Friday Quick Notes

Breaking from my usual theme of one day, one story, here are a few quick notes for you to ponder over the weekend.

In a story that no one saw coming, Adobe is going to patch a critical zero-day flaw that is being exploited in the wild. Next week. In fairness to Adobe, they do have to develop, package and test the fixes, so it does take some time, but it doesn’t take the attackers as long to exploit the problem.

I thought I had uninstalled Flash on my machines, but after the announcement today I looked and it was back again. I don’t remember reinstalling it, so maybe some Microsoft update installed it. Find details on the zero-day here. As of yesterday, this was being exploited in Korea, but likely, as of tomorrow, it will be worldwide.

People like to beat up Google and Android as not being as safe as iPhones and, in fairness, beating them up is fun and often accurate. Still, Google is sensitive to being criticized. They just announced that they removed 700,000 apps from the Google store in 2017. That’s a lot. In fact, it is up 70% from the year before. While nothing is perfect, pulling 700,000 apps is a lot of work. Read the details here. In an even more encouraging statistic, 99% of the apps were removed before anyone could download and install them. They also identified 100,000 malicious developers and blocked them from the Google store. Go Google!

Researchers have found a new flaw in Oracle’s Micros point-of-sale (POS) system, which is used by 200,000 restaurants and 30,000 hotels in 180 countries. There is a patch for it, but as we discovered with the Equifax breach, people don’t always install patches. In the case of restaurants and hotels, when, exactly, do you want to take down your point-of-sale system to patch it? The result is that many of these systems will never be patched. Read the details here. Note that this site may require you to create a free account.

In a move that I would label “It’s about time”, starting March 1, 2018, Microsoft’s anti-malware tool will bully the bullies. Those software tools that claim to have detected a virus and, for only $99 or whatever, will remove it for you – Microsoft will label them malware and fix the problem for you – by deleting those apps. Yeah, Microsoft. Read the details here.

Cybersecurity researchers at Ben Gurion University of the Negev say that medical imaging devices like CT scanners are at risk. At risk of killing patients, if a hacker wanted to, by hacking the PC that controls the scanner and changing the radiation level. Hackers could also hold the imaging devices for ransom – taking them out of service until the ransom is paid or the hospital figures out some other solution. Apparently, the ransom thing has already happened; the killing part has only happened to a mannequin. At least that people are willing to fess up to. Read the story here.


The Challenge of Meltdown and Spectre

The twin bugs of Meltdown and Spectre are a once-in-a-career event for security pros.

Most bugs are found quickly – these have been around for 20+ years.

Most bugs affect one hardware platform, like Intel or AMD, or are not related to any specific hardware device. Spectre affects every modern computing processor, from the highest-end Intel chip to the ARM chips powering all phones.

Most bugs affect one operating system, such as Windows or iOS. These bugs affect Windows, macOS, Linux and other operating systems.

Finally, most bugs are relatively easily fixed once they are found. Spectre requires, basically, new chip designs to truly fix it.

Worse yet, researchers wrote about these problems in 1992. At the time, people figured this was too hard to exploit, so no one would try. We have already seen proof-of-concept exploits on the web.

In general, the Meltdown bug is fixable in software; to completely fix Spectre requires changes to the hardware, but software changes will make exploiting Spectre more difficult.

I am pretty diligent about applying patches, so I figured I was protected at least against Meltdown and possibly against Spectre.

Today I installed InSpectre (available at https://www.grc.com/inspectre.htm). After running it, I received this message (note there is a lot of explanatory commentary when you scroll down):

I was pretty surprised.

I checked to see if I had any pending updates and I did not.  I looked at the updates that had been installed and the January cumulative update had not been installed, but I could not see any reason why.

I eventually did find a link to download it manually and was able to install it.  The install went perfectly and did not exhibit any of the negative symptoms (like a blue screen of death) that some users had experienced early on.

After installing the patch, I ran InSpectre again and got this message:

So I guess I am making progress, but it is not complete.

This free utility, written by long-time security industry expert Steve Gibson, is available on his web site; you might want to see if you are really protected. Or not.
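If you would rather check the same thing from the command line than trust a GUI tool, here is an added example (not part of the original post and not InSpectre’s code) that uses Microsoft’s own SpeculationControl PowerShell module. It assumes the module has been installed from the PowerShell Gallery and uses the property names the module returned in early 2018; later versions add more fields, which this check ignores.

```powershell
# Added example, not from the original post. Requires Microsoft's SpeculationControl module:
#   Install-Module SpeculationControl -Scope CurrentUser
# Run from an elevated PowerShell prompt so the kernel mitigation state is readable.
Import-Module SpeculationControl

function Get-MeltdownSpectreStatus {
    # Queries the OS for branch-target-injection (Spectre v2) and
    # kernel-VA-shadow (Meltdown) mitigation state. The cmdlet also prints
    # its own verbose report; this function reduces it to a yes/no summary.
    $s = Get-SpeculationControlSettings

    # Spectre v2 is only mitigated when the CPU microcode exposes the new
    # controls AND the OS patch is present AND it is actually enabled.
    $spectreV2 = $s.BTIHardwarePresent -and
                 $s.BTIWindowsSupportPresent -and
                 $s.BTIWindowsSupportEnabled

    # Meltdown: if the CPU is not affected, nothing is required; otherwise
    # kernel VA shadowing (the software fix) must be present and enabled.
    $meltdown = (-not $s.KVAShadowRequired) -or
                ($s.KVAShadowWindowsSupportPresent -and $s.KVAShadowWindowsSupportEnabled)

    [pscustomobject]@{
        SpectreV2Mitigated = [bool]$spectreV2
        MeltdownMitigated  = [bool]$meltdown
        # The two usual reasons a "fully patched" box still fails:
        MicrocodeMissing   = -not $s.BTIHardwarePresent            # needs firmware/BIOS update
        OsPatchMissing     = -not ($s.BTIWindowsSupportPresent -and
                                   $s.KVAShadowWindowsSupportPresent)  # cumulative update not applied
        # PCID lets the Meltdown fix run with less performance cost.
        PcidAccelerated    = [bool]$s.KVAShadowPcidEnabled
    }
}

Get-MeltdownSpectreStatus | Format-List
```

A machine that reports MeltdownMitigated as True but SpectreV2Mitigated as False with MicrocodeMissing True is in the same half-fixed state the post describes: the OS update is there, but the processor firmware update from the PC vendor is not.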