Google pulls “Critical” alarm on Chrome CVE-2022-0971

Details are still sketchy on CVE-2022-0971 reported yesterday by the Google Chrome team, while they very clearly gave it a critical rating (topping a list of eight more vulnerabilities ranked as high) .

Critical CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21

A low complexity remotely exploitable bug, it’s coming in with a predicted CVSS base score of 9.8 or 10 out of 10 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The current fixed Chrome version is 99.0.4844.74

Google’s Blink code has generated a lot of bugs over time. Another “use-after-free” in the “layout implementation in Blink” was reported by them almost a decade ago in CVE-2013-6658

Multiple use-after-free vulnerabilities in the layout implementation in Blink, as used in Google Chrome before 33.0.1750.117, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving (1) running JavaScript code during execution of the updateWidgetPositions function or (2) making a call into a plugin during execution of the updateWidgetPositions function.

Google Maps COVID-19 Highlights Explosion in Idaho

A search on Google Maps for COVID-19 cases highlights the northern “panhandle” area of Idaho, which stands out from the rest of the nation.

175 cases in Benewah County (population 9,285) is incredibly high. Why?

The 120 cases in Kootenai County (population 171,362) are a huge clue. Everything around Kootenai is showing spread, completely counter to the downward move everywhere else.

It looks fairly clear to me that the city of Coeur d’Alene failed in their basic duty to protect health, becoming an intentional infection center.

‘I would not vote to mandate masks’ says Coeur d’Alene mayor

Rates were at nearly half the population infected in early 2022.

Kootenai County’s positivity rate dropped to 4.3% based on 1,220 PCR tests for the week ending March 5. It reached a high of 40% just six weeks ago.

Google is pulling data from the NYT, and there’s evidence cases may be even higher than what was being reported by Idaho officials.

The Coeur d’Alene Wastewater plant conducted a test of the city’s sewage, and the results suggested as many as 490 people could be infected with COVID-19.[…] Officially, the Panhandle Health District reports that only 87 people have COVID-19 in Kootenai County.

Meta hit with €17m fine for “failure to protect people’s information”

Remember 2015 when an incoming CISO infamously announced he was quitting Yahoo? In retrospect we know he was failing to disclose their breaches, trying to sneak out the back door yet avoid charges of misconduct.

His abrupt departure, after just one year in his first ever attempt to be a CISO, was announced very loudly as an intention to lead Facebook instead, because he said it was the best in the world at protecting people’s information (and soon after promising privacy where there would be none).

In fact his track record delivered the exact opposite, and regulators are not pleased.

Not only did Facebook flounder under this CISO’s outspoken and high-profile yet vapid command — leading to the largest breaches in history — it pushed back at regulators and then failed even to rise above a basic test of “key data protection principles“.

The decision follows an inquiry by the Data Protection Commissioner (DPC) into a series of 12 data breach notifications received by DPC the between June and December 2018,

The regulator found that Meta Platforms Ireland infringed Article 5(2), and 24(1) of the GDPR data protection law, which require organisations to put measures in place to meet key data protection principles.

The DPC found that Meta “failed to have in place appropriate technical and organisational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data”.

In other words, more and more people agree that CISO should probably go to jail.

Today the government is announcing that executives whose companies fail to cooperate with Ofcom’s information requests could now face prosecution or jail time.

Apple macOS 12.3 Quietly Kills 3rd Party “Online Only” Applications

As much as people like to talk up Apple as a privacy advocate, it’s rarely a bright line with an either/or position.

Buried in a macOS 12.3 release (with general availability two days ago) was an important change to the data flow of user files.

Deprecations.

The kernel extensions used by the Dropbox desktop app and Microsoft OneDrive are no longer available. Both service providers have replacements for this functionality currently in beta. (85890896)

That means macOS 12.3 no longer allows opening any files stored in the cloud through third-party applications; users must instead download all files with Apple’s macOS Finder before opening them with any other applications.

That basically kills the entire access model of a product like Dropbox “Smart Sync“, which is built on the premise someone can avoid downloading files to a local system, managing permissions entirely through an app instead.

Stop worrying about hard drive limits. Sync only what you need, and access all your files seamlessly from your desktop or mobile.

There are privacy implications here, as well as control issues, and it will be interesting to see whether Apple can justify the changes within a context of privacy.

On a related note, macOS 12.3 security content also discloses a huge number of major flaws such as “bypass login” and “execute arbitrary code with kernel privileges” and “malicious application may be able to gain root”.

Lots of good reasons to not download files to a local system, let alone give the OS any more access than necessary.