Data Storage

Windows 10 Bug Corrupts Your Hard Drive On Seeing This File's Icon (bleepingcomputer.com)

An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command. Bleeping Computer reports: In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed. When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records. The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version. What's worse, the vulnerability can be triggered by standard and low-privileged user accounts on Windows 10 systems. [...] It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn't work.

One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to C:\:$i30:$bitmap would trigger the vulnerability even if the user never opened the file! As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file's icon. To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process. Next, "restart to repair hard drive" notifications start popping up on the Windows PC -- all this without the user even having opened or double-clicked on the shortcut file.

Security

Amazon's Ring Neighbors App Exposed Users' Precise Locations and Home Addresses (techcrunch.com)

A security flaw in Ring's Neighbors app was exposing the precise locations and home addresses of users who had posted to the app. From a report: Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, launched Neighbors in 2018 as a breakaway feature in its own standalone app. Neighbors is one of several neighborhood watch apps, like Nextdoor and Citizen, that lets users anonymously alert nearby residents to crime and public-safety issues. While users' posts are public, the app doesn't display names or precise locations -- though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes. But the exposed data wasn't visible to anyone using the app. Rather, the bug was retrieving hidden data, including the user's latitude and longitude and their home address, from Ring's servers. Another problem was that every post was tied to a unique number generated by the server that incremented by one each time a user created a new post. Although the number was hidden from view to the app user, the sequential post number made it easy to enumerate the location data from previous posts -- even from users who aren't geographically nearby.

Mozilla

Firefox To Block Backspace Key From Working as 'Back' Button (zdnet.com)

Mozilla developers plan to remove support for using the Backspace key as a Back button inside Firefox. From a report: The change is currently active in the Firefox Nightly version and is expected to go live in Firefox 86, scheduled to be released next month, in late February 2021. The removal of the Backspace key as a navigational element didn't come out of the blue. It was first proposed back in July 2014, in a bug report opened on Mozilla's bug tracker. At the time, Mozilla engineers argued that many users who press the Backspace key don't always mean to navigate to the previous page (the equivalent of pressing the Back button).

Bug

NVIDIA Fixes High Severity Flaws Affecting Windows, Linux Devices (bleepingcomputer.com)

Bleeping Computer reports: NVIDIA has released security updates to address six security vulnerabilities found in Windows and Linux GPU display drivers, as well as ten additional flaws affecting the NVIDIA Virtual GPU (vGPU) management software. The vulnerabilities expose Windows and Linux machines to attacks leading to denial of service, escalation of privileges, data tampering, or information disclosure.

All these security bugs require local user access, which means that potential attackers will first have to gain access to vulnerable devices using an additional attack vector. Following successful exploitation of one of the vulnerabilities patched today, attackers can easily escalate privileges to gain permissions above the default ones granted by the OS.

Google

Google's iOS Apps Haven't Been Updated in Weeks. Could Apple's Privacy Labels Be the Reason? (fastcompany.com)

Not a single one of Google's iOS apps has been updated in almost a month -- an unusually long period for a tech behemoth not to release, at the very least, even a minor bug fix or stability update for one of its dozens of insanely popular iPhone and iPad apps. From a report: And after reviewing the latest release dates for all of Google's iOS apps, one reason for this lack of updates seems more likely than others: It could be related to Apple's new App Store privacy labels. The last time any Google iOS app was updated was on December 7. This includes updates to major Google apps like Google Drive, YouTube, Google Docs, Google Sheets, YouTube Music, Google Duo, Google Authenticator, and Gboard. Why is December 7 a significant date? Because starting on December 8, Apple mandated that any new apps or app updates submitted to the App Store would require the developer to fill out the privacy label information for the app it was submitting. This privacy label reveals exactly what data the app is collecting about the user and how that user data is being used. The label can then be viewed on an app's App Store listing page. The feature is part of Apple's push to make developers be more transparent in the ways they collect and use user data, so users can make more informed choices about the apps they choose to download.

Firefox

Mozilla Is Working On a Firefox Design Refresh (ghacks.net)

Mozilla is "investigating" a design refresh for its Firefox browser. Ghacks reports that the refresh is referred to internally as "Proton." Information about the design refresh is limited at this point in time. Mozilla created a meta bug on Bugzilla as a reference to keep track of the changes. While there are not any mockups or screenshots posted on the site, the names of the bugs provide information on the elements that will get a refresh. These are:

- The Firefox address bar and tabs bar.
- The main Firefox menu.
- Infobars.
- Doorhangers.
- Context Menus.
- Modals.

