vulnerability
Latest
Intel currently facing 32 class-action lawsuits for Spectre and Meltdown
Yesterday, Intel expanded its bug bounty program to catch more issues like the extensive Meltdown and Spectre CPU flaws, but that was too little, too late for some chip owners. We knew three class-action lawsuits were filed in early January days after the vulnerabilities were publicized, but according to an SEC filing, the total has grown to 30 multi-party suits by customers and two securities suits. Most argue that Intel violated securities laws when it assured its products were safe to use, which the Meltdown and Spectre flaws revealed to be untrue.
Intel expands bug bounty to catch more Spectre-like security flaws
To say Intel was caught flat-footed by the Meltdown and Spectre flaws would be an understatement. However, it has a potential solution: enlist more people for help. It's widening its bug bounty program to both include more researchers and offer more incentives to spot Meltdown- and Spectre-like holes. The program is now open to all security researchers, not just by invitation, and includes sweeter rewards for discovering exploits. You now get up to $100,000 for disclosing general security flaws, and there's a new program dedicated to side channel vulnerabilities (read: issues like Spectre) that offers up to $250,000 through December 31st, 2018.
Attackers used Telegram to deliver cryptocurrency-mining malware
Kaspersky Lab says it spotted evidence of a vulnerability in the desktop version of Telegram that allowed attackers to install cryptocurrency mining malware on users' computers. The zero-day exploit was used to trick Telegram users into downloading malicious files, which could then be used to deliver cryptocurrency mining software and spyware. According to Kaspersky, those behind the exploit used the computers their malware had been installed on to mine digital currencies like Monero, Zcash, Fantomcoin and others. Kaspersky also says it found a stolen cache of Telegram data on one of the attackers' servers.
Crucial iPhone source code posted in unprecedented leak (updated)
Critical, top secret Apple code for the iPhone's operating system was posted on Github, opening a new, dangerous avenue for hackers and jailbreakers to access the device, Motherboard reported. The code, known as "iBoot," has since been pulled, but Apple may have confirmed it was the real deal when it issued a DMCA takedown to Github, as Twitter user @supersat noted.
Grammarly patches bug that could expose everything you write (update: not everything)
Grammarly, a copyediting app/extension for Chrome and Firefox that points out typos and grammatical mistakes, had a major bug that allowed any website you visit to log into your account and read everything you ever wrote. It made all your documents, history, logs, tweets and blog posts vulnerable to high-tech snoops. Google's Project Zero, which unearths and tracks vulnerabilities and reports them to software-makers, revealed the bug on February 2nd. Thankfully, the Grammarly team has quickly patched it up and has already auto-updated the program used by over 20 million users.
Lenovo’s fingerprint manager left passwords vulnerable
A slew of Lenovo devices have left users' systems vulnerable to a breach. Fingerprint Manager Pro software installed on any of some three dozen ThinkPad, ThinkCentre or ThinkStation devices apparently features weak encryption that allows someone to bypass the fingerprint scanner and take advantage of a hardcoded password in order to gain access to the system. It also exposes users' logon credentials and fingerprint data. Lenovo described the vulnerability in a security update and released a patch for the bug last week.
Intel told Chinese firms of Meltdown flaws before the US government
Intel may have been working with many tech industry players to address the Meltdown and Spectre flaws, but who it contacted and when might have been problematic. Wall Street Journal sources have claimed that Intel initially told a handful of customers about the processor vulnerabilities, including Chinese tech companies like Alibaba and Lenovo, but not the US government. While the chip giant does have to talk to those companies to coordinate fixes, the Chinese government routinely monitors conversations like this -- it could have theoretically exploited the holes to intercept data before patches were available.
Apple releases Meltdown patches for older versions of macOS
Today, Apple released updates that will protect some older operating systems against the Meltdown vulnerability. Patches for High Sierra were released earlier this month and now Sierra and El Capitan will be protected as well.
Blizzard games were vulnerable to a remote hijacking exploit
Fans of Blizzard games might have dodged a bullet. Google security researcher Tavis Ormandy has revealed that virtually all the developer's titles (including Overwatch and World of Warcraft) were vulnerable to a DNS rebinding flaw that let sites hijack the Blizzard Update Agent for their own purposes. Intruders had to do little more than create a hostname their site was authorized to communicate with, make that resolve to the target of their choice (such as the victim's PC) and send requests to the agent. From there, they could install malicious files, use network drives or otherwise create havoc.
Uber security flaw compromised two-factor authentication
Two-factor authentication only works if it's strictly enforced in software, and it sounds like Uber might have fallen short of that goal for a while. In a chat with ZDNet, security researcher Karan Saini has revealed a flaw in Uber's two-factor verification that reportedly rendered it useless. Saini has been keeping the exact details of the exploit under wraps to prevent abuse, but it revolved around a vulnerability in how Uber authenticates users when they sign in. The net effect was clear: an intruder might have only needed your username and password to sign in, giving them the chance to swipe personal info or misuse services.
