Google to Microsoft: We Are Trying to Be Helpful
December 16, 2022
Ah, those fun loving alleged monopolies are in the news again. Microsoft — famous in some circles for its interesting approach to security issues — allegedly has an Internet Explorer security problem. Wait! I thought the whole wide world was using Microsoft Edge, the new and improved solution to Web access.
According to “CVE-2022-41128: Type Confusion in Internet Explorer’s JScript9 Engine,” Internet Explorer after decades of continuous improvement and its replacement has a security vulnerability. Are you still using Internet Explorer? The answer may be, “Sure you are.”
With Internet Explorer following Bob down the trail of Microsoft’s most impressive software, the Redmond crowd the Microsoft Office application uses bits and pieces of Internet Explorer. Thrilling, right?
Google explains the Microsoft issue this way:
The JIT compiler generates code that will perform a type check on the variable
q
at the entry of theboom
function. The JIT compiler wrongly assumes the type will not change throughout the rest of the function. This assumption is broken whenq
is changed fromd
(anInt32Array
) toe
(anObject
). When executingq[0] = 0x42424242
, the compiled code still thinks it is dealing with the previousInt32Array
and uses the corresponding offsets. In reality, it is writing to wherevere.e
points to in the case of a 32-bit process ore.d
in the case of a 64-bit process. Based on the patch, the bug seems to lie within a flawed check inGlobOpt::OptArraySrc
, one of the optimization phases.GlobOpt::OptArraySrc
callsShouldExpectConventionalArrayIndexValue
and based on its return value will (in some cases wrongly) skip some code.
Got that.
The main idea is that Google is calling attention to the future great online game company’s approach to software engineering. In a word or two, “Poor to poorer.”
My view of the helpful announcement is that Microsoft Certified Professionals will have to explain this problem. Google’s sales team will happily point out this and other flaws in the Microsoft approach to enterprise software.
If you can’t trust a Web browser or remove flawed code from a widely used app, what’s the fix?
Ready for the answer: “Helpful cyber security revelations that make the online ad giant look like a friendly, fluffy Googzilla. Being helpful is the optimal way to conduct business.
Stephen E Arnold, December 16, 2022
Apple, the Privacy and Security Outfit, Has a New Spin for Pix
December 16, 2022
In an alarmingly hilarious situation, iCloud users are seeing photos of strangers on their devices. What sounds like a hacker’s gaff, actually proves to be a security risk. XDA Developers investigates what is going on with iCloud in, “iCloud For Windows Users Are Reportedly Seeing Random Family Photos From Strangers.”
People buy Apple products for its better security and privacy settings than PC devices. While Apple has an iCloud app for PC users, the app is not working as well as its fellow Apple products:
“Based on the reports, the corrupted files seemingly revolve around videos shot on iPhone 13 Pro and iPhone 14 Pro models. The footage in some cases is showing a black screen with scan lines. Though, what’s more worrisome is the random content that is showing up for some users. While it’s not confirmed yet, these photos of families, children, and other private moments could potentially belong to other people’s iCloud libraries. If this is the case, then Apple could get in some serious trouble. Unfortunately, deleting the iCloud for Windows app seemingly doesn’t solve this, as the issues are being reflected on the server.”
No one is certain what is causing the bug, but Apple needs to get on the problem. Apple will probably blame the issue on PCs being inept devices and the compatibility between Macs and PCs could be the reason. Apple is not infallible and here is a lesson in humility.
Whitney Grace, December 16, 2022
Small Snowden Item: Not Rooting for US Soccer Team?
December 6, 2022
I think the answer to the question, “Is Edward Snowden rooting for the US soccer team?” is no. I read “Edward Snowden Swears Allegiance to Russia and Receives Passport, Lawyer Says”. [Note: In the spirit of capitalism, you will have to pay to view the original story.] The Bezos affiliated real news outfit said:
It’s unclear whether Snowden swore the oath of allegiance at the same time as he was granted a passport, but the two are common procedures when foreigners become Russian citizens. The text includes swearing “to protect the freedom and independence of the Russian Federation, to be loyal to Russia, to respect its culture, history and traditions,” and to promise to “perform the duties of a citizen of the Russian Federation for the good of the state and society.” Kucherena [The estimable Mr. Snowden’s legal eagle] added that Snowden’s wife, Lindsay Mills, was also undergoing the Russian citizenship application process and that the couple’s children would likely attend Russian schools, when ready.
