Security

Twitter Discloses It Wasn't Logging Users Out of Accounts After Password Resets (techcrunch.com) 12

Weeks after Twitter's ex-security chief accused the company of cybersecurity mismanagement, Twitter has now informed its users of a bug that didn't close all of a user's active logged-in sessions on Android and iOS after an account's password was reset. From a report: This issue could have implications for those who had reset their password because they believed their Twitter account could be at risk, perhaps because of a lost or stolen device, for instance. Assuming whoever had possession of the device could access its apps, they would have had full access to the impacted user's Twitter account. In a blog post, Twitter explains that it had learned of the bug that had allowed "some" accounts to stay logged in on multiple devices after a user reset their password voluntarily. Typically, when a password reset occurs, the session token that keeps a user logged into the app is also revoked -- but that didn't take place on mobile devices, Twitter says. Web sessions, however, were not impacted and were closed appropriately, it noted.
Bug

Earth Has 20 Quadrillion Ants, Study Says (washingtonpost.com) 82

An anonymous reader quotes a report from the Washington Post: A new estimate for the total number of ants burrowing and buzzing on Earth comes to a whopping total of nearly 20 quadrillion individuals. That staggering sum -- 20,000,000,000,000,000, or 20,000 trillion -- reveals ants' astonishing ubiquity even as scientists grow concerned a possible mass die off of insects could upend ecosystems. In a paper released Monday by the Proceedings of the National Academy of Sciences, a group of scientists from the University of Hong Kong analyzed 489 studies and concluded that the total mass of ants on Earth weighs in at about 12 megatons of dry carbon. Put another way: If all the ants were plucked from the ground and put on a scale, they would outweigh all the wild birds and mammals put together.

"It's unimaginable," said Patrick Schultheiss, a lead author on the study who is now a researcher at the University of Wurzburg in Germany, in a Zoom interview. "We simply cannot imagine 20 quadrillion ants in one pile, for example. It just doesn't work." Counting all those insects -- or at least enough of them to come up with a sound estimate -- involved combining data from "thousands of authors in many different countries" over the span of a century, Schultheiss added. To tally insects as abundant as ants, there are two ways to do it: Get down on the ground to sample leaf litter -- or set tiny pitfall traps (often just a plastic cup) and wait for the ants to slip in. Researchers have gotten their boots dirty with surveys in nearly every corner of the world, though some spots in Africa and Asia lack data. "It's a truly global effort that goes into these numbers," Schultheiss said.

Iphone

Bug in iPhone 14 Pro Max Causes Camera To Physically Fail, Users Say (theguardian.com) 66

mspohr writes: A major bug in Apple's latest iPhone is causing the camera to physically fail when using apps such as TikTok, Snapchat and Instagram, some owners have reported. The bug in the company's iPhone 14 Pro Max, the most expensive model in the iPhone 14 range, appears to affect the optical image stabilisation (OIS) feature, which uses a motor to eliminate the effects of camera shake when taking pictures. Opening the camera in certain apps causes the OIS motor to go haywire, causing audible grinding sounds and physically vibrating the entire phone. The vibration does not occur when using the built-in camera app, suggesting the problem's roots are in a software fault. However, some have warned affected users to limit their usage of apps that trigger the bug, in case excess vibration causes permanent damage to the OIS system. The company has previously warned users about potential damage to the OIS motor, particularly in situations where their phones are experiencing significant vibration. In January this year, the company published a long warning note for users about the risk of mounting their iPhones near "high-power motorcycle engines."
Security

Uber Investigating Breach of Its Computer Systems (nytimes.com) 27

Uber discovered its computer network had been breached on Thursday, leading the company to take several of its internal communications and engineering systems offline as it investigated the extent of the hack. From a report: The breach appeared to have compromised many of Uber's internal systems, and a person claiming responsibility for the hack sent images of email, cloud storage and code repositories to cybersecurity researchers and The New York Times. "They pretty much have full access to Uber," said Sam Curry, a security engineer at Yuga Labs who corresponded with the person who claimed to be responsible for the breach. "This is a total compromise, from what it looks like."

