Welcome to The Threat Show for the week of Nov 7th. Today’s special guest is Mike Kavka, known on Twitter as “Silicon Shecky.” Mike is a senior security engineer at one of the country’s largest brokerage firms and regular guest of the Black Hills Security podcast. Today he tells us the one thing that most small businesses overlook when tuning their EDR systems.
CVE-2022-3786 and CVE-2022-3602: Two High-Severity Buffer Overflow Vulnerabilities in OpenSSL Fixed (0:50)
A vulnerability in OpenSSL has been downgraded from a ‘critical threat’ (as announced last week) to ‘high’ alongside the release of a patch. This sent cybersecurity experts into a panic, despite the threat not being as severe as initially thought.
Mitigation: Even with the downgraded threat level, you will want to patch ASAP.
CVEs: CVE-2022-3786, CVE-2022-3602
Google Releases Emergency Chrome 107 Update to Patch Actively Exploited Zero-Day (6:25)
Google has released an emergency patch targeting a new zero-day vulnerability affecting Chromium based browsers including Chrome, Edge, and Safari. This highlights the weaknesses of Javascript and calls into question how secure the limited pool of web browsers available to the public are.
Mitigation: There is a patch from Google that will be automatically applied, you just need to restart your browser.
CVEs: CVE-2022-2294, CVE-2022-3723
Apple iOS and macOS Flaw Could've Let Apps Eavesdrop on Your Conversations with Siri (9:41)
A vulnerability has been discovered that affects Apple devices connected to bluetooth headphones (namely Airpods and Beats, with the possibility of additional brands being affected as well) that can allow rogue apps to record audio. The bug has been dubbed ‘SiriSpy’ because of a vulnerability between Siri and your hardware that enables these attacks to happen.
Mitigation: A software patch has been released, so patch away!
