Software

BEAST SSL fix in supersized Patch Tuesday

Microsoft's 2012 kick-off features 7 security bulletins

John Leyden Fri 6 Jan 2012 // 16:02 UTC

Microsoft plans to start 2012 with a surprisingly large Patch Tuesday that covers seven security bulletins which collectively address eight separate vulnerabilities. Previous January releases have normally featured only one or two bulletins.

The solitary critical bulletin in the batch fixes a remote code execution issue in Media Player. The remaining six "important" bulletins due next Tuesday handle the BEAST SSL issue and various information disclosure bugs, escalation of privilege issues and an update to Microsoft’s SEHOP (Structured Exception Handler Overwrite Protection) technology to enhance the defence-in-depth capability that it can offers to legacy applications. The "important" rather than critical status for the Beast SSL issue is at least debatable.

The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Microsoft has already published a workaround, which involves using the non-affected RC4 cipher in SSL installations. A patch was originally promised in December but delayed until this month due to problems uncovered during testing.

"Despite all of the hype over 'The Beast', attacks have simply never materialised and the issue has retained its 'important' classification from Microsoft," notes Paul Henry, a security and forensic analyst at Lumension.

Adobe and Oracle have both timetabled quarterly updates, on 10 January and 17 January, respectively in what promises to be a busy month for patching, Qualys adds.

Microsoft's pre-alert is here. ®

Similar topics

Broader topics

Narrower topics

Corrections Send us news

Other stories you might like

Broadcom to 'focus on rapid transition to subscriptions' for VMware

Offers comforting vision for core customers, products, channel – though warns efficiencies are coming

Simon Sharwood, APAC Editor Fri 27 May 2022 // 01:58 UTC

Broadcom has signaled its $61 billion acquisition of VMware will involve a “rapid transition from perpetual licenses to subscriptions.”
That's according to Tom Krause, president of the Broadcom Software Group, on Thursday's Broadcom earnings call. He was asked how the semiconductor giant plans to deliver on its guidance that VMware will add approximately $8.5 billion of pro forma EBITDA to Broadcom within three years of the deal closing – significant growth given VMware currently produces about $4.7 billion. And subscriptions was the answer.
Krause also repeatedly said Broadcom intends to invest in VMware’s key product portfolio and is pleased to be acquiring a sales organization and channel relationships that give it reach Broadcom does not currently enjoy.

Continue reading
How to reprogram Apple AirTags, play custom sounds

Voltage glitch here, glitch there, now you can fiddle with location disc's firmware

Thomas Claburn in San Francisco Fri 27 May 2022 // 00:52 UTC

At the Workshop on Offensive Technologies 2022 (WOOT) on Thursday, security researchers demonstrated how to meddle with AirTags, Apple's coin-sized tracking devices.
Thomas Roth (Leveldown Security), Fabian Freyer (Independent), Matthias Hollick (TU Darmstadt, SEEMOO), and Jiska Classen (TU Darmstadt, SEEMOO) describe their exploration of Apple's tracking tech in a paper [PDF] titled, "AirTag of the Clones: Shenanigans with Liberated Item Finders."
The boffins discuss tools they've developed and released to advance the exploration of AirTag hardware and firmware, made possible by existing imperfections.

Continue reading
Ransomware encrypts files, demands three good deeds to restore data

Shut up and take ... poor kids to KFC?

Jessica Lyons Hardcastle Thu 26 May 2022 // 23:20 UTC

In what is either a creepy, weird spin on Robin Hood or something from a Black Mirror episode, we're told a ransomware gang is encrypting data and then forcing each victim to perform three good deeds before they can download a decryption tool.
The so-called GoodWill ransomware group, first identified by CloudSEK's threat intel team, doesn't appear to be motivated by money. Instead, it is claimed, they require victims to do things such as donate blankets to homeless people, or take needy kids to Pizza Hut, and then document these activities on social media in photos or videos.
"As the threat group's name suggests, the operators are allegedly interested in promoting social justice rather than conventional financial reasons," according to a CloudSEK analysis of the gang.

