All Apple Devices, Microsoft, Microsoft Office 365, Grandstream, Google Chrome
Risk 1: High
Issue: Microsoft announced under CW1226324 that a “bug” has been detected in Copilot, their AI platform integrated deeply into Microsoft 365, that has been reading and summarizing e-mails flagged as sensitive with a Data Loss Prevention (DLP) in place. A DLP is designed to prevent access to this data, but Copilot has been bypassing these policies and reading/summarizing; the sensitive e-mails were then made available in Copilot Chat.
Microsoft is working on deploying an update/fix, but has not released a full timeline.
This on the heels of questions surrounding AI access to data through Claude Cowork continue to increase concerns over what these AI platforms have access to and, ultimately, what are they able to do with it?
Resolution: Sadly, there is no current fix. Even disabling Copilot Chat does not stop Copilot from processing this data.
Risk 2: High
Issue: Grandstream VOIP, a growing provider of internet-based telephony services, has acknowledged a flaw allowing remote attackers to listen-in on calls and conversations. The calls can be flagged as one-way increasing the risk that the listener would never be detected.
Resolution: A fix was deployed last week so Grandstream users should apply the most recent update.
Risk 3: Medium
Issue: Google has announced several severe Chrome vulnerabilities that allow both data capture/collection as well as remote system access. At least 4 mild to severe vulnerabilities have been located.
Resolution: Given the gravity of the potential for breach, anybody with Chrome installed (not just users) should apply the recently-released update.
Yes, this means you with the 500 tabs open, apply the update and restart your browser.
Risk 4: Critical
Issue: Microsoft has pushed out a collection of major and minor updates this week including a fix that had stopped Chrome from launching, a correction to Windows Notepad that allowed remote code to be executed on your machine, as well as a final fix to correct the issue with Windows not fully shutting down. Also in the last several days, Microsoft has pushed out an update of over 100 security related items, including 6 zero-day vulnerabilities (which means the vulnerability is already being utilized).
Resolution: Windows users should immediately apply the most recent update. Last week’s updates require a system restart, but this week’s updates may not.
Risk 5: High
Issue: Apple acknowledged a critical vulnerability in their entire suit of platforms (iOS, iPadOS, watchOS, tvOS, visionOS, and macOC) known as a memory corruption issue that would allow for attackers to gain access to a device’s memory and, in turn, execute code remotely impacting the device as well as potentially access the data on that device.
Resolution: Apple corrected the issue and has released an update. Anybody with an Apple device should apply the most recent update to correct the error.
Announced Data Breaches
Figure
Washington Hotel
Odido
Eurail
PayPal
Volvo
Conpet
University of Mississippi Medical Center
Privacy Wins & Updates
Bitwarden, major password management tool, released an update to allow users to securely share a password with a second user, even if outside of their own organization.
Louis Vuitton/Dior/Tiffany fined $25m over recent data breach.
Financial Guardians is a proud member of InCite, the recently launched online community exclusively for tax professionals, bookkeepers, and accountants. InCite members receive a 30% discount.
Financial Guardians has partnered with the California Society of Tax Consultants to provide a 30% access discount as well as many other offers. More info can be found at www.cstcsociety.org
