Read Time:7 Second
Over half of CISA’s known exploited vulnerabilities disclosed since February 2024 have not yet been analyzed by NIST’s National Vulnerability Database
Daily Archives: May 23, 2024
chromium-125.0.6422.76-1.el8
Read Time:49 Second
FEDORA-EPEL-2024-1a95b76e46
Packages in this update:
chromium-125.0.6422.76-1.el8
Update description:
update to 125.0.6422.76
High CVE-2024-5157: Use after free in Scheduling
High CVE-2024-5158: Type Confusion in V8
High CVE-2024-5159: Heap buffer overflow in ANGLE
High CVE-2024-5160: Heap buffer overflow in Dawn
update to 125.0.6422.60
High CVE-2024-4947: Type Confusion in V8
High CVE-2024-4948: Use after free in Dawn
Medium CVE-2024-4949: Use after free in V8
Low CVE-2024-4950: Inappropriate implementation in Downloads
update to 124.0.6367.201
* High CVE-2024-4671: Use after free in Visuals
update to 124.0.6367.155
High CVE-2024-4558: Use after free in ANGLE
High CVE-2024-4559: Heap buffer overflow in WebAudio
update to 124.0.6367.118
High CVE-2024-4331: Use after free in Picture In Picture
High CVE-2024-4368: Use after free in Dawn
chromium-125.0.6422.76-1.el7
Read Time:30 Second
FEDORA-EPEL-2024-46d6266ef3
Packages in this update:
chromium-125.0.6422.76-1.el7
Update description:
update to 125.0.6422.76
High CVE-2024-5157: Use after free in Scheduling
High CVE-2024-5158: Type Confusion in V8
High CVE-2024-5159: Heap buffer overflow in ANGLE
High CVE-2024-5160: Heap buffer overflow in Dawn
update to 125.0.6422.60
High CVE-2024-4947: Type Confusion in V8
High CVE-2024-4948: Use after free in Dawn
Medium CVE-2024-4949: Use after free in V8
Low CVE-2024-4950: Inappropriate implementation in Downloads
chromium-125.0.6422.76-1.el9
Read Time:1 Minute, 50 Second
FEDORA-EPEL-2024-3184c14a07
Packages in this update:
chromium-125.0.6422.76-1.el9
Update description:
update to 125.0.6422.76
High CVE-2024-5157: Use after free in Scheduling
High CVE-2024-5158: Type Confusion in V8
High CVE-2024-5159: Heap buffer overflow in ANGLE
High CVE-2024-5160: Heap buffer overflow in Dawn
update to 125.0.6422.60
High CVE-2024-4947: Type Confusion in V8
High CVE-2024-4948: Use after free in Dawn
Medium CVE-2024-4949: Use after free in V8
Low CVE-2024-4950: Inappropriate implementation in Downloads
update to 124.0.6367.201
* High CVE-2024-4671: Use after free in Visuals
update to 124.0.6367.155
High CVE-2024-4558: Use after free in ANGLE
High CVE-2024-4559: Heap buffer overflow in WebAudio
update to 124.0.6367.118
* High CVE-2024-4331: Use after free in Picture In Picture
* High CVE-2024-4368: Use after free in Dawn
update to 124.0.6367.91
update to 124.0.6367.78
* Critical CVE-2024-4058: Type Confusion in ANGLE
* High CVE-2024-4059: Out of bounds read in V8 API
* High CVE-2024-4060: Use after free in Dawn
update to 124.0.6367.60
High CVE-2024-3832: Object corruption in V8
High CVE-2024-3833: Object corruption in WebAssembly
High CVE-2024-3914: Use after free in V8
High CVE-2024-3834: Use after free in Downloads
Medium CVE-2024-3837: Use after free in QUIC
Medium CVE-2024-3838: Inappropriate implementation in Autofill
Medium CVE-2024-3839: Out of bounds read in Fonts
Medium CVE-2024-3840: Insufficient policy enforcement in Site Isolation
Medium CVE-2024-3841: Insufficient data validation in Browser Switcher
Medium CVE-2024-3843: Insufficient data validation in Downloads
Low CVE-2024-3844: Inappropriate implementation in Extensions
Low CVE-2024-3845: Inappropriate implementation in Network
Low CVE-2024-3846: Inappropriate implementation in Prompts
Low CVE-2024-3847: Insufficient policy enforcement in WebUI
update to 123.0.6312.122
High CVE-2024-3157: Out of bounds write in Compositing
High CVE-2024-3516: Heap buffer overflow in ANGLE
High CVE-2024-3515: Use after free in Dawn
USN-6777-4: Linux kernel (HWE) vulnerabilities
Read Time:48 Second
Zheng Wang discovered that the Broadcom FullMAC WLAN driver in the Linux
kernel contained a race condition during device removal, leading to a use-
after-free vulnerability. A physically proximate attacker could possibly
use this to cause a denial of service (system crash). (CVE-2023-47233)
Several security issues were discovered in the Linux kernel.
