Security Leftovers: CISA Mindset, Patches, Qt, and EFB
-
Securing Open-Source Software [Ed: Diversion away from the urgent need to get rid of back-doored proprietary software; in recent years, in the name of "critical infrastructure", the military tried to take more and more control over Free software, e.g. by letting Microsoft "manage" it in GitHub and subjecting it to more autocracy, developer 'culls']
-
Open-Source Security: How Digital Infrastructure Is Built on a House of Cards - Lawfare
Open source is free software built collaboratively by a community of developers, often volunteers, for public use. Google, iPhones, the national power grid, surgical operating rooms, baby monitors, and military databases all run on this unique asset.
However, open source has an urgent security problem. Open source is more ubiquitous and susceptible to persistent threats than ever before. Proprietary software has responded to threats by implementing thorough institutional security measures. The same care is not being given to open-source software—primarily due to misaligned incentives.
-
Security updates for Wednesday [LWN.net]
Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim).
-
Security advisory: FreeType in Qt
There have been three vulnerabilities found in FreeType recently and they have been assigned the CVE IDs CVE-2022-27404, CVE-2022-27405 and CVE-2022-27406. These have been fixed in the latest version of FreeType – v2.12.1.
This affects configurations of Qt that have been built against the bundled version of FreeType. If you are using a pre-built version of Qt then it will be using the bundled version of FreeType by default; otherwise you will be using the system version by default, in which case you should check whether the system needs to be updated. If the system needs to be updated, then updating it is enough to solve the issue; there is no need to rebuild Qt in that case.
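One way to act on that advice, as an added example not taken from the Qt advisory or the Qt project: a POSIX shell check that reads the `ldd` output of a Qt GUI library to tell a bundled FreeType from the system one, then compares the system FreeType version with 2.12.1 to pick the remediation. It assumes that a bundled FreeType leaves no libfreetype entry in `ldd` output and that distro package versions start with the upstream version number; the ldd lines at the bottom are constructed, not captured.

```sh
#!/bin/sh
# Added example, not code from the Qt advisory: tell whether a Qt build uses
# bundled or system FreeType and pick the remediation the advisory describes.
# Assumptions: bundled FreeType is compiled into the Qt library, so `ldd` shows
# no libfreetype line, while a system-FreeType Qt links libfreetype.so.6; distro
# package versions start with the upstream version (e.g. "2.12.1+dfsg-3").

FIXED_FREETYPE="2.12.1"   # version the advisory names as fixed

# Keep the upstream part of a package version: "2.12.1+dfsg-3" -> "2.12.1"
upstream_version() { printf '%s' "$1" | sed 's/^\([0-9.]*\).*/\1/'; }
# Return 0 when dotted version $1 >= $2, 1 otherwise (POSIX sh, no sort -V).
version_ge() {
    a=$(upstream_version "$1"); b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}          # leading component of each
        if [ "$a" = "$ai" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=""; else b=${b#*.}; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# Where Qt gets FreeType from, judged from the text of `ldd <libQtGui>`.
freetype_source() {
    case "$1" in
        *libfreetype.so*) echo system ;;
        *) echo bundled ;;
    esac
}

# Remediation for a (FreeType source, system FreeType version) pair.
remediation() {
    if [ "$1" = bundled ]; then
        echo update-qt                 # system FreeType is irrelevant here
    elif version_ge "$2" "$FIXED_FREETYPE"; then
        echo ok                        # fixed system library, no Qt rebuild
    else
        echo update-system-freetype    # updating the system is enough
    fi
}

# Constructed ldd excerpts standing in for a real `ldd libQt5Gui.so.5` run.
LDD_SYSTEM="libfreetype.so.6 => /usr/lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007f1a00000000)"
LDD_BUNDLED="libpng16.so.16 => /usr/lib/x86_64-linux-gnu/libpng16.so.16 (0x00007f1a00000000)"
echo "system 2.10.4:        $(remediation "$(freetype_source "$LDD_SYSTEM")" 2.10.4)"
echo "system 2.12.1+dfsg-3: $(remediation "$(freetype_source "$LDD_SYSTEM")" 2.12.1+dfsg-3)"
echo "bundled:              $(remediation "$(freetype_source "$LDD_BUNDLED")" 2.12.1)"
```

On a real host, feed it the output of `ldd` on the Qt GUI library actually loaded by your application and the FreeType version reported by your package manager.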
-
Attacking EFB updates | Pen Test Partners
When considering the ‘installed’ EFB, the chances are that software will originate from a combination of the aircraft manufacturer, the device manufacturer, and any specifically approved software. These will have gone through various stages of testing and will likely have been developed by a well-known company with an established and proven security methodology/framework for software development.
This is primarily because an installed EFB is considered to be ‘part’ of the aircraft and subject to the same safety and security regime as the aircraft itself.
But what about the ‘portable’ EFBs, many of which are allocated to specific crew members as personal devices? In this case, the variety of software installed is likely to be much greater than on the installed EFBs and thus will have a much greater range of possibilities for the origin of installed software. Many airlines which assign portable EFBs to their pilots allow them to install third-party applications on their devices without approval from the airline (however, they will generally be restricted to only installing applications from an approved application store).
It is common for portable EFBs to contain other applications, e.g. games and social media applications, as well as publicly available third-party tools for pilots, e.g. weather apps and unit conversion apps.