Early Friday the principal author of GNU Privacy Guard (the free encryption software) warned that version 1.9.0 of its cryptographic library Libgcrypt, released January 19, had a "severe" security vulnerability and should not be used.

A new version 1.9.1, which fixes the flaw, is available for download, Help Net Security reports: He also noted that Fedora 34 (scheduled to be released in April 2021) and Gentoo Linux are already using the vulnerable version... [I]t's a heap buffer overflow due to an incorrect assumption in the block buffer management code. Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated before the vulnerability occurs.

It was discovered and flagged by Google Project Zero researcher Tavis Ormandy and affects only Libgcrypt v1.9.0.
"Exploiting this bug is simple and thus immediate action for 1.9.0 users is required..." Koch posted on the GnuPG mailing list. "The 1.9.0 tarballs on our FTP server have been renamed so that scripts won't be able to get this version anymore."

Tech blogger Paul Thurrott writes: Firefox 85 now protects users against supercookies, which Mozilla says is "a type of tracker that can stay hidden in your browser and track you online, even after you clear cookies. By isolating supercookies, Firefox prevents them from tracking your web browsing from one site to the next." It also includes small improvements to bookmarks and password management.

Unfortunately, Mozilla has separately — and much more quietly — stopped work on Site Specific Browser (SSB) functionality... This feature allowed users to use Firefox to create apps on the local PC from Progressive Web Apps and other web apps, similar to the functionality provided in Chrome, Microsoft Edge, and other Chromium-based web browsers. "The SSB feature has only ever been available through a hidden [preference] and has multiple known bugs," Mozilla's Dave Townsend explains in a Bugzilla issue tracker. "Additionally, user research found little to no perceived user benefit to the feature and so there is no intent to continue development on it at this time. As the feature is costing us time in terms of bug triage and keeping it around is sending the wrong signal that this is a supported feature, we are going to remove the feature from Firefox."
Thurrott's conclusion? "Mozilla is walking away from a key tenet of modern web apps and, in doing so, they are making themselves irrelevant."

Apple yesterday released a new version of iCloud for Windows 10, and based on multiple reports and the update's release notes, it appears Apple is introducing an iCloud Passwords extension designed for Chrome, which will allow "iCloud" Keychain passwords to be used on Windows machines. MacRumors reports: As noted by The 8-Bit and a few other sources, the update adds support for an "iCloud" Passwords Chrome extension." After installing version 12 of "iCloud" for Windows, there's a new "Passwords" section in the app with an "iCloud" Keychain logo. When attempting to use the feature, though, the "iCloud" app prompts users to download a Chrome extension, but the extension is broken and clicking to install leads to a broken web page.

This is likely a bug that will be addressed in the near future, and it sounds like when it is functional, Windows users will be able to access their "iCloud" Keychain passwords on their Windows machines through the Chrome browser. It's not clear if Apple will offer this extension for Mac machines in the future as well, and it appears to be limited to Windows at this time.

A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users. From a report: The vulnerability, which received a CVE identifier of CVE-2021-3156, but is more commonly known as "Baron Samedit," was discovered by security auditing firm Qualys two weeks ago and was patched earlier today with the release of Sudo v1.9.5p2. In a simple explanation provided by the Sudo team today, the Baron Samedit bug can be exploited by an attacker who has gained access to a low-privileged account to gain root access, even if the account isn't listed in /etc/sudoers -- a config file that controls which users are allowed access to su or sudo commands in the first place.

Google Play's crazy automated app review process strikes again. From a report: This time, the puritan robot overlords that run the Play Store briefly decided that listing support for common subtitle files is enough to get your app banned. The developer for Just (Video) Player wrote in the app's bug tracker, "After a tiny unrelated description update, Just Player got suspended from the Google Play Store for "Sexual Content and Profanity policy". Google finds issues with following: Full description (en_US): "* Subtitles: SRT, SSA, ASS, TTML, VTT."" Yes, just listing standard video player features like support for the "ASS" subtitle format was apparently enough to temporarily earn a suspension. The developer says they "immediately filed an appeal" and today, the app is back up with the ASS subtitle listing still in the description.

Earlier this week security experts disclosed details on seven vulnerabilities impacting Dnsmasq, "a popular DNS software package that is commonly deployed in networking equipment, such as routers and access points," reports ZDNet. "The vulnerabilities tracked as DNSpooq, impact Dnsmasq, a DNS forwarding client for *NIX-based operating systems."

