Authenticated (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in Gabe Livan’s Asset CleanUp: Page Speed Booster plugin <= 1.3.8.4 at WordPress.
Daily Archives: October 11, 2022
Microsoft’s October 2022 Patch Tuesday Addresses 84 CVEs (CVE-2022-41033)
Microsoft’s October 2022 Patch Tuesday Addresses 84 CVEs (CVE-2022-41033)
Microsoft addresses 84 CVEs in its October 2022 Patch Tuesday release, including 13 critical flaws.
13Critical
71Important
0Moderate
0Low
Microsoft patched 84 CVEs in its October 2022 Patch Tuesday release, with 13 rated as critical and 71 rated as important.
This month’s update includes patches for:
Active Directory Domain Services
Azure
Azure Arc
Client Server Run-time Subsystem (CSRSS)
Microsoft Edge (Chromium-based)
Microsoft Graphics Component
Microsoft Office
Microsoft Office SharePoint
Microsoft Office Word
Microsoft WDAC OLE DB provider for SQL
NuGet Client
Remote Access Service Point-to-Point Tunneling Protocol
Role: Windows Hyper-V
Service Fabric
Visual Studio Code
Windows Active Directory Certificate Services
Windows ALPC
Windows CD-ROM Driver
Windows COM+ Event System Service
Windows Connected User Experiences and Telemetry
Windows CryptoAPI
Windows Defender
Windows DHCP Client
Windows Distributed File System (DFS)
Windows DWM Core Library
Windows Event Logging Service
Windows Group Policy
Windows Group Policy Preference Client
Windows Internet Key Exchange (IKE) Protocol
Windows Kernel
Windows Local Security Authority (LSA)
Windows Local Security Authority Subsystem Service (LSASS)
Windows Local Session Manager (LSM)
Windows NTFS
Windows NTLM
Windows ODBC Driver
Windows Perception Simulation Service
Windows Point-to-Point Tunneling Protocol
Windows Portable Device Enumerator Service
Windows Print Spooler Components
Windows Resilient File System (ReFS)
Windows Secure Channel
Windows Security Support Provider Interface
Windows Server Remotely Accessible Registry Keys
Windows Server Service
Windows Storage
Windows TCP/IP
Windows USB Serial Driver
Windows Web Account Manager
Windows Win32K
Windows WLAN Service
Windows Workstation Service
Elevation of privilege (EoP) accounted for 46.4% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 23.8%.
Note: Microsoft has not included patches for the two zero-day vulnerabilities in Microsoft Exchange, CVE-2022-41040 and CVE-2022-41082, that were disclosed on September 28 in this release.
CVE-2022-41033 | Windows COM+ Event System Service elevation of privilege vulnerability
CVE-2022-41033 is an EoP vulnerability in the Windows COM+ Event System Service, which enables system event notifications for COM+ component services. It received a CVSSv3 score of 7.8. An authenticated attacker could exploit this vulnerability to elevate privileges on a vulnerable system and gain SYSTEM privileges.
Microsoft says that this vulnerability has been exploited in the wild, though no additional information was shared.
CVE-2022-37968 | Azure Arc-enabled kubernetes cluster connect elevation of privilege vulnerability
CVE-2022-37968 is an EoP vulnerability in Microsoft’s Azure Arc, affecting the cluster connect feature of Azure Arc-enabled Kubernetes clusters. With a CVSSv3 score of 10, the highest possible rating, an unauthenticated attacker could exploit this vulnerability in order to gain administrative privileges for a Kubernetes cluster. While updates have been released, users that do not have auto-upgrade enabled must take action to manually upgrade Azure Arc-enabled Kubernetes clusters. Microsoft’s security advisory provides additional information and steps to upgrade and how to check your current version. In July, Tenable disclosed a vulnerability in Azure Arc wherein passwords were being logged in plaintext. You can read more about the disclosure on the Tenable Techblog.
