Supercookie surveillance shenanigans – Naked Security

Remembering the slide rule. What you need to know about Patch Tuesday. Supercookie surveillance shenanigans. When bugs arrive in pairs. Apple’s speedy patch that needed a speedy patch. User-Agent considered harmful.

DOUG.  An emergency Apple patch, gaslighting computers, and WHY CAN’T I KEEP USING WINDOWS 7?

All that, and more, on the Naked Security podcast.

[MUSICAL MODEM]

Welcome to the podcast, everyone.

I’m Doug Aamoth; he’s Paul Ducklin.

Paul, how do you do?


DUCK.  Well, I’m just a little bit startled, Doug.

You were very dramatic about the need to keep using Windows 7!


DOUG.  Well, like many people, I’m angry about it (joke!), and we’ll talk about that in a bit.

But first, a very important This Week in Tech History segment.

11 July 1976 marked the last gasp for a once-common mathematical calculation tool.

I’m, of course, referring to the slide rule.

The final US model produced, a Keuffel & Esser 4081-3, was presented to the Smithsonian Institution, marking the end of a mathematical era…

…an era made obsolete by computers and calculators such as Paul’s favourite, the HP-35.

So, Paul, I believe you have blood on your hands, Sir.


DUCK.  I never owned an HP-35.

Firstly, I was much too young, and secondly, they were $395 each when they came in.


DOUG.  [LAUGHS] Wow!


DUCK.  So it took another couple of years for prices to crash, as Moore’s Law kicked in.

And then people didn’t want to use slide rules any more.

My Dad gave me his old one, and I treasured that thing because it was great…

…and I’ll tell you what a slide rule does teach you, because when you’re using it for multiplication, you basically convert the two numbers you want to multiply to numbers between 1 and 10, and then you multiply them together.

And then you need to work out where the decimal point goes.

If you divided one number by 100 and multiplied the other by 1000 to get them in range, then overall you need to add one zero, to multiply by 10, at the end.

So it was a fantastic way of teaching yourself whether the answers you got out of your electronic calculator, where you typed in long numbers like 7,000,000,000…

…whether you’d actually got the order of magnitude, the exponent, right.

Slide rules and their printed equivalent, log tables, taught you a lot about how to manage orders of magnitude in your head, and not accept bogus results too easily.


DOUG.  I’ve never used one, but it sounds very exciting from what you just described.

Let’s keep the excitement going.

Last week, Firefox released version 115:

Firefox 115 is out, says farewell to users of older Windows and Mac versions

They included a note which I’d like to read, and I quote:

In January 2023, Microsoft ended support for Windows 7 and Windows 8.

As a consequence, this is the last version of Firefox that users on those operating systems will receive.

And I feel that every time one of these notes gets appended to a final release, people come out and say, “Why can’t I keep using Windows 7?”

We even had a commenter saying that Windows XP is just fine.

So what would you say to those people, Paul, that don’t want to move on from operating system versions that they love?


DUCK.  The best way for me to put it, Doug, is to read back what I consider the better-informed commenters on our article said.

Alex Fair writes:

It’s not just about what *you* want, but about how you can be used and exploited, and in turn harm others.

And Paul Roux rather sarcastically said:

Why are people still running Windows 7, or XP for that matter?

If the reason is that newer operating systems are bad, why not use Windows 2000?

Heck, NT 4 was so awesome it got SIX service packs!


DOUG.  [LAUGHS] 2000 *was* awesome, though.


DUCK.  It’s not all about you.

It is about the fact that your system contains bugs, that crooks already know how to exploit, that will never, ever get patched.

So the answer is that sometimes you simply have to let go, Doug.


DOUG.  “It is better to have loved and lost than to never have loved at all,” as they say.

Let’s stay on the subject of Microsoft.

Patch Tuesday, Paul, giveth bountifully.

Microsoft patches four zero-days, finally takes action against crimeware kernel drivers


DUCK.  Yes, the usual large number of bugs fixed.

The big news out of this, the stuff that you need to remember (and there are two articles you can go and consult on news.sophos.com if you want to know the gory details)….

One issue is that four of these bugs are in-the-wild, zero-day, already-being-exploited holes.

Two of them are security bypasses, and as trivial as that sounds, they do apparently relate to clicking on URLs or opening stuff in emails where you would normally get a warning saying, “Are you really sure you want to do this?”

Which might otherwise stop quite a few people from making an unwanted mistake.

And there are two Elevation-of-Privilege (EoP) holes fixed.

And although Elevation of Privilege usually gets looked down on as lesser than Remote Code Execution, where crooks use the bug to break in in the first place, the problem with EoP has to do with crooks who are already “loitering with intent” in your network.

It’s as if they’re able to upgrade themselves from being a guest in a hotel lobby to a super-secretive, silent burglar who suddenly and magically has access to all the rooms in the hotel.

So these are definitely worth watching out for.

