Embedded Systems

A TIMESYS DEEP DIVE

DECEMBER 2023

Cybersecurity in the news

“Windows and Linux devices can be hacked by malicious logo images”

According to Ars Technica, this new vulnerability exposes “hundreds of Windows and Linux computer models from virtually all hardware makers” to “a new attack that executes malicious firmware early in the boot-up sequence.” This can result in “infections that are nearly impossible to detect or remove using current defense mechanisms.”

Ars Technica goes on to state, “The attack—dubbed LogoFAIL by the researchers who devised it—is notable for the relative ease in carrying it out, the breadth of both consumer- and enterprise-grade models that are susceptible, and the high level of control it gains over them. In many cases, LogoFAIL can be remotely executed in post-exploit situations using techniques that can’t be spotted by traditional endpoint security products. And because exploits run during the earliest stages of the boot process, they are able to bypass a host of defenses, including the industry-wide Secure Boot, Intel’s Secure Boot, and similar protections from other companies that are devised to prevent so-called bootkit infections.”

Timesys recommends immediately addressing these new vulnerabilities and integrating upstream fixes. Our engineering team at Timesys is happy to assist with this; just reply to this email and let us know.

These LogoFAIL vulnerabilities are being tracked under the following CVE designations; however, this list is currently incomplete. You can click each of the links below for more information on that vulnerability:

With an average of 420 new CVEs every week, how do you cut through the noise and take action on the vulnerabilities that pose the largest threat to your device?

We launched the Timesys CVE Dashboard and update it weekly with details on the dangerous security vulnerabilities that could be affecting your device.

New Opportunities in the New Year

Timesys and Lynx Join Forces

Earlier this month, we announced an exciting new development! Timesys joined forces with Lynx Software Technologies – a leading provider of open architecture software solutions for mission-critical edge and embedded systems.

Combining our two businesses opens up innovative new possibilities to present to you, our customers, for the new year!

While Timesys and Lynx have different end markets, we are both driven by a mission of supporting our customers to deliver robust and mission-critical software products that can perform reliably and securely in the field, on time and within budget. Our focus on open-source software ecosystems also strongly aligns with Lynx’s products, built on a foundation of openness, efficiency, and flexibility.

We are thrilled to have the support of a new strategic partner in Lynx; their scaled corporate infrastructure, go-to-market resources, and technical expertise will support and strengthen our unwavering commitment to providing best-in-class technology with exceptional customer service.

Holiday Special

On the 25th Day of Christmas, my computer sent to me: a Timesys Advent Calendar~♫

In honor of the holidays, Timesys hosted an Advent Calendar throughout December featuring security tips, tools, and tricks to help you get more secure in anticipation of the New Year. Missed the webinar series on designing OTA updates for secure embedded Linux systems or the Timesys eBook on cybersecurity? You can catch up on each of the holiday gifts at the Timesys Advent Calendar page below!

Email Changes

Google Introduces New Gmail Protections

In an effort to enhance email security and reduce spam, Google has announced new requirements for using Gmail starting in 2024. These changes specifically affect those who send over 5,000 messages to Gmail addresses in a day, such as the Timesys newsletter, and will enforce a clear spam rate threshold to ensure users receive fewer unwanted messages.

What does this mean for you? 

If you want to keep receiving the Timesys newsletter, keep an eye out for it and mark it as a non-spam email. If you do not wish to keep receiving the newsletter, please scroll to the bottom of this email and hit the unsubscribe button — we understand!

If you ever want to come back and receive cybersecurity and embedded Linux device tips, tricks, and insider information, you can always sign up for the newsletter again at https://www.timesys.com/newsletter-subscribe/

Learn with Timesys

Elevating Your SCA Management with the Power of Vigiles-CLI

How can you enhance and streamline your SCA management in the New Year? Look no further than the Vigiles-CLI revolution!

Unlock a turbocharged Software Composition Analysis (SCA) experience with this game-changing addition, seamlessly integrating with third-party SBOM generation tools like syft. Picture lightning-fast SBOM generation, a dramatic reduction in false positives, and a workflow so smooth it’s like a software magic carpet ride. Ready to embark on this transformative journey? Explore Vigiles-CLI on our Git project page, meet the requirements, and personalize your SCA management by configuring the tool to your liking. It’s not just an upgrade; it’s a revolution!

Vulnerability Management for Embedded

Tools & Techniques to Monitor and Remediate Vulnerabilities in Your SBOM

January 18 @ 12 PM EDT / 9 AM PT

In this monthly live webinar and Q&A session, you’ll learn essential ways to avoid a five-figure mistake along with:

– Why you need to manage your open-source software risks
– How to generate an accurate SBOM (Software Bill of Materials) and why it matters
– Tools and techniques to monitor and remediate vulnerabilities in your SBOM
– And much more!

November 2023

Managing the Growing Tsunami of Vulnerabilities

October 2023

“Worst Security Problem Found in cURL” Highlights Need for SBOMs and 1-Click Remote Attack CVE Discovered in libcue

September 2023

“Critical Zero-Day Vulnerability” Recently Disclosed In The WebP Image Library and 7 More Vulnerabilities Exposed

August 2023

New OpenSSH Vulnerability “allows a remote attacker to execute arbitrary commands”