CVE-2022-38028 | Windows Print Spooler elevation of privilege vulnerability
CVE-2022-38028 is an EoP vulnerability in Windows Print Spooler components that received a CVSSv3 score of 7.8 and was rated “Exploitation More Likely” according to Microsoft’s Exploitability Index. Exploitation would allow an attacker to gain SYSTEM privileges. The flaw was disclosed to Microsoft by the National Security Agency. This marks the third EoP vulnerability in Windows Print Spooler credited to the NSA this year, following CVE-2022-29104 and CVE-2022-30138 in May.
CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 | Microsoft SharePoint Server remote code execution vulnerability
CVE-2022-38053, CVE-2022-41036, CVE-2022-41037 and CVE-2022-41038 are RCE vulnerabilities in Microsoft SharePoint Server that all received a CVSSv3 score of 8.8. All except CVE-2022-41037 were rated “Exploitation More Likely,” and CVE-2022-41038 is the only one that has a critical rating. To exploit these vulnerabilities, a network-based attacker would need to be authenticated to the target SharePoint site with permission to use Manage Lists.
CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 | Windows Kernel elevation of privilege vulnerability
CVE-2022-37988, CVE-2022-37990, CVE-2022-37991, CVE-2022-37995, CVE-2022-38022, CVE-2022-38037, CVE-2022-38038 and CVE-2022-38039 are EoP vulnerabilities in the Windows Kernel. With the exception of CVE-2022-38022, all the CVEs received CVSSv3 scores of 7.8 and could allow an attacker to elevate their privileges to SYSTEM. CVE-2022-38022 was scored CVSSv3 of 2.5 and would only allow an attacker to delete empty folders as SYSTEM. The attacker would not be able to view or edit files, nor delete folders that were not empty.
CVE-2022-41043 | Microsoft Office information disclosure vulnerability
CVE-2022-41043 is an information disclosure vulnerability affecting Microsoft Office for Mac. While exploitation requires local access to the host, this was the only publicly disclosed vulnerability patched this month. It is credited to Cody Thomas with SpecterOps.
CVE-2022-37976 | Active Directory Certificate Services elevation of privilege vulnerability
CVE-2022-37976 is an EoP vulnerability affecting Active Directory Certificate Services. According to the advisory, a malicious Distributed Component Object Model (DCOM) client could be used to entice a DCOM server to authenticate to the client, allowing an attacker to perform a cross-protocol attack and gain domain administrator privileges. While Microsoft rates this as “Exploitation Less Likely,” ransomware groups often seek out vulnerabilities and misconfigurations in Active Directory to leverage for spreading malicious payloads across an organization’s network. As highlighted in Tenable’s Ransomware Ecosystem report, Active Directory plays a pivotal role in ransomware attacks.
Tenable Solutions
Users can create scans that focus specifically on our Patch Tuesday plugins. From a new advanced scan, in the plugins tab, set an advanced filter for Plugin Name contains October 2022.
With that filter set, click the plugin families to the left and enable each plugin that appears on the right side. Note: If your families on the left say Enabled, then all the plugins in that family are set. Disable the whole family before selecting the individual plugins for this scan. Here’s an example from Tenable.io:
A list of all the plugins released for Tenable’s October 2022 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
Get more information
Microsoft’s October 2022 Security Updates
Tenable plugins for Microsoft October 2022 Patch Tuesday Security Updates
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
CISOs Tell All: Everything You’ve Ever Wanted To Know About CISOs in 2022
You’ve got questions and they’ve got answers. A global survey provides a snapshot of what it’s like to sit in the CISO chair, as these cybersecurity leaders face increasingly sophisticated cyber threats and heightened expectations from their organizations.
They’re questions that most cybersecurity professionals have about their CISOs. Which career path do they take on their way to becoming cyber chiefs? How long do they stay at their jobs? How much do they earn? And, most importantly, what keeps a CISO up at night?
The third annual global survey of CISOs from executive search firm Heidrick & Struggle takes a deep dive into the organizational structure and compensation data from top cybersecurity leaders around the world.
The 2022 Global Chief Information Security (CISO) Survey polled 327 CISOs from the U.S., Europe and Asia-Pacific. While most respondents were predominantly from the U.S., other countries such as Australia, Belgium, France, Germany, the Netherlands, Singapore, South Korea, and the U.K. were also represented.
