{"id":28051,"date":"2023-04-02T11:30:14","date_gmt":"2023-04-02T18:30:14","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=28051"},"modified":"2023-04-06T11:01:24","modified_gmt":"2023-04-06T18:01:24","slug":"sb-2023-04-24","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/04\/sb-2023-04-24\/","title":{"rendered":"Security Bits \u2014 2 April 2023"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>&#x1f1e6;&#x1f1f9; &#x1f1e7;&#x1f1ea; &#x1f1ee;&#x1f1f9; &#x1f1f1;&#x1f1fa; &#x1f1f3;&#x1f1f1; &#x1f1f5;&#x1f1f9; <a href=\"https:\/\/appleinsider.com\/articles\/23\/03\/27\/apple-expands-emergency-sos-via-satellite-to-six-more-countries\">Apple expands Emergency SOS via satellite to six more countries \u2014 appleinsider.com\/\u2026<\/a> (Austria, Belgium, Italy, Luxembourg, the Netherlands &amp; Portugal)<\/li>\n<\/ul>\n<h2>Deep Dive \u2014 Two <em>aCropalypses<\/em><\/h2>\n<p><em><strong>TL;DR<\/strong> \u2014 the <em>markup<\/em> tool on Google Pixel phones and the <em>Snip and Sketch App<\/em> in Windows 10 &amp;  <em>Snipping Tool<\/em> on Windows 11 left data behind after cropping PNGs that may allow the image to be un-cropped later, but the act of uploading to social media sites should inadvertently fix the problem.<\/em><\/p>\n<p>Google&#8217;s Pixel phones offer a <em>markup<\/em> feature in their image editing app that&#8217;s not part of stock Android. If users used this feature to crop PNG images, they are at risk from a potentially privacy-destroying bug. This crop feature did visually remove the excess pixels, but under the hood, much of the original data was unintentionally preserved. 
This wasn&#8217;t intentional lossless editing or anything like that; this was a bug caused by poor file handling.<\/p>\n<p>The markup tool did not create a new file for the edited version of the image, but simply saved the new data over the old data in the same file. Cropped images have less data than uncropped images, so this meant a chunk of the original data was left unchanged at the end of the file. Because the PNG format uses a special sequence to mark the end of the image data, the leftovers at the end of the file don&#8217;t cause any problems displaying the images. But that leftover data is still in PNG format, so it can easily be re-constructed and added back into the image, un-cropping it, and revealing whatever it is the user was trying to remove. PNG is a graphics format, so the camera won&#8217;t use it to save photos, but it is the preferred format for screenshots, so that&#8217;s where the biggest risk is. A very common reason to crop a screenshot is to remove information you don&#8217;t want to share, hence the potential privacy problem!<\/p>\n<p>Once the Pixel bug was published, it didn&#8217;t take long for security researchers to start testing other image editors, and soon enough two more problem tools were found \u2014 the Windows 11 <em>Snipping Tool<\/em> (not the Windows 10 one), and the Windows 10 <em>Snip &amp; Sketch<\/em> app. 
Note that the venerable <em>Paint<\/em> app is not vulnerable &#x1f642;<\/p>\n<p>This bug appears to go back to the very origins of these tools, so any screenshot cropped on a Pixel phone or with the Windows <em>Snip &amp; Sketch<\/em> or <em>Snipping Tool<\/em> is likely affected.<\/p>\n<p>One silver lining to this pretty depressing cloud is that most social media sites re-encode the images users upload to reduce their file size and save themselves some money, and as luck would have it, that kind of re-encoding will ignore all data after the end-of-image marker in PNGs, removing the leaked data.<\/p>\n<p>For similar reasons, a <em>Save As<\/em> rather than a simple <em>Save<\/em> will also work around the issue.<\/p>\n<p>Google has patched their Pixel phones, and while Microsoft have fixed their tools, they&#8217;re not proactively pushing the patches via software update, so users need to manually update the apps via the Microsoft store. If you use any of these tools to crop screenshots, <em>&#8216;patchy-patchy-patch-patch&#8217;<\/em> &#x1f642;<\/p>\n<h3>Links<\/h3>\n<ul>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/03\/21\/google-pixel-phones-had-a-serious-data-leakage-bug-heres-what-to-do\/\">Google Pixel phones had a serious data leakage bug \u2013 here\u2019s what to do! 