An Uber spokesman said the company was investigating the breach and contacting law enforcement officials. Uber employees were instructed not to use the company's internal messaging service, Slack, and found that other internal systems were inaccessible, said two employees, who were not authorized to speak publicly. Shortly before the Slack system was taken offline on Thursday afternoon, Uber employees received a message that read, "I announce I am a hacker and Uber has suffered a data breach." The message went on to list several internal databases that the hacker claimed had been compromised.
BleepingComputers adds: According Curry, the hacker also had access to the company's HackerOne bug bounty program, where they commented on all of the company's bug bounty tickets. Curry told BleepingComputer that he first learned of the breach after the attacker left the above comment on a vulnerability report he submitted to Uber two years ago. Uber runs a HackerOne bug bounty program that allows security researchers to privately disclose vulnerabilities in their systems and apps in exchange for a monetary bug bounty reward. These vulnerability reports are meant to be kept confidential until a fix can be released to prevent attackers from exploiting them in attacks.

Curry further shared that an Uber employee said the threat actor had access to all of the company's private vulnerability submissions on HackerOne. BleepingComputer was also told by a source that the attacker downloaded all vulnerability reports before they lost access to Uber's bug bounty program. This likely includes vulnerability reports that have not been fixed, presenting a severe security risk to Uber. HackerOne has since disabled the Uber bug bounty program, cutting off access to the disclosed vulnerabilities.

Security

Retbleed Fix Slugs Linux VM Performance By Up To 70 Percent (theregister.com) 33

VMware engineers have tested the Linux kernel's fix for the Retbleed speculative execution bug, and report it can impact compute performance by a whopping 70 percent. The Register reports: In a post to the Linux Kernel Mailing List titled "Performance Regression in Linux Kernel 5.19", VMware performance engineering staffer Manikandan Jagatheesan reports the virtualization giant's internal testing found that running Linux VMs on the ESXi hypervisor using version 5.19 of the Linux kernel saw compute performance dip by up to 70 percent when using single vCPU, networking fall by 30 percent and storage performance dip by up to 13 percent. Jagatheesan said VMware's testers turned off the Retbleed remediation in version 5.19 of the kernel and ESXi performance returned to levels experienced under version 5.18.

Because speculative execution exists to speed processing, it is no surprise that disabling it impacts performance. A 70 percent decrease in computing performance will, however, have a major impact on application performance that could lead to unacceptable delays for some business processes. VMware's tests were run on Intel Skylake CPUs -- silicon released between 2015 and 2017 that will still be present in many server fleets. Subsequent CPUs addressed the underlying issues that allowed Retbleed and other Spectre-like attacks.

Bug

Scientists Create Cyborg Cockroaches Controlled By Solar-Powered Backpacks (cnet.com) 30

An anonymous reader quotes a report from CNET: In a new study, published Monday in the journal npj Flexible Electronics, an international team of researchers revealed it has engineered a system to remotely control the legs of cockroaches from afar. The system, which is basically a cockroach backpack wired into the creature's nervous system, has a power output about 50 times higher than previous devices and is built with an ultrathin and flexible solar cell that doesn't hinder the roach's movement. Pressing a button sends a shock to the backpack that tricks the roach into moving a certain direction.

Cockroach cyborgs are not a new idea. Back in 2012, researchers at North Carolina State University were experimenting with Madagascar hissing cockroaches and wireless backpacks, showing the critters could be remotely controlled to walk along a track. The way scientists do this is by attaching the backpack and connecting wires to a cockroach's "cerci," two appendages at the end of the abdomen that are basically sensory nerves. One on the left, one on the right. Previous studies have shown electrical impulses to either side can stimulate the roach into moving in that direction, giving researchers some control over locomotion. But to send and receive signals, you need to power the backpack. You might be able to use a battery but, eventually, a battery will run out of power and the cyborg cockroach will be free to disappear into the leaf litter.

The team at Riken crafted the system to be solar-powered and rechargeable. They attached a battery and stimulation module to the cockroach's thorax (the upper segment of its body). That was the first step. The second step was to make sure the solar cell module would adhere to the cockroach's abdomen, the segmented lower section of its body. [T]he Riken team tested a number of thin electronic films, subjecting their roaches to a bunch of experiments and watching how the roaches moved depending on the thickness of the film. This helped them decide on a module about 17 times thinner than a human hair. It adhered to the abdomen without greatly limiting the degree of freedom the roaches had and also stuck around for about a month, greatly outlasting previous systems.
"The current system only has a wireless locomotion control system, so it's not enough to prepare an application such as urban rescue," said Kenjiro Fukuda, an expert in flexible electronics at Japan's Riken. "By integrating other required devices such as sensors and cameras, we can use our cyborg insects for such purposes."

