Thursday 21st November 2024
Aidan Dickenson
Business Development Manager // Tailored solutions to enhance security, improve efficiency, and drive growth.
Good morning everyone and thank you for joining me for the latest instalment of Cyber Daily. Today, we’ve got Apple squashing zero-day bugs, Oracle urging Agile PLM users to plug security gaps, and Ford proving that not every data breach is as bad as it sounds.
Whether you’re updating your devices, marveling at how third-party leaks can spark big headlines, or just learning why you should double-check your network defenses, we’ve got the news to keep you informed. Enjoy!
Apple patches critical zero-day flaws—update now
Apple’s been busy patching two actively exploited zero-day vulnerabilities that could let hackers wreak havoc on your devices. The security fixes span iOS, iPadOS, macOS, visionOS, and Safari. If you haven’t updated yet, consider this your nudge.
Here’s the breakdown:
- CVE-2024-44308: A JavaScriptCore flaw allowing arbitrary code execution from malicious web content.
- CVE-2024-44309: A WebKit cookie management vulnerability that could lead to cross-site scripting (XSS).
The flaws—spotted by Google’s Threat Analysis Group—may have been used in highly targeted spyware campaigns, particularly on Intel-based Mac systems.
Updates are available for iPhones (iOS 18.1.1 and 17.7.2), iPads, macOS Sequoia, Safari 18.1.1, and even the visionOS for Apple Vision Pro. Apple credited improved checks and state management for squashing these bugs.
This brings Apple’s tally of zero-day patches in 2024 to four. Users should update ASAP to protect against exploitation. Stay safe, update often.
Oracle’s Agile PLM zero-day exploited in the wild
Oracle is urging users to patch a high-severity vulnerability (CVE-2024-21287) in Agile Product Lifecycle Management (PLM) after confirming it’s been actively exploited. This flaw, which scored a 7.5 on the CVSS scale, allows remote, unauthenticated attackers to access sensitive files under the PLM application’s privileges.
Here’s the situation:
Exploiting this vulnerability could give attackers access to critical data—or even full access to Agile PLM framework files. Oracle recommends immediate application of the provided patches.
Agile PLM, first introduced two decades ago, is nearing the end of its lifecycle with premier support slated to end by 2027. Meanwhile, Oracle and CrowdStrike are keeping details about the attack methods under wraps.
Ford hackers fumble—no customer data stolen
Ford has closed the book on a hacking claim that had customers worried. Hackers IntelBroker and EnergyWeaponUser recently boasted on a cybercrime forum about stealing 44,000 Ford customer records. But Ford’s investigation says otherwise.
Here’s the real story:
The company reassured everyone that no sensitive customer information was compromised. This marks yet another exaggerated claim from IntelBroker, a hacker known for targeting major organisations but often overstating their successes.
While Ford dodged a bullet this time, the incident highlights how third-party suppliers can inadvertently expose non-critical data. Cybersecurity is a team effort, and even public info can spark unnecessary panic.
Senior Security Program Manager | Leading Cybersecurity Initiatives | Driving Strategic Security Solutions| Cybersecurity Excellence | Cloud Security
6 天前Thanks for sharing this essential update, Aidan Dickenson! Keeping up with the latest vulnerabilities is crucial for maintaining security.