{"id":23969,"date":"2021-07-11T15:42:28","date_gmt":"2021-07-11T22:42:28","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=23969"},"modified":"2021-07-11T15:42:28","modified_gmt":"2021-07-11T22:42:28","slug":"sb-2021-07-11","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2021\/07\/sb-2021-07-11\/","title":{"rendered":"Security Bits \u2014 11 July 2021"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>The Western Digital story from last time has continued to evolve:\n<ul>\n<li>More devices are affected: <a href=\"https:\/\/krebsonsecurity.com\/2021\/07\/another-0-day-looms-for-many-western-digital-users\/\">Another 0-Day Looms for Many Western Digital Users \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li>But there have also been more responses from WD, including a data recovery service and a trade-in-upgrade program: <a href=\"https:\/\/www.intego.com\/mac-security-blog\/what-to-do-if-you-have-western-digital-my-book-live-or-my-book-live-duo-devices\/\">Got a WD My Book Live device? Your data is at risk \u2013 here\u2019s what to do \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>A new variant of the iOS\/macOS Wifi name bug has emerged (triggered by networks called <code>%secretclub%power<\/code>). 
<strong>TL;DR:<\/strong> don&#8217;t join any WiFi networks with <code>%<\/code> symbols in their name on Apple devices until Apple patch this \u2014 <a href=\"https:\/\/www.imore.com\/network-name-can-semi-permanently-disable-wifi-your-iphone\">www.imore.com\/\u2026<\/a><\/li>\n<li>Social Media companies continue to evolve in response to abuses of their platforms:\n<ul>\n<li><a href=\"https:\/\/www.brusselstimes.com\/news\/176094\/facebook-tests-new-feature-alerting-users-to-extremist-content\/\">Facebook tests new feature alerting users to extremist content \u2014 www.brusselstimes.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>It&#8217;s not just bad behavior \u2013 why social media design makes it hard to have constructive disagreements online <a href=\"https:\/\/theconversation.com\/its-not-just-bad-behavior-why-social-media-design-makes-it-hard-to-have-constructive-disagreements-online-161337\">theconversation.com&#8230;<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Deep Dive 1 \u2014 Print Nightmare<\/h2>\n<p><strong>TL;DR<\/strong> \u2014 if you run Windows servers, you should probably disable the print spooler by Group Policy and leave it off, especially on your domain controllers. Home users definitely need to stay on top of Microsoft&#8217;s patches and might consider also disabling their print spoolers.<\/p>\n<p><em><strong>Important Caveat<\/strong> \u2014 this is a very rapidly developing and very confusing story. It&#8217;s probably already incomplete as you read this!<\/em><\/p>\n<p>A pair of vulnerabilities have been found in the Windows print spooler process that allows for local privilege escalation, and remote code execution under some circumstances. 
The phrase <em>some circumstances<\/em> is doing a lot of heavy lifting here \u2014 as the story has developed, the circumstances in which remote code execution was believed to be possible have shifted around a lot.<\/p>\n<p>Depending on how you look at it, this is one big problem or two interrelated smaller problems. It&#8217;s probably simpler to think of it as one big mess rather than two, but there are two CVE numbers assigned, so officially it is two vulnerabilities.<\/p>\n<p>The story started with a responsibly disclosed local privilege escalation bug (LPE) that Microsoft attempted to patch in June. The original security researcher realised that Microsoft&#8217;s patch fixed his proof of concept, but didn&#8217;t actually fix the underlying problem \u2014 Microsoft had treated a symptom, but not cured the disease. Microsoft closed the case, the security researcher wasn&#8217;t able to re-establish communication, and in frustration, he went public.<\/p>\n<p>Meanwhile, another group of security researchers also found a bug in the print spooler, and they assumed it was the one Microsoft had just patched, so they released their proof of concept (POC), assuming that was responsible disclosure. But their POC still worked on supposedly patched systems, and their POC included remote code execution (RCE), not just LPE, so it exposed a much more dangerous vulnerability. As soon as it became clear the June patch wasn&#8217;t what they thought, the researchers un-published their POC, but it was too late, the cat was out of the bag!<\/p>\n<p>At this point we have a zero-day remote code execution bug with local privilege escalation \u2014 that&#8217;s <strong>BAD<\/strong>. A remote computer could run arbitrary code with <code>SYSTEM<\/code> privileges (Windows&#8217; equivalent of <code>root<\/code> on POSIX OSes). This is when Twitter starts to fill with flow charts trying to explain exactly what configurations do and don&#8217;t lead to remote code execution. 