Slashdot reader Joe2020 shared Help Net Security's quote from Shlomi Oberman, CEO and researcher at JSOF. "Some of the bigger users of Dnsmasq are Android/Google, Comcast, Cisco, Red Hat, Netgear, and Ubiquiti, but there are many more. All major Linux distributions offer Dnsmasq as a package, but some use it more than others, e.g., in OpenWRT it is used a lot, Red Hat use it as part of their virtualization platforms, Google uses it for Android hotspots (and maybe other things), while, for example Ubuntu just has it as an optional package."

More from ZDNet: Dnsmasq is usually included inside the firmware of various networking devices to provide DNS forwarding capabilities by taking DNS requests made by local users, forwarding the request to an upstream DNS server, and then caching the results once they arrive, making the same results readily available for other clients without needing to make a new DNS query upstream. While their role seems banal and insignificant, they play a crucial role in accelerating internet speeds by avoiding recursive traffic...

Today, the DNSpooq software has made its way in millions of devices sold worldwide [including] all sorts of networking gear like routers, access points, firewalls, and VPNs from companies like ZTE, Aruba, Redhat, Belden, Ubiquiti, D-Link, Huawei, Linksys, Zyxel, Juniper, Netgear, HPE, IBM, Siemens, Xiaomi, and others. The DNSpooq vulnerabilities, disclosed today by security experts from JSOF, are dangerous because they can be combined to poison DNS cache entries recorded by Dnsmasq servers. Poisoning DNS cache records is a big problem for network administrators because it allows attackers to redirect users to clones of legitimate websites...

In total, seven DNSpooq vulnerabilities have been disclosed today. Four are buffer overflows in the Dnsmasq code that can lead to remote code execution scenarios, while the other three bugs allow DNS cache poisoning. On their own, the danger from each is limited, but researchers argue they can be combined to attack any device with older versions of the Dnsmasq software...

The JSOF exec told ZDNet that his company has worked with both the Dnsmasq project author and multiple industry partners to make sure patches were made available to device vendors by Tuesday's public disclosure.

Legendary programmer Jamie Zawinski has worked on everything from the earliest releases of the Netscape Navigator browser to XEmacs, Mozilla, and, of course, the XScreenSaver project.

Now Slashdot reader e432776 writes: JWZ continues to track issues with screensavers on Linux (since 2004!), and discusses a new bug in cinnamon-screensaver. Long-standing topics like X11, developer interaction, and code licensing all feature. Solutions to these long-standing issues remain elusive.
Jamie titled his blog post "I told you so, 2021 edition": You will recall that in 2004 , which is now seventeen years ago, I wrote a document explaining why I made the design trade-offs that I did in XScreenSaver, and in that document I predicted this exact bug as my example of, "this is what will happen if you don't do it this way."

And they went and made that happen.

Repeatedly.

Every time this bug is re-introduced, someone pipes up and says something like, "So what, it was a bug, they've fixed it." That's really missing the point. The point is not that such a bug existed, but that such a bug was even possible. The real bug here is that the design of the system even permits this class of bug. It is unconscionable that someone designing a critical piece of security infrastructure would design the system in such a way that it does not fail safe .

Especially when I have given them nearly 30 years of prior art demonstrating how to do it right, and a two-decades-old document clearly explaining What Not To Do that coincidentally used this very bug as its illustrative strawman!

These bugs are a shameful embarrassment of design -- as opposed to merely bad code...
ZDNet reports that Linux Mint has issued a patch for Cinnamon that fixes the screensaver bug. But HotHardware notes that it was discovered when "one Dad let the kids play with the keyboard. This button-mashing actually crashed the machine's screensaver by sheer luck, allowing them onto the desktop, ultimately leading to the discovery of a high priority security vulnerability for the Linux Mint team."

But that's not the only thing bothering Jamie Zawinski: Just to add insult to injury, it has recently come to my attention that not only are Gnome-screensaver, Mint-screensaver and Cinnamon-screensaver buggy and insecure dumpster fires, but they are also in violation of my license and infringing my copyright.

XScreenSaver was released under the BSD license, one of the oldest and most permissive of the free software licenses. It turns out, the Gnome-screensaver authors copied large parts of XScreenSaver into their program, removed the BSD license and slapped a GPL license on my code instead -- and also removed my name. Rude...

