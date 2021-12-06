Security Leftovers
Microsoft confirms they were hacked by Lapsus$ extortion group [Ed: Microsoft cannot even protect its own systems. Microsoft booster Lawrence Abrams will help deflect blame (blame the attacker, not the system)]
Microsoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code.
Last night, the Lapsus$ gang released 37GB of source code stolen from Microsoft's Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana, and Bing Maps.
Matthew Garrett: AMD's Pluton implementation seems to be controllable [Ed: Nobody but Microsoft needs this thing there in the first place]
So, we have two mechanisms to disable Pluton - the PSP can tell it to turn itself off, or the x86 firmware can simply never speak to it or admit that it exists. Both of these imply that Pluton has started executing before it's shut down, so it's reasonable to wonder whether it can still do stuff.
A new source of trust for your platform - Dasharo with Intel TXT support
Intel Trusted Execution Technology is a feature of Intel CPUs and chipsets to perform trusted measurement of the operating system software defined in Trusted Computing Group D-RTM architecture specification. Dell OptiPlex 7010 / 9010 is Intel TXT capable. All you need is an Intel TXT capable CPU (you may quickly check the Intel Trusted Execution Technology capability on Intel ARK for your processor).
Anatomy of a ghost CVE
On March 16 2022, the curl security team received an email in which the reporter highlighted an Apple web page. What can you tell us about this?
I hadn’t seen it before. On this page with the title “About the security content of macOS Monterey 12.3”, said to have been published just two days prior, Apple mentions recent package upgrades and the page lists a bunch of products and what security fixes that were done for them in this update. Among the many products listed, curl is mentioned.