Most user interface elements are listed in the meta bug. Mozilla plans to release the new design in Firefox 89; the browser is scheduled for a mid-2021 release. Its release date is set to May 18, 2021...

[Developer/Firefox extension author] Sören Hentzschel revealed that he saw some of the Firefox Proton mockups... He notes that Firefox will look more modern when the designs land and that Mozilla plans to introduce useful improvements, especially in regards to the user experience. Hentzschel mentions two examples of potential improvements to the user experience: a mockup that displays vertical tabs in a compact mode, and another that shows the grouping of tabs on the tab bar.

Operating Systems

Redox OS 0.6 Released With Many Fixes, Rewritten Kernel Memory Manager (phoronix.com)

Redox OS, the microkernel-based operating system written in Rust, is out with a new Christmas release. From a report: Redox OS 0.6 was released on Christmas Eve with many bug fixes and new features. Redox OS 0.6 features a complete rewrite of its RMM kernel memory manager, improvements to its Relibc C library implementation, Pkgar as a new package format, and Rust code compatibility updates. It's been the better part of two years since Redox 0.5 was released, but moving forward they hope to start releasing new updates more often.

Google

Microsoft and Google Join Facebook's Legal Battle Against Hacking Company NSO (venturebeat.com)

Tech giants, including Microsoft and Google, have joined Facebook's legal battle against hacking company NSO, filing an amicus brief in federal court that warned the Israeli firm's tools were "powerful, and dangerous." From a report: The brief, filed before the U.S. Court of Appeals for the Ninth Circuit, opens up a new front in Facebook's lawsuit against NSO, which it filed last year after it was revealed that the cyber surveillance firm had exploited a bug in Facebook-owned instant messaging program WhatsApp to help surveil more than 1,400 people worldwide. NSO has argued that because it sells digital break-in tools to police and spy agencies, it should benefit from "sovereign immunity" -- a legal doctrine that generally insulates foreign governments from lawsuits. NSO lost that argument in the Northern District of California in July and has since appealed to the Ninth Circuit to have the ruling overturned. Microsoft, Alphabet-owned Google, Cisco, Dell Technologies-owned VMware, and the Washington-based Internet Association joined forces with Facebook to argue against that, saying that awarding sovereign immunity to NSO would lead to a proliferation of hacking technology and "more foreign governments with powerful and dangerous cyber surveillance tools."

Bug

'Cyberpunk 2077' Players Are Fixing Parts of the Game Before CD Projekt (vice.com)

Cyberpunk 2077 is here in all its glory and pain. On some machines, it's a visual spectacle pushing the limits of current technology and delivering on the promise of Deus Ex, but open world. On other machines, including last-gen consoles, it's an unoptimized and barely playable nightmare. Developer CD Projekt Red has said it's working to improve the game, but fans already have a number of fixes, particularly if you're using an AMD CPU. From a report: Fans aren't waiting for the developer, however, and over the weekend AMD CPU users discovered that a few small tweaks could improve performance on their PCs. Some players reported performance gains of as much as 60 percent. Cyberpunk 2077 seems to be a CPU-intensive game and, at release, it isn't properly optimized for AMD chips. "If you run the game on an AMD CPU and check your usage in task manager, it seems to utilise 4 (logical, 2 physical) cores in frequent bursts up to 100% usage, whereas the rest of the physical cores sit around 40-60%, and their logical counterparts remain idle," Redditor BramblexD explained in a post on the /r/AMD subreddit. Basically, Cyberpunk 2077 is only utilizing a portion of any AMD chip's power.

Digital Foundry, a YouTube channel that does in-depth technical analysis of video games, noticed the AMD issue as well. "It really looks like Cyberpunk is not properly using the hyperthreads on Ryzen CPUs," Digital Foundry said in a recent video. To fix this issue, the community has developed three separate solutions. One involves altering the game's executable with a hex editor, another involves editing a config file, and a third is an unofficial patch built by the community. All three do the same thing -- unleash the power of AMD's processors. "Holy shit are you a wizard or something? The game is finally playable now!" one redditor said of the hex editing technique. "With this tweak my CPU usage went from 50% to ~75% and my frametime is so much more stable now."

