Microsoft's legacy browser may be dead—but its remnants are not going anywhere, and neither are its lingering security risks.

After years of decline and a final wind-down over the past 13 months, on Wednesday Microsoft confirmed the retirement of Internet Explorer, the company’s long-lived and increasingly notorious web browser. Launched in 1995, IE came preinstalled on Windows computers for almost two decades, and like Windows XP, Internet Explorer became a mainstay—to the point that when it was time for users to upgrade and move on, they often didn’t. And while last week’s milestone will push even more users off the historic browser, security researchers emphasize that IE and its many security vulnerabilities are far from gone.

In the coming months, Microsoft will disable the IE app on Windows 10 devices, guiding users instead to its next-generation Edge browser, first released in 2015. The IE icon will still remain on users’ desktops, though, and Edge incorporates a service called “IE mode” to preserve access to old websites built for Internet Explorer. Microsoft says it will support IE mode through at least 2029. Additionally, IE will still work for now on all supported versions of Windows 8.1, Windows 7 with Microsoft’s Extended Security Updates, and Windows Server, though the company says it will eventually phase IE out in these, too.  

Seven years after the debut of Edge, industry analysis indicates that Internet Explorer may still hold more than half a percent of the total global browser market share. And in the United States, that share may be closer to as much as 2 percent.

“I do think we’ve made progress, and we probably won’t see as many exploits against IE in the future, but we will still have remnants of Internet Explorer for a long time that scammers can take advantage of,” says Ronnie Tokazowski, a longtime independent malware researcher. “Internet Explorer as the browser will be gone, but there are still pieces that exist.”

For something that’s been around as long as IE, backward compatibility is difficult to balance with the desire for a clean slate. “We haven’t forgotten that some parts of the web still rely on Internet Explorer’s specific behaviors and features,” Sean Lyndersay, the general manager of Microsoft Edge Enterprise, wrote in an IE retrospective on Wednesday, pointing to IE mode.

But he added that there was a real need to start over with Edge rather than trying to salvage IE. “The web has evolved and so have browsers,” he wrote last week. “Incremental improvements to Internet Explorer couldn’t match the general improvements to the web at large, so we started fresh.”

Microsoft says it will still support IE’s underlying browser engine, known as “MSHTML,” and it has its eye on versions of Windows still “used in critical environments.” But Maddie Stone, a researcher for Google’s Project Zero vulnerability hunting team, points out that hackers are still exploiting IE vulnerabilities in real-world attacks.

“Since we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we’ve ever tracked, even though Internet Explorer’s market share of web browser users continues to decrease,” she wrote in April, referring to previously unknown vulnerabilities, called zero-days. “Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn’t use Internet Explorer as their internet browser."

In her analysis, Stone particularly noted that while the number of new IE vulnerabilities Project Zero has detected has remained fairly constant, attackers have shifted over the years to increasingly target the MSHTML browser engine through malicious files like tainted Office documents. This could mean that neutering the IE application won’t immediately change attack trends that are already in motion.

Given how difficult it has been to rein in Internet Explorer at all, Microsoft and IE users around the world have certainly come a long way. But for a browser that’s supposed to be dead, IE still very much loads with the living.

The Ghost of Internet Explorer Will Haunt the Web for Years

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.
The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to

A security flaw in Apple Safari that was exploited in the wild earlier this year was originally fixed in 2013 and reintroduced in December 2016, according to a new report from Google Project Zero.

The issue, tracked as CVE-2022-22620 (CVSS score: 8.8), concerns a case of a use-after-free vulnerability in the WebKit component that could be exploited by a piece of specially crafted web content to gain arbitrary code execution.

In early February 2022, Apple shipped patches for the bug across Safari, iOS, iPadOS, and macOS, while acknowledging that it "may have been actively exploited."

"In this case, the variant was completely patched when the vulnerability was initially reported in 2013," Maddie Stone of Google Project Zero said. "However, the variant was reintroduced three years later during large refactoring efforts. The vulnerability then continued to exist for 5 years until it was fixed as an in-the-wild zero-day in January 2022."

While both the 2013 and 2022 bugs in the History API are essentially the same, the paths to trigger the vulnerability are different. Then subsequent code changes undertaken years later revived the zero-day flaw from the dead like a "zombie."

Stating the incident is not unique to Safari, Stone further stressed taking adequate time to audit code and patches to avoid instances of duplicating the fixes and understanding the security impacts of the changes being carried out.

