Security Alerts & Warnings

Another Zero-Day flaw in the Chrome web browser for Windows, Macintosh, and Linux computers and Microsoft's Chromium-based Edge browser. 

A zero-day flaw has been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaw (CVE-2022-1096) is a high severity flaw on the CVSS vulnerability-rating scale. It is a type confusion weakness in the Chrome V8 JavaScript engine reported by an anonymous security researcher.

Google has released a fix to address this zero-day vulnerability (version 99.0.4844.84).  Shortly after Google released Chrome 99.0.4844.84, Microsoft announced that it has updated its Chromium-based Edge browser to version 99.0.1150.55, to resolve CVE-2022-1096. 

You can checked for new updates in Chrome by going into Chrome menu > Help > About Google Chrome.  Most Chrome and Edge browser will auto-updated AND the update requires the browser to be restarted.  Considering the disclosed vulnerability, you should update your Chrome browser to the latest version (at least 99.0.4844.84) or Microsoft Edge browser to the latest version (at least 99.0.1150.55) as soon as possible.  These web browser will also auto-check for new updates and automatically install them after the next re-start or launch.   

Double-check your browser is up-to-date

Chrome and Edge browsers will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.

In Chrome, click on Settings  then About Chrome

If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 99.0.4844.84 
Additional Details

With this update, Google addressed the second Chrome zero-day since the start of 2022, the other one (tracked as CVE-2022-0609) patched last month.

(References: https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-used-in-attacks; https://www.securityweek.com/google-issues-emergency-fix-chrome-zero-day; https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html )

Please see the Chrome Security Page and the Chrome Releases webpages for more information.
 

Zero-Day flaws in the Firefox web browser for Windows, Macintosh, and Linux computers

Two zero-day flaws have been found in the Mozilla Firefox web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2022-26485 and CVE-2022-26486) have been described as use-after-free issues impacting the Extensible Stylesheet Language Transformations (XSLT) parameter processing and the WebGPU inter-process communication (IPC) Framework.  Both are critical severity flaws on the CVSS vulnerability-rating scale. 

Mozilla acknowledged that "We have had reports of attacks in the wild" weaponizing the two vulnerabilities.

In light of active exploitation of the flaws, if you have a Firefox browser, it is recommended to upgrade as soon as possible to these versions: Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, Focus 97.3.0, or Thunderbird 91.6.2. 
Most Firefox browsers will auto-updated and the update requires the browser to be restarted.

Double-check your Firefox  Browser is up-to-date

Firefox will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.

In Firefox, click on Settings  then General and scroll down to Firefox Updates

If the browser is up-to-date, it will say "Firefox is up to date" and list the version number. Make sure it's at least Firefox 97.0.2, Firefox ESR 91.6.1, or Firefox for Android 97.3.0

Additional Details

One vulnerability (CVE-2022-26485) - Removing an XSLT parameter during processing could lead to an exploitable use-after-free situation.  (Use-after-free bugs – which could be exploited to corrupt valid data and execute arbitrary code on compromised systems.) 
The other vulnerability (CVE-2022-26486) - An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added the two Firefox zero-day vulnerabilities, along with nine other bugs, to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply the fixes by March 21, 2022.

(References: https://thehackernews.com/2022/03/2-new-mozilla-firefox-0-day-bugs-under.html,  https://www.bitdefender.com/blog/hotforsecurity/mozilla-firefox-97-0-2-update-addresses-two-actively-exploited-zero-day-flaw,  cert.civis.net/en/index.php?action=alert&param=CVE-2022-26485 and cert.civis.net/en/index.php?action=alert&param=CVE-2022-26486).

Please see the Mozilla Security Advisory webpage for more information.
 

