
Security Blogs Archive 2021

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution - 11-02-2021

DATE(S) ISSUED:

11/02/2021

SUBJECT:

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are indications that CVE-2021-1048 may be under limited, targeted exploitation.

SYSTEMS AFFECTED:

  • Android OS builds utilizing Security Patch Levels issued prior to November 6, 2021.

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution within the context of a privileged process. Details of these vulnerabilities are as follows:

  • Multiple vulnerabilities in Framework that could enable a local attacker to gain access to additional permissions with no user interaction required. (CVE-2021-0799, CVE-2021-0921, CVE-2021-0923, CVE-2021-0926, CVE-2021-0933, CVE-2020-13871, CVE-2021-0653, CVE-2021-0922)
  • A vulnerability in Media Framework that could enable a local malicious application to bypass user interaction requirements in order to gain access to additional permissions. (CVE-2021-0928, CVE-2021-0650)
  • Multiple vulnerabilities in System could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process. (CVE-2021-0918, CVE-2021-0930, CVE-2021-0434, CVE-2021-0649, CVE-2021-0932, CVE-2021-0925, CVE-2021-0931, CVE-2021-0919)
  • Multiple vulnerabilities in Project Mainline components. (CVE-2021-0653, CVE-2021-0650, CVE-2021-0649)
  • Multiple vulnerabilities in Kernel components that could result in local escalation of privilege due to a use after free. (CVE-2021-0920, CVE-2021-0924, CVE-2021-0929, CVE-2021-1048)
  • Multiple vulnerabilities in Android TV that could enable a proximate attacker to silently pair with a TV and execute arbitrary code with no privileges or user interaction required. (CVE-2021-0889, CVE-2021-0927)
  • A high severity vulnerability in MediaTek components. (CVE-2021-0672)
  • Multiple critical severity vulnerabilities in Qualcomm closed-source components. (CVE-2021-1924, CVE-2021-1975)
  • Multiple high severity vulnerabilities in Qualcomm closed-source components. (CVE-2021-1921, CVE-2021-1973, CVE-2021-1979, CVE-2021-1981, CVE-2021-1982, CVE-2021-30254, CVE-2021-30255, CVE-2021-30259, CVE-2021-30284)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates by Google Android or mobile carriers to vulnerable systems, immediately after appropriate testing.
  • Only download applications from trusted vendors in the Play Store.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Google Android:

https://source.android.com/security/bulletin/2021-11-01#2021-11-06-security-patch-level-vulnerability-details


Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution - 10-27-2021

DATE(S) ISSUED:

10/27/2021

SUBJECT:

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

  • iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  • iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
  • macOS Monterey is the 18th and current major release of macOS.
  • macOS Big Sur is the 17th release of macOS.
  • macOS Catalina is the 16th major release of macOS.
  • watchOS is the mobile operating system for Apple Watch and is based on the iOS operating system.
  • tvOS is an operating system for fourth-generation Apple TV digital media player.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • iOS and iPadOS prior to 15.1
  • iOS and iPadOS prior to 14.8.1
  • macOS Monterey prior to 12.0.1
  • macOS Big Sur prior to 11.6.1
  • macOS Catalina prior to security update 2021-007
  • watchOS prior to 8.1
  • tvOS prior to 15.1

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution in the context of the affected user. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine.

Details of these vulnerabilities are as follows:

  • An integer overflow was addressed through improved input validation. (CVE-2021-30907)
  • A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. (CVE-2021-30917)
  • This issue was addressed with improved checks. (CVE-2021-30903, CVE-2021-30906)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2021-30905, CVE-2021-30910, CVE-2021-30911)
  • An out-of-bounds write was addressed with improved input validation. (CVE-2021-30919)
  • An input validation issue was addressed with improved memory handling. (CVE-2021-30881)
  • An out-of-bounds write issue was addressed with improved bounds checking. (CVE-2021-30900)
  • A memory corruption issue was addressed with improved input validation. (CVE-2021-30894, CVE-2021-30914)
  • A use after free issue was addressed with improved memory management. (CVE-2021-30886, CVE-2021-30902)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2021-30909, CVE-2021-30916)
  • A lock screen issue allowed access to contacts on a locked device. This issue was addressed with improved state management. (CVE-2021-30875)
  • A logic issue was addressed with improved state management. (CVE-2021-30890, CVE-2021-30915)
  • A logic issue was addressed with improved restrictions. (CVE-2021-30887)
  • An information leakage issue was addressed. (CVE-2021-30888)
  • A buffer overflow issue was addressed with improved memory handling. (CVE-2021-30889)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2021-30883)
  • A Lock Screen issue was addressed with improved state management. (CVE-2021-30918)
  • A logic issue was addressed with improved state management. (CVE-2021-30873)
  • An out-of-bounds read was addressed with improved bounds checking. (CVE-2021-30876, CVE-2021-30879, CVE-2021-30877, CVE-2021-30880)
  • A race condition was addressed with improved state handling. (CVE-2021-30899)
  • A logic issue was addressed with improved restrictions. (CVE-2021-30895)
  • A logic issue was addressed with improved restrictions. (CVE-2021-30896)
  • A memory corruption issue was addressed with improved state management. (CVE-2021-30824)
  • Multiple out-of-bounds write issues were addressed with improved bounds checking. (CVE-2021-30901)
  • A memory corruption issue was addressed with improved memory handling. (CVE-2021-30821)
  • A logic issue was addressed with improved state management. (CVE-2021-30864)
  • This issue was addressed with improved checks. (CVE-2021-30813)
  • A permissions issue was addressed with improved validation. (CVE-2021-30920)
  • A race condition was addressed with improved locking. (CVE-2021-30868)
  • The issue was addressed with improved permissions logic. (CVE-2021-30912, CVE-2021-30913)
  • A logic issue was addressed with improved restrictions. (CVE-2021-30823)
  • A logic issue was addressed with improved state management. (CVE-2021-30861)
  • An authentication issue was addressed with improved state management. (CVE-2021-30908)
  • This issue was addressed with improved checks. (CVE-2021-30833)
  • An inherited permissions issue was addressed with additional restrictions. (CVE-2021-30892)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a nonprivileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not download, accept or execute files from untrusted and unknown sources.
  • Remind users not to visit untrusted websites or follow links provided by untrusted or unknown sources.

REFERENCES:

Apple:

https://support.apple.com/en-us/HT212868

https://support.apple.com/en-us/HT212869

https://support.apple.com/en-us/HT212872

https://support.apple.com/en-us/HT212871

https://support.apple.com/en-us/HT212874

https://support.apple.com/en-us/HT212867

https://support.apple.com/en-us/HT212876


High Severity Vulnerability Dubbed Print Nightmare - 07-1-2021

There is a new high severity vulnerability dubbed Print Nightmare, which exploits a vulnerability in the Print Spooler service. This vulnerability can provide full domain access to a domain controller under a System context. Exploitation requires that the attacker authenticate as a domain user.

It should not be confused with CVE-2021-1675. PrintNightmare is not the same as CVE-2021-1675, which was fixed in the June patch; there is currently no patch available for PrintNightmare.

This applies to all Windows Server versions (from Windows Server 2008 – 2019), and includes Windows 7 and 10 devices.

The Print Spooler service is enabled by default. Disable the service on all systems where it is not required.

Additionally, enable PrintService/Operational logging on any servers/devices that need Print Spooler, and notify Information Security of the device name at iso@csun.edu.
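An added PowerShell example, not from the CSUN post, that applies the two mitigations just described on a single host and produces the device-name line to send to Information Security. It assumes an elevated prompt on Windows 7/10 or Server 2008-2019; the -DisableSpooler and -EnableLog switches and the report format are this example's own.

```powershell
<#
  Added example (not the CSUN post's own script): audit one Windows host against the
  PrintNightmare mitigations above. With no switches it only reports. -DisableSpooler
  stops and disables the service on hosts that do not print; -EnableLog turns on the
  PrintService/Operational channel on hosts that must keep the spooler.
  Assumes an elevated PowerShell prompt. Get-Printer (PrintManagement module) is absent
  on older builds, so the shared-queue check is skipped there.
#>
param(
    [switch]$DisableSpooler,   # stop the service and set it to Disabled
    [switch]$EnableLog         # enable Microsoft-Windows-PrintService/Operational
)

$ErrorActionPreference = 'Stop'
$logName = 'Microsoft-Windows-PrintService/Operational'
$host_   = $env:COMPUTERNAME

# Current state of the Print Spooler; Win32_Service exposes StartMode on old builds too.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Spooler'"
Write-Host ("[{0}] Spooler: state={1} startmode={2}" -f $host_, $svc.State, $svc.StartMode)

# Shared print queues are the usual sign that this host really needs the spooler
# (it is acting as a print server); list them so the admin can decide before disabling.
if (Get-Command Get-Printer -ErrorAction SilentlyContinue) {
    $shared = @(Get-Printer | Where-Object { $_.Shared })
    Write-Host ("[{0}] Shared print queues: {1}" -f $host_, $shared.Count)
    $shared | ForEach-Object { Write-Host ("    {0} (driver: {1})" -f $_.Name, $_.DriverName) }
} else {
    Write-Host ("[{0}] Get-Printer unavailable; check shared queues manually" -f $host_)
}

if ($DisableSpooler) {
    # Stopping and disabling the service removes the vulnerable component entirely on
    # hosts that do not print; -Force also stops services that depend on the spooler.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host ("[{0}] Spooler stopped and set to Disabled" -f $host_)
}

if ($EnableLog) {
    # The operational channel is off by default; once enabled it records print jobs,
    # driver installs and spooler errors, which is what detection for this issue keys on.
    $log = Get-WinEvent -ListLog $logName
    if (-not $log.IsEnabled) {
        $log.IsEnabled = $true
        $log.SaveChanges()
    }
}

# Final line to paste into the notification to iso@csun.edu for hosts that keep the spooler.
$svcNow = Get-Service -Name Spooler
$logNow = Get-WinEvent -ListLog $logName
Write-Host ("Report: device={0} spooler={1} operational-log-enabled={2}" -f $host_, $svcNow.Status, $logNow.IsEnabled)
```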

Print Nightmare FAQs

Please visit the Print Nightmare FAQs page for more information. 


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution 6-18-2021

DATE(S) ISSUED:

06/18/2021

SUBJECT:

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

Google has stated that there is an exploit in the wild for CVE-2021-30554.

SYSTEMS AFFECTED:

  • Google Chrome versions prior to 91.0.4472.114

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

  • A use after free vulnerability exists in WebGL. (CVE-2021-30554)
  • A use after free vulnerability exists in Sharing. (CVE-2021-30555)
  • A use after free vulnerability exists in WebAudio. (CVE-2021-30556)
  • A use after free vulnerability exists in TabGroups. (CVE-2021-30557)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specifically crafted web page. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Google:

https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html

BleepingComputer:

https://www.bleepingcomputer.com/news/security/google-fixes-seventh-chrome-zero-day-exploited-in-the-wild-this-year/

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30555

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30556

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30557


DATE(S) ISSUED:

06/15/2021

SUBJECT:

Multiple Vulnerabilities in Apple iOS Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple iOS that could allow for arbitrary code execution. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch. Successful exploitation of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

Apple is aware that CVE-2021-30761 and CVE-2021-30762 may have been actively exploited.

SYSTEMS AFFECTED:

  • iOS versions prior to 12.5.4

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple iOS that could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

  • A memory corruption issue in the ASN.1 decoder may lead to arbitrary code execution. (CVE-2021-30737)
  • A memory corruption issue in WebKit may lead to arbitrary code execution. (CVE-2021-30761)
  • A use after free issue in WebKit may lead to arbitrary code execution. (CVE-2021-30762)

Successful exploitation of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specifically crafted web page.

Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  • Run all software as a nonprivileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Do not download, accept or execute files from untrusted and unknown sources.
  • Do not visit untrusted websites or follow links provided by untrusted or unknown sources.

REFERENCES:

Apple:

https://support.apple.com/en-us/HT212548

TheHackerNews:

https://thehackernews.com/2021/06/apple-issues-urgent-patches-for-2-zero.html

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30737

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30761

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30762


Scam Emails Demand Bitcoin, Threaten to Blackmail 6-10-2021

Reports of bitcoin blackmail scams have jumped sharply. These emails usually claim the sender hacked into your computer and recorded you visiting adult websites. They threaten to distribute the video to your friends and family within hours unless you pay into their bitcoin account. Do not pay anything. Delete the message. It is a scam.

If you receive one of these messages do not be alarmed. The scammers may say they have access to your computer or webcam, or installed malicious software. They do not. If they include one of your old or recent passwords as proof, it is time to update your password on that account. Also consider changing passwords to all other accounts.

Below is an example of a scam email demanding Bitcoin.

---Start of Email---

To:   xxxxx, xxxxx x

Hi!

I have some bad news for you. Two months ago, I received access to all the electronic devices that you use to browse the internet. After that moment I started to track all your activity on the internet. Now I will reveal to you how it happened:

I created a fake website for your email service (...) and sent you an invitation for authorization. You entered your current email and password. That was how I was able to obtain your credentials and start using your email undetectable.

After that, I was able to easily install a Trojan horse on your device's operating system. (.xx.) Transfer the equivalent of 1000 EURO in Bitcoin to me and as soon as the payment is received, I will immediately remove all the evidence I have against you.

I've been working on what you do and your files for two months and believe me, this was pure fun for me!

If you don't know how to buy and send Bitcoins, then you can simply use any search engine (Google is enough) for help.

So, here is my Bitcoin wallet: 1F4d1vHwnxxxxxxxxxxxxxH5dxxxxxxxx

I give you 48 hours to send me money.

Please do not reply to this email, as it does not make any sense. I created this e-mail in your e-mail and the reply address I obtained from a single database of e-mails. It also makes no sense to ask someone for help, as this email cannot be tracked and Bitcoin transactions are always anonymous.

Everything was deliberately planned. I see all your conversations, I hear all your calls and I spy on you.

Likewise, if you ever find out that you have told someone about this email - the video will be immediately shared on the internet! As soon as I open this email, I will receive an automatic notification and start the meter immediately.

Good luck and I hope you never get phishing like this in the future!

---End of Email---

For further information regarding these scam emails please visit Scam Emails demand Bitcoin, threaten blackmail.

For more examples of phishing emails please visit CSUN's webpage Phishing Examples.


Critical Patches Issued for Microsoft Products - 6-8-2021

DATE(S) ISSUED:
06/08/2021

06/08/2021 - UPDATED

SUBJECT:
Critical Patches Issued for Microsoft Products, June 8, 2021

OVERVIEW:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for arbitrary code execution in the context of the logged on user. The vulnerability may allow the attacker to view, change or delete data. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are no reports of these vulnerabilities being exploited in the wild.

June 8 – UPDATED THREAT INTELLIGENCE:
There are six zero-day vulnerabilities that Microsoft has tracked as being actively exploited which include CVE-2021-33742, CVE-2021-33739, CVE-2021-31199, CVE-2021-31201, CVE-2021-31955 and CVE-2021-31956.

SYSTEMS AFFECTED:

  • .NET Core & Visual Studio
  • 3D Viewer
  • Microsoft DWM Core Library
  • Microsoft Intune
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office Outlook
  • Microsoft Office SharePoint
  • Microsoft Scripting Engine
  • Microsoft Windows Codecs Library
  • Paint 3D
  • Role: Hyper-V
  • Visual Studio Code - Kubernetes Tools
  • Windows Bind Filter Driver
  • Windows Common Log File System Driver
  • Windows Cryptographic Services
  • Windows DCOM Server
  • Windows Defender
  • Windows Drivers
  • Windows Event Logging Service
  • Windows Filter Manager
  • Windows HTML Platform
  • Windows Installer
  • Windows Kerberos
  • Windows Kernel
  • Windows Kernel-Mode Drivers
  • Windows Network File System
  • Windows NTFS
  • Windows NTLM
  • Windows Print Spooler Components
  • Windows Remote Desktop
  • Windows TCP/IP

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for arbitrary code execution. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specifically crafted web page.

A full list of all vulnerabilities can be found at the link below:

https://msrc.microsoft.com/update-guide/en-us

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  1. Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:
Microsoft:


President Joe Biden's Executive Order to Improve the Cybersecurity of the United States - 05-17-2021

U.S. President Joe Biden has signed an executive order to improve the cybersecurity of the United States. The Executive Order seeks to improve efforts to identify, protect against, deter, detect, and respond to any threat action and/or actors.

1. Remove Barriers to Threat Information Sharing Between Government and the Private Sector

The Executive Order ensures IT providers can share information with the government and requires them to share certain breach information. Providers are usually hesitant or unable to share information about a compromise but are now obligated to.

2. Modernize and Implement Stronger Cybersecurity Standards in the Federal Government

The Executive Order will help move the federal government to secure cloud services, a zero-trust architecture, and mandate deployment of multifactor authentication and encryption within a specific time.

3. Improve Software Supply Chain Security

The Executive Order will ensure the security of any software by establishing a baseline security standard for the development of software sold to the government. This includes requiring developers to maintain greater visibility into their software and making security data publicly available.

4. Establish a Cybersecurity Safety Review Board

The Executive Order establishes a Cybersecurity Safety Review Board that may convene following a significant cyber incident to analyze what happened and make recommendations for improving cybersecurity.

5. Create a Standard Playbook for Responding to Cyber Incidents

The Executive Order will call to compose a standardized playbook and set definitions for cyber incident response by federal departments and agencies.

6. Improve Detection of Cybersecurity Incidents on Federal Government Networks

The Executive Order improves the ability to detect malicious cyber activity on Federal networks by enabling a government-wide endpoint detection and response system and improving information sharing within the Federal government.

7. Improve Investigative and Remediation Capabilities

The Executive Order creates cybersecurity event log requirements for federal departments and agencies. Poor logging hampers an organization’s ability to detect intrusions, mitigate those in progress, and determine the extent of an incident after the fact.

For more information regarding the new Executive Order please visit President Biden signs executive order to strengthen U.S. cybersecurity defenses.


IRS Warns University Students and Staff of Impersonation Email Scam - 4-1-2021

What Happened:

The Internal Revenue Service today warned of an ongoing IRS-impersonation scam that appears to primarily target educational institutions, including students and staff who have “.edu” email addresses.

The IRS’ phishing@irs.gov as well as abuse@csun.edu have received emails about the impersonation scam in recent weeks from people with email addresses ending in “.edu.” The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions.

What Information Was Involved?

The phishing website requests taxpayers provide their:

  • Social Security Number
  • First Name
  • Last Name
  • Date of Birth
  • Prior Year Annual Gross Income (AGI)
  • Driver's License Number
  • Current Address
  • City
  • State/U.S. Territory
  • ZIP Code/Postal Code
  • Electronic Filing PIN

People who receive this scam email should not click on the link in the email, but they can report it to the IRS. For security reasons, save the email using “save as” and then send that attachment to    and abuse@csun.edu.

What This Means To You

Be on the lookout for any potential emails that ask for any of the information above.

If you believe you received a phishing email, please send it as an attachment to abuse@csun.edu.

What We Recommend

  • Think carefully before clicking on a link or image. Phishing and other malware scams rely on our habit to click first, think later.
  • Keep programs up-to-date: Most applications on all of your devices have automated update features. Turn them on.
  • Turn off Flash or turn on Ad-blocker. Flash Player is popular with hackers. They exploit Flash by inserting malicious bits of code into ad networks used by well-known businesses.

Despite taking preventive measures, phishing email attacks continue to be sent from compromised faculty and staff accounts. The best method to prevent these attacks is to never provide your CSUN user ID and password in response to an email request and to question the source of the email received.

Visit CSUN's Phishing Examples page to view examples of past phishing attempts.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 4-1-2021

DATE(S) ISSUED:

03/31/2021

SUBJECT:

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome versions prior to 89.0.4389.114

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows:

  • A use-after-free vulnerability in the screen capture component. (CVE-2021-21194)
  • A use-after-free vulnerability in the V8 component. (CVE-2021-21195)
  • Heap buffer overflows in TabStrip. (CVE-2021-21196, CVE-2021-21197)
  • An out-of-bounds read in IPC. (CVE-2021-21198)
  • A use-after-free vulnerability in Aura. (CVE-2021-21199)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If the application runs with fewer user rights, exploitation would have a smaller impact than if it ran with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Google:

https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21194

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21195

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21196

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21197

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21198

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21199


State Controller's Office Data Breach - 3-25-2021

We have learned of a data exposure at the California State Controller's Office (SCO), Division of Unclaimed Property.

What Happened:

An employee of the SCO had their credentials compromised when they clicked on a phishing email and entered their username and password. This provided a threat actor access to that account for a little less than 24 hours before it was discovered, and remediation occurred.

What Information Was Involved?

The SCO believes that the compromised account had personally identifiable information contained in Unclaimed Property Reports.

What This Means To You As a CSUN Employee

None of your CSUN information associated as an employee was involved in the data exposure.

However, if you, as an individual, have records associated with Unclaimed Property at the State Controller's Office, your data could have been exposed.

What We Recommend

  • The State Controller's Office has received information that some scams and possibly fraud have occurred. I strongly recommend you be on the lookout for suspicious emails, phone calls and correspondence that might be associated with this incident.

Feel free to reach out to iso@csun.edu if you have any questions or additional concerns.

CSUN will NEVER ask for your password or your personal information such as SSN and bank accounts. Beware of phishing scams that look like employment or internships offers.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 3-3-2021

SUBJECT:

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome versions prior to 89.0.4389.72

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows:

  • Heap buffer overflow in OpenJPEG. [CVE-2020-27844]
  • Heap buffer overflow in TabStrip. [CVE-2021-21159]
  • Heap buffer overflow in WebAudio. [CVE-2021-21160]
  • Heap buffer overflow in TabStrip. [CVE-2021-21161]
  • Use after free in WebRTC. [CVE-2021-21162]
  • Insufficient data validation in Reader Mode. [CVE-2021-21163]
  • Insufficient data validation in Chrome for iOS. [CVE-2021-21164]
  • Object lifecycle issue in audio. [CVE-2021-21165]
  • Object lifecycle issue in audio. [CVE-2021-21166]
  • Use after free in bookmarks. [CVE-2021-21167]
  • Insufficient policy enforcement in appcache. [CVE-2021-21168]
  • Out of bounds memory access in V8. [CVE-2021-21169]
  • Incorrect security UI in Loader. [CVE-2021-21170]
  • Incorrect security UI in TabStrip and Navigation. [CVE-2021-21171]
  • Insufficient policy enforcement in File System API. [CVE-2021-21172]
  • Side-channel information leakage in Network Internals. [CVE-2021-21173]
  • Inappropriate implementation in Referrer. [CVE-2021-21174]
  • Inappropriate implementation in Site isolation. [CVE-2021-21175]
  • Inappropriate implementation in full screen mode. [CVE-2021-21176]
  • Insufficient policy enforcement in Autofill. [CVE-2021-21177]
  • Inappropriate implementation in Compositing. [CVE-2021-21178]
  • Use after free in Network Internals. [CVE-2021-21179]
  • Use after free in tab search. [CVE-2021-21180]
  • Side-channel information leakage in autofill. [CVE-2021-21181]
  • Insufficient policy enforcement in navigations. [CVE-2021-21182]
  • Inappropriate implementation in performance APIs. [CVE-2021-21183]
  • Inappropriate implementation in performance APIs. [CVE-2021-21184]
  • Insufficient policy enforcement in extensions. [CVE-2021-21185]
  • Insufficient policy enforcement in QR scanning. [CVE-2021-21186]
  • Insufficient data validation in URL formatting. [CVE-2021-21187]
  • Use after free in Blink. [CVE-2021-21188]
  • Insufficient policy enforcement in payments. [CVE-2021-21189]
  • Uninitialized Use in PDFium. [CVE-2021-21190]

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, that is, to run code or commands of their choosing on the target machine. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  4. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

REFERENCES:

Google:

https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html


Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution - 3-2-2021

SUBJECT:

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. An attacker could then view, change, or delete data, or create new accounts with full user rights. If the compromised process runs with fewer privileges, exploitation would have a smaller impact than if it ran with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Android OS builds utilizing Security Patch Levels issued prior to March 5, 2021

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution within the context of a privileged process. Details of these vulnerabilities are as follows:

  • An elevation of privilege vulnerability in Android runtime. (CVE-2021-0395)
  • Multiple elevation of privilege vulnerabilities in Framework. (CVE-2021-0391, CVE-2021-0398)
  • Multiple remote code execution vulnerabilities in System. (CVE-2021-0397, CVE-2017-14491, CVE-2021-0393, CVE-2021-0396)
  • Multiple elevation of privilege vulnerabilities in System. (CVE-2021-0390, CVE-2021-0392, CVE-2021-0394)
  • An information disclosure vulnerability in System. (CVE-2021-0394)
  • A vulnerability in Google Play system updates. (CVE-2021-0390)
  • A high severity vulnerability in Kernel components. (CVE-2020-0399)
  • Multiple high severity vulnerabilities in Qualcomm components. (CVE-2020-11233, CVE-2020-11129, CVE-2020-111308, CVE-2020-11309)
  • Multiple critical severity vulnerabilities in Qualcomm closed-source components. (CVE-2020-11192, CVE-2020-11204, CVE-2020-11218, CVE-2020-11227, CVE-2020-11228)
  • Multiple high severity vulnerabilities in Qualcomm closed-source components. (CVE-2020-11165, CVE-2020-11166, CVE-2020-11171, CVE-2020-11178, CVE-2020-11186, CVE-2020-11188, CVE-2020-11189, CVE-2020-11190, CVE-2020-11194, CVE-2020-11195, CVE-2020-11198, CVE-2020-11199, CVE-2020-11220, CVE-2020-11221, CVE-2020-11222, CVE-2020-11226, CVE-2020-11299)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process, that is, the attacker could run code of their choosing with that process's privileges. The remote code execution vulnerabilities in System can be triggered by specially crafted input delivered to the device (for example, a crafted network transmission), while the elevation of privilege vulnerabilities require a malicious application already running on the device. Depending on the privileges associated with the affected process, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the process has been configured with fewer privileges, exploitation could have less impact than if it ran with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the appropriate updates provided by Google, the device manufacturer, or the mobile carrier to vulnerable devices immediately after appropriate testing.
  2. Only download applications from trusted vendors in the Play Store.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
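The advisory above scopes the affected devices by Security Patch Level rather than by version number, so the check a fleet administrator wants is a comparison of each device's reported patch-level date against the bulletin's date. The Python below is an added example written for this page, not code from Google or the Android project. It reads the value of the standard ro.build.version.security_patch system property (the value returned by `adb shell getprop ro.build.version.security_patch`) from a constructed sample inventory; the device serials and dates in SAMPLE_DEVICES are invented.

```python
from datetime import date
from typing import Dict, List, Optional

# Patch level named in the advisory: builds with a Security Patch Level before this date are affected.
ADVISORY_PATCH_LEVEL = date(2021, 3, 5)


def parse_patch_level(value: Optional[str]) -> Optional[date]:
    """Parse a ro.build.version.security_patch value ('YYYY-MM-DD'); None if absent or malformed."""
    if not value or not value.strip():
        return None
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_vulnerable(patch_level: Optional[str], required: date = ADVISORY_PATCH_LEVEL) -> bool:
    """A device counts as vulnerable when its patch level is missing or earlier than `required`.

    Android bulletins publish two levels a month: the YYYY-MM-01 level covers the
    runtime/Framework/System issues, while the YYYY-MM-05 level additionally covers the
    kernel and vendor (e.g. Qualcomm) components, so only 2021-03-05 or later addresses
    everything listed in this advisory.
    """
    level = parse_patch_level(patch_level)
    return level is None or level < required


# Constructed sample: `adb shell getprop ro.build.version.security_patch` output keyed by device
# serial. The serials and dates are invented for this example.
SAMPLE_DEVICES: Dict[str, str] = {
    "R58M1234ABC": "2021-03-05",
    "R58M5678DEF": "2021-03-01",   # framework fixes only; kernel/vendor components still unpatched
    "R58M9012GHI": "2021-02-05",
    "ZY22XXXXXX": "",              # property empty on this build: treat as unpatched
    "ZY22YYYYYY": "2021-04-01",
}


def vulnerable_devices(devices: Dict[str, str], required: date = ADVISORY_PATCH_LEVEL) -> List[str]:
    """Serials whose patch level is older than the advisory's, sorted for stable reporting."""
    return sorted(serial for serial, level in devices.items() if is_vulnerable(level, required))


if __name__ == "__main__":
    for serial in vulnerable_devices(SAMPLE_DEVICES):
        shown = SAMPLE_DEVICES[serial] or "(none)"
        print(f"{serial}: security patch level {shown} is before {ADVISORY_PATCH_LEVEL}")
```

The 2021-03-01 device in the sample is the case worth noticing: it has the Framework and System fixes but not the kernel and Qualcomm ones, so a check that only looks for "a March 2021 patch level" would wrongly clear it. Treating a missing or unparseable property as vulnerable is deliberate, since a device that cannot report a patch level cannot be shown to be patched.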

REFERENCES:

Google Android:

https://source.android.com/security/bulletin/2021-03-01


Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution - 2-24-2021

DATE(S) ISSUED:

02/24/2021

SUBJECT:

Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Mozilla Firefox versions prior to 86
  • Firefox ESR versions prior to 78.8
  • Mozilla Thunderbird versions prior to 78.8

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR), and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution, that is, the attacker could run code or commands of their choosing on the target machine.

Details of these vulnerabilities are as follows:

  • As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. [CVE-2021-23969]
  • Context-specific code was included in a shared jump table; resulting in assertions being triggered in multithreaded wasm code. [CVE-2021-23970]
  • If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report; as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. [CVE-2021-23968]
  • The DOMParser API did not properly process <noscript> elements for escaping. This could be used as an mXSS vector to bypass an HTML Sanitizer. [CVE-2021-23974]
  • When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. [CVE-2021-23971]
  • When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain full screen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: this issue is distinct from CVE-2020-26954 and only affected Firefox for Android; other operating systems are unaffected. [CVE-2021-23976]
  • Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: this issue only affected Firefox for Android; other operating systems are unaffected. [CVE-2021-23977]
  • One phishing tactic on the web is to provide a link that carries HTTP Auth credentials in the URL, so that the user-info portion of the address disguises the real host (for example, evil.com). To mitigate this type of attack, Firefox displays a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached by the browser. [CVE-2021-23972]
  • The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked, the sizeof function was called directly instead of the API method that checks for invalid pointers. [CVE-2021-23975]
  • When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. [CVE-2021-23973]
  • Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. [CVE-2021-23978]
  • Mozilla developers Tyson Smith, Lars T Hansen, Valentin Gosu, and Sebastian Hengst reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. [CVE-2021-23979]

Successful exploitation of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/

https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/

https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/


A Vulnerability in Mozilla Firefox and Firefox ESR Could Allow for Arbitrary Code Execution 2-8-2021

DATE(S) ISSUED:

02/08/2021

SUBJECT:

A Vulnerability in Mozilla Firefox and Firefox ESR Could Allow for Arbitrary Code Execution 

OVERVIEW:

A vulnerability has been discovered in Mozilla Firefox and Firefox ESR, which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the internet. Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the vulnerability could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Mozilla Firefox versions prior to 85.0.1
  • Firefox ESR versions prior to 78.7.1

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

A vulnerability has been discovered in Mozilla Firefox and Firefox ESR which could allow for arbitrary code execution, that is, the attacker could run code or commands of their choosing on the target machine. The vulnerability exists in the ANGLE graphics library: when loading compressed textures, the depth pitch computation fails to take the block size into account and simply multiplies the row pitch by the pixel height. The resulting depth pitch is far too large, so the load functions read past the end of the user-supplied buffer.
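To make the arithmetic in the previous paragraph concrete, the following is an added Python illustration written for this page; it is not ANGLE's or Mozilla's code. It assumes a hypothetical block-compressed texture format with 4x4 texel blocks of 16 bytes each and models a loader that reads one slice per depth level, starting each slice at z times the depth pitch. The flawed depth pitch (row pitch times pixel height) and the correct one (row pitch times the number of block rows) are computed side by side, and a bounds check shows which reads would run past a correctly sized caller-supplied buffer.

```python
import math
from typing import Callable, List, Tuple

# Hypothetical block-compressed format for the illustration: 4x4 texel blocks, 16 bytes each.
BLOCK_W, BLOCK_H, BLOCK_BYTES = 4, 4, 16

PitchFn = Callable[[int, int], int]


def row_pitch(width: int) -> int:
    """Bytes per row of blocks: ceil(width / block width) blocks of BLOCK_BYTES each."""
    return math.ceil(width / BLOCK_W) * BLOCK_BYTES


def block_rows(height: int) -> int:
    """Rows of blocks in one slice: ceil(height / block height)."""
    return math.ceil(height / BLOCK_H)


def depth_pitch_buggy(width: int, height: int) -> int:
    """The flawed computation the advisory describes: row pitch times the *pixel* height,
    as if every pixel row were its own row of blocks."""
    return row_pitch(width) * height


def depth_pitch_fixed(width: int, height: int) -> int:
    """Correct: a slice holds only ceil(height / block height) rows of blocks."""
    return row_pitch(width) * block_rows(height)


def user_buffer_size(width: int, height: int, depth: int) -> int:
    """Size of a correctly sized caller-supplied buffer for a width x height x depth texture."""
    return depth_pitch_fixed(width, height) * depth


def slice_reads(width: int, height: int, depth: int, buf_len: int,
                pitch_fn: PitchFn) -> List[Tuple[int, int]]:
    """The [start, end) byte range the loader reads for each slice: slice z begins at
    z * depth pitch and spans block_rows(height) rows of row_pitch bytes. Raises IndexError
    before any read that would run past the buffer of buf_len bytes."""
    depth_pitch = pitch_fn(width, height)
    slice_bytes = row_pitch(width) * block_rows(height)
    reads = []
    for z in range(depth):
        start = z * depth_pitch
        end = start + slice_bytes
        if end > buf_len:
            raise IndexError(f"slice {z} reads [{start}, {end}) but the buffer is {buf_len} bytes")
        reads.append((start, end))
    return reads


def overruns(width: int, height: int, depth: int, pitch_fn: PitchFn) -> bool:
    """True if loading with pitch_fn would read past a correctly sized user buffer."""
    try:
        slice_reads(width, height, depth, user_buffer_size(width, height, depth), pitch_fn)
    except IndexError:
        return True
    return False


if __name__ == "__main__":
    w, h, d = 64, 64, 4
    print("row pitch:", row_pitch(w))                        # 256 bytes (16 blocks x 16 bytes)
    print("depth pitch (fixed):", depth_pitch_fixed(w, h))   # 4096 bytes (16 block rows)
    print("depth pitch (buggy):", depth_pitch_buggy(w, h))   # 16384 bytes (64 pixel rows)
    print("buffer:", user_buffer_size(w, h, d))              # 16384 bytes for all 4 slices
    print("fixed pitch overruns:", overruns(w, h, d, depth_pitch_fixed))  # False
    print("buggy pitch overruns:", overruns(w, h, d, depth_pitch_buggy))  # True
```

The point the model makes is that the flaw is invisible for a 2D texture: with depth 1 the loader reads slice 0 at offset 0 and never uses the depth pitch, so the buggy value does no harm. As soon as depth is 2 or more, the second slice starts at the inflated offset and the read runs past the buffer, which is why test coverage limited to 2D compressed textures would miss this class of bug.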

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  4. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-06/


A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution 2-5-2021

DATE(S) ISSUED:

02/05/2021

SUBJECT:

A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution 

OVERVIEW:

A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Google Chrome is a web browser commonly used to access the Internet. Successful exploitation could allow an attacker to execute arbitrary code in the context of the browser and to view, change, or delete data. If Google Chrome runs with fewer user rights, exploitation would have a smaller impact than if it ran with administrative rights.

THREAT INTELLIGENCE:

There are currently reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome versions prior to 88.0.4324.150

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. This vulnerability exists due to a heap buffer overflow in the ‘V8’ JavaScript engine of Chrome.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser, that is, to run code or commands of their choosing on the target machine, typically by luring the user to a specially crafted web page. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
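Every browser advisory on this page states its scope as "versions prior to X" (Chrome 88.0.4324.150 here, Chrome 89.0.4389.72 and 89.0.4389.114 in the March advisories, Firefox 85.0.1 with ESR 78.7.1, and Firefox 86 with ESR 78.8), so the practical check behind "apply the update after appropriate testing" is whether each installed build compares below the fixed release for its branch. The Python below is an added example written for this page, not code from Google, Mozilla or any inventory tool. The hostnames and version strings in SAMPLE_INVENTORY are constructed, and the branch rule it applies (compare against a fixed release on the same major branch if the advisory names one, otherwise against the newest fixed release) is an assumption chosen to match the ESR/mainline split in the Firefox advisories.

```python
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '89.0.4389.114' or '78.8.0esr' into a tuple of ints; non-numeric suffixes are dropped."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Version, n: int) -> Version:
    return v + (0,) * (n - len(v))


def version_lt(a: Version, b: Version) -> bool:
    """True if a < b, treating missing trailing components as 0 (so 78.8 equals 78.8.0)."""
    n = max(len(a), len(b))
    return _pad(a, n) < _pad(b, n)


def fixed_version_for(installed: Version, fixed: List[Version]) -> Version:
    """Pick which of the advisory's fixed releases applies to this install (assumed rule):
    a fixed release on the same major branch wins (e.g. ESR 78.8 for a 78.x build);
    otherwise the newest fixed release applies, so a 79.x build is measured against 86."""
    same_branch = [f for f in fixed if f[0] == installed[0]]
    return max(same_branch) if same_branch else max(fixed)


def is_vulnerable(installed_text: str, fixed_texts: Iterable[str]) -> bool:
    """True when the installed build is older than the fixed release that applies to it."""
    installed = parse_version(installed_text)
    fixed = [parse_version(f) for f in fixed_texts]
    return version_lt(installed, fixed_version_for(installed, fixed))


# Fixed releases named in the advisories on this page; the newest per product supersedes the rest.
ADVISORY_FIXED = {
    "chrome": ["89.0.4389.114"],   # 4-1-2021 advisory; also covers 89.0.4389.72 and 88.0.4324.150
    "firefox": ["86", "78.8"],     # 2-24-2021 advisory: Firefox 86 and ESR 78.8; also covers 85.0.1 / 78.7.1
}

# Constructed sample inventory (hostname, product, version as reported by the browser); not real data.
SAMPLE_INVENTORY = [
    ("ws-101", "chrome", "89.0.4389.114"),
    ("ws-102", "chrome", "89.0.4389.90"),
    ("ws-103", "chrome", "88.0.4324.150"),
    ("lab-07", "firefox", "85.0.1"),
    ("lab-08", "firefox", "78.8.0esr"),
    ("lab-09", "firefox", "78.7.1esr"),
    ("lab-10", "firefox", "86.0"),
]


def vulnerable_hosts(inventory, advisory=ADVISORY_FIXED) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that are still below the fixed release."""
    return [(host, product, ver) for host, product, ver in inventory
            if product in advisory and is_vulnerable(ver, advisory[product])]


if __name__ == "__main__":
    for host, product, ver in vulnerable_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {product} {ver} is below fixed release(s) {ADVISORY_FIXED[product]}")
```

The inventory rows would normally come from an endpoint-management export (the version string a browser shows in chrome://version or about:support). The branch rule is the part worth keeping: a Firefox 79 or 80 build is neither on the ESR 78 branch nor at 86, so it must be flagged even though it is numerically above 78.8, and a plain "installed >= lowest fixed version" comparison would clear it.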

REFERENCES:

Google:

https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148


Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution 1-27-2021

Apple has recently announced the release of their security updates following the recent vulnerabilities found. Below you will find more details regarding this update and what systems it affects. 

DATE(S) ISSUED:

01/27/2021

SUBJECT:

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution.

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

  1. tvOS is an operating system for the fourth-generation Apple TV digital media player.
  2. watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.
  3. iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
  4. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  5. Xcode is an integrated development environment (IDE) for macOS.

In the most severe cases, these vulnerabilities could allow arbitrary code execution, after which the attacker could view, change, or delete data. If the affected application runs with fewer user rights, exploitation would have a smaller impact than if it ran with administrative rights.

THREAT INTELLIGENCE:

There are reports of the following vulnerabilities being actively exploited in the wild:

  1. CVE-2021-1782: a kernel race condition in iOS, iPadOS, tvOS and watchOS that enables a malicious application to elevate privileges.
  2. CVE-2021-1870 and CVE-2021-1871: WebKit logic issues that enable arbitrary code execution when maliciously crafted web content is processed.

SYSTEMS AFFECTED:

  1. iOS versions prior to iOS 14.4
  2. iPadOS versions prior to iPadOS 14.4
  3. tvOS versions prior to tvOS 14.4
  4. watchOS versions prior to watchOS 7.3
  5. Xcode versions prior to Xcode 12.4

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in iOS, iPadOS, tvOS, watchOS, and Xcode, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

iPadOS 14.4, iOS 14.4, tvOS 14.4 and watchOS 7.3

  1. A logic issue in WebKit was addressed with improved restrictions; processing maliciously crafted web content may lead to arbitrary code execution. (CVE-2021-1870, CVE-2021-1871)
  2. A race condition in the kernel was addressed with improved locking; a malicious application may be able to elevate privileges. (CVE-2021-1782)

Xcode 12.4

  1. A path handling issue was addressed with improved validation. (CVE-2021-1800)

In the most severe cases these vulnerabilities may allow for arbitrary code execution, that is, the attacker could run code or commands of their choosing on the target device. The WebKit vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page; the kernel race condition requires a malicious application already running on the device.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not download, accept or execute files from untrusted and unknown sources.
  4. Do not visit untrusted websites or follow links provided by untrusted or unknown sources.
  5. Evaluate read, write, and execute permissions on all newly installed software.

REFERENCES:

Apple:

https://support.apple.com/en-us/HT212146

https://support.apple.com/en-us/HT212149

https://support.apple.com/en-us/HT212148

https://support.apple.com/en-us/HT212153

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1782

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1800

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1870

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1871


Multiple Vulnerabilities in Microsoft Products Could Allow for Remote Code Execution - 1-12-2021

DATE(S) ISSUED:

01/12/2021

SUBJECT:

Critical Patches Issued for Microsoft Products, January 12, 2021

OVERVIEW:

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user.

An attacker could then install programs; view, change, or delete data; or create new accounts. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

The Microsoft Defender Remote Code Execution Vulnerability (CVE-2021-1647) has been exploited in the wild, although its details have not been publicly disclosed.

SYSTEMS AFFECTED:

  1. Microsoft Windows
  2. Microsoft Edge (EdgeHTML-based)
  3. Microsoft Office and Microsoft Office Services and Web Apps
  4. Microsoft Windows Codecs Library
  5. Visual Studio
  6. SQL Server
  7. Microsoft Malware Protection Engine
  8. .NET Core
  9. .NET Repository
  10. ASP .NET
  11. Azure

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Remote code execution means an attacker can run code of their choosing on a target machine over the network, without the owner's authorization and regardless of where the attacker is located.

A full list of all vulnerabilities can be found at the link below:

https://portal.msrc.microsoft.com/en-us/security-guidance

In the most severe cases, exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the logged-on user. The attacker could then install programs; view, change, or delete data; or create new accounts. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  3. Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  4. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources.

REFERENCES:

Microsoft:

https://portal.msrc.microsoft.com/en-us/security-guidance

https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan