Blue Screen of the day—update crashes Windows 10 PCs on print

Found on Ars Technica on Monday, 22 March 2021
Browse Software

A Microsoft Windows Update is wreaking havoc with printers worldwide this week—KB5000802 (for newer Windows 10 builds; older Windows 10 and Server builds may have a KB ending in 808 or 822 instead) was intended to provide updates to security "when Windows performs basic operations," but the update crashes some print drivers due to overflowing a GDI Object limit of 10,000.

It feels more and more like Microsoft has decided to drop any testing before releasing updates into the wild.
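The excerpt pins the crash on exceeding the per-process GDI object quota of 10,000. The PowerShell snippet below is an added example, not code from the Ars Technica article, from Microsoft or from the affected driver vendors: it reads that quota from the registry and lists the processes holding the most GDI objects, using user32!GetGuiResources. The registry path and the 10,000 default are documented Windows facts; naming spoolsv and the printing application as the processes to watch is an assumption about where a misbehaving print driver would show up.

```powershell
# Added example (not from the article): measure how close each process is to the
# per-process GDI object quota that the excerpt says the affected print drivers overflow.

# P/Invoke user32!GetGuiResources, which returns the GDI (flag 0) or USER (flag 1)
# object count for a process handle opened with PROCESS_QUERY_INFORMATION access.
Add-Type -Namespace Win32 -Name Gui -MemberDefinition @'
[DllImport("user32.dll", SetLastError = true)]
public static extern uint GetGuiResources(IntPtr hProcess, uint uiFlags);
'@
$GR_GDIOBJECTS = 0

# The per-process quota lives under HKLM\...\Windows\GDIProcessHandleQuota.
# When the value is absent, Windows uses 10000, the figure quoted in the article.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$quota = (Get-ItemProperty -Path $key -Name GDIProcessHandleQuota -ErrorAction SilentlyContinue).GDIProcessHandleQuota
if (-not $quota) { $quota = 10000 }
"GDI object quota per process: $quota"

$rows = foreach ($p in Get-Process) {
    try {
        # Process.Handle opens the target with broad rights and throws for
        # protected or system processes when not elevated; those are skipped.
        $count = [Win32.Gui]::GetGuiResources($p.Handle, $GR_GDIOBJECTS)
    } catch { continue }
    [pscustomobject]@{
        Name       = $p.ProcessName
        Id         = $p.Id
        GdiObjects = $count
        PctOfQuota = [math]::Round(100 * $count / $quota, 1)
    }
}

# Top consumers. Assumption: spoolsv (the print spooler) and the application doing
# the printing are the ones to watch while reproducing a job with a suspect driver.
$rows | Sort-Object GdiObjects -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Run it in an elevated PowerShell before and during a print job on an affected machine; a process whose GdiObjects climbs toward the quota with every page is leaking handles, which is the condition the update exposed rather than caused.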

You only need pen and paper to fool this OpenAI computer vision code

Found on The Register on Wednesday, 17 March 2021

The lab's latest computer vision model, CLIP, can be tricked by what's described as a "typographical attack." Simply write the words 'iPod' or 'pizza' on a bit of paper, stick it on an apple, and the software will wrongly classify the piece of fruit as a Cupertino music player or a delicious dish.

That is some impressive AI technology...

Flash version distributed in China after EOL is installing adware

Found on ZD Net on Sunday, 07 March 2021

Currently, this Chinese version of the old Flash Player app is available only via flash.cn, a website managed by a company named Zhong Cheng Network, the only entity authorized by Adobe to distribute Flash inside China.

During subsequent analysis, researchers found that the app was indeed installing a valid version of Flash but also downloading and running additional payloads.

Flash has been a security problem. Now, after its official death, it still is. Nothing seems to have changed.

Red Hat returns with another peace offering in the wake of the CentOS Stream affair

Found on The Register on Friday, 05 March 2021

The IBM-owned Linux distro giant will offer selected bodies free "RHEL subscriptions for any use within the confines of their infrastructure." By infrastructure, they mean things like build and continuous integration systems, and web and mail servers.

And in case you're wondering, Red Hat said it is going to keep Fedora around, "for driving leading-edge development of Linux operating system improvements and enhancements."

Fool me once...

Why are there seven embedded trackers in the LastPass Android app?

Found on The Register on Thursday, 04 March 2021

The Exodus report on LastPass shows seven trackers in the Android app, including four from Google for the purpose of analytics and crash reporting, as well as others from AppsFlyer, MixPanel, and Segment. Segment, for instance, gathers data for marketing teams, and claims to offer a "single view of the customer", profiling users and connecting their activity across different platforms, presumably for tailored adverts.

Do all password apps contain such trackers? Not according to Exodus. 1Password has none. KeePass has none. The open-source Bitwarden has two for Google Firebase analytics and Microsoft Visual Studio crash reporting. Dashlane has four. LastPass does appear to have more than its rivals.

Anything related to security should never implement tracking/monitoring code from third parties.

New malware found on 30,000 Macs has security pros stumped

Found on Ars Technica on Sunday, 21 February 2021

So far, however, researchers have yet to observe delivery of any payload on any of the infected 30,000 machines, leaving the malware’s ultimate goal unknown. The lack of a final payload suggests that the malware may spring into action once an unknown condition is met.

“To me, the most notable [thing] is that it was found on almost 30K macOS endpoints... and these are only endpoints the MalwareBytes can see, so the number is likely way higher,” Patrick Wardle, a macOS security expert, wrote in an Internet message. “That’s pretty widespread... and yet again shows the macOS malware is becoming ever more pervasive and commonplace, despite Apple’s best efforts.”

Remember the "you'll never get a virus on an Apple" marketing?

Rocky Linux gets a new sponsor—Gregory Kurtzer’s startup, Ctrl IQ

Found on Ars Technica on Sunday, 07 February 2021

Gregory Kurtzer, co-founder of the now-defunct CentOS Linux distribution, has founded a new startup company called Ctrl IQ, which will serve in part as a sponsoring company for the upcoming Rocky Linux distribution.

Ctrl IQ reached out due to confusion caused by the original headline of this article (since corrected). Ctrl IQ is only a sponsor of the Rocky Linux project, not a parent company.

Good luck, Rocky.

CentOS is gone—but RHEL is now free for up to 16 production servers

Found on Ars Technica on Monday, 25 January 2021

Long-standing tradition—and ambiguity in Red Hat's posted terms—led users to believe that CentOS 8 would be available until 2029, just like the RHEL 8 it was based on. Red Hat's early termination of CentOS 8 in 2021 cut eight of those 10 years away, leaving thousands of users stranded.

Although CentOS Stream could be considered appropriate and perfectly adequate for enthusiasts and home-labbers, the lack of a long, well-defined life cycle made it inappropriate for most production use and, especially, production use by shops that chose a RHEL-compatible distribution in the first place.

Red Hat has axed the flagship of its portfolio and now hopes to regain some of the lost trust. For the majority, it does not work like that.

When Adobe Stopped Flash Content From Running It Also Stopped A Chinese Railroad

Found on Jalopnik on Sunday, 24 January 2021

For a select few in China, though, the death of Flash meant being late to work, because the city of Dalian in northern China was running their railroad system on it. Yes, a railroad, run on Flash, the same thing used to run “free online casinos” and knockoff Breakout games in mortgage re-fi ads.

The railroad’s technicians did get everything back up and running, but the way they did this is fascinating, too. They didn’t switch the rail management system to some other, more modern codebase or software installation; instead, they installed a pirated version of Flash that was still operational.

It most likely won't be fixed or migrated at all and will just keep running on a pirated, insecure piece of software.

Windows 10 bug corrupts your hard drive on seeing this file's icon

Found on Bleeping Computer on Tuesday, 19 January 2021

In multiple tests by BleepingComputer, this one-liner can be delivered hidden inside a Windows shortcut file, a ZIP archive, batch files, or various other vectors to trigger hard drive errors that corrupt the filesystem index instantly.

What's worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems.

BleepingComputer's tests also show that you can use this command on any drive, not only the C: drive, and that drive will subsequently become corrupted.

A bunch of trolls and pranksters will have a fun time with that.