Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 "Sequoia" update that broke many cybersecurity tools. One of the zero-day flaws stems from a security weakness in MSHTML, the proprietary engine of Microsoft's Internet Explorer web browser. READ MORE...
A hacker has stolen a massive database of users' interactions with their sexual partner chatbots, according to 404 Media. The breached service, Muah.ai, describes itself as a platform that lets people engage in AI-powered companion NSFW chat, exchange photos, and even have voice chats. As you can imagine, data like this is very sensitive, so the site assures customers that communications are encrypted and says it doesn't sell any data to third parties. READ MORE...
Hackers stole sensitive employee data from a software-as-a-service company that advises consumers on trade credit and provides supply chain risk monitoring, according to a Securities and Exchange Commission filing. CreditRiskMonitor.com said on Tuesday that hackers got away with an unspecified amount of data between July 9 and July 17. The pilfered files included personally identifiable information of employees and independent contractors, but does not include customer data, CreditRiskMonitor noted. READ MORE...
Microsoft's October security update addressed a substantial 117 vulnerabilities, including two actively exploited flaws and three publicly disclosed but as yet unexploited bugs. The update is the third largest so far this year in terms of disclosed CVEs, after April's 147 CVEs and July's set of 139 flaws. A plurality of the bugs (46) enables remote code execution (RCE), and 28 others give threat actors a way to elevate privileges. READ MORE...
Researchers have unearthed two sophisticated toolsets that a nation-state hacking group-possibly from Russia-used to steal sensitive data stored on air-gapped devices, meaning those that are deliberately isolated from the Internet or other networks to safeguard them from malware. One of the custom tool collections was used starting in 2019 against a South Asian embassy in Belarus. A largely different toolset created by the same threat group infected an EU government organization three years later. READ MORE...
Foreign influence campaigns, or information operations, have been widespread in the run-up to the 2024 US presidential election. Influence campaigns are large-scale efforts to shift public opinion, push false narratives, or change behaviors among a target population. Russia, China, Iran, Israel, and other nations have run these campaigns by exploiting social bots, influencers, media companies, and generative AI. READ MORE...
American IT software company Ivanti has released security updates to fix three new Cloud Services Appliance (CSA) zero-days tagged as actively exploited in attacks. As Ivanti revealed on Tuesday, attackers are chaining the three security flaws with another CSA zero-day patched in September. Successful exploitation of these vulnerabilities can let remote attackers run SQL statements via SQL injection, execute arbitrary code via command injection, and more. READ MORE...
70% of customer-facing APIs are secured using HTTPS, leaving nearly one-third of these APIs completely unprotected, according to F5. This is a stark contrast to the 90% of web pages that are now accessed via HTTPS, following the push for secure web communications over the past decade. The average organization now manages 421 different APIs, with most hosted in public cloud environments. READ MORE...