The Truth: Patch Day, Facebook’s iOS App is Looking at You, US Border Searches of Electronics Need Probable Cause

Wednesday, 13 November 2019

Hello, hello hump day! If you’re wondering why your computer was so slow to wake up this morning, it’s probably because of Patch Day. You also might want to uninstall the Facebook app on your iPhone. Just saying…

Yesterday was Patch Tuesday once again. On this occasion, Microsoft has fixed 74 security vulnerabilities (13 of them critical) in Internet Explorer, Edge, Office and Windows itself. One vulnerability in Internet Explorer’s scripting engine (CVE-2019-1429) allows remote code execution and is a zero-day, meaning it was discovered when attacks on the flaw in the wild were noticed. Meanwhile, Adobe has released patches for security vulnerabilities in their Adobe Media Encoder and some of its Creative Cloud apps. SAP has also released 12 security updates.

In other security news, Intel has disclosed a new variant of the CPU hardware vulnerability ZombieLoad. The Register reports that “the same group of university boffins who helped uncover the infamous Spectre and Meltdown flaws say that a third issue, reported back in May under the name ZombieLoad, extends even further into Chipzilla’s processor line than previously thought. The ZombieLoad hole can be exploited by malware running on a vulnerable machine, or a rogue logged-in user, to snoop on processor cores and extract sensitive information from memory that should be out of bounds. In practice, this would potentially allow an attacker already on the system to lift passwords, keys, and the like from other running software.” Apparently the security researchers have discovered that this vulnerability also extends to Intel’s newest processors (8th and 9th generation), which Intel had denied earlier this year. “The researchers say the only way to fully resolve the flaw is to turn off speculative execution, a move that will effectively cripple CPU performance.” Intel is trying to patch it with microcode updates as well as they can and they have released software updates to do this. But, says The Register, “Chipzilla acknowledges this release does not fully remedy the problem.”

Facebook’s iOS app has been spying on people. It uses the phone’s camera app in the background without telling the user. “A number of users have noticed the unusual behavior and posted videos demonstrating it. In each, the rear camera is clearly turned on and can be seen behind the main app screen: something that is unnecessary and the user is not informed about.” Facebook says its a bug and they are looking into it. I’m not buying it and I think The Register’s advice is reasonable: “The best solution is to delete the Facebook app from your phone and, if you must, access Facebook through a browser, preferably a separate browser to the one you normally use. Facebook has a long history of abusing trust, and downloading an app grants it far more access to your data that accessing its service through a browser.”

Windows 10 version 1909, the November 2019 Update, is now available. According to The Verge, it’s more like a Service Pack than the previous, more feature-packed updates: “Most of the changes are minor, and you won’t see a lot of them as they’re behind-the-scenes improvements focused on stability, performance, and more.” Microsoft has started to push this version on people now. If you want it right away, go to Settings / Update & Security / Windows Update and click the button to check for updates.

Microsoft is moving Visual Studio to the web – and a rental model – with Visual Studio Online. It has some fancy features. But no doubt the idea is, as has been the case with software sales models everywhere for quite a while now, to get people away from buying software once and towards paying continuously.

WebAssembly, a kind of bytecode-language for the web, is being tendered as a solution for software that runs outside of browsers. Mozilla, Intel, Red Hat and Fastly habe now created the so-called Bytecode Alliance for the purpose. As The Register explains: “Wasm, as WebAssembly is known to its friends, is faster than JavaScript – about 20x by one measure – and has other advantages in terms of security, portability, size, and load-time efficiency. It’s been implemented in at least four major browsers – Chrome, Edge, Firefox, and Safari – and now Bytecode Alliance members aim to help it move beyond the browser. Many of the use-cases for wasm involve in-browser applications, such as running games or other performance-sensitive tasks. But wasm also has potential outside the browser, for content distribution, server-side handling of untrusted code, hybrid native apps on mobile devices, and multi-node computation.”

A Massachusetts district court has decided that US border agents seizing your electronics and searching them without demonstrating reasonable suspicion of a crime is unconstitutional. As such, “the CBP (Customs and Border Protection) and ICE (Immigration and Customs Enforcement) policies for basic and advanced searches, as presently defined, violate the Fourth Amendment to the extent that the policies do not require reasonable suspicion that the devices contain contraband for both such classes of non-cursory searches and/or seizure of electronic devices.” This sounds like good news for many techies travelling to the US who currently use burner devices because of these policies. But… “despite ruling that such searches are unconstitutional, the judge declined to issue an injunction that would require border agents to get a warrant before probing such devices or to have probable cause before searching a device. That means border agents will continue to be able to search devices at the border, though will have to justify doing so.” And: “It appears clear that the judge was determined to allow the fundamental decision that searches of electronic devices at the border break the Fourth Amendment stand until the case reaches the Supreme Court – something that it is almost certainly destined to do.” A win for privacy, albeit a small one.

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.