Fukuda notes the design of the ultrathin solar cell could be applied to other insects, like beetles and cicadas.
Windows

Microsoft Investigates Bug That Mistakenly Flags Chromium-Based Apps as Malware (windowscentral.com) 44

Windows' "Defender" software is supposed to detect malware. But its Microsoft team is now investigating reports that it's mistakenly flagging Electron-based or Chromium-based applications — as malware.

"It's a false positive, and your computer is OK," wites the blog Windows Central: This morning, many people worldwide experienced Microsoft Defender warning them of a recurring virus threat.... People on Reddit are "freaking out" over not just a reported threat from Microsoft Defender but one that keeps popping up and recurring despite the alleged threat being blocked.

The threat is revealed in a pop-up message noting that "Behavior:Win32/Hive.ZY" has been detected and is listed as "severe." However, after taking action to rectify the issue, it does not go away, and the user will keep receiving the same prompt. The reminder may return after 20 seconds, with the cycle repeating endlessly.

This detection appears to be a false positive, according to a Microsoft Support forum... From DaveM121, an Independent Advisor: [I]t is a bug currently being reported by hundreds of people at the moment, it seems to be related to all Chromium based web browsers and Electron based apps like Whatsapp, Discord, Spotify, etc....

Also affected are Google Chrome and even Microsoft Edge, as well as "anything that runs Visual Studio Code," according to the article.

"The problem seems to originate from Defender's Definition/Update Version 1.373.1508.0, meaning Microsoft needs to update that file, and the issue should be resolved."
Crime

Attacks on Linux Servers Rose 75% Over Last Year, Warn Security Researchers (zdnet.com) 70

"There's been a big rise in ransomware attacks targeting Linux," reports ZDNet, "as cyber criminals look to expand their options and exploit an operating system that is often overlooked when businesses think about security." According to analysis by cybersecurity researchers at Trend Micro, Linux servers are "increasingly coming under fire" from ransomware attacks, with detections up by 75% over the course of the last year as cyber criminals look to expand their attacks beyond Windows operating systems.

Linux powers important enterprise IT infrastructure including servers, which makes it an attractive target for ransomware gangs — particularly when a perceived lack of threat to Linux systems compared with Windows means that cybersecurity teams might choose to focus on defending Windows networks against cybercrime. Researchers note that ransomware groups are increasingly tailoring their attacks to focus specifically on Linux systems. For example, LockBit is one of the most prolific and successful ransomware operations of recent times and now offers the option of a Linux-based variant that is designed to target Linux systems and has been used to conduct attacks in the wild....

And it isn't just ransomware groups that are increasingly turning their attentions towards Linux — according to Trend Micro, there's been a 145% increase in Linux-based cryptocurrency-mining malware attacks, where cyber criminals secretly exploit the power of infected computers and servers to mine for cryptocurrency for themselves. One of the ways cyber criminals are compromising Linux systems is by exploiting unpatched vulnerabilities. According to the report, these flaws include CVE-2022-0847 — also known as Dirty Pipe — a bug that affects the Linux kernel from versions 5.8 and up, which attackers can use to escalate their privileges and run code. Researchers warn that this bug is "relatively easy to exploit".

The article recommends installing all security patches as soon as they're available — and implementing multi-factor authentication across your organization.

And yes, it's the real ZDNet. They've just re-designed their web site...
Google

Google's Open-Source Bug Bounty Aims To Clamp Down on Supply Chain Attacks (theverge.com) 3

Google has introduced a new vulnerability rewards program to pay researchers who find security flaws in its open-source software or in the building blocks that its software is built on. It'll pay anywhere from $101 to $31,337 for information about bugs in projects like Angular, GoLang, and Fuchsia or for vulnerabilities in the third-party dependencies that are included in those projects' codebases. From a report: While it's important for Google to fix bugs in its own projects (and in the software that it uses to keep track of changes to its code, which the program also covers), perhaps the most interesting part is the bit about third-party dependencies. Programmers often use code from open-source projects so they don't continuously have to reinvent the same wheel. But since developers often directly import that code, as well as any updates to it, that introduces the possibility of supply chain attacks. That's when hackers don't target the code directly controlled by Google itself but go after these third-party dependencies instead.

As SolarWinds showed, this type of attack isn't limited to open-source projects. But in the past few years, we've seen several stories where big companies have had their security put at risk thanks to dependencies. There are ways to mitigate this sort of attack vector -- Google itself has begun vetting and distributing a subset of popular open-source programs, but it's almost impossible to check over all the code a project uses. Incentivizing the community to check through dependencies and first-party code helps Google cast a wider net.

