News Week Ending May 1, 2022


Discord Phishing
by Artie Kaye

Discord is a program used by many to keep in touch on phones or PCs.  Because of how Discord runs on these devices, malicious people have found methods of gaining access to other people’s devices through links and images sent over the program.  Usually, there will be a claim for a free game or something else enticing.  The best way to avoid this is to block messages from anyone except people you know.  Avoid clicking links, even ones that look harmless.  If you do click a link and are prompted with a login screen, do not log in.

https://www.youtube.com/watch?v=3GW1QqPNLig

Chrome Zero-Day
by Artie Kaye

Google has an urgent patch for their browser.  A bug that could allow a forced closure of the browser and execution of code during the process has been fixed.  If you use Chrome or any Chrome-based browsers, please update them.

The flaw is listed as CVE-2022-1364.

https://appleinsider.com/articles/22/04/17/google-chrome-for-macos-gets-another-emergency-zero-day-fix

Windows Patch
by Artie Kaye

Microsoft patched 128 vulnerabilities in their April update.  This massive update targets a few critical threats, and many important ones as well.  A few specifics include a publicly known endpoint privilege escalation flaw in the Windows User Profile Service.  Of the higher severity issues, three were found in Remote Procedure Call (RPC).  Two of the flaws can only be exploited if the attacker already has access, but the third would only need information sent to a listening port of an unsecured system to gain access.  Microsoft warns that simply blocking the listening port wouldn’t be enough, as the exploit can be leveraged through other protocols.  These flaws have been patched.

https://www.csoonline.com/article/3657750/why-you-should-patch-the-latest-critical-windows-rpc-vulnerability-right-now.html

https://www.msn.com/en-us/news/technology/the-latest-microsoft-patch-tuesday-release-fixes-over-100-serious-bugs/ar-AAWbgOS

https://www.theregister.com/2022/04/13/microsoft_patch_tuesday/

WordPress Elementor Security Flaw
by Artie Kaye

WordPress has a history of problems with its plugins.  This time Elementor is at fault.  In version 3.6.0, some security steps were either skipped or ignored, so no user privilege level is defined.  This can potentially allow anyone logged in to a site running the Elementor plugin to gain access to that site.  The exploit can allow an unauthorized user to edit text, upload files, even delete files; it’s a huge oversight.  If you use WordPress and this particular plugin to manage your website, updating to version 3.6.4 is the recommended course of action from the developers.

https://www.searchenginejournal.com/wordpress-elementor-plugin-remote-code-execution-vulnerability/

https://thehackernews.com/2022/04/critical-rce-flaw-reported-in-wordpress.html

Google Recording App Ban
by Artie Kaye

On May 11, 2022, Google will shut down third-party phone call recording apps on Android devices.  This applies only to apps that were downloaded from the app store.  If the device had one built in when it was purchased, it will remain unaffected.  Many of the apps in question have circumvented Google’s past attempts to prevent recording on the phones.  The upcoming change closes a loophole in the accessibility API’s functionality.  It can be seen as coming in line with Apple’s devices, or as a response to the legal risk of recording in states or countries where it is illegal to record without consent.  However, as of this writing (April 27, 2022), there don’t appear to be any changes being made to the Google Phone’s ability to record calls.

https://www.androidheadlines.com/2022/04/google-to-kill-third-party-call-recording-apps-starting-may-11.html

https://www.tomsguide.com/news/google-killing-call-recording-apps-may-11

https://news.yahoo.com/google-ban-apps-recording-phone-161454020.html

https://www.pcmag.com/news/google-is-banning-call-recording-apps-on-android

Fan Control

Fan Control V.110 is a neat piece of software that allows full control over the fans in your computer.  For the rundown of this, please check out JayzTwoCents’ video through the link below.

https://www.youtube.com/watch?v=uDPKVKBMQU8

What is OSINT
by Artie Kaye

OSINT stands for Open Source Intelligence.  It is the practice of using publicly available information to learn about someone or something.  It could range from looking into a potential employer and finding out who will be the probable interviewer and how to impress them in particular, to actively searching for missing persons.  The data searched comes from many sources, including social media profiles, pictures, public records, blogs, school webpages, etc.  It has become easier to access information as more of our lives are being posted online.  If you want to limit the information about yourself that’s out there, it’s possible to restrict social media pages and limit what you post online.  You can’t be completely invisible.  Even if you lived under a rock, someone would come along and photograph the rock and put it on Instagram.  But you can try to limit what is out there by managing your online habits.

https://www.youtube.com/watch?v=ImWJgDQ-_ek

Lenovo UEFI Bug
by Artie Kaye

Lenovo has released a firmware update for its laptops that addresses defects in the UEFI.  Lenovo built backdoors into the firmware that were meant to exist only on the manufacturing floor and be removed from shipped devices.  Lenovo strongly advises updating the firmware on their laptops to solve the problem.

The flaws are listed as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972.

https://www.inforisktoday.com/lenovo-fixes-3-bugs-that-target-employees-working-from-home-a-18924

https://www.msn.com/en-in/money/technology/hacking-alert-lenovo-laptop-users-update-to-the-latest-software-right-now/ar-AAWnPFb

Ever Surf Wallet Flaw
by Artie Kaye

Ever Surf is a recent crypto wallet developed by Everscale.  It is an online wallet to manage your funds.  Being browser-based led to some security flaws with encryption.  While data sent to the wallet and back is encrypted, the data stored on the user’s device may not be.  Researchers were able to find multiple attack vectors using this unsecured information that could result in the loss of access to the wallet.

https://www.theregister.com/2022/04/25/ever-surf-wallet-vulnerability/?td=amp-keepreading-top

Critical Java Patch
by Artie Kaye

A threat has been discovered and patched in Java versions 15-18.  This is a critical patch, as the discovered vulnerabilities allow authentication to be faked.  Any system using ECDSA signatures can be fooled into believing it has been given valid authorization.  This can be done with little effort, which is why the patch is critical.

The flaw is listed as CVE-2022-21449.

https://arstechnica.com/information-technology/2022/04/major-crypto-blunder-in-java-enables-psychic-paper-forgeries/