
Submission + - 10-Year-Old Open Source Flaw Could Affect 'Almost Every Apple Device' (thecyberexpress.com)

storagedude writes: Some of the most widely used web and social media applications could be vulnerable to three newly discovered CocoaPods vulnerabilities — including potentially millions of Apple devices, according to a report by The Cyber Express, the news service of threat intelligence vendor Cyble Inc.

E.V.A Information Security researchers reported three vulnerabilities in the open source CocoaPods dependency manager that could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting "almost every Apple device."

The researchers found vulnerable code in applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.”

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed.

While the vulnerabilities have been patched, the work for developers and DevOps teams that used CocoaPods before October 2023 is just getting started.

“Developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of open source dependencies used in their application code,” the E.V.A researchers said.

Submission + - Microsoft says your content is "freeware" to steal (windowscentral.com)

joshuark writes: Microsoft's CEO of AI Mustafa Suleyman said that content on the open web can be copied and used to create new content. The CEO spoke with CNBC's Andrew Ross Sorkin at the Aspen Ideas Festival earlier this week.

"With respect to content that is already on the open web, the social contract of that content since the 90s has been that it is fair use. Anyone can copy it, recreate with it, reproduce with it. That has been freeware, if you like. That's been the understanding," said Suleyman.

Microsoft and OpenAI have been on the receiving end of several copyright infringement lawsuits. Eight US-based publishers filed suits against OpenAI and Microsoft, joining The New York Times, which already had an ongoing suit.

Submission + - regreSSHion: Unauthenticated Remote Root Vulnerability in OpenSSH Server (qualys.com)

Artem S. Tashkinov writes: The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux systems. The CVE assigned to this vulnerability is CVE-2024-6387. The vulnerability, which is a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems; that presents a significant security risk. This race condition affects sshd in its default configuration.

Based on searches using Censys and Shodan, we have identified over 14 million potentially vulnerable OpenSSH server instances exposed to the Internet. Anonymized data from Qualys CSAM 3.0 with External Attack Surface Management data reveals that approximately 700,000 external internet-facing instances are vulnerable. This accounts for 31% of all internet-facing instances with OpenSSH in our global customer base.

In our security analysis, we identified that this vulnerability is a regression of the previously patched vulnerability CVE-2006-5051, which was reported in 2006. A regression in this context means that a flaw, once fixed, has reappeared in a subsequent software release, typically due to changes or updates that inadvertently reintroduce the issue. This incident highlights the crucial role of thorough regression testing to prevent the reintroduction of known vulnerabilities into the environment. This regression was introduced in October 2020 (OpenSSH 8.5p1).

Submission + - Technical Analysis of Pegasus Spyware

Mirnotoriety writes: An Investigation Into Highly Sophisticated Espionage Software

Executive Summary: “This report is an in-depth technical look at a targeted espionage attack being actively leveraged against an undetermined number of mobile users around the world. Lookout researchers have done deep analysis on a live iOS sample of the malware, detailed in this report. Citizen Lab’s investigation links the software and infrastructure to that of NSO Group which offers a product called Pegasus solution.”

Comment No alternative mean a lot didn't really speak (Score 1) 397

If you could show numbers for phones with replaceable parts and show that they didn't sell, sure, I would agree with you, but since there are none on the market you just have no idea what the market is for those that want them, only the market for those that don't care. Sure it's popular, but it does not mean that you're not missing out on even more. So no, not anything reliable. Personally, the only smartphone I bought had a replaceable battery, an SD card slot and a physical (landscape, sorry Blackberry) keyboard, and of course it's old and I would like to change it, but until someone offers an interesting product they just won't get my money. You're probably right that I'm alone in this, but until you have real numbers to compare to you just don't know.

Comment Re:CHEAP (Score 1) 183

Sorry for the late reply, I thought Slashdot would send me an email on reply (yes, the setting is still enabled, not sure what happened).

But no, the "walking space" argument does not work because there exist cubicles with walls on just the desk area - they do not take any walkway space, and otherwise you could still have 3 walls but have them stop at the back of your butt when you're sitting at your desk, and the space saved would be pretty small. Even in a high-rent city, how much would you be saving, really?

Yes, you save on the furniture cost by having a huge table vs. individual desks, but that is a fixed cost and not a recurring one. Same with the "reconfiguration" cost; it should really not happen frequently, so it is not an argument either.

The gain of having the wall is of course to stop noise and visual distraction, and I'm pretty sure it's well worth the minimal saving you're getting with an open-space office.

Comment Re:Speed Dial (Score 1) 85

I think you missed the part where some number of the old Opera guys started a new browser called Vivaldi. Opera hasn't really been the same Opera for a while now. It's not that surprising they're selling it, I guess.

Vivaldi was still pretty "beta" until recently, but now it's getting pretty stable and includes a lot of must-have features from old Opera. Vivaldi is pretty much the replacement for old Opera, not the browser being sold. It already has a lot, if not most, of the features from old Opera (including Speed Dial), so you should probably check it out. The thing I miss the most right now is having access to my bookmarks from the menu (there is no bookmark entry in the menu), but it's not the end of the world (it will probably be there eventually). Really, most of it is already there.

Comment Re:Dear Browser Manufacturers. (Score 1) 95

Obvious troll but I'll bite.

Opera (the old one, I assume, since you used "was") compared to Apple??? What might make you say that? Did you ever use it for more than 5 minutes?

On the contrary, (old) Opera was more like the old (XP-days) Microsoft, with relatively lots of options and easy to use.

The *new* Opera is a lot more like Apple (or modern Microsoft, or Google): here is the new "correct", and *only*, way to use our product. Don't like it? Too bad, get another browser (they're all copying each other and won't have what you're looking for anyway). What do you mean different people might have different preferences/optimal usage? Insanity!
