Office & BT exploits, Apple 'DIY' Repair Kit, & Pizza Vending Machines

June 3, 2022 by Lighthouse IT Solutions, Matthew Almendinger

The Lighthouse IT Podcast - June 3rd, 2022

This week, Matt & Griff discuss a major hole in Microsoft Office, a huge vulnerability in Teslas and other BT devices using proximity authentication, Twitter news, the Apple DIY (except, you can't do it yourself) repair kit, DuckDuckGo's apparently not-so-private browser, modular laptops, and pizza vending machines.



"Follina" zero-day hole in Office

  • Follina is a code execution security hole that can (among other methods) be exploited by way of Office files.
  • Kevin Beaumont has supplied it with the entirely arbitrary name Follina.
  • How it works:
    • You open a booby-trapped DOC file, perhaps received via email.
    • The document references a regular-looking 'https:' URL that gets downloaded.
    • This 'https:' URL references an HTML file that contains some weird-looking JavaScript code.
    • That JavaScript references a URL with the unusual identifier 'ms-msdt:' in place of 'https:'.
    • On Windows, 'ms-msdt:' is a proprietary URL type that launches the MSDT software toolkit.
    • MSDT is shorthand for Microsoft Support Diagnostic Tool.
    • The command line supplied to MSDT via the URL causes it to run untrusted code.
  • Note, this works even if you have Office macros turned off completely.
  • An official workaround by Microsoft is simply to break the relationship between 'ms-msdt:' URLs and the MSDT utility.
  • But we are still awaiting a patch.
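
A defender-side triage of the chain described above, added here as an example (not code from the podcast or from Microsoft): it lists a document's external relationships and flags any whose fetched HTML mentions the 'ms-msdt:' scheme. The function names, the `fetch` callback, and the sample document and pages are all constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files at scale, prefer defusedxml

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
MSDT = re.compile(r"ms-msdt\s*:", re.IGNORECASE)

def external_targets(docx_bytes):
    """List (part, target) for every relationship marked TargetMode="External"."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(REL):
                    if rel.get("TargetMode") == "External":
                        found.append((name, rel.get("Target", "")))
    return found

def references_msdt(html_text):
    """True if the page text mentions the ms-msdt: URL scheme anywhere."""
    return bool(MSDT.search(html_text or ""))

def triage(docx_bytes, fetch):
    """fetch(url) -> str is a caller-supplied retriever (assumed to be sandboxed)."""
    return [(part, url) for part, url in external_targets(docx_bytes)
            if url.lower().startswith(("http:", "https:"))
            and references_msdt(fetch(url))]

# --- constructed sample data, not taken from any real document ---
RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="urn:constructed" TargetMode="External"'
        ' Target="https://example.invalid/a.html"/>'
        '<Relationship Id="rId2" Type="urn:constructed" TargetMode="External"'
        ' Target="https://example.invalid/b.html"/>'
        '<Relationship Id="rId3" Type="urn:constructed" Target="styles.xml"/>'
        '</Relationships>')
PAGES = {"https://example.invalid/a.html":
             '<script>var u = "ms-msdt:constructed-placeholder";</script>',
         "https://example.invalid/b.html": "<p>ordinary linked page</p>"}

def build_sample():
    """Pack the constructed relationships part into an in-memory DOCX-style zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", RELS)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(build_sample(), PAGES.get))
```

Script that assembles the scheme string at run time will evade the text match, so the full list from `external_targets` is worth reviewing on its own.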


Bluetooth hack that can unlock your Tesla as well as many other devices

  • Tesla, among many other devices, can use something called proximity authentication. Get closer to the car (with your phone) and it unlocks. Move away and it locks.
  • A researcher has devised a hack that allows him to unlock these devices miles away.
  • The hack exploits weaknesses in the Bluetooth Low Energy standard that many manufacturers adhere to.
  • The method used is called a Relay Station Attack or RSA.
  • An RSA requires two attackers. In the case of a locked Tesla, the first attacker just needs to be close to the car, and the second needs to be in range of the car's owner or authentication device. Using some hardware that costs just about $100 and some know-how, they can make a daisy-chain by pulling the authentication and relaying it to the first attacker, who is standing next to the car.


DuckDuckGo isn't as private as you thought

  • DuckDuckGo pulls its search results from other services, primarily Bing.
  • Due to a confidential search agreement, the DuckDuckGo browser does not block all Microsoft trackers.
  • Clicking a Microsoft-provided ad in DuckDuckGo will reveal your IP address to the Microsoft Advertising service.
  • DuckDuckGo only acknowledged this "privacy hole" after it was discovered.
  • Security researcher @thezedwards found that the mobile DuckDuckGo browser does not block Microsoft trackers on third-party websites, such as the Facebook-owned
  • Gabriel Weinberg, the CEO of DuckDuckGo, explained that Microsoft cannot see what you search, and that the DuckDuckGo browser blocks all Microsoft cookies. But if you visit a website that contains Microsoft's trackers, then your data is exposed to services like Bing and LinkedIn.


Twitter turns the tables on Musk, will "enforce" merger

  • Twitter's board said it plans to "close the transaction and enforce the merger agreement" between Elon Musk and Twitter.
  • This comes just after Musk said the deal was on hold until "CEO Parag Agrawal publicly proves that less than 5% of users are bots or spam accounts."
  • Whether Musk says it is on hold or not, he currently has a contractual obligation to buy Twitter at $54.20 per share.


Jack Dorsey leaves Twitter's board of directors

  • As of May 25th, Dorsey has left the board of Twitter.
  • Dorsey is apparently on good terms with Elon Musk and plans to roll over his 2.4% ownership stake into the deal.


Redesigned Outlook Windows app

  • Microsoft just previewed a new version of Outlook for Windows that is missing a bunch of features and mirrors the web client.
  • The new app is available to Office Insiders in the Beta channel who have work or school Microsoft 365 accounts.
  • The new Outlook app will reportedly replace not just the current Outlook app but also Windows' built-in Mail and Calendar apps.


Microsoft announces a brand-new Arm-powered desktop PC and Arm-native dev tools

  • Project Volterra is a Microsoft-branded mini-desktop computer powered by an unnamed Qualcomm Snapdragon SoC.
  • According to Microsoft's blog post, the company will be releasing ARM-native versions of Visual Studio 2022 and VSCode, Visual C++, Modern .NET 6, the classic .NET framework, Windows Terminal, and both the Windows Subsystem for Linux and Windows Subsystem for Android.
  • Previews of these tools will begin to be available "in the next few weeks."


Framework's new laptop makes modular gadgets feasible

  • A little more than a year after announcing the first version of its ultra-repairable, upgradeable notebook, Framework is launching the second-generation Framework Laptop.
  • Framework is serious about building truly long-lasting devices and might actually be fulfilling the often promised and rarely delivered dream of upgradeable, modular gadgets.


Pizza vending machines?

  • Startup Piestro just raised something like $580m for its Pizza vending machines. Why? Labor for pizza is up to just shy of 32% of the cost of a 'za. The Piestro is all in one. Keep the hoppers loaded with fresh ingredients, and she'll make-a you a pie right in front-a yer face!
  • But what happens if it gets stuck while vending??????


Remember that Apple DIY repair kit? It sucks, apparently...

  • One writer damaged his phone in the second step. Another writer received an undocumented error while removing the screen (which involves a giant heat press).
  • You don't have to get their tools like we originally thought, if you're brave enough.
  • Upon completion you have to call an Apple logistics company with a computer connected to your phone to "program" the replacement parts as being genuine. Until then, the device simply says it's not.
  • You have to acknowledge that you've read all the documents involving a six-digit code.
  • Not everything is included in the kit (one writer indicated tweezers and a large jar of sand... in case the phone catches fire).
  • The cost of all this convenience?
    • $69 for the battery kit, but you get $24 for the battery return.
    • $49 to rent the tools
    • A credit hold of $1,210 to cover the full cost of the tools if they are not returned in 7 days. (The Verge writer even had his battery show up 2 days after the tools, so had less time).
    • Risk of damaging your device
    • Stress that your wife will leave you
  • The cost of the Apple store repairing your phone? $69.


Back to the past via the future

  • DeLorean comes back with a new performance EV.
  • Not Johnny D, but actually another guy who made his mint restoring DMC-12s.
  • Italdesign (original designer of the OG) also designed the new Alpha 5.
  • We'll find out more at the end of this year.
  • Alpha 5 has more or less tech than the original, depending on how you feel about the absence of the flux capacitor.