Week of 22 March 2019

Small Businesses Cyber Security Alerts

As always, we try to summarize and break down what some of these cyber attacks can mean to you in the context of general small business use. This week, while Apple didn’t report any new security updates, Microsoft did as part of its monthly ‘Patch Tuesday’, addressing many security issues. The popular web browsers also had some significant security updates.

 

Microsoft Windows:

Microsoft recommends that people avoid shared or common Windows log-on accounts, especially on the same physical machine. They, as well as we, consider this a significant security risk, as there is no “security boundary between sessions using the same user account” on the same system!

There are also some Windows updates addressing:

  • Preventing attackers from peering into portions of computer memory (like passwords you’ve typed in or saved) via a malicious document or by visiting an untrusted webpage.
    • References: 1, 2
  • Preventing attackers from gathering computer system information through a malicious program that could be downloaded in an email, through USB drives, or authentication. They could use this sensitive technical information to find a way into your computer systems.
    • References: 12, 3, 4, 5, 6
    • References: 1 and 2
  • Preventing attackers from viewing sensitive print spooler information in computer memory. This kind of information could disclose any past or present private documents you print to an attacker who has physical access to your computers.
    • Reference: 1
  • Additionally, there are more security updates for the following pieces of software:
    • Adobe Flash Player
    • Internet Explorer
    • Microsoft Edge
    • Microsoft Office and Microsoft Office SharePoint
    • Skype for Business

Please let Windows completely update itself upon reboot, force it to update, or manually download the updates yourself. Read more about updating Windows here.

Android-powered devices:

Earlier this month, new updates for Android devices were released to address various security vulnerabilities. The most severe issue for Android devices at the moment is a vulnerability that enables a remote attacker to use a specially crafted malicious file (one that you perhaps download through email and open) to run a custom (and likely malicious) program as if it had high privileges on your device. Such a program can do what it wants, like spy on what you do or capture passwords you type in.

While they have no reports of any cyber criminals exploiting this vulnerability, it remains present until your devices are updated.

Your device manufacturer should be on top of updates and should show a notification on your device (if you occasionally connect it to the internet) to update it to a newer version of Android or to install a security patch, etc. Be sure to check with your device manufacturer or provider if you feel you haven’t got the latest updates. If you have a Google-manufactured device, you can read their guides here.

Adobe Software:

Recent “Adobe Digital Editions” software for Windows has had security issues this month that could allow a cyber attacker to run malicious software code while you’re running the software. This would allow a cyber attacker, in a limited fashion, to do what they want with your machine while the software is running.

  • You can update Adobe Digital Editions here to fix the issue.

There is also another bulletin for the same issue, but for the popular Photoshop CC (Creative Cloud) for Windows and macOS.

  • You can update Photoshop CC here to fix the issue.

Keep in mind, Adobe regards these updates as “critical”, so we suggest updating your software as soon as possible.

Chrome:

In the past couple of weeks, a new version of the Chrome browser for desktop (and laptop) computers was released, along with updates for Chrome OS and Chrome Browser for Android. Chrome Browser 73 was released on March 12, with at least 60 cyber security fixes. These range from stopping attackers from potentially being able to fake browser interfaces (possibly leading to you clicking or downloading things you didn’t mean to) to stopping the malicious running of attackers’ program code (possibly being able to steal your data). Chrome OS and Chrome Browser for Android also address a number of similar security issues.

These fixes are updated in the latest versions of Chrome OS, Chrome Browser for Android, and Desktop Chrome (73.0.3683.86).

  • Learn to update desktop and mobile Chrome here
  • Learn to update Chrome OS here

Firefox:

The recently released Firefox 66 has received an update called 66.0.1. It addresses numerous critical security issues ranging from various memory corruption issues (allowing a website that you visit to crash and run malicious code that can potentially lead to stealing of your private information as you browse) to browser crashes (that can lead to the unauthorized reading and writing of information on your machine).

  • Learn to update Firefox here.