Medicine

Major Test of First Possible Lyme Vaccine In 20 Years Begins (apnews.com)

An anonymous reader quotes a report from The Associated Press: Researchers are seeking thousands of volunteers in the U.S. and Europe to test the first potential vaccine against Lyme disease in 20 years -- in hopes of better fighting the tick-borne threat. Lyme is a growing problem, with cases rising and warming weather helping ticks expand their habitat. While a vaccine for dogs has long been available, the only Lyme vaccine for humans was pulled off the U.S. market in 2002 for lack of demand, leaving people to rely on bug spray and tick checks. Now Pfizer and French biotech Valneva are aiming to avoid previous pitfalls in developing a new vaccine to protect both adults and kids as young as 5 from the most common Lyme strains on two continents.

Most vaccines against other diseases work after people are exposed to a germ. The Lyme vaccine offers a different strategy -- working a step earlier to block a tick bite from transmitting the infection, said Dr. Gary Wormser, a Lyme expert at New York Medical College who isn't involved with the new research. How? It targets an "outer surface protein" of the Lyme bacterium called OspA that's present in the tick's gut. It's estimated a tick must feed on someone for about 36 hours before the bacteria spreads to its victim. That delay gives time for antibodies the tick ingests from a vaccinated person's blood to attack the germs right at the source.

In small, early-stage studies, Pfizer and Valneva reported no safety problems and a good immune response. The newest study will test if the vaccine, called VLA15, really protects and is safe. The companies aim to recruit at least 6,000 people in Lyme-prone areas including the Northeast U.S. plus Finland, Germany, the Netherlands, Poland and Sweden. They'll receive three shots, either the vaccine or a placebo, between now and next spring's tick season. A year later, they'll get a single booster dose.

Bug

Windows 11 Encryption Bug Could Cause Data Loss, Temporary Slowdowns On Newer PCs (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Microsoft has published a knowledge base article acknowledging a problem with encryption acceleration in the newest versions of Windows that could result in data corruption. The company recommends installing the June 2022 security updates for Windows 11 and Windows Server 2022 "to prevent further damage," though there are no suggested solutions for anyone who has already lost data because of the bug.

The problems only affect relatively recent PCs and servers that support Vector Advanced Encryption Standard (VAES) instructions for accelerating cryptographic operations. Microsoft says affected systems use AES-XTS or AES-GCM instructions "on new hardware." Part of the AVX-512 instruction set, VAES instructions are supported by Intel's Ice Lake, Tiger Lake, Rocket Lake, and Alder Lake architectures -- these power some 10th-generation Core CPUs for laptops, as well as all 11th- and 12th-gen Core CPUs. AMD's upcoming Zen 4 architecture also supports VAES, though by the time these chips are released in the fall, the patches will have had plenty of time to proliferate. Microsoft says that the problem was caused when it added "new code paths" to support the updated encryption instructions in SymCrypt, Windows' cryptographic function library. These code paths were added in the initial release of Windows 11 and Windows Server 2022, so the problem shouldn't affect older versions like Windows 10 or Windows Server 2019.

The initial fix for the problem, provided in Windows' June 2022 security update package (Windows 11 build 22000.778), will prevent further damage at the cost of reduced performance, suggesting that the initial fix was to disable encryption acceleration on these processors entirely. Using BitLocker-encrypted disks or the Transport Layer Security (TLS) protocol or accessing encrypted storage on servers will all be slower with the first patch installed, though installing the July 2022 security updates (Windows 11 build 22000.795) should restore performance to its previous level.

Intel

SGX, Intel's Supposedly Impregnable Data Fortress, Has Been Breached Yet Again (arstechnica.com)

Intel's latest generation of CPUs contains a vulnerability that allows attackers to obtain encryption keys and other confidential information protected by the company's software guard extensions, the advanced feature that acts as a digital vault for securing users' most sensitive secrets. From a report: Abbreviated as SGX, the protection is designed to provide a fortress of sorts for the safekeeping of encryption keys and other sensitive data, even when the operating system or a virtual machine running on top is maliciously compromised. SGX works by creating trusted execution environments that protect sensitive code and the data it works with from monitoring or tampering by anything else on the system.

SGX is a cornerstone of the security assurances many companies provide to users. Servers used to handle contact discovery for the Signal Messenger, for instance, rely on SGX to ensure the process is anonymous. Signal says running its advanced hashing scheme provides a "general recipe for doing private contact discovery in SGX without leaking any information to parties that have control over the machine, even if they were to attach physical hardware to the memory bus." The example is purely hypothetical. Signal spokesperson Jun Harada wrote in an email: "Intel alerted us to this paper... and we were able to verify that the CPUs that Signal uses are not impacted by the findings of this paper and therefore are not vulnerable to the stated attack." Key to the security and authenticity assurances of SGX is its creation of what are called "enclaves," or blocks of secure memory. Enclave contents are encrypted before they leave the processor and are written to RAM. They are decrypted only after they return. The job of SGX is to safeguard the enclave memory and block access to its contents by anything other than the trusted part of the CPU.

Twitter

Twitter Confirms Vulnerability Exposed Data of Anonymous Account Owners (twitter.com)

Friday the Twitter Privacy Center posted an announcement on their blog:

"We want to let you know about a vulnerability that allowed someone to enter a phone number or email address into the log-in flow in the attempt to learn if that information was tied to an existing Twitter account, and if so, which specific account. We take our responsibility to protect your privacy very seriously and it is unfortunate that this happened...."

Engadget explains: [T]he company said a malicious actor took advantage of a zero-day flaw before Twitter became aware of and patched the issue in January 2022. The vulnerability was discovered by a security researcher who contacted Twitter through the company's bug bounty program. When Twitter first learned of the flaw, it said it had "no evidence" to suggest it had been exploited. However, an individual told Bleeping Computer last month that they took advantage of the vulnerability to obtain data on more than 5.4 million accounts. Twitter said it could not confirm how many users were affected by the exposure.

From the Twitter Privacy Center: This bug resulted from an update to our code in June 2021. When we learned about this, we immediately investigated and fixed it. At that time, we had no evidence to suggest someone had taken advantage of the vulnerability.... After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.

We will be directly notifying the account owners we can confirm were affected by this issue. We are publishing this update because we aren't able to confirm every account that was potentially impacted, and are particularly mindful of people with pseudonymous accounts who can be targeted by state or other actors.

If you operate a pseudonymous Twitter account, we understand the risks an incident like this can introduce and deeply regret that this happened. To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.
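The flaw Twitter describes is an account-existence oracle in the log-in flow: the response itself tells the caller whether an identifier is linked to an account, and to which one. As an added illustration (not Twitter's code; the directory, identifiers and handles are constructed), here is that leaky pattern beside a uniform-response version that gives the same reply either way:

```javascript
// Added example (not Twitter's code): a log-in lookup that answers differently
// for known and unknown identifiers is an enumeration oracle; the hardened
// variant returns one fixed reply and does existence-dependent work out of band.

// Constructed sample directory: identifier -> pseudonymous account handle.
const ACCOUNTS = new Map([
  ["alice@example.org", "@alice_pseudonym"],
  ["+15555550123", "@whistleblower42"],
]);

// Leaky variant: reveals both existence and the linked handle in the reply.
function leakyLookup(identifier) {
  const handle = ACCOUNTS.get(identifier);
  if (handle === undefined) {
    return { status: "unknown", message: "No account found" };
  }
  return { status: "found", message: `Continue as ${handle}`, handle };
}

// Hardened variant: identical shape and text whether or not the identifier is
// linked. Sending the code is a side effect that never shows in the response,
// so an unauthenticated caller learns nothing from it.
function uniformLookup(identifier, sendCode = () => {}) {
  const handle = ACCOUNTS.get(identifier);
  if (handle !== undefined) {
    sendCode(identifier, handle); // out-of-band delivery only
  }
  return {
    status: "accepted",
    message: "If this identifier is linked to an account, a sign-in code has been sent.",
  };
}

// Oracle check used in review: can a caller distinguish a known identifier
// from an unknown one purely by comparing the two responses?
function isEnumerable(lookup, knownId, unknownId) {
  return JSON.stringify(lookup(knownId)) !== JSON.stringify(lookup(unknownId));
}
```

Response uniformity is necessary but not sufficient; a real deployment also needs rate limiting and equal response timing, which this snippet does not model.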

Bug

Microsoft Outlook Is Crashing When Reading Uber Receipt Emails (bleepingcomputer.com)

Microsoft says the Outlook email client will crash when opening and reading emails with tables such as Uber receipt emails. BleepingComputer reports: "When opening, replying, or forwarding some emails that include complex tables, Outlook stops responding," the company explains in a support document. To make matters worse, emails with the same table contents will also cause the Microsoft Word app to stop responding. While the known issue affects Microsoft 365 customers in the Current Channel Version 2206 Build 15330.20196 and higher, it can also trigger freezes in current Beta and Current Channel Preview builds. The Microsoft Word team has already developed a fix that will be released to Beta channel customers soon, after undergoing verification. Microsoft added that customers using Outlook versions in the Current Channel would receive the fix as part of this month's Patch Tuesday, on August 9, 2022. For those unable to wait for the fix, Microsoft has provided a workaround that requires users to revert to an older build.

Chrome

Google Chrome Security Update Fixes 'High Risk' Flaws (zdnet.com)

"Google has released security updates for Google Chrome browser for Windows, Mac and Linux, addressing vulnerabilities that could allow a remote attacker to take control of systems," reports ZDNet: There are 11 fixes in total, including five that are classed as high-severity. As a result, CISA has issued an alert encouraging IT administrators and regular users to install the updates as soon as possible to ensure their systems are not vulnerable to the flaws.

Among the most severe vulnerabilities that are patched by the Google Chrome update is CVE-2022-2477, a vulnerability caused by a use-after-free flaw in Guest View, which could allow a remote attacker to execute arbitrary code on systems or crash them... Another of the vulnerabilities, CVE-2022-2480, relates to a use-after-free flaw in the Service Worker API, which acts as a proxy server that sits between web applications, the browser and the network in order to improve offline experiences, among other things.

Advertising

Companies are Subtly Tricking Users Online with 'Dark Patterns' (cnn.com)

CNN reports: An "unsubscribe" option that's a little too hard to find. A tiny box you click, thinking it simply takes you to the next page, but it also grants access to your data. And any number of unexpected charges that appear during checkout that weren't made clearer earlier in the process. Countless popular websites and apps, from retailers and travel services to social media companies, make use of so-called "dark patterns," or gently coercive design tactics that critics say are used to manipulate people's digital behaviors.

The term "dark patterns" was coined by Harry Brignull, a U.K.-based user experience specialist and researcher of human-computer interactions. Brignull began noticing that when he reported to one of his clients that most test subjects felt deceived by an aspect of their website or app design, the client seemed to welcome the feedback. "That was always intriguing for me as a researcher, because normally the name of the game is to find the flaws and fix them," Brignull told CNN Business. "Now we're finding 'flaws' that the client seems to like, and want to keep."

To put it in the parlance of Silicon Valley, he realized it was a feature, not a bug....

Brignull, for his part, said he has spent time testifying as an expert witness in some class action lawsuits related to dark patterns in the UK. "The scams don't work when the victim knows what the scammer is trying to do," Brignull said. "If they know what the scam is, then they're not going to get taken in — and that's why I've enjoyed so much exposing these things, and showing it to other consumers."

The article notes that America's Federal Trade Commission "is ramping up its enforcement in response to 'a rising number of complaints about the financial harms caused by deceptive sign-up tactics, including unauthorized charges or ongoing billing that is impossible to cancel.'"

Twitter

Twitter Outage Hits Thousands, Downdetector Reports (bloomberg.com)

Twitter faced a brief outage on Thursday, leaving thousands of users without service for about an hour. From a report: At the peak, at 8:20 a.m. in New York, 54,582 users reported problems on Downdetector.com, an outage tracking platform. Twitter's website displayed an error message and prompted users to reload the page. It wasn't immediately clear what caused the outage. A message on Twitter's support account posted at 9:10 a.m. said: "Some of you are having issues accessing Twitter and we're working to get it back up and running for everyone. Thanks for sticking with us." By 9:16 a.m., about 1,600 users reported they were still having trouble. The last time Twitter faced an outage was in February, when the site crashed due to a "technical bug" on the page. In its early days, Twitter was famous for crashing amid high traffic, leading to the iconic "fail whale" image that popped up when service was down.

Microsoft

Microsoft's xCloud Game Streaming Looks Worse On Linux Than Windows (arstechnica.com)

As noted by a Reddit user and confirmed by Ars Technica, Microsoft's xCloud game streaming looks noticeably worse when running on Linux than Windows. From the report: With the Linux User-Agent, edges are generally less sharp and colors are a little more washed out. The difference is even more apparent if you zoom in on the Forza logo and menu text, which shows a significant reduction in clarity. Interestingly, the dip in quality seems to go away if you enable "Clarity Boost," an Edge-exclusive feature that "provid[es] the optimal look and feel while playing Xbox games from the cloud," according to Microsoft. That's great for Linux users who switched over to Microsoft Edge when it launched on Linux last November. But Linux users who stick with Firefox, Chrome, or other browsers are currently stuck with apparently reduced streaming quality.

That Linux quality dip has led some to speculate that Microsoft is trying to reserve the best xCloud streaming performance for Windows machines in an attempt to attract more users to its own operating system. But using a Macintosh User-Agent string provides streaming performance similar to that on Windows, which would seem to be a big omission if that theory were true. Microsoft also hasn't published any kind of "best on Windows"-style marketing in promoting xCloud streaming, which would seemingly be a key component of trying to attract new Windows users. (The quality difference could be a roundabout attempt to get Linux users to switch to the Edge browser, where Clarity Boost offers the best possible quality. But that still wouldn't fully explain why Windows users on other browsers, without Clarity Boost, also get better streaming quality than their Linux brethren.)

Others have suggested that the downgrade could simply be a bug caused by Microsoft's naive parsing of the User-Agent strings. That's because the User-Agent strings for Android browsers generally identify themselves as some version of Linux ("Linux; Android 11; HD1905," for example). Microsoft's xCloud code might simply see the "Linux" in that string, assume the user is running Android, then automatically throttle the streaming quality to account for the (presumably) reduced screen size of an Android phone or tablet.
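The naive-parsing theory above is easy to reproduce. The following is an added example, not Microsoft's xCloud code: a classifier that keys on the substring "Linux" (so every desktop Linux browser gets the reduced profile) beside one that looks at the platform tokens, where only an explicit "Android" or "Mobile" marker selects the reduced profile. The Android platform fragment is the one quoted in the article; the full User-Agent strings and the profile names are constructed for this example.

```javascript
// Added example (not Microsoft's code): why matching "Linux" anywhere in a
// User-Agent string misfiles desktop Linux browsers as Android handsets, and a
// token-based check that does not.

// Constructed sample User-Agent strings (the "Linux; Android 11; HD1905"
// platform fragment is the one the article quotes).
const SAMPLE_UAS = {
  androidChrome:
    "Mozilla/5.0 (Linux; Android 11; HD1905) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Mobile Safari/537.36",
  linuxFirefox:
    "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
  linuxChrome:
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36",
  windowsEdge:
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36 Edg/103.0.1264.37",
  macSafari:
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15",
};

// Naive classifier of the kind the article speculates about: any "Linux" in
// the string is treated as a small-screen Android device.
function naiveStreamProfile(ua) {
  return ua.includes("Linux") ? "mobile-reduced" : "desktop-full";
}

// Split the first parenthesised platform section into its ';'-separated tokens.
function platformTokens(ua) {
  const m = ua.match(/\(([^)]*)\)/);
  return m ? m[1].split(";").map((t) => t.trim()) : [];
}

// Token-based classifier: an "Android ..." platform token or a standalone
// "Mobile" product token marks a handset; bare "Linux"/"X11" is a desktop.
function tokenStreamProfile(ua) {
  const isAndroid = platformTokens(ua).some((t) => t.startsWith("Android"));
  const isMobileToken = /\bMobile\b/.test(ua);
  return isAndroid || isMobileToken ? "mobile-reduced" : "desktop-full";
}
```

Either way this is heuristic sniffing of a client-controlled header; a service that must adapt quality to the display should ask for the actual viewport rather than infer it from the platform name.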

Red Hat Software

PulseAudio and Systemd Creator, Lennart Poettering, Reportedly Leaves Red Hat (phoronix.com)

To much surprise, the lead developer of systemd, Lennart Poettering, who also led the creation of PulseAudio and Avahi and has been a prolific free software contributor, has reportedly left Red Hat. Michael Larabel writes via Phoronix: So far no public announcement appears to have been made, but according to a source he has reportedly been removed from Red Hat's internal employee database. Yesterday Lennart did comment on the public Fedora devel mailing list that he has now created a personal Red Hat Bugzilla account for his Fedora contributions, after it was raised in bug reports and brought up on the mailing list that Lennart's Red Hat account is disabled. Emailing his Red Hat address this morning indeed yields an auto-response that it's no longer in use.

He's still active in systemd world with new commits made as of today, so it will be interesting to see where he ends up or his next moves with his vast Linux ecosystem expertise and pivotal role in spearheading systemd's direction.

Security

How Bug Bounty Platform HackerOne Handled Its Own 'Internal Threat' Actor (hackerone.com)

Bug bounty platform HackerOne has "a steadfast commitment to disclosing security incidents," according to a new blog post, "because we believe that sharing security information far and wide is essential to building a safer internet."

But now they've had an incident of their own: On June 22nd, 2022, a customer asked us to investigate a suspicious vulnerability disclosure made outside of the HackerOne platform. The submitter of this off-platform disclosure reportedly used intimidating language in communication with our customer. Additionally, the submitter's disclosure was similar to an existing disclosure previously submitted through HackerOne... Upon investigation by the HackerOne Security team, we discovered a then-employee had improperly accessed security reports for personal gain. The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties.

This is a clear violation of our values, our culture, our policies, and our employment contracts. In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data. We have since terminated the employee, and further bolstered our defenses to avoid similar situations in the future. Subject to our review with counsel, we will also decide whether criminal referral of this matter is appropriate.

The blog post includes a detailed timeline of HackerOne's investigation. (They remotely locked the laptop, later taking possession of it for analysis, along with reviewing all data accessed "during the entirety of their two and a half months of employment" and notification of seven customers "known or suspected to be in contact with threat actor.")

"We are confident the insider access is now contained," the post concludes — outlining how they'll respond and the lessons learned. "We are happy that our previous investments in logging enabled an expedient investigation and response.... To ensure we can proactively detect and prevent future threats, we are adding additional employees dedicated to insider threats that will bolster detection, alerting, and response for business operations that require human access to disclosure data...."

"We are allocating additional engineering resources to invest further in internal models designed to identify anomalous access to disclosure data and trigger proactive investigative responses.... We are planning additional simulations designed to continuously evaluate and improve our ability to effectively resist insider threats."

Role Playing (Games)

On NetHack's 35th Anniversary, It's Displayed at Museum of Modern Art (linkedin.com)

Switzerland-based software developer Jean-Christophe Collet writes: A long time ago I got involved with the development of NetHack, a very early computer role playing game, and soon joined the DevTeam, as we've been known since the early days. I was very active for the first 10 years then progressively faded out even though I am still officially (or semi-officially as there is nothing much really "official" about NetHack, but more on that later) part of the team.

This is how, as we were closing on the 35th anniversary of the project, I learned that NetHack was being added to the collection of the Museum of Modern Art of New York. It had been selected by the Architecture and Design department for its small collection of video games, and was going to be displayed as part of the Never Alone exhibition this fall.

From its humble beginnings as a fork of the 1982 dungeon-exploring game "Hack" (based on the 1980 game Rogue), NetHack influenced both Diablo and Torchlight, Collet writes. But that's just the beginning: It is one of the oldest open-source projects still in activity. It actually predates the term "open-source" (it was "free software" back then) and even the GPL by a few years. It is also one of the first, if not the first software project to be developed entirely over the Internet by a team distributed across the globe (hence the "Net" in "NetHack").

In the same spirit, it is one of the first projects to take feedback, suggestions, bug reports and bug fixes from the online community (mostly over UseNet at the time) long, long before tools like GitHub (or Git for that matter), BugZilla or Discord were even a glimmer of an idea in the minds of their creators....

So what did I learn working as part of the NetHack DevTeam?

First, I learned that you should always write clean code that you won't be embarrassed by, 35 years later, when it ends up in a museum....

Collet praises things like asynchronous communication and distributed teams, before closing with the final lesson he learned. "Having fun is the best way to boost your creativity and productivity to the highest levels.

"There is no substitute.... I am incredibly grateful to have been part of that adventure."

Security

The New Spectre-Like 'PACMAN' Flaw Could Affect ARM-Based Chips (including Apple's M1) (mit.edu)

"Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's 'last line of defense'," writes the Apple Insider blog, "but most Mac users shouldn't be worried." More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed "PACMAN." Pointer authentication is a security mechanism in Apple Silicon that makes it more difficult for attackers to modify pointers in memory. By checking for unexpected changes in pointers, the mechanism can help defend a CPU if attackers gain memory access.... The flaw comes into play when an attacker successfully guesses the value of a pointer authentication code and disables it.

The researchers found that they could use a side-channel attack to brute-force the code. PACMAN echoes similar speculative execution attacks like Spectre and Meltdown, which also leveraged microarchitectural side channels. Because it's a flaw in the hardware, it can't be fixed with a software patch.

[A]ctually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit. The flaw affects all kinds of ARM-based chips — not just Apple's. The vulnerability is more of a technological demonstration of a wider issue with pointer authentication in ARM chips, rather than an issue that could lead to your Mac getting hacked.

MIT has made more information available at the site PACMANattack.com — including answers to frequently asked questions.

Q: Is PACMAN being used in the wild?
A: No.
Q: Does PACMAN have a logo?
A: Yeah!

The MIT team says their discovery represents "a new way of thinking about how threat models converge in the Spectre era." But even then, MIT's announcement warns the flaw "isn't a magic bypass for all security on the M1 chip." PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug's true potential for use in an attack by finding the correct PAC. There's no cause for immediate alarm, the scientists say, as PACMAN cannot compromise a system without an existing software bug....

The team showed that the PACMAN attack even works against the kernel, which has "massive implications for future security work on all ARM systems with pointer authentication enabled," says Ravichandran. "Future CPU designers should take care to consider this attack when building the secure systems of tomorrow. Developers should take care to not solely rely on pointer authentication to protect their software."

TechCrunch obtained a comment from Apple: Apple spokesperson Scott Radcliffe provided the following: "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."

Programming

'Rust Is Hard, Or: The Misery of Mainstream Programming' (github.io)

Hirrolot's blog: When you use Rust, it is sometimes outright preposterous how much knowledge of language, and how much of programming ingenuity and curiosity you need in order to accomplish the most trivial things. When you feel particularly desperate, you go to rust/issues and search for a solution for your problem. Suddenly, you find an issue with an explanation that it is theoretically impossible to design your API in this way, owing to some subtle language bug. The issue is Open and dated Apr 5, 2017.

I entered Rust four years ago. To this moment, I co-authored teloxide and dptree, wrote several publications and translated a number of language release announcements. I also managed to write some production code in Rust, and had a chance to speak at one online meetup dedicated to Rust. Still, from time to time I find myself disputing with Rust's borrow checker and type system for no practical reason. Yes, I am no longer stupefied by such errors as cannot return reference to temporary value - over time, I developed multiple heuristic strategies to cope with lifetimes...

But one recent situation has made me fail ignominiously. [...]

Government

Supreme Court Seeks Biden Views on WhatsApp 'Pegasus' Spyware Dispute (reuters.com)

The U.S. Supreme Court on Monday asked President Joe Biden's administration to weigh in on whether the justices should hear a case on whether Meta Platforms' WhatsApp can pursue a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software. From a report: The justices are considering NSO's appeal of a lower court's decision allowing the lawsuit to move forward. NSO has argued that it is immune from being sued because it was acting as an agent for unidentified foreign governments when it installed the "Pegasus" spyware. WhatsApp has said the software was used for the surveillance of 1,400 people, including journalists, human rights activists and dissidents. The Supreme Court on Monday asked the Justice Department to file a brief offering its views on the legal issue.

Bug

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (wired.com)

"An actively exploited Microsoft zero-day flaw still has no patch," Wired wrote Friday (in an article they've designated as "free for a limited time only.")

Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute PowerShell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.

The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)

Friday Microsoft went into the vulnerability's official CVE report and added this update.

"Microsoft is working on a resolution and will provide an update in an upcoming release."

Linux

Lotus 1-2-3 Ported To Linux (techradar.com)

Lotus 1-2-3, an ancient spreadsheet program from Lotus Software (and later IBM), has been ported to a new operating system. drewsup writes: As reported by The Register, a Lotus 1-2-3 enthusiast called Tavis Ormandy (who is also a bug-hunter for Google Project Zero), managed to successfully port the program onto Linux, which seems to be quite the feat of reverse engineering. It's important to stress that this isn't an emulated program, but rather the original 1990 Lotus 1-2-3 for x86 Unix running natively on modern x86 Linux.

Chrome

Google is Rolling Out Chrome 102 with 32 Security Fixes, One Critical (zdnet.com)

This week Google began a rolling release for stable Chrome version 102 "with 32 security fixes for browser on Windows, Mac and Linux," reports ZDNet: Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There's one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also creates other fixes for issues found through internal testing...

The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB', an interface for applications to store data in a user's browser.... "My guess is that an attacker could construct a specially crafted website and take over the visitor's browser by manipulating the IndexedDB," says Pieter Arntz, a malware intelligence researcher at Malwarebytes. None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for it.

Google's Project Zero (GPZ) team last year counted 58 zero-day exploits for popular software in 2021. Twenty-five of these were in browsers, of which 14 affected Chrome. Google engineers argue zero-day counts are rising because vendors are improving detection, fixes and disclosure. However, GPZ researchers argue the industry as a whole is not making zero days hard enough for attackers, who often rely on tweaking existing flaws rather than being forced to conjure up entirely new exploitation methods.

Linux/Mac/Windows users of Chrome can check Help/About to see if the update has already rolled out to their system — or if they need to update manually.
Microsoft

Biggest Targets at Pwn2Own Event: Microsoft's Windows, Teams, and Ubuntu Desktop (hothardware.com) 17

As Pwn2Own Vancouver comes to a close, a whopping $1,115,000 has been awarded by Trend Micro and Zero Day Initiative. The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware — though "the biggest payouts were for serious exploits against Microsoft's Teams utility." While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000....

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public, because they're zero-days, after all. That means that they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.

With all the points totalled, the winner was Singapore-based cybersecurity company Star Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event).

A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.
Wireless Networking

New Bluetooth Hack Can Unlock All Kinds of Devices (arstechnica.com) 123

An anonymous reader quotes a report from Ars Technica: When you use your phone to unlock a Tesla, the device and the car use Bluetooth signals to measure their proximity to each other. Move close to the car with the phone in hand, and the door automatically unlocks. Move away, and it locks. This proximity authentication works on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range. Now, a researcher has devised a hack that allows him to unlock millions of Teslas -- and countless other devices -- even when the authenticating phone or key fob is hundreds of yards or miles away. The hack, which exploits weaknesses in the Bluetooth Low Energy standard adhered to by thousands of device makers, can be used to unlock doors, open and operate vehicles, and gain unauthorized access to a host of laptops and other security-sensitive devices.
[...]
[The] attack uses custom software and about $100 worth of equipment. [Sultan Qasim Khan, a principal security consultant and researcher at security firm NCC Group] has confirmed it works against the Tesla Model 3 and Model Y and Kevo smart locks marketed under the Kwikset and Weiser brand names. But he says virtually any BLE device that authenticates solely on proximity -- as opposed to also requiring user interaction, geolocation querying, or something else -- is vulnerable. "The problem is that BLE-based proximity authentication is used in places where it was never safe to do so," he explained. "BLE is a standard for devices to share data; it was never meant to be a standard for proximity authentication. However, various companies have adopted it to implement proximity authentication."

Because the threat isn't caused by a traditional bug or error in either the Bluetooth specification or an implementation of the standard, there's no CVE designation used to track vulnerabilities. Khan added: "In general, any product relying on BLE proximity authentication is vulnerable if it does not require user interaction on the phone or key fob to approve the unlock and does not implement secure ranging with time-of-flight measurement or comparison of the phone/key fob's GPS or cellular location relative to the location of the device being unlocked. GPS or cellular location comparison may also be insufficient to prevent short distance relay attacks (such as breaking into a home's front door or stealing a car from the driveway, when the owner's phone or key fob is inside the house)."
There are a few countermeasures one can take to mitigate this attack. "One mechanism is to check the location of the authenticating device to ensure that it is, in fact, physically close to the locked car or other device," reports Ars.

"Another countermeasure is to require the user to provide some form of input to the authenticating device before it's trusted." The phone's accelerometer could also be used to measure its movements.
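A defender-side illustration of the countermeasures described above, as an added example that is not code from NCC Group, Tesla or the article: the weak unlock policy (signal strength alone) beside a hardened one that requires user confirmation and a time-of-flight distance bound. The turnaround delay, thresholds and session values are constructed assumptions.

```python
"""Unlock-policy check for BLE proximity authentication.

Added example, not NCC Group's or Tesla's code. Models the weak policy the
article describes (unlock on signal strength alone) beside a hardened policy
that requires user confirmation and a time-of-flight distance bound. All
session values below are constructed for illustration.
"""
from dataclasses import dataclass

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0
# Assumed fixed turnaround delay inside the phone/key fob radio (constructed).
TURNAROUND_S = 2e-6


@dataclass
class UnlockSession:
    rssi_dbm: float         # received signal strength as seen by the lock
    rtt_s: float            # measured round-trip time of a ranging exchange
    user_confirmed: bool    # did the phone/fob require a tap to approve?


def tof_distance_m(rtt_s: float) -> float:
    """Estimate distance from round-trip time minus the fixed turnaround delay.
    A relay hop can only add latency, so the estimate can grow but never
    shrink: a far-away device cannot be made to look near."""
    return max(0.0, (rtt_s - TURNAROUND_S) * SPEED_OF_LIGHT_M_PER_S / 2)


def unlock_weak(s: UnlockSession) -> bool:
    """The pattern the article calls unsafe: RSSI above a threshold is taken
    as proof of proximity. A relay re-radiates the signal at full strength."""
    return s.rssi_dbm > -70


def unlock_hardened(s: UnlockSession, max_distance_m: float = 2.0) -> bool:
    """Require both countermeasures named in the article: explicit user
    interaction on the authenticating device and a secure-ranging bound."""
    return s.user_confirmed and tof_distance_m(s.rtt_s) <= max_distance_m


# Constructed sessions. The relayed one has a strong RSSI (the relay's own
# radio sits next to the lock) but about 10 us of added relay latency.
LEGIT = UnlockSession(rssi_dbm=-55, rtt_s=TURNAROUND_S + 1.3e-8, user_confirmed=True)
RELAYED = UnlockSession(rssi_dbm=-50, rtt_s=TURNAROUND_S + 1.0e-5, user_confirmed=False)

if __name__ == "__main__":
    for name, s in (("legit", LEGIT), ("relayed", RELAYED)):
        print(f"{name}: weak={unlock_weak(s)} hardened={unlock_hardened(s)} "
              f"distance={tof_distance_m(s.rtt_s):.1f} m")
```

The weak policy unlocks for both sessions; the hardened one rejects the relayed session because the time-of-flight estimate puts the authenticating device about 1.5 km away and no tap was recorded.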

The advisories published by NCC Group can be found here, here, and here.
