Two tech giants are warning their prospects about zero-day vulnerabilities being exploited in assaults.
Apple printed a terse advisory on Wednesday about CVE-2023-42824 – a vulnerability affecting iPhone XS and later in addition to a number of variations of the iPad Professional and Air.
“An area attacker might be able to elevate their privileges. Apple is conscious of a report that this subject might have been actively exploited in opposition to variations of iOS earlier than iOS 16.6,” mentioned Apple, which launched an emergency repair for the difficulty.
The advisory additionally provides a notice about CVE-2023-5217, one other bug sourced again to the libvpx video codec library. Like one other subject found final month, the vulnerability impacts a media processing software embedded inside browsers.
The Cybersecurity and Infrastructure Safety Company (CISA) warned on Monday that hackers are exploiting it and several other browser makers have mentioned their merchandise are affected by it — together with Google’s Chrome browser, Mozilla’s Firefox, Microsoft’s Edge and extra.
Apart from browsers, the code might be discovered in lots of different internet-based platforms, however it’s unclear whether or not the vulnerability impacts something past browsers.
Google researchers first printed details about the bug final week and mentioned it was being exploited by unnamed industrial spyware and adware distributors. Google mentioned it was conserving details about the bug restricted in order that customers had an opportunity to put in a repair.
Initially the flaw solely appeared to have an effect on Google merchandise, however different browser makers recognized the identical drawback, with Mozilla publishing its personal advisory that rated CVE-2023-5217 as crucial.
Australian software program big Atlassian additionally launched an advisory Wednesday on a difficulty with its Confluence Knowledge Middle and Server product. The corporate rated the vulnerability crucial – the very best attainable ranking they’ve.
In a press release to Recorded Future Information, a spokesperson for the corporate mentioned Atlassian was not too long ago made conscious of CVE-2023-22515 and launched a patch addressing it.
“Atlassian has been made conscious of a difficulty reported by a handful of consumers the place exterior attackers might have exploited a beforehand unknown vulnerability in publicly accessible Confluence Knowledge Middle and Server situations to create unauthorized Confluence administrator accounts and entry Confluence situations,” they mentioned.
“Atlassian Cloud websites will not be impacted by this vulnerability. Now we have offered prospects with particulars of affected variations, mitigation steps required and risk detection actions in our Important Safety Advisory.”
The corporate urged prospects to not solely improve to the fastened model but additionally have safety groups look by means of the offered indicators of compromise to see if exploitation occurred.
A number of Atlassian vulnerabilities have been broadly exploited by hackers previously, with not less than one topping CISA’s checklist of the highest 15 routinely exploited vulnerabilities in 2021.
Get extra insights with the
No earlier article
No new articles
Jonathan Greig is a Breaking Information Reporter at Recorded Future Information. Jonathan has labored throughout the globe as a journalist since 2014. Earlier than transferring again to New York Metropolis, he labored for information shops in South Africa, Jordan and Cambodia. He beforehand lined cybersecurity at ZDNet and TechRepublic.