Congressman requests Meltdown and Spectre briefing from chip makers
US Representative Jerry McNerney sent a letter to Intel, AMD and ARM today requesting a briefing on the Meltdown and Spectre vulnerabilities and the companies' handling of them. McNerney, a California representative and member of the House Energy and Commerce Committee, said, "I am looking to better understand the nature of these critical vulnerabilities, the danger they pose to consumers and what steps your companies plan to take to protect consumers."
Intel’s Meltdown and Spectre fixes have some bugs of their own
Earlier this week, Intel said it would have Meltdown and Spectre fixes available by the end of the month for all recently made chips. But as the Wall Street Journal reports, some of the patches the company has released have caused some problems of their own. Some firmware updates are apparently causing computers to reboot.
AMD is deploying a patch for the second Spectre CPU vulnerability
While Intel is at the center of the Spectre/Meltdown fiasco, AMD's chips are also affected by the CPU vulnerabilities. The company previously said that the risk of exploit using variant 2 was near zero due to its chips' architecture. But in its latest announcement, it said that because both variants are still "applicable to AMD processors," it also plans to release patches for the second variant to be absolutely safe. AMD already provided PC manufacturers its fix for the first Spectre version, and Microsoft has begun rolling it out. The chipmaker also said it's working with Redmond to address a problem that delayed the distribution of patches for its older processors.
Google details how it protected services like Gmail from Spectre
Google says it already deployed anti-Spectre and Meltdown solutions to protect its products, and users didn't even notice. The downside of the patches companies are rolling out to fix the CPU vulnerabilities is that they have the potential to slow down systems. For the big G, that means slowdown for huge services like Gmail, Google Drive and Search and its Cloud products. Mountain View had to gather hundreds of engineers working across the company to find a way to protect its products. After a few months, they found a solution for Meltdown and the first variant of Spectre (two of the three vulnerabilities), which they then started rolling out way back in September. Google says it didn't get any complaint reporting performance degradation after it deployed the fix.
Intel pledges transparency after Spectre, Meltdown vulnerability
The last week or so has seen a lot of activity around Meltdown and Spectre, two CPU flaws in modern chips from the likes of AMD and Intel. Apple, Microsoft and Google have provided interim fixes for their respective hardware, but it will take much more than simple patches (that can cause more harm than good) to truly eradicate the issue. Just a few hours after Intel revealed that there may be more slowdowns from its Meltdown processor fix, the company's CEO Brian Krzanich has written an open letter to further detail the steps Intel is taking to deal with the issues.
Google shares which Chromebooks won’t get a Meltdown fix
Google has published a list that includes every Chromebook model, which are vulnerable to Meltdown and the patch status of each one. You can check out the list here. The column you'll most want to pay attention to is the one titled "CVE-2017-5754 mitigations (KPTI) on M63?" If the device has a "Yes" or a "Not needed" in that column, it's safe and if you own it, you have one less thing to worry about. A "No" in that column means the device will need an update to be protected against Meltdown. But if the device is listed as "EoL," there will be no patches for it because it's an end of life product and is no longer supported. EoL devices include Samsung Chromebook Series 5, Samsung Chromebook Series 5 550, Cr-48, Acer C7 Chromebook and Acer AC700.
NVIDIA updates video drivers to help address CPU memory security (updated)
It's not just your processor and operating system that need patches for the Meltdown and Spectre memory vulnerabilities -- your graphics card does, too. To that end, NVIDIA has started releasing updated drivers that help protect against the CPU vulnerability. All its GeForce, Quadro, NVS, Tesla and GRID chips are immune to Meltdown and Spectre themselves, but the code could leave CPUs open to two Spectre variants. The new software immediately mitigates one Spectre flaw, and NVIDIA is promising future mitigations as well as eventual updates to address the second.
Microsoft says security fixes will noticeably slow older PCs
It's been clear for a while that the fixes for the Meltdown and Spectre memory vulnerabilities would slow down PCs, but just how bad is the hit, really? Microsoft has run some benchmarks, and it's unfortunately bad news if your system is less than fresh. While the patches for Meltdown and one variant of Spectre will have a "minimal performance impact," fixing a second Spectre variant through low-level microcode imposes a tangible speed penalty -- and it's particularly bad on systems released around 2015 or earlier.
Microsoft's 'Meltdown' updates are reportedly bricking AMD PCs
Following reports of unbootable machines, Microsoft has halted updates of its Meltdown and Spectre security patches for AMD computers, according to a support note spotted by the Verge. It made the move after numerous complaints from users who installed the patch and then couldn't get past the Windows 10 splash screen. "To prevent AMD customers from getting into an unbootable state, Microsoft will temporarily pause sending the following Windows operating system updates to devices with impacted AMD processors," it wrote.
Apple updates macOS and iOS to address Spectre vulnerability
Just a few days after Apple disclosed how it would be dealing with the Meltdown bug that affects modern computers, it's pushed out fixes for the Spectre exploit as well. iOS 11.2.2 includes "Security improvements to Safari and WebKit to mitigate the effects of Spectre," the company writes on its support page, while the macOS High Sierra 10.13.2 Supplemental Update does the same for your Mac laptop or desktop. Installing this update on your Mac will also update Safari to version 11.0.2.
