This article is more than 1 year old
Homebrew fixes Cask repo GitHub Actions bug that would have let anyone sneak malicious code onto machines
Plus: America creates task force to tackle ransomware crims
In Brief The Homebrew package manager for macOS and Linux has fixed an issue that could have been exploited by miscreants to run malicious code on people's computers.
Specifically, the project's GitHub Actions setup could have been abused to sneak arbitrary Ruby code into its Cask repositories, security researcher RyotaK discovered and disclosed via HackerOne.
The infosec bod found it was possible to merge a "malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project. By abusing it, an attacker could execute arbitrary Ruby codes on users' machines."
According to the Homebrew folks, the vulnerability was exploited in a harmless proof-of-code test by RyotaK, with permission and reversed – and the hole was addressed.
"The vulnerable review-cask-pr GitHub Action has been disabled and removed from all repositories," the project's Markus Reiter said in an advisory this week.
"We have removed the ability for our bots to commit to homebrew/cask* repositories," he added, among other listed mitigations.
A lesson to be learned for anyone writing and deploying GitHub Actions scripts.
Uncle Sam better late than never with anti-ransomware pledge
The US government has signaled it intends to get tough on ransomware, saying it has to "break the cycle" of payoffs that lead to more infections and extortion.
Uncle Sam's newly formed Ransomware and Digital Extortion Task Force will "bring all of the [Department of Justice's] resources to bear to bolster our all-tools approach and work with our partners here and abroad to combat the threat of ransomware and digital extortion, and to ensure that we hold those who participate in the propagation of these crimes responsible and accountable," according to a leaked memo from Acting Deputy Attorney General John Carlin.
“When criminals target critical infrastructure such as hospitals, utilities, and municipal networks, their activity jeopardizes the safety and health of Americans.”
Carlin's note gets to the crux of the matter: paying off file-scrambling criminals doesn't work in the long run. This also comes after businesses have received mixed messages on how to handle ransomware infections from the US and UK governments.
Maybe we'll get some action on a crimeware epidemic that's upending lives and sucking money out of the global economy. We note that America's task force seems more built around the prosecution of the malware's makers than securing networks, software, and people from extortion in the first place, which is the long-term hard problem to solve... if that's even possible.
Mozilla fixes HTTPS spoofing issue
Firefox 88 is out and within the code is a fix for an HTTPS spoofing flaw. The issue, CVE-2021-23998, could be exploited by a plain-text HTTP to appear to be HTTPS-protected by showing the familiar padlock in the address bar.
In all, six high-severity bugs were fixed in the update, and a host of lesser ones. Other changes include disabling FTP support, and isolating window.name data to block some cross-site privacy leaks.
Aircraft booking biz hit by malware
Not that many people are flying these days, and times just got a little tougher for flight-booking software provider Radixx, which has been hit by a malware infection.
The offshoot of SABRE, the booking system developed for American Airlines in the 1950s that grew to control how and when most of us fly, was knocked offline in a multi-day outage by the software nasty, affecting about 20 low-cost airlines globally. SABRE's core system haven't been harmed.
"Radixx Res has experienced an event impacting its Radixx reservation system," it said on Thursday. "The company is in the process of restoring service to the approximately 20 Radixx airline customers affected by this event." ®