Security News

Google has released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix eleven security vulnerabilities, two of them being zero-days exploited in the wild. Google Chrome will also automatically check for new updates the next time you restart the browser.

Apple users should immediately update all their devices - iPhones, iPads, Macs and Apple Watches - to install an emergency patch for a zero-click zero-day exploited by NSO Group to install spyware. The security updates, pushed out by Apple on Monday, include iOS 14.8 for iPhones and iPads, as well as new updates for Apple Watch and macOS. The patches will fix at least one vulnerability that the tech behemoth said "May have been actively exploited."

Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. The CVE-2021-30860 CoreGraphics vulnerability is an integer overflow bug discovered by Citizen Lab that allows threat actors to create malicious PDF documents that execute commands when opened in iOS and macOS. CVE-2021-30858 is a WebKit use after free vulnerability allowing hackers to create maliciously crafted web page that execute commands when visiting them on iPhones and macOS. Apple states that this vulnerability was disclosed anonymously.

Threat actors are sharing Windows MSHTML zero-day tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks. Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim's computer remotely.

New details have emerged about the recent Windows CVE-2021-40444 zero-day vulnerability, how it is being exploited in attacks, and the threat actor's ultimate goal of taking over corporate networks. This Internet Explorer MSHTML remote code execution vulnerability, tracked as CVE-2021-40444, was disclosed by Microsoft on Tuesday but with few details as it has not been patched yet.

A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users' Active Directory and cloud accounts. The Zoho ManageEngine ADSelfService Plus is a self-service password management and single sign-on solution for AD and cloud apps, meaning that any cyberattacker able to take control of the platform would have multiple pivot points into both mission-critical apps and other parts of the corporate network via AD. It is, in other words, a powerful, highly privileged application which can act as a convenient point-of-entry to areas deep inside an enterprise's footprint for both users and attackers alike.

The ActiveX code activates the Windows MSHTML component, used for viewing web pages, exploits a bug in it to give itself the same level of control that you yourself would have right from the Windows desktop, and uses it to implant malware of the attacker's choice. MSHTML isn't a full-on browser, like Internet Explorer or Edge, but is a part of the operating system that can be used to create browsers or browser-like applications that need or want to display HTML files.

Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote control execution vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. Microsoft has not revealed much about the MSHTML bug, tracked as CVE-2021-40444, beyond that it is "Aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents," according to an advisory released Tuesday.

Attackers are exploiting CVE-2021-40444, a zero-day remote code execution vulnerability in MSHTML, to compromise Windows/Office users in "a limited number of targeted attacks," Microsoft has warned on Tuesday. CVE-2021-40444 is a set of logical flaws that can be leveraged by remote, unauthenticated attackers to execute code on the target system.

Microsoft today shared mitigation for a remote code execution vulnerability in Windows that is being exploited in targeted attacks against Office 365 and Office 2019 on Windows 10. Microsoft is aware of targeted attacks that try to exploit the vulnerability by sending specially-crafted Microsoft Office documents to potential victims, the company says in an advisory today.