Wireless Networking

ASUS Urges Customers To Patch Critical Router Vulnerabilities (bleepingcomputer.com) 25

ASUS has released new firmware for several router models to address security vulnerabilities, including critical ones like CVE-2022-26376 and CVE-2018-1160, which can lead to denial-of-service attacks and code execution. The company advises customers to update their devices immediately or restrict WAN access until the devices are secured, urging them to create strong passwords and follow security measures. BleepingComputer reports: The first is a critical memory corruption weakness in the Asuswrt firmware for Asus routers that could let attackers trigger denial-of-services states or gain code execution. The other critical patch is for an almost five-year-old CVE-2018-1160 bug caused by an out-of-bounds write Netatalk weakness that can also be exploited to gain arbitrary code execution on unpatched devices.

"Please note, if you choose not to install this new firmware version, we strongly recommend disabling services accessible from the WAN side to avoid potential unwanted intrusions. These services include remote access from WAN, port forwarding, DDNS, VPN server, DMZ, port trigger," ASUS warned in a security advisory published today. "We strongly encourage you to periodically audit both your equipment and your security procedures, as this will ensure that you will be better protected."

The list of impacted devices includes the following models: GT6, GT-AXE16000, GT-AX11000 PRO, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400.

Bug

Windows 11 Update Breaks Chrome for Some Antivirus Software Users (bleepingcomputer.com) 49

Wednesday BleepingComputer reported: Malwarebytes confirmed today that the Windows 11 22H2 KB5027231 cumulative update released this Patch Tuesday breaks Google Chrome on its customers' systems... While uninstalling the KB5027231 update fixes the issue, admins report that it's not possible to do so via Windows Server Update Services because of a "catastrophic error..." The Google Chrome process is actually running but is prevented from fully launching the application and loading the user interface due to the conflict.
Then Friday BleepingComputer reported that the same update "also breaks Google Chrome on systems protected by Cisco and WatchGuard EDR and antivirus solutions." "We deploy Secure Endpoint 8.1.7 to our few thousand devices, and we started getting a mountain of reports this morning that Google Chrome would not appear on the screen after attempting to open it," one admin said. "With a little trial & error, I found that killing the Secure Endpoint service or uninstalling Secure Endpoint will allow Chrome to open again..."

WatchGuard staff also confirmed on Friday that Google Chrome wouldn't open on Windows 11 after installing KB5027231 if anti-exploit protection is enabled in the company's Endpoint Security software.

Thanks to Slashdot reader boley1 for sharing the news.
Bug

Dev Boots Linux 292,612 Times to Find Kernel Bug (tomshardware.com) 32

Long-time Slashdot reader waspleg shared this story from Hot Hardware: Red Hat Linux developer Richard WM Jones has shared an eyebrow raising tale of Linux bug hunting. Jones noticed that Linux 6.4 has a bug which means it will hang on boot about 1 in 1,000 times. Jones set out to pinpoint the bug, and prove he had caught it red handed. However, his headlining travail, involving booting Linux 292,612 times (and another 1,000 times to confirm the bug) apparently "only took 21 hours." It also seems that the bug is less common with Intel hardware than AMD based machines.
Privacy

Edge Sends Images You View Online To Microsoft 39

An anonymous reader shares a report: Not so long ago, Microsoft Edge ended up in hot waters after users discovered a bug leaking your browser history to Bing. Now you may want to toggle off another feature to ensure Edge is not sending every picture you view online to Microsoft. Edge has a built-in image enhancement tool that, according to Microsoft, can use "super-resolution to improve clarity, sharpness, lighting, and contrast in images on the web." Although the feature sounds exciting, recent Microsoft Edge Canary updates have provided more information on how image enhancement works. The browser now warns that it sends image links to Microsoft instead of performing on-device enhancements.
Government

10 Years After Snowden's First Leak, What Have We Learned? (theregister.com) 139

An anonymous reader quotes a report from The Register: The world got a first glimpse into the US government's far-reaching surveillance of American citizens' communications -- namely, their Verizon telephone calls -- 10 years ago this week when Edward Snowden's initial leaks hit the press. [...] In the decade since then, "reformers have made real progress advancing the bipartisan notion that Americans' liberty and security are not mutually exclusive," [US Senator Ron Wyden (D-OR)] said. "That has delivered tangible results: in 2015 Congress ended bulk collection of Americans' phone records by passing the USA Freedom Act." This bill sought to end the daily snooping into American's phone calls by forcing telcos to collect the records and make the Feds apply for the information.

