Google settles location tracking lawsuit for only $39.9M
Also, more OEM Android malware, Google's bug reports (mostly) ditch CVEs, and this week's critical vulns
in brief Google has settled another location tracking lawsuit, yet again being fined a relative pittance.
Washington State Attorney General Bob Ferguson's office announced the $39.9 million fine last week, along with news that Google will have to implement several state-ordered tracking reforms that clarify what data is being gathered and for what purposes.
"Today's resolution holds one of the most powerful corporations accountable for its unethical and unlawful tactics," Ferguson said in a statement.
The lawsuit is similar to others filed across the country last year, with attorneys general in Indiana, Texas and Washington, DC joining Washington state in suing Google over claims it used "dark patterns" to trick users into allowing location tracking and data collection, while also making it difficult to opt out.
In January, Washington DC and Indiana announced a joint settlement with Google that netted the pair $9.5 million and $20 million respectively, which the Washington state AG's office said it chose not to sign onto in a bid to earn more money for state coffers.
"Instead of joining a multistate settlement, Ferguson's office independently filed its own lawsuit and obtained this resolution. The Attorney General's Office estimates Washington received more than double the amount it would have received under the wider multistate settlement," the Ferguson's office said.
While it's true that Washington state earned itself considerably more than DC or Indiana, it's worth noting, as we so often have to do at El Reg, that even a $40m settlement is unlikely to make Alphabet accountants take pause.
In Q1 of this year, Google's parent company announced [PDF] it had made $15.05 billion in net profit.
Ferguson's office said it intends to use its Google fine to continue enforcing the Consumer Protection Act. Its enforcement body, the Consumer Protection Division, receives minimal cash from the government and is largely funded by recoveries in cases like this one.
Critical vulnerabilities of the week: KeePass edition
Users of password manager KeePass, beware: it contains a nasty vulnerability that could be used to retrieve all but the first character of a user's master password in plaintext from any number of different memory dump files on a target system. Per the researcher that found it, there's no mitigation available until KeePass version 2.54 is released next month.
In active exploit news, a pair of seven-year old vulnerabilities tied to Java Management Extensions, or JMX are worth mentioning: They're widespread, dangerous and CISA said they're being actively exploited.
CVE-2016-3427, the first of the pair, involves an unspecified vulnerability in Oracle Java SE versions 6u113, 7u99 and 8u77; Java SE Embedded 8u77 and JRockit R28.3.9 that could allow a remote attacker to "affect confidentiality, integrity, and availability via vectors related to JMX," according to NIST. Couple that with an RCE vulnerability in multiple versions of Apache Tomcat that requires an attacker to have access to JMX ports, and you have a recipe for disaster.
In unrelated KEV news, Ruckus Wireless Admin up to version 10.4 allows RCE via an unauthenticated HTTP Get request; patches are available so install now.
In ICS news, there's three issues to be aware of this week:
- CVSS 10.0 - Multiple CVEs: Johnson Controls OpenBlue Enterprise Manager Data Collector firmware prior to 22.214.171.124 contains an improper authorization issue that an attacker could exploit to make API calls
- CVSS 9.8 - CVE-2020-6967: Rockwell Automation FactoryTalk Diagnostics software between versions 2.00 and 6.11 contain a deserialization flaw that an attacker could exploit to execute code with system level privileges.
- CVSS 8.6 - Multiple CVEs: Snap One's OvrC Pro software prior to version 7.3 contains a number of vulnerabilities that could allow an attacker to claim devices, execute arbitrary code and disclose device info.
Non-phone Android devices still shipping with malware, too
We reported recently that Trend Micro security researchers at Black Hat Asia discovered millions of Android handsets built by budget OEMs were laced with malware, now new reports this week point to popular Android TV boxes sold on Amazon having similar problems.
According to security researcher Daniel Milisic, who bought an infected set-top Android box from Amazon manufactured by Chinese company AllWinner, several popular models from AllWinner and fellow Chinese firm RockChip are shipping with malware that immediately reaches out to a C2 server once powered up.
As with other similar malware, much of it comes with budget hardware manufactured by companies with poor supply chain security practices, and the bug could have been slipped in at any stage in production by any number of supply partners.
Milisic claims to have found expired certificates on his device that pointed to mobile advertising platform Dotinapp, a mobile advertising platform that appears defunct. Just add this to the long list of similar issues that budget Android devices have dealt with over the years - consider this a lesson in "you get what you pay for" when it comes to computing hardware.
Google ditches CVEs for all but the most serious vulnerabilities
Google said it had plans to add a quality rating system to security vulnerability reports - yay - while also saying it plans to stop assigning CVEs to most reported issues - boo.
- Diligent developer courageously lied about exec's NSFW printouts - and survived long enough to quit with dignity
- Teen in court after '$600K swiped from DraftKings gamblers'
- Apple warns of three WebKit vulns under active exploitation, dozens more CVEs across its range
- Cisco squashes critical bugs in small biz switches
Few would argue that vulnerability reports could benefit from quality ratings based on details, analysis, the inclusion of proof of concepts and the like. Not attaching CVE numbers "to most moderate severity issues," however, seems less like an attempt to incentivise the discovery of and high-quality reporting on vulnerabilities and more a way to reduce what gets cataloged in a bid to look better.
CISA describes assigning a CVE ID as step one in cataloging known exploited vulnerabilities. Without data on medium- and low-severity vulnerabilities in Google products only one company will benefit: Google, by obfuscating the bulk of its vulnerabilities. ®