Archive for January 29, 2018

VMware Patches Spectre Vulnerability In VMware Fusion…. So, What About Parallels Desktop For Mac?

Posted in Commentary on January 29, 2018 by itnerd

If you run virtual machines on your Mac, you have two mainstream choices: VMware Fusion or Parallels Desktop. In both cases, you have to worry about the fallout from the Spectre and Meltdown CPU flaws. In the case of VMware Fusion, VMware has addressed Spectre in its latest update. Specifically, it has addressed the attack vector that is unique to virtualization: a malicious or compromised guest using the speculative-execution flaw to read memory belonging to the hypervisor or to other guests, which patching the guest and host operating systems alone does not close. VMware has also provided specific instructions on how its users can secure themselves.

So, that leaves Parallels Desktop For Mac. What are they doing to protect their users? Well, the closest thing to advice that I have seen is these Tweets:

And:

The problem with this response is that patching macOS and whatever operating systems you're running in your virtual machines isn't enough, as VMware points out: the hypervisor itself also needs a patch. I tried to find any further communication from Parallels and I could not. Thus you have to wonder whether Parallels is working on something or ignoring this. I say that because in the absence of any information, people will wonder if the company actually cares. If I were Parallels, I'd be putting out some sort of statement on Spectre and Meltdown ASAP, because VMware has beaten them to the punch and is drawing a pretty stark comparison between the two products, one that leaves VMware in control of the message on this issue.

UPDATE: Parallels released an update to Parallels Desktop For Mac. The release notes make no mention of Spectre and Meltdown fixes. So I pinged Parallels over Twitter. Here’s what I got back:

The release notes referenced in the Tweet are the same ones that I looked at prior to pinging them on Twitter. Thus it doesn't appear that they've done anything to mitigate Spectre and Meltdown, despite the fact that their nemesis VMware Fusion has.

#Fail: Strava Reveals Locations Of Secret US Military Bases

Posted in Commentary on January 29, 2018 by itnerd

Seeing as I am a cyclist, I use Strava to keep track of my rides and also to help me improve. The same is true for millions of other cyclists, runners, and other weekend warriors. Which is why, when I saw this news over the weekend, I was kind of floored:

Sensitive information about the location and staffing of military bases and spy outposts around the world has been revealed by a fitness tracking company. The details were released by Strava in a data visualisation map that shows all the activity tracked by users of its app, which allows people to record their exercise and share it with others. The map, released in November 2017, shows every single activity ever uploaded to Strava — more than 3 trillion individual GPS data points, according to the company. The app can be used on various devices including smartphones and fitness trackers like Fitbit to see popular running routes in major cities, or spot individuals in more remote areas who have unusual exercise patterns.

However, over the weekend military analysts noticed that the map is also detailed enough that it potentially gives away extremely sensitive information about a subset of Strava users: military personnel on active service… In locations like Afghanistan, Djibouti and Syria, the users of Strava seem to be almost exclusively foreign military personnel, meaning that bases stand out brightly. In Helmand province, Afghanistan, for instance, the locations of forward operating bases can be clearly seen, glowing white against the black map.

Well, Strava is in a whole lot of trouble. But it does illustrate that when companies like Strava, Map My Run (which is owned by Under Armour), or Runtastic collect data on millions of users, that data can have all sorts of unintended consequences, even when each individual upload looks harmless. For example, I had a brief look at this, and these maps (which, for the record, I have used previously to design cycling routes for myself) clearly outline what I assume are patrol and supply routes. Thus if you're a bad guy who wants to kidnap or kill people, this would be a great way to figure out where to set up shop so that you could do just that. I am guessing that all these app companies are going to have to get together with the US military to get this sorted for that reason alone. I'm also going to guess that the US military is going to have to crack down on the usage of these sorts of apps to avoid this problem going forward.


Microsoft Disables Its Spectre Variant 2 Patch…. And Intel Told The Chinese About These Flaws Ahead Of The US

Posted in Commentary on January 29, 2018 by itnerd

It seems that Microsoft has joined Intel, HP and Dell in pulling back the Spectre mitigations, according to Bleeping Computer. Rather than stopping people from installing them, Microsoft shipped an emergency patch over the weekend that switches off the one for Spectre Variant 2, because the Intel microcode it depends on has been causing instability.

Microsoft has issued on Saturday an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update — KB4078130 — targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions. Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3. The company said it decided to disable mitigations for the Spectre Variant 2 bug after Intel publicly admitted that the microcode updates it developed for this bug caused “higher than expected reboots and other unpredictable system behavior” that led to “data loss or corruption.”

HP, Dell, and Red Hat took previous steps during the past week.
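KB4078130 works by writing the registry override that Microsoft documents for turning the CVE-2017-5715 (Spectre Variant 2) mitigation off, so the state of a given Windows box is something you can check rather than guess. The script below is an added example, not code from the original post or from Microsoft: it reads the FeatureSettingsOverride and FeatureSettingsOverrideMask values under the Memory Management key that Microsoft's guidance (KB4072698 / KB4073119) names, reports whether bit 0 (the Variant 2 disable bit, the one KB4078130 sets) is in effect, and offers a function to set the documented enable (0/3) or disable (1/1) values. The function name and the reported strings are my own; the registry path, value names and bit meanings are Microsoft's. Changing the values requires an elevated prompt and a reboot.

```powershell
# Added example (not from the original post or Microsoft's own tooling).
# Registry location and value names are the ones Microsoft documents for the
# speculative-execution mitigations (KB4072698 / KB4073119).
$MitigationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-Variant2MitigationState {
    # Returns a string describing whether the OS-side Spectre Variant 2
    # (CVE-2017-5715) mitigation is overridden via the registry.
    $props = Get-ItemProperty -Path $MitigationKey -ErrorAction SilentlyContinue
    $override = $props.FeatureSettingsOverride
    $mask     = $props.FeatureSettingsOverrideMask

    if ($null -eq $override -or $null -eq $mask) {
        # Nothing written: Windows uses its default, which on client SKUs
        # enables the mitigation when supporting microcode is present.
        return 'default (no override present; mitigation enabled if microcode supports it)'
    }

    # Bit 0 of the mask says "honour bit 0 of the override"; bit 0 of the
    # override set to 1 disables the Variant 2 mitigation. KB4078130 writes 1/1.
    $maskApplies = (($mask -band 1) -eq 1)
    $disableBit  = (($override -band 1) -eq 1)

    if ($maskApplies -and $disableBit) {
        return "disabled by override (FeatureSettingsOverride=$override, Mask=$mask; this is what KB4078130 sets)"
    }
    if ($maskApplies -and -not $disableBit) {
        return "explicitly enabled (FeatureSettingsOverride=$override, Mask=$mask)"
    }
    return "override present but bit 0 not masked in (FeatureSettingsOverride=$override, Mask=$mask); default applies"
}

function Set-Variant2Mitigation {
    # Writes Microsoft's documented values. Must run elevated; takes effect
    # after a reboot. -Enabled $true re-enables the mitigation that KB4078130
    # turned off; -Enabled $false reproduces what KB4078130 does.
    param([Parameter(Mandatory)][bool]$Enabled)

    if ($Enabled) { $override = 0; $mask = 3 }   # documented "enable" values
    else          { $override = 1; $mask = 1 }   # documented "disable Variant 2" values

    New-ItemProperty -Path $MitigationKey -Name 'FeatureSettingsOverride' `
        -Value $override -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $MitigationKey -Name 'FeatureSettingsOverrideMask' `
        -Value $mask -PropertyType DWord -Force | Out-Null

    Write-Output "Wrote FeatureSettingsOverride=$override, FeatureSettingsOverrideMask=$mask. Reboot to apply."
}

# Usage: report the current state. Uncomment the Set-... line to change it.
Write-Output ("Spectre Variant 2 OS mitigation: " + (Get-Variant2MitigationState))
# Set-Variant2Mitigation -Enabled $true
```

The registry override only tells you what the OS has been asked to do. Whether the mitigation is actually active also depends on the CPU microcode being loaded, so the authoritative check is Microsoft's SpeculationControl module from the PowerShell Gallery (Install-Module SpeculationControl; Get-SpeculationControlSettings), which reports the hardware support, the OS support and the registry override together. Given Intel's own statement that the current microcode causes reboots and data corruption, re-enabling the mitigation with the function above is only sensible once fixed microcode has shipped for your platform.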

So, that is pretty bad. But here's something that's worse. It appears that Intel might have told several Chinese technology firms about these chip flaws before it told the US Government. Here's why that's bad:

Intel Corporation initially warned a handful of customers, including several Chinese technology firms, about security flaws within its processor chips, while at the same time not telling the U.S. government, The Wall Street Journal reported Sunday. 

Security experts told the newspaper that the decision could have allowed Chinese tech companies to flag the vulnerabilities to Beijing, giving the Chinese government opportunity to exploit them. 

Now that’s really bad. Clearly the response to these chip flaws has been sub-optimal to say the least. Thus I am fully expecting more bad news to appear on this front in the coming days.

WhatsApp Now Supports Apple CarPlay

Posted in Commentary on January 29, 2018 by itnerd

I noticed something last night when I was out in the car. I had updated to the latest version of WhatsApp earlier in the day which only listed “bug fixes” in the change log. But when I plugged my iPhone into my vehicle, this popped up on CarPlay:

[Image: WhatsApp shown on the CarPlay screen (IMG_1197.jpg)]

WhatsApp had made an appearance in Apple CarPlay. That was kind of a surprise. I got a friend to help me to test it out and I found the following:

  • Siri will notify me when I have received a new WhatsApp message.
  • Siri can read messages.
  • I can now send WhatsApp Messages via Siri and it works the same way as the built in messages app.

This is a big deal as up until now, no other messaging app has ever worked in CarPlay as far as I know. I hope that means that other messaging apps like Skype and the like will make an appearance in CarPlay as well.