News
Stack Overflow Compromised
According to The Hacker News, a hacker gained unauthorized access to the production version of Stack Overflow (https://thehackernews.com/2019/05/stack-overflow-databreach.html).
The attack initially exploited a bug in the development version of Stack Overflow and then escalated privileges to gain access to the product version.
The company also admitted that the intruders may have managed to access information on users. "While our overall user database was not compromised, we have identified privileged web requests that the attacker made that could have returned IP addresses, names, or emails for a very small number of Stack Exchange users. Our team is currently reviewing these logs and will be providing appropriate notifications to any users who are impacted," said Mary Ferguson, VP of Engineering at Stack Overflow.
The company has taken some steps to mitigate further damage. They are terminating the unauthorized access to the system and also patching the bug that allowed the unauthorized access and escalation.
Docker Hub Breached
Criminals managed to breach Docker Hub and gained access to the company database. The company admitted that during the breach, sensitive data from approximately 190,000 accounts may have been exposed. Compromised data includes usernames and hashed passwords for a small percentage of these users, as well as GitHub and Bitbucket tokens for Docker autobuilds.
The company sent a notice to users, "On Thursday, April 25th, 2019, we discovered unauthorized access to a single Hub database storing a subset of non-financial user data. Upon discovery, we acted quickly to intervene and secure the site."
The company is asking users to reset their passwords.
Docker has not released any details about the breach and how the attackers managed to gain access to its database.
Microsoft Brings Linux to Windows 10
At the recent Microsoft Build 2019 developer conference, Microsoft announced the next generation of Windows Subsystem for Linux (WSL). Starting with builds available this summer through the company's Windows Insider program, version 2 of WSL will include a custom Linux kernel to boost performance and add native support for many protocols. In essence, Windows 10 users will be able to take advantages of both the Windows NT and Linux kernels.
According to Jack Hammons, program manager, Linux Systems Group at Microsoft, "The kernel provided for WSL 2 will be fully open source! When WSL 2 is released in Windows Insider builds, instructions for creating your own WSL kernel will be made available on GitHub. We will work with developers interested in contributing to help get changes upstream. Check back in a few weeks for more information."
Microsoft is using some clever tricks to run both the Linux and Windows NT kernels on the same system. They have fine-tuned their virtualization technology to run the Linux kernel inside of a lightweight utility virtual machine (VM). According to Microsoft, users will experience high levels of integration between Windows and Linux, extremely fast boot times, and a small resource footprint – all without VM configuration or management.
Running Oracle? Get Ready for Almost 300 Patches
Oracle has pushed quarterly security updates for its products. These updates are targeting a record 297 vulnerabilities affecting Oracle products.
According to Sophos, "The latest Critical Update Patch contains vulnerabilities spanning dozens of products, including its Fusion Middleware product set, which received 53 new security fixes overall – 42 of them for vulnerabilities that could, in theory, be exploited remotely over a network with no user credentials."
The Oracle Communications Applications set was among products to receive the most fixes – 26 security fixes, out of which 19 were remotely exploitable.
297 might seem like a big number, but looking at the vast product portfolio and quarterly nature of these updates, this number is not that big.
However, if you are running any of the Oracle products, it is time to run these updates.
Microsoft Acquired RTOS Company
Microsoft has acquired Express Logic, the maker of ThreadX, a real-time operating system (RTOS) for embedded devices.
Microsoft already owns Linux-based Azure Sphere, an operating system designed for IoT/Edge devices. However, by acquiring Express Logic, the company hopes to expand its support for microcontroller unit (MCU) devices running native RTOS systems.
ThreadX requires a 2KB instruction area and 1KB of RAM for its minimal footprint. It supports a wide range of 32/64-bit microprocessors including ARM, Cypress (RISC-V) and Xilinx, to name a few.
"While we recommend Azure Sphere for customers' most secured connections to the cloud, where Azure Sphere isn't possible in highly constrained devices, we recommend Express Logic's ThreadX RTOS over other RTOS options in the industry because of its additional certifications and out-of-the-box connectivity to Azure IoT Hub," said Sam George, Microsoft's director of Azure IoT in a blog post.
Express Logic has over 6.2 billion deployments in the world. Microsoft has committed to invest $5 billion in the IoT space by 2022, and this acquisition is part of that strategy.