March 28, 2023

Good morning, everyone!

This week’s critical vulnerabilities: The vulnerability disclosed last week for Outlook has experts worried, as it is easy to exploit and requires no user interaction, making it especially dangerous. WooCommerce Payments WordPress Plugin has a new version available fixing a critical security flaw Adobe ColdFusion should be updated immediately CISA released 8 security advisories this week on industrial control systems equipment from Delta Electronics and Rockwell Automation Patch All the Things!

Introducing aCropalypse

Security folks are really hung up on catchy names for bugs they find, aren't they? This is one that all Android & Windows folks need to be aware of. A bug in Google Pixel's Markup app allows edited images to be restored to their original form. Google has fixed the bug in the app (in Android 13) for future images, but all images edited in the older version of the app (for the last six years or so) are vulnerable to reversion to original state.

In reading some commentary on this, I was reminded of a good practice that I had forgotten about: edit your image, then take a screen capture of the edited image and share that. It not only eliminates vulnerabilities in editing, it cleans out the metadata. You can also use an app to scrub metadata from your images before sharing (I do this every time). This will erase things like geolocation data that you probably don't want shared.

Turns out that aCropalypse also affects Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool.

What's the answer to this one? Screenshotting as described above, or using an actual image editing tool when you need one. Bugs like this often crop up when new features are added to basic tools that weren't originally designed to do the new stuff. Using a tool (from a reliable developer) that was actually designed to do this very thing is always going to be the better option.

Happy cropping!

Glenda R. Snodgrass
grs@theneteffect.com
(251) 433-0196 x107
https://www.theneteffect.com
For information security news & tips, follow me!

Security Awareness Training Available Here, There, Everywhere!

Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training has made a comeback, but many organizations have found virtual training to be useful as well. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.

Contact me to schedule your employee training sessions. They're fun! ☺