Canonical has published new Ubuntu Linux kernel security updates for all of its supported releases to patch several vulnerabilities recently discovered by various security researchers.
Affecting Linux 4.15, 4.4 and 5.3 kernels in several versions of Ubuntu Linux, the new security patch fixes an issue found in the Intel Wi-Fi driver, a race condition discovered in the Linux kernel’s virtual terminal implementation, a flaw discovered in the floppy driver, and a race condition in the block I/O tracing implementation. All these issues could allow a local attacker to either crash the system or expose sensitive information.
The new kernel update also patches a stack buffer overflow discovered in the vhost net driver. This could allow a local attacker with the ability to perform ioctl() calls on /dev/vhost-net to cause a denial of service, crashing the system.
That's just to name a few of the critical security issues that have been patched. Canonical urges all users to update their installations and install the new kernel versions as soon as possible.
New kernel versions are also available for Raspberry Pi devices, cloud environments, OEM processors, Snapdragon processors, as well as Amazon Web Services, Microsoft Azure Cloud, Oracle Cloud, Google Cloud Platform, and Google Container Engine systems.
Keep in mind when updating a production system that a system reboot is required for the security issues to be corrected, so it's best to schedule a short downtime to perform this update.
Sent to us by: Roy W. Nash
The Document Foundation has announced the release of LibreOffice 6.3.6 as the sixth and final update of the 6.3 series, which will reach end of life at the end of this month.
Coming more than two months after LibreOffice 6.3.5, the LibreOffice 6.3.6 update is here to provide users of the LibreOffice 6.3 series with one last set of bug and regression fixes. It also aims to improve document compatibility.
The LibreOffice 6.3 series is targeted at enterprise deployments and production environments. While LibreOffice 6.4 is already available, 6.3 is the only version currently recommended by The Document Foundation for organizations.
That said, LibreOffice 6.3 is set to reach end of life on May 29th, 2020, and this is the last update.
If you’re running LibreOffice 6.3 in your organization, it would be best to update to version 6.3.6 as soon as possible, and start considering upgrading your 6.3 installations to the 6.4 series in the coming weeks. The current release of LibreOffice is 6.4.3, which will be considered ready for enterprise deployment by the next point release, which should be out by the end of the month.
Until then, you can get either version now from the official LibreOffice web site. Binaries are provided for DEB- and RPM-based distros, or you can install the latest release from the stable software repositories of your Linux distribution.
Sent to us by: Roy W. Nash
Users of a widely used firewall from Sophos have been under a zero-day attack that was designed to steal usernames, cryptographically protected passwords, and other sensitive data.
The well-researched and developed attack exploited a SQL injection flaw in fully patched versions of the Sophos XG Firewall. With that toehold in systems, it downloaded and installed a series of scripts that ultimately executed code intended to make off with users’ real names, usernames, the cryptographically hashed form of the passwords, and the salted SHA256 hash of the administrator account’s password. Sophos has delivered a hotfix that mitigates the vulnerability.
Other data targeted by the attack included IP address allocation permissions for firewall users, system information such as running OS and version, uptime and network configuration, as well as the ARP tables used to map IP addresses to device MAC addresses.
Sophos researchers wrote in Sunday’s disclosure, "This malware’s primary task appeared to be data theft, which it could perform by retrieving the contents of various database tables stored in the firewall, as well as by running some operating system commands."
The exploits also downloaded the malware from domains that appeared to be legitimate. To evade detection, some of the malware deleted underlying files that executed it and ran solely in memory. The malicious code uses a creative and roundabout method to ensure it’s executed each time firewalls are started. Those characteristics strongly suggest that the threat actors spent weeks or months laying the groundwork for the attacks.
The data the malware was designed to exfiltrate suggests the attack was designed to give attackers the means to further penetrate the organizations that used the firewall through phishing attacks and unauthorized access to user accounts.
The zero-day vulnerability that made the attacks possible was a pre-authentication SQL injection flaw found in the custom operating system that runs the firewall. Sophos provided no additional details about the vulnerability.
Users of vulnerable firewalls should ensure the hotfix is installed as soon as possible and then examine their systems for the signs of compromise published on the Sophos news site. As the fix is part of the automatic update ecosystem, ensure your firewall has automatic updates enabled to receive the fix.
Sent to us by: Roy W. Nash
A new lightweight virtual reality device has been created that would allow users to touch objects at shops and museums without ever having to go there in the flesh.
The limits of virtual reality have been stretched in the last five years. The technology has become the medium of choice for game developers, artists and actors alike, seeing a real boom in projects that bring us alternate realities during enforced social isolation. Through immersive audio and visual landscapes, the ability to visit mind-blowing locations, real or not, is on the brink of becoming an affordable option for many.
Nowadays, what you see and hear in virtual reality is not so dissimilar from actually visiting these places. However, up until now, the experiences did not give us the ability to physically interact with surrounding environments.
Chris Harrison, assistant professor at Carnegie Mellon University's Human-Computer Interaction Institute, says, "Elements such as walls, furniture and virtual characters are key to building immersive virtual worlds, and yet contemporary VR systems do little more than vibrate hand controllers."
A team at the Pennsylvania University have created a new device that uses ‘haptic feedback’, a technology which simulates the sensation of touch to make the virtual experience seem more real.
Where other devices might use a series of expensive, power-hungry motors to give the sensation of touch, their design uses a simpler mechanical solution. From a shoulder-mounted system, a string is attached to each finger, giving resistance based on what the user should be feeling. A spring-loaded mechanism is combined with an electric latch that stops the hand from moving further as it makes contact with heavy objects in the virtual world.
Cathy Fang, co-author of the study, says, "I think the experience creates surprises, such as when you interact with a railing and can wrap your fingers around it."
Fang said the system would be suitable for VR games and experiences that involve interacting with physical obstacles and objects, such as a maze. It might also be used for visits to virtual museums. And, in a time when physically visiting retail stores is not always possible, she says, "you might also use it to shop in a furniture store."
While their research shows this method provides a much more realistic sense of touch, the team says that a mass-produced version, when ready, could be available to the public for less than $50.
Sent to us by: Robbie Ferguson
Google has released the code for their internally developed artificial intelligence, Tapas. It can take a natural language question such as “What’s the name of the latest iPhone?” and fetch the answer from a relational database or spreadsheet, and it's now open source.
The search giant’s researchers detailed the AI on Thursday. Tapas is based on BERT, a natural-language processing technique Google uses in its search engine.
A sizable portion of the world’s information is relational, that is to say organized into rows and columns. Navigating these rows and columns historically required either manually sifting through a spreadsheet or writing SQL queries. Natural-language processing makes the task considerably easier for users, which is why the technology has been extensively adopted by Google and other players in the analytics market.
The search giant says that Tapas beats or matches the three top open-source algorithms for parsing relational data. They trained the AI on 6.2 million tables from the English version of Wikipedia and then set it to work on a trio of academic datasets. Benchmark tests then showed that the neural network provides accurate answers comparable to those of the rival algorithms across all three datasets.
The type of language processing Google has implemented into Tapas allows the AI to consider not only the question posed by users and the data they wish to query, but also the structure of the relational tables in which the data is stored.
Tapas can go beyond just fetching data and also perform basic calculations. For example, if a business user evaluating sales data asks for the average revenue across their company’s three most popular products, the AI would reply with the calculated answer, not just the dataset.
Tapas is available now on the google-research GitHub repository.
Sent to us by: Robbie Ferguson