Just Computers

Notable because of the type of information exposed, as well as the amount of it.

State agency exposes 3TB of data, including FBI info and remote logins

I've been messing with my computer for a while and this is just some miscellaneous comments. Nothing significant. Feel free to ignore the post.

I now have four solid state drives in the desktop computer (why do they call them "desktops" when everyone I know has them on the floor?). There is plenty of room in the case for four of the tiny drives (they make special brackets for putting two SSDs in a single HDD slot - my old computer could have held ten SSds!) and the power usage is minimal. The UPS shows the computer (including the monitor, the modem, and the router) using 50 to 60 watts - unless something serious is running in the background.

Two of the drives are for data. One drive is for the Windows 7 operating system and one is for Windows 10. I don't like using a single drive with partitions for two operating systems, although I did it all the time when drives were expensive. Now you can get a 500 GB SSD for $80. I also have a spare SSD which is a clone of the Windows 7 drive. I think the most operating systems I have had on a multi-partition, single drive was four. No, make that five: Windows XP, Windows 95, Windows 98, Windows Server 2000, and Linux. That was for a program I designed. It was a great program, but before I had it finished, it was obsolete. Bummer, it could have been big bucks.

I added the Windows 10 OS drive when the articles I read showed that the system is becoming more stable and is now allowing for the removal of much of the crap that Microsoft has piled on to make the computer look and act more like a smart phone. With just a  little tweaking, the UI can be made to look like a real computer. And it does feel much faster than Windows 7. I am nowhere near the point where Win 10 will become my primary OS, but it may soon get there. There is another major release coming out in April which may do the trick.

Just got a new UPS, as the batteries on the old one were in need of replacement. It was a fine piece of equipment, but the manufacturer - Belkin - had gotten out of the business and the ten-year-old interface software was problematic on Windows 7. Oddly, though, it worked fine on Windows 10. I splurged on the new UPS and went with a true sine wave device. What the hell, I doubt that I will ever buy another one - probably never have to replace the batteries. The one thing that irritates me about the new UPS is that there is not room to plug in the damned wall warts power supplies for the modem and the router. So I have to use a one-foot extension cord to move a wall wart so I can connect all the components that need battery backup. The old UPS had plenty of room for them.

When I added the Windows 10 OS capability, I wanted to sync the data for the browser and the mail program, so that they were identical no matter whih OS I was using. The browser - Firefox - was easy to manage, just a matter of moving the profile (which has all the data) to one of the data drives and using that for both OS. I use Mozilla's Thunderbird mail program and that turned out to to be a fucking hassle. Many of the control and data files have hard-coded addresses in them (I found out too late), so just moving the files won't do the job. I now know what needs to tbe done, but it will be a pain the ass and I found a problem which caused me to lose all of the address book info. I believe it is a problem in Thunderbird's profile manager. I plan on testing to verifty that and then post it on Thunderbird's forum.

When I lost the two Thunderbird files which contained all of the address book info (the files weren't really lost; they were still there but they were empty), I easily recovered them from my backup files. At the time, it occurred to me that after all of the years - decades - in which I have been doing regularly scheduled backups, I believe this is the first time I have used the backups to recover a file. And I retired as a senior software engineer from a company which created the majority of the world's backup software. Go figure.

Enough yammering.

Comcast has a reputation for being a bunch of useless jerks. Stuff like this is the reason why.

Comcast security nightmare: default ‘0000’ PIN on everybody’s account

I don't remember seeing this sort of thing before.

Extortionists leak data of huge firms after IT provider refuses to pay

"Mozilla has fixed the flaw in Firefox version 67.0.3" so they say.
Today, they released 76.0.4 to fix a security flaw. Wonder what that was.

Thank you.

I am getting tired of constant patches in Firefox.

Mozilla patched two Firefox zero-day flaws in one week

Quote :

Two emergency zero days affecting a browser in one week counts as unusual, especially when they pop up as separate alerts two days apart, as part of targeted attacks on a single business sector.

The 18 June 2019 patch for the first fix took Firefox to 67.0.3 (ESR 60.7.1), while the second bumped that to 67.0.4 (ESR 60.7.2), the current version for the Tor browser, based on Firefox, is version 8.5.3).

But there was more – the zero days were intended to work together to facilitate a malware backdoor called Netwire that dates back several years and is known to infect macOS and Linux systems.

