Newly discovered Zero-Day Attack

A zero-day (0day) vulnerability refers to a security vulnerability for which no mitigation or patch is available at the time it is disclosed or made public. Existing software patches are unable to properly defend against zero-day exploits, meaning attacks of this nature present a serious security risk to organizations. Until the underlying vulnerability is mitigated, a zero-day exploit is akin to a pathogen for which no vaccine is available.

Below are a few newly discovered zero-day attacks. There are others that are not mentioned in this write-up.

1. Google Roulette: Developer console trick can trigger XSS in Chromium browsers.

Malicious actors can stage cross-site scripting (XSS) attacks across the subdomains of a website if they can trick users of Chromium browsers into entering a simple JavaScript command in the developer console.

This is according to security researcher Michał Bentkowski, who presented his findings in a blog post published yesterday (November 16) titled Google Roulette.

While the bug is hard to exploit and Google has decided not to patch it, it is an interesting case study on the complexities of browser security.


2. New DDoS Attack is Record Breaking: HTTP/2 Rapid Reset Zero-Day Reported by Google, AWS & Cloudflare

A significant security development has come to light, with Google, AWS, and Cloudflare jointly reporting an unprecedented Distributed Denial of Service (DDoS) attack campaign. This campaign is exploiting a recently discovered zero-day vulnerability within the HTTP/2 network protocol, which has been aptly named “HTTP/2 Rapid Reset” and tracked as CVE-2023-44487. This vulnerability, now actively exploited, poses a substantial threat to all organizations and individuals relying on servers that provide HTTP/2 services to the internet. It is worth understanding that HTTP/2 is a vital revision of the HTTP network protocol, designed to enhance the speed, efficiency, and security of web applications. The heart of this attack strategy hinges on the rapid reset feature of HTTP/2, where attackers initiate requests and immediately cancel them, thus launching a Distributed Denial of Service (DDoS) attack. The scale and impact of these attacks are record-breaking, with reported peak attack rates hitting extraordinary levels, as observed by Amazon, Cloudflare, and Google. These attacks serve as a stark reminder of the evolving landscape of cybersecurity threats.
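The request-then-cancel pattern described above can be spotted per connection by counting streams that are reset almost immediately after they are opened. The following detection sketch is an added example, not code from the cited reports; the event tuple format, the sample data and the thresholds are assumptions, while `HEADERS` and `RST_STREAM` are the standard HTTP/2 frame types that open and cancel a stream.

```python
from collections import defaultdict


def build_sample():
    """Constructed client-to-server frame events: (time_s, conn_id, stream_id, frame_type)."""
    frames = [
        (0.00, "c1", 1, "HEADERS"),
        (0.40, "c1", 3, "HEADERS"),
        (2.50, "c1", 3, "RST_STREAM"),  # ordinary cancel, long after the request
        (3.00, "c1", 5, "HEADERS"),
    ]
    for i in range(10):  # c2 opens ten streams and cancels each one 1 ms later
        sid, t = 2 * i + 1, 1.0 + i * 0.01
        frames.append((t, "c2", sid, "HEADERS"))
        frames.append((t + 0.001, "c2", sid, "RST_STREAM"))
    return frames


def find_rapid_reset_connections(frames, max_lifetime=0.05, min_resets=5, min_ratio=0.8):
    """Return {conn_id: (streams_opened, rapid_resets)} for suspicious connections.

    A reset is "rapid" when the client cancels a stream within max_lifetime
    seconds of opening it. A connection is flagged when it has at least
    min_resets rapid resets and they make up min_ratio of its streams.
    All three thresholds are assumed values to be tuned against real traffic.
    """
    opened_at = {}              # (conn, stream) -> time the request was opened
    opened = defaultdict(int)   # conn -> number of streams opened
    rapid = defaultdict(int)    # conn -> number of rapid client resets
    for ts, conn, stream, ftype in sorted(frames):
        key = (conn, stream)
        if ftype == "HEADERS" and key not in opened_at:
            opened_at[key] = ts
            opened[conn] += 1
        elif ftype == "RST_STREAM" and key in opened_at:
            if ts - opened_at.pop(key) <= max_lifetime:
                rapid[conn] += 1
    return {
        conn: (n, rapid[conn])
        for conn, n in opened.items()
        if rapid[conn] >= min_resets and rapid[conn] / n >= min_ratio
    }


if __name__ == "__main__":
    for conn, (n, r) in find_rapid_reset_connections(build_sample()).items():
        print(f"{conn}: {r} of {n} streams reset right after opening")
```

A flagged connection is a candidate for closing or rate limiting at the server or proxy, alongside applying the vendor patches for CVE-2023-44487.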

3. Apple fixes iOS Kernel zero-day vulnerability on older iPhones

Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks.

"Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.6," the company said in an advisory.

The first zero-day (tracked as CVE-2023-42824) is a privilege escalation vulnerability caused by a weakness in the XNU kernel that can let local attackers elevate privileges on vulnerable iPhones and iPads.

Apple has now also fixed the issue in iOS 16.7.1 and iPadOS 16.7.1 with improved checks, but it has yet to reveal who discovered and reported the flaw.

The second one, a bug identified as CVE-2023-5217, is caused by a heap buffer overflow vulnerability within the VP8 encoding of the open-source libvpx video codec library. This flaw could let threat actors gain arbitrary code execution upon successful exploitation.

Source:

  1. Ben Dickson: https://portswigger.net/daily-swig/google-roulette-developer-console-trick-can-trigger-xss-in-chromium-browsers
  2. Bill Toulas: https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
  3. Sergiu Gatlan: https://www.bleepingcomputer.com/news/security/apple-fixes-ios-kernel-zero-day-vulnerability-on-older-iphones/