Open Source

Open Source Developers Say Securing Their Code Is 'Insufferably Boring' and 'Soul-Withering' (techrepublic.com)

"A new survey of the free and open-source software (FOSS) community conducted by the Linux Foundation suggests that contributors spend less than 3% of their time on security issues and have little desire to increase this," reports TechRepublic: Moreover, responses indicated that many respondents had little interest in increasing time and effort on security. One respondent commented that they "find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks," while another said: "I find security an insufferably boring procedural hindrance."

The researchers concluded that a new approach to the security and auditing of FOSS would be needed to improve security practices, while limiting the burden on contributors. Some of the most requested tools from contributors were bug and security fixes, free security audits, and simplified ways to add security-related tools to their continuous integration (CI) pipelines.

"There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors," read the report. "Developers generally do not want to become security auditors; they want to receive the results of audits..."

The researchers continued: "One way to improve a rewrite's security is to switch from memory-unsafe languages (such as C or C++) into memory-safe languages (such as nearly all other languages). This would eliminate entire classes of vulnerabilities such as buffer overflows and double-frees."

Also interesting: money "scored very low in developers' motivations for contributing to open-source projects, as did a desire for recognition amongst peers," according to TechRepublic.

"Instead, developers said they were purely interested in finding features, fixes and solutions to the open-source projects they were working on. Other top motivations included were enjoyment and a desire to contribute back to the FOSS projects that they used."

Security

Spotify Resets Passwords After a Security Bug Exposed Users' Private Account Information (techcrunch.com)

Jerry Rivers shares a report from TechCrunch, adding: "...and it took the music service seven months to notice." From the report: In a data breach notification filed with the California attorney general's office, the music streaming giant said the data exposed "may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify." The company did not name the business partners, but added that Spotify "did not make this information publicly accessible." The company says the vulnerability existed as far back as April 9 but wasn't discovered until November 12. It didn't say what the vulnerability was or how user account data became exposed.

"We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted," the letter read.

Iphone

Original Jailbreak App Store Cydia Sues Apple for its Monopoly (vice.com)

The iPhone's original -- and unofficial -- app store has sued Apple, accusing the company of having a monopoly on the distribution of apps. Cydia, an app store created and launched in 2007 by Jay "Saurik" Freeman, one of the original jailbreakers, filed the lawsuit against Apple on Thursday. From a report: "Were it not for Apple's anticompetitive acquisition and maintenance of an illegal monopoly over iOS app distribution, users today would actually be able to choose how and where to locate and obtain iOS apps, and developers would be able to use the iOS app distributor of their choice," the lawsuit reads. Before Apple created the App Store, Freeman and a group of iPhone hackers created an unofficial app store where users that were willing to jailbreak -- a technique that exploits one or more bugs to disable the iPhone security mechanism called code-signing enforcement, which allows only Apple-approved code to run on the phone -- could download and install apps. In 2010, according to Freeman, Cydia had around 4.5 million users.

Bug

Cyberpunk 2077 Bugs Hit CD Projekt (bloomberg.com)

An anonymous reader shares a report: Numerous glitches reported by players as the long-awaited Cyberpunk 2077 game went live robbed creator CD Projekt of a stock surge on the back of encouraging advance-order sales figures. Poland's biggest computer-games studio sold more than eight million copies of the futuristic title prior to its official release, mainly using higher-margin digital distribution. Excitement around Wednesday's launch saw player numbers peak at more than one million, the most ever for a premiere night on the Steam platform, and an industry record for a single-player production. Less positively, in excess of 17,000 Steam users gave Cyberpunk a rating of just 71%, with their complaints of bugs in the game pushing CD Projekt's shares as much as 7.5% lower.

Before the release, Cyberpunk's average rating was 91% on Metacritic, a website that aggregates journalists' reviews. That less-than-perfect verdict also weighed on the stock earlier this week, paring its gains of almost 60% in 2020 as of last Friday. The stakes are high for CD Projekt as, after eight years of developing Cyberpunk, the game is the studio's only new franchise. The company said Thursday it's already working on fixes and is confident the bugs will be resolved, and that it wants to publish initial sales data before Christmas.

