Security Alert!


IRS Warns University Students and Staff of Impersonation Email Scam - 4-01-2021

What Happened:

The Internal Revenue Service today warned of an ongoing IRS-impersonation scam that appears to primarily target educational institutions, including students and staff who have “.edu” email addresses.

The IRS’ phishing@irs.gov as well as abuse@csun.edu have received emails about the impersonation scam in recent weeks from people with email addresses ending in “.edu.” The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions.

What Information Was Involved?

The phishing website requests taxpayers provide their:

  • Social Security Number
  • First Name
  • Last Name
  • Date of Birth
  • Prior Year Annual Gross Income (AGI)
  • Driver's License Number
  • Current Address
  • City
  • State/U.S. Territory
  • ZIP Code/Postal Code
  • Electronic Filing PIN

People who receive this scam email should not click on the link in the email, but they can report it to the IRS. For security reasons, save the email using “save as” and then send that attachment to  and abuse@csun.edu.

What This Means To You

Be on the lookout for any email that asks for any of the information listed above.

If you believe you received a phishing email, please send it as an attachment to abuse@csun.edu.  

What We Recommend

  • Think carefully before clicking on a link or image. Phishing and other malware scams rely on our habit of clicking first and thinking later.
  • Keep programs up to date: most applications on all of your devices have automated update features. Turn them on.
  • Turn off Flash or turn on an ad blocker. Flash Player is popular with hackers. They exploit Flash by inserting malicious bits of code into ad networks used by well-known businesses.

Despite taking preventive measures, phishing email attacks continue to be sent from compromised faculty and staff accounts. The best method to prevent these attacks is to never provide your CSUN user ID and password in response to an email request and to question the source of the email received.

Visit CSUN's Phishing Examples page to view examples of past phishing attempts. 


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 4-01-2021

DATE(S) ISSUED:

03/31/2021

SUBJECT:

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome versions prior to 89.0.4389.114

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Arbitrary code execution means the attacker is able to execute arbitrary code or commands on a target machine; in other words, the attacker can run any command on that machine. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows:

  • A use-after-free vulnerability that exists in the 'screen capture' component. (CVE-2021-21194)
  • A use-after-free vulnerability that exists in the 'V8' component. (CVE-2021-21195)
  • Heap buffer overflow in TabStrip. (CVE-2021-21196, CVE-2021-21197)
  • Out of bounds read in IPC. (CVE-2021-21198)
  • Use after free in Aura (CVE-2021-21199)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. An attacker can view, change or delete data depending on the privileges associated with the application. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.

REFERENCES:

Google:

https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_30.html

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21194

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21195

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21196

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21197

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21198

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21199


State Controller's Office Data Breach - 3-25-2021

We have learned of a data exposure at the California State Controller’s Office (SCO), Division of Unclaimed Property.

What Happened:

An employee of the SCO had their credentials compromised when they clicked on a phishing email and entered their username and password. This provided a threat actor access to that account for a little less than 24 hours before it was discovered, and remediation occurred.

What Information Was Involved?

The SCO believes that the compromised account had personally identifiable information contained in Unclaimed Property Reports.

What This Means To You As a CSUN Employee

None of your CSUN employee information was involved in the data exposure.

However, if you as an individual have records associated with Unclaimed Property with the State Controller’s Office, your data could have been exposed.

What We Recommend

  • Lastly, the State Controller’s Office has received information that some scams and possibly fraud have occurred. I strongly recommend you be on the lookout for suspicious emails, phone calls and correspondence that might be associated with this incident.

Feel free to reach out to iso@csun.edu if you have any questions or additional concerns.

CSUN will NEVER ask for your password or your personal information such as SSN and bank accounts. Beware of phishing scams that look like employment or internships offers.


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 3-3-2021

SUBJECT:

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome versions prior to 89.0.4389.72

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Details of the vulnerabilities are as follows:

  • Heap buffer overflow in OpenJPEG. [CVE-2020-27844]
  • Heap buffer overflow in TabStrip. [CVE-2021-21159]
  • Heap buffer overflow in WebAudio. [CVE-2021-21160]
  • Heap buffer overflow in TabStrip. [CVE-2021-21161]
  • Use after free in WebRTC. [CVE-2021-21162]
  • Insufficient data validation in Reader Mode. [CVE-2021-21163]
  • Insufficient data validation in Chrome for iOS. [CVE-2021-21164]
  • Object lifecycle issue in audio. [CVE-2021-21165]
  • Object lifecycle issue in audio. [CVE-2021-21166]
  • Use after free in bookmarks. [CVE-2021-21167]
  • Insufficient policy enforcement in appcache. [CVE-2021-21168]
  • Out of bounds memory access in V8. [CVE-2021-21169]
  • Incorrect security UI in Loader. [CVE-2021-21170]
  • Incorrect security UI in TabStrip and Navigation. [CVE-2021-21171]
  • Insufficient policy enforcement in File System API. [CVE-2021-21172]
  • Side-channel information leakage in Network Internals. [CVE-2021-21173]
  • Inappropriate implementation in Referrer. [CVE-2021-21174]
  • Inappropriate implementation in Site isolation. [CVE-2021-21175]
  • Inappropriate implementation in full screen mode. [CVE-2021-21176]
  • Insufficient policy enforcement in Autofill. [CVE-2021-21177]
  • Inappropriate implementation in Compositing. [CVE-2021-21178]
  • Use after free in Network Internals. [CVE-2021-21179]
  • Use after free in tab search. [CVE-2021-21180]
  • Side-channel information leakage in autofill. [CVE-2021-21181]
  • Insufficient policy enforcement in navigations. [CVE-2021-21182]
  • Inappropriate implementation in performance APIs. [CVE-2021-21183]
  • Inappropriate implementation in performance APIs. [CVE-2021-21184]
  • Insufficient policy enforcement in extensions. [CVE-2021-21185]
  • Insufficient policy enforcement in QR scanning. [CVE-2021-21186]
  • Insufficient data validation in URL formatting. [CVE-2021-21187]
  • Use after free in Blink. [CVE-2021-21188]
  • Insufficient policy enforcement in payments [CVE-2021-21189]
  • Uninitialized Use in PDFium. [CVE-2021-21190]

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Arbitrary code execution means the attacker is able to execute arbitrary code or commands on a target machine; in other words, the attacker can run any command on that machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specifically crafted web page. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  4. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources.

REFERENCES:

Google:

https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html


Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution - 3-2-2021

SUBJECT:

Multiple Vulnerabilities in Google Android OS Could Allow for Remote Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for remote code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. The vulnerability may allow the attacker to view, change, or delete data, or to create new accounts with full user rights. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Android OS builds utilizing Security Patch Levels issued prior to March 5, 2021

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution within the context of a privileged process. Details of these vulnerabilities are as follows:

  • An elevation of privilege vulnerability in Android runtime. (CVE-2021-0395)
  • Multiple elevation of privilege vulnerabilities in Framework. (CVE-2021-0391, CVE-2021-0398)
  • Multiple remote code execution vulnerabilities in System. (CVE-2021-0397, CVE-2017-14491, CVE-2021-0393, CVE-2021-0396)
  • Multiple elevation of privilege vulnerabilities in System. (CVE-2021-0390, CVE-2021-0392, CVE-2021-0394)
  • An information disclosure vulnerability in System. (CVE-2021-0394)
  • A vulnerability in Google Play system updates. (CVE-2021-0390)
  • A high severity vulnerability in Kernel components. (CVE-2020-0399)
  • Multiple high severity vulnerabilities in Qualcomm components (CVE-2020-11233, CVE-2020-11129, CVE-2020-111308, CVE-2020-11309)
  • Multiple critical severity vulnerabilities in Qualcomm closed-source components (CVE-2020-11192, CVE-2020-11204, CVE-2020-11218, CVE-2020-11227, CVE-2020-11228)
  • Multiple high severity vulnerabilities in Qualcomm closed-source components (CVE-2020-11165, CVE-2020-11166, CVE-2020-11171, CVE-2020-11178, CVE-2020-11186, CVE-2020-11188, CVE-2020-11189, CVE-2020-11190, CVE-2020-11194, CVE-2020-11195, CVE-2020-11198, CVE-2020-11199, CVE-2020-11220, CVE-2020-11221, CVE-2020-11222, CVE-2020-11226, CVE-2020-11299)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Arbitrary code execution means the attacker is able to execute arbitrary code or commands on a target machine; in other words, the attacker can run any command on that machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specifically crafted web page. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates by Google Android or mobile carriers to vulnerable systems, immediately after appropriate testing.
  2. Only download applications from trusted vendors in the Play Store.
  3. Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.

REFERENCES:

Google Android:

https://source.android.com/security/bulletin/2021-03-01


Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution - 2-24-2021

DATE(S) ISSUED:

02/24/2021

SUBJECT:

Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:

There are currently reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Mozilla Firefox versions prior to 86
  • Firefox ESR versions prior to 78.8
  • Mozilla Thunderbird versions prior to 78.8

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR), and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Arbitrary code execution means the attacker is able to execute arbitrary code or commands on a target machine; in other words, the attacker can run any command on that machine.

Details of these vulnerabilities are as follows:

  • As specified in the W3C Content Security Policy draft, when creating a violation report, "User agents need to ensure that the source file is the URL requested by the page, pre-redirects. If that’s not possible, user agents need to strip the URL down to an origin to avoid unintentional leakage." Under certain types of redirects, Firefox incorrectly set the source file to be the destination of the redirects. This was fixed to be the redirect destination's origin. [CVE-2021-23969]
  • Context-specific code was included in a shared jump table, resulting in assertions being triggered in multithreaded wasm code. [CVE-2021-23970]
  • If Content Security Policy blocked frame navigation, the full destination of a redirect served in the frame was reported in the violation report, as opposed to the original frame URI. This could be used to leak sensitive information contained in such URIs. [CVE-2021-23968]
  • The DOMParser API did not properly process <noscript> elements for escaping. This could be used as an mXSS vector to bypass an HTML Sanitizer. [CVE-2021-23974]
  • When processing a redirect with a conflicting Referrer-Policy, Firefox would have adopted the redirect's Referrer-Policy. This would have potentially resulted in more information than intended by the original origin being provided to the destination of the redirect. [CVE-2021-23971]
  • When accepting a malicious intent from other installed apps, Firefox for Android accepted manifests from arbitrary file paths and allowed declaring webapp manifests for other origins. This could be used to gain full screen access for UI spoofing and could also lead to cross-origin attacks on targeted websites. Note: This issue is a different issue from CVE-2020-26954 and only affected Firefox for Android. Other operating systems are unaffected. [CVE-2021-23976]
  • Firefox for Android suffered from a time-of-check-time-of-use vulnerability that allowed a malicious application to read sensitive data from application directories. Note: This issue only affected Firefox for Android. Other operating systems are unaffected. [CVE-2021-23977]
  • One phishing tactic on the web is to provide a link with HTTP Auth. For example https: . To mitigate this type of attack, Firefox will display a warning dialog; however, this warning dialog would not have been displayed if evil.com used a redirect that was cached by the browser. [CVE-2021-23972]
  • The developer page about:memory has a Measure function for exploring what object types the browser has allocated and their sizes. When this function was invoked we incorrectly called the sizeof function, instead of using the API method that checks for invalid pointers. [CVE-2021-23975]
  • When trying to load a cross-origin resource in an audio/video context a decoding error may have resulted, and the content of that error may have revealed information about the resource. [CVE-2021-23973]
  • Mozilla developers Alexis Beingessner, Tyson Smith, Nika Layzell, and Mats Palmgren reported memory safety bugs present in Firefox 85 and Firefox ESR 78.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. [CVE-2021-23978]
  • Mozilla developers Tyson Smith, Lars T Hansen, Valentin Gosu, and Sebastian Hengst reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. [CVE-2021-23979]

Successful exploitation of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
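
Three of the Firefox items above (CVE-2021-23969, CVE-2021-23968 and CVE-2021-23971) come down to the same rule from the Content Security Policy specification: when a redirect was involved, a violation report must carry only the origin of the redirect destination, never its full URL, because the page never saw that destination and its path or query string can carry secrets. The following is an added illustration of that rule, not Firefox's code and not part of the original alert; the function names, the report layout and the sample URLs are constructed for the example.

```javascript
// Added example: reducing a redirected request to an origin before it is placed in a
// CSP violation report. Illustrative only; not Firefox's implementation.

// Reduce a URL to its origin (scheme://host[:port]). Path, query and fragment are dropped,
// which is exactly the information a redirect destination must not leak.
function stripToOrigin(urlString) {
  return new URL(urlString).origin;
}

// Decide which URL goes into the report.
//   requestedUrl  : the URL the page itself requested (pre-redirect)
//   redirectChain : URLs the request was redirected to, in order; [] if no redirect happened
// Without a redirect the requested URL is already known to the page and is safe to report
// verbatim. After a redirect, reporting the final destination in full would hand the page
// the redirect target (the CVE-2021-23968 leak), so only that destination's origin is kept.
function reportedUrl(requestedUrl, redirectChain) {
  if (redirectChain.length === 0) {
    return requestedUrl;
  }
  const finalUrl = redirectChain[redirectChain.length - 1];
  return stripToOrigin(finalUrl);
}

// Build a minimal report body. The field names follow the classic report-uri JSON shape
// ("document-uri", "violated-directive", "blocked-uri"); everything else is constructed.
function buildViolationReport(documentUri, directive, requestedUrl, redirectChain) {
  return {
    "csp-report": {
      "document-uri": documentUri,
      "violated-directive": directive,
      "blocked-uri": reportedUrl(requestedUrl, redirectChain),
    },
  };
}

// Constructed scenario: a frame navigation to a CDN URL is redirected to an account
// service whose URL carries a session token. The report must not contain that token.
const SAMPLE_DOCUMENT = "https://app.example.test/dashboard";
const SAMPLE_REQUEST = "https://cdn.example.test/widget.js";
const SAMPLE_REDIRECTS = ["https://account.example.test/callback?session=abc123#frag"];

function demoReport() {
  return buildViolationReport(SAMPLE_DOCUMENT, "frame-src", SAMPLE_REQUEST, SAMPLE_REDIRECTS);
}

console.log(JSON.stringify(demoReport(), null, 2));
```

The same origin-only reduction is what the Referrer-Policy item describes from the other side: a redirect must not be allowed to widen what the original origin agreed to disclose, so the decision is made from the pre-redirect policy, not from whatever the redirect response asks for.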

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-07/

https://www.mozilla.org/en-US/security/advisories/mfsa2021-08/

https://www.mozilla.org/en-US/security/advisories/mfsa2021-09/


A Vulnerability in Mozilla Firefox and Firefox ESR Could Allow for Arbitrary Code Execution 2-8-2021

DATE(S) ISSUED:

02/08/2021

SUBJECT:

A Vulnerability in Mozilla Firefox and Firefox ESR Could Allow for Arbitrary Code Execution 

OVERVIEW:

A vulnerability has been discovered in Mozilla Firefox and Firefox ESR, which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the internet. Firefox ESR is a version of the web browser intended to be deployed in large organizations. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the vulnerability could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Mozilla Firefox versions prior to 85.0.1
  • Firefox ESR versions prior to 78.7.1

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

A vulnerability has been discovered in Mozilla Firefox and Firefox ESR, which could allow for arbitrary code execution. Arbitrary code execution means the attacker is able to execute arbitrary code or commands on a target machine; in other words, the attacker can run any command on that machine. This vulnerability exists in the ANGLE graphics library, where the depth pitch computation fails to take the block size into account and simply multiplies the row pitch by the pixel height. This causes the load functions to use a far too large depth pitch, reading past the end of the user-supplied buffer.
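
To make the arithmetic in the summary concrete, here is an added, self-contained model of the pitch computation and of the bounds check that should gate any read from a caller-supplied buffer. It is not ANGLE's code and not part of the original alert; the block format (4x4 blocks, 8 bytes per block), the texture dimensions and the function names are all assumptions chosen for the example. The point it shows: for a block-compressed format, a slice holds one block row per `blockHeight` pixel rows, so multiplying the row pitch by the pixel height overstates the depth pitch by a factor of `blockHeight`, and a loader that trusts that value walks past the buffer the caller actually provided.

```javascript
// Added example: depth-pitch computation for a block-compressed 3D texture upload,
// buggy and corrected, plus the bounds check that rejects the oversized read.
// Illustrative model only; not ANGLE source.

// Constructed format descriptor modelled on a 4x4, 8-bytes-per-block compressed format.
const BLOCK_FORMAT = { blockWidth: 4, blockHeight: 4, bytesPerBlock: 8 };

// Bytes in one row of blocks: ceil(width / blockWidth) blocks of bytesPerBlock each.
function blockRowPitch(width, fmt) {
  return Math.ceil(width / fmt.blockWidth) * fmt.bytesPerBlock;
}

// Number of block rows needed to cover `height` pixel rows.
function blockRows(height, fmt) {
  return Math.ceil(height / fmt.blockHeight);
}

// Buggy pitch, as described in the advisory: row pitch times pixel height, which ignores
// that each block row already covers blockHeight pixel rows.
function depthPitchBuggy(width, height, fmt) {
  return blockRowPitch(width, fmt) * height;
}

// Corrected pitch: row pitch times the number of block rows.
function depthPitchCorrect(width, height, fmt) {
  return blockRowPitch(width, fmt) * blockRows(height, fmt);
}

// Bytes a loader will touch for `depth` slices at a given depth pitch: the last slice
// starts at depthPitch * (depth - 1) and spans one slice of real data.
function bytesRequired(width, height, depth, depthPitch, fmt) {
  const sliceBytes = blockRowPitch(width, fmt) * blockRows(height, fmt);
  return depthPitch * (depth - 1) + sliceBytes;
}

// The check that should gate the load: every byte the loader will read must lie within
// the caller-supplied buffer. Returns false for the oversized (buggy) pitch.
function loadFitsInBuffer(width, height, depth, depthPitch, bufferLength, fmt) {
  return bytesRequired(width, height, depth, depthPitch, fmt) <= bufferLength;
}

// Constructed scenario: a 64x64x4 texture with exactly the bytes a correctly packed
// upload needs (128 bytes per block row, 16 block rows, 4 slices = 8192 bytes).
function demo() {
  const width = 64, height = 64, depth = 4;
  const correctPitch = depthPitchCorrect(width, height, BLOCK_FORMAT); // 128 * 16 = 2048
  const buggyPitch = depthPitchBuggy(width, height, BLOCK_FORMAT);     // 128 * 64 = 8192
  const buffer = new Uint8Array(correctPitch * depth);                 // 8192 bytes supplied
  return {
    correctPitch,
    buggyPitch,
    bufferLength: buffer.length,
    correctBytes: bytesRequired(width, height, depth, correctPitch, BLOCK_FORMAT), // 8192
    buggyBytes: bytesRequired(width, height, depth, buggyPitch, BLOCK_FORMAT),     // 26624
    correctFits: loadFitsInBuffer(width, height, depth, correctPitch, buffer.length, BLOCK_FORMAT),
    buggyFits: loadFitsInBuffer(width, height, depth, buggyPitch, buffer.length, BLOCK_FORMAT),
  };
}

console.log(demo());
```

With the constructed 64x64x4 texture the buggy pitch is four times the correct one, so the loader would expect 26624 bytes from an 8192-byte buffer; a bounds check of the kind shown in `loadFitsInBuffer` turns that into a rejected upload instead of an out-of-bounds read.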

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  2. Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  3. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2021-06/


A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution 2-5-2021

DATE(S) ISSUED:

02/05/2021

SUBJECT:

A Vulnerability in Google Chrome Could Allow for Arbitrary Code Execution 

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome. In the most severe cases the vulnerabilities could allow arbitrary code execution. Google Chrome is a web browser commonly used to access the Internet. The vulnerability may allow the attacker to view, change or delete data. If Google Chrome is configured to have fewer user rights, exploitations will have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome versions prior to 88.0.4324.150

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. This vulnerability exists due to a heap buffer overflow in the ‘V8’ JavaScript engine of Chrome.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. Arbitrary code execution means the attacker is able to execute arbitrary code or commands on a target machine; in other words, the attacker can run any command on that machine. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of this vulnerability could have less impact than if it was configured with administrative rights.

RECOMMENDATIONS:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit un-trusted websites or follow links provided by unknown or un-trusted sources.

REFERENCES:

Google:

https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148


Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution 1-27-2021

Apple has recently announced the release of their security updates following the recent vulnerabilities found. Below you will find more details regarding this update and what systems it affects. 

DATE(S) ISSUED:

01/27/2021

SUBJECT:

Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution.

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution.

  1. tvOS is an operating system for the fourth-generation Apple TV digital media player.
  2. watchOS is the mobile operating system for the Apple Watch and is based on the iOS operating system.
  3. iPadOS is the successor to iOS 12 and is a mobile operating system for iPads.
  4. iOS is a mobile operating system for mobile devices, including the iPhone, iPad, and iPod touch.
  5. Xcode is an integrated development environment (IDE) for macOS.

Multiple vulnerabilities have been discovered in Apple Products. In the most severe cases the vulnerabilities could allow arbitrary code execution. The vulnerability may allow the attacker to view, change or delete data. If the affected application is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are reports of the following vulnerabilities currently being actively exploited in the wild:

  1. CVE-2021-1782: iOS, iPadOS, tvOS, watchOS vulnerability that enables privilege escalation.
  2. CVE-2021-1870: WebKit vulnerability that enables arbitrary code execution.
  3. CVE-2021-1800: Xcode vulnerability that enables arbitrary file access.

SYSTEMS AFFECTED:

  1. iOS versions prior to iOS 14.4
  2. iPadOS versions prior to iPadOS 14.4
  3. tvOS versions prior to tvOS 14.4
  4. watchOS versions prior to watchOS 7.3
  5. Xcode versions prior to Xcode 12.4

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in iOS, iPadOS, tvOS, watchOS, and Xcode, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

iPadOS 14.4, iOS 14.4, tvOS 14.4 and watchOS 7.3

  1. A logic issue was addressed with improved restrictions (CVE-2021-1870, CVE-2021-1871)
  2. A race condition was addressed with improved locking. (CVE-2021-1782)

Xcode 12.4

  1. A path handling issue was addressed with improved validation. (CVE-2021-1800)

Multiple vulnerabilities have been found in Apple Products; in the most severe cases these vulnerabilities may allow for arbitrary code execution. Arbitrary code execution means the attacker is able to execute arbitrary code or commands on a target machine; in other words, the attacker can run any command on that machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specifically crafted web page.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not download, accept or execute files from untrusted and unknown sources.
  4. Do not visit untrusted websites or follow links provided by untrusted or unknown sources.
  5. Evaluate read, write, and execute permissions on all newly installed software.

REFERENCES:

Apple:

https://support.apple.com/en-us/HT212146

https://support.apple.com/en-us/HT212149

https://support.apple.com/en-us/HT212148

https://support.apple.com/en-us/HT212153

CVE:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1782

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1800

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1870

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1871


Multiple Vulnerabilities in Microsoft Products Could Allow for Remote Code Execution - 1-12-2021

DATE(S) ISSUED:

01/12/2021

SUBJECT:

Critical Patches Issued for Microsoft Products, January 12, 2021

OVERVIEW:

Multiple vulnerabilities have been discovered in Microsoft products. In the most severe cases the vulnerabilities could allow remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user.

The vulnerabilities may allow the attacker to install programs; view, change or delete data; or create new accounts. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

The vulnerability Microsoft Defender Remote Code Execution Vulnerability (CVE-2021-1647) has been seen exploited in the wild, although it has not been disclosed publicly.

SYSTEMS AFFECTED:

  1. Microsoft Windows
  2. Microsoft Edge (EdgeHTML-based)
  3. Microsoft Office and Microsoft Office Services and Web Apps
  4. Microsoft Windows Codecs Library
  5. Visual Studio
  6. SQL Server
  7. Microsoft Malware Protection Engine
  8. .NET Core
  9. .NET Repository
  10. ASP .NET
  11. Azure

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Remote code execution is when an attacker gains access to and runs code or makes changes on a machine owned by someone else, without the owner's authorization and regardless of where the machine is located.

A full list of all vulnerabilities can be found at the link below:

https://portal.msrc.microsoft.com/en-us/security-guidance

In severe cases the exploitation of these vulnerabilities could allow an attacker to achieve remote code execution in the context of the browser. The vulnerabilities may allow the attacker to install programs; view, change or delete data; or create new accounts. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  3. Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  4. Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources.

REFERENCES:

Microsoft:

https://portal.msrc.microsoft.com/en-us/security-guidance

https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan


Multiple Vulnerabilities in Mozilla Firefox Could Allow for Arbitrary Code Execution - 12-16-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of these vulnerabilities could allow for arbitrary code execution. The vulnerabilities may allow the attacker to view, change or delete data, or create new accounts with full user rights. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Mozilla Firefox versions prior to 84
  2. Mozilla Firefox ESR versions prior to 78.6
  3. Mozilla Thunderbird versions prior to 78.6

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird; in the most severe cases they may allow for arbitrary code execution. Arbitrary code execution means the attacker can run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. A heap-based buffer overflow vulnerability. Specifically, this issue occurs due to a boundary error within the WebGL component. [CVE-2020-26971]
  2. A security-bypass vulnerability. Specifically, this issue occurs due to insufficient validation of user-supplied input within the CSS Sanitizer. [CVE-2020-26973]
  3. A denial-of-service vulnerability. Specifically, this issue occurs due to incorrect casting of the 'StyleGenericFlexBasis' object. [CVE-2020-26974]
  4. A security vulnerability. Specifically, this issue exists because the application does not properly impose security restrictions. A remote attacker can create a specially crafted web page and send probes to hosts on the internal network as well as to services on the user's local machine. [CVE-2020-26978]
  5. An information-disclosure vulnerability. Specifically, this issue exists because the proxy.onRequest API does not apply the proxy when viewing the source code of a web application. [CVE-2020-35111]
  6. A security vulnerability. Specifically, this issue exists due to the way Firefox processes downloaded files without extensions on the Windows operating system. [CVE-2020-35112]
  7. A security vulnerability that occurs due to memory safety bugs. [CVE-2020-35113]

Successful exploitation of these vulnerabilities could allow for arbitrary code execution. Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.
  4. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

REFERENCES:

Mozilla:

https://www.mozilla.org/en-US/security/advisories/mfsa2020-55/

https://www.mozilla.org/en-US/security/advisories/mfsa2020-56/

https://www.mozilla.org/en-US/security/advisories/mfsa2020-54/


Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution - 12-15-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution.

  1. iCloud for Windows is a cloud storage service that can be used on Windows computers.
  2. watchOS is a mobile operating system created & developed by Apple to be utilized by its Apple Watch product line.
  3. iOS is a mobile operating system created & developed by Apple to be utilized by its mobile devices such as the iPhone.
  4. Safari is a web browser available for macOS.
  5. tvOS is an operating system based on iOS developed for AppleTV.
  6. macOS Server is a desktop operating system for Macintosh computers.
  7. iPadOS is a mobile operating system created & developed by Apple to be utilized by its iPad product line.

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Depending on the permission associated with the application running the exploit, an attacker could then install programs; view, change, or delete data.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. watchOS versions prior to 7.2 and 6.3
  2. macOS versions prior to Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave
  3. tvOS versions prior to tvOS 14.3
  4. iOS versions prior to 14.3 and 12.5
  5. iPadOS versions prior to 14.3
  6. macOS Server versions prior to 5.11
  7. Safari versions prior to 14.0.2

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: High

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Details of these vulnerabilities are as follows:

iOS 14.3 and iPadOS 14.3

  1. A logic issue was addressed with improved state management (CVE-2020-29613)
  2. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948)
  3. An information disclosure issue was addressed with improved state management (CVE-2020-27946)
  4. A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation (CVE-2020-27943, CVE-2020-27944)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  6. An out-of-bounds read was addressed with improved input validation (CVE-2020-29618)
  7. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  8. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)
  9. A use after free issue was addressed with improved memory management (CVE-2020-15969)

iOS 12.5

  1. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)

watchOS 6.3

  1. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)

watchOS 7.2

  1. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948)
  2. An information disclosure issue was addressed with improved state management (CVE-2020-27946)
  3. A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation (CVE-2020-27943, CVE-2020-27944)
  4. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-29618)
  6. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  7. Unauthorized code execution may lead to an authentication policy violation (CVE-2020-27951)
  8. A use after free issue was addressed with improved memory management (CVE-2020-15969)

macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave

  1. A memory corruption issue was addressed with improved input validation (CVE-2020-27914, CVE-2020-27915)
  2. An application may be able to gain elevated privileges (CVE-2020-27903)
  3. An application may be able to execute arbitrary code with kernel privileges (CVE-2020-27941)
  4. A malicious application may be able to bypass Privacy preferences (CVE-2020-29621)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-27910)
  6. An out-of-bounds read was addressed with improved bounds checking (CVE-2020-9943)
  7. An out-of-bounds read was addressed with improved bounds checking (CVE-2020-9944)
  8. An out-of-bounds write was addressed with improved input validation (CVE-2020-27916)
  9. Multiple integer overflows were addressed with improved input validation (CVE-2020-27906)
  10. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948, CVE-2020-9955)
  11. An out-of-bounds read was addressed with improved input validation (CVE-2020-9960, CVE-2020-27908)
  12. An out-of-bounds write was addressed with improved input validation (CVE-2020-10017)
  13. A logic issue was addressed with improved state management (CVE-2020-27922)
  14. An information disclosure issue was addressed with improved state management (CVE-2020-27946, CVE-2020-9849)
  15. A buffer overflow was addressed with improved size validation (CVE-2020-9962)
  16. An out-of-bounds write was addressed with improved input validation (CVE-2020-27952)
  17. An out-of-bounds read was addressed with improved input validation (CVE-2020-9956)
  18. A memory corruption issue existed in the processing of font files (CVE-2020-27931, CVE-2020-27943, CVE-2020-27944)
  19. A logic issue was addressed with improved state management (CVE-2020-10002)
  20. A memory corruption issue was addressed with improved input validation (CVE-2020-27947)
  21. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29612)
  22. An attacker in a privileged network position may be able to unexpectedly alter application state (CVE-2020-9978)
  23. An out-of-bounds write was addressed with improved input validation (CVE-2020-27919)
  24. A memory corruption issue was addressed with improved input validation (CVE-2020-29616)
  25. An out-of-bounds read was addressed with improved input validation (CVE-2020-27924, CVE-2020-29618)
  26. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  27. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  28. An out-of-bounds write was addressed with improved input validation (CVE-2020-27912, CVE-2020-27923)
  29. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-10015, CVE-2020-27897)
  30. A memory corruption issue was addressed with improved memory handling (CVE-2020-27907)
  31. A logic issue was addressed with improved state management (CVE-2020-9974)
  32. A memory corruption issue was addressed with improved state management (CVE-2020-10016)
  33. Multiple memory corruption issues were addressed with improved input validation (CVE-2020-9967)
  34. A use after free issue was addressed with improved memory management (CVE-2020-9975, CVE-2020-27899)
  35. A race condition was addressed with improved state handling (CVE-2020-27921)
  36. A malicious application may cause unexpected changes in memory belonging to processes traced by DTrace (CVE-2020-27949)
  37. A malicious application may be able to elevate privileges (CVE-2020-29620)
  38. An integer overflow was addressed through improved input validation (CVE-2020-27911)
  39. A use after free issue was addressed with improved memory management (CVE-2020-27920)
  40. A use after free issue was addressed with improved memory management (CVE-2020-27926)
  41. A parsing issue in the handling of directory paths was addressed with improved path validation (CVE-2020-10014)
  42. A path handling issue was addressed with improved validation (CVE-2020-10010)
  43. An out-of-bounds read was addressed with improved input validation (CVE-2020-13524)
  44. A logic issue was addressed with improved state management (CVE-2020-10004)
  45. A logic issue was addressed with improved restrictions (CVE-2020-27901, CVE-2020-10008)
  46. A logic issue was addressed with improved state management (CVE-2020-10007)
  47. An access issue was addressed with improved access restrictions (CVE-2020-10012)
  48. A path handling issue was addressed with improved validation (CVE-2020-27896)
  49. A logic issue was addressed with improved state management (CVE-2020-10009)
  50. A use after free issue was addressed with improved memory management (CVE-2020-15969)
  51. A denial of service issue was addressed with improved state handling (CVE-2020-27898)
  52. A logic issue was addressed with improved validation (CVE-2020-9971)
  53. An issue existed in the handling of snapshots. The issue was resolved with improved permissions logic (CVE-2020-27900)
  54. The issue was addressed with improved handling of icon caches (CVE-2020-9963)
  55. A validation issue existed in the entitlement verification. This issue was addressed with improved validation of the process entitlement (CVE-2020-9977)
  56. An inconsistent user interface issue was addressed with improved state management (CVE-2020-9942)
  57. This issue was addressed with improved checks (CVE-2020-9991)
  58. This issue was addressed with improved entitlements (CVE-2020-10006)

macOS Server 5.11

  1. An issue existed in the parsing of URLs. This issue was addressed with improved input validation (CVE-2020-9995) 

tvOS 14.3

  1. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-27948)
  2. An information disclosure issue was addressed with improved state management (CVE-2020-27946)
  3. A memory corruption issue existed in the processing of font files. This issue was addressed with improved input validation (CVE-2020-27943, CVE-2020-27944)
  4. An out-of-bounds read was addressed with improved input validation (CVE-2020-29617, CVE-2020-29619)
  5. An out-of-bounds read was addressed with improved input validation (CVE-2020-29618)
  6. An out-of-bounds write issue was addressed with improved bounds checking (CVE-2020-29611)
  7. A use after free issue was addressed with improved memory management (CVE-2020-15969)

Safari 14.0.2

  1. A use after free issue was addressed with improved memory management (CVE-2020-15969)

Successful exploitation of the most severe of these vulnerabilities could result in arbitrary code execution within the context of the application, an attacker gaining the same privileges as the logged-on user, or the bypassing of security restrictions. Arbitrary code execution means the attacker can run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page. Depending on the permissions associated with the application running the exploit, an attacker could then install programs or view, change, or delete data.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate patches provided by Apple to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not download, accept, or execute files from untrusted or unknown sources.
  4. Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

https://support.apple.com/en-us/HT212003

https://support.apple.com/en-us/HT212004

https://support.apple.com/en-us/HT212005

https://support.apple.com/en-us/HT212006

https://support.apple.com/en-us/HT212007

https://support.apple.com/en-us/HT212009

https://support.apple.com/en-us/HT212011

https://support.apple.com/en-us/HT211932

https://support.apple.com/en-us/HT211931


Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 12-4-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome. In the most severe cases the vulnerabilities could allow arbitrary code execution. Google Chrome is a web browser commonly used to access the Internet. The vulnerabilities may allow the attacker to view, change or delete data. If Google Chrome is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Google Chrome versions prior to 87.0.4280.88

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been found in Google Chrome; in the most severe cases they may allow for arbitrary code execution. Arbitrary code execution means the attacker can run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. A security vulnerability due to a use-after-free error. Specifically, this issue affects the clipboard component. (CVE-2020-16037)
  2. A security vulnerability due to a use-after-free error. Specifically, this issue affects the media component. (CVE-2020-16038)
  3. A security vulnerability due to a use-after-free error. Specifically, this issue affects the extensions component. (CVE-2020-16039)
  4. A security vulnerability that occurs because data is not properly validated in V8. (CVE-2020-16040)
  5. A security vulnerability due to an out-of-bounds read in networking. (CVE-2020-16041)
  6. A security vulnerability due to an uninitialized use in V8. (CVE-2020-16042)

In severe cases the exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. An attacker can view, change or delete data depending on the privileges associated with the application. If Google Chrome is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:

Google:

Read more about this update at https://chromereleases.googleblog.com/2020/12/stable-channel-update-for-desktop.html 


Multiple Vulnerabilities in Mozilla Firefox and Thunderbird Could Allow for Arbitrary Code Execution - 11-18-2020 

OVERVIEW:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird. In the most severe cases the vulnerabilities could allow arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation of these vulnerabilities may result in arbitrary code execution. The vulnerabilities may allow the attacker to view, change or delete data, or create new accounts with full user rights. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Mozilla Firefox versions prior to 83
  2. Mozilla Firefox ESR versions prior to 78.5
  3. Mozilla Thunderbird versions prior to 78.5

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird; in the most severe cases they may allow for arbitrary code execution. Arbitrary code execution means the attacker can run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. A parsing and event loading mismatch in Firefox's SVG code could have allowed load events to fire, even after sanitization. An attacker already capable of exploiting an XSS vulnerability in privileged internal pages could have used this attack to bypass our built-in sanitizer. (CVE-2020-26951)
  2. When drawing a transparent image on top of an unknown cross-origin image, the Skia library drawImage function took a variable amount of time depending on the content of the underlying image. This resulted in potential cross-origin information exposure of image content through timing side-channel attacks. (CVE-2020-16012)
  3. It was possible to cause the browser to enter full screen mode without displaying the security UI; thus making it possible to attempt a phishing attack or otherwise confuse the user. (CVE-2020-26953)
  4. In some cases, removing HTML elements during sanitization would keep existing SVG event handlers and therefore lead to XSS. (CVE-2020-26956)
  5. Firefox did not block execution of scripts with incorrect MIME types when the response was intercepted and cached through a ServiceWorker. This could lead to a cross-site script inclusion vulnerability, or a Content Security Policy bypass. (CVE-2020-26958)
  6. During browser shutdown, reference decrementing could have occurred on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. (CVE-2020-26960)
  7. In Freetype, if PNG images were embedded into fonts, the Load_SBit_Png function contained an integer overflow that led to a heap buffer overflow, memory corruption, and an exploitable crash. (CVE-2020-15999)
  8. When DNS over HTTPS is in use, it intentionally filters RFC1918 and related IP ranges from the responses as these do not make sense coming from a DoH resolver. However when an IPv4 address was mapped through IPv6, these addresses were erroneously let through, leading to a potential DNS Rebinding attack. (CVE-2020-26961)
  9. Mozilla developers Steve Fink, Jason Kratzer, Randell Jesup, Christian Holler, and Byron Campen reported memory safety bugs present in Firefox 82 and Firefox ESR 78.4. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2020-26968)
  10. Incorrect bookkeeping of functions inlined during JIT compilation could have led to memory corruption and a potentially exploitable crash when handling out-of-memory errors. (CVE-2020-26952)
  11. During browser shutdown, reference decrementing could have occurred on a previously freed object, resulting in a use-after-free, memory corruption, and a potentially exploitable crash. (CVE-2020-26959)
  12. Cross-origin iframes that contained a login form could have been recognized by the login autofill service, and populated. This could have been used in clickjacking attacks, as well as be read across partitions in dynamic first party isolation. (CVE-2020-26962)
  13. Repeated calls to the history and location interfaces could have been used to hang the browser. This was addressed by introducing rate-limiting to these API calls. (CVE-2020-26963)
  14. If the Remote Debugging via USB feature was enabled in Firefox for Android on an Android version prior to Android 6.0, untrusted apps could have connected to the feature and operated with the privileges of the browser to read and interact with web content. The feature was implemented as a unix domain socket, protected by the Android SELinux policy; however, SELinux was not enforced for versions prior to 6.0. This was fixed by removing the Remote Debugging via USB feature from affected devices. (CVE-2020-26964)
  15. Some websites have a "Show Password" feature where clicking a button changes a password field into a text field, revealing the typed password. If, when using a software keyboard that remembers user input, a user typed their password and used that feature, the type of the password field was changed, resulting in a keyboard layout change and the possibility for the software keyboard to remember the typed password. (CVE-2020-26965)
  16. Searching for a single word from the address bar caused an mDNS request to be sent on the local network searching for a hostname consisting of that string; resulting in an information leak. Note: This issue only affected Windows operating systems. Other operating systems are unaffected. (CVE-2020-26966)
  17. When listening for page changes with a Mutation Observer, a malicious web page could confuse Firefox Screenshots into interacting with elements other than those that it injected into the page. This would lead to internal errors and unexpected behavior in the Screenshots code. (CVE-2020-26967)
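Item 8 above (CVE-2020-26961) is a validation gap rather than a memory bug: the resolver-side filter compared only literal IPv4 answers against the private ranges, so an IPv4-mapped IPv6 answer (`::ffff:10.0.0.1`) parsed as IPv6 and passed through. The following Python is an added illustration of that failure mode and its fix, written for this page; it is not Mozilla's code, and the answer set it filters is constructed sample data.

```python
"""Filter private/loopback answers out of a DoH response, including
IPv4-mapped IPv6 forms. Added example; not Mozilla's implementation."""
import ipaddress

# Ranges a public DoH resolver has no business returning for a public name:
# RFC 1918, loopback, link-local, unspecified, and the IPv6 counterparts.
BLOCKED_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
)]
BLOCKED_V6 = [ipaddress.ip_network(n) for n in (
    "::1/128", "::/128", "fc00::/7", "fe80::/10",
)]


def naive_is_blocked(text):
    """The flawed check: an answer is matched against the list for the
    address family it literally parses as. '::ffff:10.0.0.1' parses as
    IPv6, matches nothing in BLOCKED_V6, and is let through."""
    addr = ipaddress.ip_address(text)
    nets = BLOCKED_V4 if addr.version == 4 else BLOCKED_V6
    return any(addr in net for net in nets)


def is_blocked(text):
    """Hardened check: unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d)
    and judge the embedded IPv4 address by the IPv4 rules."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    nets = BLOCKED_V4 if addr.version == 4 else BLOCKED_V6
    return any(addr in net for net in nets)


def filter_answers(answers, check=is_blocked):
    """Return only the answers that may be handed to the application."""
    return [a for a in answers if not check(a)]


# Constructed sample answer set for a public hostname; the last four entries
# are the ones a rebinding attempt would rely on.
SAMPLE_ANSWERS = [
    "198.51.100.7",       # public (TEST-NET-2, used here as a stand-in)
    "2001:db8::1",        # public (documentation prefix, stand-in)
    "10.0.0.1",           # RFC 1918, caught by both checks
    "::ffff:10.0.0.1",    # IPv4-mapped RFC 1918, missed by the naive check
    "::ffff:c0a8:101",    # same address family trick, hex form of 192.168.1.1
    "fe80::1",            # IPv6 link-local, caught by both checks
]

if __name__ == "__main__":
    print("naive   :", filter_answers(SAMPLE_ANSWERS, check=naive_is_blocked))
    print("hardened:", filter_answers(SAMPLE_ANSWERS))
```

The general lesson is the one the CVE text states: any allow/deny decision made on an address has to normalize the representation first (mapped, compatible and hex forms all name the same IPv4 host), or the check is only as strong as the parser's notion of "family".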

In severe cases the exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. An attacker can view, change or delete data depending on the privileges associated with the application. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

MacOS Big Sur Conflict with Sophos - 11-12-2020

Apple is releasing the latest operating system—MacOS 11 or Big Sur—for Macintosh computers Thursday, November 12. At this time, Sophos is not compatible with Big Sur. If you are using Sophos Home or using the Sophos Endpoint Protection campus license for antivirus/anti-malware, make sure that automatic updates are turned off on your Macintosh computer to avoid issues. 

Here is more information from Sophos. https://community.sophos.com/intercept-x-endpoint/f/recommended-reads/124012/sophos-endpoint-and-apple-macos-11-big-sur


A Vulnerability in Mozilla Firefox Could Allow for Arbitrary Code Execution - 11-12-2020

OVERVIEW:

A vulnerability has been discovered in Mozilla Firefox, Firefox Extended Support Release (ESR) and Mozilla Thunderbird. In the most severe cases this vulnerability could allow arbitrary code execution. Mozilla Firefox is a web browser used to access the internet. Mozilla Firefox ESR is a version of the web browser intended to be deployed in large organizations. Mozilla Thunderbird is an email client. Successful exploitation may result in arbitrary code execution. The vulnerability may allow the attacker to view, change or delete data, or create new accounts with full user rights. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Mozilla Firefox versions prior to 82.0.2
  2. Mozilla Firefox ESR versions prior to 78.4.0
  3. Mozilla Thunderbird versions prior to 78.4.1

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

A vulnerability has been discovered in Mozilla Firefox and Mozilla Firefox ESR; in the most severe cases it may allow for arbitrary code execution. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine. The vulnerability can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerability are as follows:

  1. In certain circumstances, the MCallGetProperty opcode can be emitted with unmet assumptions resulting in an exploitable use-after-free condition. (CVE-2020-26950)

In severe cases the exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser. An attacker could then view, change or delete data, depending on the privileges associated with the application. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply appropriate updates provided by Mozilla to vulnerable systems, immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

Multiple Vulnerabilities in Adobe Acrobat and Adobe Reader Could Allow for Arbitrary Code Execution (APSB20-67) - 11-3-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Adobe Acrobat and Adobe Reader. In the most severe cases these vulnerabilities could allow arbitrary code execution. Adobe Acrobat is software developed by Adobe Inc. to view, create, manipulate, print, and manage files in PDF format. Adobe Reader is the free viewer in the Adobe Acrobat family of software. Successful exploitation of these vulnerabilities may result in arbitrary code execution. A vulnerability may allow the attacker to view, change or delete data, or create new accounts with full user rights. If the account is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Acrobat DC (Continuous track) for Windows & macOS version 2020.012.20048 and earlier versions
  2. Acrobat Reader DC (Continuous track) for Windows & macOS version 2020.012.20048 and earlier versions
  3. Acrobat 2020 (Classic 2020) for Windows & macOS version 2020.001.30005 and earlier versions
  4. Acrobat Reader 2020 (Classic 2020) for Windows & macOS version 2020.001.30005 and earlier versions
  5. Acrobat 2017 (Classic 2017 track) for Windows & macOS version 2017.011.30175 and earlier versions
  6. Acrobat Reader 2017 (Classic 2017 track) for Windows & macOS version 2017.011.30175 and earlier versions

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

Technical Summary:

Multiple vulnerabilities have been found in Adobe Acrobat and Adobe Reader; in the most severe cases these vulnerabilities may allow for arbitrary code execution. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. A heap-based buffer overflow vulnerability that could allow for arbitrary code execution. (CVE-2020-24435)
  2. An improper access control vulnerability that could allow for local privilege escalation. (CVE-2020-24433)
  3. An improper input validation vulnerability that could allow for arbitrary JavaScript execution. (CVE-2020-24432)
  4. A signature validation bypass vulnerability with minimal impact (defense-in-depth fix). (CVE-2020-24439)
  5. A signature verification bypass vulnerability that could allow for local privilege escalation. (CVE-2020-24429)
  6. An improper input validation vulnerability that could allow for information disclosure. (CVE-2020-24427)
  7. A security feature bypass vulnerability that could allow for dynamic library injection. (CVE-2020-24431)
  8. An Out-of-bounds write vulnerability that could allow for arbitrary code execution. (CVE-2020-24436)
  9. Multiple Out-of-bounds read vulnerabilities that could allow for information disclosure. (CVE-2020-24426, CVE-2020-24434)
  10. A race condition vulnerability that could allow for local privilege escalation. (CVE-2020-24428)
  11. Multiple use-after-free vulnerabilities that could allow for arbitrary code execution. (CVE-2020-24430, CVE-2020-24437)
  12. A use-after-free vulnerability that could allow for information disclosure. (CVE-2020-24438)

In severe cases the exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the application. An attacker could then view, change or delete data, or create new accounts with the privileges associated with the application. If the application is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Install the updates provided by Adobe immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit websites or follow links provided by unknown or untrusted sources.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution - 11-3-2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome. In the most severe cases these vulnerabilities could allow arbitrary code execution. Google Chrome is a web browser commonly used to access the Internet. A vulnerability may allow the attacker to view, change or delete data. If Google Chrome is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

While Google is aware of reports that an exploit for CVE-2020-16009 exists, there are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  1. Google Chrome versions prior to 86.0.4240.183

RISK:

Government:

  1. Large and medium government entities: High
  2. Small government entities: Medium

Businesses:

  1. Large and medium business entities: High
  2. Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been found in Google Chrome; in the most severe cases these vulnerabilities may allow for arbitrary code execution. Arbitrary code execution means the attacker is able to run code or commands of their choosing on the target machine. These vulnerabilities can be exploited if the user visits, or is redirected to, a specially crafted web page.

Details of the vulnerabilities are as follows:

  1. Use after free in user interface (CVE-2020-16004)
  2. Insufficient policy enforcement in ANGLE (CVE-2020-16005)
  3. Inappropriate implementation in V8 (CVE-2020-16006)
  4. Insufficient data validation in installer (CVE-2020-16007)
  5. Stack buffer overflow in WebRTC (CVE-2020-16008)
  6. Inappropriate implementation in V8 (CVE-2020-16009)
  7. Heap buffer overflow in UI on Windows (CVE-2020-16011)

In severe cases the exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. An attacker could then view, change or delete data, depending on the privileges associated with the application. If Google Chrome is configured to have fewer user rights, exploitation could have a smaller impact than if it was configured with administrative rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  1. Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  2. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  3. Do not visit untrusted websites or follow links provided by unknown or untrusted sources.

Fake Online Coronavirus Map Delivers Well-Known Malware

Health Sector Cybersecurity Coordination Center (HC3), March 10, 2020

EXECUTIVE SUMMARY:

A malicious website pretending to be the live map for Coronavirus COVID-19 Global Cases by Johns Hopkins University is circulating on the internet waiting for unwitting internet users to visit the website. Visiting the website infects the user with the AZORult trojan, an information stealing program which can exfiltrate a variety of sensitive data. It is likely being spread via infected email attachments, malicious online advertisements, and social engineering. Furthermore, anyone searching the internet for a Coronavirus map could unwittingly navigate to this malicious website.

Threat Details

A sample of the malware being deployed by “corona-virus-map[dot]com” was submitted for analysis and received an extremely malicious threat score of 100/100, with anti-virus (AV) detection at 76%. This sample was labelled by Hybrid-Analysis as a Trojan.

Recommendations

End users should be warned about this cybersecurity risk and security teams should blacklist any indicators associated with this specific threat. IOCs and Analysis may be found here: 

https://blog.reasonsecurity.com/2020/03/09/covid-19-info-stealer-the-map-of-threats-threatanalysis-report/

Requests for Information

Need information on a specific cybersecurity topic? Send your request for information (RFI) to or call us Monday-Friday, between 9am-5pm (EST), at (202) 691-2110


Changes to the Information Security Webpage (09/11/2019)

The Information Security department has redesigned the main page and streamlined navigation for easier information lookup. The items that were previously in the left sidebar have been moved and organized into modules on the homepage. The modules are as follows:

  • Breach & Incident Response – This page contains information about how to report a security incident such as lost or stolen CSUN-owned devices, unauthorized or accidental disclosure of Level 1 and 2 data, and Identity Theft. Selecting the “Submit a Security Incident Response” button will direct you to a form. Please complete this form in the event of a security incident.
  • Security Awareness Training – This page contains information, tips, and guides on how to access the mandatory security awareness training for staff and faculty.
  • Anti-Phishing – This page features tips and guides on how to identify, report, and prevent phishing attempts. Please take 30 seconds to watch the FBI video on phishing emails.
  • Risk Management – This page contains information about CSUN Risk Assessments and walks the user through the entire process. Information such as what is risk assessment and when it is required is also made available.
  • Vulnerability Management – This page contains information about the CSUN Vulnerability Assessments and walks the user through the entire process. Information such as what is vulnerability assessment and when it is required is also made available.
  • Policies & Standards – This page contains a table with links to every CSU and CSUN Information Security policy, standard, procedure, and guideline. Access forms such as Administrative Access and USB Exception and other resources related to our policies can be found here.
  • Tips & Guides – Access information for securing your personal and school devices, as well as learn about ransomware, copyright, certificates (SHA-2 and Intermediate), and other Information Security topics.
  • Security Blog – Access past security alerts and security articles.

Please contact the Information Security office at (818) 677-6100 or send an email at iso@csun.edu for any further inquiries.


Other Blog Posts


Back to School Security Tips (08/16/2019)

Typical Scams in the beginning of the year:

  • Phishing email containing “important information about your CSUN account,” or “problems with your enrollment” or “problems with financial aid”
  • Scams specifically designed to cheat students out of money, such as scholarship scams, fake “tuition payment processors”, textbook rental or book-buying scams, housing scams, tutoring scams, and work-from-home scams
  • Tech support call scams impersonating “the CSUN Help Desk”, Microsoft, Apple, etc. telling you there’s a problem with your computer
  • IRS impersonators demanding that students or their parents wire money immediately to pay a fake "federal student tax"
  • Messages with links to fake login pages, some containing CSUN logos.
  • Messages asking for your login information. CSUN will never ask for your password.
  • Fake friend requests on Facebook, Instagram or other social media
  • Fake Box, DocuSign, Adobe Sign or Google Doc notices.

How to keep your information safe:

  • Always think twice before clicking on links or opening attachments, even if they look like they're from someone you know. If you’re not sure, contact the sender by a method you know is legitimate to confirm they sent it.
  • Don’t trust contact information in suspicious e-mails or phone calls. Google the establishment and continue communication using the information you find. If you’re on the phone, hang up and call them back.
  • Approach unexpected messages, offers, and phone calls with a healthy skepticism.
  • Use a long, unique password for every account that matters. Reused passwords are a hacker’s dream. Site breaches like those at Facebook, Roll20, and Instagram expose your login information and dump it on the dark web. 8-character passwords can be cracked by a hacker in a few minutes, while a 25-character password would take that same hacker centuries. The longer the password, the more possible combinations there are to consider.
  • Use a password manager. Password managers can randomly generate long, unique passwords and remember them for you. They store all of your passwords so you only have to remember one strong password to log in to the app or plug-in.

CSUN will be implementing multi-factor authentication (MFA) for students this year. Look for announcements.

Additional Information About Specific Scams:

Tech support scams

Info from the IRS about fake "federal student tax" (from 2016, still relevant)

Scholarship scams

CSUN Phishing Examples

Tuition payment processor scams (from 2016, still relevant)

Fake login page scam specifically targeting university login pages


 

CamScanner App Discovered to be Trojan Malware (08/28/2019)

An app in the Google Play store was discovered to be Trojan malware. Trojan malware is a malicious program that disguises itself as something harmless or useful, so the user believes the app is safe and grants it sensitive information and access. CamScanner was considered a useful scanning and document management app and had been downloaded 100 million times before it was discovered to be a Trojan. An update to the app contained malicious ads that opened vulnerabilities. The developers of CamScanner were able to download and execute programs without restriction on infected devices. Since the discovery, Google has removed the CamScanner app from its app store. If you still have the app installed, it is highly recommended that you uninstall it.

As a rule of thumb, always read reviews and research the app before downloading it. Be cautious of permissions the app is requesting for use of microphone, contacts, camera, etc.

Source: IBTimes


 

Ransomware Attacks on Government Systems (08/23/2019)

In the past few months, state and local government agencies have been hit with targeted ransomware attacks. Ransomware is malicious software that blocks access to a computer’s system or files so an attacker can demand a “ransom” (money) for it to be unlocked. Sometimes ransomware is disguised as anti-virus software that won’t “remove viruses” until a sum is paid. New types of ransomware are discovered every year.

Local and state governments have been incidental victims of ransomware in the past; however, this appears to be the first time a string of them have been specifically targeted. Hackers are actively looking for vulnerabilities in government systems, and the number of ransomware attacks targeting governments is on the rise.

Some tips to protect yourself from ransomware:

  • Be wary of e-mail attachments from unfamiliar sources. If you are asked to “enable macros” to view attachments from an unknown source, delete the e-mail.
  • Back up data with an external drive or cloud service.
  • Keep software updated, including your operating system. Outdated systems and software are most vulnerable to attacks.
  • Don’t pay the ransom. Ransomware attackers are criminals, so there is no guarantee they will unlock your device or give back your information after they are paid. They may ask you to pay another sum, and another, and then never release your data.
  • Contact the authorities. Call the Information Security Office at (818) 677-6100 and your local FBI office.

For more information, please refer to our Ransomware page.

Source: Threatpost


 


Google Play Store Apps and Malware (08/14/2019)

Many apps in the Google Play Store (the app store for Android phones) are actually malware or are bundled with malware. These apps have been downloaded and installed more than 100 million times. The malware is hidden in or bundled with common apps such as dictionaries, online maps, audio players, and bar code scanners. Such apps are developed with enough sophistication that a user is unable to tell apps that contain malware from legitimate apps. The malware is designed to start its attack approximately 8 hours after the app launches. Google also found that millions of Android phones come with pre-installed malware posing as legitimate apps. These apps download other apps and plug-ins in the background without the phone owner’s permission, send costly text messages, and generate ad fraud.

In an attempt to fight malicious apps, Google has developed Google Play Protect. Play Protect regularly checks the apps and device for harmful behavior, and if any security risks are found, it notifies the phone owner. For more information on how to use Google Play Protect, refer to the Google Help Page.

How to Protect my Phone:

  1. Make sure that Google Play Protect is enabled.
  2. Only download apps that have the “Verified by Play Protect” tag.
  3. If there are any pre-installed applications on your device that you don’t need or find suspicious, uninstall or disable them. Be careful to not uninstall or disable any Android operating system services, as this can cause your phone to not function properly. Research the app/service name before you disable or uninstall.
  4. Understand what you are giving permission to. When you first install an app, it will most likely request permission to access phone components such as camera, location, microphone, and storage. If a calculator app is requesting permission to access your phone camera, then that is a red flag.
  5. Always keep your phone up to date with the latest updates. These updates often contain the monthly security patches.

Getting Started in Cybersecurity (08/9/2019)

Have an interest in information security and not sure where to start? Certifications are a great way to get your foot in the door. There are several road-maps online that detail the order in which you should complete the training courses for your desired cybersecurity path, but one thing each path has in common is that you should start with the beginner CompTIA Security+ certification.

Security+ evaluates the baseline, hands-on security and networking skills needed to start in the IT and security industry.

CSUN offers free access to LinkedIn Learning (formerly Lynda.com) which offers CompTIA resources. There are a variety of courses and learning plans offered by contributors to help you figure out your path and get started. Affordable books for CompTIA prep can also be found on Amazon.

Other ways to expand your knowledge:

  • Join Layer8 – CSUN's Cybersecurity club that offers lectures, courses, and participates in competitions like CCDC
  • Apply for a job – There are on-campus and off-campus opportunities for jobs and internships in Information Technology
  • Study at home – Set up a lab at home with virtual machines, watch YouTube videos, and follow industry professionals on Twitter
  • Participate in beginner cybersecurity competitions – National Cyber League opens registration yearly. The competition is beginner friendly and has training and learning opportunities.

Emails Impersonating Staff and Faculty (8/7/2019)

CSUN continues to be targeted by phishing emails due to compromised accounts. Phishing is the fraudulent act of impersonating a well-known establishment or contact to obtain personal information such as passwords and credit card numbers. The most recent phishing attempts at CSUN are emails impersonating a member of staff or faculty, offering a paid job or an internship. As soon as Information Security is informed of the fraudulent emails, the compromised account of the faculty or staff is suspended and the compromised account holder's password is reset.

Phishing e-mails impersonating staff typically have the following characteristics:

  • Poor grammar and spelling
  • Vagueness
  • E-mail address and name of sender are inconsistent
  • Offers that seem too good to be true
  • Request to continue correspondence elsewhere (asked for personal e-mail, home address, phone number)
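The characteristics above can be turned into a simple triage score for a mail-security or help-desk workflow. The following is an added example, not code from CSUN Information Security; the staff directory, trusted domains, phrase lists and sample messages are all constructed for illustration, and the thresholds are assumptions to tune for your own environment.

```python
"""Score e-mails for the staff-impersonation characteristics listed above."""
from email.utils import parseaddr

# Constructed directory: display name -> expected campus address (hypothetical).
STAFF_DIRECTORY = {
    "Jane Doe": "jane.doe@csun.edu",
    "John Roe": "john.roe@csun.edu",
}

# Phrase lists for two of the listed characteristics (constructed, matched
# case-insensitively): "too good to be true" offers and requests to move the
# conversation off campus e-mail.
OFFER_PHRASES = ("paid job", "internship", "per week", "work from home", "earn $")
ELSEWHERE_PHRASES = ("personal e-mail", "personal email", "phone number",
                     "home address", "text me", "whatsapp")


def sender_inconsistent(from_header):
    """True when the display name belongs to a known staff member but the
    address is not that person's campus address, or when the display name
    itself looks like an address that the real address does not match."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip(), addr.lower()
    expected = STAFF_DIRECTORY.get(name)
    if expected and addr != expected:
        return True
    # e.g. From: "jane.doe@csun.edu" <random123@example.net>
    if "@" in name and name.lower() != addr:
        return True
    return False


def score_message(msg):
    """Return (score, reasons) for a message given as a dict with
    'from', 'subject' and 'body' keys. Each matched characteristic adds 1."""
    reasons = []
    if sender_inconsistent(msg.get("from", "")):
        reasons.append("sender name and address are inconsistent")
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    if any(p in text for p in OFFER_PHRASES):
        reasons.append("offer that may be too good to be true")
    if any(p in text for p in ELSEWHERE_PHRASES):
        reasons.append("asks to continue correspondence elsewhere")
    # Vagueness heuristic (assumed rule of thumb): a short body that never
    # mentions the campus, a course, or any concrete context.
    if len(msg.get("body", "").split()) < 40 and "csun" not in text:
        reasons.append("vague, short body with no campus context")
    return len(reasons), reasons


def is_suspicious(msg, threshold=2):
    """Flag for human review when at least `threshold` characteristics match."""
    return score_message(msg)[0] >= threshold


# Constructed sample messages: one impersonation attempt, one legitimate note.
SAMPLE_MESSAGES = [
    {
        "from": '"Jane Doe" <jane.doe.csun@gmail.com>',
        "subject": "Research Assistant Opportunity",
        "body": ("I am looking for a student for a paid job as my personal "
                 "assistant, $300 per week. Reply with your personal e-mail "
                 "and phone number so we can continue."),
    },
    {
        "from": '"Jane Doe" <jane.doe@csun.edu>',
        "subject": "Office hours this week",
        "body": ("Reminder that office hours for COMP 429 are moved to "
                 "Thursday at 2pm in Jacaranda Hall. See the CSUN Canvas "
                 "page for details."),
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        score, reasons = score_message(m)
        verdict = "SUSPICIOUS" if is_suspicious(m) else "ok"
        print(f"{verdict:10} score={score} from={m['from']}")
        for r in reasons:
            print("   -", r)
```

Messages that score at or above the threshold are candidates for forwarding to abuse@csun.edu as described below, not for automatic deletion.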

If you receive a suspicious e-mail, forward it to abuse@csun.edu to ensure we take the appropriate steps. If you were a victim of fraud that resulted from the compromised account, please contact the CSUN Department of Police Services at (818)-677-1200. Please also refer to our phishing page for more examples and tips on avoiding e-mail scams.


 

Equifax Breach Settlement (07/30/2019)

The Equifax Data Breach of 2017 involved hackers accessing client information such as Social Security numbers and driver’s license numbers. If your personal data was among those exposed, you may now get back money spent on services purchased to protect yourself from identity theft, such as credit monitoring services. Payouts are capped at $20,000 per person, and a claim for credit monitoring services alone can receive up to $125. The deadline to file a claim is 01/22/2020.

To submit a claim:

  1. Check to see if your information was impacted by the security breach. You will need to provide your last name and the last six digits of your SSN.
  2. File a claim on the Equifax Data Breach Settlement page. Multiple claims may be submitted.
  3. Gather documents showing proof of expenses lost due to the breach and other relevant information or losses, including protection services paid for, fraudulent charges, and freezing accounts.

Zoom Video Conference Software Vulnerability (07/10/2019)

Two vulnerabilities in the Zoom video conference software have been discovered which, if exploited, affect a user’s privacy. A hacker can disguise a Zoom video conference link as a website URL or include it within an advertisement. When clicked, it forcibly joins the user to the hacker’s call without their permission. When users connect to the hacker’s call, it also automatically enables the user’s video camera. Another vulnerability allows a hacker to perform a local Denial of Service (DoS) attack that affects the user’s ability to use their machine by sending them an endless number of meeting requests. Deleting the Zoom software does not fix the issue because the uninstallation process does not remove all the Zoom components (the local web server) from the computer.

Am I Affected?

Mac users running Zoom software version 4.4.2 or earlier are affected. If you have previously installed and uninstalled Zoom software, your computer will still have the Zoom local web server installed, which can reinstall the Zoom software without any interaction from you besides clicking on the malicious URL.

What Should I Do?

  1. Make sure your Zoom software is the latest version. Versions prior to 4.4.2 are affected. A CSUN-owned device that is managed centrally by IT will automatically receive an update. All personal computers should be updated manually to the latest version. You can download the latest version from the Zoom Downloads page.
  2. Check the “Turn off my video when joining a meeting” option from Zoom settings. This will disable the video camera when you join a meeting until you give Zoom permission to access your camera.

More information about the vulnerability is available at the Zoom Blog and the Medium page. If you need assistance with updating your Zoom application please contact the IT Help Center.

World Password Day (05/02/2019)

May 2nd is known as World Password Day—a day to raise awareness of the importance of strong login credentials. However, passwords in general are no longer a secure way to protect your accounts. Here is why:

Too many easy, reused passwords - Passwords are needed for almost everything, meaning we must keep track of several unique combinations of letters and symbols. A common solution to this task is making something easy to remember and reusable. "123456," "123456789," "qwerty," and "password" remain the most popular password choices. More than 50% of users rely on the same password across multiple accounts. Reusing passwords leaves you vulnerable to credential stuffing: an attack where previously breached usernames and passwords are used to gain access to multiple websites where the user has the same credentials. It is one of the most common techniques used to take over user accounts.

Phishing attacks - Phishing, fake e-mails that impersonate a known business and urgently request you verify your credentials, remains the leading method of attack. CSUN has had several instances of attackers attempting to hijack student accounts through impersonation. For more about Phishing attacks, refer to our information page on Fraud E-mails.

Corporate negligence - Every year there are cases of compromised accounts due to corporate negligence. Big companies like Facebook, who compromised millions of Instagram passwords just this year, are not immune. Billions of e-mails and millions of passwords are stored on hacker forums.

Protect your account by looking out for phishing attacks, setting up multi-factor verification when available, and using a password manager. Password managers are a secure way to store and autofill all of your credentials with one master password. They can even generate strong, unique passwords for the user that they never need to memorize.

If you think your data may be compromised, please file an Incident Report with Information Security. 


 

Fraudulent Email from Wells Fargo (04/01/2019)

An email claiming to be from Wells Fargo Advisors was received by some campuses on April 1st 2019. The email message claimed that a security update was required and asked the recipient to click on the link provided in the email to update their information and keep the account active.

If you receive an email from Wells Fargo Advisors, do not click on any links in the email. If you feel the need to contact Wells Fargo, please do not use the phone number listed in the email. Instead, visit www.wellsfargo.com directly and call the customer service number listed on the website.

This email is a phishing scam that attempts to lure users to click on a link and give up their information. For more phishing examples, visit the Phishing Examples page.


 

Chegg Breach (09/26/2018)

Chegg, a textbook rental and online tutoring company based in Santa Clara, plans to reset passwords for 40 million users following the discovery of a breach dating back to April 2018. From Chegg's web site: "An unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company's family of brands such as EasyBib."  Chegg said the hacker(s) "may have" gained access to user data such as names, email addresses, shipping addresses, Chegg.com usernames, and Chegg.com passwords.

Although the passwords were hashed, which should mean they are protected, it is important to change your password in Chegg and in any other application where you used the same or a similar password. Always remember to use a separate password for each application or site you are enrolled in.


 

Spam Calls From ‘405’ Area Code Hitting Campus (08/30/18)

Calls from a ‘405’ area code phone number, 405-549-9807, were received by some campus phones on August 30, 2018. The recorded message indicated that a lawsuit had been filed and requested your immediate attention.

If you see a call from this number come through, do not answer it. If a voicemail is left, delete the message and do not call them back at the number provided. This call is an attempt to gain your personal information and should be ignored.


 

Back to School Security Tips (08/27/2018)

Welcome back to school. Here are some security tips to keep your data safe as you start a new semester at CSUN.

  • Stop.Think.Click. Phishing and other malware scams rely on our habit to click first, think later. Phishing scams can be incredibly believable. We have many examples on our phishing web site. Please have a look. Hackers can be very clever. 
  • Be careful with social media: Make sure you understand who can see your posts. 
  • Place a fraud alert on your credit report: This will limit the damage caused by identity theft. 
  • Turn off Flash: Flash Player is popular with hackers. They exploit Flash by inserting malicious bits of code into ad networks used by well-known businesses. 
  • Check your apps: Mobile applications can only do what you let them do. Review permissions on your apps. 
  • Keep programs up-to-date: Most applications on all of your devices have automated update features. Turn them on.
  • Use unique passwords: A single password used on all of your sites is a hacker's best friend. A password stolen from an unimportant game site with lax security can then be used to break into your bank account and other important sites. Unique passwords limit the damage to one site. Also consider using a password manager.
  • Think before you click. - see #1. It's important.

Extortionware/Doxware (07/12/18)

We are receiving information from our higher education information security intelligence sources that there is a blackmail/phishing scam hitting multiple higher education institutions around the country, including the UC. We have not been advised of any attempts against CSU campuses so far.

This particular attempt is a form of what is known as “Sextortion.” In most cases the scam message displays a password that may appear to be, or actually is, the user's password, which the sender claims to have obtained from an adult content website. The passwords were actually harvested from past breaches of companies, some as long as a decade ago, and hackers have posted the credentials on the DarkWeb or sites like PasteBin. These are sites used by hackers to trade, sell and display credentials they have compromised.

The current scam purports to have obtained the user's password from an adult (porn) site and threatens to reveal the user's online behavior to others unless a ransom is paid in Bitcoin (internet currency).

The FBI advises:

  • Never send compromising images of yourself to anyone, no matter who they are — or who they say they are.
  • Don’t open attachments from people you don’t know, and in general be wary of opening attachments even from those you do know unless they are expected.
  • Turn off [and/or cover] any web cameras when you are not using them.

Please report the receipt of any of these messages or similar phishing attempts to the Support Center: itsupportcenter@calstate.edu

The CSU’s Responsible Use policy can be found in ICSUAM 8105 located online at https://www2.calstate.edu/policies


 

Change Your Twitter Password (5/3/2018)

Twitter is telling its users to consider changing their passwords. The company discovered that it was logging user passwords in clear text and blogged about it in a post by Twitter's CTO. CSUN recommends that you change your Twitter password. If you used your CSUN userid and password for your Twitter account, please also change your CSUN password.


 

Post Office Mail Scam (2/26/2018)

The USPS has a service that allows you to see a preview of your snail mail on-line. Unfortunately, when the USPS rolled this out, their identity verification was lax and no notification was sent to the mail owner when someone signed up. Therefore, it was easy for scammers to sign up to get a preview of your mail and know when credit cards, bank statements or checks were delivered. The USPS has implemented a new notification system to alert you when someone signs up. It is suggested that you sign up for this notification process.


 

Chase Bank Mobile Glitch Exposes Customer Data (2/25/2018)

JP Morgan Chase & Co. suffered a glitch that gave some customers logging in to on line systems access to other clients’ accounts instead of their own. This software glitch occurred last week. If you logged into your account on line or via the mobile app, it is suggested that you monitor your account closely.


 

W-2 Scam Alert (2/22/18)

The Internet Crime Complaint Center (IC3) has issued an alert on the increase in W-2-related phishing campaigns. Hackers often use tax-related phishing to get individuals to give up personally identifiable information (PII), click on a malicious link, open a malware-infested attachment or pay a ransom. Note that the IRS does not initiate contact via email. If it looks suspicious or you are asked to give up PII, it is more than likely a phishing email.


 

Chrome Browser Scam/Ransomware (2/8/2018)

Security researchers are reporting that hackers are exploiting a bug in Chrome to try to extort money from unsuspecting users. The way it works is that upon navigating to a hacked or invalid web site, your browser may display a message telling you to call a number, then lock up the browser and eventually your Windows machine. If you encounter this issue on Windows, you may use Task Manager to kill the Chrome browser or you can reboot your machine. On MacOS your Mac will eventually tell you that your browser is unresponsive. Under no circumstances should you call the number popping up on your machine. Chrome has not yet issued a patch.


 

Another Flash Exploit (2/1/2018)

Adobe issued a security warning that attackers are exploiting a new security hole in its Flash Player software to hack into Microsoft Windows computers. Adobe said it will issue a fix in the next few days. Adobe is recommending that users turn on protected view in Windows to mitigate this issue. We recommend that all users turn on protected view on their computers.


 

File Taxes Early to Prevent Fraud (1/29/18)

Today, January 29th, is the first day you can file your 2017 tax return. A favorite tactic of scammers and hackers is to file a false tax return using your stolen identity and receive a large tax refund. Tax return fraud impacts hundreds of thousands of US taxpayers annually and is expected to climb this year due to the Equifax breach. One way to prevent this fraud is to not wait until April 15th but file as early as possible.

If you were a victim of the Equifax breach you should consider submitting an Identity Theft Affidavit (Form 14039) to the IRS. Also be aware that if you froze your credit due to the Equifax breach and you are required by the IRS to use a PIN to file electronically, you have some extra steps to perform.


 

Malware Bytes Update Causes Major Problems (1/29/18)

Malwarebytes released a production update on Saturday that can cause spikes in CPU use, resulting in slow performing or crashed computers. If you are using Malwarebytes please see the Malwarebytes Forum for remediation steps. 


 

Major Flaw in Hardware Leaves Computers, iPads and iPhones Vulnerable (1/08/18) 

Two major flaws in computer chips have left a huge number of computers, iPads and smartphones vulnerable to hackers. These flaws have been titled Spectre and Meltdown. The flaws are specific to Intel chips.

The flaws could potentially allow an attacker to read confidential data stored in computer or mobile device memory such as passwords, or sensitive data. Although the flaws are hardware based the fixes to make your device secure are software based.

The fixes are listed below. Please apply them as soon as possible to devices in your department. We will be pushing out many of these via SCCM and Jamf.

Microsoft

Red Hat

For Macs and iOS devices please make sure you have taken the latest patches

Google Devices and Chrome

AWS

Mozilla/Firefox