That same month, a federal appeals court unanimously ruled that the NSA's phone-records surveillance program was unlawful. The American Civil Liberties Union (ACLU) and the New York Civil Liberties Union sued to end the secret phone spying program, which had been approved by the Foreign Intelligence Surveillance Court, just days after Snowden disclosed its existence. "Once it was pushed out into open court, and the court was able to hear from two sides and not just one, the court held that the program was illegal," Ben Wizner, director of the ACLU Speech, Privacy and Technology project, told The Register. The Freedom Act also required the federal government to declassify and release "significant" opinions of the Foreign Intelligence Surveillance Court (FISC), and authorized the appointment of independent amici -- friends of the court intended to provide an outside perspective. The FISC was established in 1978 under the FISA -- the legislative instrument that allows warrantless snooping. And prior to the Freedom Act, this top-secret court only heard the government's perspective on things, like why the FBI and NSA should be allowed to scoop up private communications.

"To its credit, the government has engaged in reforms, and there's more transparency now that, on the one hand, has helped build back some trust that was lost, but also has made it easier to shine a light on surveillance misconduct that has happened since then," Jake Laperruque, deputy director of the Center for Democracy and Technology's Security and Surveillance Project, told The Register. Wyden also pointed to the sunsetting of the "deeply flawed surveillance law," Section 215 of the Patriot Act, as another win for privacy and civil liberties. That law expired in March 2020 after Congress did not reauthorize it. "For years, the government relied on Section 215 of the USA Patriot Act to conduct a dragnet surveillance program that collected billions of phone records (Call Detail Records or CDR) documenting who a person called and for how long they called them -- more than enough information for analysts to infer very personal details about a person, including who they have relationships with, and the private nature of those relationships," Electronic Frontier Foundation's Matthew Guariglia, Cindy Cohn and Andrew Crocker said.
James Clapper, the former US Director of National Intelligence, "stated publicly that the Snowden disclosures accelerated by seven years the adoption of commercial encryption," Wizner said. "At the individual level, and at the corporate level, we are more secure."

"And at the corporate level, what the Snowden revelations taught big tech was that even as the government was knocking on the front door, with legal orders to turn over customer data, it was breaking in the backdoor," Wizner added. "Government was hacking those companies, finding the few points in their global networks where data passed unencrypted, and siphoning it off." "If you ask the government -- if you caught them in a room, and they were talking off the record -- they would say the biggest impact for us from the Snowden disclosures is that it made big tech companies less cooperative," he continued. "I regard that as a feature, not a bug."

The real issue that the Snowden leaks revealed is that America's "ordinary system of checks and balances doesn't work very well for secret national security programs," Wizner said. "Ten years have gone by," since the first Snowden disclosures, "and we don't know what other kinds of rights-violating activities have been taking place in secret, and I don't trust our traditional oversight systems, courts and the Congress, to ferret those out," Wizner said. "When you're dealing with secret programs in a democracy, it almost always requires insiders who are willing to risk their livelihoods and their freedom to bring the information to the public."
Security

Data Stolen Through Flaw in MOVEit Transfer, Researchers Say (reuters.com) 15

Reuters reports: Hackers have stolen data from the systems of a number of users of the popular file transfer tool MOVEit Transfer, U.S. security researchers said on Thursday, one day after the maker of the software disclosed that a security flaw had been discovered. Software maker Progress Software Corp, after disclosing the vulnerability on Wednesday, said it could lead to potential unauthorized access into users' systems.

