In this week's Security Advisory
- Security Patch Released to Fix Vulnerabilities in KnowBe4's Phish Alert Button for Outlook
- Severe Vulnerability in 'R Programming Language' Could Lead to Malicious Code Execution
- Critical Vulnerability in WordPress Plugin 'WP Automatic' Exploited in the Wild
- Security Patch Released in Google Chrome Desktop Browser
Security Patch Released to Fix Vulnerabilities in KnowBe4's Phish Alert Button for Outlook
KnowBe4 has issued an advisory regarding two (2) vulnerabilities discovered in the Phish Alert Button (PAB) for Windows Outlook tracked as CVE-2024-29210 and CVE-2024-29209. The Phish Alert Button is a security tool that allows a user to report suspected phishing emails to their IT department for analysis and sanitation. The vulnerabilities can be used by threat actors to escalate privilege and cause remote code execution. Customers should verify the version of their Phish Alert Button is up to date, and running on the latest security patch available.
Affected Versions:
1.10.0 - 1.10.11
More Reading/Information
- https://support.knowbe4.com/hc/en-us/articles/7142051893011-Microsoft-Outlook-EXE-Version-Phish-Alert-Button-PAB-Product-Manual
- https://support.knowbe4.com/hc/en-us/articles/115003416867-Phish-Alert-Button-PAB-Change-Log
Severe Vulnerability in 'R Programming Language' Could Lead to Malicious Code Execution
A vulnerability in the R programming language has been discovered that can allow attackers to execute arbitrary code when custom RDS (R Data Serialization) files are loaded. This vulnerability is currently being tracked as, CVE-2024-27322 with a CVSS rating of 8.8 out of a possible 10. Threat actors can further exploit this flaw by distributing malicious packages through open-source R repositories, potentially compromising unsuspecting developers who download and load them.
More Reading/Information
- https://www.bleepingcomputer.com/news/security/r-language-flaw-allows-code-execution-via-rds-rdx-files/
- https://www.prnewswire.com/news-releases/hiddenlayer-uncovers-deserialization-vulnerability-in-open-source-programming-language-r-302129915.html
- https://www.theregister.com/2024/05/01/r_programming_language_ace_vuln/
- https://www.darkreading.com/application-security/r-programming-language-exposes-orgs-to-supply-chain-risk
Critical Vulnerability in WordPress Plugin 'WP Automatic' Exploited in the Wild
A critical vulnerability has been discovered in the WordPress plugin, WP Automatic, and is currently being tracked as CVE-2024-27956 (CVSS rating of 9.9 out of a possible 10). WP Automatic is a plugin tool that automates the process of fetching and publishing content from online sources. CVE-2024-27956 is a critical SQL injection flaw that can allow attackers to gain access to websites and create user accounts with administrator privileges for full control. This vulnerability is actively being exploited in the wild at a high volume.
Affected Versions:
- 3.92.0 and earlier
More Reading/Information
- https://www.bleepingcomputer.com/news/security/wp-automatic-wordpress-plugin-hit-by-millions-of-sql-injection-attacks/
- https://securityaffairs.com/162364/hacking/wordpress-automatic-critical-flaw.html
- https://cybersecuritynews.com/hackers-wp-automatic-vulnerability/
- https://www.techspot.com/news/102782-wordpress-plugin-vulnerability-poses-severe-security-risks.html
Security Patch Released in Google Chrome Desktop Browser
Google Chrome has issued a security update addressing two (2) high-rated vulnerabilities that impact Windows, Mac, and Linux operating systems.
More Reading/Information
Recommendations
Please review your environment to ensure the above-mentioned issues are patched in a timely manner. It is security best practice to regularly update and/or patch software to the latest versions. The vulnerabilities above highlight the security benefits of limiting deployed software to "vendor-supported versions" only. This dramatically increases the likelihood that new vulnerabilities have a patch issued for them. Likewise, Cybersafe strongly encourages maintaining an inventory of current software in your environment, which helps ensure and inform your patch and vulnerability management program.
![[Press Release] Rosana Filingeri Recognized on CRN's 2024 Women of the Channel Power 100 Solution Provider List](https://www.cybersafesolutions.com/hubfs/Blog/CybersafeSolutions-Press-Release-Rosana-Filingeri-Recognized-on-CRNs-2024-Women-of-the-Channel-Power-100-Solution-Provider-List-v2.jpg)
