News for August 19, 2022

CISA Mandatory Update List
by Artie Kaye

While this list applies to civilian companies that do work with the US government, everyone is advised to update regardless. Seven new items have been added to the mandatory update list, with September 8th as the date to patch by. Patches are available for all listed issues.

CVE-2022-21971 and





(SAP users must have an account in order to login and access the patch.)

Palo Alto Networks (PAN) 

Again, these are actively exploited, and should be patched.  The full list of known exploits can be found at the CISA link below.

New Android Security Being Circumvented
by Artie Kaye

Restricted Setting was added in the recent Android 13 release. It is meant to prevent malicious installers from using the accessibility interface to sideload programs, a technique that bypassed security. A new piece of malware, BugDrop, has been discovered that is still being developed. It works on this premise of sideloading, but it obfuscates the files being installed by mirroring a normal function within the software, which bypasses the new security routine. Avoid untrusted application installs on your phone. If you’re concerned, check the reviews of a program, or search the web to see whether the app you’re looking to get may have more than you want in its install.

Microsoft Office Mail Scam
by Artie Kaye

Scammers in the UK have changed tactics to mailing out official-looking Office packages, complete with a USB stick to install from. Once plugged in, the software on the device loads an error message warning of malware on the machine and giving a number to call. From there the scam follows the script of having the victim install the actual malware, which lets the scammers take control of the machine and steal the victim’s information and money. While this type of attack is not prevalent in the US, it is wise to keep an eye open for possible threats. Never connect a device to your machine unless you trust it.

Ring Camera Android App
by Artie Kaye

Amazon’s Ring companion app for Android was found to have a flaw that could allow an attacker to obtain personally identifying information. The company patched the vulnerability within a month of being informed of its existence. If you use Ring products and monitor from an Android device, please make sure the app is up to date. The company states there has been no evidence of the flaw being exploited.