The managed file transfer software made by the Burlington, Massachusetts-based company allows organizations to transfer files and data between business partners and customers. It was not immediately clear which or how many organizations use the software or were impacted by potential breaches. Chief Information Officer Ian Pitt declined to share those details, but said Progress Software had made fixes available since it discovered the vulnerability late on May 28...

Cybersecurity firm Rapid7 Inc and Mandiant Consulting — owned by Alphabet Inc's Google — said they had found a number of cases in which the flaw had been exploited to steal data. "Mass exploitation and broad data theft has occurred over the past few days," Charles Carmakal, chief technology officer of Mandiant Consulting, said in a statement... "Although Mandiant does not yet know the motivation of the threat actor, organizations should prepare for potential extortion and publication of the stolen data," Carmakal said.

Thanks to long-time Slashdot reader rexx mainframe for sharing the story.
Operating Systems

System76's Open Firmware 'Re-Disables' Intel's Management Engine (phoronix.com) 19

Linux computer vendor System76 shared some news in a recent blog post. "We prefer to disable the Intel Management Engine wherever possible to reduce the amount of closed firmware running on System76 hardware. We've resolved a coreboot bug that allows the Intel ME (Management Engine) to once again be disabled."

Phoronix reports that the move will "benefit their latest Intel Core 13th Gen 'Raptor Lake' wares as well as prior generation devices." Intel ME is disabled for their latest Raptor lake laptops and most older platforms with some exceptions like where having a silicon issue with Tiger Lake. System76 has also added a new firmware setup menu option for enabling/disabling UEFI Secure Boot. The motivation here with making it easier to toggle Secure Boot is for allowing Windows 11 support with SB active while running System76 Open Firmware.
Microsoft

Microsoft's Surface Pro X Cameras Have Suddenly Stopped Working (theverge.com) 45

Microsoft's ARM-based Surface Pro X tablet is not having a good time, and neither are its owners. From a report: According to multiple reports, the tablet's cameras stopped working out of the blue, showing a cryptic error when trying to launch the Windows Camera app or other software: "Something went wrong. If you need it, here's the error code: 0xA00F4271 (0x80004005)."

The first thing that comes to the user's mind when experiencing issues like this is reinstalling the corresponding driver. However, this is not true with Surface Pro X's botched cameras. Affected customers say removing and installing camera drivers on the Surface Pro X has no effect and leaves them stranded, unable to join video calls, take pictures, and perform other camera-related tasks. More importantly, the bug also breaks facial recognition, forcing customers to use their PIN codes instead.

AI

Apple Restricts Employee Use of ChatGPT, Joining Other Companies Wary of Leaks (wsj.com) 22

Apple has restricted the use of ChatGPT and other external artificial intelligence tools for some employees as it develops its own similar technology, WSJ repors, citing an internet document and people familiar with the matter. From the report: Apple is concerned workers who use these types of programs could release confidential data, according to the document. Apple also told its employees not to use Microsoft-owned GitHub's Copilot, which automates the writing of software code, the document said. ChatGPT, created by Microsoft-backed OpenAI, is a chatbot derived from a so-called large language model that is able to answer questions, write essays and perform other tasks in humanlike ways. When people use these models, data is sent back to the developer to enable continued improvements, presenting the potential for an organization to unintentionally share proprietary or confidential information. OpenAI disclosed in March that it took ChatGPT temporarily offline because a bug allowed some users to see the titles from a user's chat history.
Security

Microsoft Will Take Nearly a Year To Finish Patching New 0-Day Secure Boot Bug (arstechnica.com) 48

An anonymous reader quotes a report from Ars Technica: Earlier this week, Microsoft released a patch to fix a Secure Boot bypass bug used by the BlackLotus bootkit we reported on in March. The original vulnerability, CVE-2022-21894, was patched in January, but the new patch for CVE-2023-24932 addresses another actively exploited workaround for systems running Windows 10 and 11 and Windows Server versions going back to Windows Server 2008. The BlackLotus bootkit is the first-known real-world malware that can bypass Secure Boot protections, allowing for the execution of malicious code before your PC begins loading Windows and its many security protections. Secure Boot has been enabled by default for over a decade on most Windows PCs sold by companies like Dell, Lenovo, HP, Acer, and others. PCs running Windows 11 must have it enabled to meet the software's system requirements.

