300 Million USD in Ethereum Inaccessible due to Bug, Intel Management Engine USB vulnerability


Infosec News

Nov 14, 2017, 5:59:03 PM
to Infosec News

INFORMATION SECURITY NEWS

For The Week of 11/7-11/14 2017


The Information Security News Service is a project of LARS (Laboratory for Advanced Research in Systems) in the CS Department at the University of Minnesota Duluth. We send out top stories in information security every Tuesday (except during some academic breaks). If you have stories you’d like to see featured, please email them to infosec...@d.umn.edu.

CURRENT NEWS


Intel Management Engine Remote Code Execution via USB


Intel’s controversial Management Engine - the separate, black box processor included in every Intel processor since 2008 - is vulnerable to remote code execution via USB. The researchers are able to exploit the fact that both the IME and USB connect to JTAG interfaces to run unsigned code on the IME. However, they are not releasing the specifics of the attack.

https://thenextweb.com/security/2017/11/09/researchers-find-almost-every-computer-intel-skylake-cpu-can-owned-via-usb/?amp=1


Bug Renders $300 Million in Ether Inaccessible

Parity, a popular Ethereum client, had a big bug in its multisignature wallets. As the name suggests, a multisignature wallet requires multiple digital signatures before a transaction can be executed. The wallets are governed by a Smart Contract, which is basically just a function that’s executed when the wallet is used. The bug was possible because a library that all multisignature wallets depend on was uninitialized. A user was able to set themselves as the owner of the Smart Contract and self-destruct it. This crippled the multisignature wallets - there’s no way to do anything with them other than deposit money. The coins haven’t been stolen -- the wallets just can no longer be accessed. A hard fork is being considered to remedy the issue. Interestingly, this bug has not had a big effect on the price of ether.

https://motherboard.vice.com/en_us/article/ywbqmg/parity-multi-signature-wallet-vulnerability-300-million-hard-fork

https://github.com/paritytech/parity/issues/6995
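
The failure mode in the Parity item, as an added example that is not part of the newsletter or Parity's code: a Python model (not Solidity) of wallets that depend on one shared library whose own owner state was never set. All class, function and account names are constructed for this sketch, and claiming the owner slot at deploy time is shown as one possible hardening, an assumption of this example rather than the fix discussed in the linked issue.

```python
class Destroyed(Exception): pass  # call reached self-destructed library code

class WalletLibrary:
    """Shared logic; it is also an account with its own owner state."""
    def __init__(self, init_at_deploy=False):
        self.owners, self.initialized, self.alive = set(), False, True
        if init_at_deploy:  # hardened variant: owner slot claimed at deploy time
            self.init_wallet("deployer")

    def init_wallet(self, caller):
        if self.initialized:
            raise PermissionError("already initialized")
        self.owners, self.initialized = {caller}, True

    def kill(self, caller):
        if caller not in self.owners:
            raise PermissionError("not an owner")
        self.alive = False  # models self-destruct of the library code

class MultisigWallet:
    def __init__(self, library, owners, required):
        self.library, self.owners, self.required = library, set(owners), required
        self.balance = 0

    def deposit(self, amount):  # plain value transfer, needs no library code
        self.balance += amount

    def withdraw(self, signers, amount):
        if not self.library.alive:  # every non-deposit path runs library code
            raise Destroyed("library code is gone")
        if len(set(signers) & self.owners) < self.required or amount > self.balance:
            raise PermissionError("not enough valid signatures or funds")
        self.balance -= amount
        return amount

def run_scenario(init_at_deploy):  # returns (amount withdrawn or None, balance)
    lib = WalletLibrary(init_at_deploy)
    wallet = MultisigWallet(lib, {"alice", "bob", "carol"}, required=2)
    wallet.deposit(100)
    try:
        lib.init_wallet("stranger")  # direct call on the library itself
        lib.kill("stranger")
    except PermissionError:
        pass  # hardened library rejects the second initialization
    try:
        return wallet.withdraw({"alice", "bob"}, 40), wallet.balance
    except Destroyed:
        wallet.deposit(5)  # deposits still land, but nothing can leave
        return None, wallet.balance
```

With the uninitialized library the wallet keeps accepting deposits while every withdrawal fails; with the owner slot claimed at deploy time the same two-of-three withdrawal succeeds.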


