vulnerabilities and vectors

It's worth mentioning that RingCentral web/video conferencing software also has the Zoom vulnerability. RingCentral conferencing is a white-label version of Zoom that is aimed at the small and mid-sized business market, and it is quite popular in the SMB space.

If you are responsible for maintaining systems with RingCentral installed, you'll want to review the availability of patches and whether other action should be taken.

You can disable the RingCentral vulnerability manually using steps that are analogous to (but not identical to) the Zoom remediation steps. TidBITS has more information:

 


Zoom has now updated their Mac client to fix this hole.
Release notes of 4.4.53932.0709:
Remove local web server
- We are discontinuing the use of a local web server on Mac devices. Following the update, the local web server will be completely removed from the Zoom installation.

Option to uninstall Zoom
- Zoom users can now uninstall the Zoom desktop application and all of its components through the settings menu.
 


Ric Ford

MacInTouch
Keyloggers and keystroke interception are obviously big issues when keyboards are used for vital authentication — passwords, etc.
Bleeping Computer said:
Logitech Unifying Receivers Vulnerable to Key Injection Attacks
Four new vulnerabilities were found to affect all of Logitech's Unifying USB receivers, which allow users to connect up to six different compatible Logitech wireless presentation remotes, mice, and keyboards to the same computer via a 2.4 GHz radio connection.

Security researcher Marcus Mengs discovered that the flaws are caused by Logitech dongles' outdated firmware and that they allow attackers with physical access to their targets' computers to exploit the bugs and launch keystroke injection attacks, record keystrokes, and take control of compromised systems.

Out of the four vulnerabilities found by Mengs, Logitech confirmed that they'll only fix two of them, with the rest to remain unpatched until the company has a change of mind in the future:

CVE-2019-13054 and CVE-2019-13055 - vulnerabilities that will get a patch in August 2019
CVE-2019-13052 and CVE-2019-13053 - vulnerabilities that won't be fixed

The CVE-2019-13054 (impacts Logitech R500, Logitech SPOTLIGHT) and CVE-2019-13055 (affects all encrypted Unifying devices with keyboard capabilities) security flaws that Logitech plans to patch allow attackers with physical access to the targeted machine to "actively obtain link encryption keys by dumping them from receiver of Unifying devices."

Exploiting CVE-2019-13055 was demonstrated by Mengs in a demo attack against a Logitech K360 keyboard through which he was able to dump AES keys and addresses from all paired devices, subsequently allowing for eavesdropping on and decrypting of Radio Frequency (RF) transmissions in real-time.
 


Ric Ford

MacInTouch
Here's another dangerous supply chain attack (fortunately thwarted by a very diligent security hero):
Sophos said:
Backdoor discovered in Ruby strong_password library

An eagle-eyed developer has discovered a backdoor recently sneaked into a library (or ‘gem’) used by Ruby on Rails (RoR) web apps to check password strength.

A close shave, then. While the Ruby scripting language and RoR aren’t as popular as they once were, they’re still embedded in numerous enterprise development environments, many of which might have used the default library, strong_password, in its infected version 0.0.7.

... This wasn’t a speculative attack – somebody thought about what they were doing and set out to insert the backdoor in a way that might not be noticed straight away.

It also fits a troubling pattern of recent targeting of Ruby libraries, including the RCE discovered inside the Bootstrap-Sass Ruby library in April.
 


Release notes of 4.4.53932.0709:
The Zoom updater is rather confusing. After I downloaded it, I clicked on the Zoom.pkg, saw an installer, clicked on it, told it to continue, then it disappeared and opened the Zoom app, which is labelled Version: 4.4.4 (53932.0709). Is that how it's supposed to work? I'm not seeing an actual installation process, as if it had already automatically been updated.
 


The Zoom updater is rather confusing. After I downloaded it, I clicked on the Zoom.pkg, saw an installer, clicked on it, told it to continue, then it disappeared and opened the Zoom app, which is labelled Version: 4.4.4 (53932.0709). Is that how it's supposed to work? I'm not seeing an actual installation process, as if it had already automatically been updated.
Open Terminal and enter the following command
Bash:
lsof -i :19421
If the command simply returns with the command prompt, the hidden web server is no longer running, and the update worked. Otherwise, see this TidBITS article for what to do:
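As an added example (not part of the original post, and not Zoom's or TidBITS' code), here is the `lsof` check above wrapped into a read-only script that also looks for a running ZoomOpener process and for the hidden folder it lived in. The thread names the port (19421) and the process (ZoomOpener); the `~/.zoomus` path is an assumption from the published remediation write-ups, not something stated in this thread. The constructed `lsof` sample in the block stands in for what an unpatched Mac would show and is not captured output.

```shell
#!/bin/sh
# Added example, not from the MacInTouch thread or from Zoom: a read-only check
# for the local web server that Zoom clients before 4.4.53932.0709 left running.
# It wraps the lsof check from the post, adds a process check for ZoomOpener,
# and looks for ~/.zoomus (assumption: the hidden folder ZoomOpener was
# installed in; the folder is not named anywhere in this thread).

ZOOM_PORT=19421                     # port named in the thread
ZOOM_HIDDEN_DIR="${HOME}/.zoomus"   # assumed location of the hidden folder

# listener_names: read lsof output on stdin, skip the header line, and print
# the COMMAND column of every line in LISTEN state. lsof truncates COMMAND to
# nine characters, so ZoomOpener appears as "ZoomOpene".
listener_names() {
  awk 'NR > 1 && $NF == "(LISTEN)" { print $1 }'
}

# port_listeners PORT: names of processes listening on TCP PORT, empty if none.
port_listeners() {
  lsof -nP -iTCP:"$1" -sTCP:LISTEN 2>/dev/null | listener_names
}

# sample_lsof_output: constructed lsof output (not captured from a real Mac)
# showing what an unpatched machine would produce for `lsof -i :19421`.
sample_lsof_output() {
  printf '%s\n' \
    'COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME' \
    'ZoomOpene  4242 alice    3u  IPv4 0xdeadbeefcafef00d      0t0  TCP 127.0.0.1:19421 (LISTEN)' \
    'zoom.us    4300 alice   12u  IPv4 0xdeadbeefcafef00e      0t0  TCP 127.0.0.1:49152->127.0.0.1:19421 (ESTABLISHED)'
}

# zoom_server_check: one line per finding; returns 0 if clean, 1 if anything
# Zoom-related is still present for the current user on this Mac.
zoom_server_check() {
  status=0
  names=$(port_listeners "$ZOOM_PORT")
  if [ -n "$names" ]; then
    echo "FOUND: listener on TCP $ZOOM_PORT: $names"; status=1
  else
    echo "ok: nothing listening on TCP $ZOOM_PORT"
  fi
  if pids=$(pgrep -x ZoomOpener 2>/dev/null) && [ -n "$pids" ]; then
    echo "FOUND: ZoomOpener running (pid $(echo "$pids" | tr '\n' ' '))"; status=1
  else
    echo "ok: no ZoomOpener process"
  fi
  if [ -d "$ZOOM_HIDDEN_DIR" ]; then
    echo "FOUND: hidden folder $ZOOM_HIDDEN_DIR still present"; status=1
  else
    echo "ok: no $ZOOM_HIDDEN_DIR folder"
  fi
  return $status
}

# Usage: sh zoom_server_check.sh --run
# The server and folder are per user account, so run it in each account.
if [ "${1:-}" = "--run" ]; then
  zoom_server_check
fi
```

Filtering on `-sTCP:LISTEN` is tighter than the plain `lsof -i :19421` in the post: it ignores established connections to the port and reports only the process that owns the socket, which is what you want when deciding whether the server is still there.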

 


Open Terminal and enter the following command
Bash:
lsof -i :19421
If the command simply returns with the command prompt, the hidden web server is no longer running, and the update worked. Otherwise, see this TidBITS article for what to do:
Michael, thanks for posting the link to TidBITS. While I no longer have Zoom installed on my main MacBook Pro, ZoomOpener was still running. I followed TidBITS' instructions to remove it from my account... now I'm off to check the other user accounts on this machine, as well the rest of the Macs in the house.
 


The Zoom updater is rather confusing. After I downloaded it, I clicked on the Zoom.pkg, saw an installer, clicked on it, told it to continue, then it disappeared and opened the Zoom app, which is labelled Version: 4.4.4 (53932.0709). Is that how it's supposed to work? I'm not seeing an actual installation process, as if it had already automatically been updated.
Yes, that is how the Zoom update process works. I've noticed a few other programs that update themselves similarly without launching a traditional installer program and without providing much in the way of notification that the update is either progressing or is successful. I'm not really a fan of the practice. A little user notification can go a long way.
 


This appears to have been accomplished with an update to the Apple Malware Removal Tool (MRT) to version 1.45:
TechCrunch said:
Apple has pushed a silent Mac update to remove hidden Zoom web server

Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

Apple said the update does not require any user interaction and is deployed automatically.
 


DFG

This appears to have been accomplished with an update to the Apple Malware Removal Tool (MRT) to version 1.45:
... I want to be in charge of updating my Mac, no matter what (the exception being maybe Gatekeeper updates). Can somebody explain what MRT is and what OS versions are affected?
 



Keyloggers and keystroke interception are obviously big issues when keyboards are used for vital authentication — passwords, etc.
Thanks for posting this, Ric.

Logitech's cavalier attitude with regard to the bugs they don't intend to fix leads me to conclude that their keyboards and remote controls (however impressive) are too big a security risk. I suppose a wireless mouse is somewhat less of a risk. I could be wrong about that.
 


The Mac Observer said:
An interesting concept and I like the idea of applying this to commercial apps you purchase or download.

My main concern is for the developer/hobbyist. If I compile code myself, I don't want to have to develop and implement an entire installer system just so I can run the app I wrote for myself to use on my own computer.

For example, I always compile my own version of GNU Emacs, because the one Apple bundles only runs in a Terminal window, and most binary downloads don't have it configured the way I like it. And it's a GUI application - and a pretty funky kind of installation (at least the way I set it up) with the bulk of the installation going in
/usr/local/package/emacs/
but with an application package
/Applications/Emacs.app
that contains a lot of symlinks to code in
/usr/local/package/emacs
(so I can launch the GUI app from a Terminal or from the Finder).

I'm sure any kind of "look out for suspicious application installations" heuristic would freak out upon witnessing an installation like that. So there needs to be a not-too-difficult way for me to tell macOS "yes, this is the way I want it" without having to develop an entire (and otherwise unnecessary) installer package.
 


Logitech's cavalier attitude with regard to the bugs they don't intend to fix leads me to conclude that their keyboards and remote controls (however impressive) are too big a security risk. I suppose a wireless mouse is somewhat less of a risk. I could be wrong about that.
Wireless security is hard to get right. And it can be expensive to fix things like this in old products, especially if a hardware dongle may need to be replaced in the process.

I wonder if Bluetooth devices might fare any better. Bluetooth has some pretty good security in the standard, but I don't know how well peripheral makers conform to the standard or how hard it might be to patch bugs in already-shipped devices.
 


So there needs to be a not-too-difficult way for me to tell macOS "yes, this is the way I want it" without having to develop an entire (and otherwise unnecessary) installer package.
I can definitely see that. But, rather than "not-too-difficult", I would say that such an override should, at a minimum, be sufficiently difficult that the average user isn't going to want to bother, even in the presence of "helpfully" provided instructions (see next paragraph). It needs to be restricted to those who clearly understand the consequences/implications of such a change. And in that case, let such a change be persistent.

If possible, it should also be done in such a way that some unscrupulous developer (who is developing software other than for his own use and merely wants to continue the status quo because he can't be bothered or simply doesn't care about the user's security) can't easily coach the user or automate the process "on the user's behalf." And I realize that it won't be possible to prevent every malicious situation. Lastly, let me be absolutely clear because I do not wish to offend you or anyone else: I am not including those who write for their own use in that group.

Security for the masses, while those like yourself who know what they are doing can continue to do as they wish unimpeded.
 


The following articles discuss open vulnerabilities in Logitech 2.4GHz wireless keyboards and mice. Some of this has been discussed previously here on MacInTouch; however, it looks like many have not patched their hardware, and there are new vulnerabilities, which may or may not be fixed, requiring additional patching in upcoming months. How you need to go about updating the firmware using a Mac for such devices is perhaps better discussed by owners of the products.
Marcus Mengs said:
Summary / Overview of known Logitech wireless peripheral vulnerabilities
There has been a ton of research on wireless input devices using proprietary 2.4 GHz radio technology. Lately, I reported some new vulnerabilities for Logitech devices, myself, and noticed that one could easily get confused by all those issues. So here is an attempt to clarify some things. This document focuses on Logitech devices only, as other vendors haven't been part of my own research.

In the context of attacks on Logitech devices, the device itself is often assumed to be vulnerable. Especially for keystroke injection attacks, this is not the case. The vulnerable part is the wireless receiver.
ZDNet said:
Logitech wireless USB dongles vulnerable to new hijacking flaws
A security researcher has publicly disclosed new vulnerabilities in the USB dongles (receivers) used by Logitech wireless keyboards, mice, and presentation clickers. The vulnerabilities allow attackers to sniff on keyboard traffic, but also inject keystrokes (even into dongles not connected to a wireless keyboard) and take over the computer to which a dongle has been connected.

When encryption is used to protect the connection between the dongle and its paired device, the vulnerabilities also allow attackers to recover the encryption key.

Furthermore, if the USB dongle uses a "key blacklist" to prevent the paired device from injecting keystrokes, the vulnerabilities allow the bypassing of this security protection system.

Marcus Mengs, the researcher who discovered these vulnerabilities, said he notified Logitech about his findings, and the vendor plans to patch some of the reported issues, but not all.

... All Logitech Unifying USB dongles that support a keyboard input feature are affected. This includes both Logitech wireless keyboards using Unifying dongles, but also the dongles of MX Anywhere 2S mice, which can also accept keyboard input.

Demos are below, and Mengs says the attacks are invisible to users.
 


The following articles discuss open vulnerabilities in Logitech 2.4GHz wireless keyboards
What's the range of the attack? I just set up one of those Logitech keyboards on a home media center computer, and even across about 10 feet from the couch, reception wasn't perfect, but a new battery helped.
 


Ric Ford

MacInTouch
The following articles discuss open vulnerabilities in Logitech 2.4GHz wireless keyboards and mice....
Thanks for the information/links. It looks like the problem is with the wireless receiver (not the mice or keyboards themselves), and Bluetooth should be unaffected, so that may be a safer option where available, e.g. with my essential Mac controller, the M720 Triathlon mouse.

Coincidentally, I just received a new one today, which I bought to replace the unacceptable Apple "Magic" Mouse that came with the iMac 5K. (Apple's too-stiff springs create RSI problems, and I haven't figured out how to right-click the Magic Mouse, if it's possible.) I already have two Triathlons, because they're essential to my productivity and RSI health, and they have been great. I much prefer WiFi to Bluetooth, since it works so much better, but I've been using Bluetooth due to insufficient USB ports in a MacBook Pro.

A Logitech Unifying Software app offers to update receiver software, when the receiver is plugged in to USB and you click the "Advanced" button. It shows firmware 24.07 (30) for both the new receiver and the one I've been using for a long time and shows no updates available. A third receiver shows firmware 12.07 (29) but the app still offers no updates for it.

Unfortunately, I've been having major problems pairing the new Triathlon to Bluetooth on my Sierra systems today, which is bizarre, since two others are already paired in Sierra, and the new one pairs OK in Mojave. (This has already wasted many hours, and is representative of my bad experiences with Bluetooth over the years.)

For what it's worth, I'll note that I'm pleased with a new mousepad I also bought, a big improvement over the others (neoprene-type) I've been using, with less friction (and supposedly less battery drain...). It's the 3M Precise Mouse Pad ($4.70).

(Let me also note, if Jony's reading, how absolutely brilliant a design it is to place every single USB port on the backside of the iMac... )-:
 



What's the range of the attack?
There are reports that 100 meters is easily reachable.
The Hacker News said:
How to Hack a Computer from 100 Meters by Hijacking its Wireless Mouse or Keyboard
With the use of around $15-$30 long-range radio dongle and a few lines of code, the attack could allow a malicious hacker within 100 meters range of your computer to intercept the radio signal between the dongle plugged into your computer and your mouse.
 


Ric Ford

MacInTouch
A Logitech Unifying Software app offers to update receiver software, when the receiver is plugged in to USB and you click the "Advanced" button. It shows firmware 24.07 (30) for both the new receiver and the one I've been using for a long time and shows no updates available. A third receiver shows firmware 12.07 (29) but the app still offers no updates for it.
Another receiver (possibly from a K750 Solar Keyboard, another favorite with great feel, which I have two of) was at firmware 24.03 (27) and the app actually offered to update this one, which then showed firmware at 24.05 (29).
 


Ric Ford

MacInTouch
More about the Logitech vulnerabilities:
Bleeping Computer said:
Logitech Unifying Receivers Vulnerable to Key Injection Attacks

Four new vulnerabilities were found to affect all of Logitech's Unifying USB receivers, which allow users to connect up to six different compatible Logitech wireless presentation remotes, mice, and keyboards to the same computer via a 2.4 GHz radio connection.
Security researcher Marcus Mengs discovered that the flaws are caused by Logitech dongles' outdated firmware and that they allow attackers with physical access to their targets' computers to exploit the bugs and launch keystroke injection attacks, record keystrokes, and take control of compromised systems.

Out of the four vulnerabilities found by Mengs, Logitech confirmed that they'll only fix two of them, with the rest to remain unpatched until the company has a change of mind in the future:
CVE-2019-13054 and CVE-2019-13055 - vulnerabilities that will get a patch in August 2019
CVE-2019-13052 and CVE-2019-13053 - vulnerabilities that won't be fixed

... It's also important to note that this vulnerability stems from an incomplete fix for CVE-2016-10761, one of the MouseJack vulnerabilities discovered by Bastille back in 2016 which impact "the vast majority of wireless, non-Bluetooth keyboards and mice" and allowed "injecting unencrypted keystrokes into a target computer."
The Verge said:
Why you should really, really update your Logitech wireless dongle
Three and a half years ago, a security researcher broke into my laptop without ever needing to touch it. He didn’t even need its network address. All he had to do was sniff out my Logitech wireless mouse’s tiny USB receiver, fire off a few lines of code, and start typing things that appeared on my screen. He could have wiped my hard drive, installed malware, or worse, much as if he’d had physical access to my PC. ... Yet I’m now learning that the world may not be rid of MouseJack yet.

... All of this is to say that if you’ve got a wireless Logitech mouse, keyboard, or presentation clicker, you should probably patch it now — and maybe again in August when Logitech will be rolling some additional fixes out. Logitech’s old support pages for MouseJack are gone...
 


Ric Ford

MacInTouch
Logitech's website, support, software updates, and responsiveness are not at all impressive, but there's a little more information (plus links) about Logitech security holes, firmware et al at Wikipedia:
Wikipedia said:
Logitech Unifying receiver

... Logitech has responded with a few Unifying receiver firmware updates as new exploits have been reported. The latest firmware updates for Windows PCs and Macs can be found here, here, or here.

For Linux users there are native options to flash and experiment with such as fwupd and MouseJack device discovery and research tools. However, with these tools a separate firmware binary is still required. The required .cab files for use with fwupd can be found on the LVFS: Device List, or simply by downloading the updates via fwupdmgr. Flashing on a Linux host via a hypervisor such as VirtualBox along with a Windows virtual guest image and the Windows Logitech update executable is also possible. If using a Windows virtual guest it is recommended to have a second available pointing device while the dongle is being updated. The second pointing device may be needed to allow the user to select and enable pass through of the unifying receiver via the hypervisor task bar after executing the firmware updater so that the device is found and updated.

It should also be noted that updating the Unifying receiver firmware to versions RQR12.xx (xx >= 08) and RQR24.xx (xx >= 06) can limit some functionality of certain paired devices. These devices require their own firmware updates to restore full functionality with patched receivers.

New Developments
As of July 9th 2019 there has been another set of vulnerabilities documented and disclosed by a separate researcher on GitHub. Firmware fixes for the new vulnerabilities have not been released.
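The Wikipedia excerpt gives concrete firmware levels for the 2016 MouseJack fixes (RQR12.xx needs xx >= 08, RQR24.xx needs xx >= 06), while the thread reports receiver versions in the form the Logitech Unifying Software shows, such as "24.07 (30)" or "12.08". As an added example (not from the thread, Wikipedia, or Logitech), the script below classifies such strings against those levels. It assumes that "24.07 (30)" in the Mac app is firmware RQR24.07 with build 30; that mapping is an assumption, not something the thread states. It says nothing about the July 2019 CVEs, for which, per the excerpt, no firmware had been released.

```shell
#!/bin/sh
# Added example (not from the thread or from Logitech): classify a Unifying
# receiver firmware version against the levels the Wikipedia excerpt gives for
# the MouseJack-era fixes: RQR12.xx needs xx >= 08, RQR24.xx needs xx >= 06.
# The July 2019 CVEs are not covered; no firmware for those had shipped.

# normalize_fw STRING: accept "RQR24.07", "24.07", or "24.07 (30)" (the last is
# how the Logitech Unifying Software displays it; assumed to mean RQR24.07,
# build 30) and print "24 7": family and minor level as decimal integers.
normalize_fw() {
  printf '%s\n' "$1" \
    | sed -e 's/^[Rr][Qq][Rr]//' -e 's/[[:space:]]*(.*$//' \
    | awk -F. 'NF == 2 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ { printf "%d %d\n", $1, $2 }'
}

# mousejack_fix_status STRING: print one of
#   fixed      - at or above the 2016 fixed level for its family
#   vulnerable - below the fixed level
#   unknown    - not a 12.xx or 24.xx receiver, or unparseable input
mousejack_fix_status() {
  set -- $(normalize_fw "$1")
  [ $# -eq 2 ] || { echo unknown; return 0; }
  family=$1; minor=$2
  case "$family" in
    12) min=8 ;;
    24) min=6 ;;
    *)  echo unknown; return 0 ;;
  esac
  if [ "$minor" -ge "$min" ]; then echo fixed; else echo vulnerable; fi
}

# Usage: sh unifying_fw_check.sh "24.07 (30)" "12.07 (29)" RQR24.03
for v in "$@"; do
  printf '%-14s %s (MouseJack 2016 fix only; 2019 CVEs unfixed in any released firmware)\n' \
    "$v" "$(mousejack_fix_status "$v")"
done
```

Feed it the versions quoted in the thread and it tells you which receivers are still below even the 2016 fix level. A "fixed" verdict only means the old MouseJack fix is present; the receiver is still exposed to the 2019 issues described above.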
 


Ric Ford

MacInTouch
Thanks for the information/links. It looks like the problem is with the wireless receiver (not the mice or keyboards themselves), and Bluetooth should be unaffected, so that may be a safer option where available, e.g. with my essential Mac controller, the M720 Triathlon mouse.
Hopefully, a wired mouse will avoid the Logitech security issues, as well as working immediately, rather than suffering from Bluetooth pairing/driver/boot delays. I looked for one with free-spinning scroll wheel, which has been a major productivity benefit for me, and I found a wired Logitech mouse that looks similar to my favorite Triathlon, so I just ordered one to try (paying extra for express delivery):

 


Ric Ford

MacInTouch
Can somebody explain what MRT is and what OS versions are affected?
Here's some timely information from Howard Oakley:
Eclectic Light Co. said:
Does anyone here know about MRT?
This has been a week of firsts for Mac users: it’s been the first time that I can recall Apple officially ‘leaking’ information about one of its ‘silent’ security updates, the first time that many users have wanted to run its malware removal tool MRT, and the first time that Apple has pushed out software intended to delete (instead of merely disabling) what was perfectly legitimate third-party software rather than malware.

These all centre on the vulnerabilities which came to light in Zoom conferencing software, issues which are going to continue to have impacts for some time to come. Important though those are, and will continue to be, they can easily distract from those affecting everyone who uses a reasonably recent version of macOS or OS X: what Apple refers to opaquely as “system data files and security updates”.

One of the biggest problems posed by the old Zoom software was that it installed, in a hidden folder, a web server which was left behind, still active, when you uninstalled its app. This web server was capable of reinstalling the Zoom client, and has now been found to have its own vulnerability as well. However Zoom responded to the other issues in its client software, it was vital that all copies of this web server were removed, particularly on Macs whose users may have forgotten that they had ever installed Zoom’s client. This wasn’t something that Zoom was able to handle alone: they needed Apple, just as Apple needed to remove Zoom’s web server before it could be exploited.

The solution lay in gently repurposing Apple’s MRT to detect and destroy Zoom’s web server in its hidden folder. The delivery vehicle had therefore to be an urgent ‘silent’ security update containing the new version of MRT, which Apple had ready to push out on 10 July.

Then everything got rather strange. Instead of Apple breaking its self-imposed silence on security updates and explaining this direct to users, it passed the message on to Zack Whittaker at TechCrunch, then re-tweeted TechCrunch’s tweet linking to that news story. Not only that, but the story was coy over detail: it didn’t mention MRT, merely that the “silent update” had been released, and that all users would receive it automatically. Neither did it explain that users needed to do anything other than wait for the update to be installed.
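Since the thread ties the Zoom cleanup to MRT version 1.45 and the update arrives silently, a practitioner will want a way to confirm which MRT is installed. The script below is an added example (not from the thread, Apple, or Eclectic Light). It assumes MRT lives at /System/Library/CoreServices/MRT.app, which is where Mojave-era macOS keeps it; the 1.45 threshold comes from the thread, and the `system_profiler` hint is a separate place the silent updates show up.

```shell
#!/bin/sh
# Added example (not from the thread, Apple, or Eclectic Light): report the
# installed version of Apple's Malware Removal Tool and whether it is at or
# above 1.45, the version the thread associates with removing Zoom's web server.
# Assumption: MRT is at /System/Library/CoreServices/MRT.app (Mojave-era macOS).

MRT_PLIST="/System/Library/CoreServices/MRT.app/Contents/Info.plist"
MRT_ZOOM_FIX="1.45"

# version_ge A B: succeed if dotted version A >= B, comparing numerically field
# by field (so 1.45 > 1.9, and 1.45.1 > 1.45). Missing fields count as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# mrt_version: print CFBundleShortVersionString from MRT's Info.plist, or fail
# if the bundle is not where we expect it.
mrt_version() {
  [ -r "$MRT_PLIST" ] || return 1
  /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$MRT_PLIST" 2>/dev/null
}

# mrt_status: one line verdict; returns 0 if MRT >= 1.45, 1 if older, 2 if absent.
mrt_status() {
  v=$(mrt_version) || { echo "MRT not found at $MRT_PLIST"; return 2; }
  if version_ge "$v" "$MRT_ZOOM_FIX"; then
    echo "MRT $v: at or above $MRT_ZOOM_FIX (includes the Zoom web server removal)"
  else
    echo "MRT $v: below $MRT_ZOOM_FIX (silent update not yet applied)"
    return 1
  fi
}

# Usage: sh mrt_check.sh --run
# The silent updates also appear in the install history:
#   system_profiler SPInstallHistoryDataType | grep -A 3 MRTConfigData
if [ "${1:-}" = "--run" ]; then
  mrt_status
fi
```

The field-by-field comparison matters here: a plain string compare would rank 1.9 above 1.45, which is exactly the mistake that would make an old MRT look current.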
 


There are reports that 100 meters is easily reachable.
Thanks, I guess.

Just spent a frustrating hour with three Logitech Unifying Receivers.
  • K800 keyboard that shows "encrypted" in Solaar, the Linux Logitech Unifying Receiver manager
  • M570 wireless trackball that doesn't show encrypted
  • a Logitech M325 mouse used on my desktop Mac
Followed the links in The Verge article on Mac running Mojave to install the Logitech System Preferences panels and "Secure DFU" updater. At first, it looked like Mojave wouldn't install them, but on restart it did, though it presented me with the warnings I associate with 32-bit software needing updating.

Ran the updaters on the receivers. Two at 12.08 with no update. The newest, associated with the K800 keyboard, stands at 12.09. I do have the fairly recent "Linux Vendor Firmware Service" active, and Linux Vendor Firmware Service has the 12.08 Unifying Receiver firmware, but not 12.09.

There's information from April, 2019 about the affected products and problems with them at the Linux Vendor Firmware Service site:

Having confirmed that 12.08 and 12.09 are as new as they will update through the Mac "Secure DFU" updater and Linux Vendor Firmware Service, I'm still uncertain. Do I just need to put them away, lest some guy across the street purloin my passwords and log into my financial institutions? Going back to wired USB would be cheap at that price.
 


Ric Ford

MacInTouch
These don't usually run macOS, but I thought it might be worth mentioning security issues with Intel NUC machines (which run Linux and Windows):
Bleeping Computer said:
Intel Updates NUC Firmware to Patch High Severity Bug
Intel today released a firmware update for multiple NUC Kit models to patch a high-severity issue that could be exploited to achieve privilege escalation, cause a denial-of-service (DoS) condition, or information disclosure.

NUC Kits are not the only small-form-factor computers from Intel requiring this update. A Compute Card and a Compute Stick run with the same BIOS and are equally affected by the bug.
George clued me in to the Linux Vendor Firmware Service, which apparently is very helpful for keeping Linux systems updated.
 


They don't usually run macOS, but I thought it might be worth mentioning security issues with Intel NUC machines (which run Linux and Windows):
George clued me in to the Linux Vendor Firmware Service, which apparently is very helpful for keeping Linux systems updated.
I'm grateful to the ever-helpful Ric, who knows I have and supervise a small group of NUCs running Linux.

The Linux Vendor Firmware Service works, and Intel is a listed partner. I've seen any number of "firmware updates" come through the "Software Updater" service on the variety of Linux (mostly Ubuntu or Ubuntu derivatives such as Linux Mint) I've used and tested. Unfortunately, whatever is passing through the Vendor Firmware Service updates, it isn't BIOS/UEFI firmware for NUCs.

The first NUCs I bought, in 2015, were supposed to be Linux-friendly. They were ahead of the curve, as they were released before the Linux kernel was updated for "improvements" they included over the preceding models. Didn't take long, but it was in that time period I did my one and only NUC BIOS update — until tonight.

The three NUCs I have at home were many iterations of BIOS updates behind; one's an original from 2015, but two are much newer. The BIOS updates are not the ones mentioned in Bleeping Computer — I believe those are for the very newest NUCs — but the somewhat older updates for mine did refer to "security" updates for the BIOS.
Intel Support said:
BIOS Overview for Intel® NUC
When Do I Update the BIOS?
Update the BIOS on your computer only if the newer BIOS version can solve a specific problem. We don't recommend BIOS updates for computers that do not need it.
I'd just assumed this meant, "if it ain't broke, don't fix it." I do remember horror stories from the early days of PCs about firmware updates bricking hardware, and so haven't been anxious to seek out and apply BIOS updates for NUCs that are, superficially, working just fine. But, no question, an update that addresses security vulnerabilities in a computer's BIOS is one that will "solve a specific problem."
 


I'd just assumed this meant, "if it ain't broke, don't fix it." I do remember horror stories from the early days of PCs about firmware updates bricking hardware, and so haven't been anxious to seek out and apply BIOS updates for NUCs that are, superficially, working just fine. But, no question, an update that addresses security vulnerabilities in a computer's BIOS is one that will "solve a specific problem."
Of course, for this particular update, local access is required for the exploit. Depending on who has local access to the machine, this may not matter to you.
 


Of course, for this particular update, local access is required for the exploit. Depending on who has local access to the machine, this may not matter to you.
The cleaning manager holds a key. Her "significant other" is a systems administrator? They seem trustworthy, but...

Exploits that require local access are less scary than those which can drip in over the Internet. But it's surely "best practice" to install any updates that address security vulnerabilities.
 


The cleaning manager holds a key. Her "significant other" is a systems administrator? They seem trustworthy, but...
Exploits that require local access are less scary than those which can drip in over the Internet. But it's surely "best practice" to install any updates that address security vulnerabilities.
As I wrote, it depends on who has access. If these are desktop systems in an office space that is unsupervised after hours, then that's a problem. Of course, a situation where the cleaners can bring in friends without anyone noticing is an even bigger problem.

If these are servers in a secure room where only your IT staff has keys, that's a different situation. If they are on your desk at home and you don't have maids coming in to clean when you're not home, then you only have to decide how much you trust your own family.

Regarding best practices for security updates, that also depends on your situation. For instance, many of the Spectre/Meltdown-related exploits are only meaningful on multi-tenant systems (e.g. cloud or VM servers), since they involve processes exfiltrating code from other processes. In a single-user system (like in your home), you only have to worry about malware doing this, and if you have a malware infection, you're probably losing a lot more than what these exploits can exfiltrate, which is why you don't find (for example) Apple installing every single such fix into macOS (and why Microsoft only incorporates them all into the server editions of Windows).

All that having been said, I do agree it's important to keep your system BIOS/EFI firmware up to date. If you're not maintaining your own private build of this firmware, you can't pick-and-choose which fixes to keep and which to ignore, and there will definitely be some that nobody should ignore. Ditto for ordinary users updating their OS or applications.

But if you are maintaining a build (e.g. Apple or Microsoft, or an IT department managing a corporate Linux distribution), then you probably do want to cherry pick updates (after conducting research to understand what you're doing), because blindly accepting every security fix that exists may seriously impact performance for no improvement in security for your particular situation.
 


  • Spectre/Meltdown-related exploits are only meaningful on multi-tenant systems (e.g. cloud or VM servers), since they involve processes exfiltrating code from other processes.
  • But if you are maintaining a build (e.g. Apple or Microsoft, or an IT department managing a corporate Linux distribution), then you probably do want to cherry pick updates . . .
In November, 2018 Linus Torvalds directed Spectre v2 patches in Linux kernel 4.2 be reverted because of a 50% performance hit. It's more complicated than that or than I understand, so if you're interested, links below:

The Register:

Phoronix:

It's unrealistic to think individual users (e.g., me) have the skills to cherry pick updates. I've not noticed any drop in performance of our Macs or Linux computers due to Spectre / Meltdown, and they're all Intel processors, though I'd have to go through the specs on each one to see if they're Hyper-Threading CPUs. I do know not all Intel CPUs do Hyper-Threading, which is probably more knowledge than most Intel users have.

Recently, I removed every Logitech wireless keyboard and mouse from service due to a reported vulnerability in the "Unifying Receiver" I first learned about on MacInTouch. There wasn't much else to do, as the idea of someone intercepting financial institution log-ins outside my office was just unacceptable.

My bet is most users just went meh and kept on typing. In fact, the vulnerability report was ambiguous, because it mentioned Logitech Unifying Receiver updates, but there was no way to confirm they addressed the remote access vulnerability.

Turns out, they didn't. Logitech has promised a new update in August 2019, but as I read Logitech's document and user comments, it won't be a complete fix, consigning my devices to the shelf.

This all really is too difficult.


It's unrealistic to think individual users (e.g., me) have the skills to cherry pick updates.
I think I said that ordinary users should install whatever their OS distribution supplies, but organizations maintaining a custom distribution should do this kind of research.

I think if you are skilled enough to be building custom kernels with custom sets of options (which include many of the various Spectre/Meltdown fixes), you really should know about this stuff and not just blindly install every patch that says it is "security", because some can significantly impact performance but may not be important to your particular deployment.

If you're not willing/able to do that, then do what most people do: stick with a distribution aimed at your kind of deployment from an organization you trust, and install every update they provide, trusting that their teams will do the appropriate cherry-picking (which, by implication, means you probably shouldn't be installing desktop distributions on servers or vice versa).
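The two posts above (the one on Spectre/Meltdown fixes being situational and this one on cherry-picking kernel patches) both come down to knowing which mitigations a given kernel actually has active. The Linux kernel reports that itself under /sys/devices/system/cpu/vulnerabilities/, and this added example (not code from the thread or from any of its posters) summarises that directory; the function takes the directory as an argument so it can be run against the constructed sample shown as well as a live host.

```shell
#!/bin/sh
# Added example: summarise Spectre/Meltdown mitigation state from the
# kernel's own sysfs reporting. Each file under the directory holds one
# line beginning "Not affected", "Vulnerable" or "Mitigation: <detail>".

# Print "<name> <state>" per entry (state: not_affected, vulnerable,
# mitigated, unknown).
mitigation_status() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        line=$(cat "$f")
        case "$line" in
            "Not affected"*) state=not_affected ;;
            "Vulnerable"*)   state=vulnerable ;;
            "Mitigation:"*)  state=mitigated ;;
            *)               state=unknown ;;
        esac
        printf '%s %s\n' "$name" "$state"
    done
}

# Number of entries the kernel still reports as vulnerable; zero means the
# running kernel and microcode cover everything the kernel knows about.
count_vulnerable() {
    mitigation_status "$1" | awk '$2 == "vulnerable" { n++ } END { print n+0 }'
}

# Constructed sample directory mirroring the sysfs layout (values are
# illustrative, not taken from a real host). Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    printf 'Not affected\n' > "$d/l1tf"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Retpolines, STIBP: disabled, RSB filling\n' > "$d/spectre_v2"
    printf 'Vulnerable: No microcode\n' > "$d/tsx_async_abort"
    printf '%s\n' "$d"
}

# Live use on a Linux host:
#   mitigation_status /sys/devices/system/cpu/vulnerabilities
#   count_vulnerable  /sys/devices/system/cpu/vulnerabilities
```

Comparing the output before and after a kernel or microcode update shows exactly which mitigations that update switched on, which is the information the cherry-picking decision above depends on.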


Ric Ford

MacInTouch
FYI:
BleepingComputer said:
iTerm2 Patches Critical Vulnerability Active for 7 Years
The most popular terminal emulator for macOS, iTerm2, has been updated to fix a critical security issue that survived undisclosed for at least seven years.

Attackers can achieve remote command execution on systems with a vulnerable iTerm2 version when the application is used to connect to a malicious source. Tracked as CVE-2019-9535, the vulnerability was discovered following a security audit from Radically Open Security, sponsored by the Mozilla Open Source Support (MOSS) program.


Apple patched a vulnerability in iTunes / iCloud for Windows on Monday, October 7. Information about the issue is somewhat confusing, but it apparently afflicted users who had previously installed iTunes on Windows and then removed it using the iTunes Uninstaller, which conveniently (sarcasm intended) left Bonjour in place, but without an update mechanism, leaving a path for attack.

Given Windows remains by far the most common OS, there are millions of iPhone / iPad users and iTunes store customers who have iTunes and possibly iCloud installed on Windows. I just notified a friend who has that setup. She had not "accepted" Monday's iTunes update.

ArsTechnica said:
Attackers exploit an iTunes zeroday to install ransomware
Apple patches actively exploited flaw that let ransomware crooks evade AV protection. (Windows)
I don't know enough about the underpinnings of Bonjour to understand if the vulnerability extends beyond its use for iTunes / iCloud in Windows. I do know there's a similar zero-configuration networking tool, Avahi, on Linux that seems to be based on Bonjour.


I don't know enough about the underpinnings of Bonjour to understand if the vulnerability extends beyond its use for iTunes / iCloud in Windows. I do know there's a similar zero-configuration networking tool, Avahi, on Linux that seems to be based on Bonjour.
It's a really old one (or two) in mDNSResponder (so long ago that I only vaguely remember the details, but that's becoming more and more common at my age).



According to the reports, the vulnerability is specific to Apple’s Bonjour implementation in Windows.
In our mixed Mac and Linux LAN at work (and for XMPP chat services between two distant offices) we use Pidgin on Linux and Adium on Mac. Both Pidgin on Linux and Adium on Mac offer local connections over Bonjour.

I'm not sure why, but I've dead-ended when trying to connect our Linux / Mac systems to our Synologies at work on both SAMBA and NFS on the LAN. Yet the Synology is accessible over AFP.

None of that disputes that the reported vulnerability is specific to Apple's prior implementations of Bonjour on Windows; it just creates a sense of uncertainty.