Interesting. I assume information will surface about the forthcoming Russian film “Dinner with Vlad” starring the bold, brave bag man Mr. Snowden and the somewhat weighty Mr. Segal. The plot is, as I understand it, Vlad asks his guests about Russia’s most appealing aspect. Mr. Snowden says, “It’s the great Internet connections”, and Mr. Seagal says, “It the food.” The three stars drink Russian vodka and engage in an arm wrestling competition. Vlad wins and the three drooks head to a cover band featuring Pussy Riot tunes. Mr. Snowden and Mr. Seagal give inspired lectures during the band’s break. Males in the audience are enlisted. Females? Well, fade to black.
Stephen E Arnold, December 6, 2022
Microsoft and Security: Customers! Do Better
November 7, 2022
I have a hunch that cyber security is like Google in the early 2000s. Magic, distractions, and blather helped disguise the firm’s systems and methods for generating revenue. Now (November 4, 2022) the cyber security sector may be taking a page or two from the early Google game plan. Who can blame the cyber security vendors, all 3000 to 7000 of them in the US alone. The variance is a result of the methodology of the business analysts answering the question, “How many companies are chasing commercial, non profit, and government prospects. Either number makes it clear that cyber security is a very big business.
Now stick with me: What operating system and office software is used by about two thirds of the organizations in the United States. The answer, if I can believe the data from my research team, is close enough for horse shoes. Personally, I would peg the penetration of Microsoft software at closer to 90 percent, but let’s go with the 67 percent, plus or minus five percent. That means that cyber security vendors have to provide security for companies already obtaining allegedly secure software and services from Microsoft.
With cyber crime, breaches, zero days, etc, etc going up with dizzying speed, what’s the message I carry away? The answer is, “Cyber security is not working.”
I read “Microsoft Warns Businesses to Up Their Security Game against These Top Threats.” The article then identifies security as a problem. The solution, if I understand the article, is:
Microsoft suggests throughout the MDDR that organizations implement a number of its products into its tech stack to protect against and deal with threats, such as its Security Service Line for support throughout a ransomware attack, and Microsoft Defender for Endpoint for cloud-based protection.
If you are not familiar with MDDR the acronym stands for the Microsoft Digital Defense Report. Presumably Microsoft’s crack security experts and the best available cyber consultants crafted the methods summarized in the article.
The irony is that Microsoft’s own products and services create a large attack surface. Microsoft’s own security tools seem to have chinks, cracks, and gaps which assorted bad actors can exploit.
Net net: Perhaps Microsoft should do security better. Aren’t customers buying solutions which work and do in a way that protects business information and processes? Perhaps less writing about security and more doing security could be helpful?
Stephen E Arnold, November 7, 2022
Computer Security Procedures: Carelessness, Indifference, Poor Management or a Trifecta?
September 27, 2022
“$35M Fine for Morgan Stanley after Unencrypted, Unwiped Hard Drives Are Auctioned” raises an interesting question about security in an important company. The write up asserts:
The SEC action said that the improper disposal of thousands of hard drives starting in 2016 was part of an “extensive failure” over a five-year period to safeguard customers’ data as required by federal regulations. The agency said that the failures also included the improper disposal of hard drives and backup tapes when decommissioning servers in local branches. In all, the SEC said data for 15 million customers was exposed.
Morgan Stanley. Outstanding. If the story is accurate, the auctioning of the drives fits with the parsimonious nature of banks in my experience. Banks like to accept money; banks do not like to output money. Therefore, selling old stuff is a matter of removing the detritus, notifying the person charged with moving surplus to a vendor, and cashing the check for the end of life, zero life clutter. Standard operating procedure? Probably. Does senior management know about hardware security for old gear? My hunch is that most senior managers know about [a] cross selling, [b] sparking deals, [c] getting on a talking head financial news show, and [d] getting the biggest bonus possible. Security is well down my hypothetical list.