Chromium

Debian Replaces Google with DuckDuckGo as Chromium's Default Search Engine (itsfoss.com) 43

An anonymous reader quotes a story from the Linux/Open Source news site It's FOSS: While Firefox is still the default web browser in Debian, you can find the Chromium browser in the repositories. Chromium is the open source project upon which Google has built its Chrome web browser. It is also preferred by many Linux users as it provides almost the same features as Google Chrome.

Earlier, Chromium used Google as the default search engine in Debian. However, Debian is going to use DuckDuckGo as the default search engine for Chromium.

It all started when bug report #956012 was filed in April 2020, stating to use DuckDuckGo as the default search engine for the Chromium package. You can see the decision was not taken in any hurry, as the maintainers took more than two years to close the bug report.

The reason for the change goes as stated in the official package update announcement.

Change default search engine to DuckDuckGo for privacy reasons. Set a different search engine under Settings -> Search Engine (closes: #956012).

Security

Microsoft Finds Critical Hole In ChromeOS (theregister.com) 31

joshuark writes: Microsoft has found a bug in ChromeOS and given it a high vulnerability 9.8 out of 10. The bug was promptly fixed and, about a month later, merged in ChromeOS code then released on June 15, 2022. This is a reversal in that Google usually finds security bugs in software from Microsoft and other vendors after typically 90 days -- even if a patch had not been released -- in the interest of forcing companies to respond to security flaws more quickly. [...] The ChromeOS memory corruption vulnerability -- CVE-2022-2587 -- was particularly severe. As Jonathan Bar Or, a member of the Microsoft 365 Defender research team, explains in his post, the problem follows from the use of D-Bus, an Inter-Process-Communication (IPC) mechanism used in Linux. A D-Bus service called org.chromium.cras (for ChromiumOS Audio Server) provides a way to route audio to newly added peripherals like USB speakers and Bluetooth headsets. The service includes a function called SetPlayerIdentity, which accepts a string argument called identity as its input. And the function's C code calls out to strcpy in the standard library. Yes, strcpy, which is a dangerous function.
NASA

Curiosity Mars Rover Gets 50% Speed Boost From Software Update (newscientist.com) 50

The navigation strategy of NASA's Curiosity rover means it has to stop frequently to check its position, but soon a software update will allow it to move almost continuously. From a report: A new software update will soon give NASA's Curiosity Mars rover a 50 per cent speed boost, allowing it to cover a greater distance and complete more science. But the update very nearly didn't happen because of a mysterious bug in the software that eluded engineers for years. Curiosity, which landed on Mars 10 years ago this month, has already greatly outlived its planned two-year lifespan.
Bug

Google's New Bug Bounties Include Their Custom Linux Kernel's Experimental Security Mitigations (theregister.com) 5

Google uses Linux "in almost everything," according to the leader of Google's "product security response" team — including Chromebooks, Android smartphones, and even Google Cloud.

"Because of this, we have heavily invested in Linux's security — and today, we're announcing how we're building on those investments and increasing our rewards." In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called, kCTF. The kCTF Vulnerability Rewards Program lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded.

All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability.

We've learned that finding and exploiting heap memory corruption vulnerabilities in the Linux kernel could be made a lot harder. Unfortunately, security mitigations are often hard to quantify, however, we think we've found a way to do so concretely going forward....

First, we are indefinitely extending the increased reward amounts we announced earlier this year, meaning we'll continue to pay $20,000 — $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the important work being done to understand and improve kernel security. This is in addition to our existing patch rewards for proactive security improvements.

Second, we're launching new instances with additional rewards to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we've built. Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations. Today, we are starting with a set of mitigations we believe will make most of the vulnerabilities (9/10 vulns and 10/13 exploits) we received this past year more difficult to exploit. For new exploits of vulnerabilities submitted which also compromise the latest Linux kernel, we will pay an additional $21,000 USD. For those which compromise our custom Linux kernel with our experimental mitigations, the reward will be another $21,000 USD (if they are clearly bypassing the mitigations we are testing). This brings the total rewards up to a maximum of $133,337 USD.

We hope this will allow us to learn more about how hard (or easy) it is to bypass our experimental mitigations.....

With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible.

"We don't care about vulnerabilities; we care about exploits," Vela told the Register. "We expect the vulnerabilities are there, they will get patched, and that's nice and all. But the whole idea is what do to beyond just patching a couple of vulnerabilities." In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VPRs last year. "We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better," Vela said.

"If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this...."

