If you’re upgrading to Windows 10, you should be aware that its default privacy settings are not very private, and share a lot of your activities with Microsoft. You may be OK with this, but if you’re not then here’s a blog post telling you how to change the defaults.
Sometimes keeping your operating system fully patched is not enough. Malwarebytes have discovered active use of a Mac exploit that Apple have not yet patched (except in the OS X 10.11 beta).
To protect yourself, be cautious when downloading and running software on your Mac. The exploit only works if you run a downloaded program, which can then use the vulnerability to gain full privileges on your system. And of course keep an eye out for a fix from Apple, and install it as soon as it is available.
If you want to know just how bad it can be when software suppliers get their security wrong, look no further than this advisory from the FDA.
There appears to be a remotely exploitable vulnerability in a medical drug infusion pump, potentially allowing an attacker to change the drug dosage. While there are no reports of any actual attacks using this exploit, it could obviously have extremely serious consequences. The affected device is the Hospira Symbiq Infusion System, so you don’t need to worry (this time) unless you or your hospital use one of those devices.
It seems to be the result of schoolboy security errors. The advisory recommends closing the FTP and Telnet ports; networked medical devices should under no circumstances be programmed to accept FTP or Telnet connections. It also advises changing the default passwords; the device should not function at all until the default password has been changed. Such mistakes may be forgivable on some networked devices, but not on medical devices.
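As an added example (not from the FDA advisory, from Hospira, or from the original post), here is a small Python check that a device has actually stopped answering on the FTP and Telnet ports after the recommended change. It assumes nothing about the pump beyond those two standard port numbers, sends no credentials, and the device address it mentions is a placeholder; it also includes a loopback demonstration so it can be run without a real device on the network.

```python
"""Check that a networked device no longer accepts FTP or Telnet connections.

Added example, not code from the FDA advisory, Hospira, or the original post.
It only tests whether the TCP ports accept a connection; it never logs in.
"""
import socket
from typing import Iterable, List

# The two services the advisory says to close. Default passwords cannot be
# checked here because the advisory (and this page) do not state them.
LEGACY_PORTS = {21: "ftp", 23: "telnet"}


def port_accepts_connection(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within `timeout`.

    A refused connection and a timeout both count as "closed": all the caller
    needs to know is whether the service is reachable at all.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_legacy_services(host: str, ports: Iterable[int] = LEGACY_PORTS,
                            timeout: float = 2.0) -> List[int]:
    """Return the ports in `ports` on `host` that still accept connections."""
    return [p for p in ports if port_accepts_connection(host, p, timeout)]


def demo_local_scan() -> dict:
    """Self-contained demonstration on the loopback interface.

    Opens one listening socket (standing in for a device that still has a
    legacy service exposed) and picks one port that nothing listens on, then
    runs the check against both. Returns the results for inspection.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Bind and immediately close a second socket: the OS just confirmed the
    # port was free, and after close() nothing listens on it, so a connection
    # attempt is refused.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        found = exposed_legacy_services("127.0.0.1", [open_port, closed_port],
                                        timeout=1.0)
    finally:
        listener.close()

    return {
        "open_port": open_port,
        "closed_port": closed_port,
        "found": found,
        "correct": found == [open_port],  # only the listening port is reported
    }


if __name__ == "__main__":
    result = demo_local_scan()
    print("loopback demo:", result)

    # Real use: point it at the device's address on your network. The address
    # below is a placeholder from the TEST-NET-1 range, not a real device.
    device = "192.0.2.10"
    for port in exposed_legacy_services(device, LEGACY_PORTS):
        print(f"{device}: {LEGACY_PORTS[port]} (tcp/{port}) still accepts connections")
```

Run it from a host on the same network segment as the device; a port that is filtered by an intermediate firewall will show as closed even if the device itself still listens, so the check is only meaningful from where the device is actually reachable.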
The Register points out that by default Windows 10 will upload an encrypted version of your wifi password to Microsoft and anyone in your contacts will be able to use your wifi. Now, that’s a nice feature and lots of people might find it useful — but it should really be opt-in rather than opt-out, even though that would drastically reduce the take-up. Windows Phone has apparently been doing this for some time, but no one has noticed, because no one actually uses Windows Phone.
By default, your Outlook.com and Skype contacts will be able to use your wifi, assuming they’re also using Windows 10. If you opt in, then so will your Facebook friends.
The feature is called Wi-Fi Sense, and it’s relatively hard to opt out — you have to change the name of your wifi network to have “_optout” on the end. I think I’d rather opt out by not installing Windows 10, and not giving my wifi password to anyone who is running Windows 10.
Even worse, it’s not just your network that’s shared (Windows doesn’t know which network is yours, after all); it’s any password-protected wifi network you connect to. So you’re potentially sharing the passwords of your employer, friends and family, not just your own password.
Edited: It appears that The Register is being needlessly alarmist. It’s hardly the first time, and I should have checked more thoroughly.
Ars Technica has a more sensible version of the story. Wi-Fi Sense is opt-in in Windows 10, and you have to opt in for each network. However, you should still be careful: for example, Gmail adds everyone you email to your address book, so if you sync your Gmail address book with your Outlook.com contacts, then everyone you’ve ever emailed will be able to use any wifi network that you’ve chosen to share. And certainly don’t share your employer’s wifi network.
This looks like a bad one. An attacker can execute their own code on many Android phones simply by sending an MMS message, and in some cases you don’t even have to view the message to be infected. And the whole Android software update ecosystem is a complete mess, so very many phones will never get patched for it. At the time of writing it seems like there are almost no fixes available from handset suppliers, although the vulnerability was discovered and reported (by Joshua Drake at Zimperium zLabs) in April.
There’s not much you can do about it other than wait for your supplier to release a fix. It’s worth changing the settings in apps like Messenger and Hangouts that can receive MMS messages so that they don’t “automatically receive MMS messages”. If your Android version uses Messenger for SMS messages, you can block messages from people you don’t know, but of course that could block messages that you want to receive.
If you’re on an old handset — and that may mean only a few months old — you may never get a fix. I would certainly avoid opening messages that you’re not expecting from anyone you don’t know, but it seems that may not be enough on at least some phones. The bug is much harder to exploit on Android versions 4.1 and later, so those are potentially less affected. If your Android version is so old that it’s 2.1 or earlier, then you’re not affected at all.
It’s this kind of thing that frankly makes me question whether anyone should be buying an Android phone, except for a Nexus or another phone made by Google themselves. The manufacturers don’t regard themselves as software companies, and so don’t pay enough attention to software issues and getting updates out to users, especially users on handsets that aren’t being manufactured any more.
More later, when we have clearer details of exactly who is affected and how bad it is.
Edited to add: Here is the original blog post announcing the vulnerability.