News for August 19, 2022


CISA Mandatory Update List
by Artie Kaye

While this list applies to civilian companies that do work with the US government, updating is recommended regardless.  Seven new items have been added to the mandatory update list, with September 8th as the deadline to patch by.  Patches are available for all listed issues.

Microsoft
CVE-2022-21971
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21971

CVE-2022-26923
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-26923

Apple
CVE-2022-32894
https://support.apple.com/en-gb/HT213412

CVE-2022-32893
https://support.apple.com/en-gb/HT213413

Chrome
CVE-2022-2856
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html

SAP
CVE-2022-22536
(SAP users must have an account in order to login and access the patch.)
https://accounts.sap.com/saml2/idp/sso

Palo Alto Networks (PAN)
CVE-2017-15944
https://security.paloaltonetworks.com/CVE-2017-15944

Again, these are actively exploited and should be patched.  The full catalog of known exploited vulnerabilities can be found at the CISA link below.

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

https://www.bleepingcomputer.com/news/security/cisa-adds-7-vulnerabilities-to-list-of-bugs-exploited-by-hackers/
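A practical way to act on the catalog is to pull CISA's JSON feed and filter it against the CVEs you actually track, flagging anything whose due date has passed. The script below is an added example written for this digest, not CISA tooling; it assumes the feed's JSON layout (a top-level "vulnerabilities" array with cveID, vendorProject, dateAdded and dueDate fields) and embeds a constructed sample feed in that shape. Only the seven CVE IDs, their vendors and the September 8 due date come from the item above; the "added" dates in the sample are illustrative.

```python
"""Filter a CISA KEV-style JSON feed against a local CVE inventory and flag
entries whose remediation due date has passed.

Assumption: the feed is the JSON form of the KEV catalog, i.e. an object with a
"vulnerabilities" array whose entries carry cveID, vendorProject, dateAdded and
dueDate as ISO-8601 dates. SAMPLE_FEED below is a constructed stand-in for the
real download (https://www.cisa.gov/known-exploited-vulnerabilities-catalog).
"""
import json
from datetime import date

# Constructed sample feed: the seven entries from the digest, with the page's
# 8 September 2022 due date. The dateAdded values are illustrative.
SAMPLE_FEED = json.dumps({
    "title": "KEV catalog (constructed sample for this example)",
    "vulnerabilities": [
        {"cveID": "CVE-2022-21971", "vendorProject": "Microsoft",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32894", "vendorProject": "Apple",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-32893", "vendorProject": "Apple",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-2856", "vendorProject": "Google",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2022-22536", "vendorProject": "SAP",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
        {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks",
         "dateAdded": "2022-08-18", "dueDate": "2022-09-08"},
    ],
})


def load_kev(feed_text):
    """Parse the feed text into entries with normalised IDs and real dates."""
    data = json.loads(feed_text)
    entries = []
    for v in data["vulnerabilities"]:
        entries.append({
            "cve": v["cveID"].strip().upper(),
            "vendor": v["vendorProject"],
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
        })
    return entries


def added_on(entries, day):
    """Entries that were added to the catalog on the given day."""
    return [e for e in entries if e["added"] == day]


def inventory_matches(entries, inventory):
    """Catalog entries whose CVE appears in the local inventory (case/space tolerant)."""
    wanted = {c.strip().upper() for c in inventory}
    return [e for e in entries if e["cve"] in wanted]


def overdue(entries, today):
    """Entries whose remediation due date is already in the past."""
    return [e for e in entries if e["due"] < today]


def report(feed_text, inventory, today):
    """Summarise which inventory CVEs are in KEV, which are overdue, and days left."""
    hits = inventory_matches(load_kev(feed_text), inventory)
    return {
        "in_kev": sorted(e["cve"] for e in hits),
        "overdue": sorted(e["cve"] for e in overdue(hits, today)),
        "days_left": {e["cve"]: (e["due"] - today).days for e in hits},
    }


if __name__ == "__main__":
    # Constructed inventory: two tracked CVEs plus a placeholder that is not in KEV.
    tracked = ["cve-2022-32893", " CVE-2022-2856 ", "CVE-0000-0000"]
    print(json.dumps(report(SAMPLE_FEED, tracked, date.today()), indent=2))
```

Run it with the real feed by replacing SAMPLE_FEED with the downloaded JSON text; the functions only depend on the field names named above. Normalising the CVE IDs (strip and upper-case) matters because inventory exports from ticketing systems frequently carry stray whitespace or lower-case IDs, which would otherwise silently produce no matches.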

New Android Security Being Circumvented
by Artie Kaye

Restricted Settings was added in the recent Android 13 release.  It is intended to prevent malicious installers from using the accessibility interface to sideload programs, which bypassed security.  A new malware, BugDrop, still under development, was discovered that relies on the same sideloading premise, but it obfuscates the files being installed by mirroring a normal function within the software, which bypasses the new security routine.  Avoid installing untrusted applications on your phone; if you’re concerned, check a program’s reviews or search online to see whether the app you’re looking at may bundle more than you want in its install.

https://www.bleepingcomputer.com/news/security/malware-devs-already-bypassed-android-13s-new-security-feature/

https://thehackernews.com/2022/08/cybercriminals-developing-bugdrop.html

Microsoft Office Mail Scam
by Artie Kaye

Scammers in the UK have changed tactics to mailing out official-looking Office packages, complete with a USB stick to install from.  Once plugged in, the software on the device loads an error message warning of malware on the machine and gives a number to call.  From there the scam follows the familiar script: the victim is talked into installing the actual malware, which lets the scammers take control of the machine and steal their information and money.  While this type of attack is not prevalent in the US, it is wise to keep an eye open for the possibility.  Never connect a device to your machine unless you trust it.

https://www.tomshardware.com/news/scammers-distribute-fake-microsoft-office-usb-sticks-with-malware

https://www.digitaltrends.com/computing/dont-fall-for-this-devious-new-microsoft-office-scam/

https://www.pcmag.com/news/beware-microsoft-office-usb-sticks-that-show-up-in-the-mail-its-a-scam

Ring Camera Android App
by Artie Kaye

Amazon’s Ring companion app for Android was found to have a flaw that could allow an attacker to obtain personally identifying information.  The company patched the vulnerability within a month of being informed of it.  If you use Ring products and monitor them from an Android device, please make sure the app is up to date.  The company states there is no evidence of the flaw being exploited.

https://www.securityweek.com/ring-camera-recordings-exposed-due-vulnerability-android-app

https://thehackernews.com/2022/08/new-amazon-ring-vulnerability-could.html

https://www.bleepingcomputer.com/news/security/amazon-fixes-ring-android-app-flaw-exposing-camera-recordings/