China Posted November 1, 2021

‘Trojan Source’ Bug Threatens the Security of All Code

Virtually all compilers — programs that transform human-readable source code into computer-executable machine code — are vulnerable to an insidious attack in which an adversary can introduce targeted vulnerabilities into any software without being detected, new research released today warns. The vulnerability disclosure was coordinated with multiple organizations, some of whom are now releasing updates to address the security weakness.

Researchers with the University of Cambridge discovered a bug that affects most computer code compilers and many software development environments. At issue is a component of the digital text encoding standard Unicode, which allows computers to exchange information regardless of the language used. Unicode currently defines more than 143,000 characters across 154 different language scripts (in addition to many non-script character sets, such as emojis).

Specifically, the weakness involves Unicode’s bi-directional or “Bidi” algorithm, which handles displaying text that includes mixed scripts with different display orders, such as Arabic — which is read right to left — and English (left to right). But computer systems need to have a deterministic way of resolving conflicting directionality in text. Enter the “Bidi override,” which can be used to make left-to-right text read right-to-left, and vice versa.

“In some scenarios, the default ordering set by the Bidi Algorithm may not be sufficient,” the Cambridge researchers wrote. “For these cases, Bidi override control characters enable switching the display ordering of groups of characters.”

Bidi overrides enable even single-script characters to be displayed in an order different from their logical encoding. As the researchers point out, this fact has previously been exploited to disguise the file extensions of malware disseminated via email.

Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,” said Ross Anderson, a professor of computer security at Cambridge and co-author of the research. “That’s bad news for projects like Linux and Webkit that accept contributions from random people, subject them to manual review, then incorporate them into critical code. This vulnerability is, as far as I know, the first one to affect almost everything.”

Click on the link for the full article
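The article explains that compilers ignore Bidi control characters inside comments and string literals, so the practical defence is to refuse or flag any source file that contains them. The scanner below is an added example written for this thread, not code from the Cambridge researchers or the article; the sample source text it scans is constructed here.

```python
"""Scan source text for Unicode Bidi control characters (the "Trojan Source"
issue described above). Added example, not the researchers' code; the
SAMPLE source below is constructed."""
import unicodedata

# Explicit directional formatting characters of the Unicode Bidi algorithm:
# embeddings, overrides, isolates and the terminators that close them.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
OPENERS = {"LRE", "RLE", "LRO", "RLO", "LRI", "RLI", "FSI"}
CLOSERS = {"PDF", "PDI"}


def scan_bidi(source: str) -> list[dict]:
    """One finding per Bidi control character: 1-based line and column,
    short name and full Unicode name. It scans raw text, so comments and
    string literals (where compilers ignore these characters) are covered."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append({
                    "line": lineno, "col": col,
                    "abbr": BIDI_CONTROLS[ch],
                    "name": unicodedata.name(ch),
                })
    return findings


def unterminated_lines(source: str) -> list[int]:
    """Lines that open an embedding/override/isolate and never close it on
    the same line: everything after the opener is displayed reordered, which
    is the case a code reviewer most needs flagged."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        depth = 0
        for ch in line:
            abbr = BIDI_CONTROLS.get(ch)
            if abbr in OPENERS:
                depth += 1
            elif abbr in CLOSERS and depth > 0:
                depth -= 1
        if depth > 0:
            bad.append(lineno)
    return bad


# Constructed sample: line 2 hides an unclosed RLO in a comment, line 3 has a
# properly paired isolate inside a string literal, line 1 is clean.
SAMPLE = (
    'def check(level):\n'
    '    # \u202ereviewed\n'
    '    s = "\u2066x\u2069"\n'
)
```

Running it over a whole tree before merge (or as a pre-commit hook) gives the same kind of warning that GitHub and several compilers added after the disclosure.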
Corcaigh Posted December 1, 2021 (edited)

Looking to buy a new laptop for personal use. No interest in gaming performance. Will do some photo editing. Can use an external drive if the photos/videos take up too much over time. Not a big fan of touch screens. When docked I’ll have a couple of screens attached so think 15” is a decent size when mobile. Is the Dell XPS 15 a decent choice for a Windows user?
EmirOfShmo Posted December 1, 2021

1 hour ago, Corcaigh said: Looking to buy a new laptop for personal use. No interest in gaming performance. Will do some photo editing. Can use an external drive if the photos/videos take up too much over time. Not a big fan of touch screens. When docked I’ll have a couple of screens attached so think 15” is a decent size when mobile. Is the Dell XPS 15 a decent choice for a Windows user?

Similar requirements to yours. I've had a Dell Inspiron 5566 since 2017 for home use. Screen went bad about 1 year ago but I replaced it myself (part was ~$100). I've had multiple Inspiron laptops over the years with different companies & have always had good luck with them.
zCommander Posted December 1, 2021

1 hour ago, Corcaigh said: Looking to buy a new laptop for personal use. No interest in gaming performance. Will do some photo editing. Can use an external drive if the photos/videos take up too much over time. Not a big fan of touch screens. When docked I’ll have a couple of screens attached so think 15” is a decent size when mobile. Is the Dell XPS 15 a decent choice for a Windows user?

Take a look at this: You want an Intel i5 or i7 with SSD. If you go with a 1 TB SSD then it is $80 more to double the storage. It is always good idea to backup your stuff to an external in case the computer SSD goes south.

New Inspiron 15 Laptop (4.2 out of 5 stars, 1,499 reviews)
Estimated Value $1,018.99, Dell Price $849.99, You Save $169.00 (17%), Free Shipping
11th Generation Intel® Core™ i7-11390H Processor
Windows 11 Home
Intel® Iris® Xe Graphics with shared graphics memory
16GB, 2x8GB, DDR4, 3200MHz
512GB M.2 PCIe NVMe Solid State Drive
15.6-in. display
Corcaigh Posted December 1, 2021 (edited)

You think XPS is overkill? Willing to pay more for lighter or better build quality as it will get a lot of use? And maybe stick with the 512MB drive and put the difference into a 4 or 5TB external drive.
Corcaigh Posted December 2, 2021

Went with the XPS over the Inspiron mostly because the XPS just felt so nice compared to the Inspiron ‘tin box’.
zCommander Posted December 2, 2021 (edited)

9 hours ago, Corcaigh said: You think XPS is overkill? Willing to pay more for lighter or better build quality as it will get a lot of use? And maybe stick with the 512MB drive and put the difference into a 4 or 5TB external drive.

For what you were going to do I thought the XPS was overkill. Looks like you liked how it is built. They are nice machines indeed. As an IT guy I always get Latitude and do stuff like Photoshop and video rendering as well.
skinsmarydu Posted December 13, 2021

Nuttiest question ever, I'm sure... Does anyone still use Firefox and is anyone else having trouble with it crashing all day today?
zCommander Posted December 13, 2021

4 minutes ago, skinsmarydu said: Nuttiest question ever, I'm sure... Does anyone still use Firefox and is anyone else having trouble with it crashing all day today?

Yes. And nope. Do you have the latest version? If not then just go to firefox.com and download or reinstall.
tshile Posted December 13, 2021

If you’re trying to keep up with log4j here’s an ongoing list of affected apps/vendors: https://github.com/authomize/log4j-log4shell-affected

If you’re managing a VMware setup then RIP your Christmas break. I get to sit on the sidelines for this one (so far at least.)

Also if you’re running VMware I’ve got random reports of their workarounds bricking the host. So. Proceed with caution.
tshile Posted December 13, 2021

Sounds like the VMware lockup/brick issues are related to having FIPS enabled.
gbear Posted December 13, 2021

Is the Lenovo IdeaPad a decent laptop? I don't know enough to know if this is a good buy, but it seems to have everything on my check list. https://www.costco.com/lenovo-ideapad-5i-15.6"-touchscreen-laptop---11th-gen-intel-core-i7-1165g7---geforce-mx450---1080p---windows-11.product.100794677.html

I am looking for a laptop that will primarily be the one my wife uses. She tends to open up a dozen windows with various office programs running in background complaining all the while about any lag in performance. I would like to have the option to play some games on it (if I ever have time and energy at night), and I will end up watching all the Redskins games after they are played as my weekly workout routine allows. My son will likely do some video editing on it along with mixing some music. All in all, I thought this one looked like it could handle those needs. Does anyone have advice on this or other models?
tshile Posted December 13, 2021 (edited)

I decided a long time ago Lenovo is junk and will never buy another. Thought they’d be good after buying the Idea/Think line from IBM but they weren’t.

My advice is to stick to HP/Dell business line products. Better warranty. Better hardware combination that’s certified (consumer lines use whatever is available at a price point to target a segment of the market.) Driver/firmware updates past a year (consumer doesn’t have that.) And a better support experience if you need it (they’re broken apart and business support is way better to work with.)

A business line laptop with at least 16 GB memory running on an i5 should last you 5 years easy.
Renegade7 Posted December 15, 2021

Dell > HP

This log4j thing is no joke, I'm getting pulled from same day scheduled meetings into unscheduled group calls left and right.
tshile Posted December 15, 2021

Yeah man. And now you have to worry about configuration for every product because the patch doesn’t 100% cover it. It’s better to be a person responsible for the meetings and the deployment and being the person with the answers, instead of being the dev reworking/QA/pushing fixes to your products in production; even if you’ve got a test environment you’re not doing normal testing.

I'm just losing time tracking it all. Feels like every other hour I’m down a wormhole of “ugh this used it too?” Then make ticket including devs.

It’s been two ****ty weeks.

Also super glad my VMware footprint is super small 😂
tshile Posted December 15, 2021

Hahahahabaha. Literally just found another one.

Merry Christmas everyone. Gonna be a ****ty few weeks until this gets resolved. Reminds me of PrintNightmare.
Renegade7 Posted December 15, 2021 (edited)

Bruh, the backup software on our production servers is vulnerable to it, beyond ironic from a security standpoint. Same time it's like herding cats dealing with different application teams and getting them to talk to each other. Some are wanting 2.15, some are saying 2.16, some are making manual changes. Confirming the scope of impact is hard enough, yes, what to do about it and the timeline for it is even harder.

This sucks worse than SolarWinds, imo, because in that case it was far easier to identify the servers that had the limited list of impacted software. It seems like the list of impacted software is growing as more and more folks confirm it, it's f'n whack-a-mole now.
tshile Posted December 15, 2021 (edited)

Yeah that link I posted about an aggregated list - like three hours later two things I knew had it weren’t on the list so I quit looking at it.

Was just discussing it with the wife and she asked how I’m figuring it out. 🤷♂️ If what you’re looking at does logging, and it’s not built on .NET, then it probably used it…

Thankfully my dev exposure is just warning and in some cases deploying the fix. But otherwise I’m just a third party in the meeting silently going “so glad this has nothing to do with me…” in the form of a jingle.

My issue is getting key people to correctly understand the risk. People's risk assessments are just dumb. It seems like they’re either Chicken Little, or don’t care at all to the point of it being difficult to get any buy in.

No, just because the system uses it, doesn’t mean this is a critical emergency that requires everyone to drop what they’re doing to placate your current line of questions (which are just different versions of previously asked questions). Or yes, because your system is public-facing this is a ****ing emergency and you need to make some decisions.

People are a trip.

Honestly though @Renegade7 embrace it dude. This is the best part of the job. The problem isn’t yours; it’s someone else’s but you get a front row seat to the **** show. This is my favorite part of the job. Enjoy it.
tshile Posted December 15, 2021 (edited)

15 minutes ago, Renegade7 said: Bruh, the backup software on our production servers is vulnerable to it, beyond ironic from a security standpoint.

Out of curiosity, Veeam?
Renegade7 Posted December 15, 2021 (edited)

20 minutes ago, tshile said: Out of curiosity, Veeam?

Lol, PM sent.

Ya know, my wife says I take my job too seriously. I don't know, maybe she's right, but context is everything. Our group is inside a software development shop, SolarWinds made it clear that software development shops can and will be targeted in the future. I work for the federal government, so the obvious concern is that state actors will start coming after us with this zero day (if they haven't already, not in the SOC anymore).

Have to be careful what I say here, but yes, our group is asking how responsible for this are we in context that we don't have the power or permissions to implement the fixes ourselves. It's obvious that someone needs to coordinate zero day efforts concerning scope and confirming timelines are made for addressing it, and I'm fine with the security team doing that, if anyone should know those two things, it's us.

There's already hints of a lessons learned meeting coming after this is over, first thing is get those same people you had in the "where the hell are we now" meeting together on day one of a zero day of this level of impact and recurring if necessary for progress made if something like SharePoint/Teams isn't enough. I only say this not as a complaint but as wisdom to other shops going through something similar.
tshile Posted December 16, 2021

15 minutes ago, Renegade7 said: Ya know, my wife says I take my job too seriously. I don't know, maybe she's right, but context is everything.

You need to learn to enjoy the parts where you’re just managing the situation. You’ll be in enough where the spotlight's on you, don’t make it worse for yourself when it isn’t. Just make sure you’re not the one ****ing up, stay on top of your responsibilities. And let others worry about theirs.

But, and regarding the rest, we may just be in different spots. You’re in a security team. So, this is probably the only thing you’re doing right now. I'm a consultant/SME/whatever you need me to be. My role is different. Other than tracking and installing patches when available, not much for me to do. We did risk assessment day 1. Nothing was so critical it had to be shut down. Everything could have public access shut down until remedy is known. Just lucky like that in this case.
tshile Posted December 17, 2021

https://github.com/cisagov/log4j-affected-db @Renegade7
tshile Posted December 17, 2021

I know for a fact GitHub Enterprise and PaperCut are affected, but are not on that list.