What CISOs had to say
The survey revealed some significant findings in the following areas:
Most significant threats facing their organizations. Most CISOs listed ransomware (67%) as their organization’s top threat, followed by insider threats (32%), nation/state attacks (31%) and malware attacks (21%).
Tenure length. In an encouraging trend for job stability, 77% of respondents said they’ve been at their current position for at least three years, up from 5% of respondents in 2021’s survey. Additionally, almost two-thirds of CISOs who have been in their current role for less than a year came from a previous CISO role, highlighting a broader trend that CISO roles are often terminal.
An increase in cash compensation. In the U.S., CISO’s reported median cash compensation rose from $509,000 to $584,000, a 15% increase from last year and a 23% increase from 2020. Total compensation, including equity grants and other incentives, has increased to $971,000 from $936,000 in 2021.
Team size. In comparison to last year, CISOs’ team size grew, with the share of CISOs with the smallest teams dropping from 38% to 31% while the share with the largest teams rose from 18% to 21%. Team-size growth reflects increased investment by organizations in cybersecurity. And with burnout being a key concern among CISOs, larger teams may, over time, help to reduce it.
Organizational visibility. CISOs reported having significant visibility with their board of directors, with 88% of CISOs saying that they present to either the full board or to a board committee. However, regionally, U.S. CISOs most often present to the full board while CISOs in APAC and the Middle East most often present to a committee with reporting to the audit committee typically being more frequent.
Personal risks. CISOs reported burnout, stress and higher-than-usual staff turnover as the highest personal risks associated with this role. It is recommended that organizations succession or retention plans so that CISOs do not make unnecessary exits.
(Source: “2022 Global Chief Information Security Officer (CISO) Survey” from Heidrick & Struggles, August 2022.)
Where do CISOs see themselves in the future?
The majority of CISOs desire to be something other than a CISO with more than half wanting to be board members. Regionally, 56% of CISOs in the U.S. desire to be board members while only 40% of CISOs in Europe expressed the same desire.
Although there’s an increased focus and investment in cybersecurity, the study found that there is still not enough interest from organizations in having CISOs become board members, though this could change in the future. Outside of board roles, the career path of a CISO still remains tricky. Despite 38% of CISOs globally reporting to their CIO, only 13% see that as an ideal next role. Therefore, the career path for CISOs moving forward still remains unclear.
Learn more:
“Cybersecurity on the board: How the CISO role is evolving for a new era” (TechMonitor)
“7 best reasons to be a CISO” (CSO)
“Effective Board Communication for CISOs” (CISO Street)
“7 mistakes CISOs make when presenting to the board” (CSO)
Cybersecurity Snapshot: 6 Things That Matter Right Now
Google Unifies Recent Acquisitions Under New Cloud Security Offering
Toyota Reveals Data Leak of 300,000 Customers
The leak was caused by an access key being made publicly available on GitHub for almost five years
57 Million Users Compromised in Uber Leak: Protect Your Digital Privacy and Identity
“I’ll just Uber home.”
Who hails a taxi anymore? These days, city streets are full of double-parked sedans with their hazards on, looking for their charges. Uber is synonymous with ridesharing and has made it so far into our culture that it’s not just a company name but a verb.
Uber’s reputation has ebbed and flowed since its creation in 2009, and it’s taken another hit recently as more details are coming to light about a massive 2016 cybersecurity breach and the chief security officer’s attempts to cover it up.
What Happened in the 2016 Uber Breach?
In 2016, a ransomware group trawled the internet and gathered Uber’s credentials that opened the door into the company’s server database. The cybercriminals then stole the information of customers and drivers alike and held it for a $100,000 Bitcoin ransom. Joe Sullivan, Uber’s chief security officer at the time, paid the ransom and the criminal group agreed to delete the information they uncovered. While it’s not uncommon for large corporations to give in to cybercriminals and dole out huge ransom payments, Sullivan is facing potential jail time because he didn’t report the incident to the Federal Trade Commission. He was recently found guilty of wire fraud and concealing a felony from authorities.
