How the Top 5 PC Makers Open Your Laptop to Hackers

May 31, 2016 – 6:39 PM

Software makers like Microsoft put a lot of effort into ensuring that the operating system and application updates they deliver to your system are secure, so that hackers can’t hijack updates to get into your computer.

But it turns out that PC hardware makers are not so careful. An investigation conducted by Duo Security into the software updaters of five of the most popular PC manufacturers—HP, Dell, Acer, Lenovo, and Asus—found that all had serious security problems that would allow attackers to hijack the update process and install malicious code on victim machines.

Researchers at Duo Security’s Duo Labs found that all five vendors, known as OEMs or Original Equipment Manufacturers, shipped computers with pre-installed updaters that had at least one high-risk vulnerability that would give an attacker remote-code execution abilities—the ability to remotely run whatever malicious code they want on a system—and gain complete control of the system. The skill required to exploit the vulnerabilities was minimal, the researchers said in a report they’re releasing (.pdf) about their findings.

The OEM vendors all shared similar security flaws in varying degrees, such as failure to deliver updates over a secured HTTPS channel or failure to sign update files or validate them. These problems make it possible for attackers to conduct a man-in-the-middle attack to intercept update files as they’re transmitted to computers and replace them with malicious ones. The malicious files can get installed regardless of other protections a machine might have because updaters operate with the highest level of trust and privilege on machines.

Source:
https://www.wired.com/2016/05/2036876/

Google to block Flash on Chrome, only 10 websites exempt

May 16, 2016 – 7:55 AM

The slow and inexorable slide to a world without Flash continues, with Google revealing plans to phase out support for Adobe’s Flash Player in its Chrome browser for all but a handful of websites. And the company expects the changes to roll out by the fourth quarter of 2016.

While it says Flash might have “historically” been a good way to present rich media online, Google is now much more partial to HTML5, thanks to faster load times and lower power use.

As a result, Flash will still come bundled with Chrome, but “its presence will not be advertised by default.” Where the Flash Player is the only option for viewing content on a site, users will need to actively switch it on for individual sites. Enterprise Chrome users will also have the option of switching Flash off altogether.

Source:
http://www.cnet.com/news/google-to-block-flash-on-chrome-only-10-websites-exempt/

New Windows 10 build kills controversial password-sharing Wi-Fi Sense

May 14, 2016 – 7:27 AM

When Microsoft announced Windows 10, it added a feature called Wi-Fi Sense that had previously debuted on the Windows Phone operating system. Wi-Fi Sense was a password-sharing option that allowed you to share Wi-Fi passwords with your friends and contacts in Skype, Outlook, and Facebook. Here’s how Microsoft described the feature last year:

“When you share Wi-Fi network access with Facebook friends, Outlook.com contacts, or Skype contacts, they’ll be connected to the password-protected Wi-Fi networks that you choose to share and get Internet access when they’re in range of the networks (if they use Wi-Fi Sense). Likewise, you’ll be connected to Wi-Fi networks that they share for Internet access too. Remember, you don’t get to see Wi-Fi network passwords, and you both get Internet access only. They won’t have access to other computers, devices, or files stored on your home network, and you won’t have access to these things on their network.”

There were security concerns related to Windows 10’s management of passwords and whether or not said passwords could be intercepted on the fly. To our knowledge, no security breaches or problems were associated with Wi-Fi Sense. According to Microsoft, few people actually used the feature and some were actively turning it off. “The cost of updating the code to keep this feature working combined with low usage and low demand made this not worth further investment,” said Gabe Aul, Microsoft’s Windows Insider czar.

Source:
http://www.extremetech.com/computing/228259-new-windows-10-build-kills-controversial-password-sharing-wi-fi-sense

New Security Flaw Found in Lenovo Solution Center Software

May 6, 2016 – 5:21 PM

A new vulnerability has been discovered in Lenovo’s much-maligned Lenovo Solution Center (LSC) software. The vulnerability allows attackers with local network access to a PC to execute arbitrary code, said researchers at Trustwave SpiderLabs.

The flaw allows an attacker to elevate privileges and is tied to the LSC application’s backend. It opens the door for a malicious attacker to start the LSC service and trick it in to executing arbitrary code in the local system context, said Karl Sigler, a SpiderLabs researcher at Trustwave.

LSC comes preloaded on nearly all Lenovo business and consumer desktops and laptop PCs. The software acts as a dashboard monitoring system health and security – from battery life, driver updates and firewall status. Lenovo has issued a fix for the security flaw last week. This is the second time the computer maker has had to patch LSC – the first being December 2015.

“In keeping with industry best practices, Lenovo moved rapidly to ready a fix and on April 26 it updated its security advisory disclosing this additional vulnerability and the availability of a fix that addressed it,” a Lenovo spokesperson told Threatpost.

Source:
https://threatpost.com/new-security-flaw-found-in-lenovo-solution-center-software/117896/

Google makes it mandatory for Chrome Apps to tell Users what Data they collect

April 19, 2016 – 5:09 PM

Around 40 percent of all Google Chrome users have some kind of browser extensions, plugins or add-ons installed, but how safe are they?

The company plans to enforce developers starting this summer, to “ensure transparent use of the data in a way that is consistent with the wishes and expectations of users.”

Google is making its Chrome Web Store safer for its users by forcing developers to disclose how they handle customers’ data.

Google’s new User Data Policy will now force app developers, who use the Chrome Web Store to distribute their products, to be more transparent about their data collection practices.

In other words, the company wants its Chrome users to know what’s happening when they use third-party apps and services that rely on its browser.

Source:
https://thehackernews.com/2016/04/chrome-data-security.html