Printer

PrintDemon Vulnerability Impacts All Windows Versions (zdnet.com) 28

Two security researchers have published today details about a vulnerability in the Windows printing service that they say impacts all Windows versions going back to Windows NT 4, released in 1996. From a report: The vulnerability, which they codenamed PrintDemon, is located in Windows Print Spooler, the primary Windows component responsible for managing print operations. The service can send data to be printed to a USB/parallel port for physically connected printers; to a TCP port for printers residing on a local network or the internet; or to a local file, in the rare event the user wants to save a print job for later. In a report published today, security researchers Alex Ionescu & Yarden Shafir said they found a bug in this old component that can be abused to hijack the Printer Spooler internal mechanism. The bug can't be used to break into a Windows client remotely over the internet, so it's not something that could be exploited to hack Windows systems at random over the internet.
Security

Huawei Denies Involvement in Buggy Linux Kernel Patch Proposal (zdnet.com) 109

Huawei denied on Monday having any official involvement in an insecure patch submitted to the Linux kernel project over the weekend, a patch that introduced a "trivially exploitable" vulnerability. From a report: The buggy patch was submitted to the official Linux kernel project via its mailing list on Sunday. Named HKSP (Huawei Kernel Self Protection), the patch allegedly introduced a series of security-hardening options to the Linux kernel. Big tech companies that heavily use Linux in their data centers and online services often submit patches to the Linux kernel. Companies like Google, Microsoft, Amazon, and others have been known to have contributed code. On Sunday, the HKSP submission sparked interest in the Linux community as it could signal Huawei's wish to possibly contribute to the official kernel. Due to this, the patch came under immediate scrutiny, including from the developers of Grsecurity, a project that provides its own set of security-hardening patches for the Linux kernel. In a blog post published on the same day, the Grsecurity team said that it discovered that the HKSP patch was introducing a "trivially exploitable" vulnerability in the kernel code -- if the patch was to be approved.
Medicine

Ask Slashdot: How Are You Handling COVID-19? 313

turp182 writes: What's your story? How are you doing? What do you predict? Below is a summary of the stats I've been following, some assumptions, and an overview of my personal situation. Anyway, how are you all doing?
Bug

Thunderbolt Bug Lets Hackers Steal Your Data in 'Five Minutes' (thenextweb.com) 92

A new set of flaws discovered in the Intel Thunderbolt port has put millions of machines at risk of local hacking. This new research by Eindhoven University's Bjorn Ruytenberg suggests that if a hacker gains access to a machine for just five minutes, they could bypass login methods to gain full data access. From a report: Thunderbolt ports are present in machines with Windows, Linux, and macOS. So, that covers a lot of computers. Ruytenberg said all Thunderbolt versions and systems shipped between 2011 and 2020 are affected and no software patch can fix these vulnerabilities. So, Intel would need to redesign silicon in order to fix these flaws. There's not much you can do here. However, with open-source software called Thunderspy, developed by Ruytenberg and their team, you can check if you're affected by the Thunderbolt bug.
The Media

'Murder Hornet' Meme Inspires Stupid Americans To Kill Pollinators En Masse (latimes.com) 169

An anonymous reader writes: You really can't make this stuff up, but Americans across the country, out of fear of "murder hornets," have begun killing all kinds of bees en masse. According to Doug Yanega, senior museum scientist for the Department of Entomology at UC Riverside, a national panic has led to the needless slaughter of native wasps and bees, beneficial insects whose populations are already threatened...

"Folks in China, Korea and Japan have lived side by side with these hornets for hundreds of years, and it has not caused the collapse of human society there. My colleagues in Japan, China and Korea are just rolling their eyes in disbelief at what kind of snowflakes we are..."

"I don't want to downplay this — they are logistically dangerous insects. But having people in Tennessee worry about this is just ridiculous. The only people who should be bothering experts with concerns about wasp IDs are living in the northwest quadrant of Washington (state). And really, right now, nobody else in the country should even be thinking about this stuff," he continued.

"The facts are, experts said, two dead hornets were found in Washington last December, a lone Canadian live nest was found and wiped out last September and no live hornets have yet been seen this year," reports the Associated Press.

