Congress chews up Zuckerberg, day two: A far more thorough mastication

By Lisa Vaas

After Tuesday’s nearly five-hour grilling in the Senate – more of a light sautéing, really – Facebook CEO Mark Zuckerberg on Wednesday gave Congress another five hours of his life: this time, before the House Energy and Commerce Committee.

Representatives’ questions again hit on Tuesday’s themes: data privacy and the Cambridge Analytica (CA) data-scraping fiasco, election security, Facebook’s role in society, censorship of conservative voices, regulation, Facebook’s impenetrable privacy policy, racial discrimination in housing ads, and what the heck Facebook is: a media company (it pays for content creation)? A financial institution (think about people paying each other with Facebook’s Venmo)?

Zuck’s take on what Facebook has evolved into: “I consider Facebook a technology company. The main thing we do is write code. We do pay to help produce content. We also build planes to help connect people, but I don’t consider ourselves to be an aerospace company.” (Think of Facebook’s flying ISPs.)

When he hears people ask whether Facebook is a media company, the CEO said that what he really hears is whether the company has, or should have, responsibility over published content – be it fake news meant to sway elections, hate speech, or Russian bots doing bot badness.

His answer has evolved: for years, he’s been pushing back against fears about fake news on Facebook. The company just builds the tools and then steps back, he’s repeatedly said, insisting that platform doesn’t bear any of the responsibilities of a publisher for verifying information.

Read more at https://nakedsecurity.sophos.com/2018/04/12/congress-chews-up-zuckerberg-day-two-a-far-more-thorough-mastication/

Update now! Microsoft April Patch Tuesday – 65 vulnerabilities, 24 critical

By John E Dunn

With the Windows 10 1803 Spring Creators Update delayed at the eleventh hour for unknown reasons, admins and end users still have plenty of work on their hands with April’s Patch Tuesday.

The big picture is 65 security fixes assigned CVE numbers, 23 of which (plus a separate Adobe Flash flaw) are rated critical, with no true zero-days among them.

An urgent 66^th CVE on the list should already have been fixed a week ago through an emergency patch that Microsoft issued for a critical vulnerability (CVE-2018-0986) in the Microsoft Malware Protection Engine (MMPE).

Affecting Security Essentials, Intune Endpoint Protection, Windows Defender, Exchange Server 2013/2016, and Forefront Endpoint Protection 2010, this patch should have been applied automatically via MMPE itself.

A breakdown of the remaining 22 critical flaws shows:

• Seven memory corruption vulnerabilities in the Chakra Scripting Engine (Edge’s JavaScript interpreter).
• Five remote code execution (RCE) flaws in Microsoft Graphics’ Windows font library.
• Four affecting Internet Explorer
• Four affecting the scripting engine also used by Internet Explorer.
• One affecting Windows 10’s Edge browser.
• One RCE in the Windows VBScript engine.

Read more at https://nakedsecurity.sophos.com/2018/04/12/update-now-microsoft-april-patch-tuesday/

3 critical Flash vulnerabilities patched. Update now!

By Mark Stockley

In news that can surely only be a surprise to people who’ve learned to use a computer since the middle of March 2018, or who’ve been trapped in their own fridge for the last decade… last Tuesday was Patch Tuesday, there’s a Critical Flash vulnerability and, if you’re still using Flash, it’s time to reexamine your attitude to risk and reward (and while you’re doing that, update to the latest version).

Did I say a critical vulnerability? I meant three.

Adobe Bulletin APSB18-08 lists six security issues fixed in the latest release, version 29.0.0.140, three RCE (Remote Code Execution) vulnerabilities rated critical and three information disclosure vulnerabilities rated Important.

Updates for all platforms have been given a priority of 2, which means that to Adobe’s knowledge there are currently no known exploits and none are expected imminently.

Flash plug-ins for Google Chrome on all platforms, or for Microsoft Edge and Internet Explorer 11 on Windows 10 and 8.1, will update themselves automatically.

Everyone else should download the latest version:

Adobe recommends users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player 29.0.0.140 via the update mechanism within the product [1] or by visiting the Adobe Flash Player Download Center.

The good news is that, in this case, Adobe and the independent researchers who found the holes in its product are one step ahead of the bad guys this month (provided you install the update).

The bad news is that the rate at which critical, remotely exploitable flaws are found – in a product that barely changes – shows no signs of slowing, even after all these years.

So, if you find yourself downloading the latest version, ask yourself what you’re planning to use it for and whether you really need it.

Why? Because cybercriminals love that you run Flash.

Read more at https://nakedsecurity.sophos.com/2018/04/11/3-critical-flash-vulnerabilities-patched-update-now/