[I]t's not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. "We are trying to find the right combination to captivate people."

Communications

The Hacking of Starlink Terminals Has Begun (wired.com) 48

AmiMoJo shares a report from Wired: Since 2018, ELON Musk's Starlink has launched more than 3,000 small satellites into orbit. This satellite network beams internet connections to hard-to-reach locations on Earth and has been a vital source of connectivity during Russia's war in Ukraine. Thousands more satellites are planned for launch as the industry booms. Now, like any emerging technology, those satellite components are being hacked. Today, Lennert Wouters, a security researcher at the Belgian university KU Leuven, will reveal one of the first security breakdowns of Starlink's user terminals, the satellite dishes (dubbed Dishy McFlatface) that are positioned on people's homes and buildings. At the Black Hat security conference in Las Vegas, Wouters will detail how a series of hardware vulnerabilities allow attackers to access the Starlink system and run custom code on the devices.

To access the satellite dish's software, Wouters physically stripped down a dish he purchased and created a custom hacking tool that can be attached to the Starlink dish. The hacking tool, a custom circuit board known as a modchip, uses off-the-shelf parts that cost around $25. Once attached to the Starlink dish, the homemade printed circuit board (PCB) is able to launch a fault injection attack -- temporarily shorting the system -- to help bypass Starlink's security protections. This 'glitch' allows Wouters to get into previously locked parts of the Starlink system. The researcher notified Starlink of the flaws last year and the company paid Wouters through its bug bounty scheme for identifying the vulnerabilities. Wouters says that while SpaceX has issued an update to make the attack harder (he changed the modchip in response), the underlying issue can't be fixed unless the company creates a new version of the main chip. All existing user terminals are vulnerable, Wouters says.
Wouters is making his hacking tool open source on GitHub. Following his presentation, Starlink says it plans to release a "public update" to address the issue but additional details were not shared.
Security

Researchers Find Vulnerability In Software Underlying Discord, Microsoft Teams, and Other Apps (vice.com) 23

An anonymous reader quotes a report from Motherboard: A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Spotify and many others, which are used by tens of millions of people all over the world. At the Black Hat cybersecurity conference in Las Vegas on Thursday, the researchers presented their findings, detailing how they could have hacked people who use Discord, Microsoft Teams, and the chat app Element by exploiting the software underlying all of them: Electron, which is a framework built on the open source Chromium and the cross-platform javascript environment Node JS. In all these cases, the researchers submitted vulnerabilities to Electron to get them fixed, which earned them more than $10,000 in rewards. The bugs were fixed before the researchers published their research.

Aaditya Purani, one of the researchers who found these vulnerabilities, said that "regular users should know that the Electron apps are not the same as their day-to-day browsers," meaning they are potentially more vulnerable. In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers, Purani explained in the talk. For him, one of the main takeaways of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams.

Medicine

Major Test of First Possible Lyme Vaccine In 20 Years Begins (apnews.com) 58

An anonymous reader quotes a report from The Associated Press: Researchers are seeking thousands of volunteers in the U.S. and Europe to test the first potential vaccine against Lyme disease in 20 years -- in hopes of better fighting the tick-borne threat. Lyme is a growing problem, with cases rising and warming weather helping ticks expand their habitat. While a vaccine for dogs has long been available, the only Lyme vaccine for humans was pulled off the U.S. market in 2002 from lack of demand, leaving people to rely on bug spray and tick checks. Now Pfizer and French biotech Valneva are aiming to avoid previous pitfalls in developing a new vaccine to protect both adults and kids as young as 5 from the most common Lyme strains on two continents.

Most vaccines against other diseases work after people are exposed to a germ. The Lyme vaccine offers a different strategy -- working a step earlier to block a tick bite from transmitting the infection, said Dr. Gary Wormser, a Lyme expert at New York Medical College who isn't involved with the new research. How? It targets an "outer surface protein" of the Lyme bacterium called OspA that's present in the tick's gut. It's estimated a tick must feed on someone for about 36 hours before the bacteria spreads to its victim. That delay gives time for antibodies the tick ingests from a vaccinated person's blood to attack the germs right at the source.

In small, early-stage studies, Pfizer and Valneva reported no safety problems and a good immune response. The newest study will test if the vaccine, called VLA15, really protects and is safe. The companies aim to recruit at least 6,000 people in Lyme-prone areas including the Northeast U.S. plus Finland, Germany, the Netherlands, Poland and Sweden. They'll receive three shots, either the vaccine or a placebo, between now and next spring's tick season. A year later, they'll get a single booster dose.