And when they spoke to the Washington Agriculture Department entomologist working on the state's response, he issued an additional correction for all the journalists covering this story. "They are not 'murder hornets.' They are just hornets."
Bug

How a Facebook Bug Took Down Your Favorite iOS Apps (wired.com) 65

An anonymous reader quotes a report from Wired: A little after 6 pm ET on Wednesday, the system started blinking red for iOS developer Clay Jones. Like many devs, Jones uses a Google product called Crashlytics to keep tabs on when his app stops working. Out of nowhere, it registered tens of thousands of crashes. It also pointed to the cause: a chunk of code that Jones' app incorporates to let people log in with their Facebook accounts. By 6:30 pm, Jones had filed a bug report about the flaw in Facebook's software development kit on GitHub, the code repository. He wasn't alone. According to widespread reports and the web monitoring service Down Detector, prominent iOS apps like TikTok, Spotify, Pinterest, Venmo, and more experienced issues on Wednesday. Many users found that they crashed whenever they tried to open the apps, whether or not they used Facebook to log in.

"Yesterday, a new release of Facebook included a change that triggered crashes in some apps using the Facebook iOS SDK for some users. We identified the issue quickly and resolved it," Facebook said in a statement. That change was quite small, given its outsized impact. "It was something like a server value -- which was supposed to provide a dictionary of things -- was changed to providing a simple YES/NO instead, without warning," says iOS developer Steven Troughton-Smith. "A change that simple can break an app that isn't prepared for it."

"Pretty much all these apps -- Pinterest, Spotify, a lot of the big ones -- use the Facebook SDK for the login button," says Jones. "You'll see 'Login With Facebook.' Everyone has it, super common, great for sign-up rates because it's just a one-click thing." And lots of apps that don't use Login With Facebook still use the SDK, which is why the issue Wednesday was so widespread. [...] The good news is that Facebook did fix the issue with haste, as far as these things go. Jones says it took about two hours for things to return to normal.

Security

20 Years Later, Creator of World's First Major Computer Virus Located in Manila (bbc.com) 100

"The man behind the world's first major computer virus outbreak has admitted his guilt, 20 years after his software infected millions of machines worldwide," reports the BBC: Filipino Onel de Guzman, now 44, says he unleashed the Love Bug computer worm to steal passwords so he could access the internet without paying. He claims he never intended it to spread globally.

And he says he regrets the damage his code caused. "I didn't expect it would get to the US and Europe. I was surprised," he said in an interview for Crime Dot Com, a forthcoming book on cyber-crime.

The Love Bug pandemic began on 4 May, 2000. Victims received an email attachment entitled LOVE-LETTER-FOR-YOU. It contained malicious code that would overwrite files, steal passwords, and automatically send copies of itself to all contacts in the victim's Microsoft Outlook address book. Within 24 hours, it was causing major problems across the globe, reportedly infecting 45 million machines...

He claims he initially sent the virus only to Philippine victims, with whom he communicated in chat rooms, because he only wanted to steal internet access passwords that worked in his local area. However, in spring 2000 he tweaked the code, adding an auto-spreading feature that would send copies of the virus to victims' Outlook contacts using a flaw in Microsoft's Windows 95 operating system.

"It's not really a virus," wrote CmdrTaco back on May 4, 2000. "It's a trojan that proclaims its love for the recipient and requests that you open its attachment. On a first date even! It then loves you so much that it sends copies of itself to everyone in your address book and starts destroying files on your drive...

"Pine/Elm/Mutt users as always laugh maniacally as the trojan shuffles countless wasted packets over saturated backbones filling overworked SMTP servers everywhere. Sysadmins are seen weeping in the alleys."
Bug

Newly Discovered macOS Image Capture Bug Can Fill Up Hard Drives With Empty Data (macrumors.com) 25

An anonymous reader quotes a report from MacRumors: A bug has been discovered in Apple's macOS Image Capture app that needlessly eats up potentially gigabytes of storage space when transferring photos from an iPhone or iPad to a Mac. Discovered by the developers of media asset management app NeoFinder and shared in a blog post called "Another macOS bug in Image Capture," the issue occurs when Apple's Mac tool converts HEIF photos taken by iOS to more standard JPG files. This process happens when users uncheck the "Keep Originals" option in Image Capture's settings, which converts the HEIC files to JPG when copied to Mac. However, the app also inexplicably adds 1.5MB of empty data to every single file in the process.

