Weekly Cyber Reports

This Week in Cyber 12th May 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 11th May, 2023


Microsoft's May 2023 Patch - Critical Flaws and Zero-Day Exploits

Microsoft's May 2023 Patch Tuesday updates address 38 security flaws, including an actively exploited zero-day vulnerability. Of these, six are rated Critical and 32 are rated Important. One concerning flaw (CVE-2023-29336) grants attackers SYSTEM privileges. Urgent remediation is advised, and the U.S. CISA has added it to its Known Exploited Vulnerabilities catalogue. Two publicly known vulnerabilities also require attention: a critical remote code execution flaw (CVE-2023-29325) and a Secure Boot bypass (CVE-2023-24932). Installing the updates promptly and following the mitigation recommendations are crucial for system security.

Western Digital Confirms Data Breach - Customer Information Compromised

Digital storage giant Western Digital has experienced a data breach where an unauthorized third party gained access to its systems. Customer information from the company's online store was stolen, including names, addresses, emails, and phone numbers. Encrypted hashed passwords and partial credit card numbers were also compromised. The exact number of affected customers remains undisclosed. The breach follows a previous security incident reported by Western Digital in March 2023. The attackers, known as ALPHV (aka BlackCat) ransomware actors, allegedly possess around 10 terabytes of data and demanded a significant ransom from Western Digital. The group has published screenshots on the dark web, suggesting continued access to the company's systems. The company is actively investigating the incident and enhancing its security measures to prevent future breaches.

Critical Vulnerability in WordPress Plugin Exposes Websites to Privilege Escalation

A security vulnerability has been discovered in the popular WordPress plugin Essential Addons for Elementor, which could potentially lead to elevated privileges on affected sites. The vulnerability, tracked as CVE-2023-32243, has been addressed in version 5.7.2 of the plugin released on May 11, 2023. With over one million active installations, this issue has significant implications. The vulnerability allows unauthenticated users to escalate their privileges on WordPress sites, potentially resetting the passwords of arbitrary users. This flaw has existed since version 5.4.0 of the plugin and could be exploited to gain control of websites, particularly by compromising administrator accounts. The Essential Addons for Elementor plugin maintainers have acted promptly to address the vulnerability, urging website administrators to update to version 5.7.2 to protect against potential attacks.

Google Unveils New Privacy and Security Features at Google I/O 2023

Google unveiled a range of new privacy, safety, and security features at its annual developer conference, Google I/O. These initiatives aim to protect users from cyber threats, including phishing attacks and malicious websites, while providing greater control and transparency over their personal data.

The first of the newly introduced features is improved data control and transparency. Google has updated its Android operating system to give users better control over location sharing through installed apps. Permission requests will tell users if an app shares their information with third parties for advertising purposes, so they can approve or decline location sharing for each app and remain in control of their data.

Additionally, Google expanded its dark web scan reports to all Gmail users in the U.S. This feature scans the dark web for personally identifiable information such as names, addresses, emails, phone numbers, and Social Security numbers. Users are alerted if their sensitive data is found on sites not indexed by search engines, enabling them to take appropriate action.

Other notable features include an AI-powered Safe Browsing API that helps protect users from malicious websites and phishing attacks, as well as an expansion of the Content Safety API to detect and block abusive content or potentially harmful files in services like Google Drive. These new features prioritize user privacy, safety, and control over personal data, providing enhanced protection against online threats and greater transparency in data handling.

Tech Industry Leaders Warn of AI's Potential for Scams and Misinformation

Apple co-founder Steve Wozniak has raised concerns about the potential risks associated with artificial intelligence (AI), particularly in relation to scams and misinformation. Wozniak emphasized that "bad actors" could exploit the intelligence of AI technology to deceive people. He stressed the importance of clearly labelling AI-generated content and advocated for regulation within the industry. In March, Wozniak joined Elon Musk in signing a letter calling for a pause in the development of the most powerful AI models. While recognizing the benefits of AI, Wozniak expressed concerns about its potential to enhance the persuasiveness of malicious actors. He highlighted the sophistication of AI systems, such as ChatGPT, which can generate text that sounds remarkably intelligent. Wozniak believes that those who publish AI-generated content should assume responsibility for its consequences, emphasizing the need for accountability among major tech companies. This viewpoint aligns with the rise of sophisticated phishing attempts in which malicious actors can use AI to sound incredibly convincing and legitimate.

