Easy Contact
253 Main Ave, Passaic NJ 07055Call 973-777-5656
info@advantagecomputers.com
Fax 973-777-5821
© 2024 ~ All Rights Reserved
Advantage Computer Solutions
Company
Services
Testimonials
Amazing!
Zack is amazing! I have gone to him with computer issues for the past few years now and he always finds a way to fix… Read more “Amazing!”
Professional, smart & sensitive
Cannot say enough good things about Zack Rahhal and his team. Professional, smart, sensitive to small biz budgets and a helluva good guy. Could not… Read more “Professional, smart & sensitive”
AMAZINGLY WONDERFUL STAFF
stars indeed. So reliable and helpful and kind and smart. We call Al and he is “on it” immediately and such a FABULOUS teacher, patient… Read more “AMAZINGLY WONDERFUL STAFF”
Whatever my need, unfailingly helpful
I’ve been a customer of the staff at Advantage for many years now. They have never let me down! Whatever my need, however big or… Read more “Whatever my need, unfailingly helpful”
Best Kept Secret
I’ve known the Advantage Team for years. They are the absolute best techs in the field, bar none. I couldn’t tell you how many tens… Read more “Best Kept Secret”
Excellent Experience
I had an excellent experience with Advantage. Aside from being extremely professional and pleasant generally, Zack was incredibly responsive and helpful, even before and after… Read more “Excellent Experience”
Simply The Best!
Simply The Best! Our company has been working with Advantage Computer Solutions for a few years, Zack and his Team are AWESOME! They are super… Read more “Simply The Best!”
Awesome
The engineering team at Advantage Computers is the best in the business. They are nothing short of technical… Read more “Awesome”
It’s like having a cousin in the business.
Al, Nasser and Zack have been keeping our operations going for over a decade, taking care of our regular upgrades and our emergency system problems.… Read more “It’s like having a cousin in the business.”
Exceptional People
In many cases, exceptional people do not receive recognition for their hard work and superior customer service. We do not want this to be one of those… Read more “Exceptional People”
Highly Recommended
I became a customer about 6-7 months and I can say nothing but great things about this business. Zack takes care of me. I am… Read more “Highly Recommended”
Life Savers
THANK GOD for this local computer repair business who saved me hundreds, my hard drive was messed up, i called the company with warranty they… Read more “Life Savers”
I don’t have enough words to express my appreciation
I don’t have enough words to express my appreciation for Nassar and Paul, and the other members of Advantage Computer Solutions. I live in Bergen… Read more “I don’t have enough words to express my appreciation”
Minuteman Press Newark
Advantage Computer Solutions is absolutely great. They show up, do what they say they are going to, complete the job without issues (my other computer… Read more “Minuteman Press Newark”
Knowledgeable, Reliable, Reasonable
Knowledgeable, Reliable, Reasonable Working with Advantage Computers since 1997 for both personal and business tech support has been a rewarding and enjoyable experience. Rewarding, in… Read more “Knowledgeable, Reliable, Reasonable”
Excellent service!
Excellent service! I am the administrator for a busy medical office which relies heavily on our computer system. We have used Advantage Computer Solutions for… Read more “Excellent service!”