Net net: Security is easy to talk about. Security requires management know how and attention to business processes, not just deals and bonus payments.
Stephen E Arnold, September 27, 2022
Google and Security: The Google Play Protect Situation
September 1, 2022
Unfortunately for Android users, Google’s default app-security program is not the safest bet. A write-up at News Patrolling explores “Why Google Play Protect Fails to Identify Malicious Apps.” A few points are obvious—Google cannot help users who turn the feature off, for example, or those who install software from other sources. The company also lacks Apple’s advantage of controlling both hardware and software. That does not explain, however, why third-party tools from AhnLab to Trend Micro outperform Play Protect. Reporter Satya Prakash observes:
- New kid on the block – As compared to other security software platforms that have been in existence for decades, Google Play Protect was launched in 2017. While it’s true that Google can hire the best security experts, it may still take some time for Google Play Protect to achieve the same level of security as offered by private software platforms. …
- Too many apps and devices – There are around 3 million apps on Google Play and several thousands are added almost every day. Combine that with thousands of different types of smartphones, having different Android versions. Apparently, it’s a massive task to be able to fix security vulnerabilities that may be present in each of these cases.
- Reliance on automated systems – Due to huge number of apps and devices, Google relies on automated systems to detect harmful behavior. Private security firms use the same approach, but apparently, they are doing a much better job. Hackers are constantly looking for new security vulnerabilities that can be exploited. This makes the job tougher for Google Play Protect.”
Happily, there are many stronger alternatives as tested by AV-Test. Their list is worth a look-see for Android users who care about security. A comparison to last year’s results shows Play Protect has actually improved a bit. Perhaps someday it will perform as well in its own app store as its third-party competition.
Cynthia Murrell, September 1, 2022
How about a Decade of Vulnerability? Great for Bad Actors
August 10, 2022
IT departments may be tired of dealing with vulnerabilities associated with Log4j, revealed late last year, but it looks like the problem will not die down any time soon. The Register reveals, “Homeland Security Warns: Expect Log4j Risks for ‘a Decade or Longer’.” Because the open-source tool is so popular, it can be difficult to track down and secure all instances of its use within an organization. Reporter Jessica Lyons Hardcastle tell us:
“Organizations can expect risks associated with Log4j vulnerabilities for ‘a decade or longer,’ according to the US Department of Homeland Security. The DHS’ Cyber Safety Review Board‘s inaugural report [PDF] dives into the now-notorious vulnerabilities discovered late last year in the Java world’s open-source logging library. The bugs proved to be a boon for cybercriminals as Log4j is so widely used, including in cloud services and enterprise applications. And because of this, miscreants soon began exploiting the flaws for all kinds of illicit activities including installing coin miners, stealing credentials and data, and deploying ransomware.”
Fortunately, no significant attacks on critical infrastructure systems have been found. Yet. The write-up continues:
“‘ICS operators rarely know what software is running on their XIoT devices, let alone know if there are instances of Log4j that can be exploited,’ Thomas Pace, a former Department of Energy cybersecurity lead and current CEO of NetRise, told The Register. NetRise bills itself as an ‘extended IoT’ (xIoT) security firm. ‘Just because these attacks have not been detected does not mean that they haven’t happened,’ Pace continued. ‘We know for a fact that threat actors are exploiting known vulnerabilities across industries. Critical infrastructure is no different.'”
Security teams have already put in long hours addressing the Log4j vulnerabilities, often forced to neglect other concerns. We are told one unspecified US cabinet department has spent some 33,000 hours guarding its own networks, and the DHS board sees no end in sight. The report classifies Log4j as an “endemic vulnerability” that could persist for 10 years or more. That is a long time for one cyber misstep to potentially trip up so many organizations. See the article for suggestions on securing systems that use Log4j and other open-source software.
Cynthia Murrell, August 10, 2022
What Microsoft Wants: Identity System and Data for Good Purposes Of Course
June 28, 2022
Microsoft wants its new Verified ID program to move beyond social media platforms. According to Error! Hyperlink reference not valid. in the article, “Microsoft Wants Everything To Come With Its Verified Check Mark,” Microsoft wants Verified ID to validate more personal information and it is starting with verifying credentials.
