Newsletter

open source and cybersecurity news

August 23, 2023

- CYBERSECURITY HEADLINES TODAY -

Remote Code Execution Vulnerability in Windows Software
Remember Cold Fusion? So do Adversaries
Binding Operational Directive 22-01
Live Facial Recognition Facing Scrutiny in UK

In this Episode:

Edwin Kwan: A popular Windows file archive and compression tool has a high-severity zero-day vulnerability that could allow attackers to gain control of your computer. A specially-crafted RAR file, when opened, could give remote attackers the ability to conduct remote code execution on the target system.

Katy Craig: Today we dive into the realm of cybersecurity that unfolded some time ago. It’s with concern that we must address the actions of certain malicious actors who seek to exploit vulnerabilities in our digital infrastructure.

Olimpiu Pop: Not long ago Adobe disclosed three vulnerabilities, each of them with a various degree of criticality from high to very critical. The 120,000 small- to medium-sized organizations from the US that still use it might be more vulnerable than bigger companies with bigger paychecks.

Hillary Coover: Live Facial Recognition (LFR) technology is “facing” scrutiny in the UK as police forces conduct trials. As facial recognition technology strides forward, so does the dialogue on its responsible integration.

The Stories Behind the Cybersecurity Headlines

Edwin Kwan
Remote Code Execution Vulnerability in Popular Windows Software

A popular Windows file archive and compression tool has a high-severity zero-day vulnerability that could allow attackers to gain control of your computer.

This is Edwin Kwan from Sydney, Australia.

The flaw is tracked as CVE-2023-40477, and it affects the WinRAR utility. WinRAR is a popular file archiver for Windows. It is used by millions to back up and compress data. A researcher from the Zero Day Initiative discovered that WinRAR did not do sufficient input validation, and that can allow an attacker to access data outside the bounds of an allocated memory buffer. A specially-crafted RAR file, when opened, could give remote attackers the ability to conduct remote code execution on the target system.

Even though this is a zero-day vulnerability, it was only given a CVSS score of 7.8 out of 10. This is because the attack requires user interaction, where the attacker will need to trick the victim into opening the malicious RAR file.

The vulnerability has been addressed in the latest version of WinRAR, version 6.23, which was released this month. It is recommended for all users of the utility to immediately upgrade and to be cautious and scan RAR files using an antivirus tool before opening.

Resources
https://thehackernews.com/2023/08/new-winrar-vulnerability-could-allow.html
https://www.zerodayinitiative.com/advisories/ZDI-23-1152/
https://www.win-rar.com/singlenewsview.html

Katy Craig
Binding Operational Directive 22-01

Today we dive into the realm of cybersecurity that unfolded some time ago. Computers, as we are well aware, play an integral role in our lives, facilitating a plethora of tasks. However, it’s with concern that we must address the actions of certain malicious actors who seek to exploit vulnerabilities in our digital infrastructure.

This is Katy Craig in San Diego, California.

In response, regulatory measures were enacted to fortify the security of information technology assets across the spectrum, encompassing both public and private sectors. A resolute imperative, Binding Operational Directive 22-01, emerged to curtail the misuse of vulnerabilities by threat actors for their ulterior motives.

This directive culminated in the meticulously curated catalog under the stewardship of the Cybersecurity and Infrastructure Security Agency, or CISA. It cataloged known exploited vulnerabilities that posed a substantial risk to the federal enterprise. The onus was subsequently placed on agencies to expedite the remediation process for these vulnerabilities, based on a predefined timeline stipulated by CISA.

This initiative entailed a concerted review and enhancement of agency internal vulnerability management protocols within a 60-day window from issuance. Further, the directive mandated agencies to uphold transparency by proactively reporting the status of vulnerabilities listed in the repository. It’s noteworthy that the prescribed timelines for remediation were devised in alignment with the gravity of the threat, necessitating swifter action for vulnerabilities assigned Common Vulnerabilities and Exposures (CVE) identifiers after 2021. CISA, in its role, assumed the responsibility of maintaining the catalog and promptly disseminating updates to concerned agencies. The thresholds for inclusion in this catalog were underpinned by a rigorous assessment of substantiated evidence of active exploitation, thus ensuring its integrity.

This directive underscored a dedicated endeavor to not only bolster the security of our digital infrastructure, but also to instill a culture of vigilance and accountability in the face of evolving cyber threats. It is a testament to the proactive stance that the government assumes to ensure the confidentiality, integrity, and availability of our digital landscape.

This is Katy Craig. Stay safe out there.

Resources
https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities
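The directive's mechanism, as Katy describes it, is a catalog entry with a due date that agencies must meet and report against. The script below is an added example, not part of this newsletter and not CISA's or any agency's tooling: it indexes a KEV-style catalog extract by CVE ID, joins it against a scanner-style list of open findings, and classifies each finding as overdue, due soon, on track, remediated, or outside the catalog. The catalog field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) are assumed to mirror CISA's public KEV JSON feed; the two ColdFusion CVE IDs come from Olimpiu's story further down, but the dates, asset names, inventory layout and REPORT_DATE are constructed for illustration and are not the catalog's real values.

```python
"""Join a KEV-style catalog against open findings and flag overdue remediation."""
import json
from datetime import date, timedelta

# Constructed catalog extract. Field names are assumed to mirror CISA's public KEV
# JSON feed; the dates below are illustrative, not the catalog's actual entries.
KEV_SAMPLE = json.dumps({
    "title": "Constructed KEV extract for illustration",
    "vulnerabilities": [
        {"cveID": "CVE-2023-29298", "vendorProject": "Adobe", "product": "ColdFusion",
         "dateAdded": "2023-07-13", "dueDate": "2023-08-03",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2023-38203", "vendorProject": "Adobe", "product": "ColdFusion",
         "dateAdded": "2023-07-20", "dueDate": "2023-08-10",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Constructed scanner output: one row per (asset, CVE) pair; remediated_on stays
# None while the finding is open. Asset names are hypothetical.
INVENTORY = [
    {"asset": "cf-app-01", "cve": "CVE-2023-29298", "remediated_on": None},
    {"asset": "cf-app-02", "cve": "CVE-2023-29298", "remediated_on": "2023-07-30"},
    {"asset": "cf-app-02", "cve": "CVE-2023-38203", "remediated_on": None},
    {"asset": "file-srv-03", "cve": "CVE-2023-40477", "remediated_on": None},
]

REPORT_DATE = date(2023, 8, 5)          # constructed "today" for the report
DUE_SOON_WINDOW = timedelta(days=7)     # warn this many days before the deadline


def load_catalog(text):
    """Index a KEV-style JSON document by CVE ID for constant-time lookups."""
    doc = json.loads(text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def classify(finding, catalog, as_of):
    """Return (status, days_to_due) for one (asset, CVE) finding.

    Statuses: 'remediated', 'not_in_kev' (patch per vendor guidance, but no
    BOD 22-01 deadline applies), 'overdue', 'due_soon', 'on_track'.
    """
    if finding["remediated_on"] is not None:
        return "remediated", None
    entry = catalog.get(finding["cve"])
    if entry is None:
        return "not_in_kev", None
    days_left = (date.fromisoformat(entry["dueDate"]) - as_of).days
    if days_left < 0:
        return "overdue", days_left
    if days_left <= DUE_SOON_WINDOW.days:
        return "due_soon", days_left
    return "on_track", days_left


def kev_report(inventory, catalog, as_of):
    """Classify every finding; most overdue items sort first."""
    order = {"overdue": 0, "due_soon": 1, "on_track": 2, "not_in_kev": 3, "remediated": 4}
    rows = []
    for f in inventory:
        status, days_left = classify(f, catalog, as_of)
        rows.append({"asset": f["asset"], "cve": f["cve"],
                     "status": status, "days_to_due": days_left})
    rows.sort(key=lambda r: (order[r["status"]],
                             r["days_to_due"] if r["days_to_due"] is not None else 0,
                             r["asset"]))
    return rows


def summarize(rows):
    """Count findings per status, the figure an agency would report upward."""
    counts = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    catalog = load_catalog(KEV_SAMPLE)
    rows = kev_report(INVENTORY, catalog, REPORT_DATE)
    for r in rows:
        print(f"{r['status']:<11} {r['asset']:<12} {r['cve']:<15} days_to_due={r['days_to_due']}")
    print(summarize(rows))
```

Against the constructed data, cf-app-01 is two days past its deadline, cf-app-02's second finding is inside the seven-day warning window, and the WinRAR finding is reported separately because it is absent from the catalog extract: it still needs the vendor update, but the directive's clock does not apply to it. Swapping KEV_SAMPLE for the downloaded feed and INVENTORY for real scanner output is all that changes in practice.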

Olimpiu Pop
Remember Cold Fusion? So do Adversaries

Cold Fusion is a technology that is slowly dying. Actually, I don’t know if it was at any point more than a niche technology.

Not long ago Adobe disclosed three vulnerabilities, each of them with a varying degree of criticality from high to very critical. All in all, this trio would allow an attacker to bypass security features or even execute code remotely.

Why talk about it if their market share is so narrow? The 120,000 small- to medium-sized organizations from the US that still use it might be more vulnerable than bigger companies with bigger paychecks.

Just a reminder, the NotPetya malware that disrupted the operation of the freight shipping giant, Maersk, started from a very modest Ukrainian accounting software company. The cost was in the realm of hundreds of millions of dollars.

Around mid-July, multiple exploits chaining these vulnerabilities were observed in the wild, mostly allowing PowerShell scripts to be executed on the server. Adobe moved fast and released the needed patches, but as usual, patching software is far from an exact science, especially if the correct approach means killing backwards compatibility. The trio became a four-tuple: a zero-day vulnerability was found that allowed circumventing the fix.

What you need to know if you’re using Cold Fusion versions 2023, 2021, and 2018 is that you need to upgrade them to Update 1, Update 7, and Update 17. Hopefully, this would be the end of the story.

On 505updates.com, you can find the corresponding resources and more.

Olimpiu Pop reported from Transylvania, Romania.

Resources
https://securityboulevard.com/2023/07/adobe-coldfusion-vulnerabilities-exploited-in-wild/
https://blog.projectdiscovery.io/adobe-coldfusion-rce/
https://cwe.mitre.org/data/definitions/502.html
https://nvd.nist.gov/vuln/detail/CVE-2023-29298#match-9409303
https://nvd.nist.gov/vuln/detail/CVE-2023-38203
https://nvd.nist.gov/vuln/detail/CVE-2023-29298
https://nvd.nist.gov/vuln/detail/CVE-2023-29301
https://nvd.nist.gov/vuln/detail/CVE-2023-29300

Hillary Coover
Live Facial Recognition Facing Scrutiny in UK

Facial recognition technology is causing more frowns than a bad passport photo. As facial recognition technology strides forward, so does the dialogue on its responsible integration.

Hi, this is Hillary Coover in Washington, DC.

Live Facial Recognition (LFR) technology is “facing” scrutiny in the UK as police forces conduct trials. LFR, also known as automatic facial recognition, identifies individuals in real-time video by comparing their faces to a database of reference photographs. Cameras scan public spaces, and if a match is detected, the software highlights it. In the context of law enforcement, that’s a database of individuals who have outstanding warrants.

The technology’s been used since 2015. If a match occurs, police decide whether to approach the person. Unmatched faces are deleted immediately, and matched images are retained only for 30 days. This oversight is a perfect example of responsible implementation of facial recognition technology. However, the legality of LFR remains a concern. The UK lacks regulations specifically addressing facial recognition technology, and the House of Commons Science and Technology Committee has actually called for a moratorium on its use until proper legislation is enacted.

Concerns about LFR include its effectiveness and potential biases. Bias arises when databases used for training favor specific demographics, leading to higher error rates for other groups. For instance, MIT found that Amazon’s Rekognition had a 0% error rate for light-skinned men, but over 30% for dark-skinned women. Human oversight can address this concern though.

Resources
https://www.sciencefocus.com/future-technology/live-facial-recognition-how-is-it-used