Security Leftovers (2021-04-13)
-
Wladimir Palant: Universal XSS in Ninja Cookie extension
The cookie consent screens are really annoying. They attempt to trick you into accepting all cookies; dismissing them without agreeing is made intentionally difficult. A while back I wrote on Twitter that I’m almost at the point of writing a private browser extension to automate the job. And somebody recommended Ninja Cookie extension to me, which from the description seemed perfect for the job.
Now I am generally wary of extensions that necessarily need full access to every website. This is particularly true if these extensions have to interact with the websites in complicated ways. What are the chances that this is implemented securely? So I took a closer look at Ninja Cookie source code, and I wasn’t disappointed. I found several issues in the extension, one even allowing any website to execute JavaScript code in the context of any other website (Universal XSS).
-
[Older] Building a security response team in Alpine
Starting this past month, thanks to the generous support of Google and the Linux Foundation, instead of working on the usual Alpine-related consulting work that I do, I’ve had the privilege of working on various initiatives in Alpine relating to security that we’ve needed to tackle for a long time. Some things are purely technical, others involve formulating policy, planning and recruiting volunteers to help with the security effort.
For example, my work to replace poorly maintained software with better replacements is a purely technical security-related effort, while building a security response team has social aspects as well as designing and building tools for the team to use. Our security issue tracker has gone live and is presently being tested by the community, and with that work we’re already off to a great start at an organized security response.
If you didn’t know what Alpine Linux is already, it is a popular Linux system with over a billion installations on Docker alone. By building on efficient building blocks, such as the musl C library and busybox, Alpine maintains a slim installation image size while also providing the conveniences of a general-purpose Linux distribution. As a result, Alpine has been deployed as the base of many Docker images, has been ported to hundreds of devices as the basis of postmarketOS, has been used to build hundreds of appliances with LinuxKit and has been deployed everywhere from 5G networks to solar farms and oil rigs thanks to the work done by Zededa with Project EVE. With all of this growth in the past few years, it’s important to rethink a lot of things in the distribution including our approach to security.
-
What3Words Sends Ridiculous Legal Threat To Security Researcher Over Open Source Alternative
A couple of years ago we wrote about What3Words, and noted that it was a clever system that created an easy way to allow people to better share exact locations in an easily communicated manner (every bit of the globe can be described with just 3 words -- so something like best.tech.blog is a tiny plot near Hanover, Ontario). While part of this just feels like fun, a key part of the company's marketing message is that the system is useful in emergency situations where someone needs to communicate a very exact location quickly and easily.
-
An important Exim security release
There are, it seems, 21 vulnerabilities in the Exim email server that have been fixed in the 4.94.2 release; at least some of these are remotely exploitable for root access. "The current Exim versions (and likely older versions too) suffer from several exploitable vulnerabilities. These vulnerabilities were reported by Qualys via security@exim.org back in October 2020. Due to several internal reasons it took more time than usual for the Exim development team to work on these reported issues in a timely manner." See this advisory from Qualys for the details.
-
Security updates for Tuesday
Security updates have been issued by Debian (bind9, chromium, exim4, and subversion), Fedora (exiv2 and skopeo), openSUSE (gsoap), Oracle (bind, kernel, and sudo), SUSE (bind, ceph, ceph, deepsea, permissions, and stunnel), and Ubuntu (clamav, exim4, openvpn, python-django, and samba).
-
New Spectre vulnerabilities discovered on Intel and AMD processors
The problem with both the original Spectre and these new Spectre vulnerabilities is that they’re built into the hardware. One method could be disabling micro-op cache or halting speculative execution, but as the researchers noted, this fix would “effectively roll back critical performance innovations in most modern Intel and AMD processors, and this just isn’t feasible.”
-
Billions of computers at [cracking] risk: Indian-origin scientist
However, researchers, led by Ashish Venkat at the University of Virginia's School of Engineering and Applied Science, UVA Engineering, discovered that computer processors are open to [crackers] again.
They found a whole new way for [crackers] to exploit something called a "micro-op cache," which speeds up computing by storing simple commands and allowing the processor to fetch them quickly and early in the speculative execution process.
Micro-op caches have been built into Intel computers manufactured since 2011.
-
Don’t Ignore Ransomware. It’s Bad. [iophk: Windows TCO]
My colleague Nicole Perlroth has spent years chronicling the proliferation of cyberattacks, including ransomware. She spoke to me about steps that the U.S. government and individual organizations could take to better prevent it. Nicole tried to be hopeful but she has a discouraging diagnosis of ransomware’s root cause: America has failed to invest in its defense.
-
The Cyber Cold War Is Here [iophk: Windows TCO]
I’m thinking about vulnerabilities that lurk in your garage (your car), your house (your computer), and even your pocket (your phone). Like those devices of yours, all connected to the Internet and so [crackable], American businesses, hospitals, and public utilities can also be hijacked from a distance thanks to the software that helps run their systems. And don’t think that the US military and even cybersecurity agencies and firms aren’t seriously at risk, too.
Such vulnerabilities stem from bugs in the programs—and sometimes even the hardware—that run our increasingly wired society. Beware “zero-day” exploits—so named because you have zero days to fix them once they’re discovered—that can attract top-dollar investments from corporations, governments, and even black-market operators. Zero days allow backdoor access to iPhones, personal e-mail programs, corporate personnel files, even the computers that run dams, voting systems, and nuclear power plants.
It’s as if all of America were now protected by nothing but a few old padlocks, the keys to which have been made available to anyone with enough money to buy them (or enough ingenuity to make a set for themselves). And as if that weren’t bad enough, it was America that inadvertently made these keys available to allies, adversaries, and potential blackmailers alike.
-