Verified ID would allow people to get digital credentials that prove where they graduated, their jobs, where they bank, and if they are in good health. Microsoft says Verified ID would be good for people who need to quickly share their personal information, such as job applications. Verified ID uses blockchain-based decentralized identity standards. Microsoft plans to release its Entry Verified ID, its official name, in August. The name for Microsoft’s identity product line is Entra.
Ankur Patel is a Microsoft principal program manager for digital identity and he believes Entry Verified ID will be mainstream in three years:
“In the first year, it’s likely that Verified ID will be used by organizations in tandem with existing verification methods, both digital and analog, with a portion of their users, according to Patel. Wider adoption will depend, in part, on making sure that the service itself hasn’t “done harm,” he acknowledged.
One potential risk is that individuals might inadvertently share sensitive information with the wrong parties using the system, Patel said. ‘In the physical world, when you’re presenting these kinds of things, you’re careful — you don’t just give your birth certificate to anybody,’ he said. Microsoft is aiming to limit the issues in its own digital wallets with features meant to protect against this type of accidental exposure, Patel said.”
Microsoft wants to verify everyone’s information, but what about guaranteeing that its own products are real?
Whitney Grace, June 28, 2022
Follina, Follina, Making Microsofties Cry
June 6, 2022
I read “China-Backed Hackers Are Exploiting Unpatched Microsoft Zero-Day.” According to the estimable Yahoo News outfit:
China-backed hackers are exploiting an unpatched Microsoft Office zero-day vulnerability, known as “Follina”, to execute malicious code remotely on Windows systems…. The flaw, which affects 41 Microsoft products including Windows 11 and Office 365, works without elevated privileges, bypasses Windows Defender detection, and does not need macro code to be enabled to execute binaries or scripts.
Ah, ha, Windows 11. The trusted protection thing? Yeah, well. The write up added some helpful time information:
The Follina zero-day was initially reported to Microsoft on April 12, after Word documents – which pretended to be from Russia’s Sputnik news agency offering recipients a radio interview – were found abusing the flaw in the wild. However, Shadow Chaser Group’s crazyman, the researcher who first reported the zero-day, said Microsoft initially tagged the flaw as not a “security-related issue”. The tech giant later informed the researcher that the “issue has been fixed,” but a patch does not appear to be available.
Bob Dylan’s song makes this latest security issue easy to remember:
Follina, Follina
Girl, you’re on my mind
I’m a-sittin down thinkin of you
I just can’t keep from crying
Big sobs, not sniffles.
Stephen E Arnold, June 6, 2022
Netgear: A Pioneer in What Might Be Called Baked In Insecurity
May 31, 2022
Computer security is an essential component for anyone using the Internet, because hackers target companies and individuals with scams and ransomware as well as steal personal information and intellectual property. As remote work becomes more common, the need for enhanced digital security increases. Companies that build hardware and software for Internet access are challenged to build robust and secure products. They also stand behind their products’ quality, but in a recent case networking equipment manufacturer Netgear admitted a flaw. Forbes reports the details in, “Netgear Says It Can’t Fix Multiple Vulnerabilities On Two Of Its Routers For Homeworkers.”
Netgear described the BR200 and BR500 models as secure routers for at-home workers connecting to their corporate networks. Unfortunately, these routers have exploitable security vulnerabilities and they cannot be fixed. Netgear will replace the defective models with a free or discounted router. The problem is minuscule, but all it takes is one crack to bring down a dam:
“The vulnerability of these two routers means there could be a security breach if a user is visiting a suspicious website and clicking on a malicious link while they have the router’s built-in web interface for adjusting the router’s settings. Frankly, that’s pretty unlikely to happen but with computer security, no matter how minuscule the threat might be, it must be taken seriously. The hacker only has to get lucky once.”
It is wonderful that Netgear admitted the mistake and is working with its customers to resolve the issue. Netgear also released a list of precautions BR200 and BR500 owners could use to prevent the hack if they wish to keep the router.
We wish more companies would own up to mistakes like Netgear. Politicians could certainly learn a thing or two from Netgear. Could Microsoft garner a fresh insight? Maybe?
Whitney Grace, May 31, 2022