Bruce Dawson’s Xbox 360 Prefetch Bug

Bruce Dawson once worked for Microsoft where he found a bug in the Xbox 360 that he was reminded of by the Spectre and Meltdown exploits:

A game developer who was using this function reported weird crashes – heap corruption crashes, but the heap structures in the memory dumps looked normal. After staring at the crash dumps for a while I realized what a mistake I had made.

Keep reading.

Meltdown & Spectre: Update Everything

There are two big computer vulnerabilities that were announced recently, Spectre and Meltdown attacks. These are significant because they affect almost every desktop, laptop, smartphone, tablet, and game console. Almost anything with a processor can be exploited to give attackers passwords and whatever other private information is on a device.

The attacks work because of the way that computer processors attempt to speculatively work ahead of their current point in executing a computer program. My understanding is that even code executed in your web browser could execute these attacks.

There are already patches available through Apple operating systems, Microsoft’s Windows, some Android devices, and many Linux operating systems.

The workarounds that operating systems are implementing may slow these devices down because the attacks utilize performance features of the processors, but the performance effects of the mitigation might not be noticeable outside of specific workloads.

Bruce Schneier:

These aren’t normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors. Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

The 2017 iMac Pro

Lost during my recent travel was Apple’s release of the iMac Pro, the “pro” version of the iMac that was announced at WWDC. The iMac Pro gets you higher performance and what may be many features of the promised-but-yet-to-be-updated-since-2013 Mac Pro, but with a glued-on high-resolution (5120×2880 P3 color gamut) screen and absolutely zero upgradability of internal components.

For an iPad or iPhone, that’s fine: glue whatever you need together to make the device as thin and light as it can get. It’d be great if you could upgrade the storage in those, and if sometimes they would optimize for battery life over thinness, but here we are looking at a different beast. Despite the Xeon-based workstation hardware you get inside an iMac Pro, with a modern desktop you really must be able to, at a minimum, upgrade the graphics processor in order to maintain performance over the lifespan of the device.

I don’t doubt that there are some people or businesses that would appreciate this design of high-performance in a completely sealed design computer, but I find some serious flaws in one of Apple’s proposed use-cases: the idea that this is for virtual reality developers.

Why would anyone deploy a VR app on a platform where the $5,000 iMac Pro is the only device that can support the final product? Sure you could do your work on the iMac Pro and cross-compile for Windows, but that seems like a bad idea if your main development computer isn’t also a device you can test for your primary distribution platform. This is the worst example of the inaccessibility of virtual reality today. Here’s a $5,000 computer and then you have to buy a $600 VR HMD to get started with using or playing VR. When a future VR headset is released any iMac Pro VR developers and users will either have to buy an external GPU or replace the entire computer. Anyone on a desktop tower using Windows can just upgrade their graphics card.

Of course if you’re working in video or audio production, or another field that requires high-end computation, this could be a good workstation for that. However, you have to also believe that Apple will continue to support the “pro” desktop platform that they have neglected for almost a decade with infrequent (Mac Pro) or half-assed (Mac Mini) updates.

This computer has so many caveats, and even though the starting price is actually competitive with other similarly outfitted workstation computers, that price is chief among the reasons why I don’t find it very appealing. Maybe the Mac Pro will actually ship next year and be truly modular, to replace the Mac Mini as well as the 2013 “trash can” Mac Pro.

I still dream of a modular desktop Mac that can do all these things and span a wider range of prices to include regular desktop parts (and prices) in addition to scaling up to workstation performance and price, without the glued-on screen. It’ll never happen, and that’s why even though I’m still writing this on my late 2013 MacBook Pro, I built a Windows desktop machine last year.

Your Portable Denial-of-Service Launcher

Garrett M. Graff has this article for Wired about the Mirai botnet denial-of-service attack, saying that it was powered by angry Minecraft server operators and players:

As the 2016 US presidential election drew near, fears began to mount that the so-called Mirai botnet might be the work of a nation-state practicing for an attack that would cripple the country as voters went to the polls. The truth, as made clear in that Alaskan courtroom Friday—and unsealed by the Justice Department on Wednesday—was even stranger: The brains behind Mirai were a 21-year-old Rutgers college student from suburban New Jersey and his two college-age friends from outside Pittsburgh and New Orleans. All three—Paras Jha, Josiah White, and Dalton Norman, respectively—admitted their role in creating and launching Mirai into the world.

Originally, prosecutors say, the defendants hadn’t intended to bring down the internet—they had been trying to gain an advantage in the computer game Minecraft.

[…]

VDOS was an advanced botnet: a network of malware-infected, zombie devices that its masters could commandeer to execute DDoS attacks at will. And the teens were using it to run a lucrative version of a then-common scheme in the online gaming world—a so-called booter service, geared toward helping individual gamers attack an opponent while fighting head-to-head, knocking them offline to defeat them. Its tens of thousands of customers could pay small amounts, like $5 to $50, to rent small-scale denial-of-service attacks via an easy-to-use web interface.

A similar service was used to attack the ioquake3 master server in the past. It was surprisingly easy for it to be launched on an ongoing basis.

Update to iOS 11.2 Immediately, Apple’s Bad Bug Week Got Worse

Apple has another serious software flaw. This one isn’t a security vulnerability, but it causes some iOS devices (iPhones, iPads) with third-party apps installed that use local notifications to get stuck in a reboot loop on December 2nd. iOS 11.2 is out now and resolves the issue, along with adding other features like Apple Pay Cash to send money to your friends and family, and fixing other issues. If you’re already experiencing the reboot loop, Apple has some steps for you to take before updating.

Other workarounds include setting your time back by a day or disabling notifications for the apps that cause it, but it’s better to just update.

Some people have the idea that staying on an older version of the software is more stable or more secure; this is always a bad idea in our day of networked devices that are constantly under attack from governments and other bad actors.

It must really be crappy to be on the teams responsible for these issues this week but it’s difficult to blame anyone specifically for them. With the root exploit it looks like a reasonable mistake that could happen to anyone. We don’t have all the details of the December 2nd bug yet, but both of these issues require an extremely specific set of things to go wrong before they happen. I have no doubt that Apple’s QA processes will change to include testing for these kinds of issues, but there isn’t any perfect software. What they have done well is the delivery mechanism for getting those updates out to users.

When Android has issues like these they are difficult to resolve because so many different companies have to get involved in order for updates to get released to end-users. I don’t envy anyone trying to resolve that issue at Google.


Apple Has a Patch out for the macOS Root Access Security Vulnerability

Go to the Updates tab in the Mac App Store to apply it now; you won’t even need to reboot. Apple has more details about the update at this link.

Here’s the post from yesterday with the details of the vulnerability.

Update:
If you have any trouble with file sharing after applying this security patch, Apple has another fix for that, oops.

The macOS Root Access Security Vulnerability

There’s a vulnerability in the latest version of macOS High Sierra (10.13.1) that may let anyone with physical access to a Mac log in and gain system administrator (root) access. Or, if they already have an account, upgrade their access to the system administrator (root) level.

You can work around the issue by setting a root password as described in this support document from Apple. They’re working on fixing it.

The vulnerability works like this:

  1. At any login or privilege-escalation dialog, a user types in the username root.
  2. The user hits the login button or Enter a few times in quick succession.
  3. The system enables the root user account and assigns it no password.

It is incredibly bad for Apple to have a vulnerability this easy to exploit, and it’s ridiculous that it was also apparently posted publicly on Apple’s developer forums weeks ago.
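Since the workaround is to set a root password and the fix disables the account again, the thing a Mac admin wants to know is whether root is currently enabled on a given machine. Here is a small POSIX shell check, added here as an example and not something from the original post or from Apple: it classifies the root account from the AuthenticationAuthority attribute that `dscl . -read /Users/root AuthenticationAuthority` prints. The assumption (a labelled one) is that macOS marks a disabled root account with the token `;DisabledUser;` in that attribute, which is what `dsenableroot -d` writes, and that an enabled account carries a `;ShadowHash;` entry without it; the sample attribute strings used below are constructed, not captured from a real machine.

```shell
# Added example (not from the original post): classify the macOS root account
# from the AuthenticationAuthority attribute printed by
#   dscl . -read /Users/root AuthenticationAuthority
# Assumption: a disabled root carries the ";DisabledUser;" token, an enabled
# root has a ";ShadowHash;" entry without it, and dscl reports a missing
# attribute with the text "No such key".

root_state() {
    # $1: text of the AuthenticationAuthority attribute (or dscl's error text)
    case "$1" in
        *DisabledUser*)   echo disabled ;;
        *ShadowHash*)     echo enabled ;;
        *"No such key"*)  echo no-authority ;;   # attribute missing entirely
        *)                echo unknown ;;
    esac
}

# Query the local directory service and report; succeeds only when root is disabled.
check_local_root() {
    if ! command -v dscl >/dev/null 2>&1; then
        echo "dscl not found; this check only runs on macOS" >&2
        return 2
    fi
    out=$(dscl . -read /Users/root AuthenticationAuthority 2>&1)
    state=$(root_state "$out")
    echo "root account: $state"
    [ "$state" = disabled ]
}

# Run the live check when invoked as: sh root_check.sh --check
case "${1:-}" in
    --check) check_local_root ;;
esac
```

Anything other than `disabled` is worth a closer look: `enabled` means someone (or the bug) turned root on, and the fix is to set a strong root password or disable the account again once the patch is applied.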

Uber Hid Hack of Data From 57 Million Users & Drivers

Bloomberg’s Eric Newcomer:

Hackers stole the personal data of 57 million customers and drivers from Uber Technologies Inc., a massive breach that the company concealed for more than a year. This week, the ride-hailing firm ousted its chief security officer and one of his deputies for their roles in keeping the hack under wraps, which included a $100,000 payment to the attackers.

Compromised data from the October 2016 attack included names, email addresses and phone numbers of 50 million Uber riders around the world, the company told Bloomberg on Tuesday. The personal information of about 7 million drivers was accessed as well, including some 600,000 U.S. driver’s license numbers. No Social Security numbers, credit card information, trip location details or other data were taken, Uber said.

Android Users’ Location Information Is Always Being Sent to Google

Quartz’ Keith Collins:

Many people realize that smartphones track their locations. But what if you actively turn off location services, haven’t used any apps, and haven’t even inserted a carrier SIM card?

Even if you take all of those precautions, phones running Android software gather data about your location and send it back to Google when they’re connected to the internet, a Quartz investigation has revealed.

Since the beginning of 2017, Android phones have been collecting the addresses of nearby cellular towers—even when location services are disabled—and sending that data back to Google. The result is that Google, the unit of Alphabet behind Android, has access to data about individuals’ locations and their movements that go far beyond a reasonable consumer expectation of privacy.

Quartz observed the data collection occur and contacted Google, which confirmed the practice.

Google claims it wasn’t doing anything with the data received from Android devices, and says it will stop (at the end of the month) now that Quartz has caught it.

I’m not sure why anyone should trust Google’s word about what they were doing with this information when they explicitly use location information to target ads and were pulling this shit with no way for a user to disable it.

You can bet that companies like Google (photos), Facebook and their subsidiaries such as Instagram, and Twitter, also scrape location information whenever you upload photos to their services by reading the EXIF data attached to every photo. You can download apps like Metapho on iOS to remove the EXIF information from your photos before you share them.
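To make the EXIF point concrete, here is an added Python example (not code from the original post, and not how Metapho or any of those services work): it walks the marker segments of a JPEG, pulls the GPS latitude out of the Exif APP1 segment, and produces a copy with every Exif segment removed. The JPEG it operates on is constructed inline, a minimal marker container with a hand-built TIFF/Exif block, so it is not a decodable picture, but the segment layout and the standard Exif tag numbers (GPSInfo 0x8825, GPSLatitudeRef 0x0001, GPSLatitude 0x0002) are the same ones a real camera file uses.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825      # IFD0 entry pointing at the GPS sub-IFD
TAG_GPS_LAT_REF = 0x0001  # "N" or "S"
TAG_GPS_LAT = 0x0002      # three RATIONALs: degrees, minutes, seconds


def _ifd_entry(tag, typ, count, value_or_offset):
    # One 12-byte little-endian TIFF IFD entry.
    return struct.pack("<HHII", tag, typ, count, value_or_offset)


def build_sample_jpeg():
    """Constructed sample: SOI, an Exif APP1 carrying a GPS IFD (51 deg 30' N),
    an empty SOS and EOI. Not a decodable image, only a marker container."""
    ifd0_off = 8                   # TIFF header is 8 bytes
    gps_off = ifd0_off + 18        # IFD0: count(2) + 1 entry(12) + next(4)
    rat_off = gps_off + 30         # GPS IFD: count(2) + 2 entries(24) + next(4)
    tiff = b"II*\x00" + struct.pack("<I", ifd0_off)
    tiff += struct.pack("<H", 1) + _ifd_entry(TAG_GPS_IFD, 4, 1, gps_off) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 2)
    # ASCII "N\0" fits inside the 4-byte value field
    tiff += _ifd_entry(TAG_GPS_LAT_REF, 2, 2, int.from_bytes(b"N\x00\x00\x00", "little"))
    tiff += _ifd_entry(TAG_GPS_LAT, 5, 3, rat_off)
    tiff += struct.pack("<I", 0)
    tiff += struct.pack("<IIIIII", 51, 1, 30, 1, 0, 1)   # 51/1 deg, 30/1 min, 0/1 sec
    app1 = EXIF_HEADER + tiff
    return (b"\xff\xd8" + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xda" + struct.pack(">H", 2) + b"\xff\xd9")


def iter_segments(data):
    """Yield (marker, segment_start, segment_end) for each marker segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                           # EOI
            return
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        if marker == 0xDA:                           # SOS: scan data follows, stop
            return
        pos += 2 + length


def _parse_ifd(tiff, end, off):
    """Return {tag: (type, count, raw 4-byte value field)} for the IFD at off."""
    n = struct.unpack(end + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, count, raw = struct.unpack(end + "HHI4s", tiff[e:e + 12])
        entries[tag] = (typ, count, raw)
    return entries


def gps_info(data):
    """Return {'lat_ref', 'lat'} from the Exif GPS IFD, or None if there is none."""
    for marker, start, stop in iter_segments(data):
        if marker != 0xE1 or data[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = data[start + 10:stop]
        end = "<" if tiff[:2] == b"II" else ">"      # byte order from TIFF header
        ifd0 = _parse_ifd(tiff, end, struct.unpack(end + "I", tiff[4:8])[0])
        if TAG_GPS_IFD not in ifd0:
            return None
        gps = _parse_ifd(tiff, end, struct.unpack(end + "I", ifd0[TAG_GPS_IFD][2])[0])
        result = {}
        typ, count, raw = gps.get(TAG_GPS_LAT_REF, (None, 0, b""))
        if typ == 2:                                  # ASCII, stored inline
            result["lat_ref"] = raw[:count].rstrip(b"\x00").decode("ascii")
        typ, count, raw = gps.get(TAG_GPS_LAT, (None, 0, b""))
        if typ == 5:                                  # RATIONAL, stored at an offset
            o = struct.unpack(end + "I", raw)[0]
            vals = struct.unpack(end + "I" * (2 * count), tiff[o:o + 8 * count])
            d, m, s = (vals[i] / vals[i + 1] for i in (0, 2, 4))
            result["lat"] = d + m / 60 + s / 3600
        return result
    return None


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed."""
    out = bytearray(data[:2])
    pos = 2
    for marker, start, stop in iter_segments(data):
        if marker == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER:
            out += data[pos:start]   # keep everything between the last cut and this segment
            pos = stop
    out += data[pos:]
    return bytes(out)
```

Run `gps_info(build_sample_jpeg())` to see the coordinate that a photo-sharing service would read on upload, and `gps_info(strip_exif(...))` to confirm it is gone; on a real file, read the bytes, call `strip_exif`, and write the result out before sharing. Removing the whole APP1 segment (rather than zeroing just the GPS tags) also drops the embedded thumbnail, which is a common place for location data to survive a partial scrub.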