BIOS Updates Begin Appearing For New Intel Privilege Escalation Vulnerabilities - Phoronix
OEMs have begun releasing updated BIOS/firmware revisions to address new security vulnerabilities disclosed this week by Intel. Most pressing are potential security vulnerabilities within the BIOS reference code used by various Intel CPUs that could lead to privilege escalation by local users and ranked a "high" impact severity.
INTEL-SA-00562 was made public on Tuesday around security vulnerabilities in the BIOS reference code for processors ranging from 3rd Gen Xeon Scalable to 11th Gen Core to Celeron and Pentium processors... Rather broad exposure across Intel CPU product lines for recent generations and going back to at least the likes of the 7th Gen Core processors.
The vulnerabilities in the BIOS reference code could lead to privilege escalation of local users and carries a CVSS base score of "high" at 8.2 for both CVEs. CVE-2021-0157 is tracking insufficient control flow management in this BIOS firmware and CVE-2021-0158 is for improper input validation by the BIOS firmware.
VMware Releases Security Advisory
VMware has released a security advisory to address a privilege escalation vulnerability in vCenter Server and Cloud Foundation. An attacker could exploit this vulnerability to take control of an affected system.
Apple Releases Security Update for iCloud for Windows 13 | CISA
Apple has released a security update to address multiple vulnerabilities in iCloud for Windows 13. An attacker could exploit these vulnerabilities to take control of an affected system.
What Happens If Time Gets Hacked
BusyBox flaws highlight need for consistent IoT updates | CSO Online
Security researchers have found and reported 14 vulnerabilities in the BusyBox userspace tool that's used in millions of embedded devices running Linux-based firmware. While the flaws don't have high criticality, some of them do have the potential to result in remote code execution (RCE).
BusyBox is a software utilities suite that its creators describe as the Swiss army knife of embedded Linux. It contains implementations of the most common Linux command-line tools, together with a shell and a DHCP client and server, all packaged as a single binary. BusyBox has become a de facto standard in the embedded Linux userspace, its standalone binary having support for over 300 common Linux commands.
Devices: Axiomtek, Renesas, and Amlogic
Browsers: Microsoft Plays Dirty and Mozilla Distracts From the Spying
Twelve Years of Go
Today we celebrate the twelfth birthday of the Go open source release. We have had an eventful year and have a lot to look forward to next year. The most visible change here on the blog is our new home on go.dev, part of consolidating all our Go web sites into a single, coherent site. Another part of that consolidation was replacing godoc.org with pkg.go.dev. In February, the Go 1.16 release added macOS ARM64 support, added a file system interface and embedded files, and enabled modules by default, along with the usual assortment of improvements and optimizations. In August, the Go 1.17 release added Windows ARM64 support, made TLS cipher suite decisions easier and more secure, introduced pruned module graphs to make modules even more efficient in large projects, and added new, more readable build constraint syntax. Under the hood, Go 1.17 also switched to a register-based calling convention for Go functions on x86-64, improving performance in CPU-bound applications by 5–15%. Over the course of the year, we published many new tutorials, a guide to databases in Go, a guide to developing modules, and a Go modules reference. One highlight is the new tutorial “Developing a RESTful API with Go and Gin”, which is also available in interactive form using Google Cloud Shell. We’ve been busy on the IDE side, enabling gopls by default in VS Code Go and delivering countless improvements to both gopls and VS Code Go, including a powerful debugging experience powered by Delve. Also: Via LWN, a discussion place
