Remembering the slide rule. What you need to know about Patch Tuesday. Supercookie surveillance shenanigans. When bugs arrive in pairs. Apple’s rapid patch that needed a rapid patch. User-Agent considered harmful.
DOUG. An emergency Apple patch, gaslighting computers, and WHY CAN’T I KEEP USING WINDOWS 7?
All that, and more, on the Naked Security podcast.
[MUSICAL MODEM]
Welcome to the podcast, everybody.
I’m Doug Aamoth; he’s Paul Ducklin.
Paul, how do you do?
DUCK. Well, I’m a little bit startled, Doug.
You were very dramatic about the need to keep using Windows 7!
DOUG. Well, like many people, I’m angry about it (joke!), and we’ll talk about that in a bit.
But first, a very important This Week in Tech History segment.
11 July 1976 marked the last gasp for a once-common mathematical calculation tool.
I’m, of course, referring to the slide rule.
The final US model produced, a Keuffel & Esser 4081-3, was presented to the Smithsonian Institution, marking the end of a mathematical era…
…an era made obsolete by computers and calculators such as Paul’s favourite, the HP-35.
So, Paul, I believe you have blood on your hands, Sir.
DUCK. I never owned an HP-35.
Firstly, I was much too young, and secondly, they were $395 each when they came in.
DOUG. [LAUGHS] Wow!
DUCK. So it took another couple of years for prices to crash, as Moore’s Law kicked in.
And then people didn’t want to use slide rules any more.
My Dad gave me his old one, and I treasured that thing because it was great…
…and I’ll tell you what a slide rule does teach you, because when you’re using it for multiplication, you basically convert the two numbers you want to multiply to numbers between 1 and 10, and then you multiply them together.
And then you have to work out where the decimal point goes.
If you divided one number by 100 and multiplied the other by 1000 to get them in range, then overall you need to add one zero, to multiply by 10, at the end.
So it was a fantastic way of teaching yourself whether the answers you got from your electronic calculator, where you typed in long numbers like 7,000,000,000…
…whether you’d actually got the order of magnitude, the exponent, right.
Slide rules and their printed equivalent, log tables, taught you a lot about how to manage orders of magnitude in your head, and not accept bogus results too easily.
DOUG. I’ve never used one, but it sounds very exciting from what you just described.
Let’s keep the excitement going.
Last week, Firefox released version 115:
Firefox 115 is out, says farewell to users of older Windows and Mac versions
They included a note which I’d like to read, and I quote:
In January 2023, Microsoft ended support for Windows 7 and Windows 8.
As a consequence, this is the last version of Firefox that users on those operating systems will receive.
And I feel that every time one of these notes gets appended to a final release, people come out and say, “Why can’t I keep using Windows 7?”
We even had a commenter saying that Windows XP is just fine.
So what would you say to these people, Paul, that don’t want to move on from operating system versions that they love?
DUCK. The best way for me to put it, Doug, is to read back what I consider the better-informed commenters on our article said.
Alex Fair writes:
It’s not just about what *you* want, but about how you can be used and exploited, and in turn harm others.
And Paul Roux rather sarcastically said:
Why are people still running Windows 7, or XP for that matter?
If the reason is that newer operating systems are bad, why not use Windows 2000?
Heck, NT 4 was so awesome it got SIX service packs!
DOUG. [LAUGHS] 2000 *was* awesome, though.
DUCK. It’s not all about you.
It’s about the fact that your system contains bugs, that crooks already know how to exploit, that will never, ever get patched.
So the answer is that sometimes you simply have to let go, Doug.
DOUG. “It’s better to have loved and lost than to never have loved at all,” as they say.
Let’s stay on the subject of Microsoft.
Patch Tuesday, Paul, giveth bountifully.
Microsoft patches four zero-days, finally takes action against crimeware kernel drivers
DUCK. Yes, the usual large number of bugs fixed.
The big news out of this, the stuff that you need to know (and there are two articles you can go and consult on news.sophos.com if you want to know the gory details)…
One issue is that four of these bugs are in-the-wild, zero-day, already-being-exploited holes.
Two of them are security bypasses, and as trivial as that sounds, they do apparently relate to clicking on URLs or opening stuff in emails where you’d normally get a warning saying, “Are you really sure you want to do this?”
Which might otherwise stop quite a few people from making an unwanted mistake.
And there are two Elevation-of-Privilege (EoP) holes fixed.
And although Elevation of Privilege usually gets looked down on as lesser than Remote Code Execution, where crooks use the bug to break in in the first place, the problem with EoP has to do with crooks who are already “loitering with intent” on your network.
It’s as if they’re able to upgrade themselves from being a guest in a hotel lobby to a super-secretive, silent burglar who suddenly and magically has access to all the rooms in the hotel.
So those are definitely worth watching out for.