Bug

Windows 11 Encryption Bug Could Cause Data Loss, Temporary Slowdowns On Newer PCs (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: Microsoft has published a knowledge base article acknowledging a problem with encryption acceleration in the newest versions of Windows that could result in data corruption. The company recommends installing the June 2022 security updates for Windows 11 and Windows Server 2022 "to prevent further damage," though there are no suggested solutions for anyone who has already lost data because of the bug.

The problems only affect relatively recent PCs and servers that support Vector Advanced Encryption Standard (VAES) instructions for accelerating cryptographic operations. Microsoft says affected systems use AES-XTS or AES-GCM instructions "on new hardware." Part of the AVX-512 instruction set, VAES instructions are supported by Intel's Ice Lake, Tiger Lake, Rocket Lake, and Alder Lake architectures -- these power some 10th-generation Core CPUs for laptops, as well as all 11th- and 12th-gen Core CPUs. AMD's upcoming Zen 4 architecture also supports VAES, though by the time these chips are released in the fall, the patches will have had plenty of time to proliferate. Microsoft says that the problem was caused when it added "new code paths" to support the updated encryption instructions in SymCrypt, Windows' cryptographic function library. These code paths were added in the initial release of Windows 11 and Windows Server 2022, so the problem shouldn't affect older versions like Windows 10 or Windows Server 2019.

The initial fix for the problem, provided in Windows' June 2022 security update package (Windows 11 build 22000.778), will prevent further damage at the cost of reduced performance, suggesting that the initial fix was to disable encryption acceleration on these processors entirely. Using Bitlocker-encrypted disks or the Transport Layer Security (TLS) protocol or accessing encrypted storage on servers will all be slower with the first patch installed, though installing the July 2022 security updates (Windows 11 build 22000.795) should restore performance to its previous level.

Intel

SGX, Intel's Supposedly Impregnable Data Fortress, Has Been Breached Yet Again (arstechnica.com) 23

Intel's latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company's software guard extensions, the advanced feature that acts as a digital vault for security users' most sensitive secrets. From a report: Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.

SGX is a cornerstone of the security assurances many companies provide to users. Servers used to handle contact discovery for the Signal Messenger, for instance, rely on SGX to ensure the process is anonymous. Signal says running its advanced hashing scheme provides a "general recipe for doing private contact discovery in SGX without leaking any information to parties that have control over the machine, even if they were to attach physical hardware to the memory bus." The example is purely hypothetical. Signal spokesperson Jun Harada wrote in an email: "Intel alerted us to this paper... and we were able to verify that the CPUs that Signal uses are not impacted by the findings of this paper and therefore are not vulnerable to the stated attack." Key to the security and authenticity assurances of SGX is its creation of what are called "enclaves," or blocks of secure memory. Enclave contents are encrypted before they leave the processor and are written in RAM. They are decrypted only after they return. The job of SGX is to safeguard the enclave memory and block access to its contents by anything other than the trusted part of the CPU.

Twitter

Twitter Confirms Vulnerability Exposed Data of Anonymous Account Owners (twitter.com) 17

Friday the Twitter Privacy Center posted an announcement on their blog:

"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened...."

Engadget explains: [T]he company said a malicious actor took advantage of a zero-day flaw before Twitter became aware of and patched the issue in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company's bug bounty program. When Twitter first learned of the flaw, it said it had "no evidence" to suggest it had been exploited. However, an individual told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the exposure.
From the Twitter Privacy Center: This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.... After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.

Bug

Microsoft Outlook Is Crashing When Reading Uber Receipt Emails (bleepingcomputer.com) 45

Microsoft says the Outlook email client will crash when opening and reading emails with tables such as Uber receipt emails. BleepingComputer reports: "When opening, replying, or forwarding some emails that include complex tables, Outlook stops responding," the company explains in a support document. To make matters worse, emails with the same table contents will also cause the Microsoft Word app to stop responding. While the known issue affects Microsoft 365 customers in the Current Channel Version 2206 Build 15330.20196 and higher, it can also trigger freezes in current Beta and Current Channel Preview builds. The Microsoft Word team has already developed a fix that will be released to Beta channel customers soon, after undergoing verification. Microsoft added that customers using Outlook versions in the Current Channel would receive the fix as part of this month's Patch Tuesday, on August 9, 2022. For those unable to wait for the fix, Microsoft has provided a workaround that requires users to revert to an older build.

Slashdot Top Deals