FOXTROT/ALFA: Slack Vulnerability, China Fights Trump on TikTok, Bing Errors in Microsoft Flight Simulator

Here we go! A new week and with it a fresh issue (#141) of FOXTROT/ALFA. Here are the tech news for Monday, 31 August 2020.

Another Cisco Vulnerability

Cisco is back with more security issues.

Cisco has warned hackers are crashing or crippling its networking kit out in the field by black-holing all available memory via specially crafted IGMP packets. To pull this off, miscreants are exploiting CVE-2020-3566, a vulnerability that can be abused by “an unauthenticated, remote attacker to exhaust process memory of an affected device” running Switchzilla’s IOS XR operating system.

As there is no patch available right now, IOS XR users are advised to disable multicast routing on interfaces that don’t need it as a simple fix, or implement a rate limiter that increases the time-to-exploitation.

Don’t Slack on Updating Your Slack

Slack has also had a pretty hefty vulnerability disclosed, so you probably want to check you’re running the latest version.

A critical vulnerability in the popular Slack collaboration app would allow remote code execution (RCE). Attackers could gain full remote control over the Slack desktop app with a successful exploit – and thus access to private channels, conversations, passwords, tokens and keys, and various functions. They could also potentially burrow further into an internal network, depending on the Slack configuration, according to a security report. The bug (rated between nine and 10 on the CVSS vulnerability-severity scale) was disclosed on Friday, and involves cross-site scripting (XSS) and HTML injection. Versions of Slack for Desktop (Mac/Windows/Linux) prior to 4.4 are vulnerable.

“With any in-app redirect-logic/open redirect, HTML or JavaScript injection, it’s possible to execute arbitrary code within Slack desktop apps,” wrote a bug-hunter going by the handle “oskarsv,” who submitted a report on the bug to Slack via the HackerOne platform (earning $1,500). “This report demonstrates a specifically crafted exploit consisting of an HTML injection, security control bypass and a RCE JavaScript payload.” According to the disclosed technical writeup, attackers could trigger an exploit by overwriting Slack desktop app “env” functions to create a tunnel via BrowserWindow; to then execute arbitrary JavaScript, in what is “a weird XSS case,” he said.

I’m thinking $1,500 isn’t a lot when you consider the impact of that vulnerability. Slack is quite stingy when it comes to security, it seems.

Users should make sure their Slack desktop apps are upgraded to at least version 4.4 in order to avoid attacks. The bug was patched in February, but has just now been disclosed because of a HackerOne disclosure hiatus on all bugs, which was in effect for several months.
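The chain described above starts with untrusted text being turned into markup inside the desktop app and ends with script in the renderer reaching native APIs. The following is an added example, not Slack's code and not from the HackerOne writeup: it shows the vulnerable string-to-markup pattern beside an escaped version, an allowlist check for in-app navigation (the open-redirect half of the chain), and the Electron `BrowserWindow` `webPreferences` that keep a renderer XSS from turning into code execution. The `UNTRUSTED_MESSAGE` sample and the `app.example.com` origin are constructed for the example.

```javascript
// Added example (not Slack's code): untrusted text rendered into markup,
// in a vulnerable and a hardened form, plus the checks that contain it.

// Constructed sample: a chat message body that carries an HTML payload.
const UNTRUSTED_MESSAGE = 'Check this <img src=x onerror="alert(1)"> link';

// Vulnerable: the message text is concatenated straight into HTML, so any
// tag inside it becomes part of the document (HTML injection -> XSS).
function renderMessageVulnerable(text) {
  return `<div class="msg">${text}</div>`;
}

// Hardened: escape the five characters that can change HTML structure or
// break out of an attribute before interpolating the text.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderMessageSafe(text) {
  return `<div class="msg">${escapeHtml(text)}</div>`;
}

// Crude check used only by this example: does the rendered output contain
// any tag other than the wrapper the renderer itself emitted?
function containsInjectedTag(html) {
  const inner = html.replace(/^<div class="msg">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Navigation allowlist: an in-app redirect should only ever land on origins
// the app owns. Anything unparsable, or any other scheme/origin, is refused.
// 'https://app.example.com' is a placeholder origin, not a real Slack value.
const ALLOWED_ORIGINS = ['https://app.example.com'];

function isAllowedNavigation(target, allowedOrigins) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false; // not a URL at all
  }
  // 'javascript:' and similar schemes have origin "null" and fall through here.
  return url.protocol === 'https:' && allowedOrigins.includes(url.origin);
}

// Electron renderer settings (these are real BrowserWindow webPreferences
// keys). With nodeIntegration on and contextIsolation off, script that runs
// in the page can call Node APIs directly, which is what turns an XSS into
// RCE; the hardened set denies that and sandboxes the renderer process.
const WEAK_PREFS = { nodeIntegration: true, contextIsolation: false, sandbox: false };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

function prefsBlockNodeAccess(prefs) {
  return prefs.nodeIntegration === false
    && prefs.contextIsolation === true
    && prefs.sandbox === true;
}

// Usage: compare the two renderers on the constructed message.
console.log('vulnerable output injects a tag:',
  containsInjectedTag(renderMessageVulnerable(UNTRUSTED_MESSAGE)));
console.log('hardened output injects a tag:',
  containsInjectedTag(renderMessageSafe(UNTRUSTED_MESSAGE)));
console.log('hardened prefs block Node access:', prefsBlockNodeAccess(HARDENED_PREFS));
```

Escaping at the point where text becomes markup removes the HTML-injection foothold; the navigation allowlist closes the redirect step the researcher quoted above relies on; and the `webPreferences` set is what decides whether a renderer compromise stays inside the page or reaches the operating system. An app wants all three, since each one alone only shortens the chain.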

China Fights Back on Trump’s TikTok Gambit

LOL. The next chapter in the TikTok saga: China is now using the US’s old export control trick to try and prevent the sale.

China has added new technologies to its export control list and by doing so could derail the sale of TikTok’s US operations. The Chinese Ministry of Commerce on Friday posted changes to its list of technologies that can’t be exported and/or require a permit to send offshore. State media outlet Xinhua reports that two new entries cover “personalized information push service technology based on data analysis” and “artificial intelligence interactive interface technology.”

The organ also quotes Professor Cui Fan from the University of International Business and Economics as saying that the two new listings are just the sort of thing that TikTok developer ByteDance probably uses. Which could mean that Microsoft, Oracle and other US-based bidders for bits of TikTok could either be denied their prey or face a review that makes the purchase process painful.

China is enormously proud of TikTok because the service is the first Middle Kingdom app other than a game to really make a mark on Western culture. State media uses that success as an example of Chinese businesses being able to match any nation or firm, an interpretation that also says bans of TikTok are the petty acts of rival nations who resort to unfairly crimping competition rather than acknowledge China’s rise.

China could decide to make ByteDance wear the pain of not being able to sell its US operations, continue to celebrate TikTok’s success and explain its withdrawal from overseas markets as a necessary defensive measure. As TikTok does not operate in China, domestic audiences may accept that explanation. Or China could decide to let ByteDance sell but conduct a review of TikTok’s tech, a process that could make Microsoft, Oracle and other suitors wait to seal a deal. Perhaps even wait beyond the November deadline to do a deal imposed by President Trump. Such delays would not leave the Tweeter-In-Chief looking particularly potent, an outcome that accords with US intelligence agencies’ assessment that China wants Trump to lose the forthcoming US presidential election.

Let’s see what Trump does next. I don’t care, one way or another. I’m way too old for this TikTok shit.

Bing Maps is Fucking Up Microsoft Flight Simulator

Bing Maps has a lot of wrong data. Unsurprisingly. It’s Bing after all. But since that data is being used in Microsoft’s new Flight Simulator, it’s finally being surfaced to people who care. So they started fixing it themselves, using a mapping solution that actually works.

Poor Bing Maps. Microsoft Flight Simulator’s usage of the mapping services data is so bloody awe-inspiring that any errors or gaps in the data stand out like giant, monolithic thumbs. It is missing some major landmarks, where the autogen tech has swapped out famous stadia and shiny palaces with bizarre, brutalist replacements. And the slightly humiliating solution the community has come up with is to use Google Maps to fill in the gaps.

The method of creating them is pretty involved. You don’t just drag and drop the models. You have to rip and convert them through a number of programs. It’s all far too much to summarise, but the FDS2020Creation subreddit has a handy collection of tutorials if you want to try. The process lets players share the files, which they have been doing, so all you need to do to install a landmark is place it into your Community folder within the game’s folder.

Also Noteworthy

Other things I’ve been reading today:

This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.