RSBN Trump Rally T Minus 7 & Another 3-Fer

We’re heading into the home stretch, and it’s going to be pretty dense with “Peaceful Protest” rallies. 2 or 3 a day. Over 14 and up to 21. So here’s the three for Monday and then the 3 that are already up for Tuesday.

“Rally in Allentown, Pennsylvania on Monday, October 26th, 2020 at 11:00 AM EDT.” That’s going to be 8 AM Pacific for me. (Groan! Early coffee it is, then ;-O )

“Rallies in Lititz, Pennsylvania on Monday, October 26th, 2020 at 1:30 PM EDT,” Or about 10:30 AM Pacific.

“Martinsburg, Pennsylvania on Monday, October 26th, 2020 at 4:30 PM EDT,” Or 1:30 PM Pacific.

Then Tomorrow:

Lansing, Michigan on Tuesday, October 27th, 2020 at 2:00 PM EDT, West Salem, Wisconsin on Tuesday, October 27th, 2020 at 4:00 PM CDT, and Omaha, Nebraska on Tuesday, October 27th, 2020 at 7:30 PM CDT.

Live Stream already available (for a long wait ;-)

Lansing Michigan 11:00 AM Pacific:

West Salem, Wisconsin 2:00 PM Pacific:

Omaha, Nebraska 5:30 PM Pacific:


Chrome / Brave / Vivaldi Zero Day Attack

I’m a few days after the actual Zero Day announcement, but it’s still early enough to matter.

Chrome has an exploitable bug in it. A patch does exist, but until you apply it / upgrade your browser, you are exposed.

Realize this is NOT just in Chrome. As Chromium (the open source version) is the base for several other browsers, they too are exposed. This includes Brave and Vivaldi browsers AND Edge from Microsoft. In total, about 1 BILLION devices are exposed.

It is a relatively “meat and potatoes” buffer overflow exploit that can lead to running arbitrary code and then privilege escalation. Essentially, you can take over the whole system. Note that more recent Linux kernels have protection against such privilege escalation so the biggest risk is Microsoft Edge on their OS or Chromium on older Linux kernels.

That said, if you practice reasonable habits of paranoia, like running load / process monitors that you look at often, and shutting down quickly if something strange happens (like sudden sluggishness or software acting broken) you can interrupt such attacks before they are fully engaged.

For me, I’m shifting my primary use to Firefox until I’ve got things on patched versions.

https://threatit.com/articles/zero-day-alert-for-chrome-patch-now/

Google’s own Chrome browser has just been patched for a brand new – obviously – zero-day vulnerability in the software’s FreeType font rendering library.

The bug was reportedly already exploited in the wild

According to Sergei Glazunov of Google Project Zero the bug is a type of memory-corruption flaw called a heap buffer overflow in FreeType.

Glazunov informed Google of the vulnerability Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.

Fortunately for all Chrome users, Google has already released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux.

Among them is the fix for the zero-day that Glazunov discovered (classified as CVE-2020-15999).

As Google themselves acknowledged, in the blog post regarding the update, they are fully aware that the exploit exists and are urging everybody to update as soon as possible.

On the subject, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it’s possible that other implementations of FreeType might be vulnerable as well since Google was so quick in its response to the bug.

Note that even non-browser applications can be using FreeType. The attack vector choices are huge. I’m not real keen on how many bugs have been shown to be exploits in Chrome lately, especially given how many folks base their browsers on it.

Other than CVE-2020-15999, Google patched four other bugs, as you can read below (with the bug hunters’ payout included):

[$500][1125337] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
[$TBD][1135018] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
[$TBD][1137630] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2020-10-13
[$3000][1134960] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04

Considering the last few months, this is the third zero-day that has been patched by Google in its Chrome browser.

Prior to this week’s FreeType disclosure, the first was a critical remote code execution vulnerability (CVE-2019-13720), and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was fixed in February of this year.

The other good hygiene thing I do is not visiting dodgy web sites (and using different systems for different tasks so if I did get attacked, they would find, for example, a Raspberry Pi with nothing but Linux downloads, or an Odroid XU3 with a lot of temperature data on it.) Segmenting your work across different systems works. Made much easier by effective desktop SBCs that cost under $60 and where you can swap system images for the cost of a uSD card (about $8).

To see if your favorite Web Browser is likely to be at risk, look for “Blink” in the “Layout Engine” column of this list:

https://en.wikipedia.org/wiki/Comparison_of_web_browsers

FWIW, I don’t know the degree to which this exploit is limited to particular architectures of CPUs. That is, I don’t know if Intel vs ARM vs PPC vs “whatever” matters.
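
To check whether a Chrome or Chromium install is at or past the fixed build named in the quoted article (86.0.4240.111), here is an added example that is not from the article or from Google. The binary names are assumptions that vary by distro, and the comparison applies only to Chrome and Chromium themselves, since other Chromium-based browsers use their own version numbering.

```shell
#!/bin/sh
# Added example: compare a Chrome/Chromium version string with the fixed build
# quoted in the article. Binary names below are assumptions, not from the page.

FIXED_VERSION="86.0.4240.111"   # stable-channel build carrying the CVE-2020-15999 fix

# Pull the first four-part dotted version out of text such as
# "Google Chrome 86.0.4240.75" or "Chromium 86.0.4240.111 snap".
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing each dotted field as a number.
# A plain string compare would wrongly rank 86.0.4240.75 above 86.0.4240.111.
version_ge() {
    a=$1; b=$2
    for i in 1 2 3 4; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        # Drop the field just compared; pad with 0 when a version runs out.
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 0
}

# Print "patched", "vulnerable" or "unknown" for one line of --version output.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo unknown; return 0; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo patched; else echo vulnerable; fi
}

# Report on whichever of these binaries is on PATH.
check_installed() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        command -v "$bin" >/dev/null 2>&1 || continue
        printf '%s: %s\n' "$bin" "$(classify "$("$bin" --version 2>/dev/null)")"
    done
}

check_installed
```

A browser that has downloaded the update but has not been restarted is still running the old code, so restart it after updating.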


RSBN Trump Rally 3-Fer Today!

Early today we’ve already got the pre-show happening in Lumberton, North Carolina. Trump is supposed to arrive about noon Eastern ( 9 AM Pacific ) but the coverage has already started.

Donald J. Trump for President, Inc. announced that President Donald J. Trump will deliver remarks on fighting for the forgotten men and women in Lumberton, North Carolina on Saturday, October 24th, 2020 at 12:30 PM EDT. President Donald J. Trump will also deliver remarks at Make America Great Again Victory Rallies in Circleville, Ohio on Saturday, October 24th, 2020 at 4:00 PM EDT, Waukesha, Wisconsin on Saturday, October 24th, 2020 at 7:00 PM CDT, and Manchester, New Hampshire on Sunday, October 25th, 2020 at 1:00 PM EDT. These events will feature remarks from President Donald J. Trump and Republican candidates.

Then they go to Circleville Ohio at 4 PM Eastern

And Waukesha, Wisconsin at 7 PM Central (8 Eastern, 5 Pacific)


Friends Of Australia Friday T-bone Chops & Shiraz Cabernet

It’s once again an Australia Time Friday! It’s FRIDAY!!!!

Tonight we’re having T-bone lamb chops. Yeah, those little expensive ones.  Again.  Cut thick, I put them in a cast iron skillet in the oven for about 40 to 45 minutes on 350 F. Yes, I like them cooked through. Those liking red in the middle, use a lot less time :-)

The side vegetable tonight is a sweet potato baked at the same time.  Then buttered on the plate.  Also we’ll have some green beans too.

The wine tonight is the Little Penguin Shiraz Cabernet blend.  I’m slowly coming to like it more than the others.  Just a bit more “perky”.  ;-)

In Other News

Japan has now approached the other nations around the edge of the South China Sea to arrange a joint resistance to China.

It sure looks to me like China is finding itself no longer able to “divide and conquer”.  We’ve all been united by Chinese Abuse and The Chinese Wuhan Covid virus.

Sweden has kicked out their last “Confucius Institute” and the USA is moving that way too.  IF your nation isn’t doing that yet, ask why…

The astounding depth and breadth of Chinese corruption of various governments around the world is starting to enter the national consciousness of many nations.  It simply must be rooted out and ended.

Pakistan, yes, “owned by China” Pakistan, is having strong resistance to letting China fish out their waters (even though 70% is supposed to go to Pakistan processing plants).  Why?  Oh, maybe the fact that massive bottom trawling destroys fishing longer term and millions of local fishermen are “not pleased” at being sold out?

I’d never realized how much of global politics would be tied up with fish.  Even the EU / UK negotiations are stuck on fish.