Mint-screensaver and Cinnamon-screensaver, being forks and descendants of Gnome-screensaver, have inherited this license violation and continue to perpetuate it. Every Linux distro is shipping this copyright- and license-infringing code.

I eagerly await hearing how they're going to make this right.

An unpatched zero-day in Microsoft Windows 10 allows attackers to corrupt an NTFS-formatted hard drive with a one-line command. Bleeping Computer reports: In August 2020, October 2020, and finally this week, infosec researcher Jonas L drew attention to an NTFS vulnerability impacting Windows 10 that has not been fixed. When exploited, this vulnerability can be triggered by a single-line command to instantly corrupt an NTFS-formatted hard drive, with Windows prompting the user to restart their computer to repair the corrupted disk records. The researcher told BleepingComputer that the flaw became exploitable starting around Windows 10 build 1803, the Windows 10 April 2018 Update, and continues to work in the latest version. What's worse is, the vulnerability can be triggered by standard and low privileged user accounts on Windows 10 systems. [...] It is unclear why accessing this attribute corrupts the drive, and Jonas told BleepingComputer that a Registry key that would help diagnose the issue doesn't work.

One striking finding shared by Jonas with us was that a crafted Windows shortcut file (.url) that had its icon location set to C:\:$i30:$bitmap would trigger the vulnerability even if the user never opened the file! As observed by BleepingComputer, as soon as this shortcut file is downloaded on a Windows 10 PC, and the user views the folder it is present in, Windows Explorer will attempt to display the file's icon. To do this, Windows Explorer would attempt to access the crafted icon path inside the file in the background, thereby corrupting the NTFS hard drive in the process. Next, "restart to repair hard drive" notifications start popping up on the Windows PC -- all this without the user even having opened or double-clicked on the shortcut file.

A security flaw in Ring's Neighbors app was exposing the precise locations and home addresses of users who had posted to the app. From a report: Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, launched Neighbors in 2018 as a breakaway feature in its own standalone app. Neighbors is one of several neighborhood watch apps, like Nextdoor and Citizen, that lets users anonymously alert nearby residents to crime and public-safety issues. While users' posts are public, the app doesn't display names or precise locations -- though most include video taken by Ring doorbells and security cameras. The bug made it possible to retrieve the location data on users who posted to the app, including those who are reporting crimes. But the exposed data wasn't visible to anyone using the app. Rather, the bug was retrieving hidden data, including the user's latitude and longitude and their home address, from Ring's servers. Another problem was that every post was tied to a unique number generated by the server that incremented by one each time a user created a new post. Although the number was hidden from view to the app user, the sequential post number made it easy to enumerate the location data from previous posts -- even from users who aren't geographically nearby.

Mozilla developers plan to remove support for using the Backspace key as a Back button inside Firefox. From a report: The change is currently active in the Firefox Nightly version and is expected to go live in Firefox 86, scheduled to be released next month, in late February 2021. The removal of the Backspace key as a navigational element didn't come out of the blue. It was first proposed back in July 2014, in a bug report opened on Mozilla's bug tracker. At the time, Mozilla engineers argued that many users who press the Backspace key don't always mean to navigate to the previous page (the equivalent of pressing the Back button).

Bleeping Computer reports: NVIDIA has released security updates to address six security vulnerabilities found in Windows and Linux GPU display drivers, as well as ten additional flaws affecting the NVIDIA Virtual GPU (vGPU) management software. The vulnerabilities expose Windows and Linux machines to attacks leading to denial of service, escalation of privileges, data tampering, or information disclosure.

All these security bugs require local user access, which means that potential attackers will first have to gain access to vulnerable devices using an additional attack vector. Following successful exploitation of one of the vulnerabilities patched today, attackers can easily escalate privileges to gain permissions above the default ones granted by the OS.

Not a single one of Google's iOS apps have been updated in almost a month -- an unusually long period for a tech behemoth not to release, at the very least, even a minor bug fix or stability update for one of its dozens of insanely popular iPhone and iPad apps. From a report: And after reviewing the latest release dates for all of Google's iOS apps, one reason for this lack of updates seems more likely than others: It could be related to Apple's new App Store privacy labels. The last time any Google iOS app was updated was on December 7. This includes updates to major Google apps like Google Drive, YouTube, Google Docs, Google Sheets, YouTube Music, Google Duo, Google Authenticator, and Gboard. Why is December 7 a significant date? Because starting on December 8, Apple mandated that any new apps or app updates submitted to the App Store would require the developer to fill out the privacy label information for the app it was submitting. This privacy label reveals exactly what data the app is collecting about the user and how that user data is being used. The label can then be viewed on an app's App Store listing page. The feature is part of Apple's push to make developers be more transparent in the ways they collect and use user data, so users can make more informed choices about the apps they choose to download.

