Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs
Security teams may have a less burdensome rollout in November after October's Goliath Patch Tuesday, but shouldn't wait on a few top-priority fixes.
Zero-click attacks exploit flaws without user interaction, enabling compromise through messages or files; prompt patching and exposure reduction limit risk.
Search across headline titles and summaries.
Background for this topic.
Zero-click describes an exploit that can be triggered without the victim tapping a link, opening a file, or otherwise interacting. Attackers send specially crafted data to software that processes content automatically, such as messaging, calling, email, browser, media, or wireless components. A flaw in a parser or processing service may enable code execution, privilege escalation, or information disclosure, although a zero-click vulnerability is not necessarily remotely exploitable or capable of taking full control.
These attacks matter because they can compromise a device with little visible user activity, making prevention and attribution harder; spyware and unauthorized data access are possible outcomes. Prioritize rapid patching of exposed operating systems, applications, and firmware, and reduce attack surface by disabling unnecessary services or automatic processing where practical. Use least privilege and device isolation to limit impact. Monitoring for unexplained crashes, abnormal processes, or unexpected network connections can support detection, while suspected exploitation should trigger preservation of relevant logs and focused investigation.
Weekly headline count for the current query.
Security teams may have a less burdensome rollout in November after October's Goliath Patch Tuesday, but shouldn't wait on a few top-priority fixes.
A "sophisticated" attack that also exploits an Apple zero-day flaw is targeting a specific group of iPhone users, potentially with spyware.
Zenity CTO Michael Bargury joins the Black Hat USA 2025 News Desk to discuss research on a dangerous exploit, how generative AI technology has "grown arms and legs" —and what that means for cyber risk.
Researchers at Aim Security disclosed a Microsoft Copilot vulnerability of critical severity this week that could have enabled sensitive data exfiltration via prompt injection attacks.
Google addresses patch bypasses for CVE-2024-38272 and CVE-2024-38271, part of the previously announced "QuickShell" silent RCE attack chain against Windows users.
The innocuously named Russian-sponsored cyber threat actor has combined critical and serious vulnerabilities in Windows and Firefox products in a zero-click code execution exploit.
Critical-rated CVE-2024-20017 allows remote code execution (RCE) on a range of phones and Wi-Fi access points from a variety of OEMs.
A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos.
The exploit can be accessed on GitHub and makes it easier for the flaw to be exploited by threat actors.
The newly discovered malware, which has so far mainly targeted Turkish telcos and has links to HiatusRat, infects routers and performs DNS and HTTP hijacking attacks on connections to private IP addresses.
35 years after the Morris worm, we're still dealing with a version of the same issue: data overlapping with control.
Vulnerability CVE-2024-23204, affecting Apple's popular Shortcuts app, suggests a critical need for ongoing security awareness in the macOS and iOS ecosystem.
The purveyor of the infamous Pegasus mobile spyware now has a new method for obtaining critical information from target iPhones and other mobile devices.
Attackers can chain the vulnerabilities to gain full remote code execution.
State-sponsored actors continue to exploit CVE-2023-23397, a dangerous no-interaction vulnerability in Microsoft's Outlook email client that was patched in March, in a widespread global campaign.
The exploit is one of many that government and intelligence agencies have to infect target devices with the notorious surveillance tool.
Russia's FSB intelligence agency says the zero-click attacks range far beyond Kaspersky, and it has blamed them on the United States' NSA. Those allegations are thus far uncorroborated.
An investigation concludes that NSO Group was hired in 2022 to deploy Pegasus spyware against human rights workers in Mexico and other targets.
Facebook's parent company has also expanded bug-bounty payouts to include Oculus and other "metaverse" gadgets for AR/VR.
The US Cybersecurity and Infrastructure Security Agency had wanted federal agencies to implement the fix for the RCE flaw in Hikvision cameras by Jan. 24, 2022.