Government

Supreme Court Seeks Biden Views on WhatsApp 'Pegasus' Spyware Dispute (reuters.com) 30

The U.S. Supreme Court on Monday asked President Joe Biden's administration to weigh in on whether the justices should hear a case on whether Meta Platforms' WhatsApp can pursue a lawsuit accusing Israel's NSO Group of exploiting a bug in the messaging app to install spy software. From a report: The justices are considering NSO's appeal of a lower court's decision allowing the lawsuit to move forward. NSO has argued that it is immune from being sued because it was acting as an agent for unidentified foreign governments when it installed the "Pegasus" spyware. WhatsApp has said the software was used for the surveillance of 1,400 people, including journalists, human rights activists and dissidents. The Supreme Court on Monday asked the Justice Department to file a brief offering its views on the legal issue.
Bug

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (wired.com) 38

"An actively exploited Microsoft zero-day flaw still has no patch," Wired wrote Friday (in an article they've designated as "free for a limited time only.")

Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute PowerShell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.
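The chain described above (remote template in the .docx, fetched HTML, ms-msdt: protocol handler) can be checked for statically. The following is an added example written for this summary, not code from Wired, Microsoft or any researcher cited here: it parses the document's settings relationships for an external attachedTemplate target and looks for the ms-msdt: scheme in fetched HTML. The sample document and HTML are constructed inside the script and carry no real exploit parameters; the hostname template.example is a placeholder.

```python
"""Static checks for the Follina lure chain: a .docx whose settings.xml points
at an external (remote) template, and an HTML page that hands Windows a
ms-msdt: URL. Added example (not the page's or Microsoft's code); the document
and payload are constructed below and carry no real exploit parameters."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import unquote

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def external_template_targets(docx_bytes: bytes) -> List[str]:
    """Targets of attachedTemplate relationships marked TargetMode="External".
    Word fetches such a template when the document opens, which is how the
    lure pulls the attacker's HTML; a local template has no External mode."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return found
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("TargetMode") == "External"
                    and rel.get("Type") == ATTACHED_TEMPLATE):
                found.append(rel.get("Target", ""))
    return found


MSDT_SCHEME = re.compile(r"ms-msdt\s*:", re.IGNORECASE)


def html_invokes_msdt(html: str) -> bool:
    """True if the page contains the ms-msdt: scheme, raw or percent-encoded.
    That scheme is the protocol handler Microsoft's workaround removes."""
    return (MSDT_SCHEME.search(html) is not None
            or MSDT_SCHEME.search(unquote(html)) is not None)


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx; with a URL it carries a remote attachedTemplate
    relationship (no macros involved), with None it is a plain document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        if template_url is not None:
            rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                    f'<Relationships xmlns="{REL_NS}">'
                    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>'
                    '</Relationships>')
            z.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


# Constructed stand-in for the fetched page (parameters elided as "...").
SAMPLE_HTML = ('<html><body><script>'
               'window.location.href = "ms-msdt:/id PCWDiagnostic ...";'
               '</script></body></html>')


def scan(docx_bytes: bytes, fetched_html: str) -> dict:
    """Combine both indicators the way a gateway or sandbox rule would."""
    templates = external_template_targets(docx_bytes)
    msdt = html_invokes_msdt(fetched_html)
    return {"remote_template": templates,
            "msdt_in_payload": msdt,
            "suspicious": bool(templates) and msdt}


if __name__ == "__main__":
    doc = build_sample_docx("http://template.example/index.html")
    print(scan(doc, SAMPLE_HTML))
```

A remote template on its own is legitimate in some enterprises, so the document check is an indicator to pair with the fetched content, not a verdict; the ms-msdt: check is the part that matches what the protocol-handler mitigation disables.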

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.

The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)

Friday Microsoft went into the vulnerability's official CVE report and added this update.

"Microsoft is working on a resolution and will provide an update in an upcoming release."
Linux

Lotus 1-2-3 Ported To Linux (techradar.com) 91

Lotus 1-2-3, an ancient spreadsheet program from Lotus Software (and later IBM), has been ported to a new operating system. drewsup writes: As reported by The Register, a Lotus 1-2-3 enthusiast called Tavis Ormandy (who is also a bug-hunter for Google Project Zero), managed to successfully port the program onto Linux, which seems to be quite the feat of reverse engineering. It's important to stress that this isn't an emulated program, but rather the original 1990 Lotus 1-2-3 for x86 Unix running natively on modern x86 Linux.
Chrome

Google is Rolling Out Chrome 102 with 32 Security Fixes, One Critical (zdnet.com) 10

This week Google began a rolling release for stable Chrome version 102 "with 32 security fixes for browser on Windows, Mac and Linux," reports ZDNet: Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There's one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also creates other fixes for issues found through internal testing...

The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB', an interface for applications to store data in a user's browser.... "My guess is that an attacker could construct a specially crafted website and take over the visitor's browser by manipulating the IndexedDB," says Pieter Arntz, a malware intelligence researcher at Malwarebytes. None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for them.

Google's Project Zero (GPZ) team last year counted 58 zero-day exploits for popular software in 2021. Twenty-five of these were in browsers, of which 14 affected Chrome. Google engineers argue zero-day counts are rising because vendors are improving detection, fixes and disclosure. However, GPZ researchers argue the industry as a whole is not making zero days hard enough for attackers, who often rely on tweaking existing flaws rather than being forced to conjure up entirely new exploitation methods.

Linux/Mac/Windows users of Chrome can check Help/About to see if the update has already rolled out to their system — or if they need to update manually.
Microsoft

Biggest Targets at Pwn2Own Event: Microsoft's Windows, Teams, and Ubuntu Desktop (hothardware.com) 17

As Pwn2Own Vancouver comes to a close, a whopping $1,115,000 has been awarded by Trend Micro and Zero Day Initiative. The 15th anniversary edition saw 17 "contestants" attacking 21 targets, reports Hot Hardware — though "the biggest payouts were for serious exploits against Microsoft's Teams utility." While Teams isn't technically a part of Windows, it does come bundled with all new installs of Windows 11, which means that these exploits are practically Windows exploits. Hector "p3rr0" Peralta, Masato Kinugawa, and STAR Labs each earned $150,000 for major exploits of the utility.

Windows 11 itself wasn't spared, though. Marcin Wiazowski and STAR Labs each earned $40,000 for privilege escalation exploits on Microsoft's operating system on day one, and on day two, TO found a similar bug for a $40,000 payout of his own. Day three saw no less than three more fresh exploits against Windows 11, all in the serious privilege escalation category; all three winners pocketed another $40,000....

Other targets attacked at Pwn2Own 2022 included Mozilla Firefox (hacked), Apple Safari (hacked), and Ubuntu Desktop (hacked)... Of course, details of the hacks aren't made public, because they're zero-days, after all. That means that they haven't been patched yet, so releasing details of the exploits could allow malicious actors to make use of the bugs. Details will be revealed 3 months from now, during which time Microsoft, Tesla, Apple, and others should have their software all sewn up.

With all the points totalled, the winner was Singapore-based cybersecurity company Star Labs, which was officially crowned "Master of Pwn" on Saturday. "They won $270,000 and 27 points during the contest," explains the official Twitter feed for Zero Day Initiative (the judges for the event).

A blog post from Zero Day Initiative describes all 21 attacks, including six successful attacks against Windows, three successful attacks against Teams — and four against Ubuntu Desktop.
Wireless Networking

New Bluetooth Hack Can Unlock All Kinds of Devices (arstechnica.com) 123

An anonymous reader quotes a report from Ars Technica: When you use your phone to unlock a Tesla, the device and the car use Bluetooth signals to measure their proximity to each other. Move close to the car with the phone in hand, and the door automatically unlocks. Move away, and it locks. This proximity authentication works on the assumption that the key stored on the phone can only be transmitted when the locked device is within Bluetooth range. Now, a researcher has devised a hack that allows him to unlock millions of Teslas -- and countless other devices -- even when the authenticating phone or key fob is hundreds of yards or miles away. The hack, which exploits weaknesses in the Bluetooth Low Energy standard adhered to by thousands of device makers, can be used to unlock doors, open and operate vehicles, and gain unauthorized access to a host of laptops and other security-sensitive devices.
[...]
[The] attack uses custom software and about $100 worth of equipment. [Sultan Qasim Khan, a principal security consultant and researcher at security firm NCC Group] has confirmed it works against the Tesla Model 3 and Model Y and Kevo smart locks marketed under the Kwikset and Weiser brand names. But he says virtually any BLE device that authenticates solely on proximity -- as opposed to also requiring user interaction, geolocation querying, or something else -- is vulnerable. "The problem is that BLE-based proximity authentication is used in places where it was never safe to do so," he explained. "BLE is a standard for devices to share data; it was never meant to be a standard for proximity authentication. However, various companies have adopted it to implement proximity authentication."

Because the threat isn't caused by a traditional bug or error in either the Bluetooth specification or an implementation of the standard, there's no CVE designation used to track vulnerabilities. Khan added: "In general, any product relying on BLE proximity authentication is vulnerable if it does not require user interaction on the phone or key fob to approve the unlock and does not implement secure ranging with time-of-flight measurement or comparison of the phone/key fob's GPS or cellular location relative to the location of the device being unlocked. GPS or cellular location comparison may also be insufficient to prevent short distance relay attacks (such as breaking into a home's front door or stealing a car from the driveway, when the owner's phone or key fob is inside the house)."
There are a few countermeasures one can take to mitigate this attack. "One mechanism is to check the location of the authenticating device to ensure that it is, in fact, physically close to the locked car or other device," reports Ars.

"Another countermeasure is to require the user to provide some form of input to the authenticating device before it's trusted." The phone's accelerometer could also be used to measure its movements.
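The relay problem and the secure-ranging countermeasure Khan describes can be shown in a small simulation. The following is an added example written for this summary, not NCC Group's tooling or any vendor's code: a lock issues a nonce, the phone answers with an HMAC, and a relay forwards both unchanged. The bytes are identical whether the phone is next to the car or kilometres away, so a lock that trusts a correct answer alone unlocks either way; only a bound derived from round-trip time tells the two apart. The 2 m unlock radius, the distances and the relay's 50 microsecond forwarding latency are constructed figures.

```python
"""Toy model of BLE-style proximity unlock and a relay against it. Added
example: a simulation, not NCC Group's tooling or any vendor's code. The
distances, the relay's added latency and the 2 m unlock radius are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

LIGHT_M_PER_NS = 0.3  # a radio signal covers about 30 cm per nanosecond


@dataclass
class Phone:
    key: bytes
    distance_m: float  # true distance from the lock

    def respond(self, nonce: bytes) -> bytes:
        # The answer is correct wherever the phone is: it proves possession
        # of the key, not proximity. A "tap to approve" countermeasure would
        # gate this method on user input.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


@dataclass
class Lock:
    key: bytes
    max_distance_m: float = 2.0

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def round_trip_ns(distance_m: float, relay_delay_ns: float = 0.0) -> float:
    """Challenge out plus response back; a relay adds forwarding latency
    on top of the longer physical path."""
    return 2 * distance_m / LIGHT_M_PER_NS + relay_delay_ns


def exchange(lock: Lock, phone: Phone, relay_delay_ns: float = 0.0):
    """One unlock attempt. Through a relay the bytes are identical; only
    the timing differs."""
    nonce = lock.challenge()
    return nonce, phone.respond(nonce), round_trip_ns(phone.distance_m, relay_delay_ns)


def crypto_only_policy(lock, nonce, response, rtt_ns) -> bool:
    """'Authenticate solely on proximity': a valid answer is taken to mean
    the phone is within radio range."""
    return lock.verify(nonce, response)


def distance_bound_policy(lock, nonce, response, rtt_ns) -> bool:
    """Secure ranging: an upper bound on distance from round-trip time.
    Needs nanosecond timestamps at both ends, which plain BLE does not give."""
    est_m = rtt_ns * LIGHT_M_PER_NS / 2
    return lock.verify(nonce, response) and est_m <= lock.max_distance_m


def demo() -> dict:
    key = secrets.token_bytes(32)
    lock = Lock(key)
    owner_nearby = Phone(key, distance_m=1.0)
    owner_far = Phone(key, distance_m=3000.0)  # phone at the office, car at home
    out = {}
    for label, phone, delay in (("owner_nearby", owner_nearby, 0.0),
                                ("relay_far", owner_far, 50_000.0)):
        nonce, resp, rtt = exchange(lock, phone, delay)
        out[label] = {"crypto_only": crypto_only_policy(lock, nonce, resp, rtt),
                      "distance_bound": distance_bound_policy(lock, nonce, resp, rtt)}
    return out


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(label, verdict)
```

The relay scenario passes the cryptographic check and fails only the timing bound, which is the point of Khan's remark that BLE was never designed for proximity authentication: the protocol gives the lock no trustworthy measure of distance, and the model's nanosecond timestamps are an assumption the standard does not deliver.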

The advisories published by NCC Group can be found here, here, and here.
Bug

Google Docs Crashes On Seeing 'And. And. And. And. And.' (bleepingcomputer.com) 63

A bug in Google Docs is causing it to crash when a series of words are typed into a document opened with the online word processor. BleepingComputer reports: It's official -- Google Docs crashes at the sight of "And. And. And. And. And." when the "Show grammar suggestion" is turned on. A Google Docs user, Pat Needham brought up the issue on Google Docs Editors Help forum. [...] Another user, Sergii Dymchenko, said strings like "But. But. But. But. But." triggered the same response. Some also noticed putting any of the terms like "Also, Therefore, And, Anyway, But, Who, Why, Besides, However," in the same format achieved the outcome.

Once crashed, you may not be able to easily re-access the document as doing so would trigger the crash again. BleepingComputer was able to reproduce the issue last night and reached out to Google. Google told us it is aware of the bug and working on a fix. [...] Until Google has an answer as to what causes this problem, it might be wise to turn off grammar suggestions by navigating to Tools, Spelling and grammar and unticking 'Show grammar suggestions.' If the bug has already been triggered and you're locked out of the Google Doc in question, there might be a workaround. Use the Google Docs mobile app to access the document, remove the offending words and the file should now open up gracefully on your Google Docs web version too.

Iphone

Apple Music Is Installing Itself To the Dock, Booting Out Other Apps (techcrunch.com) 50

According to some iPhone users, the Apple Music iOS app is installing itself directly to the iPhone's dock when downloaded, instead of to the phone's home screen. "It's also kicking out other apps users had set up in their dock and taking their spot, which is not something apps would normally do," adds TechCrunch. From the report: Some iPhone owners also found the bug was causing Apple Music to establish itself as the default music service for Siri requests, even if another service had previously been configured for this, like Spotify. It's unclear how widespread the bug is at this time, as we've tested it internally with mixed results. However, we've seen the dock issue taking place across different versions of iOS 15, old and new, so it does not appear to be related to a recent iOS update. It's also been seen impacting different iPhone models. [...] Apple was not able to provide further details about the bug, but said it's looking into it. You can view the "odd behavior" in a video posted on Twitter by iOS developer Kevin Archer.
Chrome

Chrome's Latest Update: 30 Security Fixes and Bug Details Kept 'Restricted' (hothardware.com) 28

Hot Hardware warns that on Tuesday, the Stable Channel for Chrome's desktop edition "had an update on April 26, 2022. That update includes 30 security fixes, some of them so bad that Google is urging all users to update immediately." The release notes for Google's Chrome v101.0.4951.41 for Windows, Mac, and Linux have a long list of bug fixes; you can view it here. However, there's also a key statement in that page.

"Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed...."

Effectively, the non-developer translation of the quote above is that something so significant was found that the details are being kept hidden.

Microsoft

After Microsoft Releases Patch for RPC Exploit: What the Honeypot Saw (sans.edu) 9

Long-time Slashdot reader UnderAttack writes: After Microsoft patched and went public with CVE-2022-26809, the recent Remote Procedure Call vulnerability, the SANS Internet Storm Center set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. But so far, while it has seen thousands of attacks against SMB a day, nothing yet for the new RPC vulnerability....

But still, attackers are heavily hitting other vulnerabilities like, of course, ETERNALBLUE.

From the article: Should you stop rushing out the April patch? Absolutely not. I hope you are already done applying the patch. But the April Windows patch had several additional gems, not just patches for RPC. Chatter about CVE-2022-26809 has died down, but as they say: Sometimes the quiet ones are the dangerous ones, and people able to exploit this vulnerability may not broadcast what they are doing on social media.
The article is credited to Johannes B. Ullrich, Ph.D., Dean of Research at the security site SANS.edu.

Interestingly, Ullrich's byline is hyperlinked to a Google+ profile which has been unavailable for nearly three years.
Windows

Microsoft Fixes Point of Sale Bug That Delayed Windows 11 Startup For 40 Minutes (theregister.com) 46

"The Register reports Microsoft fixed a Point of Sale bug that delayed Windows 11 startup for 40 minutes," writes Slashdot reader ellithligraw. "So much for the express lane at check-out." From the report: A fresh Windows 11 patch slipped out overnight as an optional update, but contains an impressively long list of fixes for Microsoft's flagship operating system. One bug addressed in KB5012643 could leave Point of Sale terminals hanging for up to 40 minutes during startup. Microsoft stated, "We fixed an issue that delays OS startup by approximately 40 minutes." "Microsoft described the fixes as 'improvements' [and chose to highlight the fact that temperature would now be displayed on top of the weather icon on the taskbar]," added Slashdot reader ellithligraw. "[Y]eah, Windows 11 is great as a PoS."
Security

Former NSA Computer Scientist: Patching Vulnerabilities Gives False Sense of Security (itwire.com) 112

A former NSA computer scientist is disgusted with the current state of security practices, writes ITWire. Slashdot reader samuel_the_fool shares their report: Patching of vulnerabilities is the security industry's equivalent of thoughts and prayers, a prominent American security expert has said during a debate on the topic "Patching is useless" at a recent online conference named Hack At The Harbor. Dave Aitel, 46, a former NSA computer scientist who ran his own security shop, Immunity, for many years, said the remedies proposed by security vendors and big technology companies had served to lull people into a false sense of security all these years and ensure that all the old problems still remained.... Aitel pointed out that if there were vulnerable devices on a network, then they should be removed and substituted with others, rather than being continuously patched....

Aitel was no less severe on Linux, noting that the biggest contributor to the kernel was the Chinese telecommunications vendor Huawei Technologies, which he claimed had been indicted by the US, and asking how one could rest content if so many patches were coming from a company of this kind.

On the positive side, he had praise for ChromeOS, an operating system that is produced by Google, and recommended the use of Chromebooks rather than Windows machines.

Aitel called for vulnerability management, advocating the government as the best entity to handle this. His argument was that no other entity had sufficient power to push back against the lobby of the big software vendors and the security industry.

Google

A Bug in Google Messages Might Be Draining Your Battery (theverge.com) 24

An anonymous reader shares a report: According to 9to5Google, a recent bug in Google's Messages app on Android phones left the camera running in the background -- a great way to both heat up your phone and run down your battery. The Google Messages app allows you to easily take a photo directly from the app and attach it to a chat message. According to the article in 9to5Google, the camera app would occasionally keep running, even when you did not have it on screen.
Chrome

Google Issues Third Emergency Fix for Chrome This Year (theregister.com) 24

Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw that is already being exploited in the wild. From a report: The emergency updates the company issued this week impact the almost 3 billion users of its Chrome browser as well as those using other Chromium-based browsers, such as Microsoft Edge, Brave and Vivaldi. It is the third such emergency update Google has had to issue for Chrome this year. One of the flaws is a type confusion vulnerability tracked as CVE-2022-1364, a high-severity, zero-day bug that is actively being used by attackers. With a type confusion flaw, a program will allocate a resource like a pointer or object using one type but later will access the resource using another, incompatible type. In some languages, like C and C++, the vulnerability can result in out-of-bounds memory access. This incompatibility can cause a browser to crash or trigger logical errors. However, if exploited, it could enable a hacker to execute arbitrary code.
Security

Git For Windows Issues Update To Fix Running-Someone-Else's-Code Vulnerability (theregister.com) 12

The Git team has issued an update to fix a bug in Git for Windows that "affects multi-user hardware where untrusted parties have write access to the same hard disk," reports The Register. Specifically, the update is concerned with CVE-2022-24765. From the report: Arguably, if an "untrusted party" has write access to a hard disk, then all bets are off when it comes to the nooks and crannies of a PC anyway. In this case, the miscreants would only need to create the folder c:\.git, "which would be picked up by Git operations run supposedly outside a repository while searching for a Git directory," according to NIST. The result is that Git would use the config in the directory.

NIST went on to list potentially vulnerable products, which included Visual Studio. "Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash." The Git team was a little blunter about the vulnerability, and warned that "Merely having a Git-aware prompt that runs 'git status' (or 'git diff') and navigating to a directory which is supposedly not a Git worktree, or opening such a directory in an editor or IDE such as VS Code or Atom, will potentially run commands defined by that other user." [...] To deal with the issue, the Git team recommends an update. Alternatively, a user could create that .git folder themselves and remove read/write access as workaround or "define or extend 'GIT_CEILING_DIRECTORIES' to cover the parent directory of the user profile," according to NIST.
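The mechanics are easy to see once the discovery walk is spelled out: Git climbs from the working directory towards the root looking for a .git entry, so a .git planted at the drive root by another user is found from any directory that has no repository of its own. The script below is an added example written for this summary, not Git's code. It emulates that walk and the two defences: a GIT_CEILING_DIRECTORIES-style stop list (the workaround quoted above) and a check that the directory holding .git belongs to the current user, which is the approach the released fix took with the safe.directory setting. The layout and the owner ids (1000 for "alice", 1001 for the other user) are constructed in a temporary directory; the ownership lookup is injected so the example runs on any platform.

```python
"""Emulation of how Git finds a repository by walking up from the working
directory, with two defences: a GIT_CEILING_DIRECTORIES-style stop list and an
ownership check. Added example; this is not Git's code, and the layout and
owner ids below are constructed in a temporary directory."""
import tempfile
from pathlib import Path
from typing import Callable, Dict, Iterable, Optional


def discover_git_dir(start: Path,
                     ceilings: Iterable[Path] = (),
                     owner_of: Optional[Callable[[Path], int]] = None,
                     me: Optional[int] = None) -> Optional[Path]:
    """Return the .git found by walking upwards from start, or None.
    ceilings: directories the walk must not climb into (they are never inspected).
    owner_of/me: if given, a .git in a directory owned by someone else is refused,
    because its config and hooks would be under that other user's control."""
    stop = {Path(c).resolve() for c in ceilings}
    cur = Path(start).resolve()
    while True:
        candidate = cur / ".git"
        if candidate.exists():
            if owner_of is not None and owner_of(cur) != me:
                return None
            return candidate
        parent = cur.parent
        if parent == cur or parent in stop:
            return None
        cur = parent


def demo() -> Dict[str, Optional[str]]:
    """Constructed layout:  <tmp>/.git            planted by uid 1001 (like c:\\.git)
                            <tmp>/Users/alice/project   alice (uid 1000), not a repo
                            <tmp>/Users/alice/mine/.git alice's own repository"""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        (root / ".git").mkdir()
        project = root / "Users" / "alice" / "project"
        project.mkdir(parents=True)
        mine = root / "Users" / "alice" / "mine"
        (mine / ".git").mkdir(parents=True)

        owners = {root: 1001}  # everything else belongs to alice

        def owner_of(p: Path) -> int:
            return owners.get(p.resolve(), 1000)

        def rel(p: Optional[Path]) -> Optional[str]:
            return None if p is None else p.relative_to(root).as_posix()

        return {
            "no_mitigation": rel(discover_git_dir(project)),
            "ceiling": rel(discover_git_dir(project, ceilings=[root / "Users"])),
            "owner_check": rel(discover_git_dir(project, owner_of=owner_of, me=1000)),
            "own_repo_ok": rel(discover_git_dir(mine, owner_of=owner_of, me=1000)),
        }


if __name__ == "__main__":
    for label, found in demo().items():
        print(f"{label:14s} -> {found}")
```

The ceiling only helps if it sits above every directory the user works in, which is why the advisory says to cover the parent of the user profile; the ownership check catches the planted directory wherever it is, at the cost of refusing shared repositories unless they are explicitly allowed.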

PlayStation (Games)

Some Videogames Suddenly 'Expiring' on Classic PS3, Vita Consoles (kotaku.com) 70

"Digital purchases are mysteriously expiring on classic PlayStation consoles," Kotaku reports, "rendering a random assortment of games unplayable."

The glitch is "affecting users' ability to play games they ostensibly own." Upon re-downloading the PSOne Classic version of Chrono Cross, for instance, Twitter user Christopher Foose was told the purchase expired on December 31, 1969, preventing him from playing the game on both PlayStation 3 and PlayStation Vita. GamesHub editor Edmond Tran described a similar issue. Trying to boot up Chrono Cross on PlayStation 3, Tran said, gave him the same expiration date and time, only adjusted for his location in Australia. Tran did mention, however, that he was able to download the PSOne Classic from his library and play just fine on Vita despite the game's apparent delisting from the handheld's store.

While at first this felt like an attempt at encouraging Chrono Cross fans to purchase the new Radical Dreamers remaster, Kotaku quickly found evidence of this same problem occurring with different games. Chrono Cross worked just fine for content creator Words, but not its spiritual predecessor Chrono Trigger, the license for which somehow lapsed 40 years before the game was added to the PSOne Classic library.

Steve J over on Twitter asked PlayStation directly why the expiration date for his copy of Final Fantasy VI was changed to 1969, but never received a response....

The only potential explanation I've seen for this issue thus far involves what's known as the "Unix epoch," or the arbitrary date early engineers designated as the beginning of the operating system's lifespan. Some bug or glitch on Sony's backend may be defaulting PlayStation game license expiration dates to the Unix epoch, essentially telling them they can't be played after midnight UTC on January 1, 1970.
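The epoch explanation fits the two reports above: a timestamp of zero is midnight UTC on January 1, 1970, which a console in the eastern United States shows as the evening of December 31, 1969 and one in Sydney as the morning of January 1, 1970. The script below is an added example written for this summary, not Sony's code: it renders a zero expiry in fixed-offset zones (no daylight-saving tables) and contrasts a naive "now past expiry" check, which treats the zero sentinel as a date in the past, with one that treats a missing or zero expiry as no expiry at all. The license records are constructed.

```python
"""Why a zero expiry timestamp displays as 31 December 1969 in the Americas and
1 January 1970 in Australia, and a license check that treats that sentinel as
'not set' rather than 'expired'. Added example, not Sony's code; the zone
offsets are fixed (no DST) and the timestamps are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

UNIX_EPOCH = 0
US_EASTERN = timezone(timedelta(hours=-5))   # EST, fixed offset
AUS_EASTERN = timezone(timedelta(hours=11))  # AEDT, fixed offset


def render_expiry(expiry_epoch: int, tz: timezone) -> str:
    """What a console set to the given zone would display for this timestamp."""
    return datetime.fromtimestamp(expiry_epoch, tz).strftime("%Y-%m-%d %H:%M")


def is_playable_naive(expiry_epoch: int, now_epoch: int) -> bool:
    """A backend that emits 0 for 'no expiry' makes every such license look
    like it lapsed before the console existed."""
    return now_epoch < expiry_epoch


def is_playable(expiry_epoch: Optional[int], now_epoch: int) -> bool:
    """Distinguish 'no end date recorded' from a real date in the past.
    Zero is treated as the same absence, badly serialized."""
    if expiry_epoch is None or expiry_epoch == UNIX_EPOCH:
        return True
    return now_epoch < expiry_epoch


if __name__ == "__main__":
    now = 1649289600  # constructed: 2022-04-07 00:00 UTC
    for name, tz in (("UTC", timezone.utc), ("US Eastern", US_EASTERN),
                     ("Australia Eastern", AUS_EASTERN)):
        print(f"{name:18s} expiry 0 shows as {render_expiry(0, tz)}")
    print("naive check:", is_playable_naive(0, now), " sentinel-aware:", is_playable(0, now))
```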

Security

Hackers Stole More Than $600 Million in Crypto. Laundering It Is the Tricky Part. (wsj.com) 60

Thieves netting massive sums in cybercrime have limited options for laundering the funds. From a report: Many eyes in the crypto world are on a 42-character address on the Ethereum blockchain, which has unclear ownership and is currently home to the equivalent of about $600 million. Hackers stole the funds from players of online game "Axie Infinity" in a March 23 heist uncovered last week. The criminals have moved millions of dollars of assets in recent days, according to blockchain-monitoring tools, but the majority of funds remain in place, leaving victims and outside observers awaiting next moves. Crypto's transparency has turned money laundering into a perverse spectator sport. Transaction records on public blockchains give authorities a bird's-eye view of stolen funds equivalent to tens or hundreds of millions of dollars, often pilfered by targeting poorly secured software bridges that transfer assets between blockchains. The openness leaves successful cyber thieves facing a key question: How do you launder a nine-figure score?

"When there's a hack like that, everyone is watching the wallets," said Kimberly Grauer, director of research at Chainalysis, a blockchain-analytics firm. "So you better damn well know what you're going to do." The fate of the money stolen from "Axie Infinity" users, one of the largest such thefts, has become a topic of speculation. On Etherscan, a monitoring platform where users can see transactions to and from the address in question, commenters claiming to be victims, broke college students or Ukrainian refugees have posted messages asking the hackers to spread their newfound wealth. [...] Last week, blockchain analysts and amateur digital sleuths watched as ether worth about $20 million moved to crypto exchanges based in the Bahamas and Seychelles. On Monday, an additional $12 million of assets flowed into a mixer, which blends different cryptocurrencies to help obscure their sources. Mixers can have their own security compromises and are dependent on having enough crypto on hand to exchange illicit deposits for cleaner funds, said Mitchell Amador, chief executive of Immunefi, a bug-bounty platform focused on decentralized systems.

AMD

AMD Confirms Its GPU Drivers Are Overclocking CPUs Without Asking (tomshardware.com) 73

AMD has confirmed to Tom's Hardware that a bug in its GPU driver is, in fact, changing Ryzen CPU settings in the BIOS without permission. This condition has been shown to auto-overclock Ryzen CPUs without the user's knowledge. From the report: Reports of this issue began cropping up on various social media outlets recently, with users reporting that their CPUs had mysteriously been overclocked without their consent. The issue was subsequently investigated and tracked back to AMD's GPU drivers. AMD originally added support for automatic CPU overclocking through its GPU drivers last year, with the idea that adding in a Ryzen Master module into the Radeon Adrenalin GPU drivers would simplify the overclocking experience. Users with a Ryzen CPU and Radeon GPU could use one interface to overclock both. Previously, it required both the GPU driver and AMD's Ryzen Master software.

Overclocking a Ryzen CPU requires the software to manipulate the BIOS settings, just as we see with other software overclocking utilities. For AMD, this can mean simply engaging the auto-overclocking Precision Boost Overdrive (PBO) feature. This feature does all the dirty work, like adjusting voltages and frequency on the fly, to give you a one-click automatic overclock. However, applying a GPU profile in the AMD driver can now inexplicably alter the BIOS settings to enable automatic overclocking. This is problematic because of the potential ill effects of overclocking -- in fact, overclocking a Ryzen CPU automatically voids the warranty. AMD's software typically requires you to click a warning to acknowledge that you understand the risks associated with overclocking, and that it voids your warranty, before it allows you to overclock the system. Unfortunately, that isn't happening here.
Until AMD issues a fix, "users have taken to using the Radeon Software Slimmer to delete the Ryzen Master SDK from the GPU driver, thus preventing any untoward changes to the BIOS settings," adds Tom's Hardware.
Facebook

A Facebook Bug Mistakenly Elevated Misinformation, Russian State Media for Months (theverge.com) 40

The Verge reports: A group of Facebook engineers identified a "massive ranking failure" that exposed as much as half of all News Feed views to potential "integrity risks" over the past six months, according to an internal report on the incident obtained by The Verge.

The engineers first noticed the issue last October, when a sudden surge of misinformation began flowing through the News Feed, notes the report, which was shared inside the company last week. Instead of suppressing posts from repeat misinformation offenders that were reviewed by the company's network of outside fact-checkers, the News Feed was instead giving the posts distribution, spiking views by as much as 30 percent globally. Unable to find the root cause, the engineers watched the surge subside a few weeks later and then flare up repeatedly until the ranking issue was fixed on March 11th.

In addition to posts flagged by fact-checkers, the internal investigation found that, during the bug period, Facebook's systems failed to properly demote probable nudity, violence, and even Russian state media the social network recently pledged to stop recommending in response to the country's invasion of Ukraine. The issue was internally designated a level-one SEV, or site event — a label reserved for high-priority technical crises, like Russia's ongoing block of Facebook and Instagram.

Security

Critical GitLab Vulnerability Lets Attackers Take Over Accounts (bleepingcomputer.com) 3

GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords. Bleeping Computer reports: The bug (discovered internally and tracked as CVE-2022-1162) affects both GitLab Community Edition (CE) and Enterprise Edition (EE). This flaw results from static passwords accidentally set during OmniAuth-based registration in GitLab CE/EE. GitLab urged users to immediately upgrade all GitLab installations to the latest versions (14.9.2, 14.8.5, or 14.7.7) to block potential attacks. GitLab also added that it reset the passwords of a limited number of GitLab.com users as part of the CVE-2022-1162 mitigation effort. It also found no evidence that any accounts have been compromised by attackers using this hardcoded password security flaw.
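The bug class is worth seeing side by side with its fix. The script below is an added example modelled on what the advisory describes, not GitLab's code: an account provisioned from an SSO (OmniAuth-style) login is given a password, and the vulnerable version hands every such account the same static string, so anyone who knows it can sign in through the ordinary password form. The hardened version gives each account a random secret nobody is told, and an audit routine checks an existing user store for accounts that still accept a suspected static value, which is the check an operator would want after upgrading. The in-memory store and the placeholder value are constructed.

```python
"""Provisioning an account from an SSO (OmniAuth-style) login: the static-
password mistake beside a hardened version, plus an audit that finds accounts
still accepting a known static string. Added example modelled on the bug
class, not GitLab's code; the store and the placeholder are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Iterable, List, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Minimal stand-in for a users table with salted password hashes."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def add(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = (salt, hash_password(password, salt))

    def check_login(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(hash_password(password, salt), digest)


PLACEHOLDER = "changeme-placeholder"  # a constant the developer meant to replace


def provision_vulnerable(store: UserStore, email: str) -> None:
    """Every SSO-created user ends up with the same password: anyone who knows
    it can log in as any of them without touching the identity provider."""
    store.add(email, PLACEHOLDER)


def provision_hardened(store: UserStore, email: str) -> None:
    """Per-user random secret that is never shown to anyone; the account is
    usable only through SSO unless the user later sets a password via a
    verified reset flow."""
    store.add(email, secrets.token_urlsafe(32))


def audit_static_passwords(store: UserStore, candidates: Iterable[str]) -> List[str]:
    """Post-advisory check: which accounts accept any suspected static value?
    Salted hashes hide shared passwords, so the audit has to try the values."""
    candidates = list(candidates)
    return sorted({email for email in store.users
                   for c in candidates if store.check_login(email, c)})


if __name__ == "__main__":
    vulnerable, hardened = UserStore(), UserStore()
    for email in ("a@example.test", "b@example.test"):
        provision_vulnerable(vulnerable, email)
        provision_hardened(hardened, email)
    print("vulnerable store:", audit_static_passwords(vulnerable, [PLACEHOLDER]))
    print("hardened store:  ", audit_static_passwords(hardened, [PLACEHOLDER]))
```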
