Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-30333PUBLISHED: 2022-05-09RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.
CVE-2022-23066PUBLISHED: 2022-05-09
In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to tra...
CVE-2022-28463PUBLISHED: 2022-05-08ImageMagick 7.1.0-27 is vulnerable to Buffer Overflow.
CVE-2022-28470PUBLISHED: 2022-05-08marcador package in PyPI 0.1 through 0.13 included a code-execution backdoor.
CVE-2022-1620PUBLISHED: 2022-05-08NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in GitHub repository vim/vim prior to 8.2.4901. NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 allows attackers to cause a denial of service (application crash) via a crafted input.
User Rank: Apprentice
2/17/2016 | 6:58:17 PM
From fake 'demo' disks for 5 1/4" drives to downloads off websites, it's the employee that is the primary entry point for attacks.
How do you educate your employees? How do you justify this kind of training to management? Well, good luck.
Most managers are unaware of the vlunerability of thier groups/division/organization's staff to these attacks. And you will be marked down as a Chicken Little if you push the problem in an open forum.
The best way is to include training and warnings for new hires - it's an 'inoculation' process.
This leaves the 'old guard' to educate - and they are often the most vlunerable. The person who deals with appointments for salespeople, the person who answers the phone (and, by the way, gets all the undeliverable emails....).
Filtering/deleting all the undeliverable emails is a good first line of defense - or you can divert these messages to someone who has more familarity with attacks. But this drains your resources - better to just trash the undeliverables.
But many institutions have staff who have been there since before cell phones were invented - how do you deal with them? I have tried many times and found the 'gaming' strategy works best - build up a collecton of attacks and make it into a game - tell them it's something to play with. When they fall for an attack don't scold, explain. Remember the old country doctor whose 'bedside manner' could settle most problems? Take that approach - you are often the new person on the staff teaching the person with the longest tenure - be humble and explain, explain, explain. If they don't understand it's not their fault - it's yours. Try another approach - you CAN make it work.
And - best of luck.
wb