Continue reading

Microsoft Azure to spin up AMD MI200 GPU clusters for 'large scale' AI training

Windows giant carries a PyTorch for chip designer and its rival Nvidia

Tobias Mann Thu 26 May 2022 // 22:46 UTC

Microsoft Build Microsoft Azure on Thursday revealed it will use AMD's top-tier MI200 Instinct GPUs to perform “large-scale” AI training in the cloud.
“Azure will be the first public cloud to deploy clusters of AMD's flagship MI200 GPUs for large-scale AI training,” Microsoft CTO Kevin Scott said during the company’s Build conference this week. “We've already started testing these clusters using some of our own AI workloads with great performance.”
AMD launched its MI200-series GPUs at its Accelerated Datacenter event last fall. The GPUs are based on AMD’s CDNA2 architecture and pack 58 billion transistors and up to 128GB of high-bandwidth memory into a dual-die package.

Continue reading
New York City rips out last city-owned public payphones

Y'know, those large cellphones fixed in place that you share with everyone and have to put coins in. Y'know, those metal disks representing...

Thomas Claburn in San Francisco Thu 26 May 2022 // 21:54 UTC

New York City this week ripped out its last municipally-owned payphones from Times Square to make room for Wi-Fi kiosks from city infrastructure project LinkNYC.
"NYC's last free-standing payphones were removed today; they'll be replaced with a Link, boosting accessibility and connectivity across the city," LinkNYC said via Twitter.
Manhattan Borough President Mark Levine said, "Truly the end of an era but also, hopefully, the start of a new one with more equity in technology access!"

Continue reading
Cheers ransomware hits VMware ESXi systems

Now we can say extortionware has jumped the shark

Jeff Burt Thu 26 May 2022 // 21:10 UTC

Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.
ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.
"ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

Continue reading

Twitter founder Dorsey beats hasty retweet from the board

As shareholders sue the social network amid Elon Musk's takeover scramble

Brandon Vigliarolo Thu 26 May 2022 // 20:18 UTC

Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.
Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair.
In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today.

Continue reading
Snowflake stock drops as some top customers cut usage

You might say its valuation is melting away

Lindsay Clark Thu 26 May 2022 // 19:16 UTC

IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.
For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.
Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

Continue reading
Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay

Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

Brandon Vigliarolo Thu 26 May 2022 // 17:17 UTC

Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.
While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.
Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021.

Continue reading
Confirmed: Broadcom, VMware agree to $61b merger

Unless anyone out there can make a better offer. Oh, Elon?

Dan Robinson Thu 26 May 2022 // 16:20 UTC

Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.
Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.
Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

Continue reading
Perl Steering Council lays out a backwards compatible future for Perl 7

Sensibly written code only, please. Plus: what all those 'heated discussions' were about

Richard Speed Thu 26 May 2022 // 15:06 UTC

The much-anticipated Perl 7 continues to twinkle in the distance although the final release of 5.36.0 is "just around the corner", according to the Perl Steering Council.
Well into its fourth decade, the fortunes of Perl have ebbed and flowed over the years. Things came to a head last year, with the departure of former "pumpking" Sawyer X, following what he described as community "hostility."
Part of the issue stemmed from the planned version 7 release, a key element of which, according to a post by the steering council "was to significantly reduce the boilerplate needed at the top of your code, by enabling a lot of widely used modules / pragmas."

Continue reading

ABOUT US

MORE CONTENT

SITUATION PUBLISHING

The Register - Independent news and views for the tech community. Part of Situation Publishing

SIGN UP TO OUR DAILY NEWSLETTER

Security Scorecard

Biting the hand that feeds IT © 1998–2022

Do not sell my personal information Cookies Privacy Ts&Cs