And there’s a special Microsoft security advisory…
…well, there are several of them; the one I want to draw your attention to is ADV23001, which basically is Microsoft saying, “Hey, remember when Sophos researchers reported to us that they’d found a whole load of rootkittery going on with signed kernel drivers that even updated Windows would just load because they were approved for use?”
I think eventually there were well over 100 such signed drivers.
The good news in this advisory is that all these months later, Microsoft has finally said, “OK, we’re going to stop these drivers from being loaded and start blocking them automatically.”
[IRONIC] Which I guess is quite big of them, really, when at least some of those drivers were actually signed by Microsoft itself, as part of their hardware quality programme. [LAUGHS]
If you want to find the story behind the story, as I said, just head to news.sophos.com and search for “drivers”.
Microsoft Revokes Malicious Drivers in Patch Tuesday Culling
DOUG. Excellent.
Alright, this next story… I’m intrigued by this headline for so many reasons: Rowhammer returns to gaslight your computer.
Serious Security: Rowhammer returns to gaslight your computer
Paul, tell me about…
[TO THE TUNE OF PETER GABRIEL’S “SLEDGEHAMMER”] Tell me about…
BOTH. [SINGING] Rowhammer!
DOUG. [LAUGHS] Nailed it!
DUCK. Go on, now you have to do the riff.
DOUG. [SYNTHESISING A SYNTHESISER] Doodly-doo da doo, doo do doo.
DUCK. [IMPRESSED] Very good, Doug!
DOUG. Thank you.
DUCK. Those who don’t remember this from the past: “Rowhammer” is the jargon name that reminds us that the capacitors, where bits of memory (ones and zeros) are stored in modern DRAM, or dynamic random access memory chips, are so close together…
When you write to one of them (you actually have to read and write the capacitors in rows at a time, thus “rowhammer”), when you do that, because you’ve read the row, you’ve discharged the capacitors.
Even if all you’ve done is look at the memory, you have to write back the old contents, or they’re lost forever.
When you do that, because those capacitors are so tiny and so close together, there’s a tiny chance that capacitors in one or both of the neighbouring rows might flip their value.
Now, it’s called DRAM because it doesn’t hold its charge indefinitely, like static RAM or flash memory (with flash memory you can even turn the power off and it’ll remember what was there).
But with DRAM, after about a tenth of a second, basically, the charges in all those little capacitors will have dissipated.
So they need rewriting all the time.
And if you rewrite super-fast, you can actually get bits in nearby memory to flip.
Historically, the reason this has been a problem is that if you can play with memory alignment, even though you can’t predict which bits are going to flip, you *might* be able to mess with things like memory indices, page tables, or data inside the kernel.
Even if all you’re doing is reading from memory because you have unprivileged access to that memory outside the kernel.
And that’s what rowhammer attacks in the past have tended to focus on.
Now, what these researchers from the University of California in Davis did is they figured, “Well, I wonder if the bit-flip patterns, as pseudorandom as they are, are consistent for different vendors of chips?”
Which is kind-of/sort-of sounding like a “supercookie”, isn’t it?
Something that identifies your computer next time.
And indeed, the researchers went even further and found that individual chips… or memory modules (they usually have several DRAM chips on them), DIMMs, dual inline memory modules that you can clip into the slots on your desktop computer, for example, and in some laptops.
They found that, actually, the bit-flip patterns could be converted into a sort of iris scan, or something like that, so that they could recognise the DIMMs later by doing the rowhammering attack again.
In other words, you can clear your browser cookies, you can change the list of applications you’ve got installed, you can change your username, you can reinstall a brand new operating system, but the memory chips, in theory, will give you away.
And in this case, the idea is: supercookies.
Very interesting, and well worth a read.
DOUG. It’s cool!
Another thing about writing news, Paul: you’re a very good news writer, and the idea is to hook the reader right away.
So, in the first sentence of this next article you say: “Even if you haven’t heard of the venerable Ghostscript project, you may very well have used it without knowing.”
I’m intrigued, because the headline is: Ghostscript bug could allow rogue documents to run system commands.
Ghostscript bug could allow rogue documents to run system commands
Tell me more!
DUCK. Well, Ghostscript is a free and open source implementation of Adobe’s PostScript and PDF languages.
(If you haven’t heard of PostScript, well, PDF is sort of “PostScript Next Generation”.)
It’s a way of describing how to create a printed page, or a page on a computer screen, without telling the device which pixels to turn on.
So you say, “Draw square here; draw triangle here; use this beautiful font.”
It’s a programming language in its own right that gives you device-independent control of things like printers and screens.
And Ghostscript is, as I said, a free and open source tool to do just that.
And there are numerous other open source products that use exactly this tool as a way of importing things like EPS (Encapsulated PostScript) files, such as you might get from a design company.
So you might have Ghostscript without realising it – that’s the key problem.
And this was a small but really annoying bug.
It turns out that a rogue document can say things like, “I want to create some output, and I want to put it in a filename XYZ.”
