A critical code execution vulnerability has been identified in the LIVE555
Streaming Media RTSP server library, which is used by VLC and other media
players. The vulnerability was discovered by Lilith Wyatt, a security
researcher at Cisco Talos Intelligence Group.
The vulnerability exists in the HTTP packet-parsing functionality of the
LIVE555 RTSP server library. An attacker who can reach the server can send
a crafted packet that triggers a stack-based buffer overflow, resulting in
code execution.
“A specially crafted packet can cause a stack-based buffer overflow,
resulting in code execution. An attacker can send a packet to trigger
this vulnerability,” Wyatt explained in her blog post.
LIVE555 Streaming Media is a set of open-source C++ libraries developed by
Live Networks Inc. for multimedia streaming. The libraries implement the
RTP/RTCP, RTSP and SIP protocols for both clients and servers, and can
handle video formats such as MPEG, H.265, H.264, H.263+, VP8, DV and JPEG,
and audio formats such as MPEG, AAC, AMR, AC-3 and Vorbis.
“The vulnerability resides in the function that parses HTTP headers for
tunnelling RTSP over HTTP. An attacker may create a packet containing
multiple ‘Accept:’ or ‘x-sessioncookie’ strings which could cause a
stack buffer overflow in the function ‘lookForHeader,’” reads the Talos
vulnerability report.
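To make the bug class concrete, here is an added illustration in C. It is not LIVE555's lookForHeader and does not reproduce its exact logic; it models a header parser that copies every matching header value into a fixed-size stack buffer (RESULT_MAX, an assumed size), first without a bound check and then with one. The assumption that values of repeated headers are appended to the same buffer is one plausible way multiple “Accept:” or “x-sessioncookie” lines can exceed it, not a statement about the LIVE555 code. The sample requests are constructed for the demonstration, and the unchecked variant is run against a deliberately oversized buffer so the demo itself stays memory-safe.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Illustrative model of the bug class only: NOT LIVE555's lookForHeader.
   RESULT_MAX is an assumed size for the fixed result buffer. */
#define RESULT_MAX 64

/* Constructed sample requests (not captured traffic). */
static const char BENIGN_REQ[] =
    "GET /stream HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "x-sessioncookie: abc123\r\n"
    "\r\n";

/* Three x-sessioncookie headers of 32 bytes each: 96 bytes of value in total. */
static const char MALICIOUS_REQ[] =
    "GET /stream HTTP/1.1\r\n"
    "x-sessioncookie: " "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "\r\n"
    "x-sessioncookie: " "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "\r\n"
    "x-sessioncookie: " "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "AAAAAAAA" "\r\n"
    "\r\n";

/* Length of a header value: from v up to CR, LF or end of string. */
static size_t value_len(const char *v) {
    size_t n = 0;
    while (v[n] && v[n] != '\r' && v[n] != '\n') n++;
    return n;
}

/* If `line` begins with "<name>:" (case-insensitive), return a pointer to the
   value with leading blanks skipped; otherwise NULL. */
static const char *header_value(const char *line, const char *name) {
    size_t i;
    for (i = 0; name[i]; i++) {
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return NULL;
    }
    if (line[i] != ':') return NULL;
    i++;
    while (line[i] == ' ' || line[i] == '\t') i++;
    return line + i;
}

/* Start of the next line, or NULL at the end of the request. */
static const char *next_line(const char *line) {
    const char *nl = strchr(line, '\n');
    return (nl && nl[1]) ? nl + 1 : NULL;
}

/* Vulnerable pattern: the caller hands over a fixed-size buffer, but this
   function never learns or checks its size. Every occurrence of the header is
   appended, so enough repeated "x-sessioncookie:" lines write past the end of
   a RESULT_MAX-byte stack buffer. Returns the number of bytes written. */
size_t collect_header_unchecked(const char *req, const char *name, char *out) {
    size_t used = 0;
    for (const char *line = req; line; line = next_line(line)) {
        const char *v = header_value(line, name);
        if (v == NULL) continue;
        size_t n = value_len(v);
        memcpy(out + used, v, n);   /* BUG: no bound on used + n */
        used += n;
    }
    out[used] = '\0';
    return used;
}

/* Hardened form: the buffer size travels with the buffer, and a request whose
   accumulated value would not fit (with its terminator) is rejected outright
   rather than silently truncated. Returns bytes stored, or -1 on rejection. */
long collect_header_checked(const char *req, const char *name,
                            char *out, size_t out_size) {
    size_t used = 0;
    if (out_size == 0) return -1;
    for (const char *line = req; line; line = next_line(line)) {
        const char *v = header_value(line, name);
        if (v == NULL) continue;
        size_t n = value_len(v);
        if (n > out_size - 1 - used) return -1;   /* would overflow: reject */
        memcpy(out + used, v, n);
        used += n;
    }
    out[used] = '\0';
    return (long)used;
}

int main(void) {
    char big[512];              /* oversized on purpose so the demo stays memory-safe */
    char fixed[RESULT_MAX];
    size_t n = collect_header_unchecked(MALICIOUS_REQ, "x-sessioncookie", big);
    printf("unchecked: %zu bytes written; a %d-byte stack buffer would overflow by %zu\n",
           n, RESULT_MAX, n + 1 > RESULT_MAX ? n + 1 - RESULT_MAX : 0);
    long m = collect_header_checked(MALICIOUS_REQ, "x-sessioncookie", fixed, sizeof fixed);
    printf("checked:   %ld (-1 = rejected before any overflow)\n", m);
    m = collect_header_checked(BENIGN_REQ, "Accept", fixed, sizeof fixed);
    printf("checked:   %ld bytes, value \"%s\"\n", m, fixed);
    return 0;
}
```

The point of the hardened variant is that the size check happens before each copy and failure is a rejection, not a truncation: a tunnelling endpoint that quietly cuts a session cookie short can still end up matching the wrong session, so refusing the request is the safer outcome.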
The flaw, tracked as CVE-2018-4013, potentially affects millions of users:
the LIVE555 media libraries are used by popular media players such as VLC
and MPlayer and by a multitude of embedded devices such as cameras.
An update has already been issued to address the vulnerability. Anyone
running software that bundles LIVE555, whether a media player or an
embedded device, should make sure it is updated to a fixed version. Because
LIVE555 is typically compiled into the application rather than installed as
a separate system library, check which LIVE555 version the vendor's build
includes rather than relying on the application's own version number alone.
Talos found the vulnerability in Live Networks LIVE555 Media Server version
0.92, and earlier versions are also affected. It is tracked as
CVE-2018-4013.
This, however, is not the first time a popular media player like VLC has
made headlines for the wrong reasons. Previously, a security researcher
identified critical security flaws in VLC 2.0.5 and earlier versions that
could have been exploited by attackers to execute malicious code on
computers via ASF files.