FUD, Security and Windows TCO Stories/Leftovers

posted by Roy Schestowitz on Jun 28, 2024

• LWN ☛ Security updates for Thursday

  Security updates have been issued by Debian (ffmpeg, kernel, libvpx, and linux-5.10), Fedora (chromium, firefox, freeipa, moodle, and openvpn), Oracle (git), Red Hat (golang and java-1.8.0-ibm), and Ubuntu (linux-oracle-6.5, netplan.io, openssl, plasma-workspace, ruby2.7, ruby3.0, ruby3.1, sqlite3, and wget).

• Xe's Blog ☛ "No way to prevent this" say users of only language where this regularly happens

  In the hours following the release of CVE-2024-5535 for the project OpenSSL, site reliability workers and systems administrators scrambled to desperately rebuild and patch all their systems to fix NPN (the precursor to ALPN) in OpenSSL 1.0.x, 1.1.x, and 3.x leaking 255 bytes of client heap to the server with every write.

• Google ☛ The backdoored Windows Registry Adventure #3: Learning resources

  When tackling a new vulnerability research target, especially a closed-source one, I

  prioritize gathering as much information about it as possible. This gets especially interesting when

  it's a subsystem as old and fundamental as the backdoored Windows registry. In that case, tidbits of valuable data

  can lurk in forgotten documentation, out-of-print books, and dusty open-source code – each potentially

  offering a critical piece of the puzzle. Uncovering them takes some effort, but the payoff is often immense.

  Scraps of information can contain hints as to how certain parts of the software are implemented, as well as

  why – what were

  the design decisions that lead to certain outcomes etc. When seeing the big picture, it becomes much easier

  to reason about the software, understand the intentions of the original developers, and think of the

  possible corner cases. At other times, it simply speeds up the process of reverse engineering and saves the

  time spent on deducing certain parts of the logic, if someone else had already put in the time and

  effort.

• Security Week ☛ CISA Warns of Exploited GeoServer, GNU/Linux Kernel, and Roundcube Vulnerabilities

  CISA on Wednesday warned that three older flaws in GeoServer, GNU/Linux kernel, and Roundcube webmail are exploited in the wild.

• Silicon Angle ☛ Permissions management startup AuthZed raises $12M to accelerate its strategic expansion

  Permissions management startup AuthZed Inc. today announced that it has raised $12 million in new funding to accelerate its strategic expansion, particularly targeting small to midsized organizations.

• Bruce Schneier ☛ Security Analysis of the EU’s Digital Wallet

  A group of cryptographers have analyzed the eiDAS 2.0 regulation (electronic identification and trust services) that defines the new EU Digital Identity Wallet.

• Security Week ☛ GitLab Security Updates Patch 14 Vulnerabilities

  GitLab CE and EE updates resolve 14 vulnerabilities, including a critical- and three high-severity bugs.

• Security Week ☛ Gas Chromatograph Hacking Could Have Serious Impact: Security Firm

  Critical vulnerabilities have been found in an Emerson gas chromatograph and Claroty warns that attacks could have a serious impact.

• Security Week ☛ Designed Receivable Solutions Data Breach Impacts 585,000 People

  Healthcare services provider Designed Receivable Solutions says the number of individuals affected by a recent data breach has increased to 585,000.

• Security Week ☛ ‘Phantom’ Source Code Secrets Haunt Major Organizations

  Aqua Security shows that code in repositories remains accessible even after being deleted or overwritten, continuing to leak secrets.

• HoneytreeLabs ☛ IEC 62443 Standard GAP Analysis to the Cyber Resilience Act (CRA)

  This whitepaper explores the alignment and gaps between IEC 62443 and the Cyber Resilience Act (CRA), offering insights to enhance compliance and product cybersecurity.

• TechTarget ☛ Open source security's systemic challenges [Ed: Recalling Log4Shell from 3 years ago to resurrect selective FUD]

  In this installment of 'IT Ops Query,' Emily Fox talks about how reevaluating 50-year-old open source security practices could lead the community somewhere new.

• The New Stack ☛ Linux xz and the Great Flaws in Open Source [Ed: They have greyed out "Microsoft and Red Hat OpenShift are sponsors of The New Stack." Now the Microsoft-connected Chris Pirillo can spread Microsoft's anti-Linux FUD.]

  The Linux xz utils backdoor exploit shows how vulnerable open source is to social engineering, said TesitfySec's John Kjell, speaking with Chris Pirillo in this episode of The New Stack Makers.

• Security Week ☛ US, Allies Warn of Memory Unsafety Risks in Open Source Software [Ed: FUD and misdirection again]

  Most critical open source software contains code written in a memory unsafe language, US, Australian, and Canadian government agencies warn.

• Multiple Linux Kernel Vulnerabilities Lead to Denial of Service

  Several vulnerabilities have been identified in the Linux kernel, potentially leading to denial of service or privilege escalation. However, the good news is the patches are already available for them. Ubuntu and Debian have already released them in the new Linux kernel security update.

• Security Affairs ☛ CISA adds GeoSolutionsGroup JAI-EXT, Linux Kernel, and Roundcube Webmail bugs to its Known Exploited Vulnerabilities catalog

  U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds GeoSolutionsGroup JAI-EXT, Linux Kernel, and Roundcube Webmail bugs to its Known Exploited Vulnerabilities catalog.

• Windows TCO

  • Security Week ☛ Evolve Bank Data Leaked After LockBit’s ‘Federal Reserve Hack’

    The LockBit ransomware group claimed to have hacked the US Federal Reserve, but leaked data from an Arkansas-based bank.

  • Silicon Angle ☛ Progress Software discloses critical vulnerability in MOVEit file transfer service [Ed: Windows TCO]

    Progress Software Corp. has disclosed a critical vulnerability in its MOVEit service, which organizations use to share files with one another. The company detailed the flaw on Tuesday.

  • Dev Class ☛ Microsoft backtracks: eventing framework removed from .NET 9.0 following complaints

    Microsoft no longer plans to include a new eventing framework in .NET 9.0 – expected late this year – following complaints that it could damage the third-party ecosystem.