February 27, 2019

Nvidia patches eight security flaws in graphics products

By John E Dunn

Chip maker Nvidia has released its first security update for 2019 (ID 4772), fixing eight CVE flaws in its Windows and Linux graphics display drivers. Users are advised to patch as soon as possible.

The company scores the flaws using the Common Vulnerability Scoring System (CVSS) v3. Five are rated 8.8, which falls in the ‘high’ band (7.0 to 8.9) rather than ‘critical’ (9.0 and above).

That’s because none of them can be exploited remotely: all require local access, for example by first running malware on the target system.

Depending on the flaw, a successful exploit could lead to denial of service, code execution, information disclosure or, potentially worst of all, escalation of privileges, which six of the eight make possible.

Affected products include the hugely popular GeForce, Quadro, and NVS, as well as the specialist Tesla graphics cards.

The full list in bulletin 4772 is: CVE-2019-5665, CVE-2019-5666, CVE-2019-5667, CVE-2019-5668, CVE-2019-5669, CVE-2019-5670, CVE-2019-5671, and CVE-2018-6260.

Read more at https://nakedsecurity.sophos.com/2019/02/27/nvidia-patches-eight-security-flaws-in-graphics-products/

Researchers break e-signatures in 22 common PDF viewers

By Danny Bradbury

If you spend much time using computers as an adult, the chances are that you’ve had to electronically sign a document at some point. Many countries accept electronic signatures as legally binding, including the US, Canada, and the UK, where the Law Commission officially concluded that electronic signatures are valid in August 2018.

In some ways, electronic signatures are arguably better than handwritten ones: because a digital signature is computed over a cryptographic hash of the document’s content, any later change to that content should invalidate it, which lets future viewers confirm that no one has altered the document.

Many software products support electronic signatures, mostly using the Portable Document Format (PDF) introduced by Adobe in 1993. The PDF file specification has supported digital signatures since 1999, and people have been happily signing documents ever since, but researchers at Ruhr-University Bochum in Germany just gave everyone pause.

The researchers published a paper revealing a flaw that PDF viewers have presumably contained for the last 20 years: they found ways to add new content to a signed document without invalidating its electronic signature.
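To make the signed-range model concrete, here is an added Python example, written for this digest and not code from the Bochum researchers or from any PDF viewer. It builds a toy document with the /ByteRange and /Contents layout that PDF signatures use, stands in an HMAC for the real CMS signature, and shows that bytes appended after the signed ranges, which is how a PDF incremental update works, leave the signature intact; a verifier therefore also has to check that the signed ranges cover the entire file. The page does not say which mechanism the researchers used, so this illustrates the structure rather than their specific attacks; the document bytes and the key are constructed.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a signing key. A real PDF signature is a CMS/PKCS#7
# signature over the same byte ranges; an HMAC is used here only so the example
# runs offline with no certificates.
SIGNING_KEY = b"example-key-not-real"
SIG_HEX_LEN = 64  # hex length of a 32-byte HMAC-SHA256, which fills the /Contents gap

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signed_ranges(pdf: bytes):
    """Return the two (offset, length) pairs declared by the first /ByteRange."""
    m = BYTE_RANGE_RE.search(pdf)
    if not m:
        raise ValueError("no /ByteRange found")
    a, b, c, d = (int(x) for x in m.groups())
    return ((a, b), (c, d))


def digest_over_ranges(pdf: bytes, ranges) -> bytes:
    """Hash only the bytes the signature claims to cover, in order."""
    h = hashlib.sha256()
    for offset, length in ranges:
        h.update(pdf[offset:offset + length])
    return h.digest()


def sign_ranges(pdf: bytes, ranges) -> bytes:
    return hmac.new(SIGNING_KEY, digest_over_ranges(pdf, ranges), hashlib.sha256).hexdigest().encode()


def make_signed_pdf(body: bytes) -> bytes:
    """Append a signature dictionary whose /ByteRange covers everything except the /Contents hex."""
    # Fixed-width offsets so the signed layout is known before the numbers are filled in.
    placeholder = body + b"\n/ByteRange [0000000000 0000000000 0000000000 0000000000]\n/Contents <"
    b = len(placeholder)          # first range [0, b) ends where the signature hex starts
    c = b + SIG_HEX_LEN           # second range starts right after the hex
    tail = b">\n%%EOF\n"
    d = len(tail)
    header = body + b"\n/ByteRange [%010d %010d %010d %010d]\n/Contents <" % (0, b, c, d)
    ranges = ((0, b), (c, d))
    unsigned = header + b"0" * SIG_HEX_LEN + tail
    return header + sign_ranges(unsigned, ranges) + tail


def append_incremental_update(pdf: bytes, extra: bytes) -> bytes:
    """PDF incremental saving: new objects and a new trailer go after the old %%EOF."""
    return pdf + b"\n" + extra + b"\n%%EOF\n"


def verify(pdf: bytes) -> dict:
    """Check the signature AND whether the signed ranges cover the whole file."""
    (a, b), (c, d) = signed_ranges(pdf)
    ranges = ((a, b), (c, d))
    sig_ok = hmac.compare_digest(pdf[b:c], sign_ranges(pdf, ranges))
    # The only unsigned bytes should be the /Contents hex between the two ranges;
    # anything after c + d was added after signing and is not covered at all.
    trailing = len(pdf) - (c + d)
    return {
        "signature_valid": sig_ok,
        "covers_whole_file": a == 0 and c == b + SIG_HEX_LEN and trailing == 0,
        "unsigned_trailing_bytes": max(trailing, 0),
    }


# Constructed document: not a real PDF, just enough structure for the checks above.
ORIGINAL = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Note (Amount: 100 USD) >> endobj"
SIGNED = make_signed_pdf(ORIGINAL)
TAMPERED = append_incremental_update(
    SIGNED, b"1 0 obj << /Type /Catalog /Note (Amount: 999999 USD) >> endobj")

if __name__ == "__main__":
    print("signed  :", verify(SIGNED))
    print("tampered:", verify(TAMPERED))
```

A viewer that reports only `signature_valid` shows the appended version as correctly signed, even though a later object now overrides the signed one; `covers_whole_file` is the extra check that catches it. Editing bytes inside the signed ranges, by contrast, breaks the signature as expected.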

Read more at https://nakedsecurity.sophos.com/2019/02/27/researchers-find-e-signature-flaw-in-pdf-viewers/

Police bust their own radio shop manager for dodgy software updates

By Lisa Vaas

The manager in charge of Winnipeg’s police radios was arrested last Thursday for allegedly using fraudulent licenses to update the encrypted Motorola radios that police use to keep their conversations private, CBC News reports.

According to court documents, an employee tipped authorities off about the alleged actions of Ed Richardson, who was the manager of the radio shop for the City of Winnipeg. The radio shop is in charge of repairing and maintaining radios used by the Winnipeg Police Service and Winnipeg Fire Paramedic Service.

Richardson allegedly got his hands on millions of dollars’ worth of illegal licenses for the radios, which require frequent updates. Each of those software updates should have cost the city $94, but the informant said that Richardson didn’t like paying those fees to Motorola.

From the affidavit:

[The employee] does not believe his actions were for personal gain; he believes that Richardson likes the idea of not giving more money to Motorola.

According to what the employee told police, in 2011, Richardson gave him a device known as an iButton that was preloaded with more than 65,000 refresh keys, and told him…

You don’t want to know where these came from.

The employee said those keys “clearly” didn’t come from Motorola, according to the court document.

Read more at https://nakedsecurity.sophos.com/2019/02/27/police-bust-their-own-radio-shop-manager-for-dodgy-software-updates/

Millions of utilities customers’ passwords stored in plain text

By Lisa Vaas

In September, a security researcher discovered that their power company’s website was offering to email passwords to users who lost or forgot them…

…as in, emailing in unencrypted plain text, with no salting and nary a dab of hash, to whoever might pop in a given user’s email address, instead of offering the far more secure “password reset” option.

The independent security researcher, who chose to remain anonymous, told the story to Ars Technica contributor Jim Salter, who referred to the researcher as “X” in his writeup of what ensued.

Namely, a months-long saga of trying to get the software company behind the website to realize that it was jeopardizing customers’ security and to actually do something about it. That only happened after the company had first refused to answer X and then handed X off to its lawyer, who asked X to stop discussing the matter with anybody else and insisted that the company’s way of handling passwords was just fine.

The company in question is SEDC: an Atlanta firm that offers “Cyber Resilience Initiative Services and Solutions” – a bit of a confusing mouthful that translates into software that handles bill payment, cybersecurity and other services for utilities providers.

After X found SEDC’s copyright in the footer of the utility company’s website, the researcher went off in search of more customer-facing sites designed by SEDC. X found plenty: in fact, the researcher found more than 80 utility company sites that all offered to email plain-text passwords.
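The flaw here is not the email itself but what it implies: a site that can mail you your password must be storing it in a recoverable form. The added Python example below (written for this digest, not SEDC’s code) puts that pattern next to the hardened alternative: salted PBKDF2 hashes that cannot be reversed, and a reset flow that emails a one-time, expiring token of which only a hash is stored. The in-memory user table, the addresses, the reset URL on example.invalid and the `send` mail hook are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 200_000
RESET_TTL_SECONDS = 15 * 60

# Constructed in-memory stores; a real deployment keeps these in a database.
USERS = {}            # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}     # sha256(token) -> (email, expiry timestamp)
PLAINTEXT_USERS = {}  # the kind of table a site must keep to email passwords back


def insecure_forgot_password(email: str) -> str:
    """The pattern the article describes. The email is the symptom; the defect is that
    the password had to be stored reversibly for this to be possible at all."""
    return f"Your password is: {PLAINTEXT_USERS[email]}"


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256. The stored value cannot be turned back into the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(email: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}


def check_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        hash_password(password, b"\x00" * 16)  # same cost for unknown users, so timing does not leak them
        return False
    _, digest = hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["hash"])


def request_reset(email: str, send, now: float = None) -> str:
    """Hardened replacement: mail a one-time link, never the password. The user-facing
    reply is identical whether or not the address exists, so the form cannot be used
    to enumerate customers. `send(to, body)` is a hypothetical mail hook."""
    now = now if now is not None else time.time()
    if email in USERS:
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored: a leaked table must not yield working links.
        RESET_TOKENS[hashlib.sha256(token.encode()).digest()] = (email, now + RESET_TTL_SECONDS)
        send(email, f"Reset your password: https://example.invalid/reset?token={token}")
    return "If an account exists for this address, a reset link has been sent."


def consume_reset(token: str, new_password: str, now: float = None) -> bool:
    """Accept a token once, only before it expires, then replace the salt and hash."""
    now = now if now is not None else time.time()
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).digest(), None)  # pop: single use
    if entry is None:
        return False
    email, expires = entry
    if now > expires:
        return False
    register(email, new_password)
    return True


if __name__ == "__main__":
    PLAINTEXT_USERS["alice@example.invalid"] = "correct horse"
    print(insecure_forgot_password("alice@example.invalid"))   # what the utility sites sent
    register("alice@example.invalid", "correct horse")
    outbox = []
    print(request_reset("alice@example.invalid", lambda to, body: outbox.append(body)))
    print(outbox[0])                                           # what should be sent instead
```

Note what the hardened path gives up: once passwords are stored as salted hashes there is no way to email them back, which is exactly the point. The reset token is generated with `secrets`, expires after fifteen minutes, and is removed on first use, so an intercepted link is worthless after the customer has used it.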

Read more at https://nakedsecurity.sophos.com/2019/02/27/millions-of-utilities-customers-passwords-stored-in-plain-text/


Advanced Computer Services of Central Florida
