By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant
We’re alerting our higher education community to act quickly and patch the latest vulnerabilities from Google and Microsoft:
- Google Chrome: An exploit for CVE-2022-1364 exists and it is strongly recommended that everyone install the latest Google Chrome update (100.0.4896.127) as soon as possible.
- Microsoft RDP: Critical Windows RPC CVE-2022-26809 flaw raises concerns due to its potential for widespread, significant cyberattacks. Therefore, all organizations need to apply Windows security updates as soon as possible.
Note: While our focus is on getting the academic systems updated, please remind your faculty, staff, and students to patch their personal devices.
More info about the vulnerabilities:
Microsoft RDP: CVSS:3.1 9.8 / 8.5
- Microsoft fixed this vulnerability as part of the April 2022 Patch Tuesday updates and rated it as ‘Critical,’ as it allows unauthorized remote code execution through a bug in the Microsoft Remote Procedure Call (RPC) communication protocol (TCP 445 and 135). If exploited, any commands will be executed at the same privilege level as the RPC server, which in many cases has elevated or SYSTEM level permissions, providing full administrative access to the exploited device. Security researchers believe the bug has the potential to be exploited in widespread attacks, like what we saw with the 2003 Blaster worm and 2017 Wannacry attacks utilizing the Eternal Blue vulnerability. Currently there are over 1.3 million devices exposing port 445 to the Internet, offering a massive pool of targets to exploit. It is important to stress that institutions should apply the patch because it can surface in several configurations of both client and server RPC services. This vulnerability is ideal for spreading laterally in a network and security experts believe we will surely see it used by ransomware gangs in the future.
What Version Should You Be on Google Chrome?
The latest fix will bring Chrome to version 100.0.4896.127 across Windows, Linux, and Mac platforms. Remind your users to close their browsers so the Chrome updates will be applied in the coming days and weeks, as Chrome automatically installs the latest patch when the browser is closed and relaunched.
If you have any questions or need assistance, please click here.