Do you have to disable the entire print spooler, or can you get away with just tweaking some registry keys? It got really confusing really quickly, and the advice seemed to change every few hours as security researchers found ever more ways of triggering the bugs.<\/p>\n<p>After a while, things simplified greatly when a mechanism was discovered to trigger RCE so reliably that the only defence was to completely disable the print spooler. There were lots of jokes about the new flow chart being the simplest ever \u2014 just one decision box leading to two answers: &#8220;is print spooler enabled? Yes, then vulnerable; No, then safe&#8221;.<\/p>\n<p>Microsoft were now in full crisis mode and coming under a lot of pressure, so they rushed out an emergency (<em>&#8216;out of band&#8217;<\/em>) patch they said fixed the problem. Cue more joke flow charts \u2014 again, one decision box leading to two answers: &#8220;have you patched? Yes, then safe; No, then vulnerable&#8221;. Great!<\/p>\n<p>By the next morning, Irish time, confusion reigned again \u2014 security researchers had found combinations of settings that were vulnerable to RCE even on systems with the emergency patches! The flow charts started to become so complicated again that the security community just threw up their collective hands and gave up \u2014 the advice everywhere was <em>&#8220;patch as quickly as you can, but assume that&#8217;s not enough and disable the print spooler too&#8221;<\/em>. In fact, most went even further, advising that on servers you make the group policy disabling the print spooler permanent. Clearly, this is a dangerous attack surface, and since most servers have no need for a print spooler, just get rid of it and reduce the attack surface going forward.<\/p>\n<p>As I type this, that&#8217;s where the story stands. 
Goodness knows what else has happened between then and when you read this &#x1f642;<\/p>\n<h3>Links<\/h3>\n<ul>\n<li>US-CERT&#8217;s Advisory on PrintNightmare \u2014 <a href=\"https:\/\/us-cert.cisa.gov\/ncas\/current-activity\/2021\/06\/30\/printnightmare-critical-windows-print-spooler-vulnerability\">us-cert.cisa.gov\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/06\/30\/printnightmare-the-zero-day-hole-in-windows-heres-what-to-do\/\">PrintNightmare, the zero-day hole in Windows \u2013 here\u2019s what to do \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/07\/07\/printnightmare-official-patch-is-out-update-now\/\">PrintNightmare official patch is out \u2013 update now! \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/krebsonsecurity.com\/2021\/07\/microsoft-issues-emergency-patch-for-windows-flaw\/\">Microsoft Issues Emergency Patch for Windows Flaw \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Deep Dive 2 \u2014 Audacity&#8217;s Fall &#x1f641;<\/h2>\n<p>This week Audacity broke into the more mainstream tech news because of a change in their privacy policy which allows them to collect users&#8217; activities on the popular open source audio editor and to store and share that data, including IP address, with others, including law enforcement agencies and potential buyers. For the first 24 hours the data would be stored as-is, and then after that, it would be pseudonymised. 
