Categories
Mobile Syrup

November security patch fixes Pixel lock screen bypass bug

Google’s November 2022 security patch dropped for Pixel phones a few days ago, and, if you haven’t already updated your Pixel phone, you should. The update includes a fix for a security flaw that could allow someone to bypass the phone’s lock screen using a SIM card.

David Schütz discovered the issue and detailed it in a blog post and video. While the post is well worth a read if you’re interested in this kind of thing, the short version is that someone with physical access to a Pixel device could bypass lock screen protections, including the fingerprint and PIN, and gain access to the phone.

To do so, all an attacker would need to do is swap the SIM card in the phone. In the video, Schütz shows himself swapping a SIM card into a locked Pixel 6, which then asks for the SIM PIN. After the wrong SIM PIN is entered three times, the Pixel asks for a personal unblocking key (PUK), which is used to reset a SIM PIN if a user forgets it. However, in the case of Pixel phones, after entering the PUK and typing in a new SIM PIN, the phone unlocks.

Put another way, an attacker would only need a SIM card with a SIM PIN and a PUK code that they know to gain access to any Pixel smartphone. The November 2022 security patch, which is now available for the Pixel 4a and newer, fixes the problem.

Frustratingly, Schütz reported the security flaw to Android’s Vulnerability Rewards Program in the middle of 2022, but Google didn’t do anything until September after some in-person prodding. Still, Schütz got a $70,000 USD reward (about $93,703 CAD), which is a good chunk of change for spotting the flaw.

Source: Schütz Via: 9to5Google

Google Chrome patch fixes severe zero-day vulnerability

Google released a new update to its Chrome browser for Windows with a fix for a severe zero-day vulnerability, the fourth such patch for Chrome this year.

The flaw impacts Chrome’s WebRTC (Web Real-Time Communications) component and was first reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1st. Zero-day refers to vulnerabilities that are disclosed but not yet patched, while WebRTC is an open-source project and powers browser-based video call tools.

On July 4th, Google published a security advisory (via Bleeping Computer) noting that it was aware of exploits for the vulnerability that exist in the wild. Chrome version 103.0.5060.114 is rolling out globally to the stable desktop channel — Chrome users should make sure to update right away. Google says it’ll take a matter of days or weeks to hit its entire userbase.

To update, click Chrome’s menu button > Help > About Google Chrome. The browser should alert users if there’s an update available and provide an option to install and restart the browser. Check the version number to confirm you’re updating to the version of Chrome with the patch (version 103.0.5060.114).

It’s worth noting that Chrome auto-checks for new updates and installs them automatically on the next launch.

Bleeping Computer notes that Google didn’t share technical details about the vulnerability, despite it being a zero-day. Google’s security advisory notes that the company may restrict access to bug details “until a majority of users are updated with a fix.” Likely, Google will release the technical details once users have had time to install the update.

Moreover, Bleeping Computer notes that Chrome has previously patched three zero-day vulnerabilities this year in April, March, and February.

Source: Google Via: Bleeping Computer

Apple hasn’t patched two zero-day vulnerabilities in macOS Big Sur, Catalina

Apple still hasn’t rolled out patches for two zero-day exploits found in macOS to devices running Big Sur and Catalina.

As reported by 9to5Mac, Apple previously released patches for the exploits in macOS Monterey version 12.3.1. However, similar patches were not made available for the older macOS versions, even though Apple still supports them.

One of the exploits allowed malicious apps to execute arbitrary code with kernel privileges, while the other was an exploit found in the Intel Graphics drivers, which could lead to the disclosure of kernel memory.

Apple typically releases security patches for the current version of macOS and the last two versions of the operating system. Largely, that’s because some users can’t upgrade right away due to software compatibility. People with older Macs may not be able to upgrade to newer versions of macOS if the hardware isn’t supported.

By supporting older versions of macOS with security updates, Apple effectively protects users who can’t upgrade to the newest version of macOS right away. However, the company’s failure to push out a patch for these active zero-day exploits is concerning.

Hopefully, those updates come soon, although Intego notes Apple hasn’t given any indication it will provide those updates.

Source: 9to5Mac, Intego

Intel found a flaw in AMD’s Spectre mitigation, AMD issues fix

Intel’s security team found a flaw in AMD’s old ‘LFENCE/JMP’ patch to mitigate Spectre vulnerabilities across several generations of Ryzen and Threadripper CPUs.

In response, AMD issued a security bulletin recommending the use of alternate mitigation options. The update also had additional information for software developers.

Spectre is a type of security flaw that affects almost all modern Intel and AMD processors. It can potentially allow attackers to access sensitive data without detection. Worse, last week researchers found that Intel and Arm processors are susceptible to a new kind of ‘Spectre v2’ attack.

Intel uncovered the issue with LFENCE/JMP while investigating the new vulnerability. AMD implemented LFENCE/JMP in 2018 to mitigate Spectre, but Intel’s researchers found it doesn’t adequately protect against the threat.

As per AMD’s security bulletin, the weakness in LFENCE/JMP spans the following chips:

  • Gen 1, 2, and 3 AMD Epyc processors
  • AMD Ryzen 2000, 3000, and 5000 series desktop processors
  • AMD Ryzen 4000 and 5000 series desktop processors with Radeon graphics
  • 2nd and 3rd Gen Ryzen Threadripper
  • AMD Ryzen Threadripper Pro
  • AMD Athlon 3000 series mobile processors with Radeon graphics
  • AMD Ryzen 2000 and 3000 series mobile processors
  • 2nd Gen AMD Ryzen mobile processor with Radeon graphics
  • AMD Ryzen 3000, 4000, and 5000 series with Radeon graphics
  • AMD Athlon, Athlon 3000, and Ryzen 3000 mobile processors with Radeon graphics for Chromebook

The researchers who found the flaw performed the exploit on Linux, but so far there haven’t been examples of the exploit being used on platforms like Windows.

Finally, The Verge points out that patches for Spectre-related vulnerabilities have been known to cause performance issues, especially on older hardware. However, benchmarking platform Phoronix tested the impact of initial patches for Intel and AMD chips in 2019 and found AMD CPUs were less affected than Intel.

Source: Tom’s Hardware, AMD Via: The Verge

Some AMD Ryzen CPUs seeing up to 15% performance hit on Windows 11

Windows users with AMD Ryzen chips may want to hold off on updating to Windows 11 for the time being. Microsoft and AMD have uncovered at least two problems that reduce performance on Ryzen chips.

According to AMD support (via The Verge), Microsoft’s fancy new operating system can cause performance drops up to 15 percent in some cases.

The first of the two issues is that Windows 11 can cause L3 cache latency to triple. According to AMD, that could cause a three to five percent degradation in performance in most applications. Games (AMD specifically mentions “games commonly used for eSports”) can see a 10-15 percent performance hit.

The second issue is with AMD’s ‘preferred core’ tech, which shifts threads to the fastest core on a processor. AMD says that users may see performance issues with tasks that are heavily reliant on the CPU, especially if they have a processor with more than eight cores and above 65W TDP.

AMD and Microsoft are looking into the issues, with AMD noting on its support page that a Windows update is “in development” and should arrive later this month. For now, however, AMD users may want to hold off on the Windows 11 update.

Source: AMD Via: The Verge