And there’s a special Microsoft security advisory…

…well, there are several of them; the one I want to draw your attention to is ADV23001, which basically is Microsoft saying, “Hey, remember when Sophos researchers reported to us that they’d found a whole load of rootkittery going on with signed kernel drivers that even contemporary Windows would just load because they were approved for use?”

I think in the end there were well over 100 such signed drivers.

The good news in this advisory is that all these months later, Microsoft has finally said, “OK, we’re going to stop those drivers from being loaded and start blocking them automatically.”

[IRONIC] Which I suppose is quite big of them, really, when at least some of those drivers were actually signed by Microsoft itself, as part of their hardware quality programme. [LAUGHS]

If you want to find the story behind the story, as I said, just head to news.sophos.com and search for “drivers“.

Microsoft Revokes Malicious Drivers in Patch Tuesday Culling


DOUG.  Excellent.

Alright, this next story… I’m intrigued by this headline for so many reasons: Rowhammer returns to gaslight your computer.

Serious Security: Rowhammer returns to gaslight your computer

Paul, tell me about…

[TO THE TUNE OF PETER GABRIEL’S “SLEDGEHAMMER”] Tell me about…


BOTH.  [SINGING] Rowhammer!


DOUG.  [LAUGHS] Nailed it!


DUCK.  Go on, now you have to do the riff.


DOUG.  [SYNTHESISING A SYNTHESISER] Doodly-doo da doo, doo do doo.


DUCK.  [IMPRESSED] Very good, Doug!


DOUG.  Thank you.


DUCK.  Those who don’t remember this from the past: “Rowhammer” is the jargon name that reminds us that the capacitors, where bits of memory (ones and zeros) are stored in modern DRAM, or dynamic random access memory chips, are so close together…

When you write to one of them (you actually have to read and write the capacitors in rows at a time, thus “rowhammer”), when you do that, because you’ve read the row, you’ve discharged the capacitors.

Even if all you’ve done is look at the memory, you have to write back the old contents, or they’re lost forever.

When you do that, because those capacitors are so tiny and so close together, there’s a tiny chance that capacitors in one or both of the neighbouring rows might flip their value.

Now, it’s called DRAM because it doesn’t hold its charge indefinitely, like static RAM or flash memory (with flash memory you can even turn the power off and it will remember what was there).

But with DRAM, after about a tenth of a second, basically, the charges in all those little capacitors will have dissipated.

So they need rewriting all the time.

And if you rewrite super-fast, you can actually get bits in nearby memory to flip.

Historically, the reason this has been a problem is that if you can play with memory alignment, although you can’t predict which bits are going to flip, you *might* be able to mess with things like memory indices, page tables, or data inside the kernel.

Even if all you’re doing is reading from memory because you have unprivileged access to that memory outside the kernel.

And that’s what rowhammer attacks so far have tended to focus on.

Now, what these researchers from the University of California in Davis did is they figured, “Well, I wonder if the bit-flip patterns, as pseudorandom as they are, are consistent for different vendors of chips?”

Which is kind-of/sort-of sounding like a “supercookie”, isn’t it?

Something that identifies your computer next time.

And indeed, the researchers went even further and found that individual chips… or memory modules (they usually have several DRAM chips on them), DIMMs, dual inline memory modules that you can clip into the slots in your desktop computer, for example, and in some laptops.

They found that, actually, the bit-flip patterns could be converted into a sort of iris scan, or something like that, so that they could recognise the DIMMs later by doing the rowhammering attack again.

In other words, you can clear your browser cookies, you can change the list of applications you’ve got installed, you can change your username, you can reinstall a brand new operating system, but the memory chips, in theory, will give you away.

And in this case, the idea is: supercookies.

Very interesting, and well worth a read.


DOUG.  It is cool!

Another thing about writing news, Paul: you’re a very good news writer, and the idea is to hook the reader immediately.

So, in the first sentence of this next article you say: “Even if you haven’t heard of the venerable Ghostscript project, you may very well have used it without knowing.”

I’m intrigued, because the headline is: Ghostscript bug could allow rogue documents to run system commands.

Ghostscript bug could allow rogue documents to run system commands

Tell me more!


DUCK.  Well, Ghostscript is a free and open source implementation of Adobe’s PostScript and PDF languages.

(If you haven’t heard of PostScript, well, PDF is sort of “PostScript Next Generation”.)

It’s a way of describing how to create a printed page, or a page on a computer screen, without telling the device which pixels to turn on.

So you say, “Draw square here; draw triangle here; use this beautiful font.”

It’s a programming language in its own right that gives you device-independent control of things like printers and screens.

And Ghostscript is, as I said, a free and open source tool to do just that.

And there are numerous other open source products that use exactly this tool as a way of importing things like EPS (Encapsulated PostScript) files, such as you might get from a design company.

So you might have Ghostscript without realising it – that’s the key problem.

And this was a small but really annoying bug.

It turns out that a rogue document can say things like, “I want to create some output, and I want to put it in a filename XYZ.”

But if you put, at the start of the file name, %pipe%, and *then* the file name…

…that filename becomes the name of a command to run that will process the output of Ghostscript in what’s called a “pipeline”.

