TP-Link Archer High Vulnerability

[coxhaus]

Here is a TP-Link security issue. Just glancing it recommends running an older software, but the older software is recommending another software, so I don't really know if there is a fix. Probably a good idea not to run it.

NVD - CVE-2023-31710

nvd.nist.gov

 

[L&LD]

Yes, TP-Link is a security issue. Best not to run in a network you want to be safe within.

 

[Tech9]

Both V3 and V3.6 hardware revisions have newer firmware 230621 available. New AX21 routers are hardware revision v4.6 with different firmware.

My-CVE/TP-Link/CVE-2023-31710 at main · xiaobye-ctf/My-CVE

Contribute to xiaobye-ctf/My-CVE development by creating an account on GitHub.

github.com

 

[coxhaus]

I guess this is another case for not running TP-Link. They expect you to buy new hardware for their software mistakes.

I kind of wonder whether they are really this bad at programming or maybe it will be a good hacking point for some Chinese group to hack which someone else pays for.
Mikrotik seems to have issues also. Bleeping computer just reported almost a million devices have issues. Microsoft reported them about a year or more reported them also. Response is always it is fixed.

Super Admin elevation bug puts 900,000 MikroTik devices at risk

A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected.

www.bleepingcomputer.com

I would have to hunt for the Microsoft one but it is out there.

 

[Tech9]

Simple firmware update is needed, nothing else. A new patched firmware is already available.

 

[coxhaus]

Here is another link reported.

MSN

Multiple botnets exploiting one-year-old TP-Link flaw to hack routers

At least six distinct botnet malware operations are hunting for TP-Link Archer AX21 (AX1800) routers vulnerable to a command injection security issue reported and addressed last year.

www.bleepingcomputer.com

 

[jerry6]

Yes, TP-Link is a security issue. Best not to run in a network you want to be safe within.

is there anything " safe" these days ?

 

[L&LD]

Online, no. But some choices are obviously bad.

IoT, apps, Apple, Google, and even '-Link' devices.

 

[jerry6]

Online, no. But some choices are obviously bad.

IoT, apps, Apple, Google,

LOT apps and google I agree , why Apple ? I thought they were pretty much foolproof semi secure . Granted I have not been up on al security issues the past 4 years , but Apple was considered safe , are there specific issues /

 

[RMerlin]

but Apple was considered safe , are there specific issues

Apple used to be considered "safer" in large part because they weren't a worthy target for hackers looking to hit the largest number of users they can. iPhone changed that. But Apple code is written by the same human beings that write everyone else's code. Humans aren't perfect programmers. Bugs have always exisited, and they always will.

IOS has never been that safe. All these jailbreaks that people used for years with every new IOS update? Keep in mind that for a jailbreak to exist, a security flaw must be present and exploited. That basically means that for a long time, every new major IOS release had at least one major security flaw present that allowed jailbreaking.

Then on top of that we've had issues where just sending a malicious SMS to an iPhone could crash it. That was a few months ago, so fairly recent.

That doesn`t mean IOS is bad. Just that it`s not the perfect solution that fanbois think it is, and it`s just as susceptible to security flaws as any other piece of code out there.

 

[Tech9]

I use both Android and iOS devices. Apple has better screening of apps on App Store and apps are usually better quality or run better on 20 well known hardware devices. Android apps for 1000 known and unknown hardware devices are hit and miss and Google Play unfortunately allows virtually every BS possible including joke apps doing absolutely nothing.

 

[L&LD]

Apple Warns Users in 92 Countries About Mercenary Spyware Attacks

Apple on Wednesday sent threat notifications to users in 92 countries warning that they may have been targeted by mercenary spyware attacks, likely...

www.macrumors.com

https://www.cbc.ca/news/business/apple-security-flaw-full-control-1.6556039

https://www.cbc.ca/news/business/apple-citizen-lab-spyware-security-patch-1.6174215

iOS 16.6.1 fixes a big iPhone security vulnerability used to install Pegasus spyware

Apple managed to patch the issue just a week after Citizen Lab reported it.

www.theverge.com

How to Fix Your iPhone’s Security Flaw (Published 2021)

A guide to updating your phone's software after researchers found that a flaw had infected billions of Apple products.

www.nytimes.com

Apple, for when you want to pay a lit premium to get maximally compromised.

 

[jerry6]

Apple Warns Users in 92 Countries About Mercenary Spyware Attacks

Apple on Wednesday sent threat notifications to users in 92 countries warning that they may have been targeted by mercenary spyware attacks, likely...

www.macrumors.com

https://www.cbc.ca/news/business/apple-security-flaw-full-control-1.6556039

https://www.cbc.ca/news/business/apple-citizen-lab-spyware-security-patch-1.6174215

iOS 16.6.1 fixes a big iPhone security vulnerability used to install Pegasus spyware

Apple managed to patch the issue just a week after Citizen Lab reported it.

www.theverge.com

How to Fix Your iPhone’s Security Flaw (Published 2021)

A guide to updating your phone's software after researchers found that a flaw had infected billions of Apple products.

www.nytimes.com

Apple, for when you want to pay a lit premium to get maximally compromised.

Thanks have a few family members that use apple products .That is what I like about SNB one stop shop , security networking , saves me time used to read 20 dif forums for all the news I get here

 

[sfx2000]

Thanks have a few family members that use apple products .That is what I like about SNB one stop shop , security networking , saves me time used to read 20 dif forums for all the news I get here

Just keep in mind that there are a lot of anti-Apple folks out there that like to take cheap shots when they can...

Apple is actually in a good spot as they control the hardware, tool chain, kernel, and userland - because of their vertical integration across their platforms, they can implement a fix fairly quickly - the downside is that a vuln can impact things across all their platforms - it happens, but not very often.

They're in a much better spot than Windows or Android to be honest, and that is because of the close integration inside their platform.

Every platform out there is under some level of risk - Mac/Windows/Android/Linux/ChromeOS/Android/iOS and all the linux/bsd's out there - and the supposed bastions of security for enterprise networks - Cisco, PaloAlto - they have had their fair share of exploits lately.

Honestly - I think this is a good thing - the fact the people are finding these things, and reporting them - it's all good, as then they can be remediated...

 

[sfx2000]

Android apps for 1000 known and unknown hardware devices are hit and miss and Google Play unfortunately allows virtually every BS possible including joke apps doing absolutely nothing.

GMS and the PlayStore actually have methods and means to patch things to some degree outside of the Vendor and Chipset provider SDK's...

The big risk for Android is side-loading to bypass PlayStore - that and backdooring of bundled apps - good example here is in China, the keyboard app enhancements were recording and sending keystrokes back to Tencent and Baidu and that data was correlated back to the UUID - while that is a concern itself, consider that Tencent runs WeChat...

For some, that's a problem, because when you install and login to WeChat, the first thing it does is hoover up all your contacts and uploads them to the QQ servers...

Let's not not talk about TikTok - it's the same issue as WeChat - but on a larger scale, as it doesn't just look at your contact list, it looks at everything that you post, and they start correlating data based on views and likes...

It's all social media, so I suppose Threads/Instagram/Facebook Messager/Facebook (itself)/X (formerly known as twitter) and all the like, it's similar...

The only difference is the government that they are reporting in to...

Folks talk about the great firewalls of China, Iran, and Russia - but I'm concerned also about what's happening here in the US...

 

[L&LD]

Facts are not cheap shots.

A single entity can more easily hide/ignore known vulnerabilities too, when they control the whole vertical chain. As Apple has been known to do, and Google, and...

The benefits are not proportional to the risks they still impose on their users (of which, they really don't care about).

 

[bluzfanmr1]

12 years ago I began switching over to Apple products for myself and the family. I got tired of broken Windows updates, Windows updates that would take hours, and on and on. Apple stuff just flat out works and integrates so well between devices. There isn't anything I can think of that I have missed out on by using Apple products exclusively. On the odd occasion that I need to do something that is Windows only, I use my dual boot MacBook Air and boot into Windows 11. If that makes me a fanboy, so be it, it doesn't bother me.

 

[RMerlin]

If that makes me a fanboy, so be it, it doesn't bother me.

Preferring Apple products to Microsoft does not make you a fanboy, it just makes you... an Apple product user. Nothing wrong with that.

Fanbois would be people with blind brand devotion, who thinks that everything Apple does is always perfect and everything else is always bad.