FOXTROT/ALFA: Patch Tuesday, FBI to Read US Citizens' Browsing History without Warrants, Ubuntu Installer Leaks Hard Drive Encryption Passwords
Hi, everyone! This is issue 119 of FOXTROT/ALFA for Thursday, 14 May 2020 and I once again must apologise for missing the Wednesday edition of the newsletter. I swear I didn’t plan to. I’ve just been working non-stop and something had to give. I barely finished yesterday’s episode of The Private Citizen in time as it was. I’m truly sorry this happened. I will try to minimise unplanned interruptions in the future but sometimes it’s just the way it has to be.
Speaking of interruptions, I’ll most likely skip a couple of newsletters at the beginning of next week as I’ll be on the road and busy with research and other things. Just to let you know ahead of time. But enough meta talk, let’s get into some tech news, starting with the Patch Tuesday recap that I’m still owing you…
Lots of Patches for Patch Tuesday
Microsoft shipped 111 security updates this week:
A total of 111 fixes were released by Microsoft, though on the bright side none are being actively exploited, as far as we know. Sixteen earned Microsoft’s top rating of critical, and range from remote code execution to elevation of privilege.
One standout programming blunder was CVE-2020-1067, a remote-code execution (RCE) vulnerability in all supported versions of Windows. Anyone with a domain user account can exploit it for elevated access on the targeted system. It’s rated important though that kinda masks the threat. “This patch corrects an RCE bug in the Windows OS that could allow an attacker to execute arbitrary code with elevated permissions on affected systems,” said Dustin Childs of the Trend Micro’s ZDI. “The only thing keeping this from being critical is the fact that the attacker needs a domain user account for their specially crafted request to succeed. This makes the bug a prime target for insider threats, as well as penetration testers looking to expand their foothold in a target enterprise.”
Those still running Windows 7, and even those paying Microsoft top dollar for support to do so, should be aware of an issue with KB4556399, a .NET security and quality update. Depending on your configuration, it may fail to install.
Adobe has updates for its PDF readers:
36 bugs were patched by Adobe this month in Acrobat and Reader: The usual assortment of code execution and denial of service flaws that require opening a document to exploit. Linux fans are spared this time around, as the patches are only for macOS and Windows boxes.
And SAP and VMware also have updates for you to install:
SAP admins will want to address a number of bugs, including CVE-2020-6262, CVE-2020-6248, and CVE-2020-6243 (code injections), note 2622660 (Chromium updates), CVE-2020-6242 (missing authentication check), and CVE-2020-6219 (deserialization of untrusted data). VMware also emitted fixes for CVE-2020-11651 and CVE-2020-11652, which are authentication bypass and directory traversal vulnerabilities.
PATRIOT Act Amendment to Limit FBI Spying Doesn’t Pass
The FBI can now read the web browsing histories of US citizens without having a warrant.
An amendment that would require the FBI get a warrant before they access Americans’ web-browsing history failed to pass by a single vote in the US Senate on Wednesday. The bi-partisan push to install the privacy protection mechanism was led by Senators Ron Wyden (D-OR) and Steve Daines (R-MT), and came following the news a planned addition to the PATRIOT Act, which is due to be renewed this week, would allow law enforcement to collect people’s browsing histories without a warrant. It was hoped the amendment would see off the upcoming PATRIOT Act changes at the pass, and preemptively install a warrant requirement.
A aforementioned planned addition to the PATRIOT Act, drafted by Senate leader Mitch McConnell (R-KY), explicitly allows for the collection of search and browsing data in section 215 of the law. It doesn’t require probable cause, meaning that in reality, the FBI will be able to go to ISPs and demand web-surfing histories on individuals without requiring to produce any evidence of wrongdoing. Worse, thanks to a controversial and highly questionable series of legal interpretations devised by the FBI, that browsing data is likely to be stored and made readily available to other law enforcement across the country with a simple search.
Section 215 of the Patriot Act has repeatedly been shown to be ineffective, expensive, and quite likely unlawful. The government’s own Privacy and Civil Liberties Oversight Board (PCLOB) recently said in a report that the measure had cost US taxpayers $100m – and resulted in just one useful lead in over four years.
But Fab, aren’t the FBI the good guys? The guys who catch the serial killers. Yeah. But they also lie to secret courts in order to spy on innocent people.
Ubuntu Installer Logs Hard Drive Encryption Passwords in Plain Text
With the recently released Ubuntu 20.04 LTS, the Ubuntu Server installer exclusively uses the “Subiquity” installer that Canonical has been working on in recent years in moving away from the classic Debian Installer. Unfortunately a security issue crept into Subiquity that has now been resolved. Thankfully the Subiquity installer supports upgrading the installer software during the installation process as CVE-2020-11932 is now public as what was deemed a critical bug. Subiquity was logging the LUKS encrypted volume passwords via the installation log and in turn copying the passphrase to the disk, not necessarily within the encrypted volume, that could then be easily read/leaked from there. For those using the Ubuntu Server installer, the issue is fixed in v20.05.2 and should be promoted to update when next firing up the installer with an active Internet connection.
