2026年6月16日星期二

Microsoft Edge 多個漏洞

Microsoft Edge 多個漏洞

發佈日期: 2026年06月16日

風險: 極高度風險

類型: 用戶端 - 瀏覽器

於 Microsoft Edge 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發遠端執行任意程式碼、阻斷服務狀況、權限提升、繞過保安限制及敏感資料洩露。

 

注意:

CVE-2026-11645 正在被廣泛利用。遠端攻擊者可以利用此漏洞,透過特製的 HTML 頁面在沙箱環境中執行任意程式碼。因此,此漏洞的風險等級被評為極高度風險。

 

影響

  • 資料洩露
  • 阻斷服務
  • 遠端執行程式碼
  • 權限提升
  • 繞過保安限制

受影響之系統或技術

  • Microsoft Edge 149.0.4022.69 之前的版本

解決方案

在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。

安裝軟件供應商提供的修補程式:

  • 更新至 149.0.4022.69 或之後版本

漏洞識別碼

資料來源

相關連結

沒有留言:

Microsoft Edge Multiple Vulnerabilities

Microsoft Edge Multiple Vulnerabilities

Release Date: 16 Jun 2026

RISK: Extremely High Risk

TYPE: Clients - Browsers

Multiple vulnerabilities were identified in Microsoft Edge. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, denial of service condition, elevation of privilege, security restriction bypass and sensitive information disclosure on the targeted system.

 

 

Note: 

CVE-2026-11645 is being exploited in the wild. A remote attacker could exploit this vulnerability to execute arbitrary code inside a sandbox via a crafted HTML page. Hence, the risk level is rated as Extremely High Risk.

Impact

  • Information Disclosure
  • Denial of Service
  • Remote Code Execution
  • Elevation of Privilege
  • Security Restriction Bypass

System / Technologies affected

  • Microsoft Edge version prior to 149.0.4022.69

Solutions

Before installation of the software, please visit the software vendor web-site for more details.

Apply fixes issued by the vendor:

  • Update to version 149.0.4022.69 or later

Vulnerability Identifier

Source

Related Link

沒有留言:

2026年6月15日星期一

釣魚警報 - 提防利用疑似外洩預訂資料的 Booking.com 釣魚訊息

釣魚警報 - 提防利用疑似外洩預訂資料的 Booking.com 釣魚訊息

發佈日期: 2026年06月15日

類別: 網絡釣魚

網絡釣魚警告

現況及相關趨勢

mickmick.net 提醒市民,小心假冒 Booking.com 及酒店預訂通知的釣魚攻擊。有騙徒利用Booking.com早前流出的真實訂房資料,冒充 Booking.com 平台或酒店向旅客發送電郵及WhatsApp訊息,聲稱預訂出現異常、付款授權失敗,或要求用戶於指定時間內更新付款資料,否則將取消預訂,藉此誘使用戶點擊可疑連結及提交個人資料、帳戶憑證或信用卡資料。

 

根據公開資訊,Booking.com 早前曾出現涉及部分預訂資料被未授權存取的保安事件,受影響資料可能包括住客姓名、電郵地址、電話號碼,以及與住宿提供者之間的通訊內容。海外亦有報道指出,有騙徒利用流出的真實訂房資料,針對日本旅客發送假冒 Booking.com 或酒店的訊息,以進一步進行釣魚詐騙。

 

由於 Booking.com 為本港市民常用的網上旅遊預訂平台之一,香港用戶亦可能面對相同風險。市民如曾透過相關平台預訂酒店、住宿或其他旅遊服務,應提高警覺,慎防受騙。騙徒可能在訊息中附上可疑連結,將用戶導向偽冒的登入、付款或驗證頁面,要求輸入帳戶密碼、信用卡資料、一次性密碼或其他敏感資料。

 

騙徒亦可能透過 WhatsApp 或其他即時通訊平台進一步聯絡受害人,要求重新驗證付款資料或完成所謂預訂確認程序。相關訊息常以訂房資料未齊全為由,誘使用戶點擊可疑連結補交資料,其中更會夾附用戶的真實入住日期、住客全名等資料,以提高可信性。

 

最近 mickmick.net 亦有處理涉及 Booking.com 及 Klook 等網上旅遊預訂平台的釣魚個案。個案顯示,騙徒會針對與旅遊預訂相關的平台,設立釣魚網站誘使用戶提交帳戶資料或付款資訊。

