CyberScotland Bulletin

Technical Bulletin January 2023

The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.

Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.

Microsoft Patch Tuesday

On January 10th, 2023, Microsoft released its latest Patch Tuesday updates, addressing a total of 98 security flaws across its various products.

One of the most critical vulnerabilities addressed in this round of updates is a privilege escalation flaw in the Windows Advanced Local Procedure Call (CVE-2023-21674, CVSS score: 8.8). This vulnerability, which has been observed in the wild, could be exploited to allow an attacker to gain SYSTEM privileges after escaping from a sandbox.

Other notable vulnerabilities addressed by these updates include further privilege escalation vulnerabilities in the Windows Credential Manager (CVE-2023-21726, CVSS score: 7.8) and three others affecting the Print Spooler component (CVE-2023-21678, CVE-2023-21760, and CVE-2023-21765).

As always, it’s highly recommended to apply these updates as soon as possible to secure your systems against potential attacks.

Linux malware exploits in multiple WordPress Plugins

A new strain of Linux malware is targeting WordPress sites by exploiting vulnerabilities in 30 different plugins and themes, which include WP Live Chat Support, Yuzo Related Posts, Yellow Pencil Visual CSS Style Editor, and others.

Outdated versions of these plugins lack the crucial fixes to these vulnerabilities. The targeted web pages are injected with malicious JavaScript, causing users to be redirected to other sites when they click on any area of the attacked page.

WordPress users are recommended to keep all components of the platform up to date, including third-party add-ons. Users must make sure to use strong and unique logins and passwords to secure their accounts, and enable multi-factor authentication wherever possible.

JsonWebToken Library RCE flaw fixed

Auth0 recently fixed a flaw in the jsonwebtoken library, widely used in over 22,000 projects and downloaded 10 million times per week, which could lead to remote code execution. The vulnerability, tracked as CVE-2022-23529 (CVSS Score: 7.6), affects all versions below 8.5.1 and was fixed in version 9.0.0.

Exploiting the vulnerability could allow an attacker to execute arbitrary code, access and manipulate data, and gain complete control of a web server.

API Vulnerabilities found in 16 Major Car Brands

A group of seven security researchers have discovered multiple vulnerabilities in vehicles from 16 car makers, including bugs that could allow control of various car functions including engine start/stop. They also found vulnerabilities that expose customer and employee information, and allow account takeover. The vulnerabilities were found in telematics and control systems and infrastructure.

The impacted car brands include Acura, BMW, Ferrari, Ford, Genesis, Honda, Hyundai, Infiniti, Jaguar, Kia, Land Rover, Mercedes-Benz, Nissan, Porsche, Rolls Royce, and Toyota. Manufacturers released patches after being informed of the vulnerabilities in 2022.

CiSP – The Cyber Security Information Sharing Partnership

The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK […]

Scottish Information Sharing Network (SciNET Group)

SciNet is a community for Scottish businesses to engage on CiSP. The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and […]

Early Warning Service

The NCSC provides a free service to organisations to inform them of threats against their network. This service will notify you of all cyber attacks detected by the feed suppliers against your organisation and is designed to complement your existing […]

Cyber and Fraud Centre – Scotland