Security

iPhone Zero-Click Wi-Fi Exploit is One of the Most Breathtaking Hacks Ever (arstechnica.com)

Dan Goodin, writing for ArsTechnica: Earlier this year, Apple patched one of the most breathtaking iPhone vulnerabilities ever: a memory corruption bug in the iOS kernel that gave attackers remote access to the entire device -- over Wi-Fi, with no user interaction required at all. Oh, and exploits were wormable -- meaning radio-proximity exploits could spread from one nearby device to another, once again, with no user interaction needed. This Wi-Fi packet of death exploit was devised by Ian Beer, a researcher at Project Zero, Google's vulnerability research arm. In a 30,000-word post published on Tuesday afternoon, Beer described the vulnerability and the proof-of-concept exploit he spent six months developing single-handedly. Almost immediately, fellow security researchers took notice.

"This is a fantastic piece of work," Chris Evans, a semi-retired security researcher and executive and the founder of Project Zero, said in an interview. "It really is pretty serious. The fact you don't have to really interact with your phone for this to be set off on you is really quite scary. This attack is just you're walking along, the phone is in your pocket, and over Wi-Fi someone just worms in with some dodgy Wi-Fi packets." Beer's attack worked by exploiting a buffer overflow bug in a driver for AWDL, an Apple-proprietary mesh networking protocol that makes things like AirDrop work. Because drivers reside in the kernel -- one of the most privileged parts of any operating system -- the AWDL flaw had the potential for serious hacks. And because AWDL parses Wi-Fi packets, exploits can be transmitted over the air, with no indication that anything is amiss.

Bug

New Videogame Bug Turns Spider-Man Into a Trash Can (gamespot.com)

A new bug in the PlayStation game Spider-Man: Miles Morales "turns Miles into various inanimate objects, including bricks, cardboard boxes, and even a trash can," reports GameSpot: Despite Miles' changed appearance, he can still perform many of his heroic antics, including web-swinging and beating up bad guys. It's an important lesson to all of us in these trying times: You might look like trash, but you can still do your job.

Today Engadget reports that the glitch even turns Spider-Man into a patio heater: If you've ever wanted to keep people toasty warm while fighting crime, now's your chance.

We've asked [the game's creator] Insomniac Games for comment, although it already tweeted that the hiccup was "equally embarrassing as it is heart-warming." Into the Spider-Verse's Phil Lord joked that the heater would find its way into the sequel if the team had "any self respect at all."

Security

2FA Bypass Discovered In Web Hosting Software cPanel (zdnet.com)

An anonymous reader quotes a report from ZDNet: Security researchers have discovered a major security flaw in cPanel, a popular software suite used by web hosting companies to manage websites for their customers. The bug, discovered by security researchers from Digital Defense, allows attackers to bypass two-factor authentication (2FA) for cPanel accounts. These accounts are used by website owners to access and manage their websites and underlying server settings. Access to these accounts is critical, as once compromised, they grant threat actors full control over a victim's site.

On its website, cPanel boasts that its software is currently used by hundreds of web hosting companies to manage more than 70 million domains across the world. But in a press release today, Digital Defense says that the 2FA implementation on older cPanel & WebHost Manager (WHM) software was vulnerable to brute-force attacks that allowed threat actors to guess URL parameters and bypass 2FA -- if 2FA was enabled for an account. While brute-forcing attacks, in general, usually take hours or days to execute, in this particular case, the attack required only a few minutes, Digital Defense said today. Exploiting this bug also requires that attackers have valid credentials for a targeted account, but these can be obtained from phishing the website owner. The good news is that Digital Defense has privately reported the bug, tracked as SEC-575, to the cPanel team, which released patches last week.

Security

'Smart' Doorbells For Sale On Amazon, eBay Came Stocked With Security Vulnerabilities (cyberscoop.com)

The U.K.-based security company NCC Group and consumer advocacy group Which? have found vulnerabilities in 11 "smart" doorbells sold on popular platforms like Amazon and eBay. CyberScoop reports: One flaw could allow a remote attacker to break into the wireless network by swiping login credentials. Another critical bug, which has been around for years, could enable attackers to intercept and manipulate data on the network. The investigation focused on doorbells made by often obscure vendors, but which nonetheless earned top reviews and featured prominently on Amazon and eBay. The researchers raised concerns that some of the devices were storing sensitive data, including location data and audio and video captured by the doorbell's camera, on insecure servers. One device made by a company called Victure, for example, sent a user's wireless name and password, unencrypted, to servers in China, according to the researchers.

