FOXTROT/ALFA: VMware Vulnerabilities, .NET 5 Preview, Broadcom Sues Netflix over Set-Top Boxes

Hello again and welcome to FOXTROT/ALFA, issue 91, for Tuesday, 17 March 2020. After today’s issue, I will pause the newsletter for a few days as I’ll be on the road for a bit. Also, tech news is currently dominated by a lot of bullshit that isn’t tech news at all so I feel it will actually be beneficial to sit out a few days.

Case in point is today’s meagre selection of relevant news. Here it is nonetheless:

VMware Security Vulnerabilities

VMware has patched three bugs in its desktop virtualisation products. As is usually the case with virtualisation bugs, these are nothing to sneeze at (pun intended):

The most serious of the holes, CVE-2020-3947, is a vulnerability in VMware Workstation and Fusion that can be exploited by a miscreant or malware in a guest VM to gain code execution on the host box via the vmnetdhcp component.

The second fix is for CVE-2020-3948 in VMware Workstation and Fusion with Cortado Thinprint: a privilege-escalation bug that arises in Linux virtual machines on Windows and macOS hosts when Virtual Printing is enabled.

The third bug, assigned as CVE-2019-5543, is a privilege-escalation flaw present in VMware Horizon Client, VMRC and Workstation. That bug, given a rating of 7.3 (not terrible, but you want to fix it) is due to a misconfigured file in the Windows version of the VM tool. “The folder containing configuration files for the VMware USB arbitration service was found to be writable by all users,” VMware says of the bug.

Microsoft Previews .NET 5

Microsoft is trying to unify .NET into a single development platform.

Microsoft has dropped the first preview of its latest attempt to unify its development platform: .NET 5. The emission follows the releases of .NET Core 3.0 and 3.1 at the end of last year, which saw the end of porting of app models from the venerable .NET Framework.

The plan for .NET 5 (now stripped of the “Core”) is to unify .NET into a single platform, including mobile app development in the form of Xamarin, ASP.NET Core, WinForms, WPF and all the other disparate groupings in the Microsoft line-up that variously delight developers or drive them to despair.

Scott Hunter, director of Program Management for .NET, said version 5, a bigger number than either the existing .NET Core versioning or that of the ancient .NET Framework, “makes it clear that .NET 5 is the future of .NET, which is a single unified platform for building any type of application.”

That said, while the sheer weight of legacy .NET Framework code means that security and bug fixes will keep on rolling in, as far as Microsoft is concerned, .NET developers should really be using Core (and subsequently version 5) for new projects.

Of course, everyone has been trying these unification efforts at one time or another. One language for all kinds of apps is not a new idea, just look at Java. Never really works, though. Maybe this time? I bet that’s what Microsoft is thinking there.

Broadcom Sues Netflix

Another lawsuit. This one seems pretty ridiculous, even for tech lawsuit standards, though.

Broadcom is suing Netflix for being so successful that people have cut their cable subscriptions and ditched the set-top boxes that make the chip designer a huge profit.

In a lawsuit filed late last week in California, the San Jose-based Broadcom – which designs and sells chipsets used in millions of set-top boxes – argued that “Netflix has caused, and continues to cause, substantial and irreparable harm to the Broadcom Entities [that] sell semiconductor chips used in the set top boxes that enable traditional cable television services.

“Upon information and belief, as a direct result of the on-demand streaming services provided by Netflix, the market for traditional cable services that require set top boxes has declined, and continues to decline, thereby substantially reducing Broadcom’s set top box business.”

So let me get this straight: They’re basically suing Netflix because times are changing? Is that it? Seems The Register also thinks it’s a bullshit suit.

It’s a ridiculous claim: that because one business changes the market that you can then sue it for the impact of the changes. But there is, of course, an underlying legal case and that is that Broadcom claims Netflix is infringing its patents.

“Netflix has built its familiar video streaming business, in part, on the Broadcom Entities’ patented technology,” the lawsuit argues. “Netflix relies on this technology for crucial aspects of the Netflix streaming service.”

“This includes, for example, the Netflix systems used to ensure effective and reliable delivery of streaming content with minimal interruptions, to ensure the efficient use of Netflix server resources, and to encode Netflix streaming content in a format compatible with a large percentage of the client devices.”

It’s hard to have sympathy for a company complaining about a loss of business from cable set-tops: the clunky outdated boxes are notoriously overpriced. Cable companies insist that they have to be “rented” by consumers and charge dozens of times their real value. The average American pays $231 a year for their box, resulting in $20bn a year in almost pure profit for the cable industry.

The Story of a Nigerian Scammer

Check Point has written a report on a Nigerian criminal who’s earned three times the average professional salary of his native country from phishing, malware attacks and credit card scams. It reads like a stereotypical account of the infamous Nigerian scammer.

Dton is 25, single, and lives in Benin City, a place with a population of nearly 1.5 million in Southern Nigeria. From his resumé, Dton seems like a model citizen. But he also has another identity: Bill Henry, a career cyber-criminal who buys goods with stolen credit cards and launches phishing and malware attacks.

Dton’s journey into cybercrime shows how even a relatively unskilled, and undisciplined individual can profit handsomely from fraud and malicious online activity. This is simply because, like many other criminal activities, cyber-crime is a numbers game. It doesn’t matter if 499 people don’t open a malware-spiked email: the 500th person will. And when you can target hundreds of thousands of people at a time, you only need to infect a handful to get hold of your ill-gotten gain.

It’s a fascinating read if you’re interested in where all that spam actually comes from and how these guys make money.

Microsoft Teams Outage

Oh yeah, and Microsoft Teams was down again.

Microsoft’s collaboration tool for suits started off Tuesday with a repeat performance of yesterday’s wobbles for some European users. The issue appears to be confined to some European tenants at present, but it is pretty disappointing that a day after first issues arose, Microsoft remains unable to completely deal with the woes of the collaboration platform.

Back on 5 March corporate veep for Microsoft 365, Jared Spataro, announced that user limits on the freemium version of Teams would be lifted from 10 March. He also noted that the gang tested service continuity during a usage spike in China.

He went on to boast that service had been “fluid” despite a 500 per cent jump in Teams conferences, calls and meetings and a 200 per cent leap in mobile usage. Sadly “fluid” is perhaps best applied to the uptime levels as the service is pummelled by unprecedented amounts of remote working.


This is an archived issue of my daily newsletter FOXTROT/ALFA. You can find more information about it, including how to subscribe via email, on this page.