#AxisOfEasy 218: New Compiler Bug Impacts Literally Everything

Weekly Axis Of Easy #218

Last Week’s Quote was “It is dangerous to be right when the government is wrong.” It was Voltaire, and Mike Beasley got the answer.

This Week’s Quote: “I tremble for my country when I reflect that God is just.” … by???

THE RULES: No searching up the answer. It must be posted to the blog; the place to post the answer is at the bottom of the post, in the comments section.

The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.

In this issue:

  • New compiler bug impacts literally everything
  • The book burnings shall resume until moral purity prevails
  • Facebook changes its company name to Meta
  • MacOS rootkits can be installed by hackers using a Shrootless bug 
  • Facebook will spend more than $10 billion on its Metaverse division this year  
  • Cloud service providers are a new target for SolarWinds attacker

Elsewhere online:

  • Priti Patel is pressed
  • Disney to release its Golden Moments
  • Senators from the US back mandatory standard
  • California has again subpoenaed Signal users
  • Recent AbstractEmu malware

New compiler bug impacts literally everything

Researchers at Cambridge University, in coordination with numerous organizations, have released the details of a software bug that affects nearly all compilers.

Software compilers are what convert text-based code into machine-executable instructions. The problem is in a Unicode encoding standard that uses an algorithm called “Bidi,” which deals with the display order of text in different languages (e.g., left-to-right in English vs. right-to-left in Arabic). That algorithm includes the capacity for a “Bidi Override,” which forces a reversal in the direction of the text.

“Here’s the problem: Most programming languages let you put these Bidi overrides in comments and strings. This is bad because most programming languages allow comments within which all text — including control characters — is ignored by compilers and interpreters. Also, it’s bad because most programming languages allow string literals that may contain arbitrary characters, including control characters.

“So you can use them in source code that appears innocuous to a human reviewer [that] can actually do something nasty,”

The entire software industry is now scrambling to fix their compilers. There is a lengthy Hacker News thread on it here.

Read: https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/
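
As an added illustration (not part of the original newsletter or the researchers' own code), the Python below shows how a code review or CI step could flag the Bidi control characters described above wherever they appear in source text, and whether an override is left open to the end of its line. The function name `scan_source` and the sample input are constructed for this example.

```python
import sys
import unicodedata
from pathlib import Path

# Opening bidi controls mapped to the character that terminates them.
CLOSER_FOR = {
    "\u202a": "\u202c", "\u202b": "\u202c",  # LRE, RLE -> PDF
    "\u202d": "\u202c", "\u202e": "\u202c",  # LRO, RLO -> PDF
    "\u2066": "\u2069", "\u2067": "\u2069", "\u2068": "\u2069",  # LRI, RLI, FSI -> PDI
}
BIDI_CONTROLS = set(CLOSER_FOR) | set(CLOSER_FOR.values())

def scan_source(text):
    """Return one finding (a dict) per bidi control character found in `text`."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        open_idx = []  # indexes into findings of openers not yet closed
        for col, ch in enumerate(line, start=1):
            if ch not in BIDI_CONTROLS:
                continue
            if ch in CLOSER_FOR:
                open_idx.append(len(findings))
            elif open_idx and CLOSER_FOR[findings[open_idx[-1]]["char"]] == ch:
                open_idx.pop()
            findings.append({"line": line_no, "col": col, "char": ch,
                             "codepoint": f"U+{ord(ch):04X}",
                             "name": unicodedata.name(ch, "UNKNOWN"),
                             "unterminated": False})
        # An opener with no matching closer stays in effect to the end of the line.
        for i in open_idx:
            findings[i]["unterminated"] = True
    return findings

# Constructed sample: escapes keep the control characters visible to a reviewer.
SAMPLE = (
    "def check(user):\n"
    "    # note \u202e reversed text\n"   # override in a comment, never closed
    "    label = 'a\u2066b\u2069c'\n"     # balanced isolate inside a string
    "    return user == 'admin'\n"
)

if __name__ == "__main__":
    # Scan files named on the command line, or the sample if none are given.
    paths = sys.argv[1:]
    sources = {p: Path(p).read_text(encoding="utf-8") for p in paths} or {"<sample>": SAMPLE}
    hits = [(p, f) for p, text in sources.items() for f in scan_source(text)]
    for p, f in hits:
        flag = " (unterminated)" if f["unterminated"] else ""
        print(f"{p}:{f['line']}:{f['col']}: {f['codepoint']} {f['name']}{flag}")
    sys.exit(1 if hits else 0)
```

The non-zero exit status on any finding lets the script act as a pre-commit or CI gate; legitimate right-to-left text in strings would need an explicit allowlist.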

The book burnings shall resume until moral purity prevails

Was saddened and chagrined to come across an article from my hometown paper (Cambridge, ON) describing how the Waterloo District School Board is removing books from school libraries as part of a multi-year effort to remove literature deemed “harmful to staff and students.”

Titles removed (SO FAR) include Harper Lee’s To Kill A Mockingbird and Margaret Atwood’s The Handmaid’s Tale.

Read: https://www.cambridgetoday.ca/local-news/books-deemed-harmful-to-staff-and-students-are-being-removed-from-regions-public-school-libraries-4551859

Meanwhile, also right here in Canada, it was recently disclosed that the Conseil scolaire catholique Providence, the French-language school board for Ontario, launched a program in 2019 to:

‘replace library books “that had outdated content and carried negative stereotypes about First Nations, Métis and Inuit people.”
…More than 4,700 children’s books from 30 schools across CSC Providence were targeted.

The list included old encyclopedias, biographies of French explorers Jacques Cartier and Étienne Brûlé, and even French and Belgian comics including Tintin, Asterix and Obelix, and Lucky Luke.

All were destroyed in a “flame purification” ceremony. A video for students explained the ritual: “We bury the ashes of racism, discrimination and stereotypes in the hope that we will grow up in an inclusive country where all can live in prosperity and security.”’

Read: https://www.wsj.com/articles/book-burning-censorship-cancel-culture-canada-conseil-scolaire-catholique-ontario-kies-11633543158

Facebook changes its company name to Meta

Following the publication of hundreds of internal documents by a whistleblower, Facebook is changing its name as it shifts its focus to the “metaverse.”

The company’s founder, Mark Zuckerberg, announced Thursday that it would change its corporate name to Meta, saying it would devolve its namesake service to a subsidiary, alongside Instagram and WhatsApp, rather than an overarching brand.

As previously announced, Facebook will also begin trading under its new stock ticker “MVRS” on December 1.

The rebranding could be an attempt to improve Facebook’s reputation following public relations nightmares that have included misinformation on its platform, shoddy content moderation, and revelations related to the adverse health effects of its products.

Zuckerberg announced the name change at the company’s virtual reality and augmented reality conference, Facebook Connect. The name shift aligns with efforts to combine virtual and augmented reality technologies into a new online realm referred to as the metaverse.

Read: https://edition.cnn.com/2021/10/28/tech/facebook-mark-zuckerberg-keynote-announcements/index.html

MacOS rootkits can be installed by hackers using a Shrootless bug

Microsoft discovered a new macOS vulnerability that attackers could exploit to circumvent System Integrity Protection and perform arbitrary operations, elevate privileges to root, and install rootkits on vulnerable systems.

Researchers from Microsoft 365 Defender Research Team reported the vulnerability to Apple via Microsoft Security Vulnerability Research (MSVR) under the name “Shrootless” (currently tracked as CVE-2021-30892).

Jonathan Bar-Or, a principal security researcher at Microsoft, explained that they “found that the vulnerability lies in how Apple-signed packages with post-install scripts are installed. A malicious actor could create a specially crafted file that would hijack the installation process.”

Microsoft also discovered a new variant of macOS WizardUpdate malware (also known as UpdateAgent or Vigram), updated to take advantage of new evasion and persistence techniques.

In addition to spreading second-stage malware payloads, this trojan also drops Adload, a malware strain active since late 2017 known for slipping through the built-in Apple antivirus XProtect.

Read: https://www.bleepingcomputer.com/news/security/microsoft-shrootless-bug-lets-hackers-install-macos-rootkits/

Facebook will spend more than $10 billion on its Metaverse division this year 

Facebook announced last week that it would be hiring 10,000 workers in the European Union for “the metaverse,” a futuristic concept for interacting online that uses virtual reality and augmented reality. As reported by The Verge, Facebook is planning to spend at least $10 billion on Facebook Reality Labs this year, the company’s multimedia division that creates AR and VR hardware, software, and content.

In Facebook’s view, AR and VR are essential to “the next generation of online social experiences.” The division, which already produces the Oculus Quest headset and Portal series of calling devices, is positioned as the next big thing inside Facebook.

The move could also be intended to distract people from everything else happening in Facebook’s earnings today. In the first quarter, Facebook missed revenue expectations by roughly $1 billion (which isn’t much at Facebook’s scale), reflecting the company’s difficult circumstances.

Read: https://tech.slashdot.org/story/21/10/26/023208/facebook-is-spending-at-least-10-billion-this-year-on-its-metaverse-division

Cloud service providers are a new target for SolarWinds attacker

During a large-scale and ongoing campaign targeting cloud service providers and IT services organizations, Nobelium, the threat actor behind the SolarWinds attack, infiltrates systems belonging to these companies’ downstream customers.

According to Microsoft, Nobelium has attacked at least 140 cloud service providers and compromised 14 since May.

As a result of this latest Nobelium campaign, attackers have increasingly focused on targets that will allow them to compromise multiple organizations at once, rather than having to break into each one individually. Among such targets are cloud service providers, managed service providers, software vendors, and other trusted parties in the technology supply chain, many of whom have privileged access to networks that belong to their customers.

Read: https://www.darkreading.com/attacks-breaches/solarwinds-attacker-targets-cloud-service-providers-in-new-supply-chain-threat

Elsewhere online:

Priti Patel is pressed to explain the award of spy agency contract to Amazon
Read: https://www.theguardian.com/uk-news/2021/oct/26/amazon-web-services-aws-contract-data-mi5-mi6-gchq

Disney to release its Golden Moments NFT Collectibles via the digital collectibles app Veve
Read: https://news.bitcoin.com/disney-to-drop-golden-moments-nft-collectible-series-via-digital-collectibles-app-veve/

Senators from the US back mandatory standards for transport and logistics cybersecurity
Read: https://portswigger.net/daily-swig/inaction-isnt-an-option-us-lawmakers-back-mandatory-standards-for-transport-and-logistics-cybersecurity

The Central District of California has again subpoenaed Signal users for data
Read: https://signal.org/bigbrother/cd-california-grand-jury/

Recent AbstractEmu malware is rooting Android devices and evading detection
Read: https://www.bleepingcomputer.com/news/security/new-abstractemu-malware-roots-android-devices-evades-detection/?&web_view=true

3 thoughts on “#AxisOfEasy 218: New Compiler Bug Impacts Literally Everything”

  1. Former US president Thomas Jefferson in reference to the mistreatment of Indigenous, Indian, and so-called African Americans.

    Looks like someone else just beat me to it.
