Security Leftovers
Date: 2020-03-04
FDA warns patients about Bluetooth flaws affecting pacemakers, glucose monitors
Pacemakers and glucose-monitoring systems are among the critical medical equipment that could be affected by new security vulnerabilities in wireless technology, the Food and Drug Administration and Department of Homeland Security warned this week.
The set of flaws in a popular wireless protocol known as Bluetooth Low Energy (BLE), which impact microchipped devices in a range of industries, could allow a hacker within radio range of a device to disrupt its communications, forcing it to restart.
A major new Intel processor flaw could defeat encryption and DRM protections
Security firm Positive Technologies discovered the flaw, and is warning that it could break apart a chain of trust for important technology like silicon-based encryption, hardware authentication, and modern DRM protections. “This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms,” explains security researcher Mark Ermolov.
The root of the flaw is Intel’s Converged Security Management Engine (CSME), the part of Intel’s chips that’s responsible for securing all firmware that runs on Intel-powered machines. Intel has previously patched vulnerabilities in the CSME, but the researchers warn the CSME firmware is unprotected early on when a system boots so it’s still vulnerable to attacks.
“The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets,” warns Ermolov. “The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
Researchers discover that Intel chips have an unfixable security flaw
The chips are vulnerable during boot-up, so they can't be patched with a firmware update.
Security researchers have discovered another flaw in recent Intel chips that, while difficult to exploit, is completely unpatchable. The vulnerability is within Intel's Converged Security and Management Engine (CSME), a part of the chip that controls system boot-up, power levels, firmware and, most critically, cryptographic functions. Security specialists Positive Technologies have found a tiny gap in security in that module that could allow attackers to inject malicious code and, eventually, commandeer your PC.
The vulnerability is another in a string of Intel chip flaws that have damaged the chipmaker's reputation of late. In 2018, Intel faced heavy criticism over the Meltdown and Spectre flaws in Intel chips that could have allowed attackers to steal data.
A cross-browser code library for security/privacy extensions. Interested?
Google's ongoing "Manifest V3" API changes are severely hampering browser extensions in their ability to block unwanted content and to enforce additional security policies, threatening the usefulness, if not the very existence, of many popular privacy and security tools. uBlock's developer made clear that this will cause him to cease supporting Chromium-based browsers. Also, the EFF (which develops extensions such as HTTPS Everywhere and Privacy Badger) publicly stigmatized Google's decisions, questioning both their consequences and their motivations.
NoScript is gravely affected too, although its position is not as dire as others': in fact, I finished porting it to Chromium-based browsers at the beginning of 2019, when Manifest V3 had already been announced. Therefore, in the late stages of that project and beyond, I've spent considerable time researching and experimenting with alternate techniques, mostly based on standardized Web Platform APIs and thus unaffected by Manifest V3, which allow implementing comparable NoScript functionality, albeit at the price of added complexity and/or performance costs. Furthermore, Mozilla developers stated that, even though staying as compatible as possible with the Chrome extensions API is a goal of theirs, they do not plan to follow Google in those choices which are more disruptive for content blockers (such as the deprecation of blocking webRequest).
Firefox to Get an Additional Sandbox Layer
Starting with Firefox 74, the open source web browser will include the new RLBox security feature.
The Firefox web browser already runs on top of a sandbox which separates the browser from the operating system. But with attack vectors growing more and more sophisticated (and many shared libraries not up to modern security demands), the Mozilla developers decided it was time to take the isolation of the browser further.
With the release of Firefox 74, a new sandbox technology, called RLBox, will be added. RLBox was developed as a joint effort between Mozilla, the University of California San Diego, the University of Texas at Austin, and Stanford University.
According to Bobby Holley, principal engineer with Mozilla, RLBox is a “big deal”. With this new sandbox layer, it’s easy to isolate existing chunks of code at an unheard-of granularity. With RLBox in place, the Firefox developers are able to separate third-party libraries from the Firefox core engine. By making this separation, bugs and exploits within third-party libraries will be unable to impact other applications that use the same library.
Linux PPPD Has A 17 Year Old Vulnerability That Could Lead To Remote Code Execution
It turns out the Point-to-Point Protocol Daemon (PPPD) used for dial-up modems, DSL, and other point-to-point network setups on Linux has been bugged for the past seventeen years with a buffer overflow vulnerability that could lead to remote code execution at the system level.
Every release from PPPD 2.4.2 in 2003 up through PPPD 2.4.8, the latest stable release, is subject to a buffer overflow in the EAP packet processing code. Due to an incorrect bounds check, there is the possibility of arbitrary code execution within this high-profile Linux daemon.
