HOTTEST

Mozilla has announced today that its highly anticipated VPN (virtual private network) service will launch later this summer, ‘in the next few weeks.’ The product has also been renamed from its original name of Firefox Private Network to its new brand of the “Mozilla VPN.” The name change came after Mozilla expanded the […]

CISA has released an alert about a slate of BlackBerry products affected by the BadAlloc vulnerability, which was spotlighted by Microsoft researchers earlier this year. On Tuesday, BlackBerry released an advisory explaining that its QNX Real Time Operating System — which is used in medical devices, cars, factories and even the International Space Station — can be affected by BadAlloc, which is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. BlackBerry recently boasted that the QNX Real Time Operating System is used in 200 million cars. CISA added that IoT devices, operational technology and some industrial control systems have incorporated QNX Real Time Operating System, making it urgent for measures to be taken to protect systems. BlackBerry released a full list of the affected products.

“A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions,” CISA’s alert said. “At this time, CISA is not aware of active exploitation of this vulnerability. CISA strongly encourages critical infrastructure organizations and other organization developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible.”

The alert goes on to explain that the vulnerability involves an “integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products.” For threat actors to take advantage of the vulnerability, they need to already have “control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation.”
Network access would allow an attacker to remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet, CISA added. The vulnerability affects every BlackBerry program with a dependency on the C runtime library.

CISA warned that since many of the devices affected by the vulnerability are “safety-critical,” the potential for exploitation could risk giving cyberattackers control of systems that manage infrastructure or other critical platforms. “CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible,” the alert said.

“Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch. Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code,” CISA explained, adding that some organizations may have to create their own software patches. Some software updates for RTOS require removing devices or taking them to an off-site location for physical replacement of integrated memory, according to CISA.

BlackBerry said in its own release that they had not yet seen the vulnerability used. The company suggested users of the product ensure that “only ports and protocols used by the application using the RTOS are accessible, blocking all others.” “Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices,” BlackBerry’s notice said.
There are no workarounds for the vulnerability, according to BlackBerry, but they noted that users can reduce the possibility of an attack “by enabling the capability for ASLR to randomize process segment addresses.” The notice includes a number of updates BlackBerry has released to address the vulnerability. Microsoft said in April that BadAlloc covers more than 25 CVEs and potentially affects a wide range of domains, from consumer and medical IoT to Industrial IoT.

On Tuesday, Politico reported on the behind-the-scenes dispute between BlackBerry and US government officials since the BadAlloc vulnerability was disclosed in April. BlackBerry allegedly denied that the vulnerability affected their products and resisted government attempts to release public notices about the problem. BlackBerry didn’t even know how many organizations were using the QNX Real Time Operating System when asked by government officials, forcing them to go along with government efforts to publicize the vulnerability. CISA officials coordinated with affected industries and even the Defense Department on the security notice about the QNX system, according to Politico, which noted that CISA will also brief foreign officials on the vulnerability.

BlackBerry said in June that the QNX royalty revenue backlog has increased to $490 million at the end of its first quarter of fiscal year 2022. The company boasted that it is used in millions of cars made by Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota and Volkswagen.

Apple has supported Macs for many years, but inevitably the day will come when the support plug is pulled, and security patches dry up.
And once that happens, it’s the beginning of the end. And then it’s time for the scrap heap.

Well, if you’re someone who didn’t send their old Mac off to the scrap heap (or, as it would be today, the recycling center), then you might be able to give the system a new lease of life thanks to Google. Yes, you read that right. Google.

Chrome OS Flex is Google’s latest project, and it brings Chrome OS to Macs and PCs. Aimed at businesses and schools, it is currently in the early access stage and has been designed to be installed in minutes and will look and feel the same as Chrome OS. Google has published a certified models list of systems that will run Chrome OS Flex, and on that list are a number of Macs that are either verified to work or will work but with minor issues.
Here’s the listing: Macs supported by Google Chrome OS Flex

We can decipher this list into something a bit more useful, and we can see that they span 2009 to 2015:

iMac 21.5-inch Mid 2010
iMac 21.5-inch Mid 2011/Late 2011
iMac 20-inch Early 2009/Mid 2009
Mac Mini Late 2014
MacBook 13-inch Early 2009/Mid 2009
MacBook 13-inch Late 2009
MacBook 13-inch Mid 2010
MacBook Air 11-inch Mid 2012
MacBook Air 11-inch Mid 2013/Early 2014
MacBook Pro 13-inch Mid 2009
MacBook Pro 13-inch Mid 2012

As you can see, a lot of Macs here going back over a decade. Macs that Apple has long forgotten.

Oh, and Chrome OS Flex also runs on a variety of PCs from vendors ranging from Acer, ASUS, Dell, HP, Microsoft, Toshiba, and many more.

It’s an interesting project and a good way to offer a new lease of life for older Macs. That said, I wonder just how many Macs are still around from the 2009 to 2015 era.

Home Affairs Minister Karen Andrews.
Image: Tracey Nearmy/Getty Images
Home Affairs Minister Karen Andrews introduced three new Bills into Parliament on Thursday, covering the federal government’s ransomware action plan, critical aviation and marine cybersecurity, and mobile phone access in prisons. The first of the three Bills contains criminal law reforms announced in October last year as part of Home Affairs’ ransomware action plan to create tougher penalties for cybercriminals. Chief among these penalties are an increased maximum penalty of 10 years’ imprisonment for cybercriminals that use ransomware and a new maximum penalty of 25 years’ imprisonment for criminals that target Australia’s critical infrastructure. Labelled by Home Affairs Secretary Mike Pezzullo earlier this week as the government’s “offence” against cyber threats, the Bill also seeks to criminalise individuals buying and selling malware for the purpose of committing a computer offence and dealing with stolen data. The Bill, if passed, would also expand law enforcement’s ability to monitor, freeze, and seize ill-gotten gains of criminals to also cover digital assets, including those held by digital currency exchanges. According to Andrews, the reforms are a response to the growing threat of malicious cyber attacks. “This Bill gives Australian law enforcement agencies the legal tools and capabilities they need to pursue and prosecute ransomware gangs and the pervasive threat of ransomware attacks on Australia and Australians,” Andrews said. “The Morrison government will not tolerate attacks on Australia’s critical infrastructure, small businesses, or targeting the most vulnerable members of our community. 
Cybercriminals use ransomware to do Australians real and long-lasting harm.”

When the ransomware action plan was first announced, Andrews said the legislation would sit alongside a mandatory ransomware incident reporting regime, which would require organisations with a turnover of over AU$10 million per year to formally notify government if they experience a cyber attack. Concrete details of the ransomware reporting regime are still yet to surface, however.

The second Bill that was introduced into Parliament by Andrews on Thursday was the Transport Security Amendment (Critical Infrastructure) Bill 2022 (TSACI Bill), which Andrews said is aimed at bolstering the cyber defence of Australia’s airports and seaports. “The aviation and maritime transport sectors that support our economy and way of life are targets for criminals, terrorists, and malicious foreign actors. This is why in times of emergency we must be prepared to protect our critical aviation and maritime sectors,” Andrews said.

Unlike the pair of Critical Infrastructure Bills that already entered Parliament, with the first of them becoming law last year, the TSACI Bill is focused on creating additional reporting requirements for aviation and maritime entities whereas the other two Bills were drafted to generally cover entities across Australia’s 11 designated critical infrastructure sectors. The federal government said critical aviation and maritime needed additional reporting requirements against cyber threats due to the impact of the COVID-19 pandemic, as well as for times of emergency. This includes a new requirement for critical aviation and maritime entities to report cybersecurity incidents to both Home Affairs and the Australian Signals Directorate (ASD). Examples of cybersecurity incidents are malware, phishing, denial of service, and cross-site scripting, the Bill’s explanatory memorandum details.
The new Bill also classifies cybersecurity incidents that have a relevant impact on a critical aviation or maritime asset to be unlawful interference. If the person who created the cybersecurity incident that had a relevant impact is convicted, they could potentially face the tougher penalties proposed in the aforementioned ransomware action plan legislation. A cybersecurity incident will be deemed to have created a relevant impact if it affected the availability, integrity, reliability or confidentiality of information about the asset.

The Bill also seeks to create an “all hazards” reporting framework that will require critical aviation and maritime entities to consider and be resilient to any natural disasters, cyber vulnerabilities, and supply chain disruptions that could impact their ability to provide services. According to the TSACI Bill’s explanatory memorandum, the new reporting requirements align with the reporting requirements contained in the first Critical Infrastructure Bill and work alongside the existing reporting requirements for other types of aviation and maritime security incidents.

The last of three Bills is legislation to assist state and territory corrective services authorities identify, investigate, and prevent illegal mobile phone criminal activity in Australia’s prisons. If passed, the Bill would amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to provide prison authorities with the ability to access telecommunications data to track down illegal mobile phone use activity in prisons. “It is vital for prison authorities to have the powers they need to uncover illicit mobile phones and access their telecommunications data to prevent and prosecute criminal and national security offences inside Australia’s prisons,” Andrews said.
“Australians expect our prison authorities to have the legal powers they need to identify and prosecute an inmate or inmates found to be linked to illegal mobile phones, to stop criminal activity, and to stop inmates establishing criminal networks within our prison system.”

Prior to the prison mobile phone legislation coming before Parliament, Andrews already provided immediate access to these powers to Corrective Services NSW, using her temporary declaration powers under the TIA Act.

Jada Jones/ZDNET

Your AirPods can be your best friend, small enough to stay in your pocket or bag until you need them. But if you like to work out with your AirPods, pushing your slippery earbuds back into your ear can become a particularly intense workout. I’ve found three products to help with this problem — a few dollars spent can revitalize your AirPods experience.

Unfortunately, some people’s ear anatomy simply isn’t compatible with certain earbuds, and the best option may be purchasing from another brand. But if you’re determined to make your AirPods stay in your ear, try these tips first.

1. Detachable ear hooks
Internet of Things
Samsung Spotlights Next-generation IoT Innovations for Retailers at National Retail Federation’s BIG Show 2017
That’s Fantasy! The World’s First Stone Shines And Leads You to The Right Way
LG Pushes Smart Home Appliances To Another Dimension With ‘Deep Learning’ Technology
The Port of Hamburg Embarks on IoT: Air Quality Measurement with Sensors




