Dolby Zero Day 🔊, Microsoft 365 Mermaid Exfiltration 🧜‍♀️, Malware Targets iOS Exploit Developer 🍏


TLDR

Together With 1Password

TLDR Information Security 2025-10-22

Your guide to taming SaaS chaos (Sponsor)

IT teams face an uphill battle to secure their company's SaaS apps. There's dealing with on/offboarding, going through access reviews, and manually managing permissions for every app that's not behind SSO. And that's just for the apps you know about. So how can you manage the chaos and finally get full visibility over your SaaS ecosystem?

That's where SaaS management solutions come in. 1Password's latest guide explores proven strategies and tools to manage every app -- yes, even shadow IT.

Read the guide

🔓

Attacks & Vulnerabilities

Over 73,000 WatchGuard Firebox Devices Impacted by Recent Critical Flaw (2 minute read)

A critical vulnerability in WatchGuard Firebox devices running certain Fireware OS versions puts over 73,000 network firewalls at risk of unauthenticated remote code execution. Despite patches being released in September, tens of thousands of devices remain unpatched, with the largest concentrations in the US and Europe.
Muji's minimalist calm shattered as ransomware takes down logistics partner (3 minute read)

A ransomware attack on logistics partner Askul forced Japanese retailer Muji to suspend online orders, affecting customers and disrupting services. With Askul's systems nearly paralyzed, many functions, including shipments and customer support, are down. No ransomware group has claimed responsibility.
Vulnerability in Dolby Decoder Can Allow Zero-Click Attacks (2 minute read)

Researchers from Google's Project Zero discovered a vulnerability in Dolby's Unified Decoder that could lead to remote code execution. Dolby Decoder is used by Android to locally decode all audio messages and attachments. The vulnerability is caused by a buffer overflow.
🧠

Strategies & Tactics

Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches (7 minute read)

ClickFix attacks trick users into copying and pasting malicious commands from fake CAPTCHA prompts in web browsers, which are then executed locally on their devices, with attacks spreading primarily through SEO poisoning and malvertising rather than email. These attacks exploit three key weaknesses: users lack awareness training for copy-paste threats, detection evasion techniques bypass email scanners and web proxies by using non-email delivery vectors and heavily obfuscated code, and EDR becomes the sole defense layer since malicious clipboard actions occur within the browser sandbox, invisible to traditional security tools. Security professionals should implement browser-based detection for malicious copy-paste operations, enhance user training to recognize fake CAPTCHA prompts, and deploy comprehensive endpoint monitoring since EDR remains the only reliable detection point after users execute the commands.
Linux Capabilities Revisited (4 minute read)

Linux capabilities enable fine-grained privilege management by dividing root powers into independent units, but attackers can abuse this by setting capabilities like cap_setuid on binaries (e.g., Python) to create stealthy backdoors without traditional SUID bits. Security teams should expand privilege escalation hunting beyond SUID/SGID files to include capability-enabled binaries using getcap -r / and monitor for setcap usage, as capabilities are stored in file inodes under security.capability attributes invisible to standard ls commands. Tools like LinPEAS and Elastic's detection rule for setcap utility usage help identify suspicious capability assignments, while getfattr can reveal hidden extended attributes that getcap decodes into human-readable capability flags.
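To turn the hunting advice above into something runnable, here is an added example (not from the linked article or any tool it names): a POSIX shell filter over `getcap -r /` output that flags binaries holding capabilities equivalent to root. The sample lines and the RISKY_CAPS list are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): filter getcap(8) output for capability
# assignments that effectively hand out root, the "stealthy backdoor" pattern
# described above (e.g. cap_setuid on an interpreter such as python3).

# Constructed sample of `getcap -r /` output. Both formats are covered: newer
# libcap prints "path caps", older releases print "path = caps".
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.11 cap_setuid=ep
/usr/lib/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/perl cap_dac_override,cap_setuid+ep'

# Capabilities that let an arbitrary-code binary become root or read any file.
# This list is the example's own choice, not an official classification.
RISKY_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner'

# has_risky_cap CAPSTRING -> exit 0 if any risky capability appears in CAPSTRING.
has_risky_cap() {
  for c in $RISKY_CAPS; do
    case "$1" in
      *"$c"*) return 0 ;;
    esac
  done
  return 1
}

# flag_risky_caps: read getcap-style lines on stdin, emit "path<TAB>caps" for
# entries carrying a risky capability; the analyst then checks each against a
# known-good baseline for that host.
flag_risky_caps() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    path=${line%% *}      # first token is always the path
    caps=${line#* }       # remainder: "caps" or "= caps"
    caps=${caps#= }       # drop the "= " of the older format
    if has_risky_cap "$caps"; then
      printf '%s\t%s\n' "$path" "$caps"
    fi
  done
}

# audit_live: the actual hunt. Errors from /proc, /sys etc. are discarded.
audit_live() {
  getcap -r / 2>/dev/null | flag_risky_caps
}
```

Pair the output with an auditd or EDR rule on execve of setcap, as the article suggests, so that new assignments are caught as they happen rather than only at the next sweep.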
Microsoft 365 Copilot – Arbitrary Data Exfiltration Via Mermaid Diagrams (5 minute read)

Microsoft 365 Copilot was vulnerable to a security flaw that allowed sensitive business data, like recent emails, to be exfiltrated using specially crafted documents. Attackers could embed hidden instructions and a fake login button, which used Mermaid diagrams to send encoded company data to servers under their control if a user clicked the button. Microsoft fixed the vulnerability by disabling interactions with dynamic Mermaid diagram content, effectively closing this exfiltration route.
🧑‍💻

Launches & Tools

OSINT for Executive Protection: The Flashpoint Guide (Sponsor)

Doxxing. Deepfakes. Targeted harassment. Executives are prime targets for cyber and physical attacks—are you equipped to protect them? Read The Complete Guide to OSINT for Executive Protection to learn how to identify and neutralize digital threats before they escalate, set up real-time alerts, and use AI-powered analysis. Download the guide
Terra Security (Product Launch)

Terra Security offers an agentic-AI-powered continuous penetration testing platform that deploys swarms of AI agents to simulate real-world attacks, providing tailored and scalable vulnerability assessments so organizations can address risks before attackers exploit them.
Sherlock (GitHub Repo)

Hunt down social media accounts by username across social networks.
Spotter (GitHub Repo)

Spotter is a security scanner that uses CEL-based rules to identify security issues in Kubernetes clusters.
🎁

Miscellaneous

Network security devices endanger orgs with '90s era flaws (3 minute read)

Network edge devices like firewalls, VPNs, and email gateways have become major security liabilities, with nearly one in three of the 75 zero-day vulnerabilities tracked by Google in 2024 targeting these appliances. The exploited vulnerabilities consist primarily of basic 1990s-era flaws such as buffer overflows, command injections, and SQL injections—vulnerability classes that have well-established prevention and detection controls, yet persist in security vendors' mission-critical codebases. Security professionals should prioritize patching network appliances immediately when vulnerabilities are disclosed, implement comprehensive logging and monitoring for edge devices, and pressure vendors to adopt modern secure development practices, including memory-safe languages and rigorous code auditing.
Hundreds of masked ICE agents doxxed by hackers, as personal details posted on Telegram (3 minute read)

The Com hacking collective leaked personal information of hundreds of US government employees, including 680 DHS officials, over 170 FBI email addresses, and 190+ Department of Justice officials on private Telegram channels, with unclear data origins. The doxxing coincides with DHS warnings about Mexican cartels allegedly targeting ICE and CBP agents with bounties, and hackers claimed interest in million-dollar rewards while threatening to target IRS officials next. Security professionals should implement enhanced operational security for government personnel, monitor dark web channels for leaked PII, and review data handling procedures to identify potential breach sources, particularly given The Com's history of high-profile attacks against MGM Resorts, Coinbase, and others.
Apple alerts exploit developer that his iPhone was targeted with government spyware (4 minute read)

A former Trenchant (L3Harris subsidiary) iOS exploit developer received an Apple threat notification in March indicating his personal iPhone was targeted with mercenary spyware, potentially marking the first documented case of spyware developers being targeted by their own tools. The developer, pseudonymously called Jay Gibson, was fired from Trenchant weeks earlier after being accused of leaking Chrome zero-days despite working exclusively on iOS exploits, which he and former colleagues deny. Security professionals should note that Apple's threat notification system detects sophisticated targeting even when forensic analysis finds no infection traces, suggesting either failed attack attempts or increasingly stealthy spyware that leaves minimal forensic evidence.

Quick Links

This Halloween, the Scariest Thing Is Unprotected Data (Sponsor)

Welcome to HalloVeeam: where cyber threats wear costumes and heroes save the day. Real security. Zero boring. All treats, no tricks. Perfect Halloween timing. October 30th, 2-3pm CET. Costumes encouraged. Register now →
Major AWS outage takes down Fortnite, Alexa, Snapchat, and more (1 minute read)

A major AWS outage disrupted multiple high-profile services, including Fortnite, Alexa, and Snapchat, highlighting the critical dependency risks and single points of failure that organizations face when relying on centralized cloud infrastructure providers.
Hackers could've drained millions from Shopify rival (3 minute read)

Indian e-commerce platform Dukaan exposed an unsecured Apache Kafka broker for over two years, leaking payment gateway authentication tokens for Stripe, PayPal, and RazorPay, along with customer data from 3.5 million merchants that could have enabled attackers to drain hundreds of millions of dollars from merchant accounts.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.