"Both the October 2016 and the December 2016 commits were very large. The commit in October changed 40 files with 900 additions and 1225 deletions. The commit in December changed 95 files with 1336 additions and 1325 deletions," Stone noted.

"It seems untenable for any developers or reviewers to understand the security implications of each change in those commits in detail, especially since they're related to lifetime semantics."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Researchers Detail 5-Year-Old Apple Safari Vulnerability Exploited in the Wild

NHI’s health insurance web service component has insufficient validation for input string length, which can result in heap-based buffer overflow attack. A remote attacker can exploit this vulnerability to flood the memory space reserved for the program, in order to terminate service without authentication, which requires a system restart to recover service.

:::

*   首頁
*   資安服務
*   台灣漏洞揭露平台 (TVN)
*   TVN (Taiwan Vulnerability Note) 漏洞公告

TVN ID

TVN-202112007

CVE ID

CVE-2021-45918

CVSS

7.5 (High)  
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

影響產品

健保卡網路服務註冊網站供下載受影響版本之平台與相對應MD5 HASH：  
Windows: Setup.zip MD5驗證碼：515BE7DE5BCE446177FEE8A6E0665093  
Mac: NHI.Card.Mac.pkg.zip MD5驗證碼： 42fcc36541e716e23de77d5f325b186a  
Linux(Ubuntu): mLNHIICC\_Setup.Ubuntu.zip MD5驗證碼： 52EACB7CA2B4D0A5A869DF01079BF4D6  
Linux(Fedora): mLNHIICC\_Setup.fedora.zip MD5驗證碼： 52EACB7CA2B4D0A5A869DF01079BF4D6

問題描述

健保卡網路服務元件之特定函式未驗證輸入的字串長度，導致預先保留的記憶體Buffer不足，造成Heap-based Buffer Overflow漏洞，遠端攻擊者不須權限，即可利用該漏洞導致終止服務，須重啟服務才能恢復。

解決方法

至健保卡網路服務註冊網之下載點下載最新版本

漏洞通報者

Yu-Hsiang Lin

公開日期

2022-06-20

CVE-2021-45918: 健保卡網路服務元件 - Heap-based Buffer Overflow

This week on Lock and Code, we speak with Kim Lewandowski about what steps we can take to secure the software supply chain. 
The post Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13 appeared first on Malwarebytes Labs.

At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the “supply chain.” Immediate stockpiling by an alarmed (and from a smaller share, opportunistic) public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks.

In time, those items returned to stores. But then a big ship got stuck in the Suez, and once again, we learned even more about the vulnerability of supply chains. They can handle little stress. They can be derailed with one major accident. They spread farther than we know.

While the calamity in the canal involved many lessons, there was another story in late 2020 that required careful study in cyberspace—an attack on the digital supply chain.

That year, attackers breached a network management tool called Orion, which is developed by the Texas-based company SolarWinds. Months before the attack was caught, the attackers swapped malicious code into a legitimately produced security update from SolarWinds. This malicious code gave the attackers a backdoor into every Orion customer who both downloaded and deployed the update and who had their servers connected online. Though the initial number of customers who downloaded the update was about 18,000 companies, the number of customers infected with the attackers’ malware was far lower, somewhere around 100 companies and about a dozen government agencies.

This attack, which did involve a breach of a company, had a broader focus—the many, many clients of that one company. This was an attack on the software supply chain, and since that major event, similar attacks have happened again and again.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Kim Lewandowski, founder and head of product at Chainguard, about the software supply chain, its vulnerabilities, and how we can fix it.

> “Our software supply chains are as brittle and sort of filled with weaknesses, similar to a physical supply chain. When you think about every step of the path from when a developer starts writing software all the way to where it’s pushed to production, or where end user is using it, there’s different attack vectors across that entire path.”
> 
> Kim Lewandowski, founder, head of product, Chainguard Inc.

Tune in to hear about why the software supply chain is so difficult to secure, what is at stake if we continue to ignore the problem, and what steps we can take today—and tomorrow—to ensure that future software builds are secure and trustworthy.

This video cannot be displayed because your _Functional Cookies_ are currently disabled.

To enable them, please visit our _privacy policy_ and search for the Cookies section. Select _“Click Here”_ to open the Privacy Preference Center and select _“Functional Cookies”_ in the menu. You can switch the tab back to _“Active”_ or disable by moving the tab to _“Inactive.”_ Click _“Save Settings.”_

You can find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

****Show notes, resources, and credits**_:_**

Kubernetes diagram:

https://user-images.githubusercontent.com/622577/170547400-ef9e2ef8-e35b-46df-adee-057cbce847d1.svg

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13

Red Hat Security Advisory 2022-5002-01 - The Advanced Virtualization module provides the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Issues addressed include buffer overflow, integer overflow, and memory leak vulnerabilities.

Red Hat Security Advisory 2022-5002-01

Red Hat Security Advisory 2022-4994-01 - XZ Utils is an integrated collection of user-space file compression utilities based on the Lempel-Ziv-Markov chain algorithm, which performs lossless data compression. The algorithm provides a high compression ratio while keeping the decompression time short.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: xz security update  
Advisory ID:       RHSA-2022:4994-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4994  
Issue date:        2022-06-13  
CVE Names:         CVE-2022-1271   
=====================================================================

1. Summary:

An update for xz is now available for Red Hat Enterprise Linux 8.1 Update  
Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64

3. Description:

XZ Utils is an integrated collection of user-space file compression  
utilities based on the Lempel-Ziv-Markov chain algorithm (LZMA), which  
performs lossless data compression. The algorithm provides a high  
compression ratio while keeping the decompression time short.

Security Fix(es):

* gzip: arbitrary-file-write vulnerability (CVE-2022-1271)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2073310 - CVE-2022-1271 gzip: arbitrary-file-write vulnerability

6. Package List:

Red Hat Enterprise Linux BaseOS E4S (v. 8.1):

Source:  
xz-5.2.4-4.el8_1.src.rpm

aarch64:  
xz-5.2.4-4.el8_1.aarch64.rpm  
xz-debuginfo-5.2.4-4.el8_1.aarch64.rpm  
xz-debugsource-5.2.4-4.el8_1.aarch64.rpm  
xz-devel-5.2.4-4.el8_1.aarch64.rpm  
xz-libs-5.2.4-4.el8_1.aarch64.rpm  
xz-libs-debuginfo-5.2.4-4.el8_1.aarch64.rpm  
xz-lzma-compat-debuginfo-5.2.4-4.el8_1.aarch64.rpm

ppc64le:  
xz-5.2.4-4.el8_1.ppc64le.rpm  
xz-debuginfo-5.2.4-4.el8_1.ppc64le.rpm  
xz-debugsource-5.2.4-4.el8_1.ppc64le.rpm  
xz-devel-5.2.4-4.el8_1.ppc64le.rpm  
xz-libs-5.2.4-4.el8_1.ppc64le.rpm  
xz-libs-debuginfo-5.2.4-4.el8_1.ppc64le.rpm  
xz-lzma-compat-debuginfo-5.2.4-4.el8_1.ppc64le.rpm

s390x:  
xz-5.2.4-4.el8_1.s390x.rpm  
xz-debuginfo-5.2.4-4.el8_1.s390x.rpm  
xz-debugsource-5.2.4-4.el8_1.s390x.rpm  
xz-devel-5.2.4-4.el8_1.s390x.rpm  
xz-libs-5.2.4-4.el8_1.s390x.rpm  
xz-libs-debuginfo-5.2.4-4.el8_1.s390x.rpm  
xz-lzma-compat-debuginfo-5.2.4-4.el8_1.s390x.rpm

x86_64:  
xz-5.2.4-4.el8_1.x86_64.rpm  
xz-debuginfo-5.2.4-4.el8_1.i686.rpm  
xz-debuginfo-5.2.4-4.el8_1.x86_64.rpm  
xz-debugsource-5.2.4-4.el8_1.i686.rpm  
xz-debugsource-5.2.4-4.el8_1.x86_64.rpm  
xz-devel-5.2.4-4.el8_1.i686.rpm  
xz-devel-5.2.4-4.el8_1.x86_64.rpm  
xz-libs-5.2.4-4.el8_1.i686.rpm  
xz-libs-5.2.4-4.el8_1.x86_64.rpm  
xz-libs-debuginfo-5.2.4-4.el8_1.i686.rpm  
xz-libs-debuginfo-5.2.4-4.el8_1.x86_64.rpm  
xz-lzma-compat-debuginfo-5.2.4-4.el8_1.i686.rpm  
xz-lzma-compat-debuginfo-5.2.4-4.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqcmc9zjgjWX9erEAQgqQRAAm/fGQamwzgXIr6dPxZTYZyCs6DLknzJE  
46CLEojxVLzJKbeoFmQ8GcPLqRPM6lAl+h1aAuIb9ucQuuEPHVZHUScDt55OZPmX  
jeB1Tofdz5qB/BsOgKZjGnCSF2JmBSsBYTKYsj+8n4IAWchT9GZpwwqLU49LIgEv  
H6oyEoJCz/UhMkZRtRpPKYvJs6+EA/FVfVkZ+LzVaLde4E67pqwW9kLH0laLIED1  
qszhimDN9DyqU0BZpEFK5vl2RpQkOSkxKN6BKvmAcGmM97EF2ePGyEzY+siUq9qD  
t8WC2D63myCPfHZMLbQSeJnfY7FSZEbEY5wvVPCVdZGPzqqzc2P5gyFkZralYSRg  
021Hr0cfjI3Sz4f/Hj+MYwJzGDEAKORY/vM3mBVE1aqHFMOd4s/a3T59GnLSX0qj  
NFUsL+qMYnx7Esnj4Y60+/O1fR4uCdPmK1kjiDYtj7aULHRC5/eO+c4c5pLI+5wk  
7RE2s1ghGKFqIXc9e4323KTPoGz9a8akBQRpafrgeVGPnWdT/PAdLQhnwN9vrv6a  
rrtSMoi2eQfHLZ8WYEfc6jLGdtxJED3tjXZEucGGnjrBt9vNqAFpMEvfPoBnhn6y  
bplL5p5/IkwZVKXK7urzdYhlObBC1MOb76E3ihYhh/TTo4/7lg437F3sfsY47OdD  
Lp0DiP3Y824=  
=OTzz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-4994-01

Red Hat Security Advisory 2022-5026-01 - This advisory contains the following OpenShift Virtualization 4.10.2 images: RHEL-8-CNV-4.10. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Virtualization 4.10.2 Images security and bug fix update  
Advisory ID:       RHSA-2022:5026-01  
Product:           cnv  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:5026  
Issue date:        2022-06-14  
CVE Names:         CVE-2018-25032 CVE-2022-1271 CVE-2022-21698   
=====================================================================

1. Summary:

Red Hat OpenShift Virtualization release 4.10.2 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

This advisory contains the following OpenShift Virtualization 4.10.2  
images:

RHEL-8-CNV-4.10  
===============

virt-artifacts-server-container-v4.10.2-1  
kubevirt-template-validator-container-v4.10.2-1  
virtio-win-container-v4.10.2-1  
node-maintenance-operator-container-v4.10.2-1  
hostpath-provisioner-operator-container-v4.10.2-1  
virt-handler-container-v4.10.2-1  
libguestfs-tools-container-v4.10.2-1  
hostpath-csi-driver-container-v4.10.2-1  
virt-operator-container-v4.10.2-1  
virt-launcher-container-v4.10.2-1  
hostpath-provisioner-container-v4.10.2-1  
virt-api-container-v4.10.2-1  
virt-controller-container-v4.10.2-1  
cnv-must-gather-container-v4.10.2-2  
kubernetes-nmstate-handler-container-v4.10.2-3  
bridge-marker-container-v4.10.2-3  
virt-cdi-uploadproxy-container-v4.10.2-3  
virt-cdi-uploadserver-container-v4.10.2-3  
ovs-cni-marker-container-v4.10.2-3  
virt-cdi-operator-container-v4.10.2-3  
ovs-cni-plugin-container-v4.10.2-3  
kubemacpool-container-v4.10.2-3  
virt-cdi-controller-container-v4.10.2-3  
kubevirt-ssp-operator-container-v4.10.2-4  
cnv-containernetworking-plugins-container-v4.10.2-3  
cluster-network-addons-operator-container-v4.10.2-3  
virt-cdi-apiserver-container-v4.10.2-3  
hyperconverged-cluster-operator-container-v4.10.2-2  
hyperconverged-cluster-webhook-container-v4.10.2-2  
virt-cdi-cloner-container-v4.10.2-3  
virt-cdi-importer-container-v4.10.2-3  
hco-bundle-registry-container-v4.10.2-10

Security Fix(es):

* prometheus/client_golang: Denial of service using  
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2016290 - [Warm] Warm Migration Fails and reporting ambiguous status.  
2033346 - [cnv-4.10] Add vm name label to virt-launcher pods  
2037605 - Openshift Virtualization alert 50% of the hyperconverged-cluster-operator-metrics/hyperconverged-cluster-operator-metrics targets in openshift-cnv namespace have been unreachable for more than 15 minutes on port 8686  
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter  
2074384 - SAP HANA template - template should be moved to https://github.com/RHsyseng/cnv-supplemental-templates  
2080453 - [4.10.z] cluster-network-addons-operator deployment's MULTUS_IMAGE is pointing to brew image  
2080918 - Upgrade CNV from 4.10.1 to 4.11 should be blocked if CNV k8s-nmstate is still installed  
2083594 - virtctl guestfs incorrectly assumes image name  
2085459 - smartclone-controller not started and cloned DataVolumes stuck in SnapshotForSmartCloneInProgress  
2086114 - HCO is taking more than 12 minutes to reconcile consolequickstart connect-ext-net-to-vm and customize-a-boot-source  
2086541 - NMO CSV dependency to CNV is failing  
2088476 - [4.10.z] VMSnapshot restore fails to provision volume with size mismatch error  
2088622 - 4.10.2 containers  
2089637 - CNAO is blocking upgrade to 4.11 despite standalone nmstate operator is installed  
2089658 - SSP Reconcile logging improvement when CR resources are changed  
2089661 - [CNV-4.10] HCO Being Unable to Reconcile State

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032  
https://access.redhat.com/security/cve/CVE-2022-1271  
https://access.redhat.com/security/cve/CVE-2022-21698  
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYqkgw9zjgjWX9erEAQgx+Q/8D2hk89x/JBZwDsyIG/MKZv4CSdKzpdEv  
hXrzpPanW2er9kpYXXFtzIXTpE72UHhbcDvDypyYWPTFaf7b1Lh8Xnk2/3EJMBym  
woyeAngh7a8R7bYNQaokpNVUPTk3IifQkh3ZfRQn5O5GRP2sIZe1eOAc5OX05//R  
VzjfKv5KEJlbW/9EYlmXhQUUirhRsAmKKakRWtMxAMjepatjvR1kuJVn6GWBRlWj  
HOKi8oku30sk3SPWs3oBQ4tzPa2eJu9xAohO5wi16WlCcUj8T4V8yQiO5Ej2gEbY  
0jxYZ1KERyLGxOOP5Pfx1ZkcxmOydvRPxAfqqU7tKoiZPRrOropKJwXpQMGDXxnJ  
TnHPP0Y7KaoI8ybC45nY4pYpPimxRl4+o0hzoIEomOdCFpg+e1aNj2sQE/IzUYAT  
nn6b9n5gm3tKNGbgaQu3P+HA2BVIEmZnCGMOknD0ji3yLiVBObri+mSr0TgaQrNt  
vvIsBdfbDfOOI6ZFhl55fAowj0o8UATfBDbh0G/eO5fQ3g3f1Ydk1/jleOaQwZ1U  
usNYXKD2hbfq0Hq4GaI+a/4ZGFSJ1eRUFSdUtWHvX69DBtrDAj4ivCv6AX5jAoWL  
B66g76/nyTqxVT6frlTh2BT5ZC4T8DoICLB+HLlmXSu9sk4fLGGGCkaqq/wTagfE  
KAa582gklnA=  
=C1sU  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-5026-01

Zyxel firewalls, AP controllers, and APs suffer from buffer overflow, format string, and command injection vulnerabilities.

Zyxel Buffer Overflow / Format String / Command Injection

Put a digital lock on your most important data.

You never know when one of your files might reach someone it wasn't intended to reach—perhaps through an email forward, a USB stick left behind on a desk, or maybe even an unauthorized user accessing your computer.

Should that happen, password protection is all that stands between your data and the people whom you don't want to see it. It's an extra layer of security you can add to your most sensitive files without too much trouble.

How you go about this will depend on the software you're using to create the file in the first place. Some applications have password protection features built in, while in other cases you'll need to lock up your files using a different method.

Microsoft Word, Excel, and PowerPoint

Adding a password to a document in Word.

Microsoft Word via David Nield

In Word, Excel, or PowerPoint for Windows, open the file you want to protect with a password, then select **File** and **Info**. You should see a Protect option at the top of the next list: Click this button, choose **Encrypt with Password**, and type out your password.

