School principal resigns after writing $100,000 check to Elon Musk impersonator
ALSO: DJI forgets the 'B' in 'BCC,' and this week's critical known exploits
In Brief The principal of a Florida science and technology charter school has resigned after allegedly writing a $100,000 check to an Elon Musk impersonator using school funds.
Dr Jan McGee, who is listed as a founding board member of Burns Science and Technology Charter in Oak Hill, Florida, told the school's board of directors that she had been fooled by the fake Musk after being "groomed" (in her words) for months.
"I am a very smart lady. Well educated. I fell for a scam," McGee told the board, according to local news reports. McGee reportedly cut a $100k check to a person she believed was an associate of Musk's to kickstart additional investments of up to $6 million.
Because McGee was only allowed to write checks up to $50k, the school's business manager noticed the oversized check and prevented it from being processed. According to WESH Orlando, McGee had for years wanted to get Musk involved in funding the school, and someone appears to have exploited that ambition. Others testified at the meeting that staff had warned McGee she was being scammed.
Minutes from a March 9 meeting of the Burns Sci-Tech Charter School Board indicate that McGee's actions were already being reviewed at the time, with one board member requesting a performance review of McGee at the next meeting – the one at which she resigned.
McGee apologized at the March 28 board meeting, but three school administrators said they planned to resign if McGee did not, prompting her resignation.
This week's critical vulnerabilities and active exploits
We've already told you about a whole tree full of Apple vulnerabilities that were patched this week, and just yesterday PBX communications company 3CX was revealed to have a serious supply chain exploit embedded in its desktop client.
Those aren't the only problems that have been identified in the past five days, though – even Internet Explorer rose from its grave to trouble those who have yet to eliminate the out-of-support browser from their systems.
But first let's get to everything else, which this week consists of known bugs that have been found exploited in the wild:
- CVSS 9.8 – CVE-2017-7494: Open source SMB implementation Samba contains an RCE vulnerability in all versions from 3.5.0 up to the fixes in 4.6.4, 4.5.10 and 4.4.14. An attacker could use the flaw to upload a shared library to a writable share, then force the server to load and execute it.
- CVSS 9.8 – CVE-2022-42948: Pentesting suite Cobalt Strike v4.7.1 improperly escapes HTML tags. Because those tags are rendered by Swing components, an attacker could inject malicious code and remotely execute commands in Cobalt Strike's UI.
- CVSS 8.8 – CVE-2022-38181: Arm's Mali GPU kernel drivers mishandle memory operations, exposing freed memory to unprivileged users. This affects several versions of the Bifrost, Valhall and Midgard architectures.
- CVSS 8.8 – CVE-2022-3038: Google Chrome's Network Service in versions prior to 105.0.5195.52 (which was released last August) contains a use-after-free bug that an attacker could exploit for heap corruption via crafted HTML.
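The Samba entry above gives three fixed releases rather than a single cut-off, which is the kind of detail that gets mangled when someone checks an inventory by eye. The following is an added example, not code from the article or from the Samba project: it classifies reported Samba version strings against the ranges the article states, under the assumption that every release from 3.5.0 onward is affected and that 4.6.4, 4.5.10 and 4.4.14 are the first fixed releases on the 4.6, 4.5 and 4.4 maintenance branches. The hostnames and version strings in the inventory are constructed.

```python
"""Classify Samba version strings against the CVE-2017-7494 affected range.

Added example, not the article's or Samba's code. Assumption: the article's
"3.5.0 and 4.6.4, 4.5.10 and 4.4.14" means every release from 3.5.0 onward is
affected, with 4.6.4, 4.5.10 and 4.4.14 the first fixed releases on the 4.6,
4.5 and 4.4 maintenance branches.
"""
from __future__ import annotations

import re

FIRST_AFFECTED = (3, 5, 0)
# First fixed release per maintenance branch, keyed by (major, minor).
FIXED_IN = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
NEWEST_FIXED_BRANCH = (4, 6)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' from strings such as '4.5.9-Ubuntu'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the reported version falls inside the affected range."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED_IN:
        # 4.5.9 is vulnerable even though it sorts below 4.6.4: compare
        # against the fix on its own branch, not the highest fix overall.
        return v < FIXED_IN[branch]
    # Branches newer than 4.6 shipped after the fix; older ones never got one.
    return branch < NEWEST_FIXED_BRANCH


def triage(hosts: dict[str, str]) -> list[str]:
    """Return hostnames whose reported Samba version is in the affected range."""
    return sorted(host for host, ver in hosts.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {
        "fs01": "4.5.9-Ubuntu",
        "fs02": "4.6.4",
        "nas": "3.6.25",
        "legacy": "3.4.17",
        "fs03": "4.7.0",
    }
    print(triage(inventory))  # ['fs01', 'nas']
```

Treat the output as a list of hosts to verify rather than a verdict: distributions often backport a fix without changing the upstream version number, so a host flagged here may already be patched, and the package changelog or a vendor advisory is the authority.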
And then there's Internet Explorer. A pair of vulnerabilities scored 9.3 and 10 on CVSS version 2 are under active exploitation, targeting IE versions 8 through 10 and 6 through 11 – the former a memory corruption vulnerability and the latter a use-after-free issue.
As we noted in February when IE's final call was issued for some older versions of Windows 10, it's no longer possible to install the dated browser on all but the oldest versions of Windows (7.1, 8 and a few particular Win 10 distros). Edge is available for those older unsupported OSes too, so update ASAP.
Oops: DJI forgets to BCC customers on marketing email
Drone maker DJI flubbed a marketing email this week when it put hundreds of customer email addresses into the "to" field instead of BCCing them. Customers took to Reddit to express their dissatisfaction, and a Reg reader tipped us off to the occurrence.
Redditor MyAnonID told us there were "819 email addresses disclosed in the one I received," and added: "They gave me a $20 credit in my DJI account after a quick complaint via chat." Well, that's something.
Other customers reported the emails they received – which were directed at recent buyers of the drone maker's Avata model – exposed similar numbers of email addresses, suggesting that several such emails went out. DJI replied in the thread, but only to apologize for the inconvenience, which it said was due to "a glitch in our email distribution system."
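The failure described above is a headers-versus-envelope mistake: SMTP delivers to whatever addresses are on the envelope, and the To header is only what every recipient gets to read. The following is an added example, not DJI's code, showing the naive construction that leaks the list beside one that keeps recipients in the envelope, plus a pre-send guard that rejects any message exposing more than one address in To or Cc. The addresses and the threshold are constructed for illustration.

```python
"""Bulk mailing with recipients kept in the SMTP envelope, and a pre-send
guard that catches a leaked recipient list. Added example, not DJI's code;
the addresses and the visible-recipient threshold are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses

# A customer mailing should never show more than one address in To/Cc.
MAX_VISIBLE_RECIPIENTS = 1


def build_naive_message(sender, recipients, subject, body):
    """The mistake described above: every recipient listed in the To header,
    so each customer receives the whole list."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_bulk_message(sender, recipients, subject, body):
    """Return (message, envelope_recipients). The To header holds only an
    empty RFC 5322 group, so no recipient address appears in the headers;
    the real list is handed to the SMTP envelope (RCPT TO) at send time."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "undisclosed-recipients:;"
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def visible_recipients(msg):
    """Addresses any recipient can read from the To and Cc headers."""
    raw = [str(v) for name in ("To", "Cc") for v in msg.get_all(name, [])]
    return [addr for _display, addr in getaddresses(raw) if addr]


def is_safe_to_send(msg):
    """True when the message discloses at most MAX_VISIBLE_RECIPIENTS addresses."""
    return len(visible_recipients(msg)) <= MAX_VISIBLE_RECIPIENTS


def check_before_send(msg):
    """Refuse a message that would disclose a recipient list; return the
    number of visible addresses when the message is acceptable."""
    exposed = visible_recipients(msg)
    if len(exposed) > MAX_VISIBLE_RECIPIENTS:
        raise ValueError(
            f"{len(exposed)} recipient addresses exposed in To/Cc; "
            "pass the list as envelope recipients instead")
    return len(exposed)


if __name__ == "__main__":
    # Constructed customer list, not real addresses.
    customers = [f"customer{i}@example.net" for i in range(819)]
    safe, envelope = build_bulk_message(
        "news@example.com", customers, "Avata update", "Hello")
    print("safe message visible addresses:", check_before_send(safe))
    try:
        check_before_send(build_naive_message(
            "news@example.com", customers, "Avata update", "Hello"))
    except ValueError as err:
        print("blocked:", err)
```

At send time the envelope list goes to `smtplib.SMTP.send_message(msg, to_addrs=envelope)`, which uses `to_addrs` for the RCPT commands instead of reading the headers; sending one message per recipient is the other common pattern and removes the shared-envelope risk entirely.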
Several Redditors suggested the mistake could be a violation of the GDPR. While that's not immediately clear, Ireland's Data Protection Commission says that such incidents should still be reported to it. The severity of such an incident could determine if it's punishable. ®