
Security Bits – Zero-Day on macOS, Facebook Rates User Trustworthiness, Facebook’s VPN Was Tracking Users, Excessive Google Tracking, Teenager Hacks Apple

Followups

  • More speculation-based flaws in Intel Chips (Editorial by Bart: as with other recent Spectre/Meltdown variants, there’s no need for home users to panic, just keep your OSes patched. It’s cloud providers that really need to worry about these flaws.)
    • L1 Terminal Fault AKA L1TF – Intel have released mitigations, and they don’t have significant performance impacts — www.intel.com/…
    • Foreshadow – This new variant is noteworthy because it allows attackers to bypass the security that is supposed to protect SGX (Software Guard eXtensions), Intel’s secure enclave. Again, updated microcode has been released — arstechnica.com/…

Notable Security Updates

  • Patch Tuesday has been and gone with critical security updates being released by Microsoft and Adobe, including patches to zero-day flaws — krebsonsecurity.com/…
  • Adobe released an out-of-band patch to fix a critical vulnerability in Photoshop CC — nakedsecurity.sophos.com/…

Notable News

  • At the DefCon security conference, security researchers released details of vulnerabilities in the fax feature of many network-connected HP multi-function devices that are putting many businesses and households around the world at risk. If affected devices are connected to both the network and the phone system, then a malicious fax can be sent to the device in order to break into the network. HP have released patches. The researchers warn that other vendors are probably similarly vulnerable, so expect more reports and patches soon. (Editorial by Bart: if you have one of these devices and don’t actually need faxing functionality, now might be a good time to just pull the plug!) — blog.checkpoint.com/…
  • Also at the DefCon security conference, a researcher released details of a zero-day privilege escalation attack against macOS. The attack allows malware already running on your Mac to click through security dialogues on your behalf, hence gaining more privileges than it should have. The bug appears not to be present in macOS Mojave. (Editorial by Bart: no need to panic here; if you have malware already running on your system you have bigger problems!) — nakedsecurity.sophos.com/…
  • A 20-year-old bug with some security implications has been patched in OpenSSH, the most commonly used SSH software. The bug caused SSH to respond at a different speed depending on whether authentication failed because the user account did not exist at all, or because the account did exist but the credentials were wrong. This allowed attackers to test whether a given username exists on a system, and hence speed up brute-force attacks. (Editorial by Bart: no need to panic here; the patch is out, and even on an unpatched device you’re still safe as long as you have a strong password/SSH key.) — nakedsecurity.sophos.com/…
  • Facebook have revealed that they have been working on an algorithm to rate their users’ trustworthiness for many years. The hope is that this algorithm will help them fight so-called fake news on their platform — nakedsecurity.sophos.com/…
  • At Apple’s request, Facebook has removed its Onavo VPN app from the iOS App Store. Apple asked for the removal because Facebook’s VPN tracked all user activity carried out over the VPN, something Apple considers a privacy violation — daringfireball.net/…
  • Security researchers have found that alterations made to Android by many hardware makers and cell carriers are adding security vulnerabilities into Android, resulting in millions of brand new Android devices being vulnerable right out of the box — www.wired.com/…
  • Google got into hot water after it was discovered that turning off a setting labelled Location History didn’t actually stop Google storing a history of your locations! Rather than deal with the underlying problem, Google chose to update the text on the setting’s label to explain that it doesn’t do what it says on the proverbial tin.
  • An Australian teenager hacked Apple and stole 90GB of ‘secure files’. Apple say no user data was compromised — nakedsecurity.sophos.com/… & Apple Says Customer Data Wasn’t Compromised in Teen Hacking Case — www.macobserver.com/…
  • 🇺🇸 Microsoft disrupts Fancy Bear election meddlers — nakedsecurity.sophos.com/…
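The OpenSSH item above is a textbook timing side channel: a login path that returns early for unknown usernames skips the expensive password hash, so an attacker can tell "no such user" from "wrong password" by the response time. The example below is an added illustration written for this post, not OpenSSH's own code. It uses a constructed single-user database and PBKDF2 as a stand-in for whatever slow hash a real server uses, and shows the leaky pattern beside a hardened version that does the same amount of work on every path by checking unknown users against a dummy record.

```python
"""Timing-equalised login check (constructed example, not OpenSSH code).

The leaky version answers faster for unknown users because it never
reaches the slow hash; the hardened version always performs one hash.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000   # PBKDF2 work factor; deliberately slow
_HASH_CALLS = 0       # counts expensive hash operations (demo instrumentation)


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Password hash whose cost dominates the login path."""
    global _HASH_CALLS
    _HASH_CALLS += 1
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def make_record(password: bytes) -> tuple:
    """Return (salt, hash) for a new account."""
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)


# Constructed user database with a single real account.
USERS = {"alice": make_record(b"correct horse battery staple")}

# Dummy record hashed once at start-up so unknown users cost as much as known ones.
_DUMMY_SALT, _DUMMY_HASH = make_record(b"not a real password")


def leaky_auth(username: str, password: bytes) -> bool:
    """Vulnerable pattern: bails out before hashing when the user is unknown."""
    record = USERS.get(username)
    if record is None:
        return False                      # fast path reveals "no such user"
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)


def hardened_auth(username: str, password: bytes) -> bool:
    """Same hash work on every path; unknown users are checked against the dummy."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(slow_hash(password, salt), stored)
    return known and match                # a dummy match can never grant access


def hash_work(auth, username: str, password: bytes) -> int:
    """Number of expensive hash calls one login attempt triggers."""
    global _HASH_CALLS
    _HASH_CALLS = 0
    auth(username, password)
    return _HASH_CALLS


def _elapsed(auth, username: str, password: bytes) -> float:
    start = time.perf_counter()
    auth(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Known vs unknown user: the leaky check shows a clear gap, the hardened one does not.
    for auth in (leaky_auth, hardened_auth):
        for user in ("alice", "nobody"):
            ms = 1000 * _elapsed(auth, user, b"wrong password")
            calls = hash_work(auth, user, b"wrong password")
            print(f"{auth.__name__:14s} {user:7s} {ms:7.2f} ms  hash calls: {calls}")
```

The counter, rather than wall-clock time, is what to assert on in a test: timing numbers vary between machines, but the number of hash operations per path is deterministic, and equal work on every path is the property that closes the channel.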

Suggested Reading

Palate Cleansers