 

以下為相關個案中的釣魚網站頁面:

 

圖:假冒 Booking.com 的釣魚網站,聲稱用戶需輸入信用卡資料以進行預訂。

 

圖:假冒網上旅遊預訂平台的釣魚網站頁面。

 

圖:假冒網上旅遊預訂平台付款驗證頁面的釣魚網站。

 

mickmick.net 呼籲市民,不應單憑訊息中載有自己的姓名、酒店名稱、預訂資料或行程內容,便判斷其為真確。任何涉及帳戶、付款或預訂異常的通知,均應透過官方渠道核實,以保障個人及財務安全。

 

對公眾的安全建議

mickmick.net 提醒市民:

 

  • 仔細核對發件人電郵地址及網站完整網址,不應只憑顯示名稱判斷真偽;
  • 如收到與預訂、付款或帳戶安全有關的通知,應直接透過官方 App 或手動輸入官方網址查閱;
  • 切勿點擊來歷不明或未經核實訊息中的連結;
  • 切勿於可疑網站輸入帳戶密碼、信用卡資料、一次性密碼或其他敏感資料;
  • 如有懷疑,應透過官方網站、App 或酒店已公開的聯絡方式自行核實;
  • 建議使用強度高的密碼,並啟用多重認證,以加強帳戶保護;
  • 定期檢查銀行戶口及信用卡交易紀錄,留意是否出現異常活動。

 

如曾提交資料,應立即採取以下行動

如市民懷疑曾於可疑網站輸入個人資料、帳戶憑證或信用卡資料,應盡快採取以下措施:

 

  • 立即停止與對方聯絡,切勿再提供任何個人、帳戶或財務資料;
  • 立即更改相關平台帳戶密碼,以及其他使用相同或相似密碼的帳戶密碼;
  • 立即聯絡相關銀行或信用卡發卡機構,通報事件並要求採取適當保護措施;
  • 密切留意銀行戶口及信用卡交易紀錄,檢查是否出現未經授權交易;
  • 保留相關紀錄,包括可疑電郵、訊息截圖、網址、網站畫面及交易紀錄,以便日後跟進或報案之用。
沒有留言:

Phishing Alert - Beware of Booking.com Phishing Messages Exploiting Suspected Leaked Booking Data

Phishing Alert - Beware of Booking.com Phishing Messages Exploiting Suspected Leaked Booking Data

Release Date: 15 Jun 2026

Type: Phishing

Phishing Alert

Current Status and Related Trends

mickmick.net reminds the public to stay alert to phishing attacks impersonating Booking.com and hotel booking notifications. Fraudsters are using what appears to be genuine booking information previously leaked from Booking.com to impersonate the Booking.com platform or hotels, sending travellers emails and WhatsApp messages claiming that there is an issue with their reservation, that payment authorization has failed, or that they must update their payment details within a specified time or their booking will be cancelled. The aim is to lure users into clicking suspicious links and submitting personal information, account credentials, or credit card details.

 

According to public information, Booking.com previously experienced a security incident involving unauthorized access to certain booking data. The affected information may have included guests’ names, email addresses, phone numbers, and communications between guests and accommodation providers. Overseas reports have also indicated that fraudsters have used leaked genuine booking data to send fake Booking.com or hotel messages targeting Japanese travellers as part of further phishing scams.

 

As Booking.com is one of the online travel booking platforms commonly used by Hong Kong residents, local users may also face the same risk. Anyone who has used the platform to book hotels, accommodation, or other travel services should remain vigilant and beware of fraud. Fraudsters may include suspicious links in their messages, directing users to fake login, payment, or verification pages and asking them to enter account passwords, credit card details, one-time passwords, or other sensitive information.

 

Fraudsters may also contact victims through WhatsApp or other instant messaging platforms, asking them to re-verify payment details or complete a so-called booking confirmation process. Such messages often claim that booking information is incomplete and urge users to click suspicious links to provide the missing details. To make the scam appear more convincing, the messages may include genuine information such as the user’s actual check-in date and full guest name.

 

Recently, mickmick.net has also handled phishing cases involving online travel booking platforms such as Booking.com and Klook. These cases show that fraudsters target platforms related to travel bookings by setting up phishing websites to trick users into submitting account details or payment information.