Sorry, what!?!?! How does something like that get through testing? Holy crap. I can already hear all my Red Hat friends sniggering with glee…
Jaws Hit Floors as Epic Shows Off Unreal 5 Engine on PS5
We’ve seen the specs, we’ve heard the pitches - but what we haven’t experienced is any demonstration of a genuine next-gen vision. That changes today with Epic Games' reveal of Unreal Engine 5, accompanied by an astonishing tech demo confirmed as running in real-time on PlayStation 5 hardware. The promise is immense with the quality and density of the visuals on display almost defying belief. Imagine a game world where geometric detail is unlimited, with no pop-in and huge draw distances. Now picture this unprecedented level of fidelity backed up by real-time global illumination that’s fully dynamic. It sounds too good to be true, but watch the video on this page and that’s what’s on display. This is next-gen and it’s enormously exciting.
You should have a look for yourselves, it is pretty cool. I wouldn’t necessarily gush as hard as Eurogamer does as we all know that you have to subtract about 30% to 50% of the awesomeness of these demos if you want to approximate what’ll actually come across in your living room in a few years, but yeah, it’s very cool looking.
Speaking of Epic Games, they definitely were determined to make a big splash today as they also made Grand Theft Auto V free to own on their game store. If you can get to it, as their infrastructure promptly fell over. Don’t worry, though, you’ll be able to download it for free for the next seven days. And you definitely should because GTA 5 is a great game. I’ve played through it twice (on PS3 and PC) and it’s not one to miss. Especially for free. Even if you might have to install the 16th launcher on your PC to do it. Le sigh.
Tab Grouping is Coming to Chrome
Hallelujah. Chrome is finally getting tab grouping.
Google is taking steps to deal with tab overload in its browser by adding the ability to group the things together. Lurking in current betas of the Chrome browser, the functionality allows a user to group a number of tabs and assign the group a name, colour or even, heaven forbid, an emoji.
I might even switch back to Chrome for that. Grouping tabs with the smiling shite emoji? Sign me up!
Some Other Random Titbits
Slack fell over again.
Slack is down – in the middle of a pandemic during which millions are working from home and reliant on collaboration tools.
There’s a pretty bad vulnerability in F5’s BIG-IP Edge Client for Windows (CVE-2020-5897) and no fix available at the moment.
This vulnerability allows an attacker to trigger memory corruption to the browser or execute code from the browser when the attacker crafts a malicious webpage and loads it into the Internet Explorer browser by BIG-IP Edge Client users.
Symantec Endpoint Protection Security also has a number of holes, these do have fixes available, though.
Symantec, A Division of Broadcom has released updates to address issues that were discovered in the Symantec Endpoint Protection (SEP) and Symantec Endpoint Protection Manager (SEPM) products.
Trump Extends Huawei Ban
Despite the pandemic, or maybe because of it, US President Trump is not letting go of his trade war.
President Donald Trump has extended his executive order banning US companies from using or buying telecoms equipment from Chinese manufacturers Huawei and ZTE for another year. He also extended an exemption allowing American organizations to continue doing business with the two Chinese vendors, such as supplying parts and software, until April 1. That will be the fifth such extension, raising questions over whether it has proved to be the killer negotiating tactic in a US-China trade war that the president felt it would be.
“iOS Security is Fucked”
There are too many security vulnerabilities in iOS to make buying and selling zero-day flaws a profitable endeavour any longer, says Zerodium, who’s specialised in it.
Five years ago, Zerodium offered a $1m reward for a browser-based, untethered jailbreak in iOS 9. On Wednesday, the software exploit broker said it won’t pay anything for some iOS bugs due to an oversupply. “iOS Security is fucked,” said Zerodium’s founder Chaouki Bekrar via Twitter. “Only [Pointer Authentication Codes] and non-persistence are holding it from going to zero …but we’re seeing many exploits bypassing PAC, and there are a few persistence exploits (0days) working with all iPhones/iPads. Let’s hope iOS 14 will be better.”
Apple’s iOS 13 has been particularly buggy, enough that SVP of software engineering Craig Federighi reportedly overhauled the company’s internal software testing process to avoid a repeat when iOS 14 arrives later this year. The mobile OS has had 12 updates (about half with no cited vulnerabilities, or CVEs) since its release in September 2019. The market for iOS vulnerabilities took a hit last September when Zerodium said for the first time that it would pay more for flaws in Android than in iOS. That was a month after Google’s Project Zero disclosed five privilege escalation exploit chains affecting iOS versions 10-12. Shortly after that, in December last year, Apple opened its bug bounty program, invitation-only since 2016, to the public. The phone-and-computer biz offers potential payouts of varying amounts, up to $1m (Network Attack without User Interaction: Zero-Click Kernel Code Execution with Persistence and Kernel PAC Bypass).
Other stories I’ve been reading:
- The end really is nigh – for 32-bit Windows 10 on new PCs
- Danger zone! Brit research supercomputer ARCHER’s login nodes exploited in cyber-attack, admins reset passwords and SSH keys
- Australians can demand visitors to their homes run contact-tracing app
This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.