apple_badger
Why free VPNs aren't always safe to use
anonymouse said: I don't think any public VPNs should be considered "safe". Not if you mean "safe" as protecting your data and privacy better than not using a VPN. VPNs weren't developed for that purpose, and they don't really serve it.
Edit: And to clarify, by "public" I mean meant to "serve" the general public — i.e., not internal organizational VPNs.
Apple's latest security update is important, but the mass-media response is unhinged
hmlongco said: apple_badger said: That's not how vulnerability chaining doesn't work. Safari is already downloaded and running on your device and CVE-2022-32893 potentially gives an attacker the ability to use Safari to leverage CVE-2022-32894.
Apple's latest security update is important, but the mass-media response is unhinged
hmlongco said: apple_badger said: CVE-2022-32893 is an arbitrary code execution bug in WebKit.
CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.
Both have been addressed in this update.
It's not, "A remote code execution flaw in WebKit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad." They're not "paired", they're two distinct issues.
Apple's latest security update is important, but the mass-media response is unhinged
hmlongco said: apple_badger said: I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in WebKit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad.
CVE-2022-32893 is an arbitrary code execution bug in WebKit.
CVE-2022-32894 is an arbitrary code execution with kernel privileges bug.
Both have been addressed in this update.
Apple's latest security update is important, but the mass-media response is unhinged
cpsro said: apple_badger said: I'm going to respectfully disagree here. Speaking as someone who heads up Information security for an organization, this may not be as quite bad as it gets (it won't kill your dog), but it's darn close. A remote code execution flaw in WebKit paired with the ability to execute arbitrary code with kernel privileges is really, really, *really* bad.
(I'm not being critical of Apple here; I'm disagreeing with this story's downplaying of the importance of this update. It's *very* important, and it's very important to update sooner rather than later)
Edit to add: The time from publication of a vulnerability to attempted exploitation is now measured in hours, not days or weeks. When something like this is made public then its value as something to be used in targeted attacks against only high value targets is effectively zero. There's no reason for bad actors to exercise restraint at this point.