Tuesday , September 10 2024

Microsoft Releases Updates for October 2023 to Patch 2 Actively Exploited Zero-Days

Microsoft released its October 2023 Patch Tuesday updates, fixing a total of 103 software flaws. Two of these flaws were actively exploited in the wild.

Out of the 103 flaws, 13 are classified as Critical and 90 as Important. This is in addition to the 18 security vulnerabilities that were fixed in the Chromium-based Edge browser since the second Tuesday of September.

Hacker to exploite GeoServer Vulnerability to Deploy Malware

Researchers at Fortinet unveiled hackers to exploit GeoServer RCE vulnerability deploying malware relating to the vulnerability tracked as “CVE-2024-36401, has...
Read More
Hacker to exploite GeoServer Vulnerability to Deploy Malware

IMB unveils multiple vulnerabilities in it’s webMethods Integration

Multiple vulnerabilities have been published by IBM in its webMethods Integration Server which cloud allow attackers to execute arbitrary commands...
Read More
IMB unveils multiple vulnerabilities in it’s webMethods Integration

Progress LoadMaster exposed to a critical 10/10 vulnerability

Progress Software released an emergency fix for a critical vulnerability (10/10) in its Loadmaster and LoadMaster Multi-Tenant Hypervisor products, which...
Read More
Progress LoadMaster exposed to a critical 10/10 vulnerability

Cisco released security updates for two critical security flaws

CISCO released security updates for two critical security flaws impacting its smart Licensing Utility that could allow unauthenticated, remote attackers...
Read More
Cisco released security updates for two critical security flaws

OpenBAS: Cutting-edge breach and attack simulation platform

OpenBAS is a platform that helps organizations to plan, schedule, and conduct crisis exercises, adversary simulations, and breach simulations. OpenBAS...
Read More
OpenBAS: Cutting-edge breach and attack simulation platform

Critical Security Flaws Patched in Zyxel Networking Devices

Zyxel has released software updates to fix a serious security issue in certain access point (AP) and security router versions....
Read More
Critical Security Flaws Patched in Zyxel Networking Devices

CVE-2024-38811: CEV In VMware Fusion Unveiled

VMware released a security advisory for a major vulnerability in the VMware Fusion product. This vulnerability could be exploited by...
Read More
CVE-2024-38811: CEV In VMware Fusion Unveiled

CERT-IN Warns Vulnerabilities in Palo Alto Networks applications

Indian Computer Emergency Response Team (CERT-IN) issued advisories about multiple vulnerabilities in various Palo Alto Networks applications. Attackers could exploit...
Read More
CERT-IN Warns Vulnerabilities in Palo Alto Networks applications

How Malaysia’s Data Centre Industry Poised for Growth

Malaysia is quickly becoming a leading choice for investing in data centers. It aims to generate RM3.6 billion (US$781 million)...
Read More
How Malaysia’s Data Centre Industry Poised for Growth

RansomHub exfiltrated data over 210 victims: US alert

US authorities have issued a cybersecurity advisory about a ransomware group called RansomHub. The group is thought to have stolen data...
Read More
RansomHub exfiltrated data over 210 victims: US alert

ALSO READ:

Microsoft 365 admins warned about new Google anti-spam rules

The two vulnerabilities that been weaponized as zero-days are as follows –

CVE-2023-36563 (CVSS score: 6.5) – An information disclosure vulnerability in Microsoft WordPad that could result in the leak of NTLM hashes

CVE-2023-41763 (CVSS score: 5.3) – A privilege escalation vulnerability in Skype for Business that could lead to exposure of sensitive information such as IP addresses or port numbers (or both), enabling threat actors to gain access to internal networks

An attacker would need to log into the system and then run a specific application to exploit this vulnerability and take control of an affected system, according to Microsoft’s advisory for CVE-2023-36563. “Additionally, an attacker could trick a local user into opening a harmful file.”

Also, there are numerous vulnerabilities in Microsoft Message Queuing (MSMQ) and Layer 2 Tunneling Protocol that may result in remote code execution and denial-of-service (DoS).

A security update fixes a serious bug in Windows IIS Server (CVE-2023-36434, CVSS score: 9.8). This bug could enable an attacker to pretend to be another user and log in using a brute-force attack.

The tech giant released an update for CVE-2023-44487, also known as the HTTP/2 Rapid Reset attack. It has been exploited by unknown actors as a zero-day for DDoS attacks.

The DDoS attack may affect the availability of the service, but it does not result in customer data compromise. So far, there is no evidence of customer data being compromised.

Microsoft announced that VBScript (Visual Basic Script), which is commonly used for malware distribution, is being deprecated. In future Windows releases, VBScript will be available as a feature on demand before being completely removed from the operating system.

Check Also

TD Bank

Bank employee accessed customer data: affect 41 bank clients

A bank employee accesses the personal information of several dozen customers. The person did that …

Leave a Reply

Your email address will not be published. Required fields are marked *