Security

Security: Photoshop Holes, Mirai FUD, and OpenSSH FUD

Filed under
Security
  • Adobe Patches 2 Code Execution Vulnerabilities in Photoshop CC 2017 & 2018

    Hot off the discovery board is news of two important vulnerabilities found in Adobe’s Photoshop CC: versions 19.1.5 and prior of the 2018 edition and versions 18.1.5 and prior of the 2017 edition. The vulnerabilities were discovered by a Fortinet security researcher, Kushal Arvind Shah, but nothing has been officially released at the level of detail expected for CVE vulnerabilities.

    It appears that a combined update has been rolled out through the Adobe Creative Cloud for the respective editions and versions of Adobe Photoshop CC 2018 / 2017 to patch the two found vulnerabilities. The flaws are seen to impact the said versions of the software on both the Windows operating system and the Apple Mac operating system.

  • New Mirai Variants Leverage Open Source Project [Ed: DarkReading looking to blame "Open Source" because yes, people can craft things with FOSS. Sometimes even malicious things.]

    Mirai, the IoT botnet responsible for enormous DDoS attacks in 2016, has continued to evolve: it's now leveraging an open-source project named Aboriginal Linux to make cross-compiling the malicious code easier, more effective, and less prone to error.

  • Mirai leveraging Aboriginal Linux to target multiple platforms [Ed: Did Steve Ragan copy Catalin Cimpanu (below) or the other way around (almost identical spin)?]
  • Mirai IoT Malware Uses Aboriginal Linux to Target Multiple Platforms
  • Mirai botnet strikes again: This time it's going after a specific open source project [Ed: So, long story short, devices with holes or hand-coded passwords in them are blamed on "Linux" and/or "Open Source"]
  • Vulnerability in OpenSSH “for two decades” (no, the sky isn’t falling!) [Ed: Responding to the likes of Catalin Cimpanu]

    The OpenSSH software came out of the super-security-conscious operating system project OpenBSD, the “free, functional and secure” operating system that boasts on its website that it’s suffered “only two remote holes in the default install, in a heck of a long time!”

    Compared to the average Linux distro, or Windows, or macOS, or pretty much any mobile phone you care to mention, that isn’t an idle boast, even if it’s not the sort of claim a traditional marketing department might go for.

Security: Updates, Windows, Huawei, Election

Filed under
Security

Intel 'gags' Linux distros from revealing performance hit from Spectre patches

Filed under
GNU
Linux
Security

Open-source champion Bruce Perens has called out Intel for adding a new restriction to its software license agreement along with its latest CPU security patches to prevent developers from publishing software benchmark results.

The new clause appears to be a move by Intel to legally gag developers from revealing performance degradation caused by its mitigations for Spectre and Foreshadow or 'L1 Terminal Fault' (L1FT) flaw speculative attacks.

"You will not, and will not allow any third party to ... publish or provide any software benchmark or comparison test results," Intel's new agreement states.

The new term appeared with the fixes for 'L1 Terminal Fault' that were recently delivered to Microsoft and Linux distributions.


Security: Airmail, Ghostscript, Microsoft Visual Studio

Filed under
Security
  • Airmail 3.6 Fixes Potential URL Scheme Vulnerability

    Airmail has just released an update which patches a known security vulnerability in the e-mailing service. Security analysts recently discovered that the client was vulnerable to malicious exploits that could allow foreign and unauthorized persons to access and read sent and received emails in the context of a victim user. The patch released fixes the vulnerable channels that could have been exploited to gain such unwarranted access.

  • Ghostscript Vulnerability Could Cause Data Security Breach

    A vulnerability in the Ghostscript interpreter used to render Adobe PostScript and PDF documents online has come to light after a report by a Google security researcher, Tavis Ormandy, and a worrying statement by Steve Giguere, an EMEA engineer for Synopsys. As the Ghostscript page description language interpreter is so widely used by numerous programs and services, this vulnerability has a wide range of exploitability and impact if abused.

    [...]

    According to Giguere, this causes a second-tier delay: mitigation depends first on the authors resolving the issue at its core as soon as it arises, but that on its own is no use if the fixed components are not deployed to the web servers and applications that use them. The issue must be resolved at the core and then updated wherever it is directly in use for mitigation to be effective. As this is a two-step process, it could give attackers all the time they need to exploit this type of vulnerability.

  • Microsoft Visual Studio C++ Runtime installers were built to fail

    Security researcher Stefan Kanthak claims the Microsoft Visual C++ Redistributable for Visual Studio 2017 executable installers (x86 and x64) were built with insecure tools from several years ago, creating a vulnerability that could allow privilege escalation.

    In other words, Redmond is distributing to developers executables that install its Visual C++ runtime, and these installer programs are insecure due to being created by outdated tools. They can be exploited by malicious software to execute arbitrary code. It's not the end of the world – it's more embarrassment than anything else, due to the reliance on out-of-date tools.

Security: Updates, OpenSSH, CVE-2018-5390, Meltdown and Linux

Filed under
Security
  • Security updates for Wednesday
  • Vulnerability Affects All OpenSSH Versions Released in the Past Two Decades

    A vulnerability affects all versions of the OpenSSH client released in the past two decades, ever since the application was released in 1999.

    The security bug received a patch this week, but since the OpenSSH client is embedded in a multitude of software applications and hardware devices, it will take months, if not years, for the fix to trickle down to all affected systems.

    [...]

    This bug allows a remote attacker to guess the usernames registered on an OpenSSH server. Since OpenSSH is used with a wide range of technologies, from cloud hosting servers to mundane IoT equipment, billions of devices are affected.

    As researchers explain, the attack scenario relies on an attacker trying to authenticate on an OpenSSH endpoint via a malformed authentication request (for example, via a truncated packet).

  • CVE-2018-5390 and "embargoes"

    A kernel bug that allows a remote denial of service via crafted packets was fixed recently and the resulting patch was merged on July 23. But an announcement of the flaw (which is CVE-2018-5390) was not released until August 6—a two-week window where users were left in the dark. It was not just the patch that might have alerted attackers; the flaw was publicized in other ways, as well, before the announcement, which has led to some discussion of embargo policies on the oss-security mailing list. Within free-software circles, embargoes are generally seen as a necessary evil, but delaying the disclosure of an already-public bug does not sit well.

    The bug itself, which Red Hat calls SegmentSmack, gives a way for a remote attacker to cause the CPU to spend all of its time reassembling packets from out-of-order segments. Sending tiny crafted TCP segments with random offsets in an ongoing session would cause the out-of-order queue to fill; processing that queue could saturate the CPU. According to Red Hat, a small amount of traffic (e.g. 2kbps) could cause the condition but, importantly, it cannot be done using spoofed IP addresses, so filtering may be effective, which may blunt the impact somewhat.

  • Meltdown strikes back: the L1 terminal fault vulnerability

    The Meltdown CPU vulnerability, first disclosed in early January, was frightening because it allowed unprivileged attackers to easily read arbitrary memory in the system. Spectre, disclosed at the same time, was harder to exploit but made it possible for guests running in virtual machines to attack the host system and other guests. Both vulnerabilities have been mitigated to some extent (though it will take a long time to even find all of the Spectre vulnerabilities, much less protect against them). But now the newly disclosed "L1 terminal fault" (L1TF) vulnerability (also going by the name Foreshadow) brings back both threats: relatively easy attacks against host memory from inside a guest. Mitigations are available (and have been merged into the mainline kernel), but they will be expensive for some users.

  • Researchers Blame ‘Monolithic’ Linux Code Base for Critical Vulnerabilities

Security and FUD

Filed under
Security

Security: X.Org Server, USBHarpoon, Kubernetes Penetration Testing

Filed under
Security
  • Three New Security Advisories Hit X.Org's X11 Library

    It's been a while since there were any big security bulletins for the X.Org Server, even though some of the code-base dates back decades, security researchers have said the security is even worse than it looks, and numerous advisories have come up in recent years. That quiet period was not because X11 is bug-free: today three more security bulletins were made public affecting libX11.

    Today's security advisory pertains to three different functions in libX11 that are affected by different issues. The security issues come down to off-by-one writes, a potential out-of-bounds write, and a crash on an invalid reply.

  • USBHarpoon: How “Innocent” USB Cables Can Be Manipulated To Inject Malware

    At the 2014 Black Hat conference, security researchers Karsten Nohl and Jakob Lell introduced the concept of BadUSB — a USB security flaw which allows attackers to turn a USB device into a keyboard that can be used to type in commands.

    Now, a researcher from SYON Security has managed to build a modified USB charging cable that will enable attackers to transfer malware to your PC without you even noticing it. Under the hood is the BadUSB vulnerability.

    [...]

    While BadUSB is gradually climbing the ladder towards mainstream cyber attacks, people are also coming up with corresponding defenses to tackle these new-age attacks.

  • Open Source 'Kube-Hunter' Does Kubernetes Penetration Testing

    Aqua Security released the open source kube-hunter tool for penetration testing of Kubernetes clusters, used for container orchestration.

    "You give it the IP or DNS name of your Kubernetes cluster, and kube-hunter probes for security issues -- it's like automated penetration testing," the company said in an Aug. 15 blog post.

    The tool -- with source code available on GitHub -- is also packaged by the company in a containerized version, which works with the company's kube-hunter Web site where test results can be seen and shared.

Security: Windows Holes, Proprietary Cardiograph Device Vulnerabilities and FOSS Patches

Filed under
Security

Security Things in Linux 4.18 and Embrace of Newer GCC

Filed under
Development
GNU
Linux
Security
  • security things in Linux v4.18

    One of the many ways C can be dangerous to use is that it lacks strong primitives to deal with arithmetic overflow. A developer can’t just wrap a series of calculations in a try/catch block to trap any calculations that might overflow (or underflow). Instead, C will happily wrap values back around, causing all kinds of flaws. Some time ago GCC added a set of single-operation helpers that will efficiently detect overflow, so Rasmus Villemoes suggested implementing these (with fallbacks) in the kernel. While it still requires explicit use by developers, it’s much more fool-proof than doing open-coded type-sensitive bounds checking before every calculation. As a first-use of these routines, Matthew Wilcox created wrappers for common size calculations, mainly for use during memory allocations.

  • Linux 4.19 Raises The GCC Minimum Version Required To Build The Kernel

    Officially the Linux kernel listed GCC 3.2 as the minimum version of the GNU compiler needed. However, with Linux 4.19 that is being raised to GCC 4.6.

    Various architectures on older GCC4 releases had already been failing to cleanly compile the Linux kernel so with Linux 4.19 that minimum version supported is being set at GCC 4.6.

  • Linux 4.19 Kernel Now Requires GCC 4.6 to Build, Due to Compiling Failures on Older Architecture

    For Linux developers working on the kernel, the to-be-released Linux 4.19 kernel raises the GCC minimum version required for kernel building. The official Linux kernel has listed GCC 3.2 as the minimum version of the compiler required for kernel building, but Linux kernel 4.19 is raising that to GCC 4.6.

    This is because various architectures on older GCC 4 releases have been failing to cleanly compile the Linux kernel, which is why GCC 4.6 is being set as the minimum. The kernel will also explicitly check for GCC 4.6.0 or newer and, if it is not found, the build will error out.

    This is also beneficial for the kernel code, as the kernel devs were able to strip out several dozen lines of code for older GCC workarounds that were aimed at compiler bugs and behavioral differences in the older compiler releases.
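The overflow-detection helpers described in the Linux v4.18 item above, shown as an added userspace example (not the kernel's own code): a size calculation written the open-coded way that silently wraps, beside a version built on GCC's `__builtin_mul_overflow` with a fallback, modelled on the kernel's array_size() pattern of saturating to SIZE_MAX so the allocation fails instead of returning an undersized buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not kernel code: a userspace model of the v4.18 pattern.
 * GCC's single-operation overflow builtins report whether a multiplication
 * wrapped instead of silently wrapping the value. */
static int checked_mul_size(size_t a, size_t b, size_t *result)
{
#if defined(__clang__) || (defined(__GNUC__) && __GNUC__ >= 5)
    /* Non-zero return means the product does not fit in a size_t. */
    return __builtin_mul_overflow(a, b, result);
#else
    /* Fallback for compilers without the builtin: division-based check. */
    if (a != 0 && b > SIZE_MAX / a)
        return 1;
    *result = a * b;
    return 0;
#endif
}

/* Open-coded version: C wraps the product and returns a small number. */
static size_t unchecked_array_bytes(size_t n, size_t elem)
{
    return n * elem;
}

/* Modelled on the kernel's array_size() helper: on overflow the result
 * saturates to SIZE_MAX, so the allocation fails instead of handing the
 * caller a buffer far smaller than it believes it has. */
static size_t safe_array_bytes(size_t n, size_t elem)
{
    size_t bytes;
    if (checked_mul_size(n, elem, &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Allocation wrapper that refuses the saturated sentinel. */
static void *alloc_array(size_t n, size_t elem)
{
    size_t bytes = safe_array_bytes(n, elem);
    if (bytes == SIZE_MAX)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed input: a count that overflows size_t with 16-byte elements. */
    size_t n = SIZE_MAX / 8;
    printf("unchecked: %zu bytes\n", unchecked_array_bytes(n, 16));
    printf("checked:   %zu (SIZE_MAX means overflow)\n", safe_array_bytes(n, 16));
    void *p = alloc_array(n, 16);
    printf("allocation %s\n", p ? "succeeded" : "refused");
    free(p);
    return 0;
}
```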

Security: Lustre, Aqua Security, Election Security and Reproducible Builds

Filed under
Security
  • Fix for July's Spectre-like bug is breaking some supers

    High-performance computing geeks are sweating on a Red Hat fix, after a previous patch broke the Lustre file system.

    In July, Intel disclosed patches for another Spectre-like data leak bug, CVE-2018-3693.

    Red Hat included its own fixes in an August 14 suite of security patches, and soon after, HPC sysadmins found themselves in trouble.

    The original report, from Stanford Research Computing Center, details a failure in LustreNet – a Lustre implementation over InfiniBand that uses RDMA for high-speed file and metadata transfer.

  • Aqua Security Launches Open-Source Kube-Hunter Container Security Tool

    Aqua Security has made its new Kube-hunter open-source tool generally available, enabling organizations to conduct penetration tests against Kubernetes container orchestration deployments.

    Aqua released Kube-hunter on Aug. 17, and the project code is freely available on GitHub. Rather than looking for vulnerabilities inside container images, Kube-hunter looks for exploitable vulnerabilities in the configuration and deployment of Kubernetes clusters. The project code is open-source and can be run against an organization's own clusters, with additional online reporting capabilities provided by Aqua Security.

  • Election Security Bill Without Paper Records and Risk Limiting Audits? No Way.

    The Senate is working on a bill to secure election infrastructure against cybersecurity threats, but, unless amended, it will widely miss the mark. The current text of the Secure Elections Act omits the two most effective measures that could secure our elections: paper records and automatic risk limiting audits.

    Cybersecurity threats by their very nature can be stealthy and ambiguous. A skillful attack can tamper with voting machines and then delete itself, making it impossible to prove after the fact that an election suffered interference. Paper records ensure that it is possible to detect and quickly correct for such interference. Automatic audits ensure that such detection actually happens.

  • Reproducible Builds: Weekly report #173