Google doubles bug bounty rewards for Linux, Kubernetes exploits


Connor Jones

16 Feb, 2022

Google has announced it will be doubling the rewards it offers to bug hunters who can demonstrate working exploits for a range of zero-day and one-day vulnerabilities across a variety of platforms. 

The reward increases will be applied to exploits discovered in the Linux Kernel, Kubernetes, Google Kubernetes Engine (GKE), or kCTF (Kubernetes-based infrastructure for capture the flag exercises), with the next review coming at the start of 2023.

Rewards for valid one-day exploits more than double, to a maximum of $71,337, up from $31,337 previously. Sometimes known as ‘n-days’, one-days are publicly known vulnerabilities for which a patch already exists; Google will nonetheless pay for novel exploits of them.

Bug hunters seeking rewards for valid one-day exploits will have to provide a link to the existing patch in their report. Google also said it will pay for a given one-day exploit only once per cluster version or build.

“There are 12-18 GKE releases per year on each channel, and we have two clusters on different channels, so we will pay the $31,337 base rewards up to 36 times (no limit for the bonuses),” said Eduardo Vela, Product Security Response TL/M at Google. “While we don’t expect every upgrade to have a valid 1day submission, we would love to learn otherwise.”

Valid exploits for previously unknown zero-day vulnerabilities will attract a maximum reward of $91,337, nearly double the previous $50,337. Zero-days typically attract larger rewards because the vendor wants to fix the weakness before attackers learn of it.

“We launched an expansion of kCTF VRP on 1 November 2021 in which we paid $31,337 to $50,337 to those that are able to compromise our kCTF cluster and obtain a flag,” said Vela. “We increased our rewards because we recognised that in order to attract the attention of the community we needed to match our rewards to their expectations. We consider the expansion to have been a success, and because of that, we would like to extend it even further to at least until the end of the year (2022).”

A growing body of recent research has highlighted cyber criminals’ shift in focus towards Linux environments, both in and outside of the cloud.

Qualys published findings earlier this year regarding a Linux root privilege escalation flaw in polkit’s pkexec that went unnoticed for 12 years while “hiding in plain sight”, while VMware observed an increasing number of ransomware attacks targeting Linux-based multi-cloud environments last week.

Full details on the reporting process can be found in the Google blog post.

Reward structure

Google will offer a base reward of $31,337 for the first valid exploit of a given vulnerability, zero-day or one-day. This is paid once per vulnerability and once per cluster version or build. Duplicate exploits will not be rewarded unless they present a novel exploit technique, Google said.

On top of that, up to three bonuses of $20,000 each are available, depending on the nature of the exploit disclosed:

  • $20,000 will be awarded if the exploit is a zero-day
  • A further $20,000 will be awarded for exploits that do not require unprivileged user namespaces (entering a user namespace gives an unprivileged process capabilities inside it, which exposes extra kernel attack surface, so exploits that work without it are harder to mitigate by configuration)
  • Another $20,000 is on offer for novel exploit techniques. This bonus also applies to duplicate exploits, and Google requires a full write-up for the submission to qualify
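To make the second bonus concrete, the following is an added example, not code from Google or the kCTF project, that probes whether the host it runs on lets an unprivileged process create a user namespace. Inside a fresh user namespace the process holds a full capability set, which is what lets an unprivileged exploit reach kernel subsystems (network namespaces, netfilter and the like) that otherwise require CAP_SYS_ADMIN; a node that disallows this removes that whole class of primitive, which is why Google pays extra for exploits that do not need it. The enum and function names are this example’s own.

```c
/* Added example (not Google's or kCTF's code): probe whether this host lets an
 * unprivileged process create a user namespace. Inside a new user namespace
 * the process holds a full capability set, which is what lets an unprivileged
 * exploit reach kernel surface that normally needs CAP_SYS_ADMIN (here: also
 * creating a network namespace). Enum and function names are invented here. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stable kernel ABI flag values, defined here so the file does not depend on
 * _GNU_SOURCE being set before <sched.h> is included. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET  0x40000000
#endif
extern int unshare(int flags);   /* glibc wrapper for the unshare(2) syscall */

enum userns_state { USERNS_UNKNOWN = -1, USERNS_DENIED = 0, USERNS_ALLOWED = 1 };

/* Map unshare()'s return value and errno to a verdict. EPERM is what Debian
 * and Ubuntu kernels return with kernel.unprivileged_userns_clone=0 (and what
 * CLONE_NEWNET alone returns to an unprivileged caller); ENOSPC is returned
 * when user.max_user_namespaces is 0 or exhausted; EINVAL means the kernel
 * was built without the namespace type. Anything else (for example EACCES
 * from a seccomp filter) is reported as unknown. */
enum userns_state classify_unshare(int rc, int err) {
    if (rc == 0) return USERNS_ALLOWED;
    if (err == EPERM || err == ENOSPC || err == EINVAL) return USERNS_DENIED;
    return USERNS_UNKNOWN;
}

/* Fork, so the calling process stays in its original namespaces, and have
 * the child try to enter a new user namespace together with a new network
 * namespace: the pairing an unprivileged exploit uses to get at subsystems
 * such as netfilter. Meaningful only when run as a non-root user; root has
 * CAP_SYS_ADMIN and succeeds regardless of the sysctls. */
enum userns_state probe_unprivileged_userns(void) {
    pid_t pid = fork();
    if (pid < 0) return USERNS_UNKNOWN;
    if (pid == 0) {
        int rc = unshare(CLONE_NEWUSER | CLONE_NEWNET);
        enum userns_state s = classify_unshare(rc, errno);
        /* Exit status carries the verdict: 0 allowed, 1 denied, 2 unknown. */
        _exit(s == USERNS_ALLOWED ? 0 : s == USERNS_DENIED ? 1 : 2);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return USERNS_UNKNOWN;
    switch (WEXITSTATUS(status)) {
    case 0:  return USERNS_ALLOWED;
    case 1:  return USERNS_DENIED;
    default: return USERNS_UNKNOWN;
    }
}

int main(void) {
    if (geteuid() == 0)
        fputs("warning: running as root; result does not reflect unprivileged access\n", stderr);
    switch (probe_unprivileged_userns()) {
    case USERNS_ALLOWED: puts("unprivileged user namespaces: allowed"); break;
    case USERNS_DENIED:  puts("unprivileged user namespaces: denied");  break;
    default:             puts("unprivileged user namespaces: could not determine"); break;
    }
    return 0;
}
```

Build with `cc -Wall userns_probe.c -o userns_probe` and run it as an ordinary user on the node under test. To turn the feature off, set `user.max_user_namespaces=0` on upstream kernels (which blocks user namespace creation for every user, root included) or `kernel.unprivileged_userns_clone=0` on Debian and Ubuntu kernels, which carry a distribution patch adding that knob and leave root unaffected.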

Chrome OS Flex turns old PCs and Macs into Chromebooks


Bobby Hellard

16 Feb, 2022

Google has announced “early access” to a new version of its Chrome operating system that works on older PCs and Macs. 

Chrome OS Flex is designed for businesses and educational institutions that want to deploy a universal operating system without having to splash out on new hardware. 

The new OS can be installed on a PC or Mac within minutes, according to Google, which adds that it should look and feel identical to the Chrome OS found on a Chromebook, as it is built from the same codebase. Google notes that some features may depend on the age of the hardware, though it did not specify which. 

The technology behind Chrome OS Flex appears to have come from a recent Google acquisition. Neverware, which the tech giant bought at the end of 2020, previously sold the CloudReady service which let users convert old PCs into Chrome OS. Google said that it has been integrating “the benefits of CloudReady into a new version of Chrome OS”. 

Google says Chrome OS Flex will allow IT departments to manage all their machines just like any other Chrome OS hardware. All devices can be managed through Google’s Admin Console, with IT departments able to deploy specific software installs. 

The operating system also comes with built-in security features, including sandboxing, which Google says removes the need for separate antivirus software, and IT controls to prevent data loss on lost or stolen devices. 

How to install Chrome OS Flex

To try Chrome OS Flex, users need to register on the Chrome Enterprise website. A USB drive is all that is required, and setup on a PC or Mac should only take a few minutes. 

From there, there are three steps: create a bootable Chrome OS Flex USB drive; boot from it to try the OS without installing it; then install it to fully replace the existing operating system. The same USB drive can also be used to deploy the OS to further devices on the organisation’s network. 

Zoom’s DocuSign integration lets users sign documents in video calls


Sabina Weston

16 Feb, 2022

Zoom has added a DocuSign integration to its video meetings, allowing users to sign documents within the video conferencing app.

DocuSign eSignature for Zoom is now available for versions of Zoom Desktop 5.7.3 or later. Users can add the extension by logging into their DocuSign and Zoom accounts and installing the DocuSign eSignature App from the Zoom App Marketplace.

Once installed, users send a document via email or SMS and, once in the Zoom meeting, select the relevant document from the “Find your agreement” tab in the app’s right-hand pane and pass control to the signer. 

The integration could be particularly useful for signing legal documents when setting up a business agreement in another country or applying for a visa, which often require the presence of a notary to verify the signer’s identity. However, Zoom Apps & Integrations product lead Ross Mayfield said that the integration is primarily about simplifying the process of signing documents over a video call.

“Employees don’t want to spend their days toggling between countless apps and emails, especially when working with customers or partners. They want tools that streamline workflows and easily enable them to connect and collaborate,” he said, adding that Zoom is “excited about DocuSign eSignature for Zoom as it allows stakeholders to review agreements together in real-time before signing, helping eliminate communication silos and accelerate the completion of agreements”.

In a blog post announcing the integration, DocuSign SVP Jerome Levadoux highlighted the impact of the pandemic-induced shift to remote working.

“The past few years have highlighted the need for agility and better productivity tools to meet the evolving needs of customers. We are excited to partner with Zoom to offer the DocuSign eSignature app for Zoom to make it easier than ever to streamline how we collaborate and come to agreement in the emerging anywhere economy,” he said.

The news comes days after the video conferencing platform released an update to its macOS Monterey client addressing a security issue whereby a Mac’s microphone remained enabled even after a Zoom meeting had ended, leading to users claiming that the app is ‘listening in on them’.

Google Chrome update fixes zero-day under active exploitation


Connor Jones

15 Feb, 2022

Google has released a fresh wave of patches for seven high-severity security issues affecting Google Chrome, including one zero-day vulnerability under active exploitation.

The latest stable build (98.0.4758.102) for Windows, Mac and Linux brings with it a total of 11 security fixes, with many of the highest-severity flaws being use-after-free (UAF) vulnerabilities.

The zero-day, tracked as CVE-2022-0609 and carrying a CVSSv3 score of 9.8/10, is a use-after-free in Chrome’s Animation component which Google says is being exploited in the wild.

The flaw was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group. Few details have been released, but UAF bugs in a browser typically give an attacker a path to memory corruption and arbitrary code execution in unpatched software, and can lead to the takeover of a victim’s machine.

A UAF is a memory-safety bug in the handling of dynamically allocated (heap) memory. A program frees a block but keeps a pointer to it, a so-called dangling pointer, and later reads or writes through that pointer as if the block were still valid.

Because the allocator may hand the freed block out again to satisfy a later allocation, an attacker who can trigger that reuse controls what the stale pointer now points at. In a browser, where JavaScript can allocate objects of chosen sizes on demand, this typically lets the attacker replace the freed object with attacker-controlled data, so a stale function pointer or vtable pointer in the old object can be redirected. That is how a UAF becomes code execution.
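The mechanism in miniature, as an added example that is not Chrome’s code: a made-up animation object holding a function pointer, first with the dangling-pointer bug, then with the pointer cleared on free and every use checked. All names are this example’s own.

```c
/* Added example (not Chrome's code): a use-after-free in miniature, then the
 * fix. The "animation" object and all names are invented for this example. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int frame;
    void (*on_tick)(int frame);  /* function pointer: the classic UAF target */
} Animation;

static void noop_tick(int frame) { (void)frame; }

/* ---- Vulnerable pattern ---------------------------------------------- */
/* A global owner frees the object but leaves the stale pointer in place. */
static Animation *g_current;

void anim_start_unsafe(void) {
    g_current = calloc(1, sizeof *g_current);
    if (g_current) g_current->on_tick = noop_tick;
}

void anim_stop_unsafe(void) {
    free(g_current);             /* BUG: g_current still points at freed memory */
}

/* If this runs after anim_stop_unsafe(), it reads a freed block. Should the
 * allocator have reused that block for data an attacker controls, the
 * attacker chooses the address that on_tick now holds. Never called after
 * stop in this file; -fsanitize=address reports it if you try. */
int anim_tick_unsafe(void) {
    g_current->on_tick(++g_current->frame);
    return g_current->frame;
}

/* ---- Hardened pattern ------------------------------------------------ */
/* One explicit owner; the pointer is nulled on free and every use checks it,
 * so a stale use becomes a handled error instead of memory corruption. */
typedef struct { Animation *anim; } Player;

int player_start(Player *p) {
    if (p->anim) return -1;                  /* refuse double-start */
    p->anim = calloc(1, sizeof *p->anim);
    if (!p->anim) return -1;
    p->anim->on_tick = noop_tick;
    return 0;
}

void player_stop(Player *p) {
    free(p->anim);
    p->anim = NULL;                          /* no dangling pointer survives */
}

/* Returns the new frame number, or -1 if no animation is running. */
int player_tick(Player *p) {
    if (!p->anim) return -1;
    p->anim->on_tick(++p->anim->frame);
    return p->anim->frame;
}

/* Start, tick, stop, tick again: returns what the hardened API says after
 * stop, which must be -1 rather than a read of freed memory. */
int hardened_after_stop(void) {
    Player p = {0};
    if (player_start(&p) != 0) return -2;
    player_tick(&p);
    player_stop(&p);
    return player_tick(&p);
}

int main(void) {
    anim_start_unsafe();
    printf("unsafe tick: frame %d\n", anim_tick_unsafe());
    anim_stop_unsafe();
    /* anim_tick_unsafe() here would be the use-after-free. */

    Player p = {0};
    player_start(&p);
    printf("safe tick: frame %d\n", player_tick(&p));
    player_stop(&p);
    printf("safe tick after stop: %d\n", player_tick(&p));   /* -1 */
    return 0;
}
```

Nulling one pointer is enough only when there is one holder; with several (observer lists, caches, callbacks registered on the object) the fix is an ownership rule, reference counting or weak references, rather than a NULL check. Building the file with `-fsanitize=address` and adding a call to `anim_tick_unsafe()` after `anim_stop_unsafe()` shows what the sanitiser reports for the vulnerable path.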

Most of the other high-severity flaws in this batch are also UAFs, in various components of Chrome: File Manager (CVE-2022-0603), the Webstore API (CVE-2022-0605), ANGLE (CVE-2022-0606) and GPU (CVE-2022-0607).

Also among the high-severity flaws fixed in this build is CVE-2022-0608, an integer overflow in Mojo, Chrome’s inter-process communication layer, reported by Google Project Zero’s Sergei Glazunov. An integer overflow occurs when an arithmetic operation produces a value outside the range that the destination integer type can hold, so the stored result silently wraps around. When the wrapped value is a length, size or index, a bounds check can pass for data that is actually far larger than the buffer it is then copied into.

Depending on where the overflowed value is used, such bugs can lead to memory corruption and code execution, disclosure of data, or simply a crash of the application.
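The length-check form of the bug, as an added example that is not Chrome’s or Mojo’s code: a toy message parser whose 32-bit size arithmetic wraps, beside the corrected check and a generic checked multiply for allocation sizes. The wire format (a 4-byte little-endian count followed by 8-byte elements), the sample messages and all names are assumptions made for this example.

```c
/* Added example (not Chrome's or Mojo's code): an integer overflow in a
 * message-length check, the pattern behind many such bugs in IPC and
 * serialisation code, beside the fixed check. The message format and all
 * names are invented for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed wire format: a 4-byte little-endian element count, followed by
 * that many 8-byte elements. */
#define HDR_BYTES  4u
#define ELEM_BYTES 8u

/* Vulnerable: the arithmetic happens in 32 bits and wraps, so a count of
 * 2^29 makes "needed" come out as 4 and a 12-byte buffer passes the check
 * for what is claimed to be a 4 GiB payload. */
int length_check_vulnerable(uint32_t count, size_t len) {
    uint32_t needed = HDR_BYTES + count * ELEM_BYTES;   /* wraps at count >= 2^29 */
    return needed <= len;
}

/* Fixed: bound the count by what the buffer can hold before multiplying;
 * the division cannot overflow. */
int length_check_fixed(uint32_t count, size_t len) {
    if (len < HDR_BYTES) return 0;
    return count <= (len - HDR_BYTES) / ELEM_BYTES;
}

/* The same idea for the generic "count * element size" allocation: report
 * the overflow instead of allocating a too-small buffer. Returns 1 and sets
 * *out on success, 0 if the product would not fit in size_t. */
int checked_bytes(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return 0;
    *out = count * elem_size;
    return 1;
}

/* Parser using the fixed check. Decodes into out (capacity out_cap) and
 * returns the element count, or -1 if the message is malformed. */
long parse_array(const uint8_t *msg, size_t len, uint64_t *out, size_t out_cap) {
    if (len < HDR_BYTES) return -1;
    uint32_t count = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
                     (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    if (!length_check_fixed(count, len) || count > out_cap) return -1;
    for (uint32_t i = 0; i < count; i++) {
        uint64_t v = 0;
        for (unsigned b = 0; b < ELEM_BYTES; b++)
            v |= (uint64_t)msg[HDR_BYTES + i * ELEM_BYTES + b] << (8 * b);
        out[i] = v;
    }
    return (long)count;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t GOOD_MSG[] = {
    2, 0, 0, 0,                                    /* count = 2 */
    1, 0, 0, 0, 0, 0, 0, 0,                        /* element 0 = 1 */
    0x08, 0x07, 0x06, 0x05, 0x04, 0x03, 0x02, 0x01 /* element 1 = 0x0102030405060708 */
};
static const uint8_t EVIL_MSG[] = {
    0x00, 0x00, 0x00, 0x20,                        /* count = 0x20000000 = 2^29 */
    0, 0, 0, 0, 0, 0, 0, 0                         /* but only one element of data */
};

int main(void) {
    uint64_t items[4];
    printf("vulnerable check accepts EVIL_MSG: %d\n",
           length_check_vulnerable(0x20000000u, sizeof EVIL_MSG));   /* 1 */
    printf("fixed check accepts EVIL_MSG:      %d\n",
           length_check_fixed(0x20000000u, sizeof EVIL_MSG));        /* 0 */
    printf("parse GOOD_MSG -> %ld elements\n",
           parse_array(GOOD_MSG, sizeof GOOD_MSG, items, 4));         /* 2 */
    printf("parse EVIL_MSG -> %ld\n",
           parse_array(EVIL_MSG, sizeof EVIL_MSG, items, 4));         /* -1 */
    return 0;
}
```

The vulnerable check is deliberately kept as a separate function and never followed by a copy, because acting on its verdict with EVIL_MSG would read 4 GiB past a 12-byte buffer. In real code the fix is the same shape: compare counts against the space available rather than computing a total that can wrap, and use a checked multiply (or compiler builtins such as `__builtin_mul_overflow`) wherever a size is derived from untrusted input.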

Google said the update will roll out automatically over the coming days and weeks on all operating systems, but concerned users can update immediately by opening the Chrome menu in the top-right corner of the browser, choosing ‘Help’ and then ‘About Google Chrome’, or by entering ‘chrome://settings/help’ in the address bar.

Microsoft tempts legacy G Suite users with hefty discount


Sabina Weston

15 Feb, 2022

Microsoft is looking to tempt disgruntled legacy G Suite users with a “special offer” that includes a 60% discount on year-long Microsoft 365 Business Basic, Business Standard, or Business Premium subscriptions.

Last month, Google announced that it would give those with free G Suite accounts until 1 July to upgrade their plans to a paid subscription, after which point they will lose access to most of its services. The move could be especially detrimental to small businesses that were able to save up to £13.80 per user per month by not paying for a G Suite, now known as Workspace, account.

Microsoft has seemingly decided to capitalise on Google’s decision, identifying a new group of potential customers who could be seeking a new email account provider, allowing them to also benefit from Microsoft Teams, cloud storage, as well as a suite of Office apps.

“If you’re a small business that’s relied on G Suite legacy free edition, we couldn’t help but notice you might be in the market for a new solution. We’ve got news for you: today, you can get a 60% discount on a 12-month Microsoft 365 Business Basic, Business Standard, or Business Premium subscription, along with the help you need to make the move,” Jared Spataro, corporate vice president for Microsoft 365, announced last week in a blog post.

Small businesses that decide to migrate their data from legacy G Suite to Microsoft 365 will be able to benefit from Microsoft’s Business Assist, which provides expertise and advice for those who are new to the service, ensuring that they make the most out of 365.

Google has since backtracked on its decision to shutter legacy accounts, adding a section to its support page that promises more options for people to keep the data stored in their accounts for free. Although the options won’t include premium features like custom email or multi-account management, this could potentially be subject to change “in the coming months”, the tech giant added. 

The company was not immediately available for comment when reached by CloudPro.

Vodafone taps Oracle for its cloud-native standalone 5G network


Sabina Weston

14 Feb, 2022

Vodafone has announced that it has selected Oracle to provide cloud-native network policy management that will help it progress towards standalone (SA) 5G.

The solution comprises Oracle’s 5G Core Policy Control Function (PCF) and Policy and Charging Rules Function (PCRF), which allow operators to deploy complex network policies across wireless, fixed and cable networks, as well as Internet of Things (IoT) and machine-to-machine (M2M) networks. 

In Vodafone’s case, the solution will supply the data on which Vodafone’s customers can base their choice of the network offering that best fits their needs. This will allow Vodafone to automate and scale to meet the expected growth in 5G subscribers and connected devices, giving a seamless experience across 4G and 5G networks while also smoothly integrating new 5G services such as VR/AR, live streaming and IoT.

Oracle’s senior vice president and general manager of Networks, Andrew Morawski, said that intelligent policy management is the “entryway” to any new opportunities provided by 5G connectivity:

“Our 5G and cloud capabilities are helping Vodafone to build a future-proof network that is automated, easier to scale, simpler to operate, and more cost-effective,” he added.

Commenting on the news, Vodafone UK chief network officer Andrea Dona said that “moving to ‘cloud native’ is a culture shift as much as it is a technology shift for a techcomms company like Vodafone”. 

“Our partners must demonstrate flexibility and agility, as well as aligning to our vision of how technology will augment and support tomorrow’s digital society,” she added.

The news comes days after reports emerged of Virgin Media O2 calling off its Mobile Virtual Network Operator (MVNO) agreement with Vodafone.

Signed in 2019 and implemented only last year, the deal saw Vodafone replace BT in supplying wholesale mobile network services, including both voice and data, to Virgin Mobile and Virgin Media Business. It also provided Virgin Media with full access to Vodafone’s current services and future technologies, including its 5G network, and was set to last until 2026. However, the newly-merged Virgin Media O2 has reportedly informed its bondholders late last week that it has now cancelled the deal.

A spokesperson for Virgin Media O2 declined to comment on the reports.

Zoom users claim macOS app keeps ‘listening’ after meetings end


Connor Jones

14 Feb, 2022

Video conferencing and collaboration platform Zoom has released an update to its macOS client addressing a security issue whereby a Mac’s microphone remained enabled even after a meeting had ended.

Zoom users running the latest version of macOS Monterey had been concerned about the apparent privacy issues since December 2021, according to posts made on the official Zoom community support forums, first reported by The Register.

The issue involved the orange dot in the Mac’s Control Centre appearing, indicating that an application was using the device’s microphone. That app turned out to be Zoom, which was open in the background but not in a meeting.

Numerous replies to the original post echoed concerns about where the audio data was being sent, and confirmed that it was not an isolated case. 

One user appearing to represent Zoom support said the bug was known to Zoom and it was patched in the 5.9.3 version released on 24 January 2022. That said, IT Pro is still waiting to hear from Zoom officially.

The release notes accompanying version 5.9.3 made no explicit mention of the macOS bug, but earlier release notes for version 5.9.1, issued on 20 December 2021, indicated the bug had been fixed, though they gave no explanation of why the bug occurred or what happened to any audio that was captured.

Numerous users also reported the bug persisting even after updating to version 5.9.1 and complaints persisted well into January 2022, long after even the 5.9.3 patch was released. IT Pro will update this story if Zoom provides clarity on the issues.

At the time, users commenting on the community support thread voiced their concerns around privacy, re-iterating their experience with Zoom’s privacy issues in years gone by. One user said: “This is [a] major privacy breach and I am considering dropping Zoom and asking my IT department to replace Zoom with a more secure option”.

Zoom has form here. In 2019 its Mac client was found to install a hidden local web server that let a website drop a visitor into a meeting with their camera on; that incident prompted Apple to roll out a silent update removing the web server from all Macs, following Zoom’s own update to the same end. Apple said at the time that no user intervention was required to apply the update, but IT Pro’s testing at the time showed the issue persisted until the user rebooted their machine.

Zoom also settled with the Federal Trade Commission (FTC) in 2020 over its claims that the platform, used by governments and local authorities during the pandemic, offered end-to-end encryption (E2EE), which turned out to be false.

Microsoft wins contract to build Singapore’s first sovereign cloud


Zach Marzouk

11 Feb, 2022

Singapore’s Home Team Science and Technology agency (HTX) has chosen Microsoft to develop a sovereign cloud to accelerate its digital transformation.

HTX said the agreement will play a key role in helping domestic services, such as the police or civil defence force, to deliver improved safety and security to all citizens, residents, and visitors to the city-state.

The sovereign cloud will be built on Microsoft’s Azure platform and equip HTX with on-demand high-performance cloud computing and data storage resources. It hopes this will help the agency quickly adopt and create new technologies and reduce time-to-market in introducing new digital capabilities.

It added that it will provide home team officers on the ground with real time data to help them respond quicker to incidents and make decisions faster.

“This strategic partnership with Microsoft to develop a sovereign cloud here in Singapore will enable us to push the boundaries of innovation and be in the forefront of technology,” said Chan Tsan, CEO of HTX and deputy secretary of the Ministry of Home Affairs.

“This way, we will be well-poised to exponentially enhance the capabilities of the home team and to keep Singapore as the safest place on the planet.”

Microsoft will also provide training and education as part of the agreement, including 600 training places and certification exams per year for the organisation, which it hopes will advance the technical skills of cloud professionals in Singapore.

“We’re delivering a trusted sovereign cloud that adheres to and meets the needs of the Singapore government – one that will expedite their digital transformation efforts,” said Judson Althoff, executive vice president and chief commercial officer at Microsoft. “Our agreement will enable key technological advancements and provide access to data and insights to help drive change across various communities.”

Although Microsoft does have an Azure cloud region in Singapore, it remains unclear as to where the new sovereign cloud will be housed. Building data centres in the city is still restricted but the government is planning to lift the ban on their construction once new rules placing strict energy efficiency requirements on all new sites come into force.

Almost a quarter of all spam emails were sent from Russia in 2021


Sabina Weston

11 Feb, 2022

A quarter (24.77%) of all spam emails sent in 2021 originated from Russia, with more than half (56%) of all emails being spam messages.

That’s according to Kaspersky’s latest Annual Spam and Phishing Report, which analysed close to 150 million malicious email attachments blocked by the cyber security provider’s antivirus over the course of last year.

Kaspersky identified 10 countries that were responsible for sending out more than three quarters of the world’s spam emails, with Russia and Germany (14.12%) being the most prolific senders.

The US and China came in third and fourth place, at 10.46% and 8.73% respectively. The Netherlands (4.75%) came in fifth place, followed by France (3.57%), Spain (3%) and Brazil (2.41%), Japan (2.36%), and Poland (1.66%).

Compared with 2020, Russia and China saw the largest rises in their share of sent spam, up 3.5 and 2.5 percentage points respectively.

Brazil-based users were most often targeted by phishing attacks, with 12.4% of 2021’s victims being based in the South American country, followed by French, Portuguese, and Mongolian users.

When it came to content, 2021’s spam emails mostly centred around popular topics including money and investment, Bond and Spider-Man movie premieres, and the pandemic, which Tatyana Shcherbakova, security expert at Kaspersky, described as “bread and butter for scammers”.

The most notable COVID-related scams included fictitious financial support schemes and fake COVID vaccination passes and QR codes, Kaspersky found.

“These scams prove to be very efficient as people continue to trust too much of what they see in their inboxes and browsers. We believe it is important to be aware that there are a lot of offers out there that seem ‘too good to be true’,” she said, calling on people “to be cautious when it comes to trusting what’s in their email”.

“This approach may help them save their private data and money,” Shcherbakova added.

Kaspersky’s findings come weeks after Microsoft warned of hackers targeting Microsoft 365 users with a malicious OAuth app that stole authentication tokens, giving them full access to the victim’s email, calendar and contacts.

Microsoft Teams now uses 50% less power than when it first launched


Connor Jones

10 Feb, 2022

Microsoft has said its Teams app now uses 50% less power when running video calls and meetings, thanks to a range of performance improvements it has implemented since 2020. 

Microsoft Teams can be especially demanding for users of low-end devices that lack the adequate hardware processing capabilities of more expensive models, Microsoft said, especially with functions like meetings with multiple video streams or sharing one’s screen with a group.

Ongoing optimisations to the collaboration platform have improved the experiences for many business users and have led to reduced energy costs, Microsoft said, as it outlined the timeline of its optimisation releases over the past few years.

“One of the challenges brought on by the ubiquity of Teams is the need to create equitable experiences across an incredibly diverse Windows device ecosystem,” said Robert Aichner, principal group program manager at Microsoft.

“We’re committed to ensuring great calling and meeting experiences for users on low-end hardware as well as those on high-end workstations and high-resolution monitors. One of the factors we’ve addressed is the difference in power requirements for different customer profiles by ensuring Teams meetings are as energy-efficient as possible, regardless of setup.”

Microsoft measured the improvements by creating a testing framework that accounted for different energy-demanding scenarios, such as video meetings and screen sharing, to evaluate the critical processes associated with them to identify optimisation opportunities. Such processes included content capture, encoding, and rendering.


Over the course of 17 months, Microsoft made changes to these processes, starting with video capture optimisation in October 2020, involving a reduction in CPU load when the camera was enabled. This delivered the most significant performance increase, with a 27% drop in power consumption.

Specifically, Microsoft focused on camera optimisations that targeted reduced CPU load in meetings and reducing code complexity in areas such as auto-exposure, auto-white balance, and auto-aliasing.

This was followed by consolidating multiple screen elements for a single render process in February 2021, which brought an additional 14% decrease in power use. Incremental optimisations made over the following year delivered small improvements, slowly building to a peak performance improvement of 52%.

“Similar to our other performance improvement initiatives, these power consumption improvements are subjected to progressive testing to validate the intended benefits across customers and environments,” said Aichner. “Additionally, we evaluate each new planned Teams feature to ensure existing processing efficiencies are not compromised.

“So while we continue to launch innovative Teams features to help people connect and collaborate in new ways, we’re also dedicated to making sure these experiences are optimised for all users, regardless of their network and devices.”