But if you put, at the start of the file name, %pipe%, and *then* the file name…
…that filename becomes the name of a command to run that will process the output of Ghostscript in what’s called a “pipeline”.
That might sound like a long story for a single bug, but the important part of this story is that after fixing that problem: “Oh, no! We need to be careful if the filename starts with the characters %pipe%, because that actually means it’s a command, not a filename.”
That could be dangerous, because it could cause remote code execution.
So they patched that bug and then someone realised, “You know what, bugs often go in pairs or in groups.”
Either similar coding errors elsewhere in the same bit of code, or more than one way of triggering the original bug.
And that’s when someone in the Ghostscript team realised, “You know what, we also let them type | [vertical bar, i.e. the “pipe” character] space-command name as well, so we need to check for that as well.”
So there was a patch, followed by a patch-to-the-patch.
And that isn’t necessarily a sign of badness on the part of the programming team.
It’s actually a sign that they didn’t just do the minimum amount of work, sign it off, and leave you to suffer with the other bug and wait until it was found in the wild.
DOUG. And lest you think we’re done talking about bugs, boy do we have a doozie for you!
An emergency Apple patch emerged, and then un-emerged, and then Apple kind-of/sort-of commented on it, which means that up is down and left is right, Paul.
Urgent! Apple fixes critical zero-day hole in iPhones, iPads and Macs
DUCK. Yes, it’s a little bit of a comedy of errors.
I nearly, but not quite, feel sorry for Apple on this one…
…but because of their insistence on saying as little as possible (when they don’t say nothing at all), it’s still not clear quite whose fault it is.
But the story goes like this: “Oh no! There’s an 0-day in Safari, in WebKit (the browser engine that’s used in every single browser on your iPhone and in Safari on your Mac), and crooks/spyware vendors/somebody is apparently using this for great evil.”
In other words, “look-and-be-pwned”, or “drive-by install”, or “zero-click infection”, or whatever you want to call it.
So Apple, as you know, now has this Rapid Security Response system (at least for the latest iOS, iPadOS and macOS) where they don’t have to create a full system upgrade, with a whole new version number that you can never downgrade from, every time there’s an 0-day.
Thus, Rapid Security Responses.
These are the things that, if they don’t work, you can remove them afterwards.
The other thing is that they’re often really tiny.
Great!
The problem is… it seems that because these updates don’t get a new version number, Apple had to find a way of denoting that you had already installed the Rapid Security Response.
So what they do is you take your version number, such as iOS 16.5.1, and they add after it a space character and then (a).
And the word on the street is that some websites (I shan’t name them because this is all hearsay)…
…when they were examining the User-Agent string in Safari, which includes the (a) just for completeness, went: “Whoooooa! What’s (a) doing in a version number?”
So, some users were reporting some problems, and Apple apparently pulled the update.
Apple silently pulls its latest zero-day update – what now?
And then, after a whole load of confusion, and another article on Naked Security, and nobody quite knowing what was going on… [LAUGHTER]
…Apple finally published HT21387, a security bulletin that they produced before they actually had the patch ready, which they normally don’t do.
But it was almost worse than saying nothing, because they said, “Because of this problem, Rapid Security Response (b) will be available soon to address this issue.”
And that’s it. [LAUGHTER]
They don’t quite say what the problem is.
They don’t say if it’s down to User-Agent strings because, if so, maybe the problem’s more with the website at the other end than with Apple themselves?
But Apple isn’t saying.
So we don’t know whether it’s their fault, the web server’s fault, or both of them.
And they just say “soon”, Doug.
DOUG. This is a good time to bring in our reader question.
On this Apple story, reader JP asks:
Why do websites need to check your browser so much?
It’s too snoopy and relies on old ways of doing things.
What do you say to that, Paul?
DUCK. I wondered that very question myself, and I went looking for, “What are you supposed to do with User-Agent strings?”
It does seem to be a bit of a perennial problem for websites where they’re trying to be super-clever.
So I went to MDN (what was, I think, Mozilla Developer Network, but it’s now a community website), which is one of the best resources if you wonder, “What about HTTP headers? What about HTML? What about JavaScript? What about CSS? How does this all fit together?”
And their advice, quite simply, is, “Please, everybody, stop looking at the User-Agent string. You’re just making a rod for your own back and a bunch of complexity for everyone else.”
So why do sites look at User-Agent?
[WRY] I guess because they can. [LAUGHTER]
If you’re creating a website, ask yourself, “Why am I going down this rabbit hole of having a different way of responding based on some weird little bit of a string somewhere in User-Agent?”
Try to think beyond that, and life will be simpler for all of us.
DOUG. Alright, very philosophical!
Thank you, JP, for sending that in.
If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.
You can email tips@sophos.com, comment on any one of our articles, or hit us up on social: @nakedsecurity.
That’s our show for today; thanks very much for listening.
For Paul Ducklin, I’m Doug Aamoth, reminding you: Until next time…
BOTH. Stay secure!
[MUSICAL MODEM]