Apple iOS:

Apple’s iOS 16.6.1 fixes a vulnerability in image handling. This vulnerability has been reported to be exploited in the wild. Because images are rendered in, e.g., iMessage, this can be exploited without user interaction, aka “Zero-Click Interaction Techniques.” Only devices running in the paranoid “Lockdown Mode” were protected before the updated operating system was released.

Google’s Chrome:

The WebP heap buffer overflow vulnerability is also reported to have been exploited in the wild. This vulnerability affects other Chromium based browsers, like Edge, Vivaldi, Brave, and Opera. The really interesting bit is that it also affects Firefox, which isn’t based on Chromium.

Microsoft:

With CVE-2023-36761, Microsoft Word underscores the latent threat in widely used applications. An actively exploited vulnerability, CVE-2023-36761, allows attackers to obtain NTLM hashes that can be used in NTLM Relay attacks.

And CVE-2023-36802, in Microsoft Windows, which is also actively exploited, allows attackers to elevate their privileges to SYSTEM. Thus increasing the impact of attacks exploiting other vectors in code running in a less privileged context.

Adobe:

Adobe Acrobat and Reader join the fray with the vulnerability labeled as CVE-2023-26369. Which also is reported as being “exploited in the wild in limited attacks”.

Conclusion:

These continuous revelations emphasize the ever-evolving nature of digital threats, stressing the need to use software from professional vendors who act swiftly and responsibly in their handling of reported vulnerabilities, as well as having established in-house mechanisms in place to prioritize and deploy relevant updates in a timely fashion, and finally being able to verify that said updates have been applied. The balance between functionality and security is delicate, demanding unceasing attention and vigilance.

 #CyberSecurity #Patchmananagement #ITSecurityUpdates #ZeroDayExploits #DigitalThreats