Security Leftovers and Windows TCO
-
LWN ☛ Security updates for Tuesday
Security updates have been issued by Debian (glib2.0 and shim), Fedora (glib2, gnome-shell, tcpdump, tpm2-tools, tpm2-tss, and uriparser), Mageia (mutt), Oracle (git-lfs, glibc, kernel, kernel-container, nodejs:18, nodejs:20, and pcp), SUSE (apache2, opensc, openssl-1_1, openssl-3, perl, python-Pillow, python-pyOpenSSL, python-Werkzeug, SUSE Manager Client Tools Beta, tpm2-0-tss, and tpm2.0-tools), and Ubuntu (sqlparse and strongswan).
-
Dhole Moments ☛ It’s Time for Furries to Stop Using Telegram
I have been a begrudging user of Telegram for years simply because that’s what all the other furries use, despite their cryptography being legendarily bad. When I signed up, I held my nose and expressed my discontent at Telegram by selecting a username that’s a dig at MTProto’s inherent insecurity against chosen ciphertext attacks: IND_CCA3_Insecure.
-
OpenSSF (Linux Foundation) ☛ Call for Proposals: Submit to Speak at SOSS Community Day Europe
Join us in Vienna, Austria, for the Secure Open Source Software (SOSS) Community Day Europe 2024, an enriching gathering where members from across the security and open source ecosystem converge to exchange ideas and advancements. Formerly known as OpenSSF Days, SOSS Community Days reflect our broader commitment to fortifying the security of open source software. This event offers an invaluable opportunity to learn about the capabilities that sustainably secure the development, maintenance, and consumption of open source software (OSS). Call for Proposals are now open. The Call for Proposals (CFPs) is open until June 16.
-
Trail of Bits ☛ A peek into build provenance for Homebrew
By Joe Sweeney and William Woodruff
Last November, we announced our collaboration with Alpha-Omega and OpenSSF to add build provenance to Homebrew. Today, we are pleased to announce that the core of that work is live and in public beta: homebrew-core is now cryptographically attesting to all bottles built in the official Homebrew CI.
-
Bruce Schneier ☛ Another Chrome Vulnerability
Google has patched another Chrome zero-day:
On Thursday, Surveillance Giant Google said an anonymous source notified it of the vulnerability. The vulnerability carries a severity rating of 8.8 out of 10. In response, Surveillance Giant Google said, it would be releasing versions 124.0.6367.201/.202 for macOS and backdoored Windows and 124.0.6367.201 for GNU/Linux in subsequent days.
“Google is aware that an exploit for CVE-2024-4671 exists in the wild,” the company said.
-
Security Week ☛ Google Patches Second Chrome Zero-Day in One Week
Google has patched CVE-2024-4761, the second exploited vulnerability addressed by the company within one week.
-
Silicon Angle ☛ Christie’s auction house suffers cyberattack, disrupting art auction schedule
British auction house Christie’s has been targeted by a cyberattack that knocked its website offline during its marquee annual art auction week.
-
Internet Society ☛ The US Makes a Big Step Toward Better Routing Security
The US Department of Commerce began implementing better routing security practices—a step in the right direction for wider MANRS adoption.
-
Federal News Network ☛ Cybersecurity challenges persist, but CISA is up to the task [Ed: Well, no, it is not!]
There are hundreds of thousands of discovered vulnerabilities in software, but only a small fraction of these vulnerabilities are actively exploited.
-
Security Week ☛ Adobe Patches Critical Flaws in Reader, Acrobat
Adobe documents multiple code execution flaws in a wide range of products, including the widely deployed Adobe Acrobat and Reader software.
-
Security Week ☛ SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver
SAP has released 14 new and three updated security notes on its May 2024 Security Patch Day.
-
Security Week ☛ VMware Patches Vulnerabilities Exploited at Pwn2Own 2024
VMware has patched three vulnerabilities exploited earlier this year at the Pwn2Own hacking competition.
-
Security Week ☛ Attackers Use DNS Tunneling to Track Victim Activity, Scan Networks
Threat actors are using DNS tunneling to track victims’ interaction with spam and to scan network infrastructures.
-
Security Week ☛ Student, Personnel Information Stolen in City of Helsinki Cyberattack
The City of Helsinki says usernames, email addresses, and personal information were stolen in a recent cyberattack.
-
Bert Hubert ☛ Cyber Security: A Pre-War Reality Check
This is a lightly edited transcript of my presentation today at the ACCSS/NCSC/Surf seminar ‘Cyber Security and Society’. I want to thank the organizers for inviting me to their conference & giving me a great opportunity to talk about something I worry about a lot. Here are the original slides with notes, which may be useful to view together with the text below. In the notes there are also additional URLs that back up the claims I make in what follows.
-
Windows TCO
-
YLE ☛ Major data breach could affect up to 120k pupils, guardians and city workers in Helsinki
"The amount of information that needs to be clarified is huge. Unfortunately, we cannot yet assess with certainty which information reached the perpetrator of the data breach. However, we will now tell you what risks exist so that the customers and staff of education and training services can prepare for the situation. This is the method of operation in accordance with [Finland's] data protection legislation," said Satu Järvenkallas, Helsinki's education division executive director.
-
IT Wire ☛ Microsoft patches two zero-days, 57 other CVEs on Patch Tuesday
“CVE-2024-30051 is used as part of post-compromise activity to elevate privileges as a local attacker. Typically, zero-day exploitation of an elevation of privilege flaw is often associated with targeted attack campaigns. However, we know that post-patch, threat actors continue to find success using privilege escalation flaws. For instance, a recent joint cyber security advisory about the Black Basta ransomware group from CISA, FBI, HHS and MS-ISAC noted the use of multiple privilege escalation flaws by Black Basta affiliates as part of their ransomware activity."
-
SANS ☛ Microsoft May 2024 Patch Tuesday, (Tue, May 14th)
This month we got patches for 67 vulnerabilities. Of these, 1 is critical, and 1 is being exploited according to Microsoft.
-
Security Week ☛ Microsoft Warns of Active Zero-Day Exploitation, Patches 60 backdoored Windows Vulnerabilities
Patch Tuesday: Abusive Monopolist Microsoft documents 60 security flaws in multiple software products and flags an actively exploited backdoored Windows zero-day for urgent attention.
-
Bleeping Computer ☛ Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws
Today is Microsoft’s May 2024 Patch Tuesday, which includes security updates for 61 flaws and three actively exploited or publicly disclosed zero days. This Patch Tuesday only fixes one critical vulnerability, a Microsoft SharePoint Server Remote Code Execution Vulnerability.
-
Krebs On Security ☛ Patch Tuesday, May 2024 Edition
Microsoft today released updates to fix more than 60 security holes in Windows computers and supported software, including two “zero-day” vulnerabilities in Windows that are already being exploited in active attacks. There are also important security patches available for macOS and Adobe users, and for the Chrome Web browser, which just patched its own zero-day flaw.
-