{"id":33332,"date":"2025-03-16T11:58:11","date_gmt":"2025-03-16T18:58:11","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=33332"},"modified":"2025-03-16T11:58:11","modified_gmt":"2025-03-16T18:58:11","slug":"sb-2025-03-16","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2025\/03\/sb-2025-03-16\/","title":{"rendered":"Security Bits \u2014 16 March 2025 \u2618\ufe0f"},"content":{"rendered":"<h2>Feedback &amp; Followups<\/h2>\n<aside class=\"small-aside\">Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time.<\/aside>\n<ul>\n<li>\ud83c\uddec\ud83c\udde7 \ud83c\uddfa\ud83c\uddf8 The UK&#8217;s secret campaign to compel Apple to break its iCloud Advanced Data Protection feature is reportedly continuing apace (still without official confirmation), with a hearing having apparently taken place in a secret court on Friday. Meanwhile, US lawmakers from both parties have formally complained to the UK and asked that the hearings be opened up to the public, and US government officials have reportedly been in contact with their British counterparts to raise their concerns \u2014 <a href=\"https:\/\/daringfireball.net\/linked\/2025\/03\/14\/us-lawmakers-letter-to-ipt\">daringfireball.net\/\u2026<\/a> &amp; <a href=\"https:\/\/www.macobserver.com\/news\/uk-and-us-officials-discuss-apple-encryption-dispute\/\">www.macobserver.com\/\u2026<\/a><br \/>\n<blockquote><p>\n  <em>&#8220;Given the significant technical complexity of this issue, as well as the important national security harms that will result from weakening cybersecurity defenses, it is imperative that the U.K.\u2019s technical demands of Apple\u2009\u2014\u2009and of any other U.S. companies\u2009\u2014\u2009be subjected to robust, public analysis and debate by cybersecurity experts. 
Secret court hearings featuring intelligence agencies and a handful of individuals approved by them do not enable robust challenges on highly technical matters.&#8221;<\/em> \u2014 from the letter sent by US lawmakers from both parties\n<\/p><\/blockquote>\n<\/li>\n<li>The VS Code extensions reported as malicious, which we praised Microsoft for removing from the VS Code Marketplace so quickly, have turned out not to be malicious after all, just a little neglected \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-apologizes-for-removing-vscode-extensions-used-by-millions\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>The suspicious code came from an outdated dependency left in the project by mistake. It was obfuscated, which is utterly inappropriate for a plugin to an IDE, but not malicious<\/li>\n<li>The developer has released completely rewritten versions of the plugins that remove the dependency entirely<\/li>\n<li>Microsoft have restored both the developer&#8217;s access to the marketplace and re-listed the plugins<\/li>\n<li>Microsoft have apologised to the developer for their <em>&#8216;overreaction&#8217;<\/em><\/li>\n<li>Microsoft are also updating their policies on obfuscated code<\/li>\n<li><strong>Editorial by Bart:<\/strong> I hope Microsoft don&#8217;t learn the wrong lesson \ud83d\ude15 \u2014 the problem is not that they acted quickly to remove the plugins, it&#8217;s that they jumped straight to accusations of malice before they had done enough investigation. 
They should suspend plugins immediately on suspicion, not accuse the developer of anything at that point, investigate, and then either restore or remove the plugins and the developer account depending on their findings.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Deep Dive(s)<\/h2>\n<h2>\u2757 Action Alerts<\/h2>\n<aside class=\"small-aside\">Calls to action: if any stories in this section are relevant to you, there is some action you should take.<\/aside>\n<ul>\n<li>Another Patch Tuesday has been and gone. Microsoft patched just 57 vulnerabilities, but an above-average seven of them were zero-days, so patch ASAP \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-march-2025-patch-tuesday-fixes-7-zero-days-57-flaws\/\">www.bleepingcomputer.com\/\u2026<\/a> &amp; <a href=\"https:\/\/isc.sans.edu\/diary\/rss\/31756\">isc.sans.edu\/\u2026<\/a>\n<ul>\n<li>One of the zero-days has been around a while \ud83d\ude41: <a href=\"https:\/\/www.bleepingcomputer.com\/news\/microsoft\/microsoft-patches-windows-kernel-zero-day-exploited-since-2023\/\">Microsoft patches Windows Kernel zero-day exploited since 2023 \u2014 www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Apple have patched just about everything: <a href=\"https:\/\/appleinsider.com\/articles\/25\/03\/11\/apple-seeds-security-updates-for-ios-1832-ipados-1832-macos-1532-visionos-232\">Apple seeds security updates for iOS 18.3.2, iPadOS 18.3.2, macOS 15.3.2, visionOS 2.3.2 \u2014 appleinsider.com\/\u2026<\/a>\n<ul>\n<li>One of the patches is particularly important: it hardens a recent fix for a WebKit zero-day that had been discovered in the wild, being used by presumed nation-state actors in very targeted attacks. 
The bug was so deep in WebKit that it was still present in Google&#8217;s Chrome, whose Blink rendering engine forked off from WebKit over a decade ago, so Google had to patch it too \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/apple-and-google-patch-zero-day-vulnerability-used-to-hack-iphones\/\">www.intego.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li><strong>Android Users who can Patch:<\/strong> Google have released the March patches for Android, fixing 43 vulnerabilities, including a zero-day being actively exploited by Serbian authorities to break into confiscated phones \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-fixes-android-zero-days-exploited-in-targeted-attacks\/\">www.bleepingcomputer.com\/\u2026<\/a><\/li>\n<li><strong>NosillaCastaways running servers:<\/strong> make sure that if you have the FreeType font-rendering library installed it&#8217;s patched \u2014 <a href=\"https:\/\/thehackernews.com\/2025\/03\/meta-warns-of-freetype-vulnerability.html\">thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Worthy Warnings<\/h2>\n<aside class=\"small-aside\">Potentially relevant warnings from government organisations, public interest groups, or the security community.<\/aside>\n<ul>\n<li><strong>Browser Plugin Users<\/strong> beware that cybersecurity researchers have demonstrated a new technique that allows a malicious browser extension to mimic legitimate extensions like password managers to steal credentials \u2013 the proof of concept was on Chrome, but in principle it could happen on any browser with a similar extension model \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/malicious-chrome-extensions-can-spoof-password-managers-in-new-attack\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li><strong>Editorial by Bart:<\/strong> yet another reason to minimise your use of browser plugins. 
Personally, I&#8217;ve decided to limit as many of my plugins as possible to Safari, because those plugins go through a full App Store Review like a regular app, which is definitely a step above what happens in the other browser plugin stores\/marketplaces<\/li>\n<\/ul>\n<\/li>\n<li><strong>Apple Users:<\/strong> beware of a wave of smishing (phishing over SMS) attacks targeting Apple users with subjects like <em>&#8220;Apple Approval Notice&#8221;<\/em> or <em>&#8220;Apple Pay Verification&#8221;<\/em> pretending to be notifications about expensive purchases and offering a number to call if you did not make the purchase. Remember, <strong>never call a number given in a text or email<\/strong>; use a number you sourced from somewhere trustworthy \u2014 <a href=\"https:\/\/www.macobserver.com\/tips\/dont-fall-for-the-apple-approval-notice-text-scam\/\">www.macobserver.com\/\u2026<\/a><\/li>\n<li><strong>iOS Users:<\/strong> beware of a new trick attackers have started to use to work around Apple&#8217;s link-blocking feature in Messages \u2013 Google redirects \u2014 <a href=\"https:\/\/www.intego.com\/mac-security-blog\/scammers-using-new-trick-in-phishing-text-messages-google-redirects\/\">www.intego.com\/\u2026<\/a>\n<ul>\n<li>As described before, Apple&#8217;s Messages app does not make links clickable in messages received from unknown senders, unless they point to well-trusted domains<\/li>\n<li>As we recently discussed, attackers had already started to work around this by telling users to reply <code>Y<\/code> and then click the link, because replying tells Messages this is someone you want to communicate with, so it lowers its shields<\/li>\n<li>This new approach abuses Apple&#8217;s trust in Google: the link in the text points at google.com, which Messages treats as trusted, but the URL carries a redirect to the attacker&#8217;s site. To their credit, Google does not blindly redirect; it shows the user a standard interception page clearly stating they are being redirected. 
But a user who believes the SMS is likely to click straight past that page, so the attackers have still got what they wanted: a tappable link that lands the victim on the phishing page<\/li>\n<\/ul>\n<\/li>\n<li>\ud83c\uddfa\ud83c\uddf8 <strong>US Residents:<\/strong> beware of a huge spike in smishing attacks related to unpaid parking fees targeting area codes around major US cities \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-cities-warn-of-wave-of-unpaid-parking-phishing-texts\/\">www.bleepingcomputer.com\/\u2026<\/a> (a new variant on the ever-popular <em>&#8220;unpaid tolls&#8221;<\/em> trope that seems to plague most of the western world, even little old Ireland, where the much-hated M50 tolls are an evergreen lure)<\/li>\n<\/ul>\n<h2>Notable News<\/h2>\n<ul>\n<li>\ud83e\uddef Undocumented commands have been found in a cheap Wi-Fi\/Bluetooth microcontroller (Espressif&#8217;s ESP32) used in over a billion IoT devices, but despite initial over-the-top headlines, these are not a <em>&#8216;back door&#8217;<\/em>, nor are they malicious \u2014 <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices\/\">www.bleepingcomputer.com\/\u2026<\/a>\n<ul>\n<li>The vendor, Espressif, have formally responded, and their response confirms the more sober analyses that were already competing with the shouty over-the-top headlines \u2014 <a href=\"https:\/\/www.espressif.com\/en\/news\/Response_ESP32_Bluetooth\">www.espressif.com\/\u2026<\/a><\/li>\n<li>These are vendor-specific debugging commands on the chip&#8217;s Bluetooth host-controller interface (HCI); they can only be issued by software already running on the device itself, not over the Bluetooth radio<\/li>\n<li>There does not seem to be any kind of attack vector that does not start with <em>&#8220;if you have root access on the device \u2026&#8221;<\/em> or <em>&#8220;if you can connect to the physical pins on the chip \u2026&#8221;<\/em><\/li>\n<li><strong>Maybe<\/strong> this will develop into a real 
vulnerability when researchers study it more, but it doesn&#8217;t look that way, and for now there is definitely <strong>no need for NosillaCastaways to worry about this at all<\/strong>!<\/li>\n<\/ul>\n<\/li>\n<li>The <a href=\"https:\/\/en.wikipedia.org\/wiki\/GSMA\">GSMA<\/a> (GSM Association, the mobile operators&#8217; industry body that maintains the RCS Universal Profile) has formally approved an open cross-platform standard for End-to-End Encryption over the RCS messaging protocol (based on the IETF&#8217;s open <a href=\"https:\/\/en.wikipedia.org\/wiki\/Messaging_Layer_Security\">MLS protocol<\/a>, RFC 9420) \u2014 <a href=\"https:\/\/thehackernews.com\/2025\/03\/gsma-confirms-end-to-end-encryption-for.html\">thehackernews.com\/\u2026<\/a>\n<ul>\n<li>Apple have said they will add it to their Messages app in an upcoming update \u2014 <a href=\"https:\/\/arstechnica.com\/gadgets\/2025\/03\/rcs-texting-updates-will-bring-end-to-end-encryption-to-green-bubble-chats\/\">arstechnica.com\/\u2026<\/a><\/li>\n<\/ul>\n<\/li>\n<li>Google are continuing to leverage AI in their fight against scammers \u2014 their latest Android update adds an on-device AI model that scans messages from senders not in the user&#8217;s contact list for common scam patterns and warns users if a conversation looks like it might be a scam \u2014 <a href=\"https:\/\/thehackernews.com\/2025\/03\/google-rolls-out-ai-scam-detection-for.html\">thehackernews.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Palate Cleansers<\/h2>\n<aside class=\"small-aside\">Anything upbeat and nerdy Bart and\/or Allison think you might enjoy.<\/aside>\n<ul>\n<li><strong>From Allison:<\/strong> <a href=\"https:\/\/www.worldsciencefestival.com\/programs\/mind-the-gap-will-tiny-discrepancies-derail-cosmology\/\">Mind the Gap: Will Tiny Discrepancies Derail Cosmology? 
\u2014 www.worldsciencefestival.com\/\u2026<\/a><\/li>\n<\/ul>\n<h2>Legend<\/h2>\n<p>When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by <a href=\"https:\/\/bartb.ie\/\">Bart<\/a>.<\/p>\n<table>\n<thead>\n<tr>\n<th align=\"center\">Emoji<\/th>\n<th align=\"left\">Meaning<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td align=\"center\">\ud83c\udfa7<\/td>\n<td align=\"left\">A link to <strong>audio content<\/strong>, probably a podcast.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\u2757<\/td>\n<td align=\"left\">A <strong>call to action<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\"><em>flag<\/em><\/td>\n<td align=\"left\">The story is particularly relevant to people living in a <strong>specific country<\/strong>, or the organisation the story is about is affiliated with the government of a specific country.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcca<\/td>\n<td align=\"left\">A link to <strong>graphical content<\/strong>, probably a chart, graph, or diagram.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83e\uddef<\/td>\n<td align=\"left\">A story that has been <strong>over-hyped<\/strong> in the media, or, <em>&#8220;no need to light your hair on fire&#8221;<\/em> \ud83d\ude42<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udcb5<\/td>\n<td align=\"left\">A link to an article behind a <strong>paywall<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83d\udccc<\/td>\n<td align=\"left\">A <strong>pinned<\/strong> story, i.e. 
one to keep an eye on that&#8217;s likely to develop into something significant in the future.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa9<\/td>\n<td align=\"left\">A <strong><em>tip of the hat<\/em><\/strong> to thank a member of the community for bringing the story to our attention.<\/td>\n<\/tr>\n<tr>\n<td align=\"center\">\ud83c\udfa6<\/td>\n<td align=\"left\">A link to <strong>video content<\/strong>.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Feedback &amp; Followups Listener and community feedback, developments in recently covered stories, and developments in long-running stories we&#8217;re tracking over time. \ud83c\uddec\ud83c\udde7 \ud83c\uddfa\ud83c\uddf8 The UK&#8217;s secret campaign to compel Apple to break its iCloud Advanced Data Protection feature is reportedly continuing apace (still without official confirmation), with a hearing having apparently taken place in a [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":28385,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147,214],"tags":[50,569],"class_list":["post-33332","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","category-security-bits","tag-security","tag-security-bits"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/05\/Security-Bits-Logo_1040x520.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{
"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=33332"}],"version-history":[{"count":1,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33332\/revisions"}],"predecessor-version":[{"id":33333,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/33332\/revisions\/33333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/28385"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=33332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=33332"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=33332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
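The Google-redirect smishing trick described under Worthy Warnings above (a link that visibly points at google.com but carries the real destination in its query string) can be checked for statically. What follows is an added example for these show notes, not code from the post, from Apple, or from Google. It assumes the google.com/url?q=<destination> redirector shape the Intego article describes, and a constructed sample SMS; the REDIRECTORS table is an assumption you extend for any other redirector you want unwrapped, so the script generalises beyond the single Google case in the text.

```python
"""Statically unwrap a redirector link from an SMS and show where it really lands.

Added example; not code from the Security Bits post, Apple, or Google. Nothing is
fetched: the destination is recovered from the URL's own query string, which is
exactly how the google.com/url?q=... links in the article carry their target.
"""
import re
from urllib.parse import parse_qs, urlparse

# Assumption: redirector host -> (path prefix, query parameters that hold the target).
# The google.com entries are the form discussed in the article; extend as needed.
REDIRECTORS = {
    "google.com": ("/url", ("q", "url")),
    "www.google.com": ("/url", ("q", "url")),
}

_URL_RE = re.compile(r"""https?://[^\s<>"']+""")
_TRAILING_PUNCT = ".,;:!?)]'\""


def extract_links(text):
    """Return every http(s) URL in the text, trailing sentence punctuation stripped."""
    return [m.group(0).rstrip(_TRAILING_PUNCT) for m in _URL_RE.finditer(text)]


def unwrap(url, max_hops=5):
    """Follow redirect parameters embedded in a URL (no network access).

    Returns (final_url, hops); hops lists each redirector URL passed through.
    max_hops bounds the loop so a chain of nested redirects cannot spin forever.
    """
    hops = []
    for _ in range(max_hops):
        parts = urlparse(url)
        rule = REDIRECTORS.get(parts.netloc.lower())
        if rule is None or not parts.path.startswith(rule[0]):
            break
        query = parse_qs(parts.query)
        target = next((query[k][0] for k in rule[1] if k in query), None)
        if not target or not target.lower().startswith(("http://", "https://")):
            break  # no usable destination, so the redirector itself is the end
        hops.append(url)
        url = target
    return url, hops


def assess(sms_text):
    """For each link in an SMS, report the host shown versus the host reached."""
    findings = []
    for link in extract_links(sms_text):
        final_url, hops = unwrap(link)
        shown_host = urlparse(link).netloc.lower()
        final_host = urlparse(final_url).netloc.lower()
        findings.append({
            "link": link,
            "shown_host": shown_host,
            "final_host": final_host,
            "redirected": bool(hops) and shown_host != final_host,
        })
    return findings


# Constructed sample message (not a real smishing text); the phishing host uses
# the reserved .example TLD.
SAMPLE_SMS = (
    "Apple Pay: a charge of $899.00 is pending. If this was not you, review it at "
    "https://www.google.com/url?q=https%3A%2F%2Fappleid-verify.example%2Flogin&sa=D."
)

if __name__ == "__main__":
    for f in assess(SAMPLE_SMS):
        label = "REDIRECT" if f["redirected"] else "direct"
        print(f"{label:8} {f['shown_host']} -> {f['final_host']}  ({f['link']})")
```

Run it as a script and the sample line prints as a REDIRECT from www.google.com to appleid-verify.example. The practical lesson is the one the story makes: the domain a message displays, and the domain Messages trusts enough to make tappable, is not necessarily the domain you land on, and a redirector you cannot see through is worth treating as untrusted.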