Security researchers have disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel and AMD.
SAN FRANCISCO — Apple says all of its Macs, iPhones and iPads contain a security flaw that requires an update. It's not alone. Any owner of a PC, tablet or smart phone should make sure that automatic software updates for their operating systems are enabled after security researchers this week revealed a broad flaw in Intel and other chips that could allow hackers to access data previously thought to be secure.
What should you do about it?
Every major software company has been pushing out updates to fix the problem. Make sure you allow your computers and phones to automatically install software updates and patches as they are released. These will likely be modified as companies craft the best work-arounds, so it’s not likely to be a one-time deal — update early and often!
Those on Microsoft products will need to first determine which version of the Windows operating system they are running, then run a query on the Microsoft support site asking "update Windows" along with the version they're running. Apple products will automatically update themselves, or at least prompt users to update them. Google Chromebooks self update. Many, but not all, phones running the Android operating system also do, or will ask if the user wants their operating system updated. You can also go to the settings app on the phone, tap About Device and then tap System Updates to see if an update is available.
Many security companies are suggesting users also make sure their security software is up to date. As soon as hackers create code to use this new flaw, security software will help flag and possibly stop them.
What products are affected?
Potentially everything that's got a central processing unit or CPU, which means PCs, Macs, laptops, smart phones and tablets. But patches are coming fast and furious. Microsoft has already pushed out a patch for Windows 10 and other Windows versions will be updated on Tuesday, January 9. If you have auto updates enabled, you should get this upgrade.
Apple on Thursday said that it has already released patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, and that Apple Watch is not affected by Meltdown. The upgrades come via auto updates. The company plans to release mitigations in Safari to help defend against Spectre "in the coming days," it said in a blog. The company also said it will continue to develop and test further patches for future updates of its operating system.
Google has published a list of all its devices and software that might need updates and what users have to do to install them, though many (like Chromebooks) will self install.
Amazon’s AWS cloud computing service expected all its computing systems to be patched by the end of the day Wednesday. Customers were also told to patch their operating systems to be fully secured.
What chips are affected?
Intel, which makes most of the chips used in PCs, is the most heavily affected. It said Thursday it has already issued updates for the majority of CPUs — the chips that handle the instructions a computer receives from hardware and software, sometimes known as the "brain" of the computer — introduced within the past five years. By the end of next week it expects to have issued updates for more than 90% of processors introduced within the past five years.
Chip-maker Advanced Micro Devices, whose products are mostly used in corporate server computers and personal computers, originally said it didn’t believe its products were at risk for the flaw. It has since updated that to say that one of the potential attacks could be used on some of its chips.
It encouraged its customers to use safe computing practices, including “not clicking on unrecognized hyperlinks, following strong password protocols, using secure networks, and accepting regular software updates.”
ARM, whose chips are primarily used in smart phones and electronic devices such as e-readers, televisions, cable boxes and cars, said that only a small subset of its chips were vulnerable and listed them on its website. It has also published a technical paper outlining how the flaws can be mitigated.
How did this happen?
There are actually two exploitable flaws, though they’re related. They have been given the James Bond-esque names Meltdown and Spectre. Both use what’s known as a side-channel analysis attack. Basically, malicious code can be written that allows an attacker to see information stored in what was previously believed to be a secure portion of a computer’s central processing unit, or CPU.
What's the problem that makes this possible?
It’s something no one had realized was an issue for 20-some years. Back in the early 1990s, in an effort to speed up computer processing, computer chip engineers hit on the idea of letting computers guess at what data would be needed next. It was called “speculative execution.” It’s something like a salesperson who sees a man pick out a pair of slacks in a store and so grabs a belt and a jacket that match because they might be what he looks for next. In the computer, it could be that you go to the banking section of your password management program. The speculative execution function then pulls all your banking passwords into the protected memory portion of the CPU because it’s making a good guess you’ll ask for that next.
Meltdown allows full access to the protected memory space, so it’s potentially more dangerous. It appears to only affect Intel chips manufactured since 1995. Spectre allows malicious code to use trickery to access random portions of the protected memory.
