April 8, 2019

Microsoft lets Windows users off the update leash

By Danny Bradbury

Windows users, you know those mandatory OS updates that sometimes break your computer and leave you steaming at the ears? Microsoft is making some big changes that will finally give you more control over them.

The company is changing the way that Windows Update downloads and installs releases, enabling users to delay them.

In older versions of Windows, users could choose which updates they wanted to install. Home editions of Windows 10 bucked that trend with a single ‘check for updates’ button that downloaded and installed everything. Not clicking the box wouldn’t save you from forced updates; the OS would eventually go and get them anyway.

Professional editions were at least able to delay updates using a ‘defer upgrades’ option. This allowed business users to wait until sacrificial guinea pigs using the home edition had been burned first.

This mandatory approach to updates caused some notable problems for users. Microsoft offers a mixture of updates for Windows 10. Monthly updates include security patches that keep Windows safer. Then, there are feature updates that serve as a larger upgrade to the system. There are two of those each year.

The last feature update was in October, and it broke so many PCs that Microsoft had to pause its rollout. Clearly a bit sore over the whole affair, it is shaking up the way that it handles updates.

In a blog post announcing the change, corporate VP of Windows Mike Fortin acknowledged that the mandatory update process isn’t every user’s cup of tea:

Read more at https://nakedsecurity.sophos.com/2019/04/08/microsoft-lets-windows-users-off-update-leash/

Firefox draws battle lines against push notification spam

By John E Dunn

Mozilla doesn’t yet know how to solve the problem of website push notification spam in the Firefox browser, but it wants you to know it’s working on it.

If you’re a sentient web user, the push notification phenomenon needs little explanation: visit a site and it almost immediately throws up a prompt that asks you whether you’re happy to “allow notifications.”

Unlike other annoying website pop-ups, push permissions are powerful because they can activate even when users are not on that website.

In extreme examples, they’re deployed by scam sites as a way of pushing fake extensions and rogue sites, unleashing today’s equivalent of the endless adware pop-ups that used to swarm browsers.

Push notifications have become so ubiquitous that Mozilla’s own telemetry suggests they are now by some distance the most frequently shown permission request, generating 18 million of them in the month to 25 January for a sample set of its users.

Only 3% of users accepted the prompts, while one in five caused visitors to leave the site immediately. This is at odds with other permission requests, as Mozilla’s Johann Hofmann explains:

This is in stark contrast to the camera/microphone prompt, which has an acceptance rate of about 85%!

It’s a bombardment that, at best, delays users and at worst drives them away from sites.

Read more at https://nakedsecurity.sophos.com/2019/04/08/firefox-draws-battle-lines-against-push-notification-spam/

Myspace songs come back from the dead

By Lisa Vaas

Somebody stuck their arm into the back of their backup cupboard, rummaged around, and dragged out a small (but perhaps important to someone) fraction of the 50 million Myspace songs that the social platform admitted to losing in a server migration.

The Internet Archive has published those retrieved tunes and put them up in a catalog of 490,000 mp3 files.

The source of the collection, it said, is an “anonymous academic study,” conducted between 2008 and 2010, that was analyzing music networks while Myspace was still active. During the research, those participating in the study downloaded 1.3 terabytes of music from the service. When the news of Myspace’s mega-fumble came to light, the researchers contacted the Internet Archive and offered to send over the files.

The rediscovered songs represent no more than 1% of the songs/videos that Myspace lost.

You can play the dusted-off music through an online interface that’s been designed to look like Myspace’s original player. Searching and playing is a bit unwieldy, but the Internet Archive says that the database’s search and playing mechanism, “Hobbit,” is still being optimized and will eventually be open-sourced.

Read more at https://nakedsecurity.sophos.com/2019/04/08/myspace-songs-come-back-from-the-dead/

Serious Security: GPS week rollover and the other sort of “zero day”

By Paul Ducklin

I bet you’ve heard of GPS, short for Global Positioning System.

It’s owned and operated by the US government but it’s available for free to anyone in the world – and, boy, is it widely used.

GPS is a fantastic feat of science and engineering that is anything but simple in implementation, but that is fairly simply explained.

A number of orbiting satellites (31 are active at the moment) continuously broadcast both their position in space and the current time.

Radio receivers on earth listen out for these broadcasts, and as long as they can “hear” the signals from three different satellites at the same time, and have their own reliable way of measuring the time, they can solve a system of mathematical equations to compute their own position.

The calculations rely on the fact that the time it takes for the signal to travel from the satellite to the receiver determines its distance, and with three distances you can lock in your position uniquely in three dimensions.

The time from satellite to receiver pinpoints the distance reliably because radio waves travel at a constant speed, and distance = speed × time.

Radio waves, known collectively as EMR, short for electromagnetic radiation, travel at what’s commonly called the speed of light, because light is just a special type of radio wave in the right frequency range to set off the detectors in the human retina. This speed is denoted by c, as in the famous equation E = mc², and is defined in the GPS standard as 299,792,458 meters per second.

Fascinatingly, GPS positional calculations need to take Einstein’s theories of relativity into account.
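The “system of mathematical equations” the article mentions can be made concrete. The following is an added example, not code from the article or from any GPS receiver: it constructs three satellite positions and a known receiver position, derives each signal’s time of flight as distance ÷ c (the constructed broadcast data), and then recovers the receiver position from only the satellite positions and travel times, using distance = speed × time for each satellite and a Gauss-Newton iteration to solve the three range equations. It assumes the receiver has an exact clock (so three satellites suffice, as the article states) and deliberately ignores the relativistic corrections the article says real receivers must apply. The orbit radius and Earth radius are rough round figures chosen for the illustration. A second function shows why the receiver’s own timekeeping matters: a common clock error of one microsecond across all three measurements moves the computed fix by hundreds of metres.

```python
"""Toy GPS trilateration (added example, not from the article).

Each satellite broadcast gives one equation  |p - s_i| = c * t_i  in the unknown
receiver position p.  Three satellites give three equations in three unknowns.
The system is nonlinear, so we linearise around a current estimate and iterate.
Assumptions: exact receiver clock, no relativistic corrections, constructed data.
"""
import math

C = 299_792_458.0            # speed of light in m/s, as defined in the GPS standard
EARTH_RADIUS = 6_371_000.0   # rough mean Earth radius in metres (assumption)
ORBIT_RADIUS = 26_571_000.0  # rough GPS orbit radius from Earth's centre (assumption)


def distance(a, b):
    """Euclidean distance between two 3-D points."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def solve3(m, rhs):
    """Solve the 3x3 linear system m . x = rhs by Gaussian elimination with partial pivoting."""
    a = [row[:] + [r] for row, r in zip(m, rhs)]  # augmented matrix
    n = 3
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        if abs(a[col][col]) < 1e-12:
            raise ValueError("degenerate geometry: satellites do not give a unique fix")
        for r in range(col + 1, n):
            f = a[r][col] / a[col][col]
            for k in range(col, n + 1):
                a[r][k] -= f * a[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):  # back-substitution
        x[r] = (a[r][n] - sum(a[r][k] * x[k] for k in range(r + 1, n))) / a[r][r]
    return x


def trilaterate(broadcasts, guess=(0.0, 0.0, 0.0), iterations=20):
    """Recover the receiver position from three (satellite_position, travel_time) pairs.

    Gauss-Newton: at the current estimate p, the range to satellite s changes with p
    along the unit vector (p - s)/|p - s|; the residual is the measured range c*t minus
    the predicted range |p - s|.  Solving J . delta = residuals gives the correction.
    The default starting guess is the centre of the Earth.
    """
    if len(broadcasts) != 3:
        raise ValueError("this toy solver expects exactly three satellites")
    p = list(guess)
    for _ in range(iterations):
        jac, resid = [], []
        for sat, t in broadcasts:
            d = distance(p, sat)
            jac.append([(p[k] - sat[k]) / d for k in range(3)])
            resid.append(C * t - d)          # distance = speed x time, minus prediction
        delta = solve3(jac, resid)
        p = [p[k] + delta[k] for k in range(3)]
        if max(abs(v) for v in delta) < 1e-6:  # converged to sub-micrometre precision
            break
    return tuple(p)


def make_broadcasts(receiver, satellites, clock_bias=0.0):
    """Constructed sample data: time of flight = distance / c, plus any receiver clock error."""
    return [(s, distance(receiver, s) / C + clock_bias) for s in satellites]


# Constructed scenario: receiver on the surface on the x axis, three satellites spread
# across its sky (one overhead, two tilted 40 degrees away in different directions).
RECEIVER = (EARTH_RADIUS, 0.0, 0.0)
_tilt = math.radians(40.0)
SATELLITES = [
    (ORBIT_RADIUS, 0.0, 0.0),
    (ORBIT_RADIUS * math.cos(_tilt), ORBIT_RADIUS * math.sin(_tilt), 0.0),
    (ORBIT_RADIUS * math.cos(_tilt), 0.0, ORBIT_RADIUS * math.sin(_tilt)),
]


def position_error_with_clock_bias(bias_seconds):
    """Metres between the true receiver position and the fix computed when the
    receiver's clock is wrong by bias_seconds (the same error on all three ranges)."""
    fix = trilaterate(make_broadcasts(RECEIVER, SATELLITES, clock_bias=bias_seconds))
    return distance(fix, RECEIVER)


if __name__ == "__main__":
    fix = trilaterate(make_broadcasts(RECEIVER, SATELLITES))
    print("true receiver position:", RECEIVER)
    print("trilaterated position: ", tuple(round(v, 3) for v in fix))
    print("fix error with a 1 microsecond clock error: %.1f m"
          % position_error_with_clock_bias(1e-6))
```

The clock-bias function is the practical point: a timing error of one microsecond is a range error of about 300 m on every measurement (c × 10⁻⁶ s), and the geometry then turns those three range errors into a position error of a few hundred metres. That is why real receivers track a fourth satellite to solve for their own clock offset as well as position.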

Read more at https://nakedsecurity.sophos.com/2019/04/05/serious-security-gps-week-rollover-and-the-other-sort-of-zero-day/

Patch now! Magento e-commerce sites targeted by SQLi attacks

By John E Dunn

Cybercriminals are reportedly exploiting a critical flaw in the Magento e-commerce platform only days after it was made public by the researchers who discovered it.

Scoring a 9.0 on CVSS, the bug doesn’t yet have a CVE number to identify it, but Magento refers to it in its patching list as PRODSECBUG-2198 (the number being the important bit).

It’s an SQL injection flaw which can be exploited with no authentication or privileges, which is why, for admins tending sites using Magento, it’s a “stop what you’re doing and patch this now” situation.

That’s not difficult as the Adobe-owned Magento patched this among several dozen other security flaws as part of a security update published last week. The affected versions are:

  • Version 1 before 2.1.17
  • Version 2.2 before 2.8
  • Version 2.3 before 3.1
  • Magento Open Source before 9.4.1
  • Magento Commerce before 14.4.1

The patch for 2198 can be installed on its own but, ideally, sites should install the whole update. From Magento’s announcement:

To protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.

Among a total of 37 flaws covering Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), there’s also a serious (CVSS 9.8) Remote Code Execution (RCE) flaw, identified as PRODSECBUG-2192, deserving careful attention.

Read more at https://nakedsecurity.sophos.com/2019/04/05/patch-now-magento-e-commerce-sites-targeted-by-sqli-attacks/

Hoax! Nope, hackers aren’t posting invisible sexual videos on your wall

By Lisa Vaas

Should you “share, share, share” the “urgent warning” that hackers are “posting sexual videos and pictures on your walls” that are completely invisible to you?

No, you should not sharedy-sharedy-SHARE-share-share, because this latest viral Facebook copy-and-paste-me warning is just another social media sneeze, spreading its hoaxy germs in spite of the fact that it’s been around, growing hair and getting debunked multiple times, since 2011.

I caught this variant on Thursday morning.

And here’s a fancied-up one, archived from its Facebook original, which was made by somebody who evidently thinks that yellow type on a red background gives the message an aroma of truthiness:

URGENT WARNING

To all Facebook users!

Friends be careful!

This is serious!

Hackers are posting sexual videos and pictures on your walls! You don’t see them, but your friends do, then it seems as if you posted it. If you see any such garbage posted under my name, please let me know because

“I did not post it!”

Share this to protect yourself and your friends.

That post was picked up by Facebook’s false news bloodhound and reported on by Politifact, one of the fact-checking organizations that’s partnering with the social network to fight fake news.

It declares the latest outbreak of invisible-to-you Facebook porn to be unsupported by credible evidence, and says the warnings are vague and unsourced.

Read more at https://nakedsecurity.sophos.com/2019/04/05/hoax-nope-hackers-arent-posting-invisible-sexual-videos-on-your-wall/

ACS

Advanced Computer Services of Central Florida

Centrally located in Winter Haven, we serve residential and business clients in and around Polk County.

9 Camellia Drive
Winter Haven, FL 33880
863-229-4244

Our Promise to You

Plain language, no tech-talk

We will never try to over-sell you a product you don't need.

Advanced Computer Services of Central Florida is your local, hometown computer service and repair company that can do more than just fix your PC. We offer highly skilled professionals who can be counted on to give you sound advice on upgrades, software and hardware, commercial & residential networks, hardwire or secure wireless.

No trip charges within Polk County

No after-hours or weekend fees

$45.00/hr Residential

$65.00/hr Commercial - free system evaluation