Great Advice and Service
Advantage offers great advice and service I bought parts for my gaming pc online and they put it together in a day for a great… Read more “Great Advice and Service”
Great Service, Support and Sales
Our company has been using the services of Advantage Computers since 2006. It was important to find a reliable company to provide us with the technical… Read more “Great Service, Support and Sales”
Extremely Professional and Passionate
Our company has been working with Advantage since the 1990’s and have been a loyal client ever since. Advantage does not make it very difficult… Read more “Extremely Professional and Passionate”
Handles all our Office IT
Advantage Computer Solutions has handled all of our computer and IT needs for the past 2 years. The staff is always professional and the service… Read more “Handles all our Office IT”
Passaic Housing Authority
Since 1996 the Housing Authority of the City of Passaic has been a client of Advantage Computer Solutions. Our Agency has utilized their outstanding services… Read more “Passaic Housing Authority”
They made sure EVERYTHING was working
“When the computer I use to run my photography business started acting erratically and kept shutting down, I was in a panic. I depend on… Read more “They made sure EVERYTHING was working”
Third‑party cookies: How they work and how to stop them from tracking you across the web
Cross-site tracking cookies have a bleak future but can still cause privacy woes to unwary users
The post Third‑party cookies: How they work and how to stop them from tracking you across the web appeared first on WeLiveSecurity
SparklingGoblin deploys new Linux backdoor – Week in security, special edition
ESET Research first spotted this variant of the SideWalk backdoor in the network of a Hong Kong university in February 2021
The post SparklingGoblin deploys new Linux backdoor – Week in security, special edition appeared first on WeLiveSecurity
You never walk alone: The SideWalk backdoor gets a Linux variant
ESET researchers have uncovered another tool in the already extensive arsenal of the SparklingGoblin APT group: a Linux variant of the SideWalk backdoor
The post You never walk alone: The SideWalk backdoor gets a Linux variant appeared first on WeLiveSecurity
Use-after-freedom: MiraclePtr
Posted by Adrian Taylor, Bartek Nowierski and Kentaro Hara on behalf of the MiraclePtr team
Memory safety bugs are the most numerous category of Chrome security issues and we’re continuing to investigate many solutions – both in C++ and in new programming languages. The most common type of memory safety bug is the “use-after-free”. We recently posted about an exciting series of technologies designed to prevent these. Those technologies (collectively, *Scan, pronounced “star scan”) are very powerful but likely require hardware support for sufficient performance.
Today we’re going to talk about a different approach to solving the same type of bugs.
It’s hard, if not impossible, to avoid use-after-frees in a non-trivial codebase. It’s rarely a mistake by a single programmer. Instead, one programmer makes reasonable assumptions about how a bit of code will work, then a later change invalidates those assumptions. Suddenly, the data isn’t valid as long as the original programmer expected, and an exploitable bug results.
These bugs have real consequences. For example, according to Google Threat Analysis Group, a use-after-free in the ChromeHTML engine was exploited this year by North Korea.
Half of the known exploitable bugs in Chrome are use-after-frees:
Diving Deeper: Not All Use-After-Free Bugs Are Equal
Chrome has a multi-process architecture, partly to ensure that web content is isolated into a sandboxed “renderer” process where little harm can occur. An attacker therefore usually needs to find and exploit two vulnerabilities – one to achieve code execution in the renderer process, and another bug to break out of the sandbox.
The first stage is often the easier one. The attacker has lots of influence in the renderer process. It’s easy to arrange memory in a specific way, and the renderer process acts upon many different kinds of web content, giving a large “attack surface” that could potentially be exploited.
The second stage, escaping the renderer sandbox, is trickier. Attackers have two options how to do this:
We imagine the attackers squeezing through the narrow part of a funnel:
If we can reduce the size of the narrow part of the funnel, we will make it as hard as possible for attackers to assemble a full exploit chain. We can reduce the size of the orange slice by removing access to more OS interfaces within the renderer process sandbox, and we’re continuously working on that. The MiraclePtr project aims to reduce the size of the blue slice.
Here’s a sample of 100 recent high severity Chrome security bugs that made it to the stable channel, divided by root cause and by the process they affect.
You might notice:
As you can see, the biggest category of bugs in each process is: V8 in the renderer process (JavaScript engine logic bugs – work in progress) and use-after-free bugs in the browser process. If we can make that “thin” bit thinner still by removing some of those use-after-free bugs, we make the whole job of Chrome exploitation markedly harder.
MiraclePtr: Preventing Exploitation of Use-After-Free Bugs
This is where MiraclePtr comes in. It is a technology to prevent exploitation of use-after-free bugs. Unlike aforementioned *Scan technologies that offer a non-invasive approach to this problem, MiraclePtr relies on rewriting the codebase to use a new smart pointer type, raw_ptr<T>. There are multiple ways to implement MiraclePtr. We came up with ~10 algorithms and compared the pros and cons. After analyzing their performance overhead, memory overhead, security protection guarantees, developer ergonomics, etc., we concluded that BackupRefPtr was the most promising solution.
The BackupRefPtr algorithm is based on reference counting. It uses support of Chrome’s own heap allocator, PartitionAlloc, which carves out a little extra space for a hidden reference count for each allocation. raw_ptr<T> increments or decrements the reference count when it’s constructed, destroyed or modified. When the application calls free/delete and the reference count is greater than 0, PartitionAlloc quarantines that memory region instead of immediately releasing it. The memory region is then only made available for reuse once the reference count reaches 0. Quarantined memory is poisoned to further reduce the likelihood that use-after-free accesses will result in exploitable conditions, and in hope that future accesses lead to an easy-to-debug crash, turning these security issues into less-dangerous ones.