An attacker could possibly use these to compromise the system.
This update corrects flaws in the following subsystems:
– Block layer subsystem;
– Userspace I/O drivers;
– Ceph distributed file system;
– Ext4 file system;
– JFS file system;
– NILFS2 file system;
– Bluetooth subsystem;
– Networking core;
– IPv4 networking;
– IPv6 networking;
– Logical Link layer;
– MAC80211 subsystem;
– Netlink;
– NFC subsystem;
– Tomoyo security module;
(CVE-2023-52524, CVE-2023-52530, CVE-2023-52601, CVE-2023-52439,
CVE-2024-26635, CVE-2023-52602, CVE-2024-26614, CVE-2024-26704,
CVE-2023-52604, CVE-2023-52566, CVE-2021-46981, CVE-2024-26622,
CVE-2024-26735, CVE-2024-26805, CVE-2024-26801, CVE-2023-52583)
python3.6-3.6.15-28.fc39
Read Time:8 Second
FEDORA-2024-18b9c9b9cf
Packages in this update:
python3.6-3.6.15-28.fc39
Update description:
Security fix for CVE-2024-0450 and CVE-2023-6597
National Records of Scotland Data Breached in NHS Cyber-Attack
Read Time:8 Second
National Records of Scotland said sensitive personal data it holds was part of information stolen and published online by ransomware attackers from NHS Dumfries and Galloway
Personal AI Assistants and Privacy
Read Time:2 Minute, 15 Second
Microsoft is trying to create a personal digital assistant:
At a Build conference event on Monday, Microsoft revealed a new AI-powered feature called “Recall” for Copilot+ PCs that will allow Windows 11 users to search and retrieve their past activities on their PC. To make it work, Recall records everything users do on their PC, including activities in apps, communications in live meetings, and websites visited for research. Despite encryption and local storage, the new feature raises privacy concerns for certain Windows users.
I wrote about this AI trust problem last year:
One of the promises of generative AI is a personal digital assistant. Acting as your advocate with others, and as a butler with you. This requires an intimacy greater than your search engine, email provider, cloud storage system, or phone. You’re going to want it with you 24/7, constantly training on everything you do. You will want it to know everything about you, so it can most effectively work on your behalf.
And it will help you in many ways. It will notice your moods and know what to suggest. It will anticipate your needs and work to satisfy them. It will be your therapist, life coach, and relationship counselor.
You will default to thinking of it as a friend. You will speak to it in natural language, and it will respond in kind. If it is a robot, it will look humanoid—or at least like an animal. It will interact with the whole of your existence, just like another person would.
[…]
And you will want to trust it. It will use your mannerisms and cultural references. It will have a convincing voice, a confident tone, and an authoritative manner. Its personality will be optimized to exactly what you like and respond to.
It will act trustworthy, but it will not be trustworthy. We won’t know how they are trained. We won’t know their secret instructions. We won’t know their biases, either accidental or deliberate.
We do know that they are built at enormous expense, mostly in secret, by profit-maximizing corporations for their own benefit.
[…]
All of this is a long-winded way of saying that we need trustworthy AI. AI whose behavior, limitations, and training are understood. AI whose biases are understood, and corrected for. AI whose goals are understood. That won’t secretly betray your trust to someone else.
The market will not provide this on its own. Corporations are profit maximizers, at the expense of society. And the incentives of surveillance capitalism are just too much to resist.
We are going to need some sort of public AI to counterbalance all of these corporate AIs.
USN-6736-2: klibc vulnerabilities
Read Time:39 Second
USN-6736-1 fixed vulnerabilities in klibc. This update provides the
corresponding updates for Ubuntu 24.04 LTS.
Original advisory details:
It was discovered that zlib, vendored in klibc, incorrectly handled pointer
arithmetic. An attacker could use this issue to cause klibc to crash or to
possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841)
Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain deflating operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2018-25032)
Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled
memory when performing certain inflate operations. An attacker could use
this issue to cause klibc to crash or to possibly execute arbitrary code.
(CVE-2022-37434)
USN-6663-3: OpenSSL update
Read Time:17 Second
USN-6663-1 provided a security update for OpenSSL.
This update provides the corresponding update for
Ubuntu 24.04 LTS.
Original advisory details:
As a security improvement, OpenSSL will now
return deterministic random bytes instead of an error
when detecting wrong padding in PKCS#1 v1.5 RSA
to prevent its use in possible Bleichenbacher timing attacks.