It's worth noting that the bug only occurs when transferring photos from Apple devices, not when importing photos from digital cameras using Image Capture. NeoFinder's team says it has notified Apple of the bug, and the developers suggest anyone plagued by the issue can try using a new beta version of the third-party utility Graphic Converter, which includes an option to remove the unwanted empty data from the JPEG files.

Crime

Parolees Are Being Forced To Download Telmate's Guardian App That Listens and Records Every Move (gizmodo.com) 228

XXongo writes: Monitoring parolees released from prison by an app on their smartphone sounds like a good idea, right? The phone has facial recognition and biometric ID, and a GPS system that knows where it is. But what if the app doesn't work? In a story on Gizmodo, the [Telmate Guardian] app's coding is "sloppy" and "irresponsible" and its default privacy settings are wildly invasive, asking for "excessive permissions" to access device data. And the app isn't even accurate on recognizing parolees, nor on knowing location, with one parolee noting that the app set off the high-pitched warning alarm and sent a notification to her parole officer telling him that she was not at home multiple times in the middle of the night, when she was in fact at home and in bed. The device also serves as a covert surveillance bug, with built-in potential to covertly record ambient audio from the phone, even in standby mode -- a feature which is not even legal in many states. "But there's nothing you can do," according to one parolee. "If you don't accept it, then you go back to prison. You're considered their property. That's how they see it."
Mozilla

Firefox Raises Its Bug Bounties to $10,000 (mozilla.org) 5

"We're updating our bug bounty policy and payouts to make it more appealing to researchers and reflect the more hardened security stance we adopted after moving to a multi-process, sandboxed architecture," reports the Mozilla security blog: Besides rewarding duplicate submissions, we're clarifying our payout criteria and raising the payouts for higher impact bugs. Now, sandbox escapes and related bugs will be eligible for a baseline $8,000, with a high quality report up to $10,000. Additionally, proxy bypass bugs are eligible for a baseline of $3,000, with a high quality report up to $5,000...

Additionally, we'll be publishing more posts about how to get started testing Firefox — which is something we began by talking about the HTML Sanitization we rely on to prevent UXSS. By following the instructions there you can immediately start trying to bypass our sanitizer using your existing Firefox installation in less than a minute...

Lastly, we would like to let you know that we have cross-posted this to our new Attack & Defense blog. This new blog is a vehicle for tailored content specifically for engineers, security researchers, and Firefox bug bounty participants.

They point out that Firefox has one of the world's oldest bug bounty programs, dating back to 2004 -- and it's still going strong. "From 2017-2019, we paid out $965,750 to researchers across 348 bugs, making the average payout $2,775 — but as you can see in the graph below, our most common payout was actually $4,000!"
Python

Python 2's Core Devs Say 'Fond Farewell' While Releasing Its Final Version (blogspot.com) 97

This week Python's core developer blog announced the very last production release of Python 2.7. Hackaday reports: The intention was for it to coincide with PyCon 2020, but just like so many of the events planned for the first half of the year, the in-person conference had to be canceled in favor of a virtual one due to the COVID-19 epidemic. That might have stymied the celebration somewhat, but the release of Python 2.7.18 will still be looked on as a special moment for everyone involved.
"Thank you @gutworth for being the 2.7 release manager during 11 long years," Guido van Rossum announced on Twitter.

"It's time for the CPython community to say a fond but firm farewell to Python 2," reads the announcement on the core developer's blog. Python 2.7 has been under active development since the release of Python 2.6, more than 11 years ago. Over all those years, CPython's core developers and contributors sedulously applied bug fixes to the 2.7 branch, no small task as the Python 2 and 3 branches diverged.

There were large changes midway through Python 2.7's life such as PEP 466's feature backports to the ssl module and hash randomization. Traditionally, these features would never have been added to a branch in maintenance mode, but exceptions were made to keep Python 2 users secure. Thank you to CPython's community for such dedication.

Python 2.7 was lucky to have the services of two generations of binary builders and operating system experts, Martin von Löwis and Steve Dower for Windows, and Ronald Oussoren and Ned Deily for macOS. The reason we provided binary Python 2.7 releases for macOS 10.9, an operating system obsoleted by Apple 4 years ago, or why the "Microsoft Visual C++ Compiler for Python 2.7" exists is the dedication of these individuals.

Python 3 would be nowhere without the dedication of the wider community. Library maintainers followed CPