Tech News

Windows Vulnerability Lets Arbitrary Code Run in Kernel Mode

Microsoft has patched a critical system vulnerability in Windows that allowed an attacker to "run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Adobe Flash was also affected by the vulnerability. The vulnerability was discovered by Google researchers, and they informed Microsoft and Adobe on October 21. Adobe fixed the security hold on October 26, whereas Microsoft supposedly kept it for their monthly patches.

Google offers a grace period of seven days to vendors before disclosing vulnerabilities publicly. When Microsoft failed to release the patch after that grace period, Google went public on October 31.

Microsoft was obviously not happy with Google's disclosure. But it's debatable whether such exploits should be patched immediately or companies should wait for their regular update cycle.

To Google's defense, the company provided only basic info about the bug to warn the public without disclosing any critical information that could help cybercriminals in exploiting it. Microsoft admitted that Strontium, a group of hackers with Russian ties, was using the vulnerability to carry out low-volume spear-phishing attacks.

If you are a Windows user, please update your system immediately.

Google Patches and Doesn't Patch Dirty COW Bug

Although Google is quite active at disclosing vulnerabilities in Microsoft's products, the search engine giant isn't that proactive in patching critical bugs in its own products. Google released the November updates for Android, which missed patches for the critical Dirty COW bug that was disclosed recently. Every single Android device is therefore vulnerable.

There is good news for Nexus and Pixel users. The Dirty COW patch is missing from the official November Android update, but Google has released a supplement update for its own devices (Nexus and Pixel) that patches the bug. So far, Samsung is the only other hardware vendor that has independently patched the Dirty COW bug.

Dirty COW is a Linux Kernel bug that has been around for years and was disclosed only recently. According to researchers who discovered the bug, "an unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."

The Linux kernel community acted swiftly and patched the bug immediately. Major Linux distributions have already pushed updates to patch the bug.

Viewing a JPEG File May Compromise iOS Devices

Apple has released a fix for iOS that patches a very serious security vulnerability discovered by Marco Grassi of Tencent's Keen Lab. What makes this vulnerability extremely serious is that the victim only has to view the affected JPG image file without even downloading the image or installing any malicious code. Apple wrote on its 10.1 update page that "Viewing a maliciously crafted JPEG file may lead to arbitrary code execution."

In addition to fixing the JPEG security hole, the iOS 10.1 update fixed some other flaws in iOS, including a bug in FaceTime that allows an attacker to listen to audio even after the call is terminated. Another bug that was fixed allows applications to obtain access to contacts even if access is revoked. Another notorious problem was fixed in WebKit that lead to arbitrary code execution after visiting maliciously crafted web content.

iOS users should update their devices immediately. Usually it's recommended to always keep software updated, but Apple has recently earned a bad reputation when it comes to iOS updates. It's widely reported that many iPhone and iPad users found their devices bricked when they attempted the over-the-air update to iOS 10. T-Mobile urged its customers not to install iOS updates as they were breaking connectivity. These issues discourage users from installing updates immediately, but in this case, Apple feels an update is necessary.

If you are an iPhone 7 Plus user, there is a carrot for you: The update will also unlock the portrait mode that will allow you to add bokeh effects (blurred background with focused foreground) to your images.

Samsung Kills Galaxy Note 7 Phone

Samsung is killing its Galaxy Note 7 phone after failing to find the cause of spontaneous explosions many users have reported around the globe.

The company has published consumer guidance for the Galaxy Note 7, urging customers to exchange their current Galaxy Note 7 for a Galaxy S7 or Galaxy S7 Edge and offering to replace any Galaxy-Note-7-specific accessories with a refund of the price difference. Customers can also contact their point of purchase to obtain a full refund.

"Samsung has received 92 reports of the batteries overheating in the U.S., including 26 reports of burns and 55 reports of property damage, including fires in cars and a garage," according to the United States Consumer Product Safety Commission.

Initially Samsung blamed faulty batteries by a supplier for the explosions and started a recall program. The bad news started pouring in when the replaced phones, supposedly with a different battery from a different vendor, also started catching fire. Just recently, a US flight had to be cancelled when a Galaxy Note 7 onboard started to smoke.

It appears Samsung still doesn't know why this phone is exploding, and that could be bad news for the Korean giant.

Samsung said in a statement to media, "For the benefit of consumers' safety, we stopped sales and exchanges of the Galaxy Note 7 and have consequently decided to stop production."

But the lack of a known cause could have a long-lasting impact on the trust of Samsung's customers. If Samsung had managed to carry out the recall correctly and identified the actual cause of explosion, they would be in a better position to compete for future business.

The Guardian quotes Richard Windsor, an analyst at the Edison Investment Research, "As long as Samsung carried out the recall smoothly and kept users very happy, the issue would eventually blow over. Unfortunately, this is very far from the case, and the fact that Samsung appears to be still shipping defective devices could trigger a large loss of faith in Samsung products."