We successfully rewrote more than 15,000 raw pointers in the Chrome codebase into raw_ptr<T>, then enabled BackupRefPtr for the browser process on Windows and Android (both 64 bit and 32 bit) in Chrome 102 Stable. We anticipate that MiraclePtr meaningfully reduces the browser process attack surface of Chrome by protecting ~50% of use-after-free issues against exploitation. We are now working on enabling BackupRefPtr in the network, utility and GPU processes, and for other platforms. In the end state, our goal is to enable BackupRefPtr on all platforms because that ensures that a given pointer is protected for all users of Chrome.
Balancing Security and Performance
There is no free lunch, however. This security protection comes at a cost, which we have carefully weighed in our decision making.
Unsurprisingly, the main cost is memory. Luckily, related investments into PartitionAlloc over the past year led to 10-25% total memory savings, depending on usage patterns and platforms. So we were able to spend some of those savings on security: MiraclePtr increased the memory usage of the browser process 4.5-6.5% on Windows and 3.5-5% on Android1, still well below their previous levels. While we were worried about quarantined memory, in practice this is a tiny fraction (0.01%) of the browser process usage. By far the bigger culprit is the additional memory needed to store the reference count. One might think that adding 4 bytes to each allocation wouldn’t be a big deal. However, there are many small allocations in Chrome, so even the 4B overhead is not negligible. PartitionAlloc also uses pre-defined bucket sizes, so this extra 4B pushes certain allocations (particularly power-of-2 sized) into a larger bucket, e.g. 4096B->5120B.
We also considered the performance cost. Adding an atomic increment/decrement on common operations such as pointer assignment has unavoidable overhead. Having excluded a number of performance-critical pointers, we drove this overhead down until we could gain back the same margin through other performance optimizations. On Windows, no statistically significant performance regressions were observed on most of our top-level performance metrics like Largest Contentful Paint, First Input Delay, etc. The only adverse change there1 is an increase of the main thread contention (~7%). On Android1, in addition to a similar increase in the main thread contention (~6%), there were small regressions in First Input Delay (~1%), Input Delay (~3%) and First Contentful Paint (~0.5%). We don’t anticipate these regressions to have a noticeable impact on user experience, and are confident that they are strongly outweighed by the additional safety for our users.
We should emphasize that MiraclePtr currently protects only class/struct pointer fields, to minimize the overhead. As future work, we are exploring options to expand the pointer coverage to on-stack pointers so that we can protect against more use-after-free bugs.
Note that the primary goal of MiraclePtr is to prevent exploitation of use-after-free bugs. Although it wasn’t designed for diagnosability, it already helped us find and fix a number of bugs that were previously undetected. We have ongoing efforts to make MiraclePtr crash reports even more informative and actionable.
Continue to Provide Us Feedback
Last but not least, we’d like to encourage security researchers to continue to report issues through the Chrome Vulnerability Reward Program, even if those issues are mitigated by MiraclePtr. We still need to make MiraclePtr available to all users, collect more data on its impact through reported issues, and further refine our processes and tooling. Until that is done, we will not consider MiraclePtr when determining the severity of a bug or the reward amount.
1 Measured in Chrome 99.
Why is my Wi‑Fi slow and how do I make it faster?
Has your Wi-Fi speed slowed down to a crawl? Here are some of the possible reasons along with a few quick fixes to speed things up.
The post Why is my Wi‑Fi slow and how do I make it faster? appeared first on WeLiveSecurity
ESET Research uncovers new APT group Worok – Week in security with Tony Anscombe
Worok takes aim at various high-profile organizations that operate in multiple sectors and are located primarily in Asia
The post ESET Research uncovers new APT group Worok – Week in security with Tony Anscombe appeared first on WeLiveSecurity
Fuzzing beyond memory corruption: Finding broader classes of vulnerabilities automatically
Posted by Jonathan Metzman, Dongge Liu and Oliver Chang, Google Open Source Security Team
Recently, OSS-Fuzz—our community fuzzing service that regularly checks 700 critical open source projects for bugs—detected a serious vulnerability (CVE-2022-3008): a bug in the
TinyGLTF
project that could have allowed attackers to execute malicious code in projects usingTinyGLTF
as a dependency.The bug was soon patched, but the wider significance remains: OSS-Fuzz caught a trivially exploitable command injection vulnerability. This discovery shows that fuzzing, a type of testing once primarily known for detecting memory corruption vulnerabilities in C/C++ code, has considerable untapped potential to find broader classes of vulnerabilities. Though the TinyGLTF library is written in C++, this vulnerability is easily applicable to all programming languages and confirms that fuzzing is a beneficial and necessary testing method for all software projects.