It is believed to affect processors made by Intel, Advanced Micro Devices and ARM. The real issue is that the flaws allow cyber criminals a new set of tools to steal passwords and other critical data. “The scope impacts a large set of the computing devices that we rely on, from PC to phones and back-end services consumers rely upon, such as servers and the cloud,” said McAfee chief technology officer Steve Grobman.
How much could the hackers see?
The exploit could allow an attacker to open a window that lets them look at what’s being rolled into and out of that protected memory space, says Atiq Raza, chairman and CEO of Virsec Systems, Inc and the former president of AMD. Depending how long the hackers can keep the window open “they could see a very significant amount of data scroll by. Even if it's just for a few seconds, a humongous amount of information could go through,” he said.
How did this exist for so long?
An excellent question, which hasn't been answered yet. The flaws were discovered over the last several months independently by several teams, including Google’s Project Zero security team, researchers at Graz University of Technology in Austria, the University of Adelaide in Australia and the universities of Pennsylvania and Maryland, along with researchers at security firms Cyberus Technology, Rambus and Data61. The researchers alerted chip and software companies, which began writing patches and fixes. Everything was supposed to be announced on January 9th. As companies started to make changes to their software to allow them to implement the patches, security researchers noticed something was going on. This created buzz in the broader computer security community. When the security news site The Register published a story on January 2, it became impossible to wait and Intel and Google went public with the information.
Has anyone actually made use of this exploit yet?
Not that we know of.
It’s a very complex and rarified attack and one that until a few months ago no one even realized was possible. That said, exploiting this bug wouldn't leave traces so it's difficult to know if it's being used "in the wild," as security researchers say. But the race is now on, says Tony Cole, vice president of global government and critical infrastructure with computer security company FireEye. “I’m sure everybody on the attacker side is busy reading everything that’s out and trying to figure out how to use this. It’s being worked on as we speak.”
Apple recently confirmed its nasty secret: iOS slows down iPhones. Software enabling the iPhone 6 and iPhone 6S to be throttled was introduced in iOS 10.2.1 and Apple admitted the iPhone 7 was added to that list in early December through iOS 11.2. But new research suggests the most serious iPhone slowdown will be one that hits Apple itself…
In a new research note Barclays' analyst Mark Moskowitz estimates Apple is expected to lose millions of iPhone sales as owners realise they can rejuvenate their existing phone just by replacing the battery. Especially in conjunction with Apple’s 11 month ‘plea bargain’ to reduce the price of battery replacements from $79 to $29.
Breaking down its figures, Moskowitz states Barclays believes approximately 518 million iPhones (77% of all iPhones in circulation) will be eligible for Apple’s battery promotion, which covers the iPhone 6, iPhone 6S and iPhone 7. In a “base case scenario” Barclays expects over 10% (54M) to take up the offer giving Apple an additional $1.56BN in revenue. The flip side it points out is 30% of those who swap their iPhone battery are predicted to cancel their upgrade plans for 2018 costing Apple $10BN and 16M iPhone sales.
To put this in context, Barclays expects Apple to sell 56M iPhones in Q1, though I feel CLSA is closer to the mark when it recently stated sales will be closer to 30M. But the bigger picture is what happens to iPhone sales long term. What happens once the message spreads and even mainstream iPhone owners realise they can ‘rejuvenate’ their iPhone every 12 months for the cost of a new battery? Apple isn’t helping itself here either since the ever spiralling cost of new iPhones (the iPhone X starts from $999, before tax) is making long term ownership essential for any user who struggles to justify living on the hamster wheel of continual upgrades.
How futuristic is the iPhone X if its performance is throttled after 12 months? And what of each latest and greatest iPhone? When users understand that software designed to monitor and throttle it will be released just 12 months after launch, it is likely to take the shine off. After all it isn’t just speed Apple confesses throttled iPhones lose, its official list includes dimmed displays, reduced speaker volume and even disabling the camera flash.
None of which accounts for the future sales decisions of iPhone owners who now feel they were duped into unnecessary upgrades. Apple’s response has been to claim it is business as usual. That its practice of slowdowns is a praiseworthy feature for prolonging battery life and one it plans to continue. But this doesn’t wash. Apple’s biggest rivals have fallen over one another to stress such precautions aren’t necessary on their handsets and Samsung even promises 95% battery capacity retention for a minimum of two years. So much for the unavoidable physical limitations of lithium-ion batteries, Apple.