Basically, each time a user would open the audio editor to edit a podcast or whatever, the app would phone home and the activity would be logged, and for a day, tied to the user&#8217;s IP.<\/p>\n<p>The data would be primarily stored in the EEA (EU plus some affiliated countries like Switzerland), which is something at least, since it brings GDPR obligations, but the policy also states some data will be transferred to the company&#8217;s HQ in Russia, and to their attorneys in the US.<\/p>\n<p>Because tracking the personally identifiable information of kids is a problem under the GDPR (it comes with a lot of responsibilities), the terms of use have also been updated to state that users must be over 13 to use the app. This is a problem for an app used in many schools, and probably violates the GPL license the code was created under.<\/p>\n<p>Needless to say, there was an immediate backlash, and some security tools even started listing the app as spyware! The company have responded, saying it&#8217;s just poor language choice, and they&#8217;ll have another go at drafting a clearer, more restrained policy. They also said the actual data collected would be quite limited, just OS &amp; version, processor type, IP address, and optionally, error reports.<\/p>\n<p>The company didn&#8217;t address the age restriction at all.<\/p>\n<p>What happened this week is not the start of a new controversy; it&#8217;s actually the third, and so far most egregious, chapter of a longer-running story that&#8217;s been bubbling within the open source community for a few months.<\/p>\n<p>Once upon a time \u2026 err \u2026 no, back in May, a company named Muse bought Audacity (the code is open source, but it still has a copyright, so owning it means you can release it under other licenses too, and open source licenses don&#8217;t cover things like service marks and trademarks. This is why open source software can be, and often is, owned by for-profit companies. E.g. 
RedHat own RHEL &amp; CentOS, and Canonical own Ubuntu).<\/p>\n<p>The original blog post announcing the acquisition could probably be best described as tone-deaf, and it piqued the interest of some in the open source community in all the wrong ways. There was a lot of concern, but nothing bad had actually happened yet \u2026 <strong>Yet!<\/strong><\/p>\n<p>The first minor controversy was an update to a more restrictive contributor agreement for anyone contributing code to the open source project in the future. The actual changes were not that bad, but the tone was off again, and more people started to get more worried. Would Muse be a good steward for this important open source project?<\/p>\n<p>The second controversy came a few weeks later when a commit showed up in the official Git repo adding <em>telemetry<\/em> to the upcoming release \u2014 the app would phone home with supposedly anonymous user activity data. Not the end of the world, but it seemed to validate people&#8217;s growing concerns.<\/p>\n<p>And then came this week&#8217;s new privacy policy!<\/p>\n<p>Thankfully, as an open source project the code can be forked, so a new audio editor with a new name can emerge from this. But someone will need to take on that work, and a big enough team will need to self-assemble to make the new project sustainable.<\/p>\n<p>The possibility of a fork is one of the best features of an open source license, but it&#8217;s by no means a foregone conclusion that a fork will work out well in reality. The fork can&#8217;t be called <em>Audacity<\/em>, that name belongs to Muse, and it&#8217;s that name that has all the reputation, so will regular people know they need to change to a new app? Will they find the new app?<\/p>\n<p>Years after MariaDB forked from MySQL, how many people have switched? 
Worse still, how many people are still using the effectively abandoned Open Office instead of the actively maintained and developed fork, Libre Office?<\/p>\n<p>This could still turn out well in one of two ways \u2014 Muse could see the light, change their attitude, and earn back the respect and trust of the open source community, or, a well organised and managed fork could emerge and gain wide-spread adoption, replacing the official Audacity out in the world.<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.imore.com\/audio-editing-app-audacity-hot-water-over-concerning-changes-its-privacy-policy\">Audio editing app Audacity is in hot water over concerning changes to its privacy policy \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.engadget.com\/audacity-data-collection-privacy-policy-muse-group-145857557.html\">Audacity owner will revise its privacy policy following spyware concerns \u2014 www.engadget.com\/\u2026<\/a><\/li>\n<li>&#x1f3a7; Good coverage of the story and its wider context (starting at 5:57): <a href=\"https:\/\/overcast.fm\/+R9mLAdSR8\/05:37\">Linux Action News 196 \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action, if any stories in this section are relevant to you there is some action you should take.<\/aside>\n<ul>\n<li><a href=\"https:\/\/restoreprivacy.com\/linkedin-data-leak-700-million-users\/\">New LinkedIn Data Leak Leaves 700 Million Users Exposed \u2014 restoreprivacy.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li>A cautionary tale illustrating the importance of using parental controls: <a href=\"https:\/\/www.imore.com\/parent-forced-sell-car-after-child-racks-1800-iphone-bill\">Parent forced to sell car after child racks up $1,800 App Store bill \u2014 