 

The following are phishing website pages from related cases:

 

Image: A phishing website impersonating Booking.com, claiming that users must enter credit card details to proceed with the booking.

 

Image: A phishing webpage impersonating an online travel booking platform.

 

Image: A phishing website impersonating an online travel booking platform’s payment verification page.

 

mickmick.net urges the public not to assume that a message is genuine simply because it contains their name, hotel name, booking details, or itinerary information. Any notification involving account issues, payment issues, or abnormal booking activity should always be verified through official channels in order to protect personal and financial security.

 

Security Advice for the Public

mickmick.net reminds the public to:

 

  • Carefully verify the sender’s email address and the full website URL, and not rely solely on the displayed name to judge authenticity;
  • If you receive a notification related to booking, payment, or account security, check it directly through the official app or by manually entering the official website address;
  • Never click on links in messages from unknown or unverified sources;
  • Never enter account passwords, credit card details, one-time passwords, or other sensitive information on suspicious websites;
  • If in doubt, verify the matter independently through the official website, app, or publicly available contact details of the hotel;
  • Use strong passwords and enable multi-factor authentication to enhance account protection;
  • Regularly review bank account and credit card transaction records for any unusual activity.

 

If You Have Already Submitted Information, Take the Following Actions Immediately

If members of the public suspect that they have entered personal information, account credentials, or credit card details on a suspicious website, they should take the following steps as soon as possible:

 

  • Immediately stop all contact with the other party and do not provide any further personal, account, or financial information;
  • Change the password of the relevant platform account immediately, as well as the passwords of any other accounts using the same or similar password;
  • Contact the relevant bank or credit card issuer immediately, report the incident, and request appropriate protective measures;
  • Closely monitor bank account and credit card transaction records for any unauthorized transactions;
  • Keep all relevant records, including suspicious emails, message screenshots, URLs, website screenshots, and transaction records, for follow-up or reporting purposes.
沒有留言:

2026年6月12日星期五

GitLab 多個漏洞

GitLab 多個漏洞

發佈日期: 2026年06月12日

風險: 中度風險

類型: 伺服器 - 其他伺服器

於 GitLab 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發跨網站指令碼、阻斷服務狀況、權限提升、洩露敏感資料、繞過保安限制及資料篡改。 

影響

  • 跨網站指令碼
  • 阻斷服務
  • 權限提升
  • 繞過保安限制
  • 資料洩露
  • 篡改

受影響之系統或技術

  • GitLab Community Edition (CE) 19.0.2, 18.11.5, 18.10.8 以前的版本
  • GitLab Enterprise Edition (EE) 19.0.2, 18.11.5, 18.10.8 以前的版本

解決方案

在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。

 

安裝供應商提供的修補程式:

漏洞識別碼

資料來源

相關連結

沒有留言:

GitLab Multiple Vulnerabilities

GitLab Multiple Vulnerabilities

Release Date: 12 Jun 2026

RISK: Medium Risk

TYPE: Servers - Other Servers

Multiple vulnerabilities were identified in GitLab. A remote attacker could exploit some of these vulnerabilities to trigger cross-site scripting, denial of service condition, elevation of privilege, sensitive information disclosure, security restriction bypass and data manipulation on the targeted system.

Impact

  • Cross-Site Scripting
  • Denial of Service
  • Elevation of Privilege
  • Security Restriction Bypass
  • Information Disclosure
  • Data Manipulation

System / Technologies affected

  • GitLab Community Edition (CE) versions prior to 19.0.2, 18.11.5, 18.10.8
  • GitLab Enterprise Edition (EE) versions prior to 19.0.2, 18.11.5, 18.10.8

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

Vulnerability Identifier

Source

Related Link

沒有留言:

Google Chrome 多個漏洞

Google Chrome 多個漏洞

發佈日期: 2026年06月12日

風險: 中度風險

類型: 用戶端 - 瀏覽器

於 Google Chrome 發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發遠端執行任意程式碼、阻斷服務狀況、繞過保安限制及敏感資料洩露。

 

影響

  • 資料洩露
  • 阻斷服務
  • 遠端執行程式碼
  • 繞過保安限制

受影響之系統或技術

  • Google Chrome 149.0.7827.114 (Linux) 之前的版本
  • Google Chrome 149.0.7827.114/.115 (Mac) 之前的版本
  • Google Chrome 149.0.7827.114/.115 (Windows) 之前的版本

