風險: 極高度風險
類型: 用戶端 - 瀏覽器
於微軟 Edge 發現一個漏洞。遠端攻擊者可利用此漏洞,於目標系統觸發遠端執行任意程式碼、繞過保安限制及資料篡改。
注意:
CVE-2026-3909 正被廣泛利用。遠端攻擊者可利用此漏洞透過特製的 HTML 頁面執行越界記憶體存取。
因此,此漏洞的風險等級被評為極高度風險。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝軟件供應商提供的修補程式:
RISK: Extremely High Risk
TYPE: Clients - Browsers
A vulnerability was identified in Microsoft Edge. A remote attacker could exploit this vulnerability to trigger remote code execution, security restriction bypass and data manipulation on the targeted system.
Note:
CVE-2026-3909 is being exploited in the wild. A remote attacker could use this flaw to perform out of bounds memory access via a crafted HTML page.
Hence, the risk level is rated as Extremely High Risk.
Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 操作系統 - LINUX
於 Debian Linux 內核發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發阻斷服務狀況、權限提升及洩露敏感資料。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
RISK: Medium Risk
TYPE: Operating Systems - Linux
Multiple vulnerabilities were identified in Debian Linux Kernel. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, elevation of privilege and sensitive information disclosure on the targeted system.
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 操作系統 - 應用程式平台
於Microsoft產品發現一個漏洞。遠端攻擊者可利用這個漏洞,於目標系統觸發洩露敏感資料及篡改。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝軟件供應商提供的修補程式或緩解措施:
RISK: Medium Risk
TYPE: Operating Systems - Application Platforms
A vulnerability was identified in Microsoft products. A remote attacker could exploit this vulnerability to trigger sensitive information disclosure and data manipulation on the targeted system.
Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes or mitigations issued by the vendor:
風險: 極高度風險
類型: 用戶端 - 瀏覽器
於 Microsoft Edge 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發遠端執行任意程式碼、阻斷服務狀況、繞過保安限制、仿冒及洩露敏感資料。
注意:
CVE-2026-3910 正被廣泛利用。遠端攻擊者可利用此漏洞透過特製的 HTML 頁面在沙箱內執行任意程式碼。
因此,此漏洞的風險等級被評為極高度風險。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝軟件供應商提供的修補程式:
RISK: Extremely High Risk
TYPE: Clients - Browsers
Multiple vulnerabilities were identified in Microsoft Edge. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, denial of service condition, security restriction bypass, spoofing and sensitive information disclosure on the targeted system.
Note:
CVE-2026-3910 is being exploited in the wild. A remote attacker could use this flaw to execute arbitrary code inside a sandbox via a crafted HTML page.
Hence, the risk level is rated as Extremely High Risk.
Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes issued by the vendor:
近日有騙徒冒充水務署,以短訊或電郵方式向市民發送訛稱「用水帳戶資料更新提示」通知,並列出所謂 「欠款」,誘使收件人點擊連結進入釣魚網站,並要求輸入個人資料或信用卡資料以繳交費用。mickmick.net 近日亦接獲並處理多宗相關個案,翻查個案處理紀錄,假冒水務署的詐騙手法其實在兩年前已出現(相關保安警報),近日的個案反映此類以政府公共服務名義進行的釣魚攻擊近期又再度活躍起來。
相關釣魚訊息一般以「用水帳戶近期帳務資料已更新」、「建議您登入水務署服務平台查閱帳戶資料及帳單紀錄」等字眼作招徠,並附上文字超連結,連結至看似官方的釣魚網站,聲稱可直接前往登入「水務署服務平台」或「水務署官方網站」頁面查閱帳戶資料及帳單紀錄。一旦點擊相關連結會進入假冒水務署登入頁面的釣魚網站;釣魚網站會以真實機構標誌及版面設計混淆視聽,令用戶在不知情下輸入資料。市民應提高警覺,切勿因「暫停供水」等訊息而急於點擊及提交信用卡號碼等個人資料。
近期釣魚訊息常見特徵(示例):
假冒水務署的釣魚電郵及釣魚網站攻擊流程
(上圖為分別兩封不同內容的釣魚電郵)
假冒旅遊熱點售票網站
除針對水務署外,騙徒亦假冒香港知名景點的官方售票網站,透過搜尋廣告、社交平台及即時通訊工具來散播聲稱有限時折扣或超低價的優惠,誘導市民購買門票並提交個人資料。
(上圖為假冒知名景點售票網站的釣魚網站)
mickmick.net 呼籲公眾提高警覺,切勿在可疑網站輸入任何資料或進行付款。如收到懷疑假冒水務署名義發出的短訊或電郵,切勿點擊連結或提供任何個人及付款資料;如需查閱賬單或繳費,應自行於瀏覽器輸入水務署官方網站或使用官方流動應用程式,並採取以下措施防範相關釣魚攻擊:
如已輸入信用卡資料到釣魚網站:
Recently, scammers have been impersonating the Water Supplies Department (WSD), sending SMS messages or emails to the public under the guise of a “Water account information update notice.” These messages list alleged “arrears” to lure recipients into clicking links to phishing websites, where they are prompted to enter personal details or credit card information to make payment. mickmick.net has received and handled multiple related cases in recent days. A review of case handling records shows that phishing impersonating the Water Supplies Department actually emerged as early as two years ago (see the relevant security alert). Recent cases indicate that this type of phishing attack conducted in the name of government public services has become active again lately.
