There are three recent security stories that impact our community. They involve flaws in Dell's System Detect, Firefox 37, and OS X.
We've talked before about the significant security impact that pre-installed software can have on all of us. While the Superfish story was a tale of profit-seeking gone wrong, good intentions can also pave the road to hell.
Dell includes a software package on every PC called Dell System Detect (DSD). This software gives users easy access to driver updates and diagnostic tools. Unfortunately, usability and security are direct tradeoffs.
Rather than ensuring that the URL is coming from dell.com, DSD is instead only confirming that "dell" exists in the string. That means a URL like notreallydell.com would pass.
Dell has released an update that solves this problem. The new version no longer auto-starts with the OS and has an exacting URL input check of "*.dell.com". F-Secure used their customer metrics to reveal that a staggering number of machines have an out-of-date version of this software running. You'll want to assist any friends and family with getting DSD updated to 6.0.14.
Our second story is one about the noble pursuit of security and the reminder that a mistake in its implementation is disastrous.
The revelations of Edward Snowden have caused standards bodies like the Internet Engineering Task Force (IETF) to begin implementing more encryption into our devices and communications. HTTP/2 from the IETF is a wonderful example of the industry changes that will do more for our privacy.
Mozilla eagerly adopted HTTP/2 and implemented it in the release of Firefox 37. One specifically touted feature of HTTP/2 is opportunistic encryption (OE). This form of web encryption still requires configuration on behalf of the web server administrator, but it lowers the costs and burden around the certificates used in HTTPS. That sounds great on the surface, but as with our Dell story above, any time we ease usability, there will be tradeoffs.
With OE, any webserver administrator can now provide encrypted communications to end users with a self-signed certificate, and all it costs is the time to implement the feature. More encryption is always a good thing. However, OE uses a self-signed certificate. Such certificates lack the usual authentication mechanisms to protect us from threats like phishing websites pretending to be our bank. So HTTPS is still a better choice than OE and still the only choice for important sites like banks, but OE is arguably better than no encryption at all for content that doesn't need stringent security.
Of course, I wouldn't be telling this story if things hadn't gone wrong. Shortly after the release of Firefox 37, a flaw was found in the browser's HTTP alternative services implementation. The flaw would have allowed malicious sites to make it appear that users were on a full HTTPS connection, not the weaker OE, without generating any of the certificate authentication errors we rely on to recognize an attack. Mozilla responded quickly by releasing 37.0.1, which disabled the broken alternative services. Unfortunately for us, in disabling alternative services, Mozilla also killed off OE, which relies on alternative services to function.
There's no doubt Mozilla will get OE back into our hands at a future point, but in the meantime, make sure you update to 37.0.1.
Our final story brings us to Cupertino, where Apple released its 10.10.3 update for Yosemite. This release included a bombshell of a disclosure: a clever developer by the name of Emil Kvarnhammar had uncovered a backdoor in OS X that would allow any process to obtain root privileges.
Flaws that allow for escalation of privileges, becoming root or admin of a box, appear in every operating system, but they often require a tailored attack that crashes the victim process in a buffer overflow. This attack stands out in stark contrast; the code simply asks for and receives root privileges.
Privilege escalation flaws are sometimes downplayed as only opening the user to a local attack. However, a determined attacker could decide to chain remote exploits in order to take advantage of a flaw like this one.
Mr. Kvarnhammar suspects that the security hole resulted from efforts to ensure that legitimate tools such as the 'System Preferences' app and systemsetup had sufficient rights. The flaw has existed in OS X as far back as 2011 and OS 10.7 (Lion). That's what brings us to the more troubling part of our tale. Apple has not announced any plans to fix versions of OS X other than 10.10 (Yosemite).