By: Armando D’Onorio (CISSP, GSLC, GCCC), Ferrilli’s Chief Information Security Officer & Senior Consultant

We’re alerting our higher education community to act quickly and patch the latest vulnerabilities from Google and Microsoft:

• Google Chrome: An exploit for CVE-2022-1364 exists and it is strongly recommended that everyone install the latest Google Chrome update (100.0.4896.127) as soon as possible.
• Microsoft RDP: Critical Windows RPC CVE-2022-26809 flaw raises concerns due to its potential for widespread, significant cyberattacks. Therefore, all organizations need to apply Windows security updates as soon as possible.

Note: While our focus is on getting the academic systems updated, please remind your faculty, staff, and students to patch their personal devices.

More info about the vulnerabilities: 

​​​​Google Chrome

• Google officials did not release many details about the flaw, saying that information and links about the bug are being restricted until most users are updated. The emergency updates the company issued this week impacted almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. They will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but have not yet fixed. The vulnerability is a so-called “confusion” weakness in Chrome’s V8 JavaScript engine. This type of flaw often leads to browser crashes, but the high severity label for this specific vulnerability suggests that it could be the rarer kind that allows attackers to execute damaging code depending on the privileges associated with the application. An attacker could view, change, or delete data, according to the Center for Internet Security.

Microsoft RDP: CVSS:3.1 9.8 / 8.5

• Microsoft fixed this vulnerability as part of the April 2022 Patch Tuesday updates and rated it as ‘Critical,’ as it allows unauthorized remote code execution through a bug in the Microsoft Remote Procedure Call (RPC) communication protocol (TCP 445 and 135). If exploited, any commands will be executed at the same privilege level as the RPC server, which in many cases has elevated or SYSTEM level permissions, providing full administrative access to the exploited device. Security researchers believe the bug has the potential to be exploited in widespread attacks, like what we saw with the 2003 Blaster worm and 2017 Wannacry attacks utilizing the Eternal Blue vulnerability. Currently there are over 1.3 million devices exposing port 445 to the Internet, offering a massive pool of targets to exploit. It is important to stress that institutions should apply the patch because it can surface in several configurations of both client and server RPC services. This vulnerability is ideal for spreading laterally in a network and security experts believe we will surely see it used by ransomware gangs in the future.

What Version Should You Be on Google Chrome?
The latest fix will bring Chrome to version 100.0.4896.127 across Windows, Linux, and Mac platforms. Remind your users to close their browsers so the Chrome updates will be applied in the coming days and weeks, as Chrome automatically installs the latest patch when the browser is closed and relaunched.

If you have any questions or need assistance, please click here.