CISA Updates, Multiple Android Flaws, and Microsoft Malware Call Scam
CISA Mandatory Update List
by Artie Kaye
While this list applies to civilian companies that do work with the US government, it would be recommended to update regardless. Seven new items have been added to the mandatory update list, marking September 8th as the date to patch by. The patches are available for all listed issues.
Company | CVE | Platform | Details |
---|---|---|---|
Apple | CVE-2022-32894 | iPadOS iOS | https://support.apple.com/en-gb/HT213412 |
CVE-2022-32893 | MacOS | https://support.apple.com/en-gb/HT213413 | |
CVE-2022-2856 | Chrome | https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html | |
SAP | CVE-2022-22536 | SAP | (SAP users must have an account in order to login and access the patch.) https://accounts.sap.com/saml2/idp/sso |
Palo Alto Networks | CVE-2017-15944 | PAN-OS | https://security.paloaltonetworks.com/CVE-2017-15944 |
For a more comprehensive list of all vulnerabilities, visit cisa.gov (Opens in a new tab/window.)
New Android Security Being Circumvented
by Artie Kaye
Restricted Setting was added in the recent Android 13 release. This focused on preventing malicious installers from using the accessibility interface to sideload programs, which bypassed security. A new malware, BugDrop, was discovered that’s still being developed which functions on this premise of sideloading, but it obfuscates the files being installed by mirroring a normal function within the software, which bypasses the new security routine. Avoid untrusted application installs on your phone, check the reviews of a program if you’re concerned or check the net to see if the app you’re looking to get may have more than you want in its install.
Third-Party references:
Click the links below to learn more details. (Opens in a new tab/window.)
Microsoft Office Mail Scam
by Artie Kaye
Scammers in the UK have changed tactics to mailing out official looking Office packages, complete with a USB stick to install from. Once plugged in, the software on the device will load an error message, warning of malware on the machine and give a number to call. From there the scam follows the script of having the victim install the actual malware that will let the scammers take control of the machine and steal their information and money. While this type of attack is not prevalent in the US, it is wise to keep an eye open to the possible threats. Never connect a device to your machine unless you trust it.
Third-Party references:
Click the links below to learn more details. (Opens in a new tab/window.)
Ring Camera Android App
by Artie Kaye
Amazon’s Ring companion App for Android was found to have a flaw that could allow for personal identifying information to be obtained by an attacker. The company patched the vulnerability out within a month of being informed of its existence. If you use Ring products and monitor from an Android device, please make sure the app is up to date. The company states there has been no evidence of the flaw being exploited.
Third-Party references:
Click the links below to learn more details. (Opens in a new tab/window.)