Security News

Microsoft has fixed 50 security vulnerabilities, six of which are actively exploited zero-days. On this June 2021 Patch Tuesday, Microsoft has splatted 5 critical and 45 important bugs.

"These attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution in the Chrome web browser, we were able to find and analyze an elevation of privilege exploit that was used to escape the sandbox and obtain system privileges," Larin explained. According to Kaspersky, the two Windows flaws were chained to an exploit for a different Chrome vulnerability to plant high-end malware on specific targets running Windows.

Kaspersky security researchers discovered a new threat actor dubbed PuzzleMaker, who has used a chain of Google Chrome and Windows 10 zero-day exploits in highly-targeted attacks against multiple companies worldwide. The zero-day exploit chain deployed in the campaign used a remote code execution vulnerability in the Google Chrome V8 JavaScript engine to access the targeted systems.

Today is Microsoft's June 2021 Patch Tuesday, and with it comes fixes for seven zero-day vulnerabilities and a total of 50 flaws, so Windows admins will be scrambling to get devices secured. Microsoft has fixed 50 vulnerabilities with today's update, with five classified as Critical and forty-five as Important.

Chinese-backed threat actors breached New York City's Metropolitan Transportation Authority network in April using a Pulse Secure zero-day. MTA mitigated the vulnerability on April 21, one day after Pulse Secure issued an advisory, and CISA published an alert on the Pulse Secure zero-day exploited in the attack.

More than 17,000 websites are exposed to attacks targeting a critical zero-day vulnerability in the Fancy Product Designer WordPress plugin, the Wordfence team at WordPress security company Defiant warns. Fancy Product Designer is a premium plugin for online stores that provides users with the ability to customize products with images and PDF files uploaded from various devices.

Exploit acquisition firm Zerodium on Tuesday announced that it is offering $100,000 for severe vulnerabilities in Pidgin for Windows and Linux. On June 1, Zerodium announced that, until August 31, it will be accepting the submission of exploits for unpatched vulnerabilities that affect the latest version of Pidgin on Windows and/or Linux.

Accellion failed to notify customers of a zero-day vulnerability in its file transfer application and related cyber-attacks targeting the security flaw, according to a new report from professional services firm KPMG. FTA is a large file transfer service that was retired at the end of April 2021, after being in use for roughly 20 years. At the time of attack, FTA still had roughly 50 customers, and some already confirmed impact from the incident, including The Reserve Bank of New Zealand, the U.S.-based law firm Jones Day, the Office of the Washington State Auditor, and security and compliance solutions provider Qualys.

Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware. Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content.

Hewlett Packard Enterprise has fixed a critical zero-day remote code execution flaw in its HPE Systems Insight Manager software for Windows that it originally disclosed in December. HPE SIM is a tool that enables remote support automation and management for a variety of HPE servers, including the HPE ProLiant Gen10 and HPE ProLiant Gen9, as well as for storage and networking products.