You’ve got to be a real cybergeezer to remember using Excel 4, given that it was replaced by Excel 5 in 1993. After almost 30 years, surely everyone is running a more up-to-date version of Microsoft’s popular spreadsheet software. So why do we care about Excel 4? It turns out that Excel 4’s macro system is alive, armed, and dangerous.
The problem is those macros have full access to the operating system, while VBA (which supposedly replaced macros) can’t do anything outside the spreadsheet. And the system lends itself well to obfuscation, meaning malware coders can hide their macros’ malicious actions.
A team led by Giovanni Vigna, VMware’s Senior Director of Threat Intelligence, worked up a novel technique to identify and defang malicious code by stripping the layers of obfuscation that normally keep it hidden. At the Black Hat conference in Las Vegas, the team presented a Symbolic Execution tool that they call SymbExcel, so others can share the magic.
Who remembers the sudden and dramatic death of Google+?
Google’s Facebook competitor and “social backbone” was effectively dead inside the company around 2014, but Google let the failed service hang around for years in maintenance mode while the company spun off standalone products. In 2018, The Wall Street Journal reported that Google+ had exposed the private data of “hundreds of thousands of users” for years, that Google knew about the problem, and that the company opted not to disclose the data leak for fear of regulatory scrutiny. In the wake of the report, Google was forced to acknowledge the data leak, and the company admitted that the “private” data of 500,000 accounts actually wasn’t private. Since nobody worked on Google+ anymore, Google’s “fix” for the bug was to close Google+ entirely. Then the lawsuits started.
Google has started emailing users of very old Android devices to tell them it’s time to say goodbye.
Starting September 27, devices running Android 2.3.7 and lower will no longer be able to log in to Google services, effectively killing a big portion of the on-rails Android experience. As Google puts it in an official community post, “If you sign in to your device after September 27, you may get username or password errors when you try to use Google products and services like Gmail, YouTube, and Maps.”
Android is one of the most cloud-based operating systems ever. Especially in older versions, many included apps and services were tied to your Google login, and if that stops working, a large chunk of your phone is bricked. While Android can update many core components without shipping a full system update today, Android 2.3.7 Gingerbread, released around 10 years ago, was not so modular.
Gaming on Linux is still niche, but the number of users doing so has recently shot up, according to Valve’s Steam.
In July, the market share for Linux-based gaming on Steam reached the 1% threshold after three years of remaining in the 0.8 to 0.9% range. GamingOnLinux noticed the sudden increase through Steam’s hardware and software survey, which regularly polls users to see what platforms they use to game.
Google’s Chrome for Android is reportedly being added as a security key option for Google Accounts protected with two-factor authentication.
9to5Google reports that the Chrome 93 for Android beta now prompts users when someone attempts to sign in to the same Google Account on a nearby device. The change wasn’t mentioned in Google’s announcement of the latest beta release, however, or in the Chromium blog post that’s supposed to offer more information about new features coming to the browser.
In what is, at least so far, the biggest cybersecurity blunder of the Tokyo Olympics, an Italian TV announcer did not realize he was on air when he asked for the password to his computer.
“Do you know the password for the computer in this commentator booth?” he asked during the broadcast of the Turkey-China volleyball game, apparently not realizing he was still on air.
“It was too hard to call the password Pippo? Pippo, Pluto or Topolino?” he complained, referring to the Italian names for Goofy, Pluto and Mickey Mouse.
“A security update will be applied to Drive,” Google’s weird new email reads. A whole bunch of us on the Ars Technica staff got blasted with this last night. If you visit drive.google.com, you’ll also see a message saying, “On September 13, 2021, a security update will be applied to some of your files.” You can even see a list of the affected files, which have all gotten an unspecified “security update.” So what is this all about?
Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a “get link” option (where anyone with the link can access the file). The “get link” option works the same way as unlisted YouTube videos—it’s not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.
Rewarding security researchers for reporting bugs helps to keep online services safe and secure. Google has been doing it for 10 years now, and is celebrating by launching a new platform called Bug Hunters.
Posting on the Google Security Blog, Jan Keller, Technical Program Manager for Google VRP, reveals that the company’s multiple Vulnerability Reward Programs (VRP) have so far rewarded 2,022 researchers spread across 84 countries, who reported 11,055 valid bugs. In total, Google has paid them $29,357,516 in rewards.
The Surface Duo was one of the biggest hardware flops in recent memory, but Microsoft is still charging ahead with a sequel to the device, and now we have the first credible pictures of it. The story here is kind of weird. We’re not actually sure where the pictures are from (they’ve been uploaded to this random YouTube channel with other uncredited content), but Windows Central’s Zac Bowden says the images are legit, and since he has had an impeccable history of nailing Surface Duo rumors, his affirmation is good enough for us. Bowden calls the two devices shown off in the leak “near-final prototypes.”
The most obvious change in the pictures is a huge camera bump on the back of the device. The bump houses three cameras, along with what looks like an LED flash to the right and one more sensor, perhaps laser autofocus, just below the flash. The standalone fingerprint reader on the side is gone (Windows Central speculates it will be integrated into the power button), and the USB-C port on the bottom is now centered. Sadly, we don’t know what the inside looks like yet.