Passwords can be up to 15 characters long and are case-sensitive, so double-check what you're typing in. If you forget the password for a document, spreadsheet, or presentation, you won't be able to get back into it—you'll have to start again from scratch.

If you're using Office on macOS, the process is slightly different: Open the **Review** tab in the ribbon menu at the top, then click the **Protect** button to enter a password. (The button will be labeled slightly differently depending on which program you're in.)

Google Docs, Sheets, and Slides

Sharing a document in Google Docs.

Google Docs via David Nield

There's no password protection feature as such in Google Drive, because your files are already protected by a password: The password linked to your Google account that you use to log in and view your documents, spreadsheets, and presentations.

If you choose to share a file from Google Docs, Sheets, or Slides—via the big **Share** button in the top-right corner when you're working on something—you can either invite specific users to see it (via their email addresses) or generate a link that anyone can use.

We'd recommend the former option (inviting individual users) for maximum security. This means they'll need to log in with their own Google account password—another layer of password protection—before being able to view the file you've shared.

Apple Pages, Numbers, and Keynote

Setting a password on a document in Apple Pages.

Apple Pages via David Nield

If it's the Apple office applications that you're using, the process of adding a password couldn't be much easier. With the file open in Pages, Numbers, or Keynote, select **File** and then **Set Password** to choose and apply your password.

The same warning applies as it does with Microsoft Office—if you can't remember your password then you're not going to be able to get back into your document, spreadsheet, or presentation (otherwise hackers would be able to get in as well).

Note the **Open with Touch ID** checkbox on the password dialog. This gives you the option of using a Touch ID–enabled keyboard on macOS to open your own protected files, saving you the trouble of typing out a password each time.

Protecting Other Files

Adding password protection to a folder on Dropbox.

Dropbox via David Nield

We can't cover every application out there in terms of password protection, but if you dig around in the programs that you're using you might find that they offer this form of additional security while saving files.

If not, you've still got a few options. Keeping files in cloud storage lockers (like Google Drive) is one option: The act of sharing files on these services usually requires a username and password to log in, so your files are kept safe in that way.

Sometimes there are extra features. In the case of Dropbox, for example, on the folder-sharing pane on the web, you can click **Settings** and then change **Who has access** to **People with password**—so both a unique URL and a password are required for access.

If you need another option, create a password-protected archive containing the file or files that you need to keep safe. 7-Zip is a free tool for Windows that is able to build password-protected archives, for example.

Should your files be on an external hard drive, you can encrypt the entire drive and add a password to guard against unwanted access: In Windows, right-click on the drive in File Explorer and choose **Turn on BitLocker**; on macOS, go through the Disk Utility.

Third-party applications such as VeraCrypt (free for both Windows and macOS) are also able to encrypt drives for you, adding password protection at the same time. It's a sensible choice if you're putting sensitive data on a portable storage device.

How to Password Protect Any File

Plus: Firefox adds new privacy protections, a big Intel and AMD chip flaw, and more of the week’s top security news.

This week, WIRED revealed new details that link an Indian police force to a hacking campaign against human rights defenders and activists. Researchers at SentinelOne uncovered connections between the city of Pune’s police agency and evidence planted on the devices of activists, as part of a hacking campaign dubbed Modified Elephant. It is alleged that evidence was planted on the computers of activists Rona Wilson and Varvara Rao and then used to arrest the two men. Among other details, an unnamed security analyst at an email provider revealed to SentinelOne and WIRED that the email address and phone number of a Pune police official was set as the recovery email on hacked accounts.

Elsewhere, a new front is emerging in Russia’s war against Ukraine. In the occupied city of Kherson and other nearby regions, Russian forces are routing internet connections from Ukrainian internet service providers to Russian companies. Ukrainian officials tell WIRED the shifts are happening at a large scale and could result in people being subjected to Vladimir Putin’s surveillance and censorship machine.

Robocalls aren’t going away. There’s been progress in tackling the nuisance calls in recent years but the spammy calls are still prevalent. This week we looked into the roots of the problem and what can still be done in the fight against robocalls. We also looked at a new way for cops to collect your fingerprints. How censors in Shanghai haven’t been able to hide stories of the city’s dead during an aggressive Covid-19 lockdown. And the dwindling options facing WikiLeaks founder Julian Assange after the UK Home Office approved his extradition to the US, where he faces espionage and hacking charges.

