Richard Speed (via Hacker News):

Google’s Cloud CEO Thomas Kurian has weighed in on the UniSuper fiasco and confirmed that UniSuper’s Private Cloud subscription was accidentally deleted.

In a joint statement with UniSuper CEO Peter Chun, Kurian admitted that an “inadvertent misconfiguration” during the provisioning of UniSuper’s Private Cloud services resulted in the deletion of the subscription.

In a cascade of catastrophe familiar to anyone using duplication, the deletion of the account resulted in deletion across other regions.

Two weeks later, they are finally fully restored:

Restoring UniSuper’s Private Cloud instance has called for an incredible amount of focus, effort, and partnership between our teams to enable an extensive recovery of all the core systems. The dedication and collaboration between UniSuper and Google Cloud has led to an extensive recovery of our Private Cloud which includes hundreds of virtual machines, databases and applications.

UniSuper had backups in place with an additional service provider. These backups have minimised data loss, and significantly improved the ability of UniSuper and Google Cloud to complete the restoration.

auspiv:

The customer isn’t exactly small either - “UniSuper is an Australian superannuation fund that provides superannuation services to employees of Australia’s higher education and research sector. The fund has over 620,000 members and $120 billion in assets (funds under management and total member accounts at 7 July 2021).”

Previously:

• Google Cloud Services Outages
• Google Account Deleted Due to CSAM False Positive
• Relying on Google Cloud

Michael Potuck:

Following the acquisition, Broadcom’s VMware has announced today that Fusion Pro 13 and Workstation Pro 17 have been made free for personal use.

[…]

For commercial use, Broadcom has simplified the VMware options to a single product, which can be purchased through any “Broadcom Advantage” partner.

Michael Roy:

This means that everyday users who want a virtual lab on their Mac, Windows or Linux computer can do so for free simply by registering and downloading the latest build from the new download portal located at support.broadcom.com.

[…]

This simplification eliminates 40+ other SKUs and makes quoting and purchasing VMware Desktop Hypervisor apps, Fusion Pro and Workstation Pro, easier than ever.

Previously:

• VMware Transition to Subscriptions

[That’s solid work.]

Seaside, California resident Etienne Constable was recently told by the city that he needed to build a fence to hide his boat. He complied, and even had the fence painted. It’s lovely:

Yes, Constable’s neighbor Hanif Wondir helpfully painted a realistic boat mural, so that despite the fence, no one would miss the chance to see what Constable’s boat looks like.

Link: https://www.nbcnews.com/news/us-news/man-gets-realistic-picture-boat-painted-fence-designed-hide-rcna151928

A critical security vulnerability has been uncovered in two widely used PDF libraries, PDF.js and React-PDF, potentially exposing millions of users to malicious JavaScript code execution.

The flaws, identified as CVE-2024-4367 in PDF.js and CVE-2024-34342 in React-PDF, stem from the improper handling of JavaScript within PDF files.

PDF.js, a popular open-source PDF viewer supported by Mozilla, is used extensively across the web, with over 46,000 stars on GitHub and nearly 2 million weekly downloads from npm.

Similarly, React-PDF, a library for rendering PDFs in React applications, sees over 600,000 downloads per week. The widespread adoption of these libraries amplifies the potential impact of the discovered vulnerabilities.

The flaws were identified by security researcher Thomas Rinsma, who found that when PDF.js or React-PDF loads a malicious PDF file with the isEvalSupported setting enabled (which is true by default), it can lead to the execution of unrestricted JavaScript code within the context of the hosting domain.

This opens the door for attackers to steal sensitive user data, such as cookies and session tokens, or even perform actions on behalf of the unsuspecting user.

Versions of PDF.js up to 4.1.392 and React-PDF versions up to 7.7.2 and from 8.0.0 to 8.0.1 are affected by these vulnerabilities.

Users are strongly advised to update to the patched versions - 4.2.67 for PDF.js and 7.7.3 or 8.0.2 for React-PDF - which address the issue by removing the use of the JavaScript eval function, a known security risk.

For those unable to update immediately, a temporary workaround involves setting "isEvalSupported" to false.

In PDF.js, this is a global configuration, while in React-PDF, it must be specified within the "options" prop of the "Document" component. Disabling "eval" prevents the execution of malicious scripts embedded in PDF files.

We've been hit hard by inflation here in the States, but we're not the only ones witnessing the devaluation of our currency.