Microsoft is restricting access to Internet Explorer mode in the Edge browser after discovering that hackers exploited zero-day vulnerabilities in the Chakra JavaScript engine to gain remote access to devices. The company has made IE mode activation more deliberate to prevent abuse, while urging users to migrate to more secure, modern technologies. These restrictions do not affect enterprise users, who can still configure IE mode via policies.
The price of zero-day exploits, which are hacking tools that exploit unknown vulnerabilities in software, has skyrocketed in recent years as companies like Apple, Google, and Microsoft make it harder to hack their devices and apps. Crowdfense, a startup, is now offering millions of dollars for zero-days to break into iPhones, Android phones, Chrome, Safari, WhatsApp, and iMessage. This increase in prices reflects the growing difficulty in exploiting vulnerabilities, with experts noting that it now requires a team of researchers. The use of zero-days in law enforcement operations and alleged targeting of human rights dissidents and journalists has raised concerns, leading some companies to pledge to respect export controls to limit potential abuses from their customers.
Security researchers at Pwn2Own Automotive 2024 hacked a Tesla Modem and earned $722,500 for three bug collisions and 24 unique zero-day exploits, with Synacktiv Team leading with $100,000 for chaining three zero-day bugs. The competition also saw successful hacks on EV charging stations and infotainment systems, with vendors given 90 days to release security fixes after zero-day bugs are reported. The contest, focusing on automotive technologies, targets Tesla in-vehicle infotainment systems, EV chargers, and car operating systems, offering a top prize of $200,000 and a Tesla car for VCSEC, gateway, or autopilot zero-days.
CISA has issued an emergency directive to Federal agencies to address actively exploited zero-day flaws in Ivanti Connect Secure and Ivanti Policy Secure products, allowing threat actors to execute arbitrary commands and compromise information systems. Ivanti is expected to release an update next week, but has provided a temporary workaround. Organizations are urged to apply mitigations, run integrity checks, and take additional security measures. Cybersecurity firms have observed attacks exploiting the flaws, with as many as 2,100 devices compromised globally. The initial attack wave has been attributed to a Chinese nation-state group, with indications of opportunistic exploitation for financial gain by other threat actors.
Ivanti has disclosed two zero-day vulnerabilities in its Connect Secure and Policy Secure products that are being exploited in the wild, allowing remote attackers to execute arbitrary commands on targeted gateways. The vulnerabilities, reported by Mandiant and Volexity, include an authentication bypass and a command injection flaw. Patches are scheduled for release, but until then, customers can mitigate the zero-days using provided files. The company has confirmed that the zero-days have been exploited in attacks targeting a small number of customers and advises all customers to run an external integrity checker. Additionally, previous instances of zero-day exploits in Ivanti's products have been reported, highlighting the ongoing security challenges faced by the company.
The market for zero-day exploits, particularly for the popular messaging app WhatsApp, has seen a significant increase in value, with prices ranging from $1.7 million to $8 million. A Russian company recently offered $20 million for chains of bugs that could compromise iOS and Android devices. The high prices can be attributed to the scarcity of researchers willing to work with Russia due to geopolitical tensions. WhatsApp has been a prime target for government hackers, and leaked documents reveal the sale of a "zero click RCE" exploit for around $1.7 million. Exploits targeting WhatsApp are valuable because they allow spying on specific targets without compromising the entire device.
Apple has released a patch to address two serious vulnerabilities in its iOS platform, one of which has already been exploited as a zero-day in the wild. The exploited kernel vulnerability allows a local attacker to elevate privileges, and Apple has acknowledged that it may have been actively exploited against earlier versions of iOS. This marks the 16th documented zero-day against Apple's iOS, iPadOS, and macOS devices, with many of these attacks attributed to mercenary spyware vendors. The latest updates also address a buffer overflow vulnerability in WebRTC. Apple is urging users to enable Lockdown Mode to reduce exposure to such exploits.
Russian company Operation Zero, which acquires and sells zero-day exploits, is now offering researchers $20 million for hacking tools that can be used to hack iPhones and Android devices. The company, which sells exclusively to non-NATO countries, has increased its payments for zero-days in these platforms from $200,000 to $20 million. The CEO of Operation Zero stated that the high prices are due to the rarity and demand for full chain exploits for mobile phones, which are primarily used by government actors. The market for zero-days is largely unregulated and prices fluctuate, with other companies like Zerodium and Crowdfense also offering significant bounties for similar exploits.
Apple recently patched three zero-day vulnerabilities that were exploited by attackers to install Cytrox's Predator spyware. The bugs were used in attacks targeting former Egyptian MP Ahmed Eltantawy, who had announced plans to join the Egyptian presidential election in 2024. The attackers used decoy SMS and WhatsApp messages, as well as network injection, to redirect Eltantawy to a malicious website and infect his phone. Additionally, Google's Threat Analysis Group (TAG) discovered that the same attackers used a separate exploit chain to drop the Predator spyware on Android devices in Egypt, exploiting a Chrome zero-day vulnerability. Apple users are urged to install emergency security updates and enable Lockdown Mode to protect against these exploits. This marks the 16th zero-day vulnerability addressed by Apple this year.
Apple has released security updates to fix two zero-day exploits that were used to target a member of a civil society organization in Washington, D.C. The vulnerabilities, including a zero-click vulnerability, were part of an exploit chain designed to deliver NSO Group's Pegasus spyware. Citizen Lab, the internet watchdog group that discovered the vulnerabilities, reported them to Apple, which promptly released patches. The vulnerabilities allowed attackers to compromise iPhones running the latest version of iOS without any interaction from the victim. Apple's quick response highlights the role of civil society in serving as an early warning system for global cybersecurity threats.
Apple has urged iPhone and iPad users to update their devices to iOS 16.5 and iPadOS 16.5 immediately to patch three zero-day vulnerabilities that are actively being exploited on unpatched devices. The vulnerabilities are in the WebKit browser engine and could allow unauthorized access to users' data and personal information, as well as arbitrary code execution. The affected devices include all iPad Pro models, iPhone 6s and later models, and Mac desktops and laptops running macOS Big Sur, Monterey, and Ventura. Users are encouraged to update their devices manually if they have not received automatic updates.
Apple has released emergency security patches for Macs, iPhones, and iPads to address two zero-day vulnerabilities that are actively being exploited. The first vulnerability is in WebKit, which could allow cybercriminals to take control of a user's browser or any app that uses WebKit to display HTML content. The second vulnerability is in Apple's IOSurfaceAccelerator display code, which could allow a booby-trapped local app to inject rogue code into the operating system kernel. Users are advised to update their devices immediately to protect against these vulnerabilities.
On the final day of the Pwn2Own hacking contest, security researchers earned $185,000 by demonstrating five zero-day exploits targeting Windows 11, Ubuntu Desktop, and VMware Workstation. Ubuntu Desktop was hacked three times by three different teams, each using a working zero-day exploit. A fully patched Windows 11 system was also hacked, and the STAR Labs team used an exploit chain against VMware Workstation. In total, 27 zero-day exploits were demoed during the three-day event, with Synacktiv earning $530,000 and a Tesla Model 3 car for their exploits. Vendors have 90 days to patch the bugs before technical details are publicly released.
Competitors at Pwn2Own Vancouver 2023 successfully exploited 10 zero-day vulnerabilities in products such as Tesla Model 3, Microsoft Teams, Oracle VirtualBox, and Ubuntu Desktop, earning a total of $475,000. Synacktiv's David Berard and Vincent Dehors won $250,000 and a Tesla Model 3 after hacking the Tesla Infotainment Unconfined Root. The vendors have 90 days to patch the vulnerabilities before they are publicly disclosed. The contest offers a total prize of $1,080,000 and two Tesla Model 3 cars.
On the first day of Pwn2Own Vancouver 2023, security researchers successfully hacked Tesla Model 3, Windows 11, and macOS using zero-day exploits and exploit chains, earning $375,000 and a Tesla Model 3. Other products hacked include Adobe Reader, Microsoft SharePoint, Ubuntu Desktop, and Oracle VirtualBox. The contest will continue for three days, with contestants targeting products in various categories. After the vulnerabilities are reported to them, vendors have 90 days to release security fixes before the details are publicly disclosed.