Popular iPhone and iPad Apps Snooping on the Pasteboard

Found on Mysk on Saturday, 27 June 2020

We found that many apps quietly read any text found in the pasteboard every time the app is opened. Text left in the pasteboard could be as simple as a shopping list, or could be something more sensitive: passwords, account numbers, etc.

We have investigated many popular apps in the App Store and found that they frequently access the pasteboard without the user being aware. Our investigation confirms that many popular apps read the text content of the pasteboard. However, it is not clear what the apps do with the data. To prevent apps from exploiting the pasteboard, Apple must act.

Every bit of data that can be slurped, will be slurped. Don't think it's the usual list of shady apps nobody uses: ABC, NY Times, Fox, Reuters, WSJ, TikTok and so on...

The Golden Tax Department and the Emergence of GoldenSpy Malware

Found on Trustwave on Friday, 26 June 2020

We identified an executable file displaying highly unusual behavior and sending system information to a suspicious Chinese domain. Discussions with our client revealed that this was part of their bank’s required tax software.

Basically, it was a wide-open door into the network with SYSTEM level privileges and connected to a command and control server completely separate from the tax software’s network infrastructure.

We believe that every corporation operating in China or using the Aisino Intelligent Tax Software should consider this incident a potential threat and should engage in threat hunting, containment, and remediation countermeasures, as outlined in our technical report.

In communist China, computer owns you.

Adobe Flash Is Actually Going to Die This Time, For Real

Found on Gizmodo on Monday, 22 June 2020

Three years ago, long after the rise (and fall) of Flash, Adobe announced that its once-ubiquitous multimedia platform was finally going away. But Adobe never provided a specific date for when Flash would reach its end-of-life. Now we know: Adobe Flash is going to officially die on December 31, 2020.

For a software platform that lasted more than two decades and played a huge part in the Dot-com bubble of the late 90s and early 2000s, Flash lasted a lot longer than most people probably ever expected.

Also, Flash was one of the worst pieces of software from a security point of view. It should have vanished a decade ago.

Linux Mint dumps Ubuntu Snap

Found on ZDNet on Saturday, 06 June 2020

In the Ubuntu 20.04 package base, the Chromium package is indeed empty and acting, without your consent, as a backdoor by connecting your computer to the Ubuntu Store. Applications in this store cannot be patched, or pinned. You can't audit them, hold them, modify them, or even point Snap to a different store. You've as much empowerment with this as if you were using proprietary software, i.e. none. This is in effect similar to a commercial proprietary solution, but with two major differences: It runs as root, and it installs itself without asking you.

Behind the scenes installs which force new dependencies on you are always bad. Mint is doing the right thing there.

It took 16 years, but open-source vector graphics editor Inkscape now works properly

Found on The Register on Saturday, 09 May 2020

Inkscape can be seen as an alternative to commercial products such as Adobe Illustrator or Serif Affinity Designer – though unlike Inkscape, neither of those run on Linux.

Inkscape 1.0 seems polished and professional. Adobe, which sells Illustrator on a subscription basis starting at £19 (if you inhale the rest of the Creative Cloud), will likely not be worried, but apart from the cost saving there are advantages in simpler applications that are relatively lightweight and easy to learn, as well as running well on Linux.

Mozilla would have reached version 1000 in that time.

Firefox 76 arrives with password management and Zoom improvements

Found on Venturebeat on Friday, 08 May 2020

Firefox 76 includes new Firefox Lockwise password functionality, Zoom improvements, and a handful of developer features.

Mozilla this year sped up Firefox releases to a four-week cadence (previously they arrived every six to eight weeks).

The company specifically called out Zoom, which has become a phenomenon of its own during the pandemic. In short, you now join Zoom calls in Firefox without having to download or install the Zoom client.

The bloatware is getting bigger and bigger with every release; and less interesting. Will Firefox now start to natively support everything that's getting a little attention?

Firefox Raises Its Bug Bounties to $10,000

Found on Slashdot on Monday, 27 April 2020

"We're updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture," reports the Mozilla security blog.

They point out that Firefox has one of the world's oldest bug bounty programs, dating back to 2004 -- and it's still going strong. "From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 — but as you can see in the graph below, our most common payout was actually $4,000!"

Firefox keeps losing ground not because of bugs, but because of bad UI decisions.

Windows 10 Update: Would You Like Deleted Files And Blue Screens With That?

Found on Forbes on Sunday, 26 April 2020

With Windows 10 now installed on more than one billion devices, there will always be a wide variation in terms of user satisfaction. One area where this variation can be seen perhaps most clearly is that of updates. It has almost become the norm following the monthly Patch Tuesday update for users to take to support forums and complain that something or other has been borked as a result.

The problems those users are reporting to the Microsoft support forums and on social media have included the installation failing and looping back to restart again, the dreaded Blue Screen of Death (BSOD) following a "successful" update and computers that simply refuse to boot again afterward. Among the more common issues, in terms of complaints after a Windows 10 update, were Bluetooth and Wi-Fi connectivity related ones. But there have also been users complaining that after a restart, all files from the C drive had been deleted.

Forcing people to upgrade is one of the reasons for problems. Yes, updates are important, but the decision should still be left to the administrator who knows the systems better than Microsoft.

LibreOffice 7.0 Finally Retiring Its Adobe Flash Export Support

Found on Phoronix on Saturday, 25 April 2020

LibreOffice 7.0 has long offered an Adobe Flash export filter, back to the days of it being Macromedia Flash. The focus on this export filter has been for allowing LibreOffice presentations and drawings to be in Flash format.

The support was dropped on Thursday and in the process lightened up this open-source office suite by nearly six thousand lines of code.

That should have happened years ago. Flash was one of the biggest security holes.

Ring 0 of fire: Does Riot Games’ new anti-cheat measure go too far?

Found on Ars Technica on Friday, 17 April 2020

While the Vanguard anti-cheat client only launches when Valorant is being played, Riot says the system also makes use of a "kernel mode driver" that starts operating as soon as Windows boots up. That's a big change from Riot's pre-Vanguard anti-cheat systems, which operated entirely at the more common "user mode" level, just like most Windows executables.

At the kernel level, any flaws in Riot's driver code could create system-wide, "blue screen of death"-style crashes, as opposed to more localized application-specific glitches. And a serious oversight in the driver, like a buffer overflow exploit, could let an attacker install their own malicious code at an extremely low level, where it could be extremely dangerous.

How about no? Granting random software such access is a big no-no. On top of that, Riot is owned by Chinese Tencent.