Microsoft says that the vulnerability can be exploited by an attacker with either physical access to a system or administrator rights on a system. It can affect physical PCs and virtual machines with Secure Boot enabled. We highlight the new fix partly because, unlike many high-priority Windows fixes, the update will be disabled by default for at least a few months after it's installed and partly because it will eventually render current Windows boot media unbootable. The fix requires changes to the Windows boot manager that can't be reversed once they've been enabled. Additionally, once the fixes have been enabled, your PC will no longer be able to boot from older bootable media that doesn't include the fixes. On the lengthy list of affected media: Windows install media like DVDs and USB drives created from Microsoft's ISO files; custom Windows install images maintained by IT departments; full system backups; network boot drives including those used by IT departments to troubleshoot machines and deploy new Windows images; stripped-down boot drives that use Windows PE; and the recovery media sold with OEM PCs.

Not wanting to suddenly render any users' systems unbootable, Microsoft will be rolling the update out in phases over the next few months. The initial version of the patch requires substantial user intervention to enable -- you first need to install May's security updates, then use a five-step process to manually apply and verify a pair of "revocation files" that update your system's hidden EFI boot partition and your registry. These will make it so that older, vulnerable versions of the bootloader will no longer be trusted by PCs. A second update will follow in July that won't enable the patch by default but will make it easier to enable. A third update in "first quarter 2024" will enable the fix by default and render older boot media unbootable on all patched Windows PCs. Microsoft says it is "looking for opportunities to accelerate this schedule," though it's unclear what that would entail.

Bug

DEF CON To Set Thousands of Hackers Loose On LLMs (theregister.com) 18

An anonymous reader quotes a report from The Register: This year's DEF CON AI Village has invited hackers to show up, dive in, and find bugs and biases in large language models (LLMs) built by OpenAI, Google, Anthropic, and others. The collaborative event, which AI Village organizers describe as "the largest red teaming exercise ever for any group of AI models," will host "thousands" of people, including "hundreds of students from overlooked institutions and communities," all of whom will be tasked with finding flaws in LLMs that power today's chat bots and generative AI. Think: traditional bugs in code, but also problems more specific to machine learning, such as bias, hallucinations, and jailbreaks -- all of which ethical and security professionals are now having to grapple with as these technologies scale. DEF CON is set to run from August 10 to 13 this year in Las Vegas, USA.

For those participating in the red teaming this summer, the AI Village will provide laptops and timed access to LLMs from various vendors. Currently this includes models from Anthropic, Google, Hugging Face, Nvidia, OpenAI, and Stability. The village people's announcement also mentions this is "with participation from Microsoft," so perhaps hackers will get a go at Bing. We're asked for clarification about this. Red teams will also have access to an evaluation platform developed by Scale AI. There will be a capture-the-flag-style point system to promote the testing of "a wide range of harms," according to the AI Village. Whoever gets the most points wins a high-end Nvidia GPU. The event is also supported by the White House Office of Science, Technology, and Policy; America's National Science Foundation's Computer and Information Science and Engineering (CISE) Directorate; and the Congressional AI Caucus.

Security

Ex-Uber Security Chief Gets Probation for Concealing 2016 Data Breach (axios.com) 8

A judge sentenced Joe Sullivan, the former chief security officer at Uber, to three years' probation and 200 hours of community service on Thursday for covering up a 2016 cyberattack from authorities and obstructing a federal investigation. From a report: Sullivan's case is likely the first time a security executive has faced criminal charges for mishandling a data breach, and the response to Sullivan's case has split the cybersecurity community. In October, a jury found Sullivan guilty of obstructing an active FTC investigation into Uber's security practices and concealing a 2016 data breach that affected 50 million riders and drivers. Uber paid the hackers $100,000 to not release any stolen data and keep the attack quiet. Sullivan and his team routed the payment through the company's bug bounty program, which good-faith security researchers usually use to report flaws. The hack wasn't publicly disclosed until 2017, shortly after Dara Khosrowshahi stepped into the CEO role.

