Archive for February 16, 2018

A Nasty Bug Is Discovered In macOS High Sierra Related To APFS Disk Images

Posted in Commentary with tags on February 16, 2018 by itnerd

The quality issues with Apple software keep popping up. Last night I became aware of a new one that, while it is a bit of an edge case, is still pretty serious. Mike Bombich of Bombich Software, which makes the popular Carbon Copy Cloner backup software, discovered a pretty bad bug affecting disk images formatted for Apple’s shiny new APFS file system. Before I get to the bug, let me explain what disk images are.

In short, disk images are files that behave like hard disks: you can store thousands of files in them and mount and unmount them like hard disks. That makes them a handy way to back up stuff, as it’s an easy concept for most users to understand. Disk images have been around on the Mac platform forever, and Apple itself uses them for Time Machine backups that go to a network volume. Thus you might have used a disk image without even being aware of it.

Now here’s the bug as described by Bombich:

Earlier this week I noticed that an APFS-formatted sparsebundle disk image volume showed ample free space, despite the fact that the underlying disk was completely full. Curious, I copied a video file to the disk image volume to see what would happen. The whole file copied without error! I opened the file, verified that the video played back start to finish, checksummed the file – as far as I could tell, the file was intact and whole on the disk image. When I unmounted and remounted the disk image, however, the video was corrupted. If you’ve ever lost data, you know the kick-in-the-gut feeling that would have ensued. Thankfully, I was just running some tests and the file that disappeared was just test data. Taking a closer look, I discovered two bugs in macOS’s “diskimages-helper” service that lead to this result.

Well, that’s a #fail, and a pretty bad one. He then ran the same test on disk images formatted for HFS+, Apple’s previous file system, and didn’t get this result, so he believes this is an oversight rather than a regression (a regression is something that started out working fine and then broke at some point). More on that in a moment. Because this was a serious enough bug, he put out an update to Carbon Copy Cloner that stops users from using APFS-formatted disk images, and he filed a bug report with Apple. He also recommends that nobody on planet Earth use APFS-formatted disk images until this issue is addressed.
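As an added example (this is not code from Bombich Software, Carbon Copy Cloner or Apple), here is the kind of copy-and-verify routine the bug above argues for: check free space on the volume that actually stores the image file rather than on the image volume, and only trust a checksum taken after the image has been unmounted and remounted, because a checksum of a freshly written file can be satisfied from the page cache and prove nothing about what reached disk. The hdiutil_remount hook, file names and sizes are my assumptions; the demo stands in for a mounted image with a temporary directory and simulates the reported failure with a remount hook that truncates the copy.

```python
"""Added example: copy a file into a mounted disk image and verify it twice,
once before and once after the image is remounted (not the page's own code)."""
import hashlib
import os
import shutil
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable


@dataclass
class VerifyResult:
    before_remount_ok: bool   # checksum matched while the file may still be cached
    after_remount_ok: bool    # checksum matched after the image was remounted


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large videos need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def host_has_room(host_path: Path, size: int, margin: int = 64 << 20) -> bool:
    """Check free space on the volume holding the image file (the host), because a
    sparsebundle can report ample free space even when that host disk is full."""
    return shutil.disk_usage(host_path).free >= size + margin


def hdiutil_remount(image: Path, mount_point: Path) -> None:
    """macOS hook (assumed, not exercised by the demo): detach and reattach the
    image so the next read comes from on-disk blocks, not the page cache."""
    subprocess.run(["hdiutil", "detach", str(mount_point)], check=True)
    subprocess.run(["hdiutil", "attach", str(image)], check=True)


def copy_and_verify(src: Path, dst: Path, host_path: Path,
                    remount: Callable[[], None]) -> VerifyResult:
    """Copy src to dst inside a mounted image; verify before and after remount."""
    size = os.path.getsize(src)
    if not host_has_room(host_path, size):
        raise OSError(f"host volume {host_path} cannot hold {size} more bytes")
    expected = sha256_of(src)
    shutil.copy2(src, dst)
    with open(dst, "rb+") as f:            # push the copy out of the page cache
        f.flush()
        os.fsync(f.fileno())
    before = sha256_of(dst) == expected    # the check that looked fine in the report
    remount()                              # hdiutil detach/attach on a real image
    after = sha256_of(dst) == expected     # the check that actually matters
    return VerifyResult(before, after)


def demo() -> tuple:
    """Constructed demo: a healthy remount and a remount that exposes a short file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        src = root / "video.mov"
        src.write_bytes(os.urandom(512 * 1024))   # constructed sample payload
        volume = root / "image_volume"            # stands in for the mounted image
        volume.mkdir()
        dst = volume / "video.mov"

        healthy = copy_and_verify(src, dst, root, remount=lambda: None)
        dst.unlink()

        def corrupting_remount() -> None:
            # Simulates the reported failure: the cached copy looked whole, but the
            # blocks never reached the full host disk, so the remounted file is short.
            with open(dst, "rb+") as f:
                f.truncate(4096)

        corrupted = copy_and_verify(src, dst, root, remount=corrupting_remount)
        room_for_4eib = host_has_room(root, 1 << 62)   # no host has this much free
        return healthy, corrupted, room_for_4eib


if __name__ == "__main__":
    print(demo())
```

On a real Mac the remount argument would be a closure over hdiutil_remount with the sparsebundle path and its mount point under /Volumes; the point of the two flags is that before_remount_ok can be True while after_remount_ok is False, which is exactly the sequence Bombich describes.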

This is clearly a QA fail, as I would expect a test case to have been built around an APFS-formatted disk image to confirm that it behaves the same way as an HFS+ disk image. Clearly that didn’t happen here, and it underlines the issues that Apple has with the quality of its software. Earlier this week I tweeted out a story from Bloomberg about how Apple plans to address these systemic issues.

Hopefully that yields results as the current state of affairs is not that good.

Thousands Of FedEx Customers Had Their Data Exposed On A Wide Open Server

Posted in Commentary with tags on February 16, 2018 by itnerd

You have to wonder when companies will learn that securing customer data isn’t optional. I say that because Kromtech Security Center, which is the parent company of MacKeeper Security, has found that thousands of FedEx customers had their private information exposed after one of the courier’s Amazon S3 storage buckets was left open to the public with no authentication at all. FedEx inherited the bucket when it bought a company called Bongo International a few years ago. Now here’s the really bad part: only after Kromtech reached out to FedEx to tell them about the security screw-up was the bucket pulled from public view, which implies that FedEx had no clue it was sitting out there wide open for anyone to find.

So, what data are we talking about here? Nothing significant, really. Just scans of passports, driver’s licenses and other identity documents that would allow any miscreant to steal your identity. And the data comes from customers around the world.

Ouch.

Bob Diachenko, head of communications, Kromtech Security Center had this to say:

“Technically, anybody who used Bongo International services back in 2009-2012 is at risk of having his/her documents scanned and available online for so many years. Seems like the bucket has been available for public access for many years in a row. Applications are dated within the 2009-2012 range, and it is unknown whether FedEx was aware of that “heritage” when it bought Bongo International back in 2014.”

For its part, FedEx had this to say:

“After a preliminary investigation, we can confirm that some archived Bongo International account information located on a server hosted by a third-party, public cloud provider is secure. The data was part of a service that was discontinued after our acquisition of Bongo. We have found no indication that any information has been misappropriated and will continue our investigation.”

Seeing as this bucket was open for who knows how long, nobody knows whether data was swiped, and unless FedEx had turned on access logging for the bucket (which S3 does not do by default) there is no record to check. If I were FedEx, I’d assume the data was swiped by the forces of evil and start reaching out to those who had info in this bucket to give them the heads up. Because these days you can’t be too careful.
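The misconfiguration in this story is a bucket that anyone on the internet can read. As an added example (not Kromtech’s or FedEx’s code), the following checks flag that condition offline from the JSON shapes that boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block calls return, and show the weak settings beside the corrected ones. The bucket names, ARNs and account ID are constructed; the Block Public Access check refers to a control Amazon added later in 2018, so it would not have existed when this bucket was exposed, but it is the setting a practitioner would reach for today.

```python
"""Added example: offline detection of a publicly readable S3 bucket from its ACL,
bucket policy and Block Public Access configuration (not the page's own code)."""
import json
from typing import Any, Dict, List

# Grantee URIs S3 uses for "anyone on the internet" and "any AWS account at all".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """One finding per ACL grant that hands a permission to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            who = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def _principal_is_wildcard(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means every caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_findings(policy_json: str) -> List[str]:
    """One finding per Allow statement that any principal can satisfy. A statement
    with a Condition block is marked 'needs review' rather than PUBLIC, because the
    condition may narrow the callers (evaluating conditions is out of scope here)."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = ", ".join(actions if isinstance(actions, list) else [actions])
        qualifier = "needs review (has Condition)" if stmt.get("Condition") else "PUBLIC"
        findings.append(f"policy {stmt.get('Sid', '<no Sid>')}: {qualifier} allows {actions}")
    return findings


def public_access_block_ok(pab: Dict[str, Any]) -> bool:
    """True only when all four Block Public Access settings are switched on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))


def audit(acl: Dict[str, Any], policy_json: str, pab: Dict[str, Any]) -> List[str]:
    """Combine the three checks into the findings list a scanner would report."""
    findings = acl_findings(acl) + policy_findings(policy_json)
    if not public_access_block_ok(pab):
        findings.append("Block Public Access is not fully enabled")
    return findings


# Constructed inputs: the wide-open configuration beside the corrected one.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Grants": [OWNER, {
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PRIVATE_ACL = {"Grants": [OWNER]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEveryone", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-archive/*"}]})
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "OnlyArchiveReader", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/archive-reader"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-archive/*"}]})
OPEN_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
LOCKED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}

if __name__ == "__main__":
    print("open bucket:  ", audit(OPEN_ACL, OPEN_POLICY, OPEN_PAB))
    print("locked bucket:", audit(PRIVATE_ACL, LOCKED_POLICY, LOCKED_PAB))
```

Against a live account the three inputs come from `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` for the bucket in question; an anonymous `curl` of an object URL is the quickest confirmation that an AllUsers READ grant really is reachable from the internet.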

New Bug Affecting iOS, macOS, & watchOS Crashes iPhones With A Single Character

Posted in Commentary with tags on February 16, 2018 by itnerd

Apple’s software quality continues to be a bit of a gong show. Case in point: a new bug affecting the currently shipping versions of watchOS, tvOS, iOS and macOS has been discovered that will crash your iPhone and lock you out of a range of messaging and e-mail apps, including Apple’s Messages, WhatsApp and Gmail, among others. According to a report from The Verge, the bug is triggered when a particular character from the Telugu script (an Indian language) is received, or even just pasted into a text field.

Here’s the bug in action:

The good news is that, according to The Verge, a fix is coming in the form of a minor update, which implies that it could be pushed out at any time. The other option is for Apple to ship the versions of those operating systems that are currently in beta, since all existing beta versions of iOS, macOS, tvOS and watchOS are reportedly unaffected by this bug. But based on what I am reading, it is likely that Apple will push out a quick fix.

Regardless of what Apple does to fix this, the fact that this bug even exists underscores the issues that Apple has with its software quality, and that fixing that problem is clearly a huge challenge for them.

That Skype Bug That Microsoft Wasn’t Going To Fix Is Actually Already Fixed

Posted in Commentary with tags on February 16, 2018 by itnerd

You might recall that I posted a story about a Skype bug that could lead to you getting pwned by hackers, and that Microsoft wasn’t going to fix it. Well, it has actually been fixed.

Confused? Yeah. So was I. Hang with me and I’ll explain.

According to Skype program manager Ellen Kilbourne, via a support forum post, the vulnerability is present in Skype for Windows versions 7.40 and lower. Last October Microsoft released version 8, which does not have the flaw, so the fix is to upgrade to the latest version.

So, how did we end up with this becoming an issue?

The issue was discovered by German researcher Stefan Kanthak. In the advisory where he disclosed this bug, he quotes the response he got from Microsoft:

“The engineers provided me with an update on this case. They’ve reviewed the code and were able to reproduce the issue, but have determined that the fix will be implemented in a newer version of the product rather than a security update. The team is planning on shipping a newer version of the client, and this current version will slowly be deprecated. The installer would need a large code revision to prevent DLL injection, but all resources have been put toward development of the new client.”

Clearly version 8 was the new client that Microsoft was speaking of. Thus I have to assume that either he believed Microsoft wasn’t going to do anything, or he misunderstood what Microsoft said. As a result he waited three months and disclosed something that had already been fixed. In other words, it was an honest mistake.

And with that, as long as you are on Skype 8 or later, you can go back to using Skype without worrying that you’re going to get pwned.

Guest Post: NordVPN Discusses Facebook’s VPN App Which Collects User Data

Posted in Commentary with tags on February 16, 2018 by itnerd

Facebook is now officially promoting its own VPN (Virtual Private Network), called Onavo.

Users of Facebook’s iOS app have recently been shown a new option called Protect (found within the app’s navigation menu), which prompts users to download the Onavo VPN app. However, this app comes with serious privacy issues.

“The purpose of a VPN is to provide its users with online privacy and security by encrypting all data exchanged between a user’s device and a VPN server. Reputable VPNs do not keep any user logs. Unfortunately, Facebook’s VPN seems to do the opposite – its goal is data collection, while it’s disguised as a privacy tool,” said Marty P. Kamden, CMO of NordVPN.  “This discredits VPNs and deprives people of online protection that they need – especially if they are using a VPN in countries where the freedom of speech is restricted.”

The Onavo app has already racked up 33 million installs by claiming it provides online protection. When a user downloads Onavo, the app establishes a tunnel – the usual VPN practice – to reroute all traffic from the user’s device to one of Onavo’s servers. The tunnel is encrypted, and a privacy-focused VPN will never monitor the online habits of its users by keeping logs of their activity. However, Onavo does collect mobile data traffic, claiming the collection helps improve its service.

“The problem is that when the data is collected, we cannot know how and where it will be used. It becomes the property of Facebook, and Facebook is not in the business of data privacy,” said Marty P. Kamden. “The data can be easily mishandled, sold to third parties or used for any other purpose. Facebook users should avoid downloading this app, and if they did – they should uninstall it, and use a trusted paid VPN instead. Unfortunately, a VPN provider that is offering a free service will be using other ways to earn money – and it’s usually through selling user data.”