Desktops (Apple)

macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password (macrumors.com) 58

A bug report submitted on Open Radar this week reveals a security vulnerability in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password. From a report: MacRumors is able to reproduce the issue on macOS High Sierra version 10.13.2, the latest public release of the operating system, on an administrator-level account by following these steps: 1. Click on System Preferences. 2. Click on App Store. 3. Click on the padlock icon to lock it if necessary. 4. Click on the padlock icon again. 5. Enter your username and any password. 6. Click Unlock.

As mentioned in the radar, System Preferences does not accept an incorrect password with a non-administrator account. We also weren't able to unlock any other System Preferences menus with an incorrect password. We're unable to reproduce the issue on the third or fourth betas of macOS High Sierra 10.13.3, suggesting Apple has fixed the security vulnerability in the upcoming release. However, the update currently remains in testing.

Facebook

WhatsApp Security Flaws Could Be Exploited To Covertly Add Members To Group Chats (iacr.org) 29

A group of crytopgraphers from Germany's Ruhr University Bochum have uncovered flaws in WhatsApp's security that compromise the instant messaging service's end-to-end encryption. WhatsApp, owned by Facebook, has over one billion active users. In a paper published last week, "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," anyone who controls WhatsApp's servers, including company employees, can covertly add members to any group -- a claim that might not bode well with privacy enthusiasts. From the paper: The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group however leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group. Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces. Further reading: Wired.
Security

Meltdown and Spectre Patches Bricking Ubuntu 16.04 Computers (bleepingcomputer.com) 233

An anonymous reader writes: Ubuntu Xenial 16.04 users who updated to receive the Meltdown and Spectre patches are reporting they are unable to boot their systems and have been forced to roll back to an earlier Linux kernel image. The issues were reported by a large number of users on the Ubuntu forums and Ubuntu's Launchpad bug tracker. Only Ubuntu users running the Xenial 16.04 series appear to be affected.

All users who reported issues said they were unable to boot after upgrading to Ubuntu 16.04 with kernel image 4.4.0-108. Canonical, the company behind Ubuntu OS, deployed Linux kernel image 4.4.0-108 as part of a security update for Ubuntu Xenial 16.04 users, yesterday, on January 9. According to Ubuntu Security Notice USN-3522-1 and an Ubuntu Wiki page, this was the update that delivered the Meltdown and Spectre patches.

Security

NVIDIA GPUs Weren't Immune To Spectre Security Flaws Either (engadget.com) 139

Nvidia has became the latest chipmaker to release software patches for the Spectre microchip security threat, indicating that the chipset flaw was affecting graphic processors as well as CPUs. From a report: To that end, NVIDIA has detailed how its GPUs are affected by the speculative execution attacks and has started releasing updated drivers that tackle the issue. All its GeForce, Quadro, NVS, Tesla and GRID chips appear to be safe from Meltdown (aka variant 3 of the attacks), but are definitely susceptible to at least one version of Spectre (variant 1) and "potentially affected" by the other (variant 2). The new software mitigates the first Spectre flaw, but NVIDIA is promising future mitigations as well as eventual updates to address the second. Most of the updates are available now, although Tesla and GRID users will have to wait until late January.
Security

Taiwanese Police Give Cyber-security Quiz Winners Infected Devices (bbc.com) 37

Taiwan's national police agency said 54 of the flash drives it gave out at an event highlighting a government's cybercrime crackdown contained malware. From a report: The virus, which can steal personal data and has been linked to fraud, was added inadvertently, it said. The Criminal Investigation Bureau (CIB) apologised for the error and blamed the mishap on a third-party contractor. It said 20 of the drives had been recovered. Around 250 flash drives were given out at the expo, which was hosted by Taiwan's Presidential Office from 11-15 December and aimed to highlight the government's determination to crack down on cybercrime.
Cellphones

'I Tried the First Phone With An In-Display Fingerprint Sensor' (theverge.com) 70

Vlad Savov from The Verge reports of his experience using the first smartphone with a fingerprint scanner built into the display: After an entire year of speculation about whether Apple or Samsung might integrate the fingerprint sensor under the display of their flagship phones, it is actually China's Vivo that has gotten there first. At CES 2018, I got to grips with the first smartphone to have this futuristic tech built in, and I was left a little bewildered by the experience. The mechanics of setting up your fingerprint on the phone and then using it to unlock the device and do things like authenticate payments are the same as with a traditional fingerprint sensor. The only difference I experienced was that the Vivo handset was slower -- both to learn the contours of my fingerprint and to unlock once I put my thumb on the on-screen fingerprint prompt -- but not so much as to be problematic. Basically, every other fingerprint sensor these days is ridiculously fast and accurate, so with this being newer tech, its slight lag feels more palpable. Vivo is using a Synaptics optical sensor called Clear ID that works by peering through the gaps between the pixels in an OLED display (LCDs wouldn't work because of their need for a backlight) and scanning your uniquely patterned epidermis. The sensor is already in mass production and should be incorporated in several flagship devices later this year.

Slashdot Top Deals