This Week In Security: Android Bluetooth RCE, Windows VMs, And HTTPS Everywhere

Android has released it’s monthly round of security updates, and there is one patched bug in particular that’s very serious: CVE-2021-0316. Few further details are available, but a bit of sleuthing finds the code change that fixes this bug.

Fix potential OOB write in libbluetooth
Check event id if of register notification command from remote to avoid OOB write.

It’s another Bluetooth issue, quite reminiscent of BleedingTooth on Linux. In fact, in researching this bug, I realized that Google never released their promised deep-dive into Bleedingtooth. Why? This would usually mean that not all the fixes have been rolled out, or that a significant number of installations are unpatched. Either way, the details are withheld until the ramifications of releasing them are minimal. This similar Bluetooth bug in Android *might* be why the BleedingTooth details haven’t yet been released. Regardless, there are some serious vulnerabilities patched this in this Android update, so make sure to watch for the eventual rollout for your device.

HTTPS Everywhere

Google and Firefox are continuing their push toward a web based on HTTPS. Some of the changes, particularly by Google, have been viewed with some skepticism. However, this upcoming Chromium change looks like a welcome one. Put simply, when a user types in a URL without specifying HTTP or HTTPS, Chrome will try to load the website over HTTPS first. This change has been spotted in the Chromium source, and isn’t deployed by default anywhere — yet. The eventual implementation will probably feature a parallel lookup of web sites over HTTP and HTTPS, in order to avoid a large slowdown for HTTP only sites. If you live on the Firefox side of the fence, you’re still covered, as Firefox has an optional HTTPS everywhere mode as well.

Zyxel and the Hard-coded Credentials

[Niels Teusink] from EYE was doing some research on his Zyxel router, and came across an undocumented user account, zyfwp. Just looking at the username, I would guess it enables Zxel firmware updates of some sort — And yes, the account is to enable automatic firmware updates. It wasn’t supposed to be enabled for SSH login, though. Yes, a handful of Zyxel models had an unintentional backdoor. [Niels] believes he discovered the problem just weeks after the vulnerable firmware was released, so the impact of this one is minimal. Go check the list of products and firmware to see if your device was affected. One last note, while this sort of vulnerability is always facepalm-worthy, Zyxel absolutely owned up to the goof, responded quickly, and has absolutely done the right thing in fixing this.

Legal and Easy Windows VMs

There’s often a need for disposable Windows installs. Whether you’re looking at a file that is probably a virus, or want to check something out on a clean install, there’s a certain safety in knowing that if something goes wrong, you can just trash the VM and start over. Yes, it’s possible to manage all this manually, but when I came across [Rolando Anton]’s guide to automating the process, I had to make a mental bookmark and share it with you guys.

He first gives us the details on how to manually turn a fresh Windows install into a VM image, which is a useful howto in it’s own right. What comes next is impressive. If I understand what I’m seeing, he’s using Packer to run the whole process as a one-liner. He’s careful to point out that these images are legal for testing, research, and evaluation — not for production environments, as per Microsoft’s licensing.

Using Google to Defeat Google reCAPTCHA

And in a fun turn, it was pointed out to me this week, that you can use Google’s speech to text service to defeat Google’s reCAPTCHA service. ReCAPTCHA is widely considered one of the best CAPTCHA services, or “Completely Automated Public Turing test to tell Computers and Humans Apart”. One of the laudable things Google has done is include alternative ways to solve a CAPTCHA. A blind person, for instance, would be unable to complete a visual CAPTCHA test. One of the alternatives is to listen to a brief audio file, and transcribe what is being said. It just so happens that Google also has a really robust speech-to-text API. With a success rate of something like 91%, you can automatically pass reCAPTCHA using Google’s own service. Man bites dog.

5 thoughts on “This Week In Security: Android Bluetooth RCE, Windows VMs, And HTTPS Everywhere

  1. That google thing is hilarious. Although I suspect it’s not to bad as the speed of passing audio based CAPTCHA is not toooo fast and I think google will block you from doing audio to text if you use it to much unless you pay (though I could be wrong on that).

  2. I am starting to wonder if part of the Turing test now is having the capacity to lie your ass off. By i.e. pretending that eBikes are motorcycles, tube steel bicycle sculptures are bicycles, and that you can’t tell that anything in the last 15% of the visual depth/distance is something they’re asking for (Distant stoplights, crosswalks, buses etc)

  3. I love the Windows image automation stuff. However, I found that VirtualBox is conspicuously missing. I guess that doesn’t matter for the author’s use case as it appears they’re using remote desktop tools for interaction. Or VMware or QEMU. I’m just surprised. I thought VirtualBox was still the standard for light virtual machine usage.

    1. Looks like they are not aiming at VirtualBox local stuff but cloud services really.
      Though I thought it was, and have just verified according to wiki virtualbox is related to qemu, so it probably just works with that. Something to try if you are interested I guess.

      For myself I found it easier to just have a backup image of the windows boot disk, can duplicate it as often as needed. Personally was wondering about using LVM via qemu so each new VM can be running off a thin-snapshot of the fresh install for more efficient disk use (But I don’t really keep or run enough VM’s to find disk space much of an issue) – pretty sure that doesn’t fall foul of the windon’t EULA stuff around VMs, but I’m no lawyer. Can’t see how it differs from a repair partition OEM’s ship either..

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.