Mozilla is "investigating" a design refresh for its Firefox browser. Ghacks reports that the refresh is referred to internally as "Photon." Information about the design refresh is limited at this point in time. Mozilla created a meta bug on Bugzilla as a reference to keep track of the changes. While there are not any mockups or screenshots posted on the site, the names of the bugs provide information on the elements that will get a refresh. These are:

- The Firefox address bar and tabs bar.
- The main Firefox menu.
- Infobars.
- Doorhangers.
- Context Menus.
- Modals.
Most user interface elements are listed in the meta bug. Mozilla plans to release the new design in Firefox 89; the browser is scheduled for a mid-2021 release. Its release date is set to May 18, 2021...

[Developer/Firefox extension author] Sören Hentzschel revealed that he saw some of the Firefox Proton mockups... He notes that Firefox will look more modern when the designs land and that Mozilla plans to introduce useful improvements, especially in regards to the user experience. Hentzschel mentions two examples of potential improvements to the user experience: a mockup that displays vertical tabs in a compact mode, and another that shows the grouping of tabs on the tab bar.

Redox OS, the micro-kernel based Rust-written operating system, is out with a new Christmas release. From a report: Redox OS 0.6 was released on Christmas Eve with many bug fixes and new features. Redox OS 0.6 features a complete rewrite of its RMM kernel memory manager, improvements to its Relibc C library implementation, Pkgar as a new package format, and Rust code compatibility updates. It's been the better part of two years since Redox 0.5 was released but moving forward they hope to start releasing new updates more often.

Tech giants, including Microsoft and Google, have joined Facebook's legal battle against hacking company NSO, filing an amicus brief in federal court that warned the Israeli firm's tools were "powerful, and dangerous." From a report: The brief, filed before the U.S. Court of Appeals for the Ninth Circuit, opens up a new front in Facebook's lawsuit against NSO, which it filed last year after it was revealed that the cyber surveillance firm had exploited a bug in Facebook-owned instant messaging program WhatsApp to help surveil more than 1,400 people worldwide. NSO has argued that because it sells digital break-in tools to police and spy agencies, it should benefit from "sovereign immunity" -- a legal doctrine that generally insulates foreign governments from lawsuits. NSO lost that argument in the Northern District of California in July and has since appealed to the Ninth Circuit to have the ruling overturned. Microsoft, Alphabet-owned Google, Cisco, Dell Technologies-owned VMWare, and the Washington-based Internet Association joined forces with Facebook to argue against that, saying that awarding sovereign immunity to NSO would lead to a proliferation of hacking technology and "more foreign governments with powerful and dangerous cyber surveillance tools."

Cyberpunk 2077 is here in all its glory and pain. On some machines, it's a visual spectacle pushing the limits of current technology and delivering on the promise of Deus Ex, but open world. On other machines, including last-gen consoles, it's a unoptimized and barely playable nightmare. Developer CD Projekt Red has said it's working to improve the game, but fans already have a number of fixes, particularly if you're using an AMD CPU. From a report: Fans aren't waiting for the developer however and over the weekend AMD CPU users discovered that a few small tweaks could improve performance on their PCs. Some players reported performance gains of as much as 60 percent. Cyberpunk 2077 seems to be a CPU intensive game and, at release, it isn't properly optimized for AMD chips. "If you run the game on an AMD CPU and check your usage in task manager, it seems to utilise 4 (logical, 2 physical) cores in frequent bursts up to 100% usage, whereas the rest of the physical cores sit around 40-60%, and their logical counterparts remain idle," Redditor BramblexD explained in a post on the /r/AMD subreddit. Basically, Cyberpunk 2077 is only utilizing a portion of any AMD chips power.

Digital Foundry, a YouTube channel that does in-depth technical analysis of video games, noticed the AMD issue as well. "It really looks like Cyberpunk is not properly using the hyperthreads on Ryzen CPUs," Digital Foundry said in a recent video. To fix this issue, the community has developed three separate solutions. One involves altering the game's executable with a hex editor, the other involves editing a config file, and a third is an unofficial patch built by the community. All three do the same thing -- unleash the power of AMDs processors. "Holy shit are you a wizard or something? The game is finally playable now!" One redditor said of the hex editing technique. "With this tweak my CPU usage went from 50% to ~75% and my frametime is so much more stable now."

