The Truth: Patch Tuesday, Linux Packages from Microsoft, Chrome Now Checking Your Credentials on All Websites

Welcome to The Truth for Wednesday, 11 December 2019. Lots of things happening in the run-up to the end of the year, it seems. I’ll have to skip tomorrow’s newsletter, since I’ll be on the road all day, but I’ll be back on Friday. Anyway, here’s the selection for today.

Yesterday was Patch Tuesday, which means security updates from Microsoft, Adobe, Intel and SAP.

This month is a relatively small patch bundle from Microsoft, with fixes for just 36 CVE-listed bugs, only seven of which Redmond rates as critical. Not among those seven is CVE-2019-1458, a flaw believed to be under active attack in the wild. The bug, an elevation-of-privilege error caused by improper handling of objects in memory, is said to have been chained with a Chrome flaw to attack PCs remotely, yet it is rated merely “important”. As one analysis of the bulletin put it: “While it’s not confirmed this patch is connected to those Chrome attacks, this is the type of bug one would use to perform a sandbox escape.”

For Adobe, there are updates for Acrobat, Photoshop, Brackets, and ColdFusion.

On Tuesday morning, word broke about Plundervolt, the latest attack on Intel processors. Strictly speaking it is a fault-injection attack rather than a side channel: software-controlled undervolting is used to make computations inside SGX enclaves go wrong. That advisory was one of 11 from Chipzilla this month.

More on Plundervolt

For those using SAP software, there are a total of seven security notes this month, including fixes for bugs in Adaptive Server Enterprise (CVE-2019-0402), SAP BusinessObjects (CVE-2019-0395) and SAP Enable Now (CVE-2019-0405).

It’s probably not a good idea to buy a smart toy this Christmas.

Working with security researchers from NCC Group, Which? found a karaoke machine that could transmit audio from anyone passing within Bluetooth range because its Bluetooth connection was unsecured. It found walkie-talkies from VTech to which anyone with a similar set of equipment could connect from up to 200 metres away. It also found a Mattel-backed games portal which appeared to be unmoderated, allowing users to upload their own games with content inappropriate for children.

Meanwhile, Sphero, maker of the Sphero Mini interactive toy also implicated in the Which? study, said that the feature highlighted related to the Sphero Edu app, which was meant to be used in classrooms or in the home with teacher or parent supervision.

As usual, the word “smart” can be substituted with the word “insecure”.

Google’s Chrome browser will now check your username and password against a database of known leaks every time you sign in somewhere. According to The Register’s reporting, the credentials themselves are not handed to Google, though:

The idea is that your credentials are never sent to Google in a form it can read, and that details of other people’s breached credentials are never sent to you in a form you can read. The procedure, we are told, “reflects the work of a large group of Google engineers and research scientists”.

Even though users may still feel uncomfortable enabling this kind of check, the risks are likely lower than the risk of being unaware that your credentials have been stolen. The bigger snag, perhaps, is that you have to sign into Chrome with all that implies in terms of giving the data-grabbing giant more information about your digital life.

This seems to be similar to how Troy Hunt’s HIBP works. HIBP’s Pwned Passwords API relies on a k-anonymity range query: the client sends only the first five hex characters of the password’s SHA-1 hash, gets back every hash suffix in that range, and does the comparison locally, so the server never learns which password was being checked.

Tim Cook thinks having a monopoly isn’t bad if you don’t misuse it. No, seriously. He said that.

“A monopoly by itself isn’t bad if it’s not abused,” Cook said, while insisting that Apple does not have a monopoly in any sector.

Apple sounds more and more like Microsoft in the ’90s these days.

Microsoft has released a public preview of Microsoft Teams for Linux. They have .deb and RPM packages. What a crazy world we live in these days!

After complaints from users who were trying to back up data from Yahoo Groups, Yahoo (now a subsidiary of Verizon) has extended the deadline for doing so until 31 January 2020. Volunteers are helping the Internet Archive to back up information from the message board system.

Struth! Some guy in Queensland has downloaded 26.8 TB in June of this year alone. That’s a lot of porn, mate!

Early adopters got shafted in two bankruptcies recently: E-scooter startup Unicorn has packed it in due to buying too many Facebook ads, which means orders will neither be shipped nor refunded. And the Kickstarter project Coolest Cooler, some kind of drinks cooler with built-in blender, is also history, allegedly due to the trade war between the US and China. It leaves 20,000 orders unfulfilled.


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.