Fuzzing as a public service
OSS-Fuzz was launched in 2016 in response to the Heartbleed vulnerability, discovered in one of the most popular open source projects for encrypting web traffic. The vulnerability had the potential to affect almost every internet user, yet was caused by a relatively simple memory buffer overflow bug that could have been detected by fuzzing—that is, by running the code on randomized inputs to intentionally cause unexpected behaviors or crashes that signal bugs. At the time, though, fuzzing was not widely used and was cumbersome for developers, requiring extensive manual effort.
Google created OSS-Fuzz to fill this gap: it’s a free service that runs fuzzers for open source projects and privately alerts developers to the bugs detected. Since its launch, OSS-Fuzz has become a critical service for the open source community, helping get more than 8,000 security vulnerabilities and more than 26,000 other bugs in open source projects fixed. With time, OSS-Fuzz has grown beyond C/C++ to detect problems in memory-safe languages such as Go, Rust, and Python.
Google Cloud’s Assured Open Source Software Service, which provides organizations a secure and curated set of open source dependencies, relies on OSS-Fuzz as a foundational layer of security scanning. OSS-Fuzz is also the basis for free fuzzing tools for the community, such as ClusterFuzzLite, which gives developers a streamlined way to fuzz both open source and proprietary code before committing changes to their projects. All of these efforts are part of Google’s $10B commitment to improving cybersecurity and continued work to make open source software more secure for everyone.
New classes of vulnerabilities
Last December, OSS-Fuzz announced an effort to improve our bug detectors (known as sanitizers) to find more classes of vulnerabilities, by first showing that fuzzing can find Log4Shell. The
TinyGLTF
bug was found using one of those new sanitizers,SystemSan
, which was developed specifically to find bugs that can be exploited to execute arbitrary commands in any programming language. This vulnerability shows that it was possible to inject backticks into the input glTF file format and allow commands to be executed during parsing.A proof of exploit in
TinyGLTF
, extended from the input found by OSS-Fuzz withSystemSan
. The culprit was the use of the “wordexp” function to expand file paths.SystemSan
usesptrace
, and is built in a language-independent and highly extensible way to allow new bug detectors to be added easily. For example, we’ve built proofs of concept to detect issues in JavaScript and Python libraries, and an external contributor recently added support for detecting arbitrary file access (e.g. through path traversal).OSS-Fuzz has also continued to work with Code Intelligence to improve Java fuzzing by integrating over 50 additional Java projects into OSS-Fuzz and developing sanitizers for detecting Java-specific issues such as deserialization and LDAP injection vulnerabilities. A number of these types of vulnerabilities have been found already and are pending disclosure.
Rewards for getting involved
Want to get involved with making fuzzing more widely used and get rewarded? There are two ways:
To apply for these rewards, see the OSS-Fuzz integration reward program.
Fuzzing still has a lot of unexplored potential in discovering more classes of vulnerabilities. Through our combined efforts we hope to take this effective testing method to the next level and enable more of the open source community to enjoy the benefits of fuzzing.
Toys behaving badly: How parents can protect their family from IoT threats
It pays to do some research before taking a leap into the world of internet-connected toys
The post Toys behaving badly: How parents can protect their family from IoT threats appeared first on WeLiveSecurity
RDP on the radar: An up‑close view of evolving remote access threats
Misconfigured remote access services continue to give bad actors an easy access path to company networks – here’s how you can minimize your exposure to attacks misusing Remote Desktop Protocol
The post RDP on the radar: An up‑close view of evolving remote access threats appeared first on WeLiveSecurity
Worok: The big picture
Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files
The post Worok: The big picture appeared first on WeLiveSecurity