The Lighthouse IT Podcast - December 3rd, 2021
This week, Matt & Griff discuss the revival of Clippy (kind of), bad news for Meta, advances coming from Apple, some Windows vulnerability drama, the aftermath of the 'Buy the Constitution' movement, Samsung's new chip facility and more.
New Windows zero-day with public exploit lets you become an admin
- New Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server
- As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability' tracked as CVE-2021-41379.
- This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft's fix.
- Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway.
- When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, he said he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program: "Microsoft bounties has been trashed since April 2020."
Next Windows 11 update brings back Clippy, but only as an emoji
- You can get the new emoji designs now if you install the optional November 2021 Cumulative Update for Windows 11
- Windows 10 users won't be getting the new emoji designs.
'Buy the Constitution' aftermath
- The community of crypto investors who tried and failed to buy a copy of the U.S. Constitution last week has descended into chaos as people are realizing today that roughly half of the donors will have the majority of their investment wiped out by cryptocurrency fees.
- Disagreements have broken out over the future of ConstitutionDAO, the original purpose of the more than $40 million crowdfunding campaign, and what will happen to the $PEOPLE token that donors were given in exchange for their contributions.
Meta goes into lockdown after a flood of leaks
- Last month, Meta rolled out a new "Integrity Umbrella" system designed to thwart leakers. The Umbrella maintains a list of employees in Integrity and gives them automatic access to join private Integrity groups in Workplace, the internal version of Facebook used by employees. When it was introduced, several employees internally pointed out that the system wouldn't have stopped Haugen, since she worked in the Integrity division when she gathered the leaked documents.
- The change has become so widespread that employees have taken to a group in Workplace titled "Examples of Meta Culture trending towards — Closed," where they've been posting screenshots of previously open groups they belong to being set to private.
Meta's acquisition of Giphy is set to be blocked by an antitrust regulator
- Meta is set to have a major acquisition blocked by the UK's antitrust regulator
- Facebook announced in May 2020 it was acquiring Giphy for $400 million.
- UK's Competition and Markets Authority says the merger would harm competition.
- Giphy could give Facebook an unfair advantage over rival social media platforms such as Snapchat and TikTok which also use Giphy.
Apple will sell you iPhone parts to fix your own phone at home
- Apple is opening up iPhones and Macs to DIY repairs. The company plans to start selling parts and tools and offering instructions on how to repair Apple products at home, without having to bring them into a store or a third-party repair shop.
- This is a huge shift from Apple, which has historically been resistant to the right-to-repair movement and to any repairs happening outside of its own stores. Even this week, Apple was walking back software that prevented Face ID from working if customers replaced their own screen.
- Apple is calling the program "Self Service Repair," and it'll launch "early next year" in the US
Apple wants to launch a self-driving EV in 2025
- Apple has completed "much of the core work" on a new processor meant to power its secretive autonomous electric car project known as Titan
Apple AR headset coming in late 2022
- Apple's long-rumored augmented reality (AR) headset project is set to bear its first fruit late next year with the launch of the first device carrying a pair of processors
- The initial AR headset will be able to operate independently without needing to be tethered to a Mac or iPhone, and Apple is intending it to support a "comprehensive range of applications" with an eye toward replacing the iPhone within ten years.
Samsung is building a new $17 billion advanced chip plant in Texas
- Samsung officially announced a new advanced chip-making plant in Texas that's estimated to cost around $17 billion and could create 1,800 jobs.
- "With greater manufacturing capacity, we will be able to better serve the needs of our customers and contribute to the stability of the global semiconductor supply chain." - Kinam Kim, the vice chairman and CEO of Samsung Electronics Device Solutions Division
- Samsung plans to break ground on the location next year, and start producing chips in 2024.
- The expansion comes as the global semiconductor shortage continues to cause major problems for everyone from console makers to car manufacturers. It's a situation that's unlikely to abate until at least 2023.
Using a common configuration on your cloud service? Yeah don't...
- Unit 42 set up 320 honeypots (poorly configured servers designed to capture threat actors).
- 80% were compromised within 24 hours; all 320 within 7 days.
- One threat actor compromised nearly all of the initial 80 honeypots attacked within seconds.
GoDaddy admits managed WordPress (ugh) password breach
- The attackers had been active since 06 September 2021, a ten-week window.
- Acquired email addresses and customer numbers of 1,200,000 Managed WordPress (MWP) customers.
- Got access to all active MWP usernames and passwords for sFTP (secure FTP) and WordPress databases.
- Got access to SSL/TLS private keys belonging to some MWP users. (The report just says "a subset of active users", rather than stating how many.)
- Additionally, GoDaddy stated that default WordPress admin passwords, created when each account was opened, were accessed, too, though we're hoping that few, if any, active users of the system had left this password unchanged after setting up their WordPress presence.
Dollar Tree hikes prices 25% - most items now will be $1.25
- My life may be over.