Khosrowshahi fired Sullivan in 2017, telling the jury last fall that he thought the decision to conceal the breach was "the wrong decision." Sullivan then joined Cloudflare as its chief security officer in 2018, and he stayed there until July 2022 when he stepped down to prepare for his trial. "If I have a similar case tomorrow, even if the defendant had the character of Pope Francis, they would be going to prison," Judge William Orrick said during the sentencing on Thursday. "When you go out and talk to your friends, to your CISOs, you tell them that you got a break not because of what you did, not even because of who you are, but because this was just such an unusual one-off," Orrick added.

Microsoft

The Microsoft Surface Duo Is in Trouble (windowscentral.com) 41

Zac Bowden, reporting for WindowsCentral: Microsoft's dual-screen foldable smartphone has seemingly been abandoned. At least, that's how it looks on the outside. The last major software update the Surface Duo received was in October 2022, when the company delivered Android 12L. Since then, movement on new features and bug fixes has pretty much ground to a halt. A major OS update often comes with a couple of months of bug fixing afterward to iron out any new issues that may have popped up with all the new changes that a major OS release brings. That's not the case with Android 12L on the Surface Duo. Microsoft pushed out this update and has fixed just one bug since. Android 12L for Surface Duo was not a perfect release, and it did introduce new issues users assumed would be fixed in due course, but that hasn't happened.

The company has continued to release Android security updates, but the changelogs for these monthly updates make no mention of general OS fixes or improvements, which implies Microsoft is doing the bare minimum for these releases. Even then, the bare minimum clearly wasn't enough in April, as the Surface Duo failed to receive the April 2023 security update, marking the first time since the device launched that Microsoft has failed to issue an up-to-date security patch for the device. And it's not just the OS that's being neglected, Microsoft's own Android app teams seem to have abandoned the Surface Duo too. SwiftKey just recently got updated with Bing AI capabilities, which is awesome and it works across a wide range of Android smartphones, including the latest Samsung devices. But the feature is not available on Surface Duo.

Advertising

Facebook Advertisers Angry About Major Glitch That Temporarily Spiked Prices (gizmodo.com) 45

Last weekend around 2 a.m. Sunday, "Facebook's advertising system went haywire," reports Gizmodo, "overcharging customers and wasting money on ads that didn't work." Reports suggest Meta, the social network's parent company, charged some advertisers more than double what they agreed to pay, ranging from hundreds to hundreds of thousands of dollars. Meta briefly stopped showing ads on part of its network with practically zero communication to its millions of customers.

The company confirmed the bug happened and promised to follow its "normal refund process," but shared very little about what went wrong.

A Meta spokesperson described it as "a technical issue that has now been resolved" (adding that the glitch also appeared to a lesser extent on Instagram).

But Alex Golick, the CEO of marketing agency Intensify told CNBC it was the worst Facebook glitch he'd seen in the decade he's worked in digital advertising — with one client burning through 90% of its ad budget by 9 a.m. And his entire customer base had similar problems: Golick said that all those advertisers had essentially just wasted most of their money for the day, spending roughly triple the amount they normally would to acquire a customer. "The results were horrendous," Golick told CNBC...

For brands that are already lowering ad costs to manage through a sluggish economy and a mobile ad market that no longer allows for targeting based on user data, Facebook's miscue is more than just an unfortunate blip. In low-margin industries, where every dollar counts, it can turn a profitable weekend into a big loser, while also raising further questions about the reliability of Facebook's ad systems...

Data analytics and marketing firm Varos provided data showing that, of the more than 3,000 ecommerce and direct-to-consumer companies that use its technology, the software bug caused a majority of them to experience a rise in cost per thousand impressions, or what those in the industry call CPMs. About 36% of companies were "very significantly impacted" by the bug, meaning their CPMs at least doubled, Varos said...

Varos CEO Yarden Shaked the glitch resulted in a "bidding war for nothing." Data about the glitch provided by the advertising technology firm Proxima on 108 companies also revealed that these firms spent their "entire day's budget in the first few hours of the day," the company said...

