Security

Google Launches New Bug Hunters Vulnerability Rewards Platform (bleepingcomputer.com)

Google has announced a new platform and community designed to host all its Vulnerability Rewards Programs (VRP) under the same roof. From a report: Since launching its first VRP more than ten years ago, the company has rewarded 2,022 security researchers from 84 different countries worldwide for reporting over 11,000 bugs. [...] "To celebrate our anniversary and ensure the next 10 years are just as (or even more) successful and collaborative, we are excited to announce the launch of our new platform, bughunters.google.com," Google said.

"This new site brings all of our VRPs (Google, Android, Abuse, Chrome and Play) closer together and provides a single intake form that makes it easier for bug hunters to submit issues." The new VRP platform should provide researchers with per-country leaderboards, healthier competition via gamification, awards/badges for specific bugs, and more opportunities for interaction. Google also launched a new Bug Hunter University, which would allow bug hunters to brush up on their skills or start a hunting learning streak.

Bug

Everyone Cites That 'Bugs Are 100x More Expensive To Fix in Production' Research, But the Study Might Not Even Exist (theregister.com)

"Software research is a train wreck," says Hillel Wayne, a Chicago-based software consultant who specialises in formal methods, instancing the received wisdom that bugs are way more expensive to fix once software is deployed. Wayne did some research, noting that "if you Google 'cost of a software bug' you will get tons of articles that say 'bugs found in requirements are 100x cheaper than bugs found in implementations.' They all use this chart from the 'IBM Systems Sciences Institute'... There's one tiny problem with the IBM Systems Sciences Institute study: it doesn't exist." The Register: Laurent Bossavit, an Agile methodology expert and technical advisor at software consultancy CodeWorks in Paris, has dedicated some time to this matter, and has a post on GitHub called "Degrees of intellectual dishonesty". Bossavit referenced a successful 1987 book by Roger S Pressman called Software Engineering: a Practitioner's Approach, which states: "To illustrate the cost impact of early error detection, we consider a series of relative costs that are based on actual cost data collected for large software projects [IBM81]." The reference to [IBM81] notes that the information comes from "course notes" at the IBM Systems Sciences Institute. Bossavit discovered, though, that many other publications have referenced Pressman's book as the authoritative source for this research, disguising its tentative nature.

Bossavit took the time to investigate the existence of the IBM Systems Science Institute, concluding that it was "an internal training program for employees." No data was available to support the figures in the chart, which shows a neat 100x the cost of fixing a bug once software is in maintenance. "The original project data, if any exist, are not more recent than 1981, and probably older; and could be as old as 1967," said Bossavit, who also described "wanting to crawl into a hole when I encounter bullshit masquerading as empirical support for a claim, such as 'defects cost more to fix the later you fix them'."

Bug

MITRE Updates List of Top 25 Most Dangerous Software Bugs (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: MITRE has shared this year's top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years. MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs). "A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation," MITRE explained. "This approach provides an objective look at what vulnerabilities are currently seen in the real world, creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions, and makes the process easily repeatable."

MITRE's 2021 top 25 bugs are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years. They can also be abused by attackers to potentially take complete control of vulnerable systems, steal targets' sensitive data, or trigger a denial-of-service (DoS) following successful exploitation. The list [here] provides insight to the community at large into the most critical and current software security weaknesses.

Google

Google Pushed a One-Character Typo To Production, Bricking Chrome OS Devices (arstechnica.com)

Google says it has fixed a major Chrome OS bug that locked users out of their devices. Google's bulletin says that Chrome OS version 91.0.4472.165, which was briefly available this week, renders users unable to log in to their devices, essentially bricking them. From a report: Chrome OS automatically downloads updates and switches to the new version after a reboot, so users who reboot their devices are suddenly locked out of them. The go-to advice while this broken update is out there is to not reboot. The bulletin says that a new build, version 91.0.4472.167, is rolling out now to fix the issue, but it could take a "few days" to hit everyone. Users affected by the bad update can either wait for the device to update again or "powerwash" their device -- meaning wipe all the local data -- to get logged in. Chrome OS is primarily cloud-based, so if you're not doing something advanced like running Linux apps, this solution presents less of an inconvenience than it would on other operating systems. Still, some users are complaining about lost data.

Printer

16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines (threatpost.com)

An anonymous reader quotes a report from Threatpost: Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights. The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity.

According to researchers, the vulnerability exists in a function inside the driver that accepts data sent from User Mode via Input/Output Control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific input/output operations. "This function copies a string from the user input using 'strncpy' with a size parameter that is controlled by the user," according to SentinelOne's analysis, released on Tuesday. "Essentially, this allows attackers to overrun the buffer used by the driver." Thus, unprivileged users can elevate themselves into a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to anyone, according to the firm.

The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, since printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every startup. "Thus, in effect, this driver gets installed and loaded without even asking or notifying the user," explained the researchers. "Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected."
Affected models and associated patches can be found here and here.

"While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing," according to SentinelOne. "This is not considered best practice since the vulnerable driver can still be used in bring-your-own-vulnerable-driver (BYOVD) attacks." Some Windows machines may already have the vulnerable driver without even running a dedicated installation file, since it comes with Microsoft Windows via Windows Update.
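The copy pattern described above, as an added illustration that is not SentinelOne's or HP's code: a caller-controlled size handed straight to strncpy, beside a version that validates the size against the destination first. The buffer size, request struct, status codes and sample inputs are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a fixed driver-side buffer and status codes.
 * The real driver's buffer sizes and names are not given in the report. */
#define DRV_BUF_SIZE 64
#define DRV_OK      0
#define DRV_EINVAL -1

/* Shape of an IOCTL payload as the report describes it: user mode supplies a
 * string and a size, and the driver copies the string into its own buffer. */
struct ioctl_request {
    const char *data;
    size_t size;            /* controlled by the caller */
};

/* The reported pattern: strncpy with a caller-controlled size and no check
 * against the destination. With size > DRV_BUF_SIZE the copy runs past dst,
 * and with size shorter than the string it leaves dst unterminated.
 * Kept only for contrast; it is never called in this example. */
int vulnerable_copy(char *dst, const struct ioctl_request *req)
{
    strncpy(dst, req->data, req->size);
    return DRV_OK;
}

/* Length of an untrusted string without reading past 'limit' bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form: reject sizes the destination cannot hold (plus terminator),
 * bound the read of the source to the advertised size, always NUL-terminate. */
int hardened_copy(char *dst, const struct ioctl_request *req)
{
    if (dst == NULL || req == NULL || req->data == NULL)
        return DRV_EINVAL;
    if (req->size >= DRV_BUF_SIZE)   /* no room for the data plus a terminator */
        return DRV_EINVAL;
    size_t n = bounded_len(req->data, req->size);
    memcpy(dst, req->data, n);
    dst[n] = '\0';
    return DRV_OK;
}

int main(void)
{
    char buf[DRV_BUF_SIZE];
    struct ioctl_request ok  = { "printer-01", 10 };   /* constructed input */
    struct ioctl_request big = { "A", 4096 };          /* oversized length  */

    printf("ok request:  %d (%s)\n", hardened_copy(buf, &ok), buf);
    printf("big request: %d\n", hardened_copy(buf, &big));
    return 0;
}
```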

Bug

Nasty Linux Systemd Security Bug Revealed (zdnet.com)

Qualys has discovered a new systemd security bug that enables any unprivileged user to cause a denial of service via a kernel panic. Slashdot reader inode_buddha shares the news via ZDNet's Steven J. Vaughan-Nichols: As Bharat Jogi, Qualys's senior manager of Vulnerabilities and Signatures, wrote, "Given the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately." You can say that again. Systemd is used in almost all modern Linux distributions. This particular security hole arrived in the systemd code in April 2015.

It works by enabling attackers to misuse the alloca() function in a way that would result in memory corruption. This, in turn, allows a hacker to crash systemd and hence the entire operating system. Practically speaking, this can be done by a local attacker mounting a filesystem on a very long path. This causes too much memory space to be used in the systemd stack, which results in a system crash. That's the bad news. The good news is that Red Hat Product Security and systemd's developers have immediately patched the hole.

China

Will a New Law Help the Chinese Government Stockpile Zero-Days? (securityweek.com)

"Starting September 1, 2021, the Chinese government will require that any Chinese citizen who finds a zero-day vulnerability must pass the details to the Chinese government," reports SecurityWeek, "and must not sell or give the knowledge to any third-party outside of China (apart from the vulnerable product's manufacturer)." Brief details are provided in a report by the Associated Press (AP) published Tuesday, July 13, 2021. No source is provided beyond the statement, "No one may 'collect, sell or publish information on network product security vulnerabilities,' say the rules issued by the Cyberspace Administration of China and the police and industry ministries...."

AP describes this action as "further tightening the Communist Party's control over information". This is unlikely to be the primary motivation for the new rule since the government already has a vice-like grip on data. Companies may not store data on Chinese customers outside of China. Foreign companies selling routers and some other network devices in China must disclose to regulators how any encryption features work.

"I would expect the Chinese Government to weaponize any discovered security vulnerabilities to enhance China's cybersecurity capabilities," Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, tells SecurityWeek. And Jake Williams, co-founder and CTO at BreachQuest adds that "the defensive advantages of Chinese government organizations being able to mitigate vulnerabilities discovered may well outweigh any offensive gains...."

But he also believes this could rebound against China. "One of the biggest likely issues is brain drain. If Chinese researchers can profit handsomely from their work anywhere else, but can't do so in China, why would they stay? This probably helps China in the short term but harms them in the long term."

The new law does encourage network operators and product vendors to set up a reward mechanism for reported vulnerabilities, according to the Record. But Katie Moussouris, founder and CEO of Luta Security, also raises the issue of western-based bug bounty platforms that have been working with Chinese security researchers for the past years. "If Western-based bug bounty platforms comply with this requirement in order to continue to legally receive bug reports from Chinese researchers, we must assume they will be required to hand over vulnerability data to the Ministry within two days of receiving the reports," Moussouris said. "That requirement will effectively introduce a backdoor straight to the Chinese government in any VDP [vulnerability disclosure program] or bug bounty program where Chinese researchers submit bugs via platforms, even to non-Chinese companies."

Bug

Facebook Announces Time Bonus Payouts For Bug Hunters (nbcnews.com)

Facebook is adding a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it's found and reported by bug hunters. ZDNet reports: Essentially, Facebook is acknowledging that it's sometimes slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community. The Payout Time Bonus will reward reports that are paid more than 30 days from the time Facebook receives all the necessary information for a successful reproduction of the report and its impact, Facebook said. The bonuses will be paid on a sliding scale, with payouts made between 30-59 days receiving a 5% bonus; payouts made between 60-89 days receiving a 7.5% bonus; and payouts made after 90 days or more receiving a 10% bonus. Reports that require clarification from the researcher will have the payments adjusted accordingly.

IOS

Apple's Weather App Won't Say It's 69 Degrees (theverge.com)

An anonymous reader shares a report: If you're an iPhone user, the weather is always a particularly nice 70 degrees. Or 68 degrees. Any temperature but 69 degrees, actually, because it turns out that the built-in weather app on some versions of iOS -- including the current version, iOS 14.6 -- will refuse to display the internet's favorite number, even if the actual temperature in a given location is, in fact, 69 degrees. It's not clear if this is a bug or an intentional attempt from Apple to cut down on 69-related humor. The rounding is only visible in the weather app itself: clicking through to Apple's source data from Weather.com will show the proper temperature, as does Apple's home screen widgets.

Microsoft

Microsoft Awarded $13.6 Million To Security Researchers in the Past 12 Months (therecord.media)

Microsoft awarded $13.6 million to security researchers in the past 12 months. From a report: Microsoft said it awarded more than $13.6 million as monetary rewards to security researchers through its public bug bounty programs over the past 12 months. According to Microsoft:

The funds were awarded for 1,261 bugs reported by 341 security researchers across 17 bug bounty platforms between July 1, 2020 and June 30, 2021.
The highest awarded bounty was $200,000 for a vulnerability reported in Hyper-V, Microsoft's OS virtualization technology.
The average bounty was more than $10,000 per valid bug report across all programs.
Most bug reports came from researchers residing in China, the US, and Israel.

The company said it plans to announce the 2021 Most Valuable Security Researcher next month.
The sum awarded this year is identical to what Microsoft reported one year ago when the company said it awarded $13.7 million to 327 security researchers for 1,226 vulnerability reports across 15 bug bounty programs in the previous 12 months (July 1, 2019 to June 30, 2020).

Windows

Microsoft's Blue Screen of Death Is Changing To Black In Windows 11 (theverge.com)

Microsoft is changing its famous Blue Screen of Death (BSOD) to black in Windows 11. The Verge reports: The software giant started testing its new design changes in a Windows 11 preview earlier this week, but the Black Screen of Death isn't fully enabled yet. The Verge understands Microsoft will be switching to a Black Screen of Death for Windows 11, matching the new black logon and shutdown screens. It's the first major change to the BSOD since Microsoft added a sad face to the screen in Windows 8 in 2012, and QR codes in 2016. Microsoft first introduced the BSOD in Windows 3.0, offering a way for IT professionals and support personnel to diagnose hardware and memory faults. A BSOD is Windows' own kernel error or bug check, and it usually includes a dump of data that can help system administrators analyze what system fault caused the blue screen. While Microsoft is switching to a Black Screen of Death in Windows 11, the screen is identical to the one found in Windows 10 otherwise. The sad face remains, as does the stop code and crash dump. The current preview of Windows 11 includes a green BSOD, a color that Microsoft has been using for Windows Insider builds since 2016.

Data Storage

Another Exploit Hits WD My Book Live Owners (tomshardware.com)

While it will come as no comfort to those who had their Western Digital My Book Live NAS drives wiped last week, it seems they were attacked by a combination of two exploits, and possibly caught in the fallout of a rivalry between two different teams of hackers. Tom's Hardware reports: Initially, after the news broke on Friday, it was thought a known exploit from 2018 was to blame, allowing attackers to gain root access to the devices. However, it now seems that a previously unknown exploit was also triggered, allowing hackers to remotely perform a factory reset without a password and to install a malicious binary file. A statement from Western Digital, updated today, reads: "My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device ... The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability [has] been assigned CVE-2021-35941."

Analysis of WD's firmware suggests code meant to prevent the issue had been commented out, preventing it from running, by WD itself, and an authentication type was not added to component_config.php which results in the drives not asking for authentication before performing the factory reset. The question then arises of why one hacker would use two different exploits, particularly an undocumented authentication bypass when they already had root access through the command injection vulnerability, with venerable tech site Ars Technica speculating that more than one group could be at work here, with one bunch of bad guys trying to take over, or sabotage, another's botnet.
Western Digital advises users to disconnect their device(s) from the internet. They are offering data recovery services beginning in July, and a trade-in program to switch the obsolete My Book Live drives for more modern My Cloud devices.

Bug

Dell SupportAssist Bugs Put Over 30 Million PCs At Risk (bleepingcomputer.com)

AmiMoJo writes: Security researchers have found four major security vulnerabilities in the BIOSConnect feature of Dell SupportAssist, allowing attackers to remotely execute code within the BIOS of impacted devices. According to Dell's website, the SupportAssist software is 'preinstalled on most Dell devices running Windows operating system,' while BIOSConnect provides remote firmware update and OS recovery features. The chain of flaws discovered by Eclypsium researchers comes with a CVSS base score of 8.3/10 and enables privileged remote attackers to impersonate Dell.com and take control of the target device's boot process to break OS-level security controls. "Such an attack would enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls," Eclypsium researchers explain in a report shared in advance with BleepingComputer. "The issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs," with roughly 30 million individual devices exposed to attacks.

Bug

Peloton Patches Vulnerability In Camera That Allowed Spying on Riders (cnn.com)

McAfee has discovered a vulnerability "that allows hackers to access Peloton's bike screen," reports CNN, "and potentially spy on riders using its microphone and camera."

"However, the threat most likely affects only the $2,495 bike used in public spaces, such as in hotels or gyms, because the hacker needs to physically access the screen using a USB drive containing malicious code." According to McAfee's Advanced Threat Research team, a hacker can discreetly control the stationary bike's screen remotely and interfere with its operating system. That means hackers could, for example, install apps that look like Netflix or Spotify and steal the users' log-in information. Perhaps more alarmingly, the cybersecurity team was able to spy on users via the camera and microphone, which is normally used for video chats with other users.

"As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched," the report said. It also warned the hacker could configure this spyware at any point, including during the supply chain or delivery process, without the owner knowing... Peloton released a mandatory software update that fixes the issue to users earlier this month.

The security risk doesn't affect the lower-priced Peloton Bike because it uses a different type of touchscreen....

This report marks the second security concern for Peloton in two months. In May, the fitness firm released a security update that sealed a leak that was revealing personal account information, such as a user's age, city and weight.

The Internet

Major Australian Banks, US Airlines Briefly Hit By Widespread Internet Outages (reuters.com)

Websites of dozens of financial institutions and airlines in Australia and the United States were briefly down on Thursday, in the second major blackout in just over a week caused by a glitch in an important piece of internet infrastructure. From a report: Server-related glitches at content delivery network provider Akamai had hampered services at Australian banks, while many U.S. airlines, including American Airlines and Southwest Airlines, also reported an hour-long outage. The disruption linked to technical issues at Akamai follows an outage at rival Fastly that affected a number of popular websites last week. The impacted platform is now up and running, an Akamai spokesperson said, adding that the company was "continuing to validate services." The outage was caused by a bug in Akamai's software that has since been fixed, and was not caused by a cyber-attack or vulnerability, the spokesperson added.

Bug

Patch Released for 7-Year-Old Privilege Escalation Bug In Linux Service Polkit (github.blog)

Long-time Slashdot reader wildstoo writes: In a blog post on Thursday, GitHub security researcher Kevin Backhouse announced that Polkit, a Linux system service included in several modern Linux distros that provides an organized way for non-privileged processes to communicate with privileged ones, has been harbouring a major security bug for seven years.

The bug, assigned CVE-2021-3560, allows a non-privileged user to gain administrative shell access with a handful of standard command line tools. The bug was fixed on June 3, 2021 in a coordinated disclosure.

"It's used by systemd," GitHub's blog post points out, "so any Linux distribution that uses systemd also uses polkit..."

"It's very simple and quick to exploit, so it's important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04."

The Internet

One Fastly Customer Triggered Internet Meltdown (bbc.com)

Thelasko writes: The company operates servers at strategic points around the world to help customers move and store content close to their end users. But a customer quite legitimately changing their settings had exposed a bug in a software update issued to customers in mid-May, causing '85% of our network to return errors', it said in a blogpost.

GNU is Not Unix

GCC Will No Longer Require Copyrights Be Assigned to the FSF (devclass.com)

Version 9.4 of the GNU Compiler Collection "encompasses more than 190 bug fixes for GCC 9.3, which has been available since March 2020," reports DevClass.

But they add that in addition, "Developers who want to contribute to the GNU Compiler Collection but don't feel like signing over copyright to the Free Software Foundation can get busy committing now." GCC Steering Committee member David Edelsohn informed contributors via the mailing list that the committee "decided to relax the requirement to assign copyright for all changes" to the FSF. Speaking for the committee, he wrote that the GCC project "will now accept contributions with or without an FSF copyright assignment", a practice thought of as consistent with that "of many other major Free Software projects, such as the Linux kernel". GCC "will continue to be developed, distributed and licensed" under the GPLv3, so nothing should change for those adding to the project under the old assumptions.

There are those who have had troubles with that arrangement before, with Apple often cited as a popular example. They are now free to contribute utilising the Developer Certificate of Origin instead of agreeing to an FSF Copyright Assignment.

A reason was not given, though the last sentence of the statement, which affirms the principles of Free Software, might give a clue. In March 2021, the committee commented on the removal of Richard Stallman from the project's steering committee website with a similar declaration... [T]hey felt like an association with Stallman was not serving the best interests of the GCC developers and user community, given that the "GCC Steering Committee is committed to providing a friendly, safe and welcoming environment for all."

The Register notes that Red Hat senior principal engineer Mark Wielaard asked why there was no public discussion before making the change.

Social Networks

Twitter and Facebook Admit They Wrongly Blocked Millions of Posts About Gaza Strip Airstrikes (msn.com)

"Just days after violent conflict erupted in Israel and the Palestinian territories, both Facebook and Twitter copped to major faux pas: The companies had wrongly blocked or restricted millions of mostly pro-Palestinian posts and accounts related to the crisis," reports the Washington Post: Activists around the world charged the companies with failing a critical test: whether their services would enable the world to watch an important global event unfold unfettered through the eyes of those affected. The companies blamed the errors on glitches in artificial intelligence software.

In Twitter's case, the company said its service mistakenly identified the rapid-firing tweeting during the confrontations as spam, resulting in hundreds of accounts being temporarily locked and the tweets not showing up when searched for. Facebook-owned Instagram gave several explanations for its problems, including a software bug that temporarily blocked video-sharing and saying its hate speech detection software misidentified a key hashtag as associated with a terrorist group.

The companies said the problems were quickly resolved and the accounts restored. But some activists say many posts are still being censored. Experts in free speech and technology said that's because the issues are connected to a broader problem: overzealous software algorithms that are designed to protect but end up wrongly penalizing marginalized groups that rely on social media to build support... Despite years of investment, many of the automated systems built by social media companies to stop spam, disinformation and terrorism are still not sophisticated enough to detect the difference between desirable forms of expression and harmful ones. They often overcorrect, as in the most recent errors during the Israeli-Palestinian conflict, or they under-enforce, allowing harmful misinformation and violent and hateful language to proliferate...

Jillian York, a director at the Electronic Frontier Foundation, an advocacy group that opposes government surveillance, has researched tech company practices in the Middle East. She said she doesn't believe that content moderation — human or algorithmic — can work at scale... Palestinian activists and experts who study social movements say it was another watershed historical moment in which social media helped alter the course of events...

Payment app Venmo also mistakenly suspended transactions of humanitarian aid to Palestinians during the war. The company said it was trying to comply with U.S. sanctions and had resolved the issues.

Science

A Fungus Is Pushing Cicada Sex Into Hyperdrive And Leaving Them Dismembered (npr.org)

After 17 years underground, the Brood X periodical cicadas are slowly emerging in 15 states across the East Coast and Midwest. From a report: They'll shed their skins and spend four to six weeks mating before the females lay eggs and they all die. But some of them are getting wilder in their short lives above ground. A fungus called Massospora, which can produce compounds of cathinone -- an amphetamine -- infects a small number of them and makes them lose control. The fungus takes over their bodies, causing them to lose their lower abdomen and genitals. And it pushes their mating into hyperdrive.

"This is stranger than fiction," Matt Kasson, an associate professor of forest pathology and mycology at West Virginia University, tells NPR's All Things Considered. "To have something that's being manipulated by a fungus, to be hypersexual and to have prolonged stamina and just mate like crazy." Kasson, who has been studying Massospora for about five years, says just before the cicadas rise from the ground, the spores of the fungus start to infect the bug. Once it's above ground and starts to shed its skin to become an adult, its butt falls off. Then a "white plug of fungus" starts to grow in its place.
