Replies

I do not have problem with doing this, however had not had to do this before…

Does it not require rooting the device, which may in turn invalidate all sorts of sensitive apps (banking, security etc.?)

Still, I may give it a pass though, will be replacing this device in the next year probably…

Well, the short answer is: yes.

But nobody will do anything about it.

Just as an example, take a look here:

https://geekthingy.com/petition-for-sony-xperia-xz1-android-10-update-hits-2k/

https://www.notebookcheck.net/Official-Sony-Android-10-update-roadmap-confirms-that-the-Xperia-XZ1-phones-have-now-been-abandoned.442829.0.html

SONY quite lightly broke their promise to keep this flagship device updated. I can obviously  understand why, but this is quite unacceptable. And nothing happened.

Also, to compound the above: I actually own this very phone and 4 (four) years later it performs like it’s just removed from its box.

Shame.

1 user thanked author for this post.

migongo

Late realisation my end – after goring through all the above at later stage – was/is that v4 is not based on OS3 actually.

Security by obscurity?

As per my post on WD Forums:

https://community.wd.com/t/unofficial-patch-for-os3-zero-day-rce-vulnerability/268631/24?u=krzemien

I just revisited all the above with the clear eyes and corrected typos accordingly. Nonetheless the result remains the same(…)

The unit I own is 1st Gen (v4.x), with the latest available firmware (v04.05.00-342) installed. No faffing with its content, with the exception of HD Sentinel installation (as per the other thread & my post here: Monitor Network Attached Storage (NAS) status via HD Sentinel – #6 by krzemien)

(…)

The results I am seeing – but I might be missing something bleeding obvious – seem to indicate that 1st Gen units might be immune to this vulnerability.

And no, I understand that I cannot upgrade this unit to OS5 as it’s not supported on this hardware.

Well, I just did, and there we are:

(https://community.wd.com/t/unofficial-patch-for-os3-zero-day-rce-vulnerability/268631/18?u=krzemien)

EDITED TO ADD #1: I’m not getting the same response wher **nobody** & **squeezecenter** accounts are considered as authors do to *cat /etc/shadow* command (~5m45s)

Code:

nobody:*:15729:0:99999:7:::

**squeezecenter** account does not in fact exist.

EDITED TO ADD #2: I’m not getting the same response as authors do to *curl ‘http://127.0.0.1/api/2.1/rest/device?auth_username=nobody?auth_password=’* command (~9m45s)

Code:

<?xml version="1.0" encoding="utf-8"?><core><error_code>401</error_code><http_status_code>401</http_status_code><error_id>57</error_id><error_message>User not authorized</error_message></core>WDMyCloud:~#

EDITED TO ADD #3:

I’m not getting the same response as authors do to *’curl -X POST ‘http://127.0.0.1/api/2.1/rest/firmware_update?auth_username=nobody&auth_password=’* command (~13m00s)

Code:

<?xml version="1.0" encoding="utf-8"?><core><error_code>401</error_code><http_status_code>401</http_status_code><error_id>57</error_id><error_message>User not authorized</error_message></core>WDMyCloud:~#

EDITED TO ADD #4: Whole premise of attack assumes using **nobody** account for nefarious purposes (15m30s)

EDITED TO ADD #5: I’m not getting the same response as authors do to *ps faux | grep httpd* command (~21m45s)

Code:

root 16889 0.0 0.7 2432 1728 pts/0 S+ 16:26 0:00 \_ grep httpd

What am I seeing is that my device seems to be immune to that vector of attack as user **nobody** does not seem to respond to the commands as shown in this YouTube video. At least that’s my quick conclusion…

Thanks for sharing – had interesting lecture yesterday evening…

Does anybody know what the exact vulnerability is though? I have a skin in the game… For reference:

https://community.wd.com/t/unofficial-patch-for-os3-zero-day-rce-vulnerability/268631/16

That’s what I just got when I created and ran the script:

Patching vulnerability and restarting httpd…
httpd: no process found
authfix.sh: line 15: httpd: command not found
Vulnerability patched. Don’t forget to run this script at every reboot!

(…)Also, does anybody actually know what this vulnerability entails exactly, given that the above scrips seems doing something to httpd which apparently does not run on my device?

Ah, but I’m merely a humble and boring home user so really it’s not end of the world for me…

Still, I simply cannot comprehend how something such basic like core functionality – ability to read messages in e-mail client – can be made broken, and across multiple versions. And not to mention: released to the wide world and on a planned date either.

Mind truly boggles (and I thought I’ve seen it all…!)

1 user thanked author for this post.

Coldheart9020

Quite! I was wondering about the same thinking: ‘Have I missed something and actually did get Edge installed incautiously already’?

Same here, listed under Optional updates on Win 8.1

Microsoft Edge Update for Windows 8.1 for x64-based Systems (KB4567409)

Download size: 80.6 MB

You may need to restart your computer for this update to take effect.

Update type: Recommended

This update provides the latest feature and quality updates to Microsoft Edge.

More information:
https://support.microsoft.com/help/4567409

Help and Support:
https://support.microsoft.com/help/4567409

As I wrote elsewhere recently about the same: Plus ça change, plus c’est la même chose.

Likewise.

Also, if I read that correctly, does that mean that in effect I will have three MS browsers installed on my PC simultaneously?

*IE

*Edge (legacy)

*Chredge

 

[krzemien]

Really heart-warming that one can issue a major OS release with such a bug. if DISM gives inconsistent results, where’s the source of truth?

Also, does it not imply (yet again) that this release was pushed out of the door hastily and prematurely (yet again)?

One really wonders what else is there to be found.

• This reply was modified 4 years, 11 months ago by krzemien. Reason: SPELLING

1 user thanked author for this post.

woody

Check this out as well:

https://boingboing.net/2020/05/05/adobe-to-read-the-terms-of-us.html

…so in order to use this software one needs to agree that one does not sue them?

Nice.

2 users thanked author for this post.

Elly, Cybertooth

[krzemien]

…so does latest SKYPE as well:

Why don’t I see the option to blur or customize my video background?

To blur your background in Skype, your computer processor needs to support Advanced Vector Extensions 2 (AVX2). For more information, check with your computer manufacturer.

https://support.skype.com/en/faq/FA34896/how-do-i-customize-my-background-for-skype-video-calls

For Intel-based CPUs it’s everything from Haswell (i.e. series 4 – year 2014) onwards.

• This reply was modified 5 years ago by krzemien.
• This reply was modified 5 years ago by krzemien.

[krzemien]

You did not confuse ‘updated’ with ‘upgraded’ surely? Just checkin’…

• This reply was modified 5 years ago by krzemien.