All of which means Barclays’ analysis is hugely significant. Not merely because it highlights short term iPhone sales losses, but because it reflects users finding a different path: one of fixing over upgrading that tears open Apple’s famous ‘Reality Distortion Field’. The genie is out the bottle and no amount of ‘magical’ rhetoric is going to put it back in…
Technology companies are working to protect their customers after researchers revealed that major security flaws affecting nearly every modern computer processor could allow hackers to steal stored data — including passwords and other sensitive information — on desktops, laptops, mobile phones and cloud networks around the globe.
The scramble to harden a broad array of devices comes after researchers found two significant vulnerabilities within modern computing hardware, one of which cannot be fully resolved as of yet. Experts say the disclosure of the critical flaws underscores the need to keep up with software updates and security patches and highlights the role independent research plays in prodding tech companies to minimize security weaknesses. On Thursday, Apple confirmed that all Mac systems and iOS devices are affected. Researchers at Google’s Project Zero, academic institutions and private companies published their findings on the vulnerabilities on Wednesday. They said the flaws were discovered last year. The more pervasive flaw of the two, dubbed Spectre, leaves the world's supply of microprocessors potentially vulnerable to attack, the researchers said. Although hackers will find it harder to take advantage of Spectre, it is also more challenging for computer manufacturers to ward off, the researchers said. “As it is not easy to fix, it will haunt us for quite some time,” the researchers said, explaining why they chose to call the flaw Spectre. There's no complete software patch for Spectre right now, said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon, a defense company. The long-term solution may rely on a hardware redesign, he said, with software patches acting to monitor and stop malicious behavior. In the meantime, criminal actors and nation states could further develop the Spectre vulnerability, making attacks easier to execute. “Right now it's kind of tricky to take advantage of it,” Daly said. “But it's not going to stop there. They will improve on it.” The other flaw, called Meltdown, affects most Intel processors made after 1995. And although security patches exist for devices running Linux, Windows, and OS X, the researchers said, the fix may slow down their performance by as much as 30 percent, according to some estimates. 
Intel and AMD both said that Google told the companies about the threats last summer. “Intel is committed to responsible disclosure. In this case, the security researchers presented their findings in confidence, and we and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible,” the company said in a blog post Wednesday. Intel also played down concerns about slowed performance because of the updates, noting that for the “average computer user,” the impact should not be significant and will lessen over time. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said. On Thursday, Apple confirmed that all Mac systems and iOS devices are affected, but that no known exploits have impacted its customers. In a post on its website, Apple said updates to its operating systems for iPhones (iOS 11.2), Macs (macOS 10.13.2), and Apple TVs (tvOS 11.2) would defend against Meltdown. The company said it will soon release a new version of its Safari web browser to protect customers against Spectre. Further updates of iOS, macOS, tvOS, and watchOS will be released to limit the threat of the vulnerabilities, Apple said. Microsoft said in a statement Thursday that it is not aware of any of these vulnerabilities being used against its customers. “We are in the process of deploying mitigations to cloud services and released security updates on January 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD,” the company said. Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have been or will soon be updated to protect against the newly disclosed vulnerabilities. 
Amazon said Wednesday in a blog post that “all but a small single-digit percentage of instances” of its EC2 systems, a service under its cloud computing platform, had already been protected, and urged customers to patch their operating systems using available updates. The founder and chief executive of Amazon.com, Jeffrey P. Bezos, also owns The Washington Post.
In a post on the company's website Wednesday, AMD said that one variant of the Spectre vulnerability was resolved by software and operating system updates. Another variant of Spectre, the company said, has “a near zero risk of exploitation” on its processors. But AMD also told its customers that “total protection from all possible attacks remains an elusive goal” and encouraged them to regularly update their software.
On Thursday, Intel's stock closed down 1.8 percent to $44.43 a share. But AMD jumped more than 5 percent following the publication of the security flaws, to close at $12.12 a share.
In a statement Thursday, Arm said that the majority of its processors are not affected by Spectre or Meltdown but confirmed that it has been working with Intel, AMD and other partners to develop defenses against the vulnerabilities.
“It's a positive thing that we have independent verification — researchers looking for vulnerabilities,” Daly said. “Most of the software vendors welcome that interaction as long as you see this disclosure in private first, so you have a chance to fix the bugs.”
Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.
This post has been updated with information from Google about protection against possible Spectre attacks that shouldn’t impact performance.
Apple has been mum on Spectre and how it affects iOS devices, but presumably the risk will be equally small.
Your Google Pixel 2 XL was already patched, as long as you have automatic updates turned on.
Are any phones at more risk?
The newest Android phones are in much better shape than older ones. Google’s latest security patch, which was released in December, “includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors.” That means all Pixel phones have been patched (assuming automatic updates are turned on), as well as Nexus 5X and 6P, as well as the Pixel C tablet.
How can it be fixed in non-Google phones?
Just like Meltdown, Spectre can only be patched via software. Some newer Android phones (such as the Samsung Galaxy S8 and Note 8) have already been updated, and other manufacturers should start pushing out their own updates within the next few weeks, as well as Apple’s iOS devices. However, many Android phones will likely remain vulnerable.
What if my phone doesn’t get updates anymore?
A hacker could potentially trick an otherwise safe app on your phone into handing over your personal info such as passwords and encryption keys. However, an attacker would need access to your unlocked phone as Spectre is unlikely to be implemented or triggered remotely.
The iPhone 5c could be at risk.
Is my iPhone affected by the Spectre CPU flaw?
Apple has been mum on this whole issue, but even though it makes its own processors for iOS devices, some are still likely affected. Apple bases its A-series chips on ARM architecture, including some susceptible processors. According to ARM, the following chips and phones may be affected:
Will my phone slow down when the updates are issued?
The patch doesn’t appear to have a noticeable effect on performance, but it’s much harder to measure on a phone than it is on a PC. Google says it has developed a new mitigation called Retpoline that protects against possible attacks with “negligible impact on performance.” It has deployed the patch on its own systems and shared it with industry partners.
Are the iPad and AppleTV affected?
The full extent of affected devices won’t be clear until Apple releases some sort of press release, but some of the ARM chips above are used in other Apple devices as well:
A pair of nasty CPU flaws exposed this week have serious ramifications for home computer users. Meltdown and Spectre let attackers access protected information in your PC’s kernel memory, potentially revealing sensitive details like passwords, cryptographic keys, personal photos and email, or anything else you’ve used on your computer.
It’s a serious flaw. Fortunately, CPU and operating system vendors pushed out patches fast, and you can protect your PC from Meltdown and Spectre to some degree. It’s not a quick one-and-done deal, though. They’re two very different CPU flaws that touch every part of your operating system, from hardware to software to the operating system itself.
Check out PCWorld’s Meltdown and Spectre FAQ for everything you need to know about the vulnerabilities themselves. We’ve cut through the technical jargon to explain what you need to know in clear, easy-to-read language. We’ve also created an overview of how the Spectre CPU bug affects phones and tablets. The guide you’re reading now focuses solely on protecting your computer against the Meltdown and Spectre CPU flaws.
How to protect your PC against Meltdown and Spectre CPU flaws
Here’s a quick step-by-step checklist, followed by the full process.
Where to update Windows 10. (Brad Chacos/IDG)
Microsoft pushed out an emergency Windows patch late in the day on January 3. If it didn’t automatically update your PC, head to Start > Settings > Update & Security > Windows Update, then click the Check now button under “Update status.” (Alternatively, you can just search for “Windows Update,” which also works for Windows 7 and 8.) Your system should detect the available update and begin downloading it. Install the update immediately.
If you don’t see it for whatever reason, you can download the Windows 10 KB4056892 patch directly here. You’ll need to know whether to grab the 32-bit (x86) or 64-bit (x64) version of the update. To determine if your PC runs a 32- or 64-bit version of Windows, simply type “system” (without the quotation marks) into Windows search and click the top listing. It’ll open a Control Panel window. The “System type” listing will tell you which version of Windows you’re running. Most PCs released in the past decade will be using the 64-bit operating system.
The System information you’re looking for. (Brad Chacos/IDG)
Apple quietly worked Meltdown protections into macOS High Sierra 13.10.2, which released in December. If your Mac doesn’t automatically apply updates, force it by going into the App Store’s Update tab.
