
Just days after the monthly Patch Tuesday Windows security update, four Windows zero-day vulnerabilities have been publicly disclosed while still unpatched. Every month, Microsoft fixes a batch of security vulnerabilities across its product range on Patch Tuesday. The latest round addressed a total of 111 security vulnerabilities, sixteen of them rated critical, and, crucially, none of them were zero-days. A zero-day vulnerability is one the vendor has not yet patched, leaving a window of opportunity for anyone who wants to exploit it. That's the good news. The bad news is that no fewer than four new zero-days affecting Microsoft Windows have now been publicly disclosed, three of which affect the same core Windows system file. Trend Micro's Zero Day Initiative (ZDI) is a bug bounty program founded in 2005 that encourages the reporting of zero-day vulnerabilities by paying security researchers. "We make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw, which leaves researchers free to go find other bugs," the About ZDI page states. It also says that no technical details about any vulnerability are made public until the vendor has released a patch. ZDI gives vendors a 120-day window in which to address the vulnerability, after which a "limited advisory," which includes mitigation advice, is published if no patch has been forthcoming. The Windows zero-days disclosed in this way on May 19 mostly affect a core Windows system file called splwow64.exe, the printer driver host for 32-bit applications. The name stands for Spooler Windows-on-Windows 64-bit: it is the 64-bit process that lets 32-bit applications use 64-bit printer drivers on a 64-bit Windows system. CVE-2020-0915, CVE-2020-0916, and CVE-2020-0986 all affect that splwow64 system file. All three carry a CVSS score of 7.0, which falls in the "high" severity band. 
If exploited, these vulnerabilities would allow an attacker to escalate privileges on the targeted Windows computer. "The specific flaw exists within the user-mode printer driver host process splwow64.exe. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer," the ZDI advisory states. "An attacker can leverage this vulnerability to escalate privileges from low integrity and execute code in the context of the current user at medium integrity." Note the scope of that escalation: it is an escape from low integrity, the level at which sandboxed processes run, to the current user's normal medium integrity, not to SYSTEM, so on its own it is a sandbox-escape primitive rather than a full administrative compromise. Learn more about this zero-day vulnerability by visiting OUR FORUM.
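The advisory text describes a bug class rather than a specific code path, so the following is an added, constructed illustration of that class and is not splwow64 code or anything from ZDI's advisory: a host process receives a value from a lower-privileged client and uses it as a pointer (here, as an offset into a buffer the client is allowed to fill) without first checking it. The struct names, buffer size and message layout are all hypothetical. The unchecked version dereferences wherever the client points; the hardened version validates the offset against the buffer the client actually owns, without any arithmetic that can wrap, before forming a pointer from it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed illustration of "user-supplied value dereferenced as a
 * pointer". Names, sizes and layout are hypothetical; this is not the
 * real splwow64.exe message handling.
 */

#define SHARED_SIZE 256u

typedef struct {
    uint8_t shared[SHARED_SIZE];   /* memory the client is allowed to fill */
} host_ctx;

typedef struct {
    uint64_t offset;               /* client-supplied: where its uint32 lives */
} client_msg;

/* Vulnerable pattern: the client's offset is trusted and dereferenced as-is.
 * A client sending offset >= SHARED_SIZE, or one large enough to wrap the
 * addition, steers the host's read anywhere in the host's address space,
 * which is the primitive a privilege escalation is built from. */
uint32_t read_value_unchecked(const host_ctx *ctx, const client_msg *msg)
{
    const uint8_t *p = ctx->shared + msg->offset;    /* no bounds check */
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Hardened pattern: decide whether a field of field_size bytes at the
 * client-supplied offset lies entirely inside shared[]. Returns 1 if it
 * does, 0 otherwise. The checks are ordered so nothing can overflow. */
int offset_is_valid(uint64_t offset, size_t field_size)
{
    if (offset > SHARED_SIZE)               return 0;   /* start is past the end */
    if (field_size > SHARED_SIZE - offset)  return 0;   /* field would run off the end */
    if (offset % field_size != 0)           return 0;   /* require natural alignment */
    return 1;
}

/* Returns 0 and writes *out on success, -1 when the message is rejected
 * before any pointer is formed from the client's value. */
int read_value_checked(const host_ctx *ctx, const client_msg *msg, uint32_t *out)
{
    if (!offset_is_valid(msg->offset, sizeof *out))
        return -1;
    memcpy(out, ctx->shared + (size_t)msg->offset, sizeof *out);
    return 0;
}
```

The ordering inside `offset_is_valid` is the point worth copying: comparing `offset` against the buffer size before subtracting, and comparing `field_size` against the remaining room rather than computing `offset + field_size`, means a client cannot pick a value that wraps the check into passing.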

Huawei Technologies Co. warned the latest U.S. curbs on its business will inflict a “terrible price” on the global technology industry, inflaming tensions between Washington and Beijing while harming American interests. China’s largest technology company said it will be “significantly affected” by a Commerce Department decree barring any chipmaker using American equipment from supplying Huawei without U.S. government approval. That means companies like Taiwan Semiconductor Manufacturing Co. and its rivals will have to cut off the Chinese company unless they get waivers -- effectively severing Huawei’s access to cutting-edge silicon it needs for smartphones and networking gear. Washington’s decision drew condemnation from Beijing, which regards Huawei as a national champion because of its success in dominating global networking technology. China and Huawei have threatened retaliation but Rotating Chairman Guo Ping on Monday refrained from commenting on a possible Beijing response -- a departure from just two months ago when the company warned Washington risked opening a “pandora’s box” and Chinese countermeasures if it chose to go ahead with additional restrictions. “Our business will significantly be impacted,” Guo said at a company briefing with analysts in Shenzhen. “Given the changes in the industry over the past year, it dawned on us more clearly that fragmented standards and supply chains benefit no one. If further fragmentation were to take place, the whole industry would pay a terrible price,” he added. Huawei is still assessing the potential fallout of the latest restrictions and couldn’t predict the impact on revenue, for now, Guo said. On Monday, a swathe of Huawei’s suppliers from TSMC to AAC Technologies Holdings Inc. plunged in Asian trading. Guo was far less vocal than colleague Richard Yu, who runs the consumer division responsible for smartphones. The outspoken executive said the restrictions that ostensibly aim to allay U.S. 
cybersecurity concerns are really designed to safeguard American dominance of global tech. “The so-called cybersecurity reasons are merely an excuse,” Yu, head of the Chinese tech giant’s consumer electronics unit, wrote in a post to his account on messaging app WeChat earlier on Monday. “The key is the threat to the technology hegemony of the U.S.” posed by Huawei, he added. Yu also posted a link to a Chinese article circulating on social media with part of its headline asking: “Why Does America Want to Kill Huawei?” Follow this and more news on Huawei on OUR FORUM.

Microsoft president and chief legal counsel Brad Smith has taken his turn at admitting that Microsoft's former stance on open source put it on the "wrong side of history". In 2001 former Microsoft CEO Steve Ballmer famously said, "Linux is a cancer that attaches itself in an intellectual property sense to everything it touches." Shortly after that, and for the same reason, Microsoft co-founder Bill Gates described the open-source GPL (GNU General Public License) as "Pac-Man-like". Ballmer has since made peace with open source, and now Smith, who was one of Microsoft's top lawyers during its war on open source, has admitted that he too was wrong about its approach to the technology. "Microsoft was on the wrong side of history when open source exploded at the beginning of the century, and I can say that about me personally," he said in a talk about hot computing topics at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL). "The good news is that, if life is long enough, you can learn … that you need to change." Of course today, with an eye on cloud developers and as the owner of the code-sharing site GitHub, Microsoft approaches open source completely differently, even shipping Windows 10 with a custom Linux kernel for developers who use the Windows Subsystem for Linux. "Today, Microsoft is the single largest contributor to open-source projects in the world when it comes to businesses," said Smith. "When we look at GitHub, we see it as the home for open-source development, and we see our responsibility as its steward to make it a secure, productive home for [developers]." Smith also said that in 2013 President Obama warned top executives from Google, Microsoft, Apple, and Facebook that they too would soon face scrutiny over privacy. Obama made the prediction at a roundtable with tech executives who were pushing for surveillance reforms following Edward Snowden's NSA leaks, reminding them that they held more data about people than the government did. 
Smith said the "political watershed moment" arrived with the Cambridge Analytica scandal, which affected tens of millions of Facebook users and resulted in huge fines for Facebook. Tune into OUR FORUM to learn more.   

Apple recently confirmed one of the longest-running vulnerabilities in iOS history, affecting millions of iPhone users. And now new information reveals it just got bigger. In April, Apple acknowledged that every iPhone released in the last eight years was vulnerable to remote attacks through the iOS Mail app. At the time, the company played down the severity of this, saying it had seen 'no evidence' of exploits, but now ZecOps, the security specialist which discovered the flaw, has contacted me with new information: not only is the flaw being triggered in the wild, but the first potential triggers existed a decade ago and every iPhone ever made is vulnerable (Apple confirmed last year that there are 900M active iPhones). 05/12 Update: Apple has responded to me saying it will be sticking to its original statement regarding this vulnerability (quoted below) and is crediting ZecOps for its discovery. As it stands, Apple is not commenting on ZecOps' additional discoveries of vulnerabilities and real-world triggers dating back to 2010. Apple will deliver a fix in iOS 13.5, but there is currently no commitment to patch previous versions of iOS to protect older iPhones. Needless to say, I will keep this post updated with further developments on both sides. As it stands, further developments appear inevitable. 05/13 Update: while Apple continues to play down this vulnerability, significant action is being taken elsewhere. For example, Germany's Federal Office for Information Security (BSI) has issued a statement recommending the removal of the iOS Mail app. BSI President Arne Schönbohm states: "The BSI assesses these vulnerabilities as particularly critical. It enables the attackers to manipulate large parts of the mail communication on the affected devices. Furthermore, there is currently no patch available. This means that thousands of iPhones and iPads are at acute risk from private individuals, companies, and government agencies. 
We are in contact with Apple and have asked the company to find a solution for the security of their products as soon as possible." iOS 13.5 cannot arrive soon enough. Apple's original statement reads: "Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher's report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance." "We continued our research of the MailDemon vulnerability," said ZecOps CEO Zuk Avraham. "We were able to prove that this vulnerability can be used for Remote Code Execution. Unfortunately, a patch is still not available." For more visit OUR FORUM.

Slowly, slowly, Huawei is piecing together its alternatives to Google’s software and services, bedding down for a world where there can be no post-blacklist return to business as usual. And while the mood music from Shenzhen still suggests that the company would like nothing more than restoring Google on its new phones, the truth is much more complicated. The strategy in Shenzhen goes beyond phones, leveraging China’s huge investments in 5G and AI, looking at areas in which it can establish its brand beyond 5G network kit and consumer devices. At around the time of the Mate 30 launch last fall, Huawei also started talking up its new connected car platform—HiCar. And while this may have come across as an Android Auto (or Apple CarPlay) lookalike, compensating for the company’s loss of Google, that isn’t the plan. This is much more radical, a fundamentally different approach to the one taken by Google and Apple. Pitched at automakers as well as the drivers of their cars, this is API-level integration to car functions, linkages to cameras, fatigue and safety checks, even cloud-based services. All that atop the usual infotainment and navigation options. Now the rubber is about to hit the road on HiCar, quite literally, as Huawei looks to shepherd the tech onto countless cars from dozens of manufacturers. This is the year that HiCar becomes a reality and we will find out whether it is a viable option in itself, and how it battles Google (and Apple) apps in the auto space. If Huawei gets the strategy right, it will help fill some of the international smartphone-shaped gaps in its revenues, while millions of its users will stand to benefit. In the aftermath of the launch of the P40, its latest non-Google flagship, Huawei has been lauding the features of HiCar and its coming to market this year. The company has reportedly ensured that HiCar will reach its users en masse in 2020, shipping on as many as 120 different car models from 30 manufacturers. 
In the six months since the HiCar chatter began, we've seen Chinese automaker (and GM joint venture) Baojun become the first to launch a vehicle with the tech on board. The company says all future vehicles will get the update. The expectation is that many other manufacturers will follow this year, not just in China but overseas as well; according to Nikkei Asian Review and ChinaPEV, German giant Audi is among them. Audi has been approached for comment. As I reported yesterday, May 8, Huawei is quietly using its balance sheet to fund investments in connected automotive technologies. Bringing together consumer OS expertise with advancements in silicon and cloud services, the Chinese giant has set itself the goal of becoming the "leading Chinese platform provider" in the space. Huawei's newest business unit is Intelligent Automotive Solution (IAS), and it could become one of its most important. Automotive sits at the very intersection of huge investments in AI, 5G, cloud, and IoT. That's why Huawei's competition in the space includes Apple, Google's stablemate Waymo and Tesla. China is the world's largest car market and will likely lead the world in next-gen autonomous vehicles as well. Huawei is well placed: right place, right time. There is more posted on OUR FORUM.

Despite increasingly vocal anti-China rhetoric from American politicians of late, the United States government, as reported by Reuters, is set to sign off on new rules which allow American technology companies to work with China's Huawei in coordinating standards for global 5G networks. The move comes despite an all-out war against the Shenzhen firm by the United States government for nearly two years, which has seen Washington attempt to bludgeon the company with a number of tactics, including domestic blacklistings and sales restrictions, coercing foreign governments against using it, legal charges at home and the pursuit of Meng Wanzhou in Canada. The timing of this move, given the circumstances, is extremely odd. However, conceding that Huawei will have a role in setting global 5G standards is an indication that the White House is now aware of the realities at play. The United States has effectively lost the 5G war against Huawei. Having failed to get it blacklisted throughout the world, Washington is now resigned to the fact that the company will dominate the standards of the next-generation internet, and it is therefore forced to work with it in doing so rather than against it. The outcome marks a major strategic defeat for the United States on this issue. First of all, despite everything we are hearing from the U.S. right now, policy and rhetoric are different things. As I have set out previously, many American politicians are showcasing anti-China stances in pursuit of electoral races, and this does not always translate into practical policy outcomes. Trump sees opportunity in bashing China right now over the COVID-19 pandemic; however, what he says and suggests does not tell us everything he will do in practice, and thus it is important to read between the lines during this period. This brings us to Huawei. 
The Trump administration's campaign against the Chinese firm has been a failure on multiple levels. Starting in 2018, it sought to isolate Huawei globally by pressuring allied countries to shun the firm from their 5G networks, branding it a security risk. One of the cited reasons for this was a fear in Washington that China could grow to dominate the global standards of the next generation of internet technology. Whilst countries more loyal to U.S. strategic goals, such as Australia, followed suit, by and large the rest of the world did not, even close allies such as the United Kingdom. As a result, despite repeated aggressive actions from Washington, by the start of 2020 Huawei stood as the world's largest holder of 5G patents and commercial contracts, well on course for over 100 deals, with roughly half of those based in Europe. Details can be found on OUR FORUM.