
Proprietary Software Security

  • OMIGOD: Azure users running Linux VMs need to update now [Ed: They need to abandon Microsoft Azure and get reprimanded by the employer for ever choosing this NSA company as a host in the first place]
  • Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed
  • Microsoft Patch Tuesday, September 2021 Edition

    Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that’s reportedly been abused to install spyware on iOS products, and Google’s got a new version of Chrome that tackles two zero-day flaws. Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software.

  • Apple Patches Up Devices In Response To The Exposure Of Yet Another NSO Group Exploit

    Israeli digital arms merchant NSO Group continues to sell its malware to a wide variety of governments. The governments it sells to, which includes a bunch of notorious human rights abusers, continue to use these exploits to target dissidents, activists, journalists, religious leaders, and political opponents. And the manufacturers of the devices exploited by governments to harm people these governments don't like (NSO says "criminals and terrorists," long-term customers say "eh, whoever") continue to patch things up so these exploits no longer work.

  • It's not just you: Emergency software patches are on the rise

    Researchers raised the alarm Monday about a big one: The Israeli spyware company NSO Group, which sells programs for governments to remotely take over people’s smartphones and computers, had figured out a new way into practically any Apple device by sending a fake GIF through iMessage. The only way to guard against it is to install Apple’s emergency software update.

  • Apple Rushes Out Emergency Update to Stop ‘No Click’ Spyware

    The flaw, disclosed Monday by Citizen Lab, allowed a hacker using NSO’s Pegasus malware to gain access to a device owned by an unnamed Saudi activist, according to security researchers. Apple said the flaw could be exploited if a user on a vulnerable device received a “maliciously crafted” PDF file.


Security Leftovers

  • Security updates for Thursday

    Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment).

  • CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems [Ed: How to distract from the major problem CISA has just pointed out]
  • PyPI Package 'secretslib' Drops Fileless Linux Malware to Mine Monero [Ed: The issue here is not "Linux" but people installing malware on it]
  • The quantum state of Linux kernel garbage collection (Project Zero)

    The Project Zero blog has posted a detailed look at CVE-2021-0920 in the first of a two-part series on how this bug created a vulnerability that was subsequently exploited.

  • Security requirements for new kernel features

    The relatively new io_uring subsystem has changed the way asynchronous I/O is done on Linux systems and improved performance significantly. It has also, however, begun to run up a record of disagreements with the kernel's security community. A recent discussion about security hooks for the new uring_cmd mechanism shows how easily requirements can be overlooked in a complex system with no overall supervision.

    Most of the operations that can be performed within io_uring follow the usual I/O patterns — open a file, read data, write data, and so on. These operations are the same regardless of the underlying device or filesystem that is doing the work. There always seems to be a need for something special and device-specific, though, and io_uring is no exception. For the kernel as a whole, device-specific operations are made available via ioctl() calls. That system call, however, has built up a reputation as a dumping ground for poorly thought-out features, and there is little desire to see its usage spread.

    In early 2021, io_uring maintainer Jens Axboe floated an idea for a command passthrough mechanism that would be specific to io_uring. A year and some later, that idea has evolved into uring_cmd, which was pulled into the mainline during the 5.19 merge window. There is a new io_uring operation that, in turn, causes an invocation of the underlying device or filesystem's uring_cmd() file_operations function. The actual operation to be performed is passed through to that function with no interpretation in the io_uring layer. The first user is the NVMe driver, which provides a direct passthrough operation.

Oaxaca, Endless OS, and indigenous languages

A rural Mexican state was the setting for an initiative to use the GNOME-based Endless OS to improve education in indigenous communities. Over the last several years, the Endless OS Foundation has teamed up with the Fundación Alfredo Harp Helú Oaxaca (FAHHO) to deliver offline-first computers to those communities, but also to assist these communities in preserving their native languages. In a talk at GUADEC 2022, Rob McQueen provided a look at the project and what it has accomplished.

McQueen was not slated to give the talk—he already gave an earlier presentation at the conference—but Sergio Solis, who is from Guadalajara where the conference was held, was unfortunately unable to attend due to his family coming down with COVID. McQueen apologized for flying into Mexico from England to give a talk about Mexico when he had never been to the country before. But, as the CEO of the Endless OS Foundation, McQueen is obviously knowledgeable about the project and was able to step in and pinch-hit for Solis.

xorgproto 2022.2

This release introduces a new "XWAYLAND" extension:

    This extension exists to serve one purpose: reliably identifying
    Xwayland. Previous attempts at doing so included querying root window
    properties, output names or input device names. All these attempts are
    somewhat unreliable. Instead, let's use an extension - where that
    extension is present we have an Xwayland server.

    Clients should never need to do anything but check whether the extension
    exists through XQueryExtension/XListExtensions.

The DRI3 protocol was bumped to 1.3 and has a new DRI3SetDRMDeviceInUse request:

    This request provides a hint to the server about the device
    in use by this window. This is used to provide
    DRI3GetSupportedModifiers with a hint of what device to
    return modifiers for in the window_modifiers return value.
    Using this hint allows for device-specific modifiers to
    be returned by DRI3GetSupportedModifiers, for example
    when an application is renderoffloaded and eligible for
    direct scanout.

The remaining commits are the usual combination of housekeeping and

How to make app stores friendly to Open Source

Microsoft recently seemed to propose that Open Source software didn’t belong in the Windows app store. Excuse me? After the news broke, Giorgio Sardo, Microsoft’s General Manager of the Microsoft Store, argued on Twitter that it wasn’t Microsoft’s intent. “We absolutely want to support developers distributing successful OSS apps. In fact, there are already fantastic OSS apps in the Store! The goal of this policy is to protect customers from misleading listings.”