Transcript
A (0:04)
Microsoft revamps Edge IE mode after zero day attacks. The FBI seizes the extortion site targeting Salesforce. A new round of layoffs hits CISA, and Apple doubles its bug bounty rewards. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 13th of October, and this podcast episode is brought to you by Nebulock.

Threat actors are exploiting a zero day in the legacy Internet Explorer mode of Microsoft's Edge browser. Hackers trick users into reloading a malicious site in Internet Explorer mode and then use a script engine zero day to run code. Attacks have been observed as far back as August. Microsoft has removed the one easy button that relaunches sites in Explorer mode. Users now need to jump through several hoops.

In other news, hackers are exploiting a zero day in two software products from Gladinet. The flaw is a file read vulnerability in the CentreStack and Triofox file sharing servers. It's being used to steal a server's .NET machine key, which is leveraged for deserialization and code execution. Gladinet is working on a patch. This is the second Gladinet zero day this year.

The Trump administration will not nominate Army Lt. Gen. William Hartman for chief of Cyber Command and the National Security Agency. General Hartman has been acting head of both agencies since April, when he replaced Air Force General Timothy Haugh. One source told the Record the White House may still want to end the dual hat arrangement and split the role. Meantime, the White House fired more than 4,000 government workers last week, including 176 from CISA. Some CISA employees were also reassigned to help other agencies with immigration enforcement. This is the third round of CISA layoffs this year.

Apple will double its bug bounty rewards for serious vulnerabilities and exploit chains. Rewards will max out at $5 million for remote attacks on Lockdown Mode. The new scheme will go into effect in November. The company will also add new bounty categories. Apple will also donate 1,000 security hardened iPhones to civil society organisations to distribute amongst high risk users.

A group of US investors has acquired Israeli spyware maker NSO Group. The investors are led by Hollywood producer Robert Simonds, who previously attempted to acquire the company in 2023. Wired reports the deal is worth several tens of millions of dollars. In 2019, the company was valued at roughly $1 billion. NSO will continue to operate out of Israel and remain subject to the country's export controls. In 2021, the US Treasury Department added NSO Group to its list of banned entities.

The FBI has seized a website that was being used to extort Salesforce and its customers. The site was seized two days before hackers were expected to leak data stolen from Salesforce. It was operated by a group calling itself Scattered Lapsus Hunters and was named after the former BreachForums hacking community. The dark web version of the site remains active. The group has released data from six companies, including Qantas and Vietnam Airlines.

Argentinian officials have arrested a Nigerian man wanted by Interpol for alleged romance scam operations. The man, identified as Ikechukwu N., is Argentina's first arrest based on an Interpol Red Notice. The suspect was also listed in Interpol's Silver Notice database, a new project aimed at recovering criminal assets.

Cambodian police have raided a cyberscam compound in Phnom Penh. Authorities arrested 76 foreigners and five locals. The group operated out of the Morgan Tower building, which was raided for similar crypto scam activity earlier this year.

Spanish authorities have arrested a Brazilian national suspected of operating a major phishing platform. The 25 year old suspect used the online handle GoogleXcoder. He allegedly ran an online phishing service named GXC Team that served the Spanish speaking cybercrime underground. The service could bypass 2FA and came with ready made Android malware for targeting banks and crypto. The suspect was living in Spain on a digital nomad visa.

Hackers have breached online gambling platform Fast Track and stolen data from two of its customers. The targets were two cryptocurrency casinos, Shuffle and Rubet. The stolen data is believed to include names, emails, home addresses and betting history. The breach occurred earlier this month.

Apple is introducing age verification checks for users in Texas to comply with upcoming state laws. All users under 18 will be required to join a family plan in order to use Apple products. Apple is also releasing age verification tools for its developer ecosystem. Texas's new age verification law enters into effect next year.

The Aisuru DDoS botnet has grown to more than 300,000 infected systems. The botnet launched in August last year and was discovered by Chinese security firms after it infected local ISPs and cloud providers. According to Krebs on Security, most bots are now located on US networks. Aisuru currently holds the record for the largest DDoS attack.

A botnet has launched coordinated scanning of RDP endpoints in the U.S. More than 100,000 unique IPs have participated in the attack since October 8th. The botnet is using timing information in an attempt to identify valid usernames. GreyNoise first discovered the botnet in Brazil after noticing an unusual spike in Internet traffic.

Oracle has released an out of band security update to patch another critical vulnerability in its E-Business Suite. The latest bug allows remote attackers to access the platform without authentication. Oracle has not confirmed if the bug was exploited in the wild. This is the second E-Biz patch the company has released this month.

Google Chrome will revoke notification permissions for websites that users haven't visited recently. The change is designed to reduce notification spam. Chrome already does the same thing for camera access or location information.

And finally, researchers say data poisoning attacks on LLMs are more practical than previously thought. A recent academic study said as few as 250 malicious documents could poison an LLM's output. Anthropic AI says this challenges previous assumptions that attackers would need to control a significant amount of training data.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Nebulock. Find them at nebulock.io. Thanks for your company.