In a statement, Amazon said it requires products sold on its site to be compliant with applicable laws and regulations, and that it has tools to detect "unsafe or non-compliant products from being listed in our stores." eBay said it takes down listings that violate its safety standards, but that the devices flagged by the researchers did not meet that threshold. Victure did not immediately respond to a request for comment. The NCC Group-Which? team said they tried to contact the various vendors of the vulnerable smart doorbells, with mixed success. The unnamed vendor of one device, for example, removed an online listing for the product after the researchers shared their findings.

Communications

'Code is Sourdough' (increment.com)

Romello Goodman, a software engineer at The New York Times, writing at Increment: Like a sourdough starter passed through the hands of many bakers -- some novices, some experienced -- a codebase reflects how teammates communicate with one another. It's a snapshot of our thinking and our best attempts at codifying norms and assumptions. It's a conversation in which each person contributes and is in conversation with those who came before them. With each new feature or bug report, we understand our code better. We identify areas where new logic doesn't quite fit with existing logic. We're constantly in touch with our own past decisions and those of our coworkers. We're working together, trying to harmonize and match one another's thinking patterns and assumptions. We trust one another to make decisions for the good of the team and the organization. Every piece of new code adds to the culture and cultivates our shared understanding.

If code is sourdough, we have an opportunity to better appreciate the histories and context that have gone into it. In software, we tend to think of legacy code as something that should be thrown away or rewritten, often conflating a codebase's age with its health and viability. But code doesn't age in a vacuum. If sourdough can be passed down from person to person over decades, then so can code. The preservation of decisions and experience is tied to the preservation of our codebase. Even when the code itself is no longer being updated, documentation around the logic or the underlying platform and adjacent technologies can keep a codebase and its culture vibrant. You can then pass that culture on for another team to bake with. It might just taste better than you'd expect.

Twitter

Twitter's Launch of Fleets: Lag, Some Crashes, Bugs, Skepticism and Cat Pics (cnet.com)

CNET reports on Twitter's rocky rollout of "fleets" which disappear after 24 hours: In a blog post, Twitter said global tests of the feature indicated the tool helped people feel more comfortable joining public conversations on the service. "Those new to Twitter found Fleets to be an easier way to share what's on their mind," the company said. "Because they disappear from view after a day, Fleets helped people feel more comfortable sharing personal and casual thoughts, opinions and feelings."

And, apparently, sharing cat content. "Don't really care for fleets," one wrote, "but the fact that 90% of the ones I've seen so far have cats in them brings me joy...."

The feature's debut Tuesday brought its share of complaints about the product, with some people saying the Fleets froze, lagged or made their Twitter crash. "We're aware of some issues people may be having and are working to fix them," a Twitter spokesperson said.

"Earlier this week, Twitter officially rolled out Fleets, a new feature that — ahem — takes inspiration from Instagram Stories and Snapchat Stories," writes Android Central, "and boy do people have opinions on it."

But users should warm up to the feature eventually, experts tell NBC News: [A]lthough users lambasted Fleets...those same users began to use the function almost immediately.

While there are valid critiques of Fleets and how they could be used in regard to misinformation and harassment, experts say the users' first reaction will typically be to resist changes to a site or app that they've grown accustomed to, even though they typically adopt the change as the preferred version of the platform later on.

Yet by the weekend Twitter was already acknowledging its first major bug with fleets, exploitable "through a technical workaround where some Fleets media URLs may be accessible after 24 hours," according to The Verge: The "workaround" referenced appears to be a developer app that could scrape fleets from public accounts via Twitter's API. The Twitter API doesn't return URLs for fleets that are older than 24 hours, according to the company, and once the fix is rolled out, even if someone has a URL for an active fleet, it won't work after the expiration point.

The Verge also points out that "while fleets are only visible on users' timelines for 24 hours, Twitter stores fleets on its back end for up to 30 days, longer for fleets that violate its rules and may require enforcement action, the company says."

Bug

Apple Lets Some Network Traffic Bypass Firewalls on MacOS Big Sur (arstechnica.com)

"Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs..." reports Threatpost. "While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this doesn't appear to have happened."

"Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu," explains Ars Technica: The undocumented exemption, which didn't take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend. To demonstrate the risks that come with this move, Wardle — a former hacker for the NSA — demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure...

Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that "essential security tools such as firewalls are ineffective" under the change.

Apple has yet to explain the reason behind the change.