© Kran Kanthawong, 123RF.com

News for Admins

Tech News

Article from ADMIN 44/2018
AMD Confirms CTS Labs vulnerability reports, Windows Remote Assistance vulnerability, Arduino adds Rasp Pi and BeagleBone to the Arduino Create platform, and Linux Foundation announces an embedded hypervisor.

AMD Confirms CTS Labs Vulnerability Reports

CTS Labs released a report that claimed that firmware used with AMD's Ryzen and EPYC processors has more than a dozen vulnerabilities. CTS Labs gave AMD less than 24 hours to address these problems before going public.

Even though CTS Labs was roasted by journalists and the likes of Linus Torvalds, AMD has finally confirmed the findings and acknowledged the 13 vulnerabilities in its processors. However, AMD also downplayed the criticality of these vulnerabilities.

AMD wrote in its advisory, "It's important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create, or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research."

According to Trail of Bits, "There is no immediate risk of exploitation of these vulnerabilities for most users. Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities."

There is a caveat, though. Harry Sintonen, F-Secure's senior security consultant, once said it's very easy to gain physical access to a victim's machine. And once you have access to that machine, in AMD's own words, that attacker would have "a wide range of attacks at their disposal."

All said and done, this story seems to be less about the nature of the vulnerability and more about how CTS Labs reported it. CTS Labs seemingly resorted to the strategy of reporting it without giving away any technical details to build public pressure on such companies to fix it immediately.

With AMD coming out with a report within a week, that strategy seems to be working.

Windows Remote Assistance Vulnerability

Sharing is not caring when it comes to sharing remote access to your computer. It could be helpful in certain use cases, like troubleshooting, but the access must be revoked as soon as possible. Here, we are talking about "giving" others access to your computer. What risks could be associated with someone giving you access to their computer? It turns out that could be equally dangerous.

A critical vulnerability in Microsoft's Windows Remote Assistance tool can be exploited by remote attackers to steal files from targeted systems. The feature is baked into Windows to ease the process of giving remote access to your system for IT support. All supported versions of Windows are affected by this vulnerability, including Windows 7, 8.1, RT 8.1, and 10.

In a security advisory, Microsoft wrote, "To exploit this condition, an attacker would need to send a specially crafted Remote Assistance invitation file to a user. An attacker could then steal text files from known locations on the victim's machine, under the context of the user, or alternatively, steal text information from URLs accessible to the victim. The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action."

Microsoft fixed the vulnerability in the recent patch, which means you must update your Windows machines immediately if you do use the Windows Remote Assistance tool.

Arduino Adds Rasp Pi and BeagleBone to the Arduino Create Platform

At the Embedded Linux Conference & OpenIoT Summit, Arduino announced support for new architectures for its Arduino Create platform for the development of Internet of Things (IoT) applications.

In an interview, Massimo Banzi, the cofounder of Arduino, said that they are looking at IoT as one of the most promising use cases and want to help the community in building projects targeting IoT. Arduino has also built a cloud, using Kubernetes and AWS, to enable developers to leverage the device and cloud sides of the IoT spectrum. This support fits perfectly with that strategy.

Thanks to the Arduino Create platform, Arduino users can manage and program a wide range of popular Linux single-board computers like the AAEON UP board, Raspberry Pi, and BeagleBone as regular Arduino boards.

"With this release, Arduino extends its reach into edge computing, enabling anybody with Arduino programming experience to manage and develop complex multi-architecture IoT applications on gateways," said Banzi. "This is an important step forward in democratizing access to the professional Internet of Things."

In a blog post, the project said that multiple Arduino programs could run simultaneously on a Linux-based board and interact and communicate with each other, leveraging the capabilities provided by the new Arduino Connector. Moreover, IoT devices can be managed and updated remotely, independently from where they are located.

https://blog.arduino.cc/2018/03/13/you-can-now-use-arduino-to-program-linux-iot-devices/
