Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Thursday July 23 2015, @04:31PM   Printer-friendly
from the just-so-you-know dept.

Bug in Latest Version of OS X Gives Attackers Unfettered Root Privileges

A bug in the latest version of Apple's OS X gives attackers the ability to obtain unfettered root user privileges, a feat that makes it easier to surreptitiously infect Macs with rootkits and other types of persistent malware.

The privilege-escalation bug, which was reported in a blog post published Tuesday by security researcher Stefan Esser, is the type of security hole attackers regularly exploit to bypass security protections built into modern operating systems and applications. Hacking Team, the Italian malware-as-a-service provider that catered to governments around the world, recently exploited similar elevation-of-privileges bugs in Microsoft Windows. When combined with a zero-day exploit targeting Adobe's Flash media player, Hacking Team was able to pierce security protections built into Google Chrome, widely regarded as the Internet's most secure browser by default.

According to Esser, the OS X privilege-escalation flaw stems from new error-logging features that Apple added to OS X 10.10. Developers didn't use standard safeguards involving additions to the OS X dynamic linker dyld, a failure that allows attackers to open or create files with root privileges that can reside anywhere in the OS X file system.

Vulnerability in Microsoft Font Driver Could Allow Remote Code Execution

If you are using Windows, you must patch your system immediately. Microsoft Security Bulletin MS15-078 (CVE-2015-2426) is quite probably the most serious vulnerability in Windows discovered recently, serious enough that Microsoft issued one of its rare out-of-band security updates to address it.

The vulnerability could allow remote code execution if a user opens a specially crafted document or visits an untrusted webpage that contains embedded OpenType fonts.

This security update is rated Critical for all supported releases of Microsoft Windows. For more information, see the Affected Software section.

This is probably one of the most serious of the zero-day exploits that Hacking Team had been using, and was exposed in their recent security breach. Researchers from FireEye Inc. are credited with bringing the bug to Microsoft's attention.

"CVE-2015-2426 is a straight-to-kernel remote code execution vulnerability," a FireEye spokesman said in an email reply to questions, using the flaw's Common Vulnerabilities and Exposure identifier. "The vulnerability was leaked with the Hacking Team email breach."


Original Submission #1Original Submission #2

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday July 23 2015, @04:57PM

    by Anonymous Coward on Thursday July 23 2015, @04:57PM (#212760)

    how do I turn off website fonts?
    it is nothing I need or want, I prefer my own fonts

  • (Score: 3, Funny) by Anonymous Coward on Thursday July 23 2015, @05:12PM

    by Anonymous Coward on Thursday July 23 2015, @05:12PM (#212765)

    $> sudo apt-get install lynx

  • (Score: 0) by Anonymous Coward on Thursday July 23 2015, @05:28PM

    by Anonymous Coward on Thursday July 23 2015, @05:28PM (#212771)

    I'd guess you can override any web site's font choice using a user style sheet. [about.com]

    • (Score: 0) by Anonymous Coward on Thursday July 23 2015, @06:35PM

      by Anonymous Coward on Thursday July 23 2015, @06:35PM (#212796)

      One might hope so but I have my doubts :p

  • (Score: 3, Informative) by Lagg on Thursday July 23 2015, @06:47PM

    by Lagg (105) on Thursday July 23 2015, @06:47PM (#212800) Homepage Journal

    Don't know about chrome but for firefox you can toggle layout.css.prefixes.font-features in about:config

    --
    http://lagg.me [lagg.me] 🗿
  • (Score: 4, Insightful) by bryan on Thursday July 23 2015, @09:59PM

    by bryan (29) <bryan@pipedot.org> on Thursday July 23 2015, @09:59PM (#212873) Homepage Journal

    NoScript blocks external fonts by default.

    Because I've always blocked these fonts, sites that use custom Dingbat fonts as vector graphics (for example GitHub) are especially annoying since they show up as unrenderable Unicode hex character blocks.

  • (Score: 4, Insightful) by VortexCortex on Thursday July 23 2015, @11:19PM

    by VortexCortex (4067) on Thursday July 23 2015, @11:19PM (#212907)

    The question you should be asking is "which OS can I get that doesn't let userland bullshit like font rendering run as a kernel driver".

    • (Score: 0) by Anonymous Coward on Thursday July 23 2015, @11:27PM

      by Anonymous Coward on Thursday July 23 2015, @11:27PM (#212911)

      A thousand times this.

      • (Score: 1, Funny) by Anonymous Coward on Friday July 24 2015, @12:05AM

        by Anonymous Coward on Friday July 24 2015, @12:05AM (#212928)

        Cue the Hairyfeet Font Challenge! You know you want it!

  • (Score: 0) by Anonymous Coward on Friday July 24 2015, @01:50AM

    by Anonymous Coward on Friday July 24 2015, @01:50AM (#212968)

    You can use noscript, it had an option to block webfonts since they became a thing.

  • (Score: 2) by kadal on Friday July 24 2015, @02:45AM

    by kadal (4731) on Friday July 24 2015, @02:45AM (#212982)

    On Firefox, open preferences and then u think it's under content. Somewhere in there is an option to override website fonts and going sizes

    • (Score: 3, Interesting) by Reziac on Friday July 24 2015, @03:28AM

      by Reziac (2489) on Friday July 24 2015, @03:28AM (#212993) Homepage

      Prefbar, turn fonts on and off with one click.

      http://prefbar.tuxfamily.org [tuxfamily.org]

      I only install two add-ons -- Prefbar and NoScript. I can scrape by without NoScript. But I can't live without Prefbar.

      --
      And there is no Alkibiades to come back and save us from ourselves.