But that's not all, folks. Each week we round up the big security and privacy news we didn't cover ourselves. Click the links for the full stories, and stay safe out there.

Viktor Muller Ferreira had a traumatic childhood. Growing up, his father and mother—who had adopted him—split up. His mother later died of pneumonia, and his aunt, who raised him, also passed away. The family didn’t have much money. At school, children bullied Ferreira for his looks and his weird accent. As a result, he didn’t have many friends.

One day when his aunt was out, a neighborhood boy came round and told Ferreira that he was the fairy tale character Grey Shadow and he was going to “devour” him. “This scared me so much that I spent the entire day in a small box out on the balcony, praying until my aunt came home.” As he grew older he worked in a garage, took an interest in journalism, and moved to Brazil to reunite with his estranged father and “restore my citizenship.”

Except, according to authorities in the Netherlands, none of that is true.

Dutch intelligence agency AVID claimed this week that “Viktor Muller Ferreira” is just a cover story and false identity for Sergey Vladimirovich Cherkasov, an alleged Russian intelligence officer belonging to the GRU military unit. AVID said it caught Cherkasov applying to be an intern at the International Criminal Court at The Hague, which is investigating potential war crimes in Russia’s wars against Ukraine and Georgia.

As well as stopping Cherkasov from obtaining the position at the ICC and sending him back to Brazil, the Dutch intelligence agency also published his long and detailed cover story. The four-page story, often known as a covert intelligence officer’s “legend,” details the background of the “Ferreira” identity. “The threat posed by this intelligence officer is deemed potentially very high,” AVID said in a statement.

Since outing “Ferreira,” more clues about his undercover life have emerged. Social media profiles belonging to “Ferreira” have been discovered by the investigative unit Bellingcat, as well as a blog and online CV. He also studied at Trinity College Dublin and Johns Hopkins University. Eugene Finkel, an associate professor at Johns Hopkins, who says he taught “Ferreira,” tweeted: “I wrote him a letter. A strong one, in fact. Yes, me. I wrote a reference letter for a GRU officer. I will never get over this fact. I hate everything about GRU, him, this story. I am so glad he was exposed.”

For years it’s been impossible to move backups of WhatsApp chats between Android and iOS, and vice versa. In August last year, WhatsApp announced it was starting to roll out the ability for people to move their data between iPhones and Android devices. Now, this week, the Meta-owned company says backups will work in the other direction too—from Android to iOS.

Processors from Intel and AMD are vulnerable to a new side-channel attack called Hertzbleed. The attack could allow the theft of cryptographic keys and data, as reported by BleepingComputer and DarkReading. Hertzbleed works by exploiting a common power-saving feature in chips—called dynamic frequency scaling (DVFS)—that could allow an attacker to steal data. Frequency changes in DVFS may be correlated with information being processed by chips, Intel says in a blog post. Despite this, neither Intel nor AMD appear to have plans to address the issue. However, the risk to end users seems low at the moment. The team of researchers who found Hertzbleed say ordinary users probably shouldn’t be worried.

Ever since Covid-19 started spreading in early 2020, technological systems have been developed to try to control its spread. In China, a mandatory health code system was created to monitor people’s health status—people with a red code are required to self-isolate, those with a green code are allowed to move freely. These health codes are tied to people’s phones. Now, according to multiple reports, people in the Chinese province of Henan claim their plans to protest have been blocked as their health code has been turned red. Several people impacted claim they have not been around anyone positive with Covid-19 and the change is an abuse of power by officials.

Mozilla’s web browser may have been struggling in recent years, but it is still one of the most privacy-friendly browsers. This week the company said Firefox is turning on its Total Cookie Protection feature by default for everyone using the browser. Any cookies saved to your computer will be available only to the website that placed them there, Mozilla explains in a blog post. “Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites,” the company says, adding it is “Firefox’s strongest privacy protection to date.”

In November 2021, the US sanctioned notorious Israeli spyware firm NSO Group. The company’s Pegasus hacking tool has been used around the world to spy on journalists and activists. This week it emerged that US defense firm L3Harris is interested in purchasing the technology behind Pegasus, as the _Financial Times_ reports. Any purchase of the technology by a US company would potentially put it at odds with the Biden administration, which blacklisted NSO. Talk of the potential deal, which was said to be in early stages, has prompted criticism from the White House. “We are deeply concerned,” a senior official told the _Washington Post_. They said the deal could cause security and counterintelligence issues for the US.

Tag

#mac