"A new survey of the free and open-source software (FOSS) community conducted by the Linux Foundation suggests that contributors spend less than 3% of their time on security issues and have little desire to increase this," reports TechRepublic: Moreover, responses indicated that many respondents had little interest in increasing time and effort on security. One respondent commented that they "find the enterprise of security a soul-withering chore and a subject best left for the lawyers and process freaks," while another said: "I find security an insufferably boring procedural hindrance."

The researchers concluded that a new approach to the security and auditing of FOSS would be needed to improve security practices, while limiting the burden on contributors. Some of the most requested tools from contributors were bug and security fixes, free security audits, and simplified ways to add security-related tools to their continuous integration (CI) pipelines.

"There is a clear need to dedicate more effort to the security of FOSS, but the burden should not fall solely on contributors," read the report. "Developers generally do not want to become security auditors; they want to receive the results of audits..."

The researchers continued: "One way to improve a rewrite's security is to switch from memory-unsafe languages (such as C or C++ ) into memory-safe languages (such as nearly all other languages)," researchers said. "This would eliminate entire classes of vulnerabilities such as buffer overflows and double-frees."
Also interesting: money "scored very low in developers' motivations for contributing to open-source projects, as did a desire for recognition amongst peers," according to TechRepublic.

"Instead, developers said they were purely interested in finding features, fixes and solutions to the open-source projects they were working on. Other top motivations included were enjoyment and a desire to contribute back to the FOSS projects that they used."

Jerry Rivers shares a report from TechCrunch, adding: "...and it took the music service seven months to notice." From the report: In a data breach notification filed with the California attorney general's office, the music streaming giant said the data exposed "may have included email address, your preferred display name, password, gender, and date of birth only to certain business partners of Spotify." The company did not name the business partners, but added that Spotify "did not make this information publicly accessible." The company says the vulnerability existed as far back as April 9 but wasn't discovered until November 12. It didn't say what the vulnerability was or how user account data became exposed.

"We have conducted an internal investigation and have contacted all of our business partners that may have had access to your account information to ensure that any personal information that may have been inadvertently disclosed to them has been deleted," the letter read.

The iPhone's original -- and unofficial -- app store has sued Apple, accusing the company of having a monopoly on the distribution of apps. Cydia, an app store created and launched in 2007 by Jay "Saurik" Freeman, one of the original jailbreakers filed the lawsuit against Apple on Thursday. From a report: "Were it not for Apple's anti competitive acquisition and maintenance of an illegal monopoly over iOS app distribution, users today would actually be able to choose how and where to locate and obtain iOS apps, and developers would be able to use the iOS app distributor of their choice," the lawsuit reads. Before Apple created the App Store, Freeman and a group of iPhone hackers created an unofficial app store where users that were willing to jailbreak -- a technique to exploit one or more bug to disable the iPhone security mechanism called code-signing enforcement that allows for only Apple-approved code to run on the phone -- could download and install apps. In 2010, according to Freeman, Cydia had around 4.5 million users.

An anonymous reader shares a report: Numerous glitches reported by players as the long-awaited Cyberpunk 2077 game went live robbed creator CD Projekt of a stock surge on the back of encouraging advance-order sales figures. Poland's biggest computer-games studio sold more than eight million copies of the futuristic title prior to its official release, mainly using higher-margin digital distribution. Excitement around Wednesday's launch saw player numbers peak at more than one million, the most ever for a premier night on the Steam platform, and an industry record for a single-player production. Less positively, in excess of 17,000 Steam users gave Cyberpunk a rating of just 71%, with their complaints of bugs in the game pushing CD Projekt's shares as much as 7.5% lower.

Before the release, Cyberpunk's average rating was 91% on Metacritic, a website that aggregated journalists reviews. That less-than-perfect verdict also weighed on the stock earlier this week, paring its gains of almost 60% in 2020 as of last Friday. The stakes are high for CD Projekt as, after eight years of developing Cyberpunk, the game is the studio's only new franchise. The company said Thursday it's already working on fixes and is confident they will be resolved and that it wants to publish initial sales data before Christmas.