VLC media player gets biggest security update ever

Quote :

As explained by VideoLAN’s alert, anyone running 3.0.6 and earlier should update to 3.0.7 as soon as possible, refraining from opening files from untrusted third parties until they do. VLC doesn’t update automatically but does have notification (Tools > Preferences > Privacy & Network Interaction > Activate Update Notifier) that is enabled to check for new versions every three days by default.

I'll trust you on this. VLC is updating right now.
That's a really good program except for the 1992 interface.

Firefox 67.0.4 was getting hourly spam e-messages that I couldn't figure out how to turn off.

So I switched over to Safari for the past couple of weeks, which I like a lot less but it was clean.  On a whim today I checked Firefox for an update -- yes, 68.0 was released July 9 -- so I downloaded it and, so far, the spam has been blocked.  We shall see....

Quote :

Security vulnerabilities fixed in Firefox 68

Announced
July 9, 2019
Impact
critical
Products
Firefox
Fixed in

Firefox 68

#CVE-2019-9811: Sandbox escape via installation of malicious language pack

Reporter
Niklas Baumstark
Impact
high

Description

As part of his winning Pwn2Own entry, Niklas Baumstark demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation.
References

Bug 1538007
Bug 1539598
Bug 1539759
Bug 1523741
Bug 1563327

#CVE-2019-11711: Script injection within domain through inner window reuse

Reporter
Boris Zbarsky
Impact
high

Description

When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security.
References

Bug 1552541

#CVE-2019-11712: Cross-origin POST requests can be made with NPAPI plugins by following 308 redirects

Reporter
Gregory Smiley of Security Compass
Impact
high

Description

POST requests made by NPAPI plugins, such as Flash, that receive a status 308 redirect response can bypass CORS requirements. This can allow an attacker to perform Cross-Site Request Forgery (CSRF) attacks.
References

Bug 1543804

#CVE-2019-11713: Use-after-free with HTTP/2 cached stream

Reporter
Hanno Böck
Impact
high

Description

A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash.
References

Bug 1528481

#CVE-2019-11714: NeckoChild can trigger crash when accessed off of main thread

Reporter
Hanno Böck
Impact
moderate

Description

Necko can access a child on the wrong thread during UDP connections, resulting in a potentially exploitable crash in some instances.
References

Bug 1542593

#CVE-2019-11729: Empty or malformed p256-ECDH public keys may trigger a segmentation fault

Reporter
Jonas Allmann
Impact
moderate

Description

Empty or malformed p256-ECDH public keys may trigger a segmentation fault due values being improperly sanitized before being copied into memory and used.
References

Bug 1515342

#CVE-2019-11715: HTML parsing error can contribute to content XSS

Reporter
Linus Särud
Impact
moderate

Description

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.
References

Bug 1555523

#CVE-2019-11716: globalThis not enumerable until accessed

Reporter
Chris Hacking
Impact
moderate

Description

Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed.
References

Bug 1552632

#CVE-2019-11717: Caret character improperly escaped in origins

Reporter
Tyson Smith
Impact
moderate

Description

A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes.
References

Bug 1548306

#CVE-2019-11718: Activity Stream writes unsanitized content to innerHTML

Reporter
Mark Banner
Impact
moderate

Description

Activity Stream can display content from sent from the Snippet Service website. This content is written to innerHTML on the Activity Stream page without sanitization, allowing for a potential access to other information available to the Activity Stream, such as browsing history, if the Snipper Service were compromised.
References

Bug 1408349

#CVE-2019-11719: Out-of-bounds read when importing curve25519 private key

Reporter
Henry Corrigan-Gibbs
Impact
moderate

Description

When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure.
References

Bug 1540541

#CVE-2019-11720: Character encoding XSS vulnerability

Reporter
Rakesh Mane
Impact
moderate

Description

Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering.
References

Bug 1556230

#CVE-2019-11721: Domain spoofing through unicode latin 'kra' character

Reporter
Anonymous
Impact
moderate

Description

The unicode latin 'kra' character can be used to spoof a standard 'k' character in the addressbar. This allows for domain spoofing attacks as do not display as punycode text, allowing for user confusion.
References

Bug 1256009

#CVE-2019-11730: Same-origin policy treats all files in a directory as having the same-origin

Reporter
Luigi Gubello
Impact
moderate

Description

A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. Luigi Gubello demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents.
References

Bug 1558299

#CVE-2019-11723: Cookie leakage during add-on fetching across private browsing boundaries

Reporter
Andreas Wagner
Impact
low

Description

A vulnerability exists during the installation of add-ons where the initial fetch ignored the origin attributes of the browsing context. This could leak cookies in private browsing mode or across different "containers" for people who use the Firefox Multi-Account Containers Web Extension.
References

