ComputerCOP: the dubious “Internet Safety Software” given to US families

This post originally appeared on the Electronic Frontier Foundation's website. The author, Dave Maass, is a media relations coordinator and investigative researcher for EFF.

For years, local law enforcement agencies around the country have told parents that installing ComputerCOP software is the “first step” in protecting their children online.

Police chiefs, sheriffs, and district attorneys have handed out hundreds of thousands of copies of the disc to parents for free at schools, libraries, and community events, usually as a part of an “Internet Safety” outreach initiative. (You can see the long list of ComputerCOP outlets here.) The packaging typically features the agency’s official seal and the chief’s portrait, with a signed message warning of the “dark and dangerous off-ramps” of the Internet.

Read 45 remaining paragraphs | Comments

Security bug in Xen may have exposed Amazon, other cloud services [Updated]

The Xen Project has published a security advisory that could affect millions of virtualized servers running in Amazon’s cloud and other public hosting services. A flaw in the Xen hypervisor could allow a malicious fully virtualized server to read data about other virtualized systems running on the same physical hardware or the hypervisor hosting the virtual machine. The malicious system could also potentially crash the server hosting the virtual machines. A patch, which was privately disclosed last week under embargo, has been issued to correct the issue.

Xen is used by a number of public and private cloud providers to support infrastructure-as-a-service (IaaS) offerings such as Amazon’s Elastic Compute Cloud, Rackspace, and some configurations of the OpenStack cloud provisioning environment. The flaw, discovered by Jan Beulich at SUSE, affects servers configured to support hardware-assisted virtualization (HVM) mode virtualization. HVM lets operating systems use hardware extensions that give them faster access to the physical server’s hardware, and it uses software emulation of other Intel platform hardware to allow those operating systems to run without modification. Windows virtual machines running on Xen require HVM support.

The bug, introduced in versions of Xen after version 4.1, is in HVM code that emulates Intel’s x2APIC interrupt controller. While the emulator restricts the ability of a virtual machine to write to memory reserved specifically for its own emulated controller, a program running within a virtual machine could use the x2APIC interface to read information stored outside of that space. If someone were to provision an inadvertently buggy or intentionally malicious virtual machine on a server using HVM, Beulich found that VM could use the interface to look at the physical memory on the physical machine hosting the VM reserved for other virtual machines or for the virtualization server software itself. In other words, an "evil" virtual machine could essentially read over the shoulder of other virtual machines running on the same server, bypassing security.

Read 6 remaining paragraphs | Comments