www.imore.com\/\u2026<\/a><\/li>\n<li>The password generator included in Kaspersky Password Manager was generating guessable passwords. It&#8217;s been fixed now, but users who used it to generate their passwords should reset them wherever they used them \u2014 <a href=\"https:\/\/donjon.ledger.com\/kaspersky-password-manager\/\">donjon.ledger.com\/\u2026<\/a><\/li>\n<li>&#x1f1e7;&#x1f1f7; Reporting has emerged that criminal gangs in Brazil are managing to steal money from iPhone owners via stolen iPhones without needing complex cracking technology. The details are still hazy, but the technique seems to depend on three things: (<a href=\"https:\/\/9to5mac.com\/2021\/07\/07\/brazilian-criminals-detail-how-they-gain-access-to-bank-accounts-from-stolen-iphones\/\">9to5mac.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.imore.com\/brazilian-iphone-thieves-reveal-trick-hack-devices-shocking-ease\">www.imore.com\/\u2026<\/a>)\n<ol>\n<li>Users not having a PIN on their SIM cards (and not having eSIMs)<\/li>\n<li>Users&#8217; Apple ID email addresses being discoverable online via social media profiles and posting<\/li>\n<li>Users storing passwords in unprotected places on their phones like the Notes app.<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.macobserver.com\/news\/private-search-neeva-launch\/\">Ad-Free, Private Search Engine \u2018Neeva\u2019 Launches for $4.95 per Month \u2014 www.macobserver.com\/\u2026<\/a><\/li>\n<li>&#x1f1e9;&#x1f1ea; (from Allison) <a href=\"https:\/\/techcrunch.com\/2021\/07\/01\/german-government-bodies-urged-to-remove-their-facebook-pages-before-next-year\/\">German government bodies urged to remove their Facebook Pages before next year \u2014 techcrunch.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Excellent Explainers<\/h2>\n<aside class=\"small-aside\">High-quality content explaining a security concept of some kind.<\/aside>\n<ul>\n<li><a 
href=\"https:\/\/www.intego.com\/mac-security-blog\/a-parents-guide-to-protecting-kids-privacy-on-social-media\/\">A Parent&#8217;s Guide to Protecting Kids&#8217; Privacy on Social Media &#8211; The Mac Security Blog \u2014 www.intego.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.intego.com\/mac-security-blog\/guide-to-in-app-purchases\/\">A Parent&#8217;s Guide to In-App Purchases on iOS, iPadOS, and macOS &#8211; The Mac Security Blog \u2014 www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li><a href=\"https:\/\/digiday.com\/marketing\/how-apples-private-relay-could-be-the-beginning-of-the-end-for-fingerprinting-on-ios-devices\/\">How Apple\u2019s Private Relay could be the beginning of the end for fingerprinting on iOS devices \u2014 digiday.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.imore.com\/apples-app-tracking-transparency-rules-are-pushing-advertisers-android\">Apple&#8217;s App Tracking Transparency rules are pushing advertisers to Android \u2014 www.imore.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2021\/07\/09\/where-do-all-those-cybercrime-payments-go\/\">Where do all those cybercrime payments go? 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything up-beat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>&#x1f3a7; A riveting podcasting mini-series that weaves together so many of the big security news stories we&#8217;ve covered in this segment over the years: <a href=\"https:\/\/overcast.fm\/+smMPm01LA\">Introducing The Lazarus Heist \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A 
<strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. The Western Digital story from last time has continued to evolve: More devices are affected: Another 0-Day Looms for Many Western Digital Users \u2013 Krebs on Security \u2014 krebsonsecurity.com\/\u2026 But there have also been [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[4673,4674,1899,4672,50,569,2003,13,1968],"class_list":["post-23969","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-audacity","tag-fork","tag-open-source","tag-print-spooler","tag-security","tag-security-bits","tag-vulnerabilities","tag-windows","tag-zero-day"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/
v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=23969"}],"version-history":[{"count":3,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23969\/revisions"}],"predecessor-version":[{"id":23972,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/23969\/revisions\/23972"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=23969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=23969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=23969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}