Security Leftovers
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack).
-
LWN ☛ Security updates for Wednesday
Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).
-
LWN ☛ A sandbox mode for the kernel
The Linux kernel follows a monolithic design, and that brings a well-known problem: all code in the kernel has access to the entirety of the kernel's address space. As a result, a bug in (for example) an obscure driver may well be exploitable to wreak havoc on core-kernel data structures. Various attempts have been made over the years to increase the degree of isolation within the kernel. The latest of these, "SandBox Mode" proposed by Petr Tesařík, makes it possible for the kernel to run some limited code safely, but it has encountered a bit of a chilly reception.
-
LWN ☛ Herb Sutter on increasing safety in C++
Herb Sutter, chair of the ISO C++ standards committee, writes about the current problems with writing secure C++, and his personal opinion on next steps to address this while maintaining backward compatibility.
If there were 90-98% fewer C++ type/bounds/initialization/lifetime vulnerabilities we wouldn't be having this discussion. All languages have CVEs, C++ just has more (and C still more); so far in 2024, Rust has 6 CVEs, and C and C++ combined have 61 CVEs. So zero isn't the goal; something like a 90% reduction is necessary, and a 98% reduction is sufficient, to achieve security parity with the levels of language safety provided by MSLs [memory-safe languages]… and has the strong benefit that I believe it can be achieved with perfect backward link compatibility (i.e., without changing C++'s object model, and its lifetime model which does not depend on universal tracing garbage collection and is not limited to tree-based data structures) which is essential to our being able to adopt the improvements in existing C++ projects as easily as we can adopt other new editions of C++. — After that, we can pursue additional improvements to other buckets, such as thread safety and overflow safety.
-
Multiple Redis Vulnerabilities Addressed in Ubuntu
Redis is an open-source, in-memory data structure store, often referred to as a key-value store. It is used as a database, cache, and message broker. Redis supports various data structures such as strings, hashes, lists, sets, sorted sets, bitmaps, hyperloglogs, and geospatial indexes, making it extremely versatile. However, like any software, Redis is not immune to vulnerabilities. Recently, several Redis vulnerabilities that posed potential risks to its users have been fixed in Debian and Ubuntu systems.
In this article, we’ll delve into these vulnerabilities, understand their implications, and explore the solutions provided to mitigate them.
-
PIA ☛ Linux Vs. Windows: Which Is More Secure? [Ed: One is trying to hide holes, the other does not.]
The Linux vs Windows debate has been raging for decades, with security being a major focus. Linux zealots are quick with one-liners like “In a world without walls, who needs Gates or Windows?” That may get a chuckle, but is Linux really that much more secure than Windows?
The short answer is, yes, Linux is more secure. But that doesn’t mean Linux is bulletproof, or that Windows is entirely defenseless – it’s a little more nuanced than that. In this post, we’ll take a look at how the two operating systems compare, especially when it comes to security. But first, let’s cover some basic terms.
-
GNU ☛ GNU Guix: Fixed-Output Derivation Sandbox Bypass (CVE-2024-27297)
A security issue has been identified in guix-daemon which allows for fixed-output derivations [...]
-
William ☛ William Brown: SSH Key Authentication Basics
SSH (Secure Shell) allows remote access to the command-line interface (CLI) of a machine. This is very useful for administration of a machine that may be in a completely different country or building.
-
Pen Test Partners ☛ The big play of autonomous vehicles
TL;DR The benefits of autonomous vehicles may not yet be for us consumers
-
Troy Hunt ☛ Welcoming the Liechtenstein Government to Have I Been Pwned
Over the last 6 years, we've been very happy to welcome dozens of national governments to have unhindered access to their domains in Have I Been Pwned, free from cost and manual verification barriers.
-
Security Week ☛ CISA’s OT Attack Response Team Understaffed: GAO
GAO study finds that CISA does not have enough staff to respond to significant OT attacks in multiple locations at the same time.
-
Security Week ☛ EquiLend Ransomware Attack Leads to Data Breach
EquiLend is informing its employees that their personal information was compromised in a January ransomware attack.
-
SANS ☛ Microsoft Patch Tuesday - March 2024, (Tue, Mar 12th)
-
Security Week ☛ Adobe Patches Critical Flaws in Enterprise Products
Patch Tuesday: Adobe ships a hefty batch of security updates to fix critical-severity vulnerabilities in multiple enterprise-facing products.
-
Techdirt ☛ NSO Group Ordered To Turn Over Spyware Code To WhatsApp
The time has come to pay the discovery piper for NSO Group. The phone exploit firm formed by former Israeli spies was supported unilaterally by the Israeli government as it courted human rights abusers and autocrats. The Israeli government apparently felt selling powerful phone exploits to its enemies got caught with its third-party pants down when numerous news agencies exposed just how often NSO’s customers abused its powerful spyware to target journalists, activists, lawyers, dissidents, religious leaders, and anyone else who annoyed its customers.
-
Security Week ☛ SAP Patches Critical Command Injection Vulnerabilities
Enterprise software maker SAP documents multiple critical-severity issues and warns of risk of command injection attacks.
-
Federal News Network ☛ CISA eyes staff, tech upgrades to support cyber incident reporting
CISA is expected to answer some key questions about the "CIRCIA" cyber incident reporting law in its forthcoming rulemaking.
-
Security Week ☛ Patch Tuesday: Abusive Monopolist Microsoft Flags Major Bugs in HyperV, Exchange Server
Microsoft ships patches for at least 60 security vulnerabilities in the backdoored Windows ecosystem and warned of remote code execution risks.
-
Security Week ☛ ICS Patch Tuesday: Siemens Ruggedcom Devices Impacted by 45 Fortinet Vulnerabilities
Siemens and Schneider Electric publish March 2024 Patch Tuesday advisories to inform customers about over 200 vulnerabilities.
-
Geoff Huston ☛ KeyTrap!
The language of the press release is certainly dramatic, with “devastating consequences” and the threat to “completely disable large parts of the worldwide Internet.” If this is really so devastating then perhaps we should look at this in a little more detail to see what’s going on, how this vulnerability works, and what the response has been.
-
LWN ☛ Huston: KeyTrap!
Geoff Huston digs into the details of the KeyTrap DNS vulnerability, which was disclosed in February.
-
LWN ☛ Today's hardware vulnerability: register file data sampling
The mainline kernel has just received a set of commits addressing the "register file data sampling" hardware vulnerability.
-
Security Week ☛ Google Paid Out $10 Million via Bug Bounty Programs in 2023 [Ed: This is not about generosity, it's about managing bug doors]
Google paid out $10 million via its bug bounty programs in 2023, bringing the total to nearly $60 million since 2010.
-
Florida Legislature Passes Data Breach Immunity Legislation
DataBreaches suspects that some of these legislative developments in Florida and other states may come as a surprise to some readers. Do these bills actually protect consumers by reducing the risk of data breaches because companies invest more and comply more with data security, or do they just give entities protection from being held accountable while consumers suffer the consequences of breaches? In Florida’s case, Florida also has a law that bans state agencies and county or municipalities experiencing a ransomware incident from paying or otherwise complying with a ransom demand in the event of a ransomware attack. Threat actors might presumably have less motivation to attack Florida government entities if the entities cannot pay any ransom. And now threat actors would not be able to really pressure victims to pay with the threat that consumers or patients will start class action lawsuits.