Uber account holders had their personally identifiable information in nefarious hands without their knowledge. The cybercriminals allegedly downloaded the names, email addresses and phone numbers of 57 million Uber customers and drivers, plus the license plate numbers of 600,000 drivers.1
Why It’s Important for Companies to Report Leaks
Organizations have a responsibility to their customers to report any cyberbreaches. With a full name, email address, and phone number, cybercriminals can inflict a lot of damage on an innocent person’s credit, steal money from online accounts, or invade someone’s digital privacy. Customers must act swiftly to put the proper safeguards in place, but they can’t do that if they don’t even know a breach has happened! The longer a cybercriminal has to poke and prod someone’s digital footprint, the more havoc they can wreak and profits they can gain.
How to Protect Your Personal Information Before and After a Breach
Acting swiftly is key to keeping your personally identifiable information (PII) private after a breach, though there are a few measures you can take right now that could prevent your information from being compromised. Here’s what you can do before and after a breach.
Preventive measures
One way to shrink your attack surface – or the number of possible entry points into your digital life – is to regularly vet your online accounts and apps. For example, when you’re cleaning your closet, it’s common to donate or trash any clothing you haven’t worn in a year. The same method works for your digital life. If you haven’t logged into a shopping site or mobile gaming app in over a year, it’s unlikely that you will use them anytime soon, so it’s time to say goodbye and delete it.
McAfee credit lock and security freeze are other preventive measures that can keep your credit safe in case your PII is ever compromised. These services make it easy to prevent one or all three major credit bureaus from accessing your credit. In turn, this prevents anyone other than you from opening a bank account, applying for a loan, or making a substantial purchase. If you’re not planning on needing a credit report, it’s a great practice to freeze your credit.
Reactive measures
When you first hear of a company’s data leak with which you have an account, the first step you should take is to change your account password. Login and password combinations are often compromised in a data breach. Make sure your new password is strong and is not a duplicate of a password you use elsewhere.
Next, consider running a Personal Data Cleanup scan. Personal Data Cleanup checks risky data broker sites and alerts you if your information appears on any of them. From there, you can take steps to remove your information.
Finally, for the next few weeks, keep close tabs on your financial, online, and email accounts. Watch for suspicious activities like purchases you didn’t make, electronic receipts, notifications, or mailing lists that you didn’t sign up for. McAfee+ Ultimate can help you here with its identity monitoring and full-service Personal Data Cleanup. McAfee+ gives you a partner to alert you and help you recover if your digital privacy is compromised.
Constant Vigilance and Digital Confidence-Boosting Assets
Protecting your identity and digital privacy is a two-way street. While identity and privacy protection tools go a long way, individuals also have a responsibility to remain vigilant and take quick action if they suspect their information is compromised. And the ultimate responsibility lies with companies to alert the authorities and their customers after a data leak and to take serious steps to shore up their security to make sure it never happens again.
1The Verge, “Former Uber security chief found guilty of covering up massive 2016 data breach”
The post 57 Million Users Compromised in Uber Leak: Protect Your Digital Privacy and Identity appeared first on McAfee Blog.
A New Wave of PayPal Invoice Scams Using Crypto Disguise
Trend Micro found evidence of new PayPal scammers impersonating crypto-related businesses
vim-9.0.720-1.fc35
FEDORA-2022-fff548cfab
Packages in this update:
vim-9.0.720-1.fc35
Update description:
The newest upstream commit
Security fixes for CVE-2022-3256, CVE-2022-3324, CVE-2022-3352, CVE-2022-3235, CVE-2022-3234, CVE-2022-3296, CVE-2022-3297, CVE-2022-3278.
vim-9.0.720-1.fc36
FEDORA-2022-40161673a3
Packages in this update:
vim-9.0.720-1.fc36
Update description:
The newest upstream commit
Security fixes for CVE-2022-3256, CVE-2022-3324, CVE-2022-3352, CVE-2022-3235, CVE-2022-3234, CVE-2022-3296, CVE-2022-3297, CVE-2022-3278.
dbus-1.12.24-1.fc35
FEDORA-2022-7a963a79d1
Packages in this update:
dbus-1.12.24-1.fc35
Update description:
Update to 1.12.24
Fix CVE-2022-42010, CVE-2022-42011, CVE-2022-42012