Chrome

Google Releases Emergency Chrome Security Update (hothardware.com) 29

"Earlier this week, Google released an emergency security update for the Chrome browser due to a vulnerability that is being actively exploited in the wild," reports Hot Hardware: On Friday, Google highlighted CVE-2023-2033, reported by Clément Lecigne of Google's own Threat Analysis Group (TAG). This vulnerability is a 'type confusion' bug in the JavaScript engine for Chromium browsers useing the V8 Javascript engine. In short, type confusion is a bug that allows memory to be accessed with the wrong type, allowing for the reading or writing of memory out of bounds. The CVE page says that an attacker could create an HTML page that allows the exploitation of heap corruption.

While there is no Common Vulnerability Scoring System (CVSS) score attached to the vulnerability yet, Google is tracking this as a "high" severity issue. This is likely due in part to the fact that "Google is aware that an exploit for CVE-2023-2033 exists in the wild."

The article notes that Chrome updates are generally done automatically, but you can also check for updates by clicking Chrome's three-dots menu in the top-right corner, then "Help" and "About Chrome."
Cloud

New Spectre-Related 'Medium Severity' Flaw Patched in Linux Kernel (theregister.com) 11

"The Spectre vulnerability that has haunted hardware and software makers since 2018 continues to defy efforts to bury it," reports the Register: On Thursday, Eduardo (sirdarckcat) Vela Nava, from Google's product security response team, disclosed a Spectre-related flaw in version 6.2 of the Linux kernel. The bug, designated medium severity, was initially reported to cloud service providers — those most likely to be affected — on December 31, 2022, and was patched in Linux on February 27, 2023.

"The kernel failed to protect applications that attempted to protect against Spectre v2, leaving them open to attack from other processes running on the same physical core in another hyperthread," the vulnerability disclosure explains. The consequence of that attack is potential information exposure (e.g., leaked private keys) through this pernicous problem....

Spectre v2 — the variant implicated in this particular vulnerability — relies on timing side-channels to measure the misprediction rates of indirect branch prediction in order to infer the contents of protected memory. That's far from optimal in a cloud environment with shared hardware... The bug hunters who identified the issue found that Linux userspace processes to defend against Spectre v2 didn't work on VMs of "at least one major cloud provider."

Privacy

The US Cracked a $3.4 Billion Crypto Heist - and Bitcoin's Anonymity (wsj.com) 59

Federal authorities are making arrests and seizing funds with the help of new tools to identify criminals through cryptocurrency transactions. From a report: James Zhong appeared to have pulled off the perfect crime. In December 2012, he stumbled upon a software bug while withdrawing money from his account on Silk Road, an online marketplace used to hide criminal dealings behind the seemingly bulletproof anonymity of blockchain transactions and the dark web. Mr. Zhong, a 22-year-old University of Georgia computer-science student at the time, used the site to buy cocaine. "I accidentally double-clicked the withdraw button and was shocked to discover that it resulted in allowing me to withdraw double the amount of bitcoin I had deposited," he later said in federal court. After the first fraudulent withdrawal, Mr. Zhong created new accounts and with a few hours of work stole 50,000 bitcoins worth around $600,000, court papers from federal prosecutors show.

Federal officials closed Silk Road a year later on criminal grounds and seized computers that held its transaction records. The records didn't reveal Mr. Zhong's caper at first. Authorities hadn't yet mastered how to track people and groups hidden behind blockchain wallet addresses, the series of letters and numbers used to anonymously send and receive cryptocurrency. One elemental feature of the system was the privacy it gave users. Mr. Zhong moved the stolen bitcoins from one account to another for eight years to cover his tracks. By late 2021, the red-hot crypto market had raised the value of his trove to $3.4 billion. In November 2021, federal agents surprised Mr. Zhong with a search warrant and found the digital keys to his crypto fortune hidden in a basement floor safe and a popcorn tin in the bathroom. Mr. Zhong, who pleaded guilty to wire fraud, is scheduled to be sentenced Friday in New York federal court, where prosecutors are seeking a prison sentence of less than two years.

