Back in March Microsoft issued its second-generation patch intended to close a privilege escalation vulnerability used to spread the Stuxnet malware, closing a portion of the vulnerability that remained after the original patch in 2010. In a bulletin today Microsoft announced yet another iteration of the patch (archived) to close this bug, as the March patch still left sufficient attack surface for the vulnerability to continue being exploited. Microsoft also released a tool for logging attempts to exploit this vulnerability, as well as a warning that installing any new language packs after applying this patch will negate any protective effects the patch is purported to have. Windows versions including the new "Windows 10" are affected by this continuing vulnerability.
Implant ID Chips in Citizens Suggests Finnish Politician
Pasi Mäenranta of the True Finns Party has suggested Finland begin implanting identification chips in citizens (archived) when they leave the country in order to prevent Finns from "abusing" the social welfare benefits offered by their Nordic system when they move to a more affordable foreign location. According to Pasi Mäenranta, because "the people" happily let Google and Facebook track them with smartphones, there's no way this could be considered an invasion of privacy by citizens. Should a system like this be implemented in Finland, it remains to be seen whether emigration from Finland through avenues more traditionally associated with far poorer countries would increase, but such an outcome could be reasonably expected.
Copay Multisig Vulnerability Reported
Coinspect has reported the existence of a bug in the Copay multi-signature Bitcoin wallet produced by BitPay. In affected versions of Copay, the compromise of a single party was enough to empty the shared wallet: the attacker could submit a transaction type which would exploit the protocol used by Copay wallets to automatically sign transactions. Coinspect alleges that after reporting the flaw to BitPay on July 20th the flaw was fixed in Copay version 0.4.1 for this particular exploit scenario. Given the nature of this exploit, Qntra advises users considering Copay or any multisignature scheme which involves any protocol for automatically engaging additional signers to use extreme caution, recommending potential users default to avoiding the shitware involved entirely on first principles. If you trust keys to software that could automatically sign a transaction, it could be tricked just as readily into signing a confession.
Zynga Continues Bleeding
A recent filing (archived) with the United States Securities and Exchange Commission shows that the once-hyped Facebook-centric "game" maker Zynga is continuing to bleed both users and money. Zynga has lost more than 73 million United States dollars since the beginning of 2015. From 2012 through the close of 2014 Zynga lost roughly 472 million United States dollars. Average monthly users of Zynga's products were reported to have fallen from 121 million in 2014's second quarter to 83 million in the second quarter of this year, a decline of 32 percent. In spite of Zynga's hemorrhaging wallet and shrinking userbase, shares still manage to trade on Nasdaq (archived) at $2.64 per share, implying a market cap of $2,072,302,357 on an earnings per share of negative 19 cents.
Mining Difficulty Advances For The Third Consecutive Time
The Bitcoin mining difficulty has reached a new all-time high of 52,699,842,409. This represents an increase of 0.81% over July 25th's difficulty of 52,278,304,846. Today's change also marks the second time this year that the mining difficulty has increased for the third consecutive time, last occurring during the February 9th, February 22nd and March 8th adjustments. One must look back to 2014 to find more than four consecutive increases, at which time double-digit adjustments were common, something which is yet to occur in 2015.
Fiat Chrysler Taken to Court Over Security Vulnerability
The Post-Dispatch reports that a couple from Pacific, Missouri and a Belleville, Illinois man have filed suit against Fiat Chrysler (archived) over security vulnerabilities in their vehicular entertainment system which can adversely affect the safety of motor vehicles with the system installed. The suit was filed in the US District Court in East St Louis on Tuesday and it includes Harman International Industries, the maker of the entertainment system, as a co-defendant. The plaintiffs are aggrieved that the impact of the security vulnerability has diminished the value of their vehicles and further means they overpaid for the initial purchase. If the plaintiffs win this case it may open up most current computer manufacturers to claims for diminishing the value of computing products purchased by customers by including Microsoft Windows and other irredeemably flawed components.
Tokyo Court Affirms Ancient Bitcoin Wisdom: Coins Gifted to Scammers are No Longer Yours
This week a Tokyo Court dismissed a lawsuit brought by a Kyoto resident who lost 458 Bitcoins in the Mt Gox scam. The Kyoto resident represented himself in court on a complaint he brought against Mt Gox's receiver as Mt Gox is in bankruptcy. The court in dismissing the suit determined Bitcoin is not subject to ownership claims due to its intangible nature and the third parties involved in the sort of claim the Kyoto resident wished to make. The alarm on Mt Gox's inevitable collapse had been sounded well in advance of popular recognition of Mt Gox's failure.
Brief Offers Insight into USG Theory of Internet Security
The most recent Audit of the Federal Bureau of Investigation’s Implementation of Its Next Generation Cyber Initiative by the Office of the Inspector General of the U.S. Department of Justice, dated July 2015, (archived) features several thought-provoking insights into the inner workings of the USG and the headwinds faced by the bureaucratic beast. In no particular order:
1. The protection of the United States against "cyber-based attacks" and "high-technology crimes" is ranked as the third-highest priority behind counterterrorism and counterintelligence.
US DoD May Surrender Substantial IPv4 Address Territory
There are reports coming in that the United States Department of Defense has surrendered or is in the process of surrendering the full IPv4 11/8 address block. If this surrender bears out it would mean 16,777,216 IPv4 addresses would be made available for use by people.
OS X Flaw in the Wild Abuses Error Logging Function to Edit sudoers
Malwarebytes reports (archived) that a vulnerability in Apple's latest version of OS X, which was reported to exist last month on Stefan Esser's blog (archived), is now being used by malware in the wild. The flaw came into being through a new feature introduced into the OS X dynamic linker dyld. The new feature allows the linker to log error output to any file on the system without the safety or sanity checks implemented in even "hobbyist" developed Unix systems. Malwarebytes only noticed the flaw being actively exploited because a particular piece of adware under examination had edited the sudoers file on a testing environment. The severity of the flaw, though, is such that when triggered it can edit any file on the affected machine, including executable system files. Esser originally reported this flaw on July 7th, 2015 and Apple has yet to release a patch. On the other hand, Esser has published a source code patch of his own which lessens this flaw, though it is hard to determine how this patch will interact with possible future updates from Apple.
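Since the edit to sudoers was only noticed by chance, a routine integrity check on that file is worth having. The following is an added example, not code from Malwarebytes, Esser or Apple: it compares a sudoers file against a known-good SHA-256 and flags rules that remove the password prompt. The sample file contents, the user name `alice` and the assumption that tampering takes the form of a `NOPASSWD` rule are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: a stock-looking sudoers file and a tampered copy
# (assumption: the unwanted edit appends a passwordless rule).
BASELINE = """\
# sudoers file (constructed sample)
Defaults env_reset
root ALL=(ALL) ALL
%admin ALL=(ALL) ALL
"""
TAMPERED = BASELINE + "alice ALL=(ALL) \\\n    NOPASSWD: ALL\n"


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def logical_lines(text):
    """Join backslash continuations, skip blanks and comment lines.

    '#include' / '#includedir' are directives, not comments, so keep them.
    """
    joined = re.sub(r"\\\r?\n\s*", " ", text)
    for raw in joined.splitlines():
        line = " ".join(raw.split())  # normalise internal whitespace
        if not line:
            continue
        if line.startswith("#") and not line.startswith("#include"):
            continue
        yield line


def audit_sudoers(text, baseline_sha256):
    """Return a list of (kind, detail) findings; an empty list means clean."""
    findings = []
    digest = sha256_hex(text)
    if digest != baseline_sha256:
        findings.append(("changed", digest))
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            # 'Defaults !authenticate' disables the password prompt globally.
            if re.search(r"!\s*authenticate\b", line):
                findings.append(("no-auth-default", line))
        elif re.search(r"\bNOPASSWD\s*:", line):
            findings.append(("passwordless", line))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_sudoers(TAMPERED, sha256_hex(BASELINE)):
        print(kind, "->", detail)
```

On a real machine the text would be read from `/etc/sudoers` (and any included files) with root privileges, and the baseline digest kept somewhere the audited host cannot write to.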