Chromebooks should have already updated to Chrome OS 63 in December. It contains mitigations against the CPU flaws. Linux developers are working on kernel patches. Patches are also available for the Linux kernel.
Now for the bad news. The operating system patches will slow down your PC, though the extent varies wildly depending on your CPU and the workloads you’re running. Intel expects the impact to be fairly small for most consumer applications like games or web browsing. You still want to install the updates for security reasons.
Check for a firmware update
Intel’s Core i7-8700K CPU is vulnerable to Meltdown and Spectre.
Because Meltdown’s CPU exploits exist on a hardware level, Intel is also releasing firmware updates for its processors. “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” it said in a statement on January 4. The company also released a detection tool that can help you determine whether you need a firmware update.
Actually getting those firmware updates is tricky, because firmware updates aren’t issued directly from Intel. Instead, you need to snag them from the company that made your laptop, PC, or motherboard—think HP, Dell, Gigabyte, et cetera. Intel’s support page dedicated to the vulnerability includes links to support pages for all of its partners, where you can find any available firmware updates and information for your particular PC. Most prebuilt computers and laptops have a sticker with model details somewhere on their exterior.
Update your browser
You also need to protect against Spectre, which tricks software into accessing your protected kernel memory. Intel, AMD, and ARM chips are vulnerable to Spectre to some degree. Software applications need to be updated to protect against Spectre. The major PC web browsers have all issued updates as a first line of defense against nefarious websites seeking to exploit the CPU flaw with JavaScript.
Enabling Site Isolation in Chrome 63.
Microsoft updated Edge and Internet Explorer alongside Windows 10. Firefox 57 also wraps in some Spectre safeguards. Chrome 63 made “Site Isolation” an optional experimental feature. You can activate it right now by entering chrome://flags/#enable-site-per-process into your URL bar, then clicking Enable next to “Strict site isolation.” Chrome 64 will have more protections in place when it launches on January 23.
Keep your antivirus active
Finally, this ordeal underlines how important it is to keep your PC protected.
The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer. Plus, “your antivirus may detect malware which uses the attacks by comparing binaries after they become known,” Google says.
This week, two disastrous new processor vulnerabilities spilled out into the open — and the tech world is still coming to terms with the damage. The vulnerabilities, dubbed Meltdown and Spectre, affect nearly every processor made in the last 20 years. Meltdown is the immediate threat, with proof-of-concept exploits already available, but Spectre is much deeper and harder to patch, potentially leading to generations of more subtle exploits in the years to come.
The result has left nearly every major technology company scrambling to protect themselves and their customers. The focus so far has been on personal devices, with a flood of patches already available this morning, but many experts think the most severe damage is likely to come when the exploits are turned on cloud services.
“These vulnerabilities will allow one tenant to peer into the data of another co-hosted tenant,” says Mounir Hahad, the head of threat research at Juniper Networks. “This is the reason many organizations steer clear of hosted services when it comes to processing sensitive information.”
THE SPECTRE ATTACK IS MUCH MORE POWERFUL IN THE CLOUD
Both Meltdown and Spectre deal with data leaking from one part of the computer to another, which makes them particularly dangerous when a single device is shared between users. With lots of commands running in parallel, the attacks found a way to extract data from the processor cache through a complex timing attack, sidestepping the usual privileges.
Executed right, that could let a low-level process like a web plugin get access to passwords or other sensitive data held in a more secure part of your computer.
On a personal computer, that attack would be most useful for privilege escalation: a hacker running low-level malware could use a Spectre bug to own your whole computer. But there are already lots of ways to take over a computer once you’ve got a foothold, and it’s not clear how much a new processor attack would change things.
But privilege escalation is much scarier in the cloud, where the same server could be working for dozens of people at once. Platforms like Amazon Web Services and Google Cloud let online companies spread a single program across thousands of servers in data centers across the world, sharing hardware the same way you’d share an airplane or a subway car. Collective hardware isn’t a security problem because even when different users are on the same server, they’re in different software instances, with no way to jump from one instance to another. Spectre could change that, letting attackers steal data from anyone sharing the same chip. If a hacker wanted to perform that kind of attack, all they’d have to do is start their own instance and run the program.