\u2014 nakedsecurity.sophos.com\/\u2026<\/a> (a great explanation with a fun retro analogy)<\/li>\n<li><a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/03\/27\/microsoft-assigns-cve-to-snipping-tool-bug-pushes-patch-to-store\/\">Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>&#x2757; Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action; if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Apple have patched their legacy Mac &amp; iPhone\/iPad OSes to address critical bugs, <strong>including a zero-day bug in WebKit<\/strong> \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/23\/03\/27\/ios-1574-macos-monterey-1264-macos-big-sur-1175-all-get-security-updates\">appleinsider.com\/\u2026<\/a> &amp; <a href=\"https:\/\/www.cultofmac.com\/810707\/ios-15-7-4-ipados-updates-fix-serious-security-problems\/\">www.cultofmac.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li><a href=\"https:\/\/appleinsider.com\/articles\/23\/03\/24\/on-april-1-all-a-twitter-blue-checkmark-will-mean-is-the-user-is-paid\">Starting April 1, all a Twitter blue checkmark will mean is the user is paid \u2014 appleinsider.com\/\u2026<\/a><\/li>\n<li>&#x1f1ec;&#x1f1e7; <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/03\/28\/cops-use-fake-ddos-services-to-take-aim-at-wannabe-cybercriminals\/\">Cops use fake DDoS services to take aim at wannabe cybercriminals \u2014 nakedsecurity.sophos.com\/\u2026<\/a> &amp; <a href=\"https:\/\/krebsonsecurity.com\/2023\/03\/uk-sets-up-fake-booter-sites-to-muddy-ddos-market\/\">UK Sets Up Fake Booter Sites To Muddy DDoS Market \u2014 krebsonsecurity.com\/\u2026<\/a><\/li>\n<li><a href=\"https:\/\/www.cultofmac.com\/810956\/wozniak-musk-and-leading-researchers-urge-pause-on-out-of-control-ai-dev\/\">Wozniak, Musk and leading researchers urge pause on \u2018out of control\u2019 AI \u2014 
www.cultofmac.com\/\u2026<\/a>\n<ul>\n<li><strong>Related:<\/strong> A timely reminder that AI chatbots hallucinate \u2014 Google&#8217;s Bard rather embarrassingly <strong>wrongly<\/strong> told a Microsoft Bing engineer that it was trained on Gmail data \u2014 <a href=\"https:\/\/appleinsider.com\/articles\/23\/03\/21\/no-google-bard-is-not-trained-on-gmail-data\">appleinsider.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Interesting Insights<\/h2>\n<aside class=\"small-aside\">High-quality opinion and editorial content recommended by Bart.<\/aside>\n<ul>\n<li>&#x1f3a7; A deep conversation with the CEO of Mastodon that gives a good insight into the way the platform is being designed, developed, and run: <a href=\"https:\/\/overcast.fm\/+QLdtV6ow8\">Decoder with Nilay Patel: Can Mastodon seize the moment from Twitter? \u2014 overcast.fm\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Just Because it&#8217;s Cool &#x1f60e;<\/h2>\n<aside class=\"small-aside\">Stories that are not important, that don&#8217;t require you to do anything, and that you don&#8217;t even have to worry about.<\/aside>\n<p>Researchers at <em>the Ruhr University Bochum<\/em> and <em>the Max Planck Institute for Security and Privacy<\/em> have released details of an algorithm they developed to find hardware changes in printed silicon chips. 
This could prove a very valuable weapon in protecting organisations from supply-chain attacks \u2014 <a href=\"https:\/\/www.hackster.io\/news\/researchers-spot-silicon-level-hardware-trojans-in-chips-release-their-algorithm-for-all-to-try-ba00bbd56248\">www.hackster.io\/\u2026<\/a> (via the NosillaCast community)<\/p>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li>The best tribute I read: <a href=\"https:\/\/nakedsecurity.sophos.com\/2023\/03\/27\/in-memoriam-gordon-moore-who-put-the-more-in-moores-law\/\">In Memoriam \u2013 Gordon Moore, who put the more in \u201cMoore\u2019s Law\u201d \u2014 nakedsecurity.sophos.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link it is the title of the page being linked to, when the text describing a link is not part of the link it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">&#x1f3a7;<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x2757;<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or, the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4ca;<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f9ef;<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on 
fire&#8221;<\/em> &#x1f642;<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4b5;<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f4cc;<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">&#x1f3a9;<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. &#x1f1e6;&#x1f1f9; &#x1f1e7;&#x1f1ea; &#x1f1ee;&#x1f1f9; &#x1f1f1;&#x1f1fa; &#x1f1f3;&#x1f1f1; &#x1f1f5;&#x1f1f9; Apple expands Emergency SOS via satellite to six more countries \u2014 appleinsider.com\/\u2026 (Austria, Belgium, Italy, Luxembourg, the Netherlands &amp; Portugal) Deep Dive \u2014 Two aCropalypses TL;DR \u2014 the 
[&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":19030,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[5785,4408,5784,233,50,569,5786,434,5787],"class_list":["post-28051","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-acropalypses","tag-crop","tag-emergency-sos","tag-microsoft","tag-security","tag-security-bits","tag-snipping-tool","tag-windows-10","tag-windows-11"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2019\/08\/security_bits_logo_400px_no_alpha.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/28051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=28051"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/28051\/revisions"}],"predecessor-version":[{"id":28053,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/28051\/revisions\/28053"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/19030"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=28051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"
href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=28051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=28051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}