Category Archives: patches

Serious privilege escalation bug in Unix OSes imperils servers everywhere

Enlarge (credit: Victorgrigas)

A raft of Unix-based operating systems—including Linux, OpenBSD, and FreeBSD—contain flaws that let attackers elevate low-level access on a vulnerable computer to unfettered root. Security experts are advising administrators to install patches or take other protective actions as soon as possible.

Stack Clash, as the vulnerability is being called, is most likely to be chained to other vulnerabilities to make them more effectively execute malicious code, researchers from Qualys, the security firm that discovered the bugs, said in a blog post published Monday. Such local privilege escalation vulnerabilities can also pose a serious threat to server host providers because one customer can exploit the flaw to gain control over other customer processes running on the same server. Qualys said it's also possible that Stack Clash could be exploited in a way that allows it to remotely execute code directly.

"This is a fairly straightforward way to get root after you've already gotten some sort of user-level access," Jimmy Graham, director of product management at Qualys, told Ars. The attack works by causing a region of computer memory known as the stack to collide into separate memory regions that store unrelated code or data. "The concept isn't new, but this specific exploit is definitely new."

Read 5 remaining paragraphs | Comments

WCry is so mean Microsoft issues patch for 3 unsupported Windows versions

Enlarge (credit: Health Service Journal)

A day after a ransomware worm infected 75,000 machines in 100 countries, Microsoft is taking the highly unusual step of issuing patches that immunize Windows XP, 8, and Server 2003, operating systems the company stopped supporting as many as three years ago.

The company also rolled out a signature that allows its Windows Defender antivirus engine to provide "defese-in-depth" protection. The moves came after attackers on Friday used a recently leaked attack tool developed by the National Security Agency to virally spread ransomware known as WCry. Within hours, computer systems around the world were crippled, prompting hospitals to turn away patients and telecoms, banks and companies such as FedEx to turn off computers for the weekend.

The chaos surprised many security watchers because Microsoft issued an update in March that patched the underlying vulnerability in Windows 7 and most other supported versions of Windows. (Windows 10 was never vulnerable.) Friday's events made it clear that enough unpatched systems exist to cause significant outbreaks that could happen again in the coming days or months. In a blog post published late Friday night, Microsoft officials wrote:

Read 9 remaining paragraphs | Comments

A major Nintendo policy change has saved at least one Switch game

Enlarge / There. All better, Nintendo Switch. (credit: Sam Machkovech)

With the Nintendo Switch's newness starting to fade, interest in the new console has begun to shift toward its upcoming wave of "bigger" games. These include a gussied-up Mario Kart 8, the brand-new fighting series Arms, and a new Splatoon game that is finally looking more like a sequel than a last-gen port. But something interesting is quietly bubbling within the world of Switch games—though, sadly, I don't mean Nintendo's catalog of classic Virtual Console games.

What's bubbling up is just about as good, however: frequently updated games. And in one case, those updates have transformed at least one major Switch game from "maybe try" to "must buy."

Patchwork

Nintendo spoke at length at a late-February event about how its Nintendo Switch platform will make certain development tasks easier for game makers. The participating "Nindies" game makers on hand echoed that statement. At the time, they mostly spoke about the ease of translating games from other platforms, whether through a major engine like Unity and Unreal or through their own custom-built engines.

Read 18 remaining paragraphs | Comments