Bug 1528335

#CVE-2019-11724: Retired site input.mozilla.org has remote troubleshooting permissions

Reporter
Frederik Braun
Impact
low

Description

Application permissions give additional remote troubleshooting permission to the site input.mozilla.org, which has been retired and now redirects to another site. This additional permission is unnecessary and is a potential vector for malicious attacks.
References

Bug 1512511

#CVE-2019-11725: Websocket resources bypass safebrowsing protections

Reporter
Andrey
Impact
low

Description

When a user navigates to site marked as unsafe by the Safebrowsing API, warning messages are displayed and navigation is interrupted but resources from the same site loaded through websockets are not blocked, leading to the loading of unsafe resources and bypassing safebrowsing protections.
References

Bug 1483510

#CVE-2019-11727: PKCS#1 v1.5 signatures can be used for TLS 1.3

Reporter
Hubert Kario
Impact
low

Description

A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages.
References

Bug 1552208

#CVE-2019-11728: Port scanning through Alt-Svc header

Reporter
Trishita Tiwari, Ari Trachtenberg
Impact
low

Description

The HTTP Alternative Services header, Alt-Svc, can be used by a malicious site to scan all TCP ports of any host that the accessible to a user when web content is loaded.
References

Bug 1552993

#CVE-2019-11710: Memory safety bugs fixed in Firefox 68

Reporter
Mozilla developers and community
Impact
critical

Description

Mozilla developers and community members André Bargull, Christian Holler, Natalia Csoregi, Raul Gurzau, Daniel Varga, Jon Coppeard, Marcia Knous, Gary Kwong, Randell Jesup, David Bolter, Jeff Gilbert, and Deian Stefan reported memory safety bugs present in Firefox 67. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

Memory safety bugs fixed in Firefox 68

#CVE-2019-11709: Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

Reporter
Mozilla developers and community
Impact
critical

Description

Mozilla developers and community members Andreea Pavel, Christian Holler, Honza Bambas, Jason Kratzer, and Jeff Gilbert reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code.
References

Memory safety bugs fixed in Firefox 68 and Firefox ESR 60.8

[Heavy sigh.] Spam still pops up onscreen. Goddamn it.

I consider it completely ridiculous that Firefox can't block pop-up ads, so I did a little googling and came up with this website. We'll see if their recommendations bear any fruit.

Fuck. Shit. Piss.

Desktop only. Portable devices use Firefox without any interference.

NoCoPilot wrote:

I consider it completely ridiculous that Firefox can't block pop-up ads, so I did a little googling and came up with this website.  We'll see if their recommendations bear any fruit.

Did you notice that the article at that link is for Windows 8, Firefox 22 ?

The next time you get a spam pop-up, take a snap of the screen and post it on here.
Maybe it's something I've run into.

That's tough to do, because they only appear on-screen once per hour for about 3 seconds then disappear.  They do however make a pinging noise which interrupts any recording I'm doing, which pisses me the fucking hell off.  Here's one that came up as soon as I launched Firefox:


There is a big number of different URLs that come up.  A dozen?  A couple dozen?  Never counted.  Yes, I noticed the instructions were for Windows and I had to adjust them for OS-X but I thought I did that successfully.

To no avail.

68.0.1 released July 18, installed today (7/21)

Release notes don't look like this'll fix my spam problem

Google "remove Tofideventresfa.info" and you will be presented with a lot of assistance in getting rid of this.

In exploring your problem, I found this:



It looks like you accidentally gave notification privileges to a nasty program.
Getting rid of this little basterd (thank you Tarantino) may be as simple as removing an add-on to Firefox, or it may require some work to remove crap that this thing has tacked on to Firefox or maybe to your system. The good news is that it is not a virus, just a pain in the ass. However, it can be used to install malware so it needs to be gone.

Uh, thanks, that might just do it. The instructions weren't 100% correct, but I did end up at a screen that allowed me to block "Tofideventresfa.info."

Frankly, I'm a little bit scared of websites with great big long instructions for making changes to your permissions. Seems like an open invitation to somebody's malware.

NoCoPilot wrote:

Frankly, I'm a little bit scared of websites with great big long instructions for making changes to your permissions.  Seems like an open invitation to somebody's malware.

I'm the same way. I blame it on the computer companies trying to make their devices look like "smart" phones.

I blame it on malware companies making their "products" look more and more legit. You gotta be damn careful these days.