These phishing messages commonly use phrases such as “Your water account’s recent billing information has been updated” and “Please log into the WSD service platform to review your account details and billing records.” They include hyperlinked text that leads to phishing sites designed to look like official pages, claiming to take users directly to the “WSD Service Platform” or the “WSD official website” to review account and bill information. Once the link is clicked, users are taken to a fake WSD login page. The phishing site uses genuine-looking logos and layouts to deceive users into entering their information unknowingly. The public should remain vigilant and not be rushed into clicking links or submitting personal data, such as credit card numbers, by messages mentioning “water supply suspension.”
Common characteristics observed in recent phishing messages (examples):
Attack Flow of the Phishing Emails and Websites Impersonating the Water Supplies Department
(The images above showed two phishing emails with different contents.)
Fake tourist hotspot ticketing websites
In addition, scammers also impersonate the official ticketing websites of famous Hong Kong attractions, spreading claims of limited-time discounts or super low prices through search engine ads, social media platforms, and instant messaging tools to lure citizens into purchasing tickets and submitting their personal information.
(The image above showed a fake ticketing site of a well-known attraction)
mickmick.net urges the public to remain vigilant and never enter any information or make payments on suspicious websites. If you receive suspicious SMS messages or emails purporting to be from WSD, do not click on any links and do not provide personal or payment information. If you need to check your bill or make a payment, enter the official website address directly in your browser or use the official mobile application. To guard against related phishing attacks, please take the following measures:
If you have already entered your credit card details on a phishing website, you should:
風險: 中度風險
類型: 保安軟件及應用設備 - 保安軟件及應用設備
於思科 IOS XR 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發阻斷服務狀況及遠端執行任意程式碼。
請參考供應商發佈的連結以了解受影響的設備:
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
RISK: Medium Risk
TYPE: Security software and application - Security Software & Appliance
Multiple vulnerabilities were identified in Cisco IOS XR. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and remote code execution on the targeted system.
For affected devices, please refer to the link issued by the vendor:
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 伺服器 - 網站伺服器
於 Erlang/OTP 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發阻斷服務狀況及洩露敏感資料。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
RISK: Medium Risk
TYPE: Servers - Web Servers
Multiple vulnerabilities were identified in Erlang/OTP. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and sensitive information disclosure on the targeted system.
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 高度風險
類型: 用戶端 - 瀏覽器
於 Google Chrome 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發繞過保安限制及資料篡改。
注意:
CVE-2026-3909 正被廣泛利用。攻擊者可利用此漏洞觸發資料篡改。
CVE-2026-3910 正被廣泛利用。攻擊者可利用此漏洞觸發繞過保安限制。
因此,風險等級被評為高風險。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝軟件供應商提供的修補程式:
RISK: High Risk
TYPE: Clients - Browsers
Multiple vulnerabilities were identified in Google Chrome. A remote attacker could exploit some of these vulnerabilities to trigger security restriction bypass and data manipulation on the targeted system.
Note:
CVE-2026-3909 is being exploited in the wild. An attacker could use this flaw to trigger data manipulation.
CVE-2026-3910 is being exploited in the wild. An attacker could use this flaw to trigger security restriction bypass.
Hence, the risk level is rated as High Risk.
Before installation of the software, please visit the software vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 伺服器 - 其他伺服器
於 GitLab 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發阻斷服務狀況、跨網站指令碼、資料篡改、敏感資料洩露及繞過保安限制。
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
RISK: Medium Risk
TYPE: Servers - Other Servers
Multiple vulnerabilities were identified in GitLab. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, cross-site scripting, data manipulation, information disclosure and security restriction bypass on the targeted system.
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 操作系統 - Network
於 Fortinet 產品發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發遠端執行任意程式碼、洩露敏感資料及繞過保安限制。
FortiAnalyzer
FortiAnalyzer Cloud
FortiManager
FortiManager Cloud
在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。
安裝供應商提供的修補程式:
RISK: Medium Risk
TYPE: Operating Systems - Networks OS
Multiple vulnerabilities were identified in Fortinet Products. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, sensitive information disclosure and security restriction bypass on the targeted system.
FortiAnalyzer
FortiAnalyzer Cloud
FortiManager
FortiManager Cloud
Before installation of the software, please visit the vendor web-site for more details.
Apply fixes issued by the vendor:
風險: 中度風險
類型: 用戶端 - 瀏覽器
於 Mozilla Firefox 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發繞過保安限制及遠端執行任意程式碼。
以下版本之前的版本﹕
在安裝軟體之前,請先瀏覽供應商之官方網站,以獲得更多詳細資料。
更新至版本:
