Feedback & Followups
- The UK’s secret campaign to compel Apple to break its iCloud Advanced Data Protection feature is reportedly continuing apace (still without official confirmation), with a hearing having apparently taken place in a secret court on Friday. Meanwhile, US lawmakers from both parties have formally complained to the UK and asked that the hearings be opened up to the public, and US government officials have reportedly been in contact with their British counterparts to raise their concerns — daringfireball.net/… & www.macobserver.com/…
  - “Given the significant technical complexity of this issue, as well as the important national security harms that will result from weakening cybersecurity defenses, it is imperative that the U.K.’s technical demands of Apple — and of any other U.S. companies — be subjected to robust, public analysis and debate by cybersecurity experts. Secret court hearings featuring intelligence agencies and a handful of individuals approved by them do not enable robust challenges on highly technical matters.” — from the letter sent by US Senators
- Those VS Code plugins that were reported as malicious, and that we praised Microsoft for removing from the VS Code Marketplace so quickly, have turned out not to be malicious after all, just a little neglected — www.bleepingcomputer.com/…
- The suspicious code was from an outdated dependency left in the project by mistake. It was obfuscated, which is utterly inappropriate for a plugin to an IDE, but not malicious
- The developer has released completely rewritten versions of the plugins that remove the dependency entirely
- Microsoft have restored the developer’s access to the marketplace and re-listed the plugins
- Microsoft have apologised to the developer for their ‘overreaction’
- Microsoft is also updating their policies on obfuscated code
- Editorial by Bart: I hope Microsoft don’t learn the wrong lesson — the problem is not that they acted quickly to remove the plugins, it’s that they jumped straight to accusations of malice before they had done enough investigation. They should suspend plugins immediately on suspicion, not accuse the developer of anything at that point, investigate, and then either restore or remove the plugins and the developer account depending on their findings.
Deep Dive(s)
Action Alerts
- Another Patch Tuesday has been and gone: Microsoft patched just 57 vulnerabilities, but an above-average 7 were zero-days, so patch ASAP — www.bleepingcomputer.com/… & isc.sans.edu/…
  - One of the zero-days has been around a while: Microsoft patches Windows Kernel zero-day exploited since 2023 — www.bleepingcomputer.com/…
- Apple have patched just about everything: Apple seeds security updates for iOS 18.3.2, iPadOS 18.3.2, macOS 15.3.2, visionOS 2.3.2 — appleinsider.com/…
  - One of the patches is particularly important, hardening a recent fix of a zero-day that had been discovered in the wild being used by presumed nation-state actors in very targeted attacks. The bug was so deep in WebKit that it was still present in Google’s Chrome, which forked off from WebKit a decade or more ago, so Google had to patch it too — www.intego.com/…
- Android Users who can Patch: Google have released the March patches for Android, fixing 43 vulnerabilities, including a zero-day being actively exploited by Serbian authorities to break into compromised phones — www.bleepingcomputer.com/…
- NosillaCastaways running servers: make sure that if you have the FreeType font libraries installed they’re patched — thehackernews.com/…
Worthy Warnings
- Browser Plugin Users: beware that cybersecurity researchers have demonstrated a new technique that allows a malicious browser extension to mimic legitimate extensions like password managers to steal credentials – the proof of concept was on Chrome, but in principle it could happen on any platform — www.bleepingcomputer.com/…
  - Editorial by Bart: yet another reason to minimise your use of browser plugins. Personally, I’ve decided to limit as many of my plugins as possible to Safari, because those plugins go through a full App Store Review like a regular app, which is definitely a step above what happens in the other browser plugin stores/marketplaces
- Apple Users: beware of a wave of smishing (phishing over SMS) attacks targeting Apple users with subjects like “Apple Approval Notice” or “Apple Pay Verification” pretending to be notifications about expensive purchases and offering a number to call if you did not make the purchase. Remember, never call a number given in a text or email, use a number you sourced from somewhere trustworthy — www.macobserver.com/…
- iOS Users: beware of a new trick attackers have started to use to work around Apple’s link-blocking feature in messages – Google redirects — www.intego.com/…
  - As described before, Apple’s Messages app does not permit links in messages received from first-time contacts, unless they are to well-trusted domains
  - As we recently discussed, attackers had already started to work around this by telling users to reply “Y” and then click the link, because replying tells Messages this is someone you want to communicate with, so it lowers its shields
  - This new approach abuses Apple’s trust in Google. To their credit, Google does not blindly redirect, it gives the user a standard interception page clearly stating they are being redirected. But if the user believes the SMS message, they are likely to click past the page, and the attackers have succeeded in making it possible for victims to click a link and land on the target phishing page
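As an added illustration (my own code, not from the show notes, Apple or Google): a defender-side check that unwraps a link hidden behind a trusted redirector so the real destination can be judged instead of the outer domain. It assumes the redirect takes the `https://www.google.com/url?q=<destination>` form, uses a constructed allowlist standing in for whatever Messages treats as “well-trusted”, and runs over a constructed SMS modelled on the lure described above.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allowlist standing in for the "well-trusted domains" Messages
# accepts from first-time contacts (assumption; Apple's real list is not on the page).
TRUSTED_HOSTS = {"www.google.com", "www.apple.com"}

# Known redirector hosts: (path, query parameter carrying the destination).
# The google.com/url?q= form is an assumption used for illustration.
REDIRECT_RULES = {"www.google.com": ("/url", "q")}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_redirect(url: str, max_hops: int = 3) -> str:
    """Resolve redirector-style query parameters offline (no network access).

    Stops when the URL no longer matches a known redirector, when the
    parameter is not an absolute http(s) URL (e.g. an ordinary search
    query), or after max_hops, so nested redirects cannot loop forever.
    """
    current = url
    for _ in range(max_hops):
        parsed = urlparse(current)
        rule = REDIRECT_RULES.get(parsed.netloc.lower())
        if rule is None or parsed.path != rule[0]:
            break
        values = parse_qs(parsed.query).get(rule[1])
        if not values:
            break
        candidate = unquote(values[0])
        if not candidate.lower().startswith(("http://", "https://")):
            break
        current = candidate
    return current


def classify_link(url: str) -> dict:
    """Compare the host a user sees with the host the link actually lands on."""
    outer_host = urlparse(url).netloc.lower()
    final_url = unwrap_redirect(url)
    final_host = urlparse(final_url).netloc.lower()
    return {
        "outer_host": outer_host,
        "final_host": final_host,
        "final_url": final_url,
        # True when the visible domain would pass an allowlist but the
        # real destination would not: the bypass the show notes describe.
        "redirect_bypass": outer_host in TRUSTED_HOSTS
        and final_host not in TRUSTED_HOSTS,
    }


def scan_message(text: str) -> list:
    """Extract every link from a message body and classify each one."""
    return [
        classify_link(m.group(0).rstrip(".,;)"))
        for m in URL_RE.finditer(text)
    ]


# Constructed sample SMS modelled on the lure described in the show notes.
SAMPLE_SMS = (
    "Apple Approval Notice: a purchase of 899.00 was made on your account. "
    "If this was not you, dispute it at "
    "https://www.google.com/url?q=https%3A%2F%2Fdispute-example.invalid%2Fapple"
)

if __name__ == "__main__":
    for result in scan_message(SAMPLE_SMS):
        verdict = "SUSPICIOUS" if result["redirect_bypass"] else "ok"
        print(f"{verdict}: {result['outer_host']} -> {result['final_host']}")
```

The point of the path check and the absolute-URL check is to avoid flagging an ordinary `google.com/search?q=…` link as a redirect; only the `/url` endpoint with a full URL in `q` is unwrapped.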
- US Residents: beware of a huge spike in smishing attacks related to unpaid parking fees targeting area codes around major US cities — www.bleepingcomputer.com/… (a new variant on the ever popular “unpaid tolls” trope that seems to plague most of the western world, even little old Ireland where the much hated M50 tolls are an evergreen lure.)
Notable News
- Undocumented commands have been found in a cheap Bluetooth controller chip used in billions of IoT devices, but despite initial over-the-top headlines, these are not a ‘back door’, nor are they malicious — www.bleepingcomputer.com/…
- The vendor, Espressif, have formally responded, and their response confirms the more sober analyses that were already competing with the shouty over-the-top headlines — www.espressif.com/…
  - These are completely normal debugging commands that can only be accessed from inside the device itself, not over the Bluetooth radio
- There does not seem to be any kind of attack vector that does not start with “if you have root access on the device …” or “if you can connect to the physical pins on the chip …”
- Maybe this will develop into a real vulnerability when researchers study it more, but it doesn’t look that way, and for now there is definitely no need for NosillaCastaways to worry about this at all!
- The GSMA (GSM Association, the body that oversees the GSM standard) has formally approved an open cross-platform standard for End-to-End Encryption over the RCS messaging protocol (based on the open MLS protocol) — thehackernews.com/…
- Apple have said they will add it to their Messages app in an upcoming update — arstechnica.com/…
- Google are continuing to leverage AI in their fight against scammers — their latest Android update adds an on-device AI model that scans messages from senders not in the user’s contact list for common scam patterns and warns users if a conversation looks like it might be a scam — thehackernews.com/…
Palate Cleansers
- From Allison: Mind the Gap: Will Tiny Discrepancies Derail Cosmology? — www.worldsciencefestival.com/…
Legend
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.
| Emoji | Meaning |
|---|---|
| | A link to audio content, probably a podcast. |
| | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| | A link to graphical content, probably a chart, graph, or diagram. |
| | A story that has been over-hyped in the media, or, “no need to light your hair on fire” |
| | A link to an article behind a paywall. |
| | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| | A tip of the hat to thank a member of the community for bringing the story to our attention. |
| | A link to video content. |
Glad to see US lawmakers stepping up to challenge the UK’s secretive proceedings. Cybersecurity is a global issue, and weakening security measures in one country can affect everyone. Transparency is key if we want to ensure these decisions are in the public’s best interest.