CyberScotland Bulletin

On 8 November, Microsoft announced its monthly security updates. This round of updates fixed 6 zero-days and 68 vulnerabilities. 11 of these vulnerabilities are classified as ‘Critical’. This includes CVE-2022-41125, a vulnerability in the Windows CNG Key Isolation Service which allowed attackers to escalate to SYSTEM privileges.

Other fixes included CVE-2022-41082, a remote code execution vulnerability in Microsoft Exchange rated 8.0. This could be exploited by an attacker to take complete control of an Exchange server. No action is required for customers using the Exchange Emergency Mitigation Services (EEMS) relating to this vulnerability, however, Microsoft recommends patching the other vulnerabilities in this release as soon as possible.

Dropbox has recently suffered a data breach after an attacker gained access to a developer’s GitHub account. The attacker used a phishing email imitating CircleCI with a fake login page to harvest GitHub credentials, then cloned approximately 130 public and private repositories.

Dropbox confirmed in a statement that no personal data such as passwords or payment information was accessed and that “the risk to customers is minimal” with “no evidence of successful abuse”

On 27 October Google released a patch for a high-severity zero-day exploit in the Chrome browser.

CVE-2022-3723 is a confusion-type error with Google Chrome’s V8 JavaScript engine. Attackers typically exploit this type of error to execute malicious code which could lead to gaining control of an affected system.

Google recommends ensuring Chrome is updated to at least Version 107.0.5304.87 or 107.0.5304.88 for Windows users and 107.0.5304.87 for Mac and Linux users.