When information leaks

A vulnerability and a victory for a data protection authority are a good reminder of what can happen when data isn’t kept safe.

Weekly security roundup week of March 12th

Samba admins urged to patch

An important vulnerability that came to light this past week is one in the venerable open-source Samba file, print and Active Directory suite (tracked as CVE-2018-1057), and if you’re a Samba admin, you need to update now.

The vulnerability means that if you run a Samba 4 server as an Active Directory domain controller, any authenticated user can change any other user’s password over LDAP, including the passwords of administrators and of privileged service accounts such as domain controllers. Samba installations that are not running as an AD domain controller (plain file or member servers) are not affected.

The hole, which Samba fixed with a patch this past Tuesday, affects all versions of Samba from version 4.0 onwards, or in other words, every release of the software since December 2012.

The advisory warns that the vulnerability means that “authenticated users can change other users’ password” in any version of the software stack since then.

That’s because, according to the advisory, “the LDAP server incorrectly validates certain LDAP password modifications against the ‘Change Password’ privilege, but then performs a password reset operation.” In other words, the server checked the right that lets a user change a password (ordinarily their own, by supplying the old one) and then carried out a reset, which sets a new password with no knowledge of the old one and should require a separate, far more restricted privilege.

Samba has posted a workaround for admins who can’t patch immediately, together with advice on how to check whether any unauthorized password changes have already been made, and urges admins to upgrade or patch their installations as soon as possible.
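A practical first step in that check is to look at when each account’s password was last set. The following script is an added example, not Samba’s own tooling or the advisory’s workaround: it reads an LDIF-style dump of the sAMAccountName and pwdLastSet attributes (the shape that ldbsearch or ldapsearch print), converts the Windows FILETIME timestamps, and lists every account whose password was set on or after a cut-off date, privileged accounts first. The LDIF embedded below is constructed sample data, the cut-off date is a hypothetical start of the window you want to review, and the privileged-account list is an assumption you would replace with your own.

```python
"""Hunt for passwords set inside a suspected exposure window.

Added example, not Samba's own tooling: reads an LDIF-style attribute dump
of sAMAccountName and pwdLastSet, converts the Windows FILETIME timestamps
and lists the accounts whose password was set on or after a cut-off,
flagging privileged ones first. Everything below is constructed sample data.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample in the shape of an attribute dump such as
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName pwdLastSet
# (the sam.ldb path varies by distribution). Values are synthetic, not a real dump.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=example,DC=internal
sAMAccountName: Administrator
pwdLastSet: 131652126000000000

dn: CN=alice,CN=Users,DC=example,DC=internal
sAMAccountName: alice
pwdLastSet: 131651568000000000

dn: CN=bob,CN=Users,DC=example,DC=internal
sAMAccountName: bob
pwdLastSet: 131619168000000000

dn: CN=svc-backup,CN=Users,DC=example,DC=internal
sAMAccountName: svc-backup
pwdLastSet: 0
"""

# Hypothetical start of the window under review and a hypothetical list of
# accounts whose password changes deserve immediate attention.
CUTOFF = datetime(2018, 3, 5, tzinfo=timezone.utc)
PRIVILEGED = {"Administrator"}


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a FILETIME tick count to an aware UTC datetime.
    0 means 'never set / must change at next logon', so return None."""
    if ticks <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, folded continuation lines start with a space. No base64 ('::')
    support, which is fine for the two attributes used here."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr] += raw[1:]  # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current[attr] = value.strip()
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def passwords_set_since(ldif_text: str, cutoff: datetime,
                        privileged: Iterable[str] = ()) -> List[Tuple[str, datetime, bool]]:
    """Return (account, time, is_privileged) for every entry whose pwdLastSet
    is on or after `cutoff`: privileged accounts first, then newest first."""
    priv = {p.lower() for p in privileged}
    hits: List[Tuple[str, datetime, bool]] = []
    for entry in parse_ldif(ldif_text):
        name = entry.get("sAMAccountName")
        when = filetime_to_datetime(int(entry.get("pwdLastSet", "0")))
        if name and when is not None and when >= cutoff:
            hits.append((name, when, name.lower() in priv))
    hits.sort(key=lambda h: (not h[2], -h[1].timestamp()))
    return hits


if __name__ == "__main__":
    for name, when, is_priv in passwords_set_since(SAMPLE_LDIF, CUTOFF, PRIVILEGED):
        tag = "PRIVILEGED " if is_priv else ""
        print(f"{tag}{name}: password set {when.isoformat()}")
```

On the sample data this reports Administrator (set 11 March) and alice (set 10 March) and ignores bob, whose password predates the cut-off, and svc-backup, whose pwdLastSet of 0 means it has no recorded change. Note the limits of the check: pwdLastSet tells you when a password was set, not by whom, so every hit still has to be reconciled against legitimate changes (help-desk resets, users changing their own passwords, expiry policy) and against whatever audit or LDAP logging the DC kept; and anything it surfaces is a reason to reset the account and rotate credentials, not a replacement for applying the patch.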

Facebook and WhatsApp concede to data regulator

Meanwhile, there was good news on Wednesday for British users of Facebook and WhatsApp when the UK’s data protection authority, the Information Commissioner’s Office, said that it had finally reached an agreement with Facebook and WhatsApp over how they exchange user data.

This means that Facebook can’t make use of WhatsApp user data as it had wanted to in order to “offer better friend suggestions and show you more relevant ads.”

This tussle between Facebook and the UK’s ICO stretches back to 2016, when WhatsApp, which was acquired by Facebook in 2014 for $19bn, said it was updating its privacy policy so that it could share data with its new parent company.

Not so fast, said the ICO, which took the view that the planned sharing would breach the UK’s Data Protection Act. The ICO then launched an investigation into how Facebook and WhatsApp intended to share data, resulting in something of a stand-off between the regulator and the social media company.

The announcement on Wednesday marks a cessation of hostilities between the two organizations: a mixed result for Facebook, which escapes a fine but loses the access to WhatsApp data it had wanted, and a good result for users in the UK.

Explaining the result, Information Commissioner Elizabeth Denham said that she had established that “WhatsApp has not identified a lawful basis of processing for any such sharing of personal data,” and that “WhatsApp has failed to provide adequate fair processing information to users in relation to any such sharing of personal data.”

What that means is that Facebook can’t mine the rich seam of data held by WhatsApp, and so it won’t be able to use that to suggest people you might want to connect with or show you “more relevant” ads.

Teeth were probably being gritted at Facebook HQ as the week came to a close because access to that data stream was a big reason Facebook wanted to buy WhatsApp and also one of the reasons the price it paid was so enormous.

Denham says she decided not to fine the companies, preferring instead to get WhatsApp to sign an undertaking not to share the personal data of UK users with Facebook.

There is a caveat, however: in her blog post announcing the truce, Denham adds that the commitment only holds “until they can do so in compliance with the upcoming General Data Protection Regulation (GDPR), which comes into force in May this year.”

As Denham points out, however, this outcome sends a strong message to big technology companies about the standards that consumers and regulators expect of them when it comes to handling personal data. She says: “At the heart of these concerns lies a desire for improved transparency, control, and accountability, at a time when personal data is ever more central to the business models of key players in the digital economy.”

She goes on to note that she’s not the only European regulator to have raised an eyebrow at how Facebook and WhatsApp intended to share user data: Germany’s Hamburg data protection authority has also ordered them to stop sharing data, and France’s regulator, the CNIL, is taking enforcement action too.

And she points out that GDPR tightens up the rules “on what constitutes ‘consent’.”

Facebook and WhatsApp have had a shot fired across their bows: they’ve been warned that they need to have a legal basis for sharing personal data, and that regulators in Europe will be watching.

Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.
