Thursday 21st November 2024

Good morning everyone and thank you for joining me for the latest instalment of Cyber Daily. Today, we’ve got Apple squashing zero-day bugs, Oracle urging Agile PLM users to plug security gaps, and Ford proving that not every data breach is as bad as it sounds.

Whether you’re updating your devices, marveling at how third-party leaks can spark big headlines, or just learning why you should double-check your network defenses, we’ve got the news to keep you informed. Enjoy!

Apple patches critical zero-day flaws—update now

Apple’s been busy patching two actively exploited zero-day vulnerabilities that could let hackers wreak havoc on your devices. The security fixes span iOS, iPadOS, macOS, visionOS, and Safari. If you haven’t updated yet, consider this your nudge.

Here’s the breakdown:

- CVE-2024-44308: A JavaScriptCore flaw allowing arbitrary code execution from malicious web content.

- CVE-2024-44309: A WebKit cookie management vulnerability that could lead to cross-site scripting (XSS).

The flaws—spotted by Google’s Threat Analysis Group—may have been used in highly targeted spyware campaigns, particularly on Intel-based Mac systems.

Updates are available for iPhones (iOS 18.1.1 and 17.7.2), iPads, macOS Sequoia, Safari 18.1.1, and even the visionOS for Apple Vision Pro. Apple credited improved checks and state management for squashing these bugs.

This brings Apple’s tally of zero-day patches in 2024 to four. Users should update ASAP to protect against exploitation. Stay safe, update often.

Oracle’s Agile PLM zero-day exploited in the wild

Oracle is urging users to patch a high-severity vulnerability (CVE-2024-21287) in Agile Product Lifecycle Management (PLM) after confirming it’s been actively exploited. This flaw, which scored a 7.5 on the CVSS scale, allows remote, unauthenticated attackers to access sensitive files under the PLM application’s privileges.

Here’s the situation:

• The bug affects Agile PLM version 9.3.6 and can be exploited via HTTP without user authentication.
• CrowdStrike researchers Joel Snape and Lutz Wolf discovered the flaw, and Oracle has confirmed its use in real-world attacks.

Exploiting this vulnerability could give attackers access to critical data—or even full access to Agile PLM framework files. Oracle recommends immediate application of the provided patches.

Agile PLM, first introduced two decades ago, is nearing the end of its lifecycle with premier support slated to end by 2027. Meanwhile, Oracle and CrowdStrike are keeping details about the attack methods under wraps.

Ford hackers fumble—no customer data stolen

Ford has closed the book on a hacking claim that had customers worried. Hackers IntelBroker and EnergyWeaponUser recently boasted on a cybercrime forum about stealing 44,000 Ford customer records. But Ford’s investigation says otherwise.

Here’s the real story:

• The supposed data leak? Just dealer business addresses, which are already publicly available.
• Ford confirmed its systems weren’t breached; the leaked data came from a third-party supplier.

The company reassured everyone that no sensitive customer information was compromised. This marks yet another exaggerated claim from IntelBroker, a hacker known for targeting major organisations but often overstating their successes.

While Ford dodged a bullet this time, the incident highlights how third-party suppliers can inadvertently expose non-critical data. Cybersecurity is a team effort, and even public info can spark unnecessary panic.