Digital pensions platform Penfold raises $8.5M Series A led by Bridford Group

Penfold, a digital pensions platform, has closed a £7m ($8.49m) Series A funding round led by Bridford Group, an investment group.

Also participating in the round was Jeremy Coller, Chief Investment Officer and Chairman of Coller Capital. Penfold also raised additional funding via a crowdfund amongst its customer base. The cash will be used to expand Penfold’s workplace pension division.

Chris Eastwood, Co-Founder at Penfold, commented (in a statement): “It’s been a big year for Penfold – from launching our workplace pension offering, to reaching £100m AUA.”

Bridford Group, lead investor, commented: “The pensions industry represents a huge market – with £8trn in savings in the UK alone. Despite this, many people remain uninterested and unengaged in their pensions. With so many people not saving enough, there’s a real opportunity for a new provider to step in.” 

Telegram app update was held up over iOS-inspired animated emoji


AppleInsider is supported by its audience and may earn commission as an Amazon Associate and affiliate partner on qualifying purchases. These affiliate partnerships do not influence our editorial content.

Apple has approved Telegram’s latest update, but only after the developers removed animated emoji based on Apple’s designs.

On Thursday, CEO Pavel Durov posted that an upcoming app update for Telegram had been stuck in Apple’s review process for two weeks with no explanation.

As it turns out, Apple had taken issue with one new addition: a specific “Telemoji pack.”

Telemoji are animated emoji that are exclusive to the platform. The Telemoji pack in question was heavily inspired by iOS-specific emoji, but featured animations created by Telegram.

“This is a puzzling move on Apple’s behalf, because Telemoji would have brought an entire new dimension to its static low-resolution emoji and would have significantly enriched their ecosystem,” Durov writes in a Telegram post.

After Telegram removed the iOS-themed pack, Apple approved the update, which is now live on the Telegram App Store page.

Durov says that he believes this would be “good for Telegram in the long term” as it would encourage the platform to explore its own in-house style for emoji.

After the FBI raid at Mar-a-Lago, online threats quickly turn into real-world violence

Threats of violence reached a fever pitch reminiscent of the days leading up to the Capitol attack following the news that the FBI raided Trump’s Florida beach club to retrieve classified documents the former president may have unlawfully taken there.

After Trump himself confirmed Monday’s raid at Mar-a-Lago, pro-Trump pundits and politicians rallied around declarations of “war,” and Trump’s ever-fervent supporters called for everything from dismantling the federal law enforcement agency to committing acts of violence against its agents. The situation escalated from there in record time, with online rhetoric boiling over quickly into real-world violence.

By Thursday, an armed man identified as Ricky Shiffer attempted to force his way into an FBI office in Cincinnati, Ohio, brandishing a rifle before fleeing. Law enforcement pursued Shiffer and he was fatally shot during the ensuing standoff with police.

Analysts with the Institute for Strategic Dialogue (ISD), a nonprofit that researches extremism and disinformation, found evidence that Shiffer was driven to commit violence by “conspiratorial beliefs related to former President Trump and the 2020 election… interest in killing federal law enforcement, and the recent search warrant executed at Mar-a-Lago earlier this week.” He was also reportedly present at the January 6 attack — another echo between this week’s escalating online threats and the tensions that culminated in political violence at the Capitol that day.

Shiffer appears to have been active on both Twitter and Truth Social, the platform from Trump’s media company that hosts the former president and his supporters. As Thursday’s attack unfolded, Shiffer appeared to post to Truth Social about how his plan to infiltrate the FBI office by breaking through a ballistic glass barrier with a nailgun had gone awry. “Well, I thought I had a way through bullet proof glass, and I didn’t,” the account posted Thursday morning. “If you don’t hear from me, it is true I tried attacking the F.B.I., and it’ll mean either I was taken off the internet, the F.B.I. got me, or they sent the regular cops…”

In posts on Truth Social, the account implored others to “be ready to kill the enemy” and “kill the FBI on sight” in light of Monday’s raid at Mar-a-Lago. It also urged followers to heed a “call to arms” to arm themselves and prepare for combat. “If you know of any protests or attacks, please post here,” the account posted earlier this week.

By Friday, that account was removed from the platform and a search of Shiffer’s name mostly surfaced content denouncing his actions. “Why did you censor #rickyshiffer‘s profile? So much for #truth and #transparency,” one Truth Social user posted on Friday. Still, online conspiracies around the week’s events remain in wide circulation on Truth Social and elsewhere, blaming antifa for the attack on the Ohio FBI office, accusing the agency of planting documents at Mar-a-Lago and sowing unfounded fears that well-armed IRS agents will descend on Americans in light of Friday’s House passage of the Inflation Reduction Act.

“Violence against law enforcement is not the answer no matter what anybody is upset about or who they’re upset with,” FBI Director Christopher Wray said in light of emerging threats of violence this week. Trump appointed Wray to the role in 2017 after infamously ousting former FBI director James Comey.

Friday is also the five year anniversary of the Unite the Right rally, which saw white nationalists clad in Nazi imagery marching openly through the streets of Charlottesville, Virginia. The ensuing events left 32-year-old protester Heather Heyer dead and sent political shockwaves through a nation that had largely grown complacent about the simmering threat of white supremacist violence.

Roon wants to educate patients with freshly sourced info on their conditions

As individuals try to manage medical information and understand their conditions, many typically turn to Google or WebMD — neither of which does much to verify or provide the latest information. But Roon plans to change this with a medical education platform for vetted information, sourced strictly from doctors, patients, and caregivers.

By curating the data it makes available around individual conditions, Roon is meant to reassure patients and caregivers that it’s accurate and well sourced.

“We do pay lip service to caregivers, but there’s so much more that can and should be done to recognize the important role they play in managing health,” said Roon co-founder Rohan Ramakrishna, who previously worked as a neurosurgeon. “And so when we build this medical canon of information, we take that all into account, so that we can meet the unique needs of both patients and caregivers within any individual condition.”

Along with Ramakrishna are Pinterest’s former heads of marketing, Vikram Bhaskaran, and partner engineering, Arun Ranganathan. They entered the health tech space with Roon hoping to reinvent what it means to receive medical information after working as caregivers themselves.


Bhaskaran and Ranganathan realized it was unnecessarily difficult to look up information about their loved ones’ conditions. After connecting on the idea with Ramakrishna, Roon was born.

“There’s so much medical misinformation… in 2022, it’s crazy that patients don’t have anywhere to go to answer questions,” Bhaskaran told TechCrunch in an interview.

The company claims to be “humanizing medicine” for people who have questions but don’t have a place to turn to.

Roon is meant to provide what they consider “medically vetted” information to caregivers and patients about grave medical conditions. To begin with, they are only providing information related to Glioblastomas, a type of brain tumor, and have 200 active users. The company hopes to expand to include dementia, pediatric cancers and ALS.

“Everything we build starts with actually finding the experts in a condition and really enabling them to create content that is suited for patients and caregivers,” Bhaskaran said.

Someone using the platform is given a medical starter kit — organized information to provide a general understanding of the condition — then they can ask specific questions if it wasn’t already answered on the platform’s FAQ.


Although the company claims that there is little to no competition, obviously anyone can still do a simple Google search and receive information (although it may not be as concise) or turn to WebMD (which aggregates and summarizes information). One thing the founders also emphasized to TechCrunch was that doctors typically spend time answering the basic questions and not delving fully into the condition — though for the patient and caregiver their doctor can still be a source of information.

For a deeper look at a given condition, patients and caregivers may want to hear directly from today’s specialists, as well as others who can share their experience firsthand. That’s the curated content Roon hopes to make available.

Despite being a little over a year old, the company has garnered support in the form of a $7.5 million Seed Round led by FirstMark, TMV and Sequoia, with participation from SV Angel, Maverson and M13. The company also secured 11 angel investors and four advisors.

For now the company says they are being “a little bit vague on where we’re heading because we’ve had some big insights about how we take this, but all pieces of it will get better.” However, the founders told TechCrunch this round’s funds will be used to expand their team and begin implementing more condition information.

“There’s all this time, energy and money being spent on making shopping easier,” Ramakrishna said. “What if we could spend that same amount of energy and ingenuity in making the experience of health so much better?”

It might be time for companies in San Francisco to call employees’ bluff

Spend any amount of time in New York, and you’ll feel it. Manhattan and Brooklyn are teeming with activity. It’s electrifying to be there after years spent relatively locked down.

The question, and one asked this week by the San Francisco Chronicle, is why San Francisco isn’t bouncing back in the same way.

As reporter Roland Li writes: “There’s always been a disparity — New York has 10 times the population of San Francisco — but the coastal tourism and economic hubs have diverged in striking ways as they recover from the pandemic.”

Consider, writes Li, that while the construction of major commercial property projects in Manhattan was completed during the pandemic — and while much of that new office space is almost fully leased — over in San Francisco, projects have stalled and a lot of existing buildings are struggling to find tenants.

One possible way to fill those buildings is to convert them into housing. Wall Street, Li observes, has been doing exactly that for decades. But while in New York, there is clear demand for housing, with rents rising to record prices even now, in San Francisco, it’s not as plain that enough people would — at this very point in time — rent converted office space, even if it were made available.

According to a story today in the Real Deal, new data published by the commercial research company Yardi states that San Francisco is right now the least competitive housing market in all of California, with only seven would-be tenants per vacant apartment, compared with double that number in neighboring Silicon Valley and the East Bay.

It’s not all doom and gloom for San Francisco. Yardi’s research notes that the city’s occupancy rate rose to 93% in the second quarter, compared with 89% a year earlier. Also, apartments rented eight days faster at an average of 41 days.

Still, work-from-home policies are clearly having a major impact on where people live, and many Bay Area employees who could flee the region’s high prices have. (California — led by San Francisco, and followed by Los Angeles — lost more than 352,000 residents between April 2020 and January 2022, according to California Department of Finance statistics.)

Indeed, in his piece, Li partly draws a line between the “jarring crowds” on New York’s city streets to April of last year, when then-Mayor Bill de Blasio announced that city workers would soon be going back to the office, a move quickly followed by private companies.

Called back by employers, New Yorkers who’d left during the pandemic suddenly found themselves looking anew for housing, if even to spend just two or three days in the office.

The gambit continues to work, seemingly. The Partnership for New York City, which says it surveyed more than 160 employers between a two-week period in late April and early May, found that 38% of their Manhattan workers are now back in the office on the average weekday, while 28% are fully remote. Meanwhile average attendance is expected to rise to 49% next month.

That doesn’t mean employees are back full time. They might never be, given that even the loudest critics of remote work have been forced to soften their stance, including JPMorgan Chase CEO Jamie Dimon. As Bloomberg reported in May, Dimon told shareholders in April that working from home “will become more permanent in American business” and estimated that about 40% of his 270,000-person workforce would work under a hybrid model. Soon after, a senior tech executive from the bank told some teams they could spend two and not three days back in the office if they wanted, based on internal feedback.

Those two to three days a week could be saving New York, and it may be time for more San Francisco employers to consider doing the same. Small businesses in San Francisco are increasingly desperate for the economic activity; even if civic duty isn’t top of mind for local tech companies, there continues to be a strong argument that hybrid settings allow employees to enjoy a better work-life balance, more camaraderie with their colleagues, and also to get ahead in their careers.

As for those who might blame San Francisco’s inability to fully bounce back on its lack of affordable housing, there’s no question the city is self-sabotaging on this front. In San Francisco, “instead of bright-line rules, where a developer knows I’m allowed to build this here, everything is a negotiation and every project proceeds on an ad hoc basis,” Jenny Schuetz, a housing economist at the Brookings Institution, told The Atlantic in May.

But forever abandoning return-to-office plans probably won’t solve the problem. Meanwhile, two-and-a-half years after Covid sent everyone packing, and amid a slowing U.S. economy that’s making job hopping less viable, it might be time for more outfits to talk with their employees, ask them to come together in person two to three times a week, and see what happens.

It’s not their responsibility to “fix” San Francisco. At the same time, there might not be much left to come back to if they wait too long.

Daily Crunch: Samsung’s vice chairman receives presidential pardon for bribery conviction


Last night was a full moon, somehow it’s already halfway through August, and did you know there’s a Beach Plum LaCroix flavor? The world’s gone topsy-turvy, but at least it’s time for the weekend.

What did you do this week that made you feel alive? Can you do more of that next week? And that concludes our microtherapy session. Now, let’s get on with the news.  — Christine and Haje

The TechCrunch Top 3

  • Pardon me: A presidential pardon is restoring Samsung’s vice chairman Jay Lee’s ability to take the company’s helm. Lee had been convicted on bribery charges in 2017, and the pardon will erase it, Kate writes.
  • 5G begets 4G: Yeah, you read that right. Amazon launched AWS Private 5G so companies can build their own 4G networks…for now, Paul writes. This is something that has been in the works since late 2021, and the company said eventually there will be capabilities for 5G networks.
  • Location obliteration: Natasha L explains how Google was fined $40 million by Australia’s government, which found the tech giant had misled consumers about its Android location tracking settings.

Startups and VC

Don’t miss Brian’s Actuator newsletter, which is usually all about the state of hardware and robotics, but today is mostly about Amazon and iRobot.

And for your daily dose of levity, don’t miss Amanda’s excellent piece of satire: FWD: fwd: From the CEO: BeCareful while you BeReal!

A few more highlights:

What does the future look like for e-commerce aggregators?


In the video game Katamari Damacy, players control an avatar who rolls a sticky ball that captures anything it touches. The goal: create a sphere large enough to become a star or moon.

E-commerce aggregators work in much the same way by purchasing smaller brands, then optimizing their manufacturing and sales channels to boost market share.

This model was effective in a prevaccine era when consumers stopped visiting stores, but is the brand-rollup model still viable today?

“Decreased consumer confidence, inflated brand value and a freeze in investment capital are creating a perfect storm,” says David Wright, co-founder and CEO of e-commerce accelerator Pattern. “Unless aggregators change how they operate, their future is bleak at best and nonexistent at worst.”


Big Tech Inc.

Have you seen these ransomware group members? The U.S. government is offering $10 million in exchange for information leading to the identification and location of members of the Russia-based Conti ransomware operative, Carly writes.

Speaking of alleged fraudulent behavior, Manish writes about India’s anti-money-laundering agency freezing $46.4 million in assets belonging to Singapore-based crypto exchange Vauld while it looks into the company’s business practices.

Meanwhile, Brian looks into what’s happening over at Boston Dynamics after being acquired by Hyundai in 2020, which includes a new artificial intelligence and robotics institute buoyed by $400 million.

Patch Madness: Vendor Bug Advisories Are Broken, So Broken

BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.

That’s the argument that Brian Gorenc and Dustin Childs, both with Trend Micro’s Zero Day Initiative (ZDI), made from the stage of Black Hat USA during their session, “Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories.”

ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. Over the course of that time, ZDI communications manager Childs said that he’s noticed a disturbing trend, which is a decrease in patch quality and reduction of communications surrounding security updates.

“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”

The Trouble With CVSS Scores & Patching Priority

Most cybersecurity teams are understaffed and under pressure, and the mantra “always keep all software versions up-to-date” doesn’t always make sense for departments that simply don’t have the resources to cover the waterfront. That’s why prioritizing which patches to apply according to their severity rating in the Common Vulnerability Scoring System (CVSS) has become a fallback for many admins.

Childs noted, however, that this approach is deeply flawed, and can lead to resources being spent on bugs that are unlikely to ever be exploited. That’s because there’s a host of critical information that the CVSS score doesn’t provide.

“All too often, enterprises look no further than the CVSS base score to determine patching priority,” he said. “But the CVSS doesn’t really look at exploitability, or whether a vulnerability is likely to be used in the wild. The CVSS doesn’t tell you if the bug exists in 15 systems or in 15 million systems. And it doesn’t say whether or not it’s in publicly accessible servers.”

He added, “And most importantly, it doesn’t say whether or not the bug is present in a system that’s critical to your specific enterprise.”

Thus, even though a bug might carry a critical rating of 10 out of 10 on the CVSS scale, its true impact may be much less concerning than that critical label would indicate.

“An unauthenticated remote code execution (RCE) bug in an email server like Microsoft Exchange is going to generate a lot of interest from exploit writers,” he said. “An unauthenticated RCE bug in an email server like Squirrel Mail is probably not going to generate as much attention.”

To fill in the contextual gaps, security teams often turn to vendor advisories – which, Childs noted, have their own glaring problem: They often practice security through obscurity.

Microsoft Patch Tuesday Advisories Lack Details

In 2021, Microsoft made the decision to remove executive summaries from security update guides, instead informing users that CVSS scores would be sufficient for prioritization – a change that Childs blasted.

“The change removes the context that’s needed to determine risk,” he said. “For example, does an information-disclosure bug dump random memory or PII? Or for a security-feature bypass, what is being bypassed? The information in these writeups is inconsistent and of varying quality, despite near universal criticism of the change.”

In addition to Microsoft either “removing or obscuring information in updates that used to produce clear guidance,” it’s also now more difficult to determine basic Patch Tuesday information, such as how many bugs are patched each month.

“Now you have to count yourself, and it’s actually one of the hardest things I do,” Childs noted.

Also, the information about how many vulnerabilities are under active attack or publicly known is still available, but buried in the bulletins now.

“As an example, with 121 CVEs being patched this month, it’s kind of hard to dig through all of them to look for which ones are under active attack,” Childs said. “Instead, people now rely on other sources of information like blogs and press articles, rather than what should be authoritative information from the vendor to help determine risk.”

It should be noted that Microsoft has doubled down on the change. In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft’s Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information, she said.

The goal is to give security administrators enough time to apply the patch without jeopardizing them, Gupta said. “If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers,” she said.

Other Vendors Practice Obscurity

Microsoft is hardly alone in providing scant details in bug disclosures. Childs said that many vendors don’t provide CVEs at all when they release an update.

“They just say the update fixes several security issues,” he explained. “How many? What’s the severity? What’s the exploitability? We even had a vendor recently say to us specifically, we do not publish public advisories on security issues. That’s a bold move.”

In addition, some vendors put advisories behind paywalls or support contracts, further obscuring their risk. Or, they combine multiple bug reports into a single CVE, despite the common perception that a CVE represents a single unique vulnerability.

“This leads to possibly skewing your risk calculation,” he said. “For instance, if you look at buying a product, and you see 10 CVEs that have been patched in a certain amount of time, you may come up with one conclusion of the risk from this new product. However, if you knew those 10 CVEs were based on 100+ bug reports, you might come to a different conclusion.”

Placebo Patches Plague Prioritization

Beyond the disclosure problem, security teams also face troubles with the patches themselves. “Placebo patches,” which are “fixes” that actually make no effective code changes, are not uncommon, according to Childs.

“So that bug is still there and exploitable to threat actors, except now they’ve been informed of it,” he said. “There are many reasons why this could happen, but it does happen – bugs so nice we patch them twice.”

There are also often patches that are incomplete; in fact, in the ZDI program, a full 10% to 20% of the bugs researchers analyze are the direct result of a faulty or incomplete patch.

Childs used the example of an integer overflow issue in Adobe Reader leading to undersized heap allocation, which results in a buffer overflow when too much data is written to it.

“We expected Adobe to make the fix by setting any value over a certain point to be bad,” Childs said. “But that’s not what we saw, and within 60 minutes of the rollout, there was a patch bypass and they had to patch again. Reruns aren’t just for TV shows.”
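The Adobe Reader example above is the classic shape of an integer-overflow-to-heap-overflow bug: an attacker-controlled element count is multiplied by an element size in 32-bit arithmetic, the product wraps to a small number, the allocation is undersized, and the follow-on copy of the full amount of data runs off the end of the buffer. The following C program is an added illustration written for this page, not code from Adobe, ZDI or the talk; the record format (a 4-byte little-endian count followed by count * 4 bytes of payload) and the sample records are constructed for the example, and the 32-bit build is modelled by doing the size arithmetic in `uint32_t`. It shows the unchecked size calculation beside the bounds check the talk says was expected ("any value over a certain point is bad"), and a hardened parser that applies it. The overrun is computed, never performed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record format (constructed for this example): a 4-byte
 * little-endian element count followed by count * ELEM_SIZE bytes of payload.
 * Doing the size arithmetic in uint32_t models a 32-bit build. */
#define ELEM_SIZE 4u
#define MAX_ELEMS (UINT32_MAX / ELEM_SIZE)

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Before: the multiply wraps in 32 bits, so count 0x40000001 yields size 4. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * ELEM_SIZE;
}

/* How far a copy of count * ELEM_SIZE bytes would run past an allocation of
 * unchecked_alloc_size(count) bytes. Computed only; no copy is performed. */
uint64_t overflow_bytes_unchecked(uint32_t count) {
    uint64_t needed = (uint64_t)count * ELEM_SIZE;
    uint64_t alloc = unchecked_alloc_size(count);
    return needed > alloc ? needed - alloc : 0;
}

/* After: reject any count whose byte size cannot be represented, i.e. the
 * "any value over a certain point is bad" check. Returns 0 on rejection; a
 * valid size is never 0 because a zero count is rejected as well. */
uint32_t checked_alloc_size(uint32_t count) {
    if (count == 0 || count > MAX_ELEMS) return 0;
    return count * ELEM_SIZE;
}

/* Hardened parser: allocates only a representable size and also confirms the
 * record actually carries that many payload bytes. Caller frees the result. */
uint32_t *parse_elements(const uint8_t *rec, size_t rec_len, uint32_t *count_out) {
    if (rec_len < 4) return NULL;
    uint32_t count = read_le32(rec);
    uint32_t size = checked_alloc_size(count);
    if (size == 0 || rec_len - 4 < size) return NULL;
    uint32_t *buf = malloc(size);
    if (!buf) return NULL;
    memcpy(buf, rec + 4, size);
    *count_out = count;
    return buf;
}

/* Constructed sample records. */
static const uint8_t GOOD_REC[] = { 0x02, 0, 0, 0,  1, 0, 0, 0,  2, 0, 0, 0 };  /* count 2 */
static const uint8_t BAD_REC[]  = { 0x01, 0, 0, 0x40,  0xAA, 0xAA, 0xAA, 0xAA }; /* count 0x40000001 */

/* Returns 1 if the hardened parser accepts GOOD_REC and rejects BAD_REC. */
int demo_parser(void) {
    uint32_t n = 0;
    uint32_t *good = parse_elements(GOOD_REC, sizeof GOOD_REC, &n);
    int ok = good != NULL && n == 2 && memcmp(good, GOOD_REC + 4, 8) == 0;
    free(good);
    uint32_t *bad = parse_elements(BAD_REC, sizeof BAD_REC, &n);
    ok = ok && bad == NULL;
    free(bad);
    return ok;
}

int main(void) {
    uint32_t c = 0x40000001u;
    printf("count %#x: unchecked size %u, copy would overrun by %llu bytes; "
           "checked size %u (0 = rejected)\n",
           (unsigned)c, (unsigned)unchecked_alloc_size(c),
           (unsigned long long)overflow_bytes_unchecked(c),
           (unsigned)checked_alloc_size(c));
    printf("hardened parser demo: %s\n", demo_parser() ? "ok" : "FAILED");
    return 0;
}
```

The point of the `checked_alloc_size` bound is that it is a property of the size arithmetic, not of any particular file, which is why a fix that only blacklists the one count seen in the reporter's proof of concept tends to produce the "patch bypass within 60 minutes" the talk describes. When reviewing a vendor's fix for a bug of this shape, the thing to look for is that the check rejects the whole unrepresentable range.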

How to Combat Patch Prioritization Woes

Ultimately when it comes to patch prioritization, effective patch management and risk calculation boils down to identifying high-value software targets within the organization as well as using third-party sources to narrow down which patches would be the most important for any given environment, the researchers noted.

However, the issue of post-disclosure nimbleness is another key area for organizations to focus on.

According to Gorenc, senior director at ZDI, cybercriminals waste no time integrating vulns with large attack surfaces into their ransomware tool sets or their exploit kits, looking to weaponize newly disclosed flaws before companies have time to patch. These so-called n-day bugs are catnip to attackers, who on average can reverse-engineer a bug in as little as 48 hours.

“For the most part, the offensive community is using n-day vulnerabilities that have public patches available,” Gorenc said. “It’s important for us to understand at disclosure if a bug is actually going to be weaponized, but most vendors do not provide information regarding exploitability.”

Thus, enterprise risk assessments need to be dynamic enough to change post-disclosure, and security teams should monitor threat intelligence sources to understand when a bug is integrated into an exploit kit or ransomware, or when an exploit is released online.

Ancillary to that, an important timeline for enterprises to consider is how long it takes to actually roll out a patch across the organization, and whether there are emergency resources that can be brought to bear if necessary.

“When changes occur to the threat landscape (patch revisions, public proof-of-concepts, and exploit releases), enterprises should be shifting their resources to meet the need and combat the latest risks,” Gorenc explained. “Not just the latest publicized and named vulnerability. Observe what’s going on in the threat landscape, orient your resources, and decide when to act.”
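The two threads of the talk, the context a CVSS base score omits (exploitability and in-the-wild use, exposure, prevalence, criticality to your enterprise) and the advice to re-rank as the threat landscape changes, can be put together in a small prioritization routine. The following C program is an added example written for this page, not a tool from ZDI, Trend Micro or the speakers; the vulnerability records, their labels and the multiplier weights are constructed assumptions chosen to make the effect visible, not a standard. It scores an inventory, ranks it, and shows how one threat-intelligence event (an exploit being released for a bug) reorders the list.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The context a CVSS base score leaves out: exploitability and in-the-wild
 * use, exposure, prevalence, and whether the host matters to this enterprise. */
typedef struct {
    const char *id;         /* constructed label, not a real CVE number */
    double cvss_base;       /* 0.0 to 10.0 */
    int known_exploited;    /* threat intel: used in the wild or in an exploit kit */
    int public_exploit;     /* public proof-of-concept or n-day exploit exists */
    int internet_exposed;   /* reachable from untrusted networks */
    int business_critical;  /* sits on a system critical to this enterprise */
    unsigned instances;     /* how many systems in the estate carry the bug */
} vuln_t;

/* Weights are illustrative assumptions for this example. */
double priority_score(const vuln_t *v) {
    if (v->instances == 0) return 0.0;          /* not present: nothing to patch */
    double s = v->cvss_base;
    if (v->known_exploited)      s *= 2.0;      /* active exploitation dominates */
    else if (v->public_exploit)  s *= 1.5;
    if (v->internet_exposed)     s *= 1.5;
    if (v->business_critical)    s *= 1.5;
    /* breadth: +10% per order of magnitude of affected systems */
    double breadth = 1.0;
    for (unsigned n = v->instances; n >= 10; n /= 10) breadth += 0.1;
    return s * breadth;
}

static int by_priority_desc(const void *a, const void *b) {
    double pa = priority_score(a), pb = priority_score(b);
    return (pa < pb) - (pa > pb);   /* highest score first */
}

/* Sorts the list in place, highest priority first. */
void rank_vulns(vuln_t *list, size_t n) {
    qsort(list, n, sizeof *list, by_priority_desc);
}

/* Post-disclosure update: threat intel reports the bug is now exploited. */
void mark_exploited(vuln_t *list, size_t n, const char *id) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(list[i].id, id) == 0) list[i].known_exploited = 1;
}

/* Constructed sample inventory. */
static const vuln_t SAMPLE[] = {
    { "VULN-A", 10.0, 0, 0, 0, 0, 1500 },  /* CVSS 10, no exploit, internal, widespread */
    { "VULN-B",  7.5, 1, 1, 1, 1, 3 },     /* CVSS 7.5 but exploited, exposed, critical */
    { "VULN-C",  9.8, 0, 1, 1, 0, 0 },     /* not present in this estate */
    { "VULN-D",  8.8, 0, 1, 0, 1, 1500 },  /* public PoC, critical hosts, widespread */
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Ranks a copy of the sample; returns the id at `pos`, or NULL if out of range. */
const char *ranked_id(size_t pos) {
    vuln_t work[SAMPLE_N];
    memcpy(work, SAMPLE, sizeof SAMPLE);
    rank_vulns(work, SAMPLE_N);
    return pos < SAMPLE_N ? work[pos].id : NULL;
}

/* Same, after an exploit release for `id` is observed in threat intel. */
const char *ranked_id_after_exploit(const char *id, size_t pos) {
    vuln_t work[SAMPLE_N];
    memcpy(work, SAMPLE, sizeof SAMPLE);
    mark_exploited(work, SAMPLE_N, id);
    rank_vulns(work, SAMPLE_N);
    return pos < SAMPLE_N ? work[pos].id : NULL;
}

int main(void) {
    vuln_t work[SAMPLE_N];
    memcpy(work, SAMPLE, sizeof SAMPLE);
    rank_vulns(work, SAMPLE_N);
    puts("initial ranking:");
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("  %-7s cvss %4.1f  priority %6.2f\n",
               work[i].id, work[i].cvss_base, priority_score(&work[i]));
    mark_exploited(work, SAMPLE_N, "VULN-A");
    rank_vulns(work, SAMPLE_N);
    puts("after an exploit is released for VULN-A:");
    for (size_t i = 0; i < SAMPLE_N; i++)
        printf("  %-7s priority %6.2f\n", work[i].id, priority_score(&work[i]));
    return 0;
}
```

On the constructed inventory the CVSS 10 bug ranks third behind a CVSS 7.5 bug that is exploited, internet-facing and on critical systems, and moves to second only once threat intelligence reports it exploited; a bug that is not installed anywhere scores zero regardless of its rating. The specific weights matter less than the structure: a CVSS base score is one input, the exposure and criticality fields come from the organization's own asset inventory, and the exploitation flags are the third-party feed that has to be re-read after disclosure.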

Apple shares first look at 'Lessons in Chemistry'



The upcoming Apple TV+ series “Lessons in Chemistry” is set to hit the streaming platform in 2023.

Apple on Friday shared a first look at upcoming drama series “Lessons in Chemistry.”

“Lessons in Chemistry” is set in the 1950s, when a young, aspiring scientist named Elizabeth Zott (Larson) is fired from her lab after finding out she’s pregnant. She takes a job as a host on a cooking show and winds up teaching her audience more than just recipes.

Starring alongside Larson are actors Lewis Pullman (“Top Gun: Maverick”), Aja Naomi King (“How to Get Away with Murder”), Stephanie Koenig (“The Flight Attendant”), Patrick Walker (“The Last Days of Ptolemy Grey”), Thomas Mann (“Winning Time: The Rise of the Lakers Dynasty”), Kevin Sussman (“The Big Bang Theory”), and Beau Bridges (“Homeland”).

“Lessons in Chemistry” joins a growing slate of Apple TV+ dramas, including highly praised workplace drama “Severance,” and sci-fi alt-reality drama “For All Mankind.”

Zoom installer flaw can give attackers root access to your Mac



A security researcher has discovered a flaw in Zoom on macOS that could allow attackers to gain root access and control the entire operating system — and the issue has yet to be fully fixed.

Patrick Wardle, a veteran security researcher who formerly worked for the NSA, shared his findings in a presentation at the Defcon conference in Las Vegas on Friday, according to The Verge.

The attack works by leveraging the Zoom for macOS installer, which requires special user permissions to be able to install or uninstall Zoom from a Mac. More specifically, Wardle discovered that the installer has an auto-update function that continues to run in the background with elevated privileges.

Whenever Zoom issued an update to its video conferencing platform, the auto-updater would install the update after checking that it was legitimate. However, a flaw in the cryptographic verification method meant that an attacker could trick the updater into thinking a malicious file was signed by Zoom.

Since the updater runs with superuser privileges, Wardle found that an attacker could run any sort of program through the update function — and gain those privileges. And, Zoom let the flaw exist for months.

“To me that was kind of problematic because not only did I report the bugs to Zoom, I also reported mistakes and how to fix the code,” Wardle said to The Verge. “So it was really frustrating to wait, what, six, seven, eight months, knowing that all Mac versions of Zoom were sitting on users’ computers vulnerable.”

As a privilege escalation attack, the flaw could allow attackers to gain “root” or “superuser” privileges on a Mac. In theory, that could allow them to add, remove, or modify any file on the machine.

Although Zoom issued an initial patch ahead of the event, Wardle said that the update contained another bug that could have allowed attackers to continue exploiting the flaw.

He soon disclosed the second bug and waited eight months to publish his own research.

A few months before the Defcon conference in August, Wardle says that Zoom issued another patch that fixed the bugs he initially discovered. However, this latest patch still contains errors that could allow an attacker to leverage the flaw.

The second bug is currently still active in the latest update for Zoom. It’s apparently easy to fix, so Wardle hopes that talking about it publicly at Defcon will get Zoom to quickly issue a patch.

How to protect yourself

Since the flaw is currently still present in the latest version of Zoom, the only way to completely mitigate it is to stop using the Zoom installer. You can also go one step further and delete the installer from your Applications folder in macOS.

Users who still require Zoom access can download the Mac App Store version of the app. Alternatively, you can also join Zoom meetings from most standard web browsers.

Patch Madness: Vendor Bug Advisories Are Broken, So Broken

BLACK HAT USA – Las Vegas – Keeping up with security-vulnerability patching is challenging at best, but prioritizing which bugs to focus on has become more difficult than ever before, thanks to context-lacking CVSS scores, muddy vendor advisories, and incomplete fixes that leave admins with a false sense of security.

That’s the argument that Brian Gorenc and Dustin Childs, both with Trend Micro’s Zero Day Initiative (ZDI), made from the stage of Black Hat USA during their session, “Calculating Risk in the Era of Obscurity: Reading Between the Lines of Security Advisories.”

ZDI has disclosed more than 10,000 vulnerabilities to vendors across the industry since 2005. ZDI communications manager Childs said that over that time he has noticed a disturbing trend: a decrease in patch quality and a reduction in communications surrounding security updates.

“The real problem arises when vendors release faulty patches, or inaccurate and incomplete information about those patches that can cause enterprises to miscalculate their risk,” he noted. “Faulty patches can also be a boon to exploit writers, as ‘n-days’ are much easier to use than zero-days.”

The Trouble With CVSS Scores & Patching Priority

Most cybersecurity teams are understaffed and under pressure, and the mantra “always keep all software versions up-to-date” doesn’t always make sense for departments who simply don’t have the resources to cover the waterfront. That’s why prioritizing which patches to apply according to their severity rating in the Common Vulnerability Scoring System (CVSS) has become a fallback for many admins.

Childs noted, however, that this approach is deeply flawed, and can lead to resources being spent on bugs that are unlikely to ever be exploited. That’s because there’s a host of critical information that the CVSS score doesn’t provide.

“All too often, enterprises look no further than the CVSS base score to determine patching priority,” he said. “But the CVSS doesn’t really look at exploitability, or whether a vulnerability is likely to be used in the wild. The CVSS doesn’t tell you if the bug exists in 15 systems or in 15 million systems. And it doesn’t say whether or not it’s in publicly accessible servers.”

He added, “And most importantly, it doesn’t say whether or not the bug is present in a system that’s critical to your specific enterprise.”

Thus, even though a bug might carry a critical rating of 10 out of 10 on the CVSS scale, its true impact may be much less concerning than that critical label would indicate.

“An unauthenticated remote code execution (RCE) bug in an email server like Microsoft Exchange is going to generate a lot of interest from exploit writers,” he said. “An unauthenticated RCE bug in an email server like SquirrelMail is probably not going to generate as much attention.”

To fill in the contextual gaps, security teams often turn to vendor advisories – which, Childs noted, have their own glaring problem: They often practice security through obscurity.

Microsoft Patch Tuesday Advisories Lack Details

In 2021, Microsoft made the decision to remove executive summaries from security update guides, instead informing users that CVSS scores would be sufficient for prioritization – a change that Childs blasted.

“The change removes the context that’s needed to determine risk,” he said. “For example, does an information-disclosure bug dump random memory or PII? Or for a security-feature bypass, what is being bypassed? The information in these writeups is inconsistent and of varying quality, despite near universal criticism of the change.”

In addition to Microsoft either “removing or obscuring information in updates that used to produce clear guidance,” it’s also now more difficult to determine basic Patch Tuesday information, such as how many bugs are patched each month.

“Now you have to count yourself, and it’s actually one of the hardest things I do,” Childs noted.

Also, the information about how many vulnerabilities are under active attack or publicly known is still available, but buried in the bulletins now.

“As an example, with 121 CVEs being patched this month, it’s kind of hard to dig through all of them to look for which ones are under active attack,” Childs said. “Instead, people now rely on other sources of information like blogs and press articles, rather than what should be authoritative information from the vendor to help determine risk.”

It should be noted that Microsoft has doubled down on the change. In a conversation with Dark Reading at Black Hat USA, the corporate vice president of Microsoft’s Security Response Center, Aanchal Gupta, said the company has consciously decided to limit the information it provides initially with its CVEs to protect users. While Microsoft CVEs provide information on the severity of the bug, and the likelihood of it being exploited (and whether it is being actively exploited), the company will be judicious about how it releases vulnerability exploit information, she said.

The goal is to give security administrators enough time to apply the patch without jeopardizing them, Gupta said. “If, in our CVE, we provided all the details of how vulnerabilities can be exploited, we will be zero-daying our customers,” she said.

Other Vendors Practice Obscurity

Microsoft is hardly alone in providing scant details in bug disclosures. Childs said that many vendors don’t provide CVEs at all when they release an update.

“They just say the update fixes several security issues,” he explained. “How many? What’s the severity? What’s the exploitability? We even had a vendor recently say to us specifically, we do not publish public advisories on security issues. That’s a bold move.”

In addition, some vendors put advisories behind paywalls or support contracts, further obscuring their risk. Or, they combine multiple bug reports into a single CVE, despite the common perception that a CVE represents a single unique vulnerability.

“This leads to possibly skewing your risk calculation,” he said. “For instance, if you look at buying a product, and you see 10 CVEs that have been patched in a certain amount of time, you may come up with one conclusion of the risk from this new product. However, if you knew those 10 CVEs were based on 100+ bug reports, you might come to a different conclusion.”

Placebo Patches Plague Prioritization

Beyond the disclosure problem, security teams also face troubles with the patches themselves. “Placebo patches,” which are “fixes” that actually make no effective code changes, are not uncommon, according to Childs.

“So that bug is still there and exploitable to threat actors, except now they’ve been informed of it,” he said. “There are many reasons why this could happen, but it does happen – bugs so nice we patch them twice.”

There are also often patches that are incomplete; in fact, in the ZDI program, a full 10% to 20% of the bugs researchers analyze are the direct result of a faulty or incomplete patch.

Childs used the example of an integer overflow issue in Adobe Reader leading to undersized heap allocation, which results in a buffer overflow when too much data is written to it.

“We expected Adobe to make the fix by setting any value over a certain point to be bad,” Childs said. “But that’s not what we saw, and within 60 minutes of the rollout, there was a patch bypass and they had to patch again. Reruns aren’t just for TV shows.”

How to Combat Patch Prioritization Woes

Ultimately, when it comes to patch prioritization, effective patch management and risk calculation boil down to identifying high-value software targets within the organization as well as using third-party sources to narrow down which patches would be the most important for any given environment, the researchers noted.

However, the issue of post-disclosure nimbleness is another key area for organizations to focus on.

According to Gorenc, senior director at ZDI, cybercriminals waste no time integrating vulns with large attack surfaces into their ransomware tool sets or their exploit kits, looking to weaponize newly disclosed flaws before companies have time to patch. These so-called n-day bugs are catnip to attackers, who on average can reverse-engineer a bug in as little as 48 hours.

“For the most part, the offensive community is using n-day vulnerabilities that have public patches available,” Gorenc said. “It’s important for us to understand at disclosure if a bug is actually going to be weaponized, but most vendors do not provide information regarding exploitability.”

Thus, enterprise risk assessments need to be dynamic enough to change post-disclosure, and security teams should monitor threat intelligence sources to understand when a bug is integrated into an exploit kit or ransomware, or when an exploit is released online.

Ancillary to that, an important timeline for enterprises to consider is how long it takes to actually roll out a patch across the organization, and whether there are emergency resources that can be brought to bear if necessary.

“When changes occur to the threat landscape (patch revisions, public proof-of-concepts, and exploit releases), enterprises should be shifting their resources to meet the need and combat the latest risks,” Gorenc explained. “Not just the latest publicized and named vulnerability. Observe what’s going on in the threat landscape, orient your resources, and decide when to act.”
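A context-aware ranking of the kind the two ZDI sections above argue for, as an added example that is not code from the talk or from ZDI: it scales the vendor’s CVSS base score by the factors Childs says CVSS omits (public exposure, how many systems are affected, business criticality, known exploitation) and re-ranks when post-disclosure threat intelligence arrives, as Gorenc advises. The multipliers, the CVE placeholders and the asset counts are constructed assumptions, not a published standard.

```python
# Added example (not from the ZDI talk): CVSS base score scaled by the
# context Childs says it omits, re-ranked on post-disclosure threat intel.
# Weights, CVE placeholders and asset counts are constructed assumptions.
import math
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str                   # placeholder id, not a real CVE
    cvss_base: float           # score as printed in the vendor advisory
    hosts: int                 # how many of your systems carry the bug
    internet_facing: bool      # reachable from outside the perimeter?
    critical_asset: bool       # on a system the business depends on?
    exploited: bool = False    # in-the-wild use, exploit kit, ransomware
    public_poc: bool = False   # public proof-of-concept / weaponized n-day

def risk_score(f: Finding) -> float:
    """Environment-specific risk: the CVSS base score is only the start."""
    score = f.cvss_base
    score *= 2.0 if f.internet_facing else 1.0
    score *= 1.5 if f.critical_asset else 1.0
    # Scale matters (15 hosts vs 15 million) but grows slowly: capped log10.
    score *= 1.0 + min(math.log10(max(f.hosts, 1)), 6.0) / 3.0
    if f.exploited:            # active exploitation outranks a mere PoC
        score *= 3.0
    elif f.public_poc:
        score *= 2.0
    return round(score, 2)

def prioritize(findings: list[Finding]) -> list[str]:
    """CVE ids ordered from most to least urgent for this environment."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]

def apply_threat_intel(findings: list[Finding], cve: str, kind: str) -> list[str]:
    """A post-disclosure event (kind 'exploited' or 'poc') changes the ranking."""
    for f in findings:
        if f.cve == cve:
            if kind == "exploited":
                f.exploited = True
            elif kind == "poc":
                f.public_poc = True
    return prioritize(findings)

# Constructed inventory: CVSS 10 on 15 internal hosts, CVSS 8.8 on 200
# internet-facing mail servers, CVSS 7.5 on a fleet of 15 million hosts.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-A", 10.0, 15, False, False),
    Finding("CVE-PLACEHOLDER-B", 8.8, 200, True, True),
    Finding("CVE-PLACEHOLDER-C", 7.5, 15_000_000, False, False),
]
```

With these weights the CVSS 10 bug ranks last until threat intelligence reports it exploited, at which point it jumps ahead of the large-fleet bug but still trails the exposed, business-critical mail servers.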