Microsoft issued a patch Tuesday for a Windows zero-day vulnerability that security researchers say operators of the QakBot botnet and other hackers actively exploited. U.S. authorities in August dismantled the botnet, also known as Qbot, and told reporters that it “ceased to operate” as a result of an antimalware campaign dubbed Operation Duck Hunt. Malware…

Microsoft released its batch of monthly security updates this month covering 73 vulnerabilities, including two zero-day flaws exploited in the wild. While organizations should prioritize all critical and high-risk issues, there is one critical vulnerability in Outlook that researchers claim could open the door to trivial attacks that result in remote code execution. Dubbed MonikerLink…

Chinese espionage hackers penetrated Dutch military systems in early 2023, using a zero-day exploit in a Fortinet virtual private network to obtain access, Netherlands intelligence agencies disclosed Tuesday. The agencies said the effects had been limited to a segmented network that had fewer than 50 users working on unclassified research and development with two-third party…

Apple released security updates to address a zero-day vulnerability, tracked as CVE-2024-23222, that impacts iPhones, Macs, and Apple TVs. This is the first actively exploited zero-day vulnerability fixed by the company this year. The vulnerability is a type confusion issue that resides in the WebKit, an attacker can exploit this issue by tricking the victims…

Ivanti researchers this week flagged two zero-day vulnerabilities discovered in its products — CVE-2023-46805 and CVE-2024-21887— that are already being actively exploited by threat actors. The vulnerabilities were found in Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways, and the vulnerabilities affect all supported versions (Version 9.x and 22.x). Volexity assisted in identifying and…

A new zero-day security flaw has been discovered in Apache OfBiz, an open-source Enterprise Resource Planning (ERP) system that could be exploited to bypass authentication protections. The vulnerability, tracked as CVE-2023-51467, resides in the login functionality and is the result of an incomplete patch for another critical vulnerability (CVE-2023-49070, CVSS score: 9.8) that was released…

Apple released emergency security updates to address two zero-day vulnerabilities impacting iPhone, iPad, and Mac devices. The flaws are actively exploited in attacks in the wild, both issues reside in the WebKit browser engine. The first vulnerability, tracked as CVE-2023-42916, is an out-of-bounds read. An attacker can trick a victim into visiting specially crafted web…

Cisco on Monday asked customers to urgently disable the HTTP Server feature on internet-facing systems that was discovered to have a critical vulnerability in its modular operating system’s web interface. Hackers exploited the IOS XE software web user interface feature to gain administrator-level privileges, effectively taking complete control of compromised devices, Cisco Talos said in…