That may sound like a long story for a single bug, but the important part of this story is that after fixing that problem: “Oh, no! We need to be careful if the filename starts with the characters %pipe%, because that actually means it’s a command, not a filename.”

That could be dangerous, because it could cause remote code execution.

So they patched that bug and then someone realised, “You know what, bugs often go in pairs or in groups.”

Either similar coding errors elsewhere in the same bit of code, or more than one way of triggering the original bug.

And that’s when someone in the Ghostscript team realised, “You know what, we also let them type | [vertical bar, i.e. the “pipe” character] space-command name as well, so we need to check for that as well.”

So there was a patch, followed by a patch-to-the-patch.

And that’s not necessarily a sign of badness on the part of the programming team.

It’s actually a sign that they didn’t just do the minimum amount of work, sign it off, and leave you to suffer with the other bug and wait until it was found in the wild.


DOUG.  And lest you think we’re done talking about bugs, boy do we have a doozie for you!

An emergency Apple patch emerged, and then un-emerged, and then Apple kind-of/sort-of commented on it, which means that up is down and left is right, Paul.

Urgent! Apple fixes critical zero-day hole in iPhones, iPads and Macs


DUCK.  Yes, it’s a little bit of a comedy of errors.

I almost, but not quite, feel sorry for Apple on this one…

…but because of their insistence on saying as little as possible (when they don’t say nothing at all), it’s still not clear quite whose fault it is.

But the story goes like this: “Oh no! There’s an 0-day in Safari, in WebKit (the browser engine that’s used in every single browser on your iPhone and in Safari on your Mac), and crooks/spyware vendors/somebody is apparently using this for great evil.”

In other words, “look-and-be-pwned”, or “drive-by install”, or “zero-click infection”, or whatever you want to call it.

So Apple, as you know, now has this Rapid Security Response system (at least for the latest iOS, iPadOS and macOS) where they don’t have to create a full system upgrade, with a whole new version number that you can never downgrade from, every time there’s an 0-day.

Thus, Rapid Security Responses.

These are the things that, if they don’t work, you can remove them afterwards.

The other thing is that they’re usually really tiny.

Great!

The problem is… it seems that because these updates don’t get a new version number, Apple had to find a way of denoting that you had already installed the Rapid Security Response.

So what they do is you take your version number, such as iOS 16.5.1, and they add after it a space character and then (a).

And the word on the street is that some websites (I shan’t name them because this is all hearsay)…

…when they were inspecting the User-Agent string in Safari, which includes the (a) just for completeness, went: “Whoooooa! What’s (a) doing in a version number?”

So, some users were reporting some problems, and Apple apparently pulled the update.

Apple silently pulls its latest zero-day update – what now?

And then, after a whole load of confusion, and another article on Naked Security, and nobody quite knowing what was going on… [LAUGHTER]

…Apple finally published HT21387, a security bulletin that they produced before they actually had the patch ready, which they usually don’t do.

But it was almost worse than saying nothing, because they said, “Because of this problem, Rapid Security Response (b) will be available soon to address this issue.”

And that’s it. [LAUGHTER]

They don’t quite say what the issue is.

They don’t say if it’s down to User-Agent strings because, if so, maybe the problem’s more with the website at the other end than with Apple themselves?

But Apple isn’t saying.

So we don’t know whether it’s their fault, the web server’s fault, or both of them.

And they just say “soon”, Doug.


DOUG.  This is a good time to bring in our reader question.

On this Apple story, reader JP asks:

Why do websites need to check your browser so much?

It’s too snoopy and relies on old ways of doing things.

What do you say to that, Paul?


DUCK.  I wondered that very question myself, and I went looking for, “What are you supposed to do with User-Agent strings?”

It does seem to be a bit of a perennial problem for websites where they’re trying to be super-clever.

So I went to MDN (what was, I think, Mozilla Developer Network, but it’s now a community site), which is one of the best resources if you wonder, “What about HTTP headers? What about HTML? What about JavaScript? What about CSS? How does this all fit together?”

And their advice, quite simply, is, “Please, everybody, stop looking at the User-Agent string. You’re just making a rod for your own back and a bunch of complexity for everybody else.”

So why do websites look at User-Agent?

[WRY] I guess because they can. [LAUGHTER]

When you’re developing a website, ask yourself, “Why am I going down this rabbit hole of having a different way of responding based on some weird bit of a string somewhere in User-Agent?”

Try and think beyond that, and life will be simpler for all of us.


DOUG.  Alright, very philosophical!

Thank you, JP, for sending that in.

If you have an interesting story, comment or question you’d like to submit, we’d love to read it on the podcast.

You can email tips@sophos.com, comment on any one of our articles, or hit us up on social: @nakedsecurity.

That’s our show for today; thanks very much for listening.

For Paul Ducklin, I’m Doug Aamoth, reminding you: Until next time…


BOTH.  Stay safe!

[MUSICAL MODEM]
