
Legal Tech News and Events: June 6, 2022


Microsoft addresses critical cybersecurity flaw, and Tim Hortons found guilty of privacy violations by Canadian authorities.

June 6, 2022


Cybersecurity: Microsoft 0-day Flaw


Last week, after experts expressed concern that the Microsoft Support Diagnostic Tool (MSDT) could be exploited to remotely control affected devices, the tech giant released guidance for the Remote Code Execution (RCE) flaw, CVE-2022-3019. A day later, the US Cybersecurity and Infrastructure Security Agency (CISA) released a statement urging users to apply the necessary workaround and describing the issue as one in which a "remote, unauthenticated attacker could exploit this vulnerability to take control of an affected system".


According to security researchers, the vulnerability exists in all currently supported Windows versions and attackers are actively exploiting it through Microsoft Office versions 2013 through Office 2019, Office 2021, Office 365, and Office ProPlus.


As of writing, no patch has been released, but Microsoft recommends that affected users disable the MSDT URL protocol. The company said that the workaround it released "prevents troubleshooters being launched as links including links throughout the operating system".


Privacy: Tim Hortons’ App Violated Laws


Two years after the Office of the Privacy Commissioner of Canada (OPC) launched the investigation with federal privacy authorities in British Columbia, Quebec, and Alberta, the authorities found the coffee chain guilty of breaching privacy laws through its mobile app. The company's third-party service provider, the US company Radar Labs Inc., is a co-defendant in two of the lawsuits.


In May 2019, Tim Hortons updated its app, and users were led to believe that it would only gather information while they were using it. However, the commissioner's report said that the language in the contractual clauses was "vague and permissive," that Tim Hortons did not adequately inform customers about location tracking, and that there was no “meaningful consent.”


From 2019 to 2020, with 4 million users, the data collected was vast: the app collected location data every 2.5 to 6 minutes once it detected movement from the user. The company has agreed to delete all location data and to have third-party service providers do so as well, as per recommendations from the privacy authorities.


InfiniGlobe is a software and consulting services company. With 20+ years of legal industry experience, our team brings subject matter expertise to an array of challenges. Request a demo and contact us at info@infiniglobe.com or at (833) LGL-TECH.