Cloud services are also a lucrative target for anyone hoping to cash in on Spectre. Lots of midsize businesses run their entire infrastructure on AWS or Google Cloud, often trusting the platform with sensitive and potentially lucrative information. Bitcoin exchanges, chat apps, even government agencies all keep passwords and other sensitive data on cloud servers. If you’re running a modern web service, there’s simply no other choice. If someone did set a new exploit running on a cloud instance, there’s no telling what kind of data might shake out.
RESEARCHERS WILL BE FINDING NEW VARIANTS AND EXPLOITS FOR YEARS
So far, cloud platforms are taking the threat seriously, and doing everything they can to contain it.
Amazon Web Services, Google Cloud, and Microsoft Azure all immediately deployed patches against the Meltdown attack, and there’s no indication that the available exploits could work against any of those platforms. Where there have been lingering vulnerabilities, it’s because companies are waiting on patches from third parties, like the Windows-based instances of Amazon EC2. The major platforms have handled the immediate response well, and there’s no reason to think we’re headed toward a cloud catastrophe in the days immediately to come. (Reached by The Verge, a Google representative said the company’s cloud services had been protected against both Meltdown and Spectre, although they declined to elaborate on the Spectre protections. Amazon did not respond to a request for comment.) What’s more worrying is what happens in the next few years. Deeply rooted vulnerabilities like Spectre can be hard to stamp out. Researchers will be finding new variants and exploits for years — much like we saw with Stagefright — and not all of the new tricks will be as well-publicized as Spectre and Meltdown were. It’s easy to imagine an undiscovered Spectre exploit falling into criminal hands six months from now — and when it does, platforms like AWS and Google Cloud will be extremely tempting targets. It’s particularly daunting because those platforms undergird almost all of what we think of as the internet. They run nearly every program on your phone, stream your songs and shows. It’s hard to think of a piece of information on the internet that doesn’t pass through those servers at some point, even just for caching. In a material sense, they are the internet. And while they’re staffed by some of the best security teams in the world, the attack surface is almost unlimited. 
Dealing with the fallout from Spectre will be one of the hardest security problems the system has ever faced — and it’s a problem that won’t go away anytime soon.
Microsoft has been bundling a password manager that features a dangerous flaw with some versions of Windows 10, a Google security researcher has revealed. Tavis Ormandy noticed that his copy of Windows 10 included Keeper, which he had previously found to be injecting privileged UI into pages. The version that Microsoft was including with Windows 10 featured the same bug.
What does this mean? In short, it allows any website to steal passwords from you.
Keeper was included in some Windows 10 installations as a browser plugin, and it included the very same vulnerability that Ormandy had reported nearly a year and a half earlier. With little more than a couple of very easily implemented tweaks, he found that it was possible to steal passwords that are stored within Keeper.
Ormandy shared details of the vulnerability on Twitter:
Tavis Ormandy (@taviso), 11:43 AM - Dec 15, 2017: I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability.
He also posted on the Project Zero page, saying:
I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this: https://www.reddit.com/r/Windows10/comments/6dpj78/keeper_password_manager_comes_preinstalled_now/
I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and, they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.
Having been made aware of the problem, the developers of Keeper issued a patch within 24 hours, saying:
This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a 'clickjacking' technique to execute privileged code within the browser extension. There have been no reports of the vulnerability having been exploited.
Wow, this is a bad one. On Macs running the latest version of High Sierra — 10.13.1 (17B48) — it appears that anyone can log in just by putting “root” in the user name field. This is a huge, huge problem. Apple will fix it probably within hours but holy moly. Do not leave your Mac unattended until this is resolved.
The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally you’d click that to enter your user name and password, which are required to change important settings like those in Security & Privacy. No need to do that any more! Just enter “root” instead of your user name and hit enter. After a few tries, it should log right in.
There’s no need to do this yourself to verify it. Doing so creates a “root” account that others may be able to take advantage of if you don’t disable it.
The bug appears to have been first noticed by Lemi Orhan Ergin, founder of Software Craftsman Turkey, who noted it publicly on Twitter.
Needless to say, this is incredibly, incredibly bad. Once you log in, you’ve essentially authenticated yourself as the owner of the computer. You can add administrators, change critical settings, lock out the current owner, and so on. Do not leave your Mac unattended until this is resolved.
