Apple Patches Actively Exploited Zero-day Vulnerability in iOS and iPadOS (CVE-2022-42856)

Apple has released an update to address an actively exploited zero-day vulnerability in WebKit. Tracked as CVE-2022-42856, this is a type confusion vulnerability that could allow arbitrary code execution on a vulnerable device.    Clément Lecigne of Google’s Threat Analysis Group has discovered this vulnerability. The advisory says, “This issue may have been actively exploited … Continue reading “Apple Patches Actively Exploited Zero-day Vulnerability in iOS and iPadOS (CVE-2022-42856)”

Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)

Apple has rolled out emergency security updates to patch two zero-day vulnerabilities, known to be under exploitation to hack iPhones, iPads and Macs. The two zero-days are being tracked as CVE-2022-32893 and CVE-2022-32894. The vulnerabilities are known to affect all iPhones, iPads and MacOS. CVE-2022-32893 is an out-of-bounds vulnerability that might lead to arbitrary code … Continue reading “Apple Releases Security Updates to patch two Zero-Day Vulnerabilities (CVE-2022-32893 and CVE-2022-32894)”

Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)

Google has rolled out patches for its chrome browser addressing multiple vulnerabilities, including a high severity zero-day vulnerability (CVE-2022-2856). Google addressed the vulnerability stating, “Google is aware that an exploit for CVE-2022-2856 exists in the wild”. The security update is currently rolling out for Windows, Mac and Linux Operating systems. Google described the zero-day (CVE-2022-2856) … Continue reading “Google Chrome Zero-Day Insufficient Input Validation Vulnerability (CVE-2022-2856)”

Cisco Releases Patch for Zero-day XR Software Health Check Open Port Vulnerability (CVE-2022-20821)

Cisco has released a patch for a zero-day vulnerability that exists in its IOS XR router software. Tracked as CVE-2022-20821, the vulnerability could allow an unauthenticated attacker to access Redis instances running in NOSi docker containers remotely.     The vulnerability was found during the resolution of a Cisco TAC support case. The vulnerability affects Cisco … Continue reading “Cisco Releases Patch for Zero-day XR Software Health Check Open Port Vulnerability (CVE-2022-20821)”

Grafana Releases Fix for Zero-day Vulnerability Exploited in the Wild (CVE-2021-43798)

Grafana Labs released an emergency security upgrade to fix a zero-day flaw that permitted remote access to local files. Security researchers released proof-of-concept code to exploit the flaw over the weekend. Before Grafana Labs gave out patches for affected versions 8.0.0-beta1 through 8.3.0, details regarding the issue became public earlier this week.    Tracked as CVE-2021-43798, this is … Continue reading “Grafana Releases Fix for Zero-day Vulnerability Exploited in the Wild (CVE-2021-43798)”

Microsoft’s New Zero-day Windows Local Privilege Escalation Vulnerability (CVE-2021-41379)

Attackers are actively exploiting a zero-day vulnerability in Windows Installer. The vulnerability was found after a Microsoft patch for another security weakness failed to adequately repair the initial and unrelated bug.    A security researcher found this Windows Installer Elevation of Privilege vulnerability termed as CVE-2021-41379. The vulnerability allows threat actors with limited access to a compromised device to elevate … Continue reading “Microsoft’s New Zero-day Windows Local Privilege Escalation Vulnerability (CVE-2021-41379)”

Palo Alto Networks PAN-OS GlobalProtect Portal and Gateway Interfaces Memory Corruption Vulnerability (CVE-2021-3064)

Palo Alto Networks (PAN) released an update addressing the vulnerability CVE-2021-3064. This vulnerability was discovered and disclosed by Randori. This vulnerability affects PAN firewalls that use the GlobalProtect Portal VPN. This VPN allows for unauthenticated remote code execution on susceptible product installations.     The zero-day vulnerability has a severity rating of 9.8. The vulnerability chain … Continue reading “Palo Alto Networks PAN-OS GlobalProtect Portal and Gateway Interfaces Memory Corruption Vulnerability (CVE-2021-3064)”

Apple Zero-Day Arbitrary Code Execution Vulnerabilities (CVE-2021-30858 and CVE-2021-30860)

Apple released an emergency security release on September 13, 2021 to address two arbitrary code execution vulnerabilities, CVE-2021-30858 and CVE-2021-30860. According to Apple, both vulnerabilities allow maliciously crafted documents to execute arbitrary code on vulnerable devices. Apple addressed the issue saying, “Apple is aware of a report that this issue may have been actively exploited.” … Continue reading “Apple Zero-Day Arbitrary Code Execution Vulnerabilities (CVE-2021-30858 and CVE-2021-30860)”

Google Chrome Zero-Day Type Confusion Vulnerability (CVE-2021-30563)

Another zero-day vulnerability of Google Chrome was in the news in mid-July 2021. The  zero-days prior to this one were as follows: CVE-2021-21148 – February 4th, 2021 CVE-2021-21166 – March 2nd, 2021 CVE-2021-21193 – March 12th, 2021 CVE-2021-21206 – April13th, 2021 CVE-2021-21220 – April 13th, 2021 CVE-2021-21224 – April 20th, 2021 CVE-2021-30551 – June 9th, … Continue reading “Google Chrome Zero-Day Type Confusion Vulnerability (CVE-2021-30563)”

Google Chrome Zero-Day Use-After-Free Vulnerability (CVE-2021-30554)

The seventh zero-day of Google Chrome was talk of the town in mid-June 2021, two weeks after the sixth zero-day was observed in the wild. The earlier six zero-days were: CVE-2021-21148 – February 4th, 2021 CVE-2021-21166 – March 2nd, 2021 CVE-2021-21193 – March 12th, 2021 CVE-2021-21220 – April 13th, 2021 CVE-2021-21224 – April 20th, 2021 … Continue reading “Google Chrome Zero-Day Use-After-Free Vulnerability (CVE-2021-30554)”