Tag: patch

Intel’s patch release creates more problems for customers

Some punters who rushed to install an Intel patch to address massive CPU security flaws are probably regretting it, as there are reports of the patch causing reboot problems for some of the firm's customers.

The patch causes systems to reboot more often than normal, particularly if you are running older Broadwell and Haswell CPUs.

According to the Wall Street Journal, the firm is advising some of its customers to hold off installing patches for the processor security flaw, which was revealed at the beginning of the month.

General manager of Intel’s data centre group Navin Shenoy said in a statement: “We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with datacentre customers to discuss the issue. End users should continue to apply updates recommended by their system and operating system providers.”

For those who came in late, Intel’s processors contain security flaws, later named Meltdown and Spectre.

Even if you don’t experience crashes, the security fixes are likely to cause significant slowdowns and a decrease in system performance, according to Microsoft.

Help! My Mini needs a patch

As a sign of a 21st century problem, car maker BMW has rolled out a patch for a security flaw that could have allowed hackers to open the doors of some 2.2 million vehicles.

The problem affects BMW, Mini and Rolls Royce models that come equipped with ConnectedDrive – a technology that allows car owners to access internet, navigation and other services via a SIM card installed directly into vehicles.

Security experts were able to create a fake mobile phone base station to intercept network traffic from the car, and use that information to send commands to the car telling it to lower windows or open the doors.

Other boffins working for German automobile association ADAC discovered the security vulnerabilities and the potential for vehicles to be broken into last summer, but kept quiet about them until now to give BMW a chance to produce a fix.

Hackers would only need a few minutes to open a car from outside, without leaving any physical trace of unauthorised entry – which is a lot better than a brick through the window or a bent coat hanger.

BMW issued a statement to the press congratulating itself on its rapid response and saying it is “increasing the security of data transmission in its vehicles” in response to what it describes as the “potential security gap” in ConnectedDrive.

The vulnerability revolved around the insecure transmission of data, as the patch rolled out by BMW appears to have enabled HTTPS. Since HTTPS is the minimal sort of security you would expect from an online transaction, you would have thought that BMW would have thought to install it.

The fact that BMW still took half a year to work out a fix and roll it out indicates that it has not really thought this whole security thing through yet.

Still, it is likely that we will see a lot more of these sorts of patches being rolled out for cars. In the old days you could open a Mini with a fork.


Oracle pushes out huge security update

Database outfit Oracle has pushed out a record number of patches in a security update.

Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.

All up, this means that the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication, meaning they can possibly be exploited over a network without the need for a username and password.

The worst of the bugs are in Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities.

Writing in the company blog, Oracle said that out of these 19 Java vulnerabilities, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.

The blog says that the lower number of Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.

While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.

In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.

The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.

There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.