Little Pig, Little Pig! Let Me Admin! (Security Thread)

[Friday]

Do I need this security update if I never have hooked my computer up to a printer and never will?

[Grath]

Do I need this security update if I never have hooked my computer up to a printer and never will?

Yes. This is a hilariously bad bug that allows Windows to basically load any code whatsoever as though it's a printer driver and then run it as the System user, so it's automatically at elevated permissions.

[Mongrel]

Always a bit fascinating when a critical failure bug goes undetected for THIS LONG.

It's been what? 13 years since Win 7 was released?

[Brantly B.]

The fascinating thing to me is that it took 13 years for somebody to exploit it badly enough to warrant a patch. It's no secret to anybody who's ever touched an ink cartridge that the printer API is a rotting zombie that's been shambling around since the 90s; if I was inclined to ransom somebody's wares, I'd probably have put more effort into figuring out exactly how rotting at some point.

[Thad]

Though accidental disclosure by security researchers who confused it with another print spooler vulnerability that had already been patched? That part's very, very easy to believe.

[Upthorn]

New Discord malware going around, in the form of an itch.io link that gains steals your discord account login cookie if opened in a browser that has your login saved.

Also, seems Discord has no safeguards against an account hacker spending money via a nitro account's saved credentials...


I absolutely hate that itch.io is being used as the vector for this. It would work on literally any website, and itch.io is both really important for indie game development, and small/obscure enough that people really don't need any reason to start avoiding links there.

[Upthorn]

You may or may not have already heard, but Twitch got completely owned today.
Payment records, source code, with comments.
Probably reasonable to assume that they dumped all the user DBs, and somebody somewhere is at work cracking passwords right now.

If you use twitch: reset your password and stream key, consider adding 2FA to your account.

[Thad]

...it would have been pretty weird if they got the source code *without* comments.

[Grath]

...it would have been pretty weird if they got the source code *without* comments.

I mean, you can decompile programs to get source code without comments, or if the devs are full of hubris you can find source code without comments.

(Sidebar: A coworker at IBM had a custom status message of

Code: Select all

/* Yuri made me put in a comment saying what I was doing. I was modifying the damn code. Figuring out how I did it is left as an exercise to the astute reader, you poor bastard */

and I didn't see that myself in the source code, but I do know we had a coworker named Yuri in the dev team.)

[Thad]

I mean, you can decompile programs to get source code without comments

Yeah, but nobody would describe getting binaries and decompiling them as getting access to source code.

[Brantly B.]

Somebody absolutely would and generally they're the kind of somebody who "own" websites.

[Thad]

Wil Wheaton?

[mharr]

Former Malware Distributor Kape Technologies Now Owns ExpressVPN, CyberGhost, Private Internet Access, Zenmate, and a Collection of VPN “Review” Websites

The main person behind Kape is Teddy Sagi, an Israeli billionaire who previously spent time in jail for insider trading. Sagi earned much of his wealth from a gambling company called Playtech. Sagi acquired Kape Technologies in 2012 and led it to be a major player in the malware and adware industry.

Interestingly, Sagi is also named in the Panama Papers that detail a “rogue offshore financial industry.”

The other key figure behind Kape is Koby Menachemi. Forbes wrote a good article on Menachemi, detailing his ties to Israeli intelligence and cyber espionage.

[Upthorn]

Missed in all the havoc of the past year, but apparently the Norton 360 subscription-based antivirus recently pivoted from software security to... etherium mining network.

What is not mentioned in the linked blog post is that there is no way to opt out except to uninstall, and the miner automatically connects to a Norton-run mining pool which takes a 15% fee. Nor is there any notification to users that Norton now automatically mines Etherium with your spare cycles, so unless they happened to check the blog 6 months ago, or thoroughly explore the updated UI to find where it tells them their payout numbers, they have no way to know it's happening...

[Thad]

Huh. And here I was thinking my opinion of Norton couldn't get lower.

[Thad]

Safari and iOS users: Your browsing activity is being leaked in real time

Since September’s release of Safari 15 and iOS and iPadOS 15, [same-origin] policy has been broken wide open, research published late last week found. As a demo site graphically reveals, it’s trivial for one site to learn the domains of sites open in other tabs or windows, as well as user IDs and other identifying information associated with the other sites.

[Thad]

High-severity bug in the Linux kernel; affects anything running kernel v5.8 or later. That includes Android, so if you've got any Android devices you may want to manually check if there's an update available.

The good news is it's probably not going to affect many production servers. If you're using Ubuntu LTS with a stock kernel, you're running Linux 5.4 at the latest. I haven't checked the current kernel version on RHEL but I'm guessing it's not using 5.8 either. And Debian stable is definitely going to be running an older kernel than Ubuntu LTS, because that's how Ubuntu works.

Now, if this had been discovered a month later, it would have...still probably not had much of an impact on production environments, because nobody in a production environment updates to a new Ubuntu LTS at launch. Hell, I'm still in the process of updating our servers to 20.04.

[Thad]

WatchGuard failed to explicitly disclose critical flaw exploited by Russian hackers
Silently fixed authentication bypass remained a secret even after it was under attack.

I've always thought of WatchGuard as cheap trash your boss buys because he thinks Cisco is too expensive.

This, though, is a whole other level. Being informed by the FBI that your product has a vulnerability being actively exploited by Russian state actors, taking three months to patch said vulnerability, and then failing to disclose it until forced to in court, is completely disqualifying.

Don't use WatchGuard. Ever. If you're in a shop that does use it, point the people who make buying decisions at this story and explain how much more this kind of breach would cost the company compared to buying a better firewall.

[Büge]

[Büge]