Authorities serve Apple a warrant for Texas shooter’s iPhone

Two weeks ago today, 26 people were killed by a gunman at First Baptist Church in Sutherland Springs, Texas. Two phones were discovered at the scene: an older push-button LG and what local news described as a “blood spattered” Apple iPhone SE. Now local law enforcement has served Apple with a search warrant in order to retrieve information from the smartphone. The news has echoes of…

Microsoft patches Equation Editor flaw without fixing the source code

When a company like Microsoft needs to fix a security flaw in one of its products, the process is normally straightforward: determine where the bug lies, change the program’s source code to fix the bug, and then recompile the program. But it looks like the company had to step outside this typical process for one of the flaws it patched this Tuesday. Instead of fixing the source code, it appears that the company’s developers made a series of careful changes directly to the buggy program’s executable file.

Bug CVE-2017-11882 is a buffer overflow in the ancient Equation Editor that comes with Office. The Equation Editor allocates a fixed-size piece of memory to hold a font name and then copies the font name from the equation file into this piece of memory. It doesn’t, however, check to ensure that the font name will fit into this piece of memory. When provided with a font name that’s too long, the Equation Editor overflows the buffer, corrupting its own memory, and an attacker can use this to execute arbitrary malicious code.

Normally the work to fix this would be to determine the length of the font name and create a buffer that’s big enough to hold it. It’s a simple enough change to make in source code. If that’s not possible—there are occasional situations where a buffer can’t easily be made bigger—then the next best solution is to limit the amount of data copied to it, truncating the font name if it’s too long to fit. Again, this is a simple change to make in the source code.
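The unchecked copy described above next to the truncating fix, as an added example; it is not Microsoft's code, and the structure, function names and 32-byte buffer size are assumptions made for illustration:

```c
#include <stdio.h>
#include <string.h>

#define FONT_NAME_CAP 32   /* assumed size; the article gives no figure */

/* Hypothetical record, not Equation Editor's real layout. */
struct font_record {
    char name[FONT_NAME_CAP];
    int  style;            /* neighbour that an overflow would corrupt */
};

/* The flawed pattern: copies until NUL, never checks the destination size. */
static void set_font_name_unchecked(struct font_record *r, const char *src)
{
    strcpy(r->name, src);  /* writes past name[] if src has 32+ characters */
}

/* The truncating fix: copy at most FONT_NAME_CAP - 1 bytes and terminate.
 * src_len bounds the read too, since file data may lack a NUL.
 * Returns 1 if the name was truncated, 0 otherwise. */
static int set_font_name_bounded(struct font_record *r,
                                 const unsigned char *src, size_t src_len)
{
    const unsigned char *nul = src_len ? memchr(src, '\0', src_len) : NULL;
    size_t n = nul ? (size_t)(nul - src) : src_len;
    int truncated = n > FONT_NAME_CAP - 1;

    if (truncated)
        n = FONT_NAME_CAP - 1;
    if (n)
        memcpy(r->name, src, n);
    r->name[n] = '\0';
    return truncated;
}

int main(void)
{
    struct font_record r = { "", 7 };
    unsigned char long_name[100];          /* constructed oversized input */
    int t;

    set_font_name_unchecked(&r, "Arial");  /* safe only because it fits */
    memset(long_name, 'A', sizeof long_name);
    t = set_font_name_bounded(&r, long_name, sizeof long_name);
    printf("truncated=%d len=%zu style=%d\n", t, strlen(r.name), r.style);
    return 0;
}
```

The return value lets the caller log or reject a truncated name instead of silently accepting it.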


Germany bans smartwatches for kids over spying concerns

Germany’s Federal Network Agency (Bundesnetzagentur) issued a blanket ban on smartwatches aimed at children this week — and asked parents who’d already purchased such a device to destroy them, for good measure. The aggressive move is a response to growing privacy concerns surrounding devices aimed at minors.

Forever 21 tells customers that some credit card numbers may have been stolen

This week, the clothing retailer Forever 21 disclosed to customers that it was hacked earlier in 2017. While the company has not yet offered many details about the intrusion, we know that it is looking into a portion of credit card transactions between March 2017 and October 2017 that were conducted over machines that appear to have been insecure. “Because of the encryption and…

Call to ban sale of IoT toys with proven security flaws

Ahead of 2017’s present buying season, UK consumer rights group Which? has warned parents about the risks of giving connected toys to their children, and called for devices with known security and/or privacy risks to be banned from sale on kids safety grounds.

Firefox’s major Quantum upgrade now rolling out to everyone

Mozilla is working on a major overhaul of its Firefox browser, and with the general release of Firefox 57 today, has reached a major milestone. The version of the browser coming out today has a sleek new interface and, under the hood, major performance enhancements, with Mozilla claiming that it’s as much as twice as fast as it was a year ago. Not only should it be faster to load and render pages, but its user interface should remain quick and responsive even under heavy load with hundreds of tabs.

Collectively, the performance work being done to modernize Firefox is called Project Quantum. We took a closer look at Quantum back when Firefox 57 hit the developer channel in September, but the short version is, Mozilla is rebuilding core parts of the browser, such as how it handles CSS stylesheets, how it draws pages on screen, and how it uses the GPU.

This work is being motivated by a few things. First, the Web has changed since many parts of Firefox were initially designed and developed: pages are more dynamic in structure, applications are richer and more graphically intensive, and JavaScript is more complex and difficult to debug. Second, computers now have many cores and simultaneous threads, giving them much greater scope to work in parallel. And security remains a pressing concern, prompting the use of new techniques to protect against exploitation. Some of the rebuilt portions are even using Mozilla’s new Rust programming language, which is designed to offer improved security compared to C++.


You probably don’t need to worry about someone hacking your iPhone X’s Face ID with a mask

Touted as the iPhone X’s new flagship form of device security, Face ID is a natural target for hackers. Just a week after the device’s release, Vietnamese research team Bkav claims to have cracked Apple’s facial recognition system using a replica face mask that combines printed 2D images with three-dimensional features. No one really knows how legitimate this purported hack is.

Senators push to ditch social security numbers in light of Equifax hack

Eyeing more secure alternatives to social security numbers, lawmakers in the U.S. are looking abroad. Today, the Senate Commerce Committee questioned former Yahoo CEO Marissa Mayer, Verizon Chief Privacy Officer Karen Zacharia, and both the current and former CEOs of Equifax on how to protect consumers against major data breaches. The consensus was that social security numbers have got to…