From: Package Info <noreply [at] productshipping-hub9.co>
 Subject: Service Update for 24th Feb #GEESQ-24-14295109
 Date: February 24, 2022 at 3:11:38 PM EST
 To: "mst3k [at] virginia.edu" <mst3k [at] virginia.edu
 
 Your services has been renewed
 This emails confirms the renewal of your services with G-Squad. We are glad to inform you that your plan with us has been renewed for $395.49. Please review the summary of your renewal:
 Renewal ID
 GEESQ-24-14295109
 Renewal date
 24-Feb-2022 09:15:55 EST
 
 Registered Email – confirmed
 [email protected] <mailto:[email protected]    
 
 Description    Users    Qty    Amount
 Geek Secure Premium
 04    01    395.49 USD
 Subtotal    395.49 USD
 Total    395.49 USD
 Payment    395.49 USD
 
 Method used
 Credit/Debit Card
 Issues with this Email?
 You have 24Hrs. from the date of the renewal to cancel your plan.
 
 Help-Desk: +1 (xxx) 300-0118
 
 Please do not reply to this email. To get in touch, reach Help-Desk
 Not sure why you received this email? Learn more
 unsubscribe

From: "Garland, Maran K (mkg9d)" <mkg9d [at] virginia.edu>
Date: Friday, February 18, 2022 at 10:16 AM
To: "User, Typical (mst3k)" <mst3k [at] virginia.edu>
Subject: Personal Assistant Position

Dear Student Faculty and Staff,

  There is an open position a business executive is currently out of the states for conference and business purposes he is in need of a very honest person to assist him during this period.

Duties:

Monitor Calls and reply to emails.

Receive and make payment to business clients.

Flight booking.

Payment : $400

Location: USA

Applicants must be 18 and above.

CLICK HERE<hxxp://harp-primrose-4hrt.squarespace.com/> To submit an application.

Maran K. Garland
434.964.7150

From: virginia.edu:12/29/2021 <info [at] rkvalve.com>
Sent: Wednesday, December 29, 2021 5:59:55 AM
To: User, Typical S <mst3k [at] virginia.edu>
Subject: virginia.edu_Notification:(Wednesday, December 29, 2021)

virginia.edu WEBMAIL

Hello mst3k,

Your mst3k [at] virginia.edu password is set to Expire today,

Wednesday, December 29, 2021

You can change your password or continue using same password below

Keep Same Password <hxxp://xn.54nl7.everesthimalayansd.com/.#.aHR0cDovL3JheWFubGFuLmNvbS93cC1hZG1pbi9pbWFnZXMvc3l1LyNhbGc2bkB2aXJnaW5pYS5lZHU=>

virginia.edu Support

From: Virginia -053100 <kazash [at] gvsu.edu> 
Sent: Thursday, November 18, 2021 3:36 PM
To: Typical User mst3k [at] virginia.edu>
Subject: Covid Test#56470
Importance: High

Attached copy of your test result.
Thanks.

Hi mst3k,

Due to new terms of our user agreement, we inform you that we made recent updates in our website to ensure safety while using our services. Follow the link below to update your mailbox and follow the steps to check your email.
 

More Zero-Day flaws in the Chrome web browser for Windows, Macintosh, and Linux computers

More zero-day flaws have been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2021-37975 and CVE-2021-37976) are a high and medium severity flaw (respectively) on the CVSS vulnerability-rating scale.  Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the system or obtain sensitive information. 

Google has released an emergency Chrome fix to address these two zero-day vulnerabilities (version  94.0.4606.71). Most Chrome browser will auto-updated and the update requires the browser to be restarted.
Considering the disclosed vulnerabilities, you should update your Chrome browser to the latest version (at least 94.0.4606.71) as soon as possible.  This update addresses these two security flaws.

Double-check your Chrome Browser is up-to-date

Chrome will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.

In Chrome, click on Settings  then About Chrome

If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 89.0.4389.128 

Additional Details

One vulnerability (CVE-2021-37975) could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in V8. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
The other vulnerability (CVE-2021-37976) could allow a remote attacker to obtain sensitive information, caused by an information leak in core.  By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.

(References: https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/,   https://cert.civis.net/en/index.php?action=alert&param=CVE-2021-37975 and https://cert.civis.net/en/index.php?action=alert&param=CVE-2021-37976 ).

Please see the Chrome Security Page and the Chrome Releases webpages for more information.