PSW #747 – Andy Robbins

According to Lenovo, laptops being shipped with Secure Cored PCs will not trust the Microsoft 3rd party CA by default, you will have to go into the BIOS and enable it. This means if you are running Linux and want Secure Boot, you have to go into the BIOS and enable it. I don't see the security benefits here.

"The vulnerabilities can be exploited to achieve arbitrary code execution in the early phases of the platform boot, possibly allowing the attackers to hijack the OS execution flow and disable some important security features.” wrote ESET in a series of tweets. “These vulnerabilities were caused by insufficient validation of DataSize parameter passed to the UEFI Runtime Services function GetVariable. An attacker could create a specially crafted NVRAM variable, causing buffer overflow of the Data buffer in the second GetVariable call."

Sounds like what many large organizations are already doing: "A robust update process leverages update deployment rings. The Windows Autopatch feature works dynamically creating 4 testing rings, each of them representative of all the diversity in an enterprise. The updates are initially tested on a small set of devices, then if the installation creates no problems, the installation is extended to increasingly larger sets, with an evaluation period at each progression. “The ‘test ring’ contains a minimum number of representative devices. The ‘first’ ring is slightly larger, containing about 1% of all devices under management. The ‘fast’ ring contains about 9% of endpoints, with the rest assigned to the ‘broad’ ring.” continues the announcement."

"Researcher Gafnit Amiga of Lightspin detailed in a blog post how an attacker can send two different variables with the same name but with different uppercase and lowercase characters – for example, they are able to send both ‘Action’ and ‘action’. Amiga explained: “Since both [variables in the vulnerable code] are… ‘ToLower’, the value in the queryParamsLower dictionary will be overridden while the request to AWS will be sent with both parameters and their values."

"Retbleed aims to hijack a return instruction in the kernel to gain arbitrary speculative code execution in the kernel context. With sufficient control over registers and/or memory at the victim return instruction, the attacker can leak arbitrary kernel data." The core idea, in a nutshell, is to treat return instructions as an attack vector for speculation execution and force the returns to be predicted like indirect branches, effectively undoing protections offered by Retpoline." and updating: "Windows operating system uses IBRS by default, so no update is required," Intel said in an advisory, noting it worked with the Linux community to make available software updates for the shortcoming."

https://m.youtube.com/watch?v=WaEudnuQBOM

The UK Information Commissioner's Office (ICO) on Monday issued a reprimand and called for a review of how and whether messaging services should be used for government business practices, after finding widespread and potentially dangerous use of private email, WhatsApp and other messaging tools by officials at the Department of Health and Social Care (DHSC).

Researchers say they have discovered that various modern Honda vehicles have a vulnerable (medium-severity) rolling code mechanism (CVE-2021-46145) they have dubbed "Rolling-PWN" that allows individuals to remotely unlock the doors and start the car's engine. Researchers found that the counter in Honda vehicles is resynchronized when the car vehicle gets lock/unlock commands in a consecutive sequence. This causes the car to accept codes from a previous session, which should have been invalidated.

Kubernetes code enabled privilege escalation. An error in one line of code in an AWS authentication component has created a trio of security bugs. CVE-2022-2385, the bug is a mistake in parameter validation – the code doesn’t check the capitalization of parameters passed to it.

The OpenSSL development team has released a fix to address a high-severity memory corruption flaw (CVE-2022-2274) affecting the OpenSSL library that could be exploited by attackers to perform remote code execution. Affects 3.0.4, update to 3.0.5

The group claiming responsibility for cyberattacks on multiple Iranian steel facilities last month posted almost 20 gigabytes (GB) of data on July 7, 2020, which included corporate documents showing that the facilities are affiliated with Iran's Islamic Revolutionary Guard Corp.

NAS vendor QNAP warned customers to secure their devices against attacks using Checkmate ransomware to encrypt data. QNAP says the attacks are focused on Internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.