Date: 2019-04-29
Security and Proprietary Software Issues
-
Security updates for Monday
Security updates have been issued by Arch Linux (389-ds-base, consul, containerd, geckodriver, powerdns, vivaldi, webkit2gtk, and wpewebkit), Debian (aspell, condor, libsndfile, linuxptp, and lrzip), and Fedora (bluez, buildah, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, kernel, kernel-tools, mbedtls, mingw-exiv2, mingw-python-pillow, mrxvt, python-pillow, python2-pillow, redis, and seamonkey).
-
Wladimir Palant: Data exfiltration in Keepa Price Tracker
As readers of this blog might remember, shopping assistants aren’t exactly known for their respect of your privacy. They will typically use their privileged access to your browser in order to extract data. For them, this ability is a competitive advantage. You pay for a free product with a privacy hazard.
Usually, the vendor will claim to anonymize all data, a claim that can rarely be verified. Even if the anonymization actually happens, it’s really hard to do this right. If anonymization can be reversed and the data falls into the wrong hands, this can have severe consequences for a person’s life.
Today we will take a closer look at a browser extension called “Keepa – Amazon Price Tracker” which is used by at least two million users across different browsers. The extension is being brought out by a German company and the privacy policy is refreshingly short and concise, suggesting that no unexpected data collection is going on. The reality however is: not only will this extension extract data from your Amazon sessions, it will even use your bandwidth to load various Amazon pages in the background.
-
Cloudflare Vulnerability Enabled Compromise of 12% of All Websites
Cloudflare recently disclosed a vulnerability that could have resulted in successful cyberattacks on the millions of websites (12.7% of ALL websites to be precise) that rely on JavaScript and CSS libraries found on cdnjs, an open-source content delivery network (CDN) hosted by the CDN service provider.
Fortunately, there is no evidence (so far) that cybercriminals have exploited the vulnerability. But the fact that this serious vulnerability was most likely present for quite some time is in itself alarming, to say nothing of the “what-if” scenarios.
-
Google Meet PWA Launches On Windows, Mac, Chrome OS & Linux [Ed: Google acts like it just owns the Internet (it does Vint Cerf) while pushing its proprietary bits into the WWW]
Google Meet is now available as a Progressive Web App (PWA). It’s a standalone app that offers the same features and functionality as the conventional desktop app but in a smaller package.
-
WireGuardNT, a high-performance WireGuard implementation for the Windows kernel [Ed: So basically they don't care about real security]
-
WireGuard Sees Native, High-Performance Port To The Windows Kernel - Phoronix
The excellent WireGuard open-source secure VPN tunnel has been seeing growing adoption on Linux now that it's been in the mainline kernel for a while and also seeing continued progress on the BSDs. While there has been beta WireGuard for Windows in user-space, "WireGuardNT" was announced today as a native high-performance port to the Windows kernel.
This WireGuard port to the Windows NT kernel started as a port of their current Linux kernel code-base but then adapted to better fit with the Windows kernel and its APIs. WireGuard founder Jason Donenfeld commented, "The end result is a deeply integrated and highly performant implementation of WireGuard for the NT kernel, that makes use of the full gamut of NT kernel and NDIS capabilities...For the Windows platform, this project is a big deal to me, as it marks the graduation of WireGuard to being a serious operating system component, meant for more serious usage. It's also a rather significant open source release, as there generally isn't so much (though there is some) open source crypto-NIC driver code already out there that does this kind of thing while pulling together various kernel capabilities in the process."
-