Mr. Zhong's case is one of the highest-profile examples of how federal authorities have pierced the veil of blockchain transactions. Private and government investigators can now identify wallet addresses associated with terrorists, drug traffickers, money launderers and cybercriminals, all of which were supposed to be anonymous. Law-enforcement agencies, working with cryptocurrency exchanges and blockchain-analytics companies, have compiled data gleaned from earlier investigations, including the Silk Road case, to map the flow of cryptocurrency transactions across criminal networks worldwide. In the past two years, the U.S. has seized more than $10 billion worth of digital currency through successful prosecutions, according to the Internal Revenue Service -- in essence, by following the money. Instead of subpoenas to banks or other financial institutions, investigators can look to the blockchain for an instant snapshot of the money trail.

Firefox

Windows Defender Finally Squashes Firefox Bug That Ate CPUs For 5 Years (pcworld.com) 85

An anonymous reader shares a report: Firefox has a reputation of being something of a resource hog, even among modern browsers. But it might not be entirely earned, because it looks like a CPU bug affecting Firefox users on Windows was actually the fault of Windows Defender. The latest update to the ubiquitous security tool addresses the issue, and should result in measurably lower CPU usage for the Windows version of Firefox. According to Mozilla senior software engineer Yannis Juglaret, the culprit was MsMpEng.exe, which you might recognize from your Task Manager. It handles the Real-Time protection feature that monitors web activity for malicious threats.

The bug was causing Firefox to call on the service much more frequently than comparable browsers like Chrome or Edge, resulting in notable CPU spikes. Said CPU spikes could reduce performance in other applications or affect a laptop's battery life. The issue was first reported on Mozilla's bug tracker system way back in 2018 and quickly assigned to the MsMpEng service, but some more recent and diligent documentation on the part of Juglaret resulted in more swift action from Microsoft's developers.

Operating Systems

OpenBSD 7.3 Released (openbsd.org) 135

metrix007 writes: OpenBSD, the OS that earned an exaggerated reputation for security simply by disabling services by default, has released version 7.3. Plenty of new improvements and bug fixes including to the editor, although still no real security features to help lock down a system, no virtual machine support for non-OpenBSD guests and no modern file system.
Iphone

Texas Dad Says 'Find My iPhone' Glitch is Directing Angry Strangers to his Home (abc13.com) 161

An anonymous reader shares a report from the New York Post: A supposed glitch in the popular "Find My iPhone" app has been directing random strangers to the home of an unsuspecting Texas dad at all hours of the day, falsely accusing him of stealing their electronic devices.

[Software engineer] Scott Schuster told the local news station KTRK that he's been visited by close to a dozen irate people over the past few years, telling him that their missing phone had last pinged at his address. "[I] had to wake up and go answer the door and explain to them that I didn't have their device, and people don't tend to believe you," the dad of two told the outlet.

The Texas resident tells KTRK that his biggest concern was "someone coming to the house potentially with a weapon."

And the same station reports that local sheriff Eric Fagan "said he was so shocked and concerned that he informed his patrol units and dispatchers, just in case anyone called about the address." "Apple needs to do more about this," Fagan said. "Please come out and check on this. This is your expertise. Mine is criminal and keeping our public safe here in Fort Bend County." Fagan added that Apple doing nothing puts a family's safety in jeopardy. "I would ask them to come out and see what they can do. It should be taken seriously. You are putting innocent lives at risk," he said....

There have been other high-profile device pinging errors elsewhere in the country, with at least one that brought armored vehicles to a neighborhood. In 2021, body camera footage captured a Denver police SWAT team raiding the home of a 77-year-old woman in Colorado over a false ping on the app. Denver officers believed she had stolen guns connected to a car theft after tracking a stolen iPhone to her address using the Find My app. That woman later sued the lead detective.

ABC13 has tried contacting the software giant since Tuesday. Someone called back, so we know they are aware of the incident. Still, no one has said if they are going to fix the issue, or at the very least, look into the matter.

Slashdot Top Deals