Security News

Apple has released security updates to fix a zero-day vulnerability exploited in the wild by attackers to hack into iPhones and Macs running older iOS and macOS versions. The zero-day patched today [1, 2] was found in the XNU operating system kernel and was reported by Erye Hernandez and Clément Lecigne of Google Threat Analysis Group, and Ian Beer of Google Project Zero.

Apple has released security updates to fix three zero-day vulnerabilities exploited in the wild by attackers to hack into iPhones and Macs running older iOS and macOS versions. Based on the info shared by Apple in today's security advisories [1, 2] at least one of the bugs was likely used to deploy NSO Pegasus spyware on hacked devices.

For those not in the Apple camp, the macOS Finder is the default file manager and GUI front-end used on all Macintosh operating systems. It's the first thing users see upon booting, and it governs the launching of other applications and the overall user management of files, disks and network volumes.

Security researchers disclosed today a new vulnerability in Apple's macOS Finder, which makes it possible for attackers to run arbitrary commands on Macs running any macOS version up to the latest release, Big Sur. The bug, found by independent security researcher Park Minchan, is due to the way macOS processes inetloc files which inadvertently causes it to run any commands embedded by an attacker inside without any warnings or prompts.

Google on Monday released security updates for Chrome web browser to address a total of 11 security issues, two of which it says are actively exploited zero-days in the wild. Tracked as CVE-2021-30632 and CVE-2021-30633, the vulnerabilities concern an out of bounds write in V8 JavaScript engine and a use after free flaw in Indexed DB API respectively, with the internet giant credited anonymous researchers for reporting the bugs on September 8.

A flaw in the MSHTML engine that lets an attacker use a malicious Office document to install malware is currently being used against the energy, industrial, banking, medical tech, and other sectors. A recently reported security vulnerability in Microsoft's MSHTML browser engine is being found all over the world, and Kaspersky said it "Expects to see an increase in attacks using this vulnerability."

Four Microsoft zero-day vulnerabilities in the Azure cloud platform's Open Management Infrastructure - a software that many don't know is embedded in a host of services - show that OMI represents a significant security blind spot, researchers said. Though Microsoft patched them this week in its monthly Patch Tuesday raft of updates, their presence in OMI highlights the risk for the supply chain when companies unknowingly run code - particularly open-source code - on their systems that allows for exploitation, researchers said.

A day after Apple and Google rolled out urgent security updates, Microsoft has pushed software fixes as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an actively exploited zero-day in its MSHTML Platform that came to light last week. Of the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity.

In September's Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which - the Windows MSHTML zero-day - has been under active attack for nearly two weeks. Microsoft said last week that the flaw could let an attacker "Craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," after which "The attacker would then have to convince the user to open the malicious document." Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings and deliver the ZLoader trojan.

Microsoft today fixed a high severity zero-day vulnerability actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers. According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.