解決方案

在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。

安裝軟件供應商提供的修補程式:

  • 更新至 149.0.7827.114 (Linux) 或之後版本
  • 更新至 149.0.7827.114/.115 (Mac) 或之後版本
  • 更新至 149.0.7827.114/.115 (Windows) 或之後版本

漏洞識別碼

資料來源

相關連結

沒有留言:

Google Chrome Multiple Vulnerabilities

Google Chrome Multiple Vulnerabilities

Release Date: 12 Jun 2026

RISK: Medium Risk

TYPE: Clients - Browsers

Multiple vulnerabilities were identified in Google Chrome. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, denial of service condition, security restriction bypass and sensitive information disclosure on the targeted system.

Impact

  • Information Disclosure
  • Denial of Service
  • Remote Code Execution
  • Security Restriction Bypass

System / Technologies affected

  • Google Chrome prior to 149.0.7827.114 (Linux)
  • Google Chrome prior to 149.0.7827.114/.115 (Mac)
  • Google Chrome prior to 149.0.7827.114/.115 (Windows)

Solutions

Before installation of the software, please visit the software vendor web-site for more details.

Apply fixes issued by the vendor:

  • Update to version 149.0.7827.114 (Linux) or later
  • Update to version 149.0.7827.114/.115 (Mac) or later
  • Update to version 149.0.7827.114/.115 (Windows) or later

Vulnerability Identifier

Source

Related Link

沒有留言:

Splunk 產品多個漏洞

Splunk 產品多個漏洞

發佈日期: 2026年06月12日

風險: 中度風險

類型: 保安軟件及應用設備 - 保安軟件及應用設備

於 Splunk 產品發現多個漏洞。遠端攻擊者可利用這些漏洞,於目標系統觸發洩露敏感資料、繞過保安限制及跨網站指令碼。

影響

  • 繞過保安限制
  • 資料洩露
  • 跨網站指令碼

受影響之系統或技術

  • 以下 Splunk Enterprise 的之前版本
    • 10.0.7
    • 10.2.4
    • 9.3.13
    • 9.4.12
  • 以下 Splunk Cloud Platform 的之前版本
    • 9.3.2411.131
    • 9.3.2411.132
    • 10.0.2503.14
    • 10.1.2507.22
    • 10.1.2507.23
    • 10.2.2510.14
    • 10.2.2510.15
    • 10.3.2512.11
    • 10.3.2512.12
    • 10.3.2512.13
    • 10.4.2604.0
    • 10.4.2604.3

解決方案

在安裝軟體之前,請先瀏覽供應商之網站,以獲得更多詳細資料。

 

安裝供應商提供的修補程式:

漏洞識別碼

資料來源

相關連結

沒有留言:

Splunk Products Multiple Vulnerabilities

Splunk Products Multiple Vulnerabilities

Release Date: 12 Jun 2026

RISK: Medium Risk

TYPE: Security software and application - Security Software & Appliance

Multiple vulnerabilities were identified in Splunk products. A remote attacker could exploit some of these vulnerabilities to trigger sensitive information disclosure, security restriction bypass and cross-site scripting on the targeted system.

Impact

  • Security Restriction Bypass
  • Information Disclosure
  • Cross-Site Scripting

System / Technologies affected

  • Splunk Enterprise versions below
    • 10.0.7
    • 10.2.4
    • 9.3.13
    • 9.4.12
  • Splunk Cloud Platform versions below 
    • 9.3.2411.131
    • 9.3.2411.132
    • 10.0.2503.14
    • 10.1.2507.22
    • 10.1.2507.23
    • 10.2.2510.14
    • 10.2.2510.15
    • 10.3.2512.11
    • 10.3.2512.12
    • 10.3.2512.13
    • 10.4.2604.0
    • 10.4.2604.3

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

Vulnerability Identifier

Source

Related Link

沒有留言:
訂閱: 文章 (Atom)

Microsoft Edge 多個漏洞

Microsoft Edge 多個漏洞 發佈日期: 2026年06月16日 風險: 極高度風險 類型: 用戶端 - 瀏覽器 於 Microsof...