Musings tagged as security

Microsoft has decided to pull the latest update for Windows 10. The statement reads:

We have paused the rollout of the Windows 10 October 2018 Update for all users as we investigate isolated reports of users missing some files after updating.

There are, of course, numerous reports of international companies with dominance over the OS market pulling updates just because of a few isolated reports from some users. ^^

In reality, there were serious issues like incompatibilities with Intel Display Audio device drivers, the task manager not reporting the correct CPU usage (maybe a conspiracy with Intel for their Meltdown patches? ^^), and

*drumroll*

Deletion of user files located in C:\Users\[username]\Documents\.

A user reported losing 220 GB worth of personal files. You can find many more reports in the same thread. Whohooow! Go Microsoft!

There is a new attack out there that allows you to reboot iOS or freeze macOS simply by visiting a webpage containing HTML and CSS. It does not need JavaScript to be enabled, so it also works while viewing HTML e-mail (which you should never do anyway, but tell that to the hipsters).

The following excerpt is especially exciting:

Haddouche has told BleepingComputer that he has created an additional attack using HTML, CSS, and JavaScript that will totally freeze macOS computers. He has not released it as it persists after reboot and macOS will relaunch Safari with the malicious page as well, making the computer freeze again.

After Apple’s botched last year with regard to miserable security and ridiculous vulnerabilities, one would assume they had gotten off their asses and shifted resources to fixing their Swiss cheese of an operating system. But then again, pumping out new iPhones seems to be more important. Got to please the hipsters. I actually find it very interesting how Apple and their operating systems went from “expensive but secure” to “expensive and utter garbage with more holes than a Swiss cheese” over the last three or so years. It is a perfect example of what happens if you prioritize new products (quantity) over fixing your shit and delivering a well developed product (quality).

In a shady move, Intel has added some small print to the latest license agreement on its updated CPU microcode. After the last debacle with microcode patches designed to mitigate Spectre and Meltdown vulnerabilities, which - depending on your use case - led to severe drops in performance, Intel is now trying to keep you from publishing benchmarks. The new license post-update contains the following lines:

You will not, and will not allow any third party to
*Snip*
(v) publish or provide any Software benchmark or comparison test results.

You can read this as “And if our firmware patches fuck up your CPU performance even more then you are not allowed to talk about it while we still claim in advertisements that our CPUs are blazingly fast.”

Luckily, Debian GNU/Linux is not having it and has decided not to publish microcode updates till the license issue is taken care of. Here is the corresponding bug tracker entry where new updates to the issue might also appear. One thing to take away from this is that apparently Intel wants to be able to tell you what kind of things you are allowed to use your CPU for. Luckily, with the recently launched Ryzen 2 lineup and the new Threadripper 2 CPUs that are due for release this month, AMD is already a great alternative, even for gaming. In light of Intel's license fuckups this decision has just been made even simpler.

Update: Intel is now backpedaling and changing its license once again. The Streisand effect got to them first though, and now the news is out. Having to disable hyperthreading in order for the fix to work is bound to have a huge performance impact, and Intel's foolish try to suppress their customers certainly did not help their credibility. Once again: AMD Threadripper, here I come :)

Snake oil vendor Avast has pulled v5.45 of its CCleaner suite over privacy controversy. Apparently the latest update made some “minor” changes which resulted in a bit of an outcry. Active monitoring - which translates to yes please send information about me and my system to your servers - could no longer be switched off. Also, you could no longer shut down CCleaner. You had to kill the process as there was no way to exit the software normally. Free users got another special treat as sharing your data with 3rd parties could no longer be disabled and was mandatory.

According to ungleich.ch, Mozilla is planning to introduce a new method for resolving DNS queries that could actually end up negatively impacting your privacy.

Dubbed Trusted Recursive Resolver (TRR), this new resolving method actually results in Firefox ignoring your DNS server and using Cloudflare's DNS servers instead. This is awesome, especially because Cloudflare is a company from the US and they then know which sites you connect to. Essentially this would mean that one company has all the information on all users of Firefox.

This is utterly stupid. Collecting data in one place makes Cloudflare a prime target for surveillance and it also stores your connection metadata in the US. Essentially they are adding a single point of failure for the whole Firefox ecosystem.

Thankfully, ungleich.ch offers some advice:

  • enter about:config in the address bar
  • search for network.trr
  • set network.trr.mode = 5 to completely disable this feature

The other modes for network.trr.mode are described in usejournal.com.

Apparently Mozilla wants to set the new resolver feature as a default beginning with the September patch. Be sure to check your settings again then. Oh and why the fuck does Mozilla insist on fucking up Firefox?
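One way to do that re-check without clicking through about:config, as an added example (not from the original post or from ungleich.ch): it reads the text of a profile's prefs.js and user.js and reports the effective network.trr.mode. The function names and sample file contents are constructed for illustration; network.trr.uri and the mode meanings are taken from Mozilla's TRR documentation of that time, not from this page.

```python
import re

# Matches lines such as: user_pref("network.trr.mode", 5);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Mode meanings as documented by Mozilla when TRR was introduced (2018).
TRR_MODES = {
    0: "off (default, so the vendor default can change)",
    1: "race native resolver against TRR",
    2: "TRR first, native resolver as fallback",
    3: "TRR only",
    4: "shadow mode (TRR runs in parallel, results unused)",
    5: "off by explicit user choice",
}

def read_prefs(text):
    """Return {name: raw_value} for every user_pref() line in a prefs file."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs

def effective_trr(prefs_js, user_js=""):
    """Report the TRR state; user.js is applied over prefs.js at startup."""
    merged = read_prefs(prefs_js)
    merged.update(read_prefs(user_js))
    raw = merged.get("network.trr.mode")
    mode = int(raw) if raw and re.fullmatch(r"-?\d+", raw) else None
    if mode is None:
        meaning = "not set in profile (browser default applies)"
    else:
        meaning = TRR_MODES.get(mode, "unknown mode")
    return {"mode": mode, "meaning": meaning,
            "uri": merged.get("network.trr.uri"),
            "disabled_by_choice": mode == 5}

# Constructed sample profile contents (not taken from a real system).
SAMPLE_PREFS_JS = '''
// Mozilla User Preferences
user_pref("network.trr.mode", 2);
user_pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");
'''
SAMPLE_USER_JS = 'user_pref("network.trr.mode", 5);\n'

if __name__ == "__main__":
    for user_js in ("", SAMPLE_USER_JS):
        print(effective_trr(SAMPLE_PREFS_JS, user_js))
```

A profile where the preference is absent reports mode None rather than 5, which is the case to watch once the default changes.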

FileZilla, the formerly easy-to-recommend FTP/SFTP client for private and enterprise use, has fallen from grace and included adware in their installers. With security professionals already recommending uninstalling FileZilla, its author Tim Kosse is trying hard to reframe the issue, claiming that ad-supported installers are necessary and have been around for a long time.

This does not change the fact, however, that some of the “offers” available via the ad-laden installer are downloading unsigned executables to your PC. Including some really shady ones that download separate data files which later get concatenated into an executable. The best guess is that this would be an attempt at avoiding detection by malware blockers.

This is a terrible move by FileZilla and I too suggest uninstalling it if you still use it. A good alternative for Windows users is WinSCP. Free, open source, what is not to like?

More Intel CPU Flaws Surface

Thu, Jun 14, 2018

While the latest CPU iteration of Intel still is affected by Meltdown, another vulnerability was discovered in their CPUs. It is also based on speculative execution and apparently allows floating point registers to be leaked from another process. Dubbed Lazy FP state restore, this bug of course affects all systems based on Intel processors which are vulnerable. Linux and the latest flavours of BSD are already fixed or immune anyway. Windows Server 2008, however, is still vulnerable.
