Microsoft Patch Tuesday Fixes Nearly 120 Vulnerabilities; Mozilla Fixes Critical Flaw in Firefox; Microsoft: Cyberthreats are Compounded at Educational Institutions

Microsoft's Patch Tuesday for October 2024 includes fixes for nearly 120 security issues, including at least two that are being actively exploited. One of the already-exploited vulnerabilities is a high-severity improper neutralization issue in Microsoft Management Console that can be exploited to achieve remote code execution. The second is a moderate severity improper input neutralization vulnerability in Windows MSHTML Platform that could lead to spoofing.

Mozilla has updated Firefox and Firefox ESR to address a critical use-after-free vulnerability in Animation timelines. Mozilla says the flaw is being actively exploited. The vulnerability is fixed in Firefox 131.0.2, Firefox ESR 115.16.1, and Firefox ESR 128.3.1. The vulnerability has prompted national cybersecurity centers in Canada, Italy, and the Netherlands to issue advisories.

Nearly every quality of educational institutions puts them at "compounded" risk for cyberattack, according to an article by Microsoft Threat Intelligence. The breadth of data they process and services they provide; massive diversity in user age, IT literacy, profession, and level of involvement in various digital resources; and links to unsecure personal networks and devices, are only a few of the fundamental security challenges making education the "third-most targeted industry" for cyberattacks. The article also pinpoints the prevalence and ease of QR code phishing, an "openness and lack of controls" in email systems, and the risks of AI's place in school IT. Higher education presents unique "value and vulnerability" to attackers: "university presidents are effectively CEOs of healthcare organizations, housing providers, and large financial organizations," and universities often work with valuable intellectual property and sensitive research materials connected to government and defense applications. The authors note that defense is "more than a technology problem," and recommend "maintaining and scaling core cyberhygiene;" stressing the importance of risk awareness; exercising caution with QR codes; implementing protective domain name service; and educating users of all types while strengthening authentication practices.

This year, the SANS Holiday Hack Cybersecurity Challenge runs from November 7 through January 3. You can find more details about Holiday Hack Challenge 2024: Snow-maggedon here:

https://www.sans.org/mlp/holiday-hack-challenge-2024/

An October report from OpenAI details investigators' observation of ChatGPT and other AI tools in use by threat actors, allowing the company to both "disrupt" the activity and gain intelligence about intended techniques and targets. The report is an overview of case studies in which OpenAI models were used, sometimes by suspected state-affiliated hacking groups, for a wide assortment of "activity [that] ranged from debugging malware, to writing articles for websites, to generating content that was posted by fake personas on social media accounts," in many cases with intent to interfere in politics. Threat actors also prompted ChatGPT to suggest phishing lures designed to engage government employees, file names that would pass filters, and information about vulnerabilities in apps and "infrastructure belonging to a prominent car manufacturer.' OpenAI's disruption tactics amounted to banning accounts, monitoring for policy violations, building safeguards into models to refuse certain prompts, and sharing threat information. The company minimizes inherent security risk in the technology -- alleging it provides "shortcuts" rather than "novel capabilities" -- yet emphasizes the need for collaboration and "multi-layered defenses" against malicious use of AI models.

At two recent events in Washington, DC, CISA chief AI officer Lisa Einstein spoke to the need for human processes while using AI tools. At the NVIDIA AI Summit, Einstein said: 'These tools are not magic, they are still imperfect, and they still need to have a human in the loop and need to be used in the context of mature cybersecurity processes.' And at the Recorded Future's Predict 2024 event, she noted: 'AI learns from data, and humans historically are really bad at building security into their code ~ The human processes for all of these security inputs are going to be the most important thing. Your software assurance processes, it's not going to be just fixed with some magical, mystical AI tool.'

Fidelity has begun notifying more than 77,000 people that an unauthorized third party stole their personal information several weeks ago. The data thief created two accounts and used them to access the information between August 17 and 19. A Fidelity spokesperson said the incident was not a ransomware attack and that no funds were taken.

Pending its passage in parliament, a new bill would be the first 'Standalone Cybersecurity Act' in Australia. The overall aim is to 'bring Australia in line with international best practice,' referencing and building on the 2023-2030 Australian Cyber Security Strategy and the Security of Critical Infrastructure Act 2018. Among other provisions, the bill notably directs manufacturers of smart devices to comply with new security standards, obliges companies to report any ransom payment in the event of ransomware attack, establishes a 'Cyber Incident Review Board," and orients government communication channels and resources to better address cybersecurity issues.

Qualcomm's October 2024 Security Bulletin includes fixes for 20 vulnerabilities in their chipsets' firmware, including one that is being actively exploited. The high-severity use-after-free flaw in DSP service (CVE-2024-43047) was initially reported in July. The issue was detected by Google Project Zero and by researchers from Amnesty International, which indicates the vulnerability may have been exploited by state-sponsored threat actors and/or commercial surveillance tools. Other vulnerabilities addressed in the October release include a critical input validation flaw in the LAN resource manager (CVE-2024-33066) and two high-severity memory corruption flaws (CVE-2024-23369 and CVE-2024-33065).

Marriott International and their subsidiary Starwood Hotels have agreed to a proposed consent order that would serve as a settlement for several data breaches that affected more than 344 million people. Within 180 days of the effective date of the order, Marriott and Starwood must 'establish, implement and maintain a comprehensive information security program ('Information Security Program') that protects the security, confidentiality, and integrity of' customer data. In a separate, related action, Marriott has agreed to pay $52 million as part of a settlement with US states' Attorneys General.

A breach of the Internet Archive has compromised authentication information, including email addresses, screen names, and password hashes of 31 million users. Shortly after the breach was discovered, the site became the target of distributed denial-of-service (DDoS) attacks. The Internet Archive's founder Brewster Kahle posted on social media that they have disabled the JS library, scrubbed their systems, and are upgrading security.