthenticated attackers to remotely access Redis instances running in NOSi Docker containers. The IOS XR Network OS is deployed on multiple Cisco router platforms, including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.
Google's Threat Analysis Group on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day flaws, four in Chrome and one in Android, to target Android users. "The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem," TAG researchers Clement Lecigne and Christian Resell said.
A new report from Google's Threat Analysis Group exposes the use of five different zero-day vulnerabilities targeting Chrome browser and Android operating systems. Google assesses with high confidence that these exploits have been packaged by a single commercial surveillance company named Cytrox.
The bug fixes for iPhones and iPads include remote code execution flaws in components from the kernel itself to Apple's image rendering library, graphics drivers, video processing modules and more. Several of these bugs warn that "a malicious application may be able to execute arbitrary code with kernel privileges".
Apple has released security updates to address a zero-day vulnerability that threat actors can exploit in attacks targeting Macs and Apple Watch devices. In security advisories issued on Monday, Apple revealed that they're aware of reports this security bug "may have been actively exploited."
Microsoft has revealed 73 new patches for May's monthly update of security fixes, including a patch for one flaw (a zero-day Windows LSA Spoofing Vulnerability rated as "Important") that is currently being exploited with man-in-the-middle attacks. The software giant's monthly update of patches that comes out every second Tuesday of the month (known as Patch Tuesday) also included fixes for seven "Critical" flaws, 65 others rated as "Important," and one rated as "Low."
Microsoft on Tuesday rolled out fixes for as many as 74 security vulnerabilities, including one for a zero-day bug that's being actively exploited in the wild. The updates are in addition to 36 flaws patched in the Chromium-based Microsoft Edge browser on April 28, 2022.