Linux faces a problem with shims. The obvious question is What is a shim? And Why do we need it? The answer lies in making Linux compatible with Secure Boot, which was an unintended consequence of the GPLv3. Secure Boot is the authentication mechanism on modern systems that ensures only a trusted OS can boot. When Secure Boot was initially introduced, there were concerns that it aimed to ban Linux distros from consumer machines. However, Microsoft has officially recognized the Linux Shim, enabling users to run Linux distros on Secure Boot systems. The shim acts as the default bootloader, capable of booting GRUB2 or another target. While it may be puzzling why Microsoft can’t sign GRUB2 directly, it is due to the “anti-tivoization” section in the GPLv3 license, which requires “Installation Information” as part of GPLv3 compliance. Thus, Microsoft’s legal team understands these requirements and refrains from signing any GPLv3 code, leading to the use of a shim instead. The broken aspect of the shim lies in the risk of buffer overflows in HTTP file transfer code, which can be exploited by a malicious HTTP server to corrupt the code. Despite this vulnerability, it only poses a risk when using HTTP boot and connecting to a malicious server or experiencing a man-in-the-middle attack. Furthermore, Red Hat’s vulnerability document suggests that exploiting this issue is highly difficult and is only feasible from a nearby network. The vulnerabilities were addressed in shim 15.8.
LastPass Banned from App Store
LastPass developers discovered a counterfeit LassPass app on the Apple App Store, highlighting the prevalence of typosquatting not only in public Open Source software repositories but also in software stores.
Three Million Toothbrushes
Reports surfaced claiming that three million smart toothbrushes were compromised and used to launch a Distributed Denial of Service (DDoS) attack on a Swiss website. However, this story lacks specific details such as the brand of the toothbrush, the targeted company, or the type of botnet or malware involved. Smart toothbrushes are known to exist, though their extensive Internet presence seems unusual. To compromise these devices, they would need Wi-Fi connectivity as part of the setup. While this scenario is hypothetical, it illustrates the potential for toothbrush malware based on previous Fortinet research. However, Fortinet clarified that the story was stretched to the point of blurring fiction and reality, and that the brush attack was used as an example during an interview but was not based on their research. The original site, Aargauer Zeitung, maintained that Fortinet had initially described the brush attack as real and costly to the victim before changing their story in response to Fortinet’s announcement.
Takeaways
This incident sheds light on how news sites can make mistakes, emphasizing the importance of checking original sources to validate peculiar stories. In this case, it appears that a Fortinet employee misread an internal report, thinking it described a real event. It also illustrates the challenges security researchers face with honey pots and the difficulty in tracking the number of available, insecure devices on the Internet. Furthermore, some heat pumps have an undocumented SSH access feature with a known password, posing potential security risks. Additionally, an attack on Mastodon was revealed, prompting the release of an update.
In conclusion, it is essential to critically assess and verify security-related news to differentiate between factual and speculative information.
