Skip to main content

Apple's New MacBook Disconnects Microphone "Physically" When Lid is Closed

Posted by on
 October 31, 2018  Mohit Kumar Apple introduces a new privacy feature for all new MacBooks that "at some extent" will prevent hackers and malicious applications from eavesdropping on your conversations. Apple's custom T2 security chip in the latest MacBooks includes a new hardware feature that physically disconnects the MacBook's built-in microphone whenever the user closes the lid, the company revealed yesterday at its event at the Brooklyn Academy of Music in New York. Though the new T2 chip is already present in the 2018 MacBook Pro models launched earlier this year, this new feature got unveiled when Apple launched the new Retina MacBook Air and published a full security guide for T2 Chip yesterday. "This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed,...

Posted by on


GOOGLE PATCHES ‘HIGH SEVERITY’ BROWSER BUG

by 
UPDATE Google is urging users to update their Chrome desktop browsers to avoid security issues related to a high-severity stack-based buffer overflow vulnerability. Google issued the alert Thursday and said an update for most browsers has been released.
“The stable channel has been updated to 62.0.3202.75 for Windows, Mac and Linux which will roll out over the coming days/weeks,” wrote Abdul Syed, a Google Chrome engineer, in a security bulletin to Google’s Chrome Release blog.


The bug is tied to the browser’s Chrome V8 open-source JavaScript engine used on Windows 7 and later, macOS 10.5 and later and Linux systems that use processors Intel Architecture 32-bit (i386), ARM or MIPS, according to Google.
Google is not releasing any details surrounding this stack buffer overflow vulnerability (CVE-2017-15396) stating, “access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain (disclosure) restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”  Chrome V8 is written in C++ and in Node.js and can be embedded into any C++ applications or can run standalone, according to Google.
This type of bug typically allows attackers to execute arbitrary code within the context of a targeted application. A failed exploit attempt causes a denial-of-service condition, according to an OWASP Foundation description of the vulnerability.
According to an analysis of the vulnerability by researchers at Risk Based Security, the flaw is in the International Components for Unicode for C/C++, which is a library used by V8. “Ultimately, while it does affected V8 and Chrome, the flawed code is not Google’s,” according to Risk Based Security. The vulnerability, a “NUL-terminated buffer handling buffer overflow, was made public Oct. 11, according to the firm.
The bug was reported by researcher Yu Zhou, of Ant-Financial Light-Year Security Lab on Sept. 30. He was awarded $3,000 for the discovery through Google’s bug bounty program.
In December of 2016, Google also addressed high-severity vulnerabilities in Chrome’s V8 JavaScript engine. One of the flaws is described as a “private property access in V8” vulnerability. The other V8 issue is a use after free vulnerability in V8.
The United States Computer Emergency Readiness Team issued an alert for the buffer overflow vulnerability on Friday.
On Thursday Google also released an update for Chrome for Android (62.0.3202.73) that fixes a memory leak bug and a “major crash issue,” according the advisory.
Google had previously updated the desktop Chrome 62 browser on Oct. 17. That update (62.0.3202.62) included 35 security updates, eight rated high severity and seven ranked medium. The largest bug bounty payout was $8,837 for a UXSS with HHTML vulnerability (CVE-2017-5124) and paid to an anonymous researcher. The flaw, according to a Red Hat description, is “found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information when visited by the victim.”
(Article was updated with additional analysis by Risk Based Security on Oct. 27 at 5:30 pm ET)
#ref-menu