July 1, 2020

Microsoft issues critical fixes for booby-trapped images – update now!

By Paul Ducklin

Microsoft has just released emergency patches for two critical security holes in the Windows Codecs Library.

We all know what Windows means.

But what is a Codecs Library, and why are bugs in it such a big deal that they need to be updated without waiting for the next Patch Tuesday to come round?

Well, codec is short for encoder-decoder, and it’s the jargon term for the sort of software that takes data of some sort – notably the raw data that represents the pixels in a video or the sound in an audio file – and reworks it so it can be sent and received easily.

The co- part of a codec takes something like a raw image, consisting of rows and rows of color pixels, and wraps it up in a format such as JPG or PNG so it can be saved into a file for downloading or streaming.

The -dec part does the reverse at the other end, reading in the file, decompressing it (most images and videos are compressed for transmission because this saves an enormous amount of bandwidth) and getting it back into its raw form so it can be displayed.

Read more at https://nakedsecurity.sophos.com/2020/07/01/microsoft-issues-critical-fixes-for-booby-trapped-images-update-now/

Firefox 78 is out – with a mysteriously empty list of security fixes

By Paul Ducklin

Yesterday was both a Tuesday and four weeks since the last major Firefox update, making it the official release date for the latest version.

There are now three mainstream flavors of Firefox to choose from: 68.10ESR, 78.10ESR and 78.0.

ESR is short for Extended Support Release, often preferred by IT departments because it gets security fixes at the same rate as the regular version, but only takes on new features in a staggered fashion – in other words, users of the ESR versions are shielded from sudden switches in appearance, user interface and workflow.

This time you can choose from 68.10ESR (the numbers to the left and right of the dot add up to the current major version number, in this case 78), which is Firefox with the look-and-feel of about a year ago plus 10 updates’ worth of security fixes, or 78.0ESR, which is largely the same as the regular version, as the numbers reveal.

Every time the ESR version “catches up” with the regular version’s features, Mozilla releases old-style and the new-style ESR versions in parallel so there’s always an overlap period in which to try out both before switching over.

The new Firefox 78.0 does have some visible changes, notably the addition of a special web page called the Protections Dashboard, accessible by putting about:protections in the address bar.

This gives you a summary of any trackers blocked recently, a button to entice you to sign up for Firefox’s breach alerts, and a link to the Firefox password manager.

Read more at https://nakedsecurity.sophos.com/2020/07/01/firefox-78-is-out-with-a-mysteriously-empty-list-of-security-fixes/

iOS 14 flags TikTok, 53 other apps spying on iPhone clipboards

By Lisa Vaas

In March, researchers Talal Haj Bakry and Tommy Mysk revealed that Android and iOS apps – including the mind-bogglingly popular, China-owned, video-sharing/often in privacy hot water TikTok – could silently, automatically read anything you copy into your mobile device’s clipboard.

Sexy selfies? Passwords copied from your password manager? Bank account information? Bitcoin addresses? Yes, yes, scary yes, yes. Anything you’ve copied recently, they’ll paste it into themselves. Such data is typically used for advertising and tracking purposes.

The covert content copying is possible not only for a device’s local data, but also on nearby devices, as long as the devices share the same Apple ID and are within about 10 feet of each other. That’s enabled by Apple’s universal clipboard: a clipboard that enables content to be copied on one device and then pasted into an app running on a separate device.

It’s “very, very dangerous,” Mysk told Ars Technica on Friday, after the discovery had bubbled to the surface yet again. The findings hit the headlines anew as Apple released the developer beta of iOS 14 – a release that flags this behavior.

Mysk said that the ability for apps to read content off of nearby devices means that an app on an iPhone could possibly read sensitive data on the clipboards of other connected iOS devices, be they cryptocurrency addresses, passwords, or email messages, even if the iOS apps are running on a separate device.

The iOS 14 developer beta release – which you can download and install now to get an eyeful of this behavior – comes with a feature that’s custom-tailored to spotlight this kind of thing: namely, a banner warning that pops up every time an app reads clipboard contents.

Read more at https://nakedsecurity.sophos.com/2020/06/30/ios-14-flags-tiktok-53-other-apps-spying-on-iphone-clipboards/