So far this has worked on every preference panel we’ve tried, and when I used “root” at the login screen it immediately created and pulled up a new user with system administrator privileges. It didn’t work on a 10.13 (17A365) machine, but that one is also loaded up with Aol bloatware — sorry, Oath bloatware — which may affect things.
A potential fix is to log into the “root” account and change its password to… well, anything. But the safest thing is to not expose your device to any unfamiliar environments until the bug is fixed.
We’ve asked Apple for comment, but I’m guessing they’re pretty busy. We hope they have a fix soon because no one should leave their Mac unattended until this is resolved.
Chatbots. They’re usually a waste of your time, so why not have them waste someone else’s instead? Better yet: why not have them waste an email scammer’s time? That’s the premise behind Re:scam, an email chatbot operated by New Zealand cybersecurity firm Netsafe.
Next time you get a dodgy email in your inbox, says Netsafe, forward it on to me@rescam.org, and a proxy email address will start replying to the scammer for you, doing its very utmost to waste their time. You can see a few sample dialogues in the video above, or check out a longer back-and-forth below. It looks infuriatingly effective.
Using chatbots to give email scammers a taste of their own medicine isn’t that new. And although Netsafe has made a very fancy looking video promo for their bot, the technology behind it is relatively simple; relying more on pre-programmed conversational misdirects than sophisticated artificial intelligence.
Really, though, that’s all it takes. Another famous chatbot time-waster is “Lenny,” which is designed to waste telemarketers’ time, and does so without any AI or speech recognition component. Instead, Lenny uses just 16 pre-recorded snippets of dialogue, each of which is as vague and ambiguous as possible. Lenny simply waits until there’s a gap in the conversation, then plays one of its bits of dialogue, cycling through all 16 in various patterns. The technique is surprisingly effective, as the video below shows. (You’ll feel sorry for the caller before long.)
But let’s just wait until the scammers have their own bots, too. That’ll be the future of cybersecurity: millions of bots battling back and forth behind-the-scenes, running interference for us. That is, until the bots stop fighting one another and decide to take on their common enemy instead. Let’s hope we can waste their time just a little longer.
With a crop of non-security Office updates due today, a big dose of security patches expected in a week, and a known bug in the KB 4041686 Win7 Preview, now’s a good time to make sure you have Automatic Update set so it won’t deal you a nasty surprise.
Last month we had no end of problems with Microsoft’s Windows and Office patches.
If your machine was attached to a corporate Windows Update server, and your admin approved Windows patches for immediate distribution, your PC may have joined a sea of blue screens. There were lots and lots of additional gotchas.
This month, we already know that KB 4041686, the 2017-10 Win7 Preview of a Monthly Rollup, has a retrograde bug in it that clobbers SFC scans. It’s not at all clear if Microsoft is going to fix that bug before the Preview becomes the for-real Monthly Rollup.
We also know that last Thursday's attempt to fix a bug introduced in the October security patches failed miserably, with Microsoft surreptitiously pulling KB 4052233, 4052234, and 4052235 and erasing them from the KB list, the catalog, and even the update histories. Heaven only knows if the next iteration of that abomination will succumb to a similar fate.
Later today, we should see a dozen or more non-security patches for Office. You don’t need any of them right away. A week from now, the security fixes should roll out.
As I’ve argued many times before, it just makes sense to hold off installing Windows and Office updates until the major first-round bugs get shaken out. Let the unpaid beta testers sacrifice their machines first.
If your PC is attached to a Windows Update server, buy your admin a cup o’ coffee and gently make sure they don’t have WSUS or SCCM set to automatically approve updates as soon as Microsoft dishes them out.
If you’re running Win7 or 8.1, the method for blocking updates isn’t difficult.
Disable Automatic Update in Vista, Win7 or 8.1
If you’re running Windows 10 Pro Creators Update (version 1703) or Fall Creators Update (1709), the method’s even easier: telling Auto Update to back off just takes a couple of clicks. See Steps 7 and 8 in 8 steps to install Windows 10 patches like a pro.
But if you have any other version of Win10, you aren’t so lucky. Win10 Home users, and those with earlier versions of Pro, are considered fair fodder for the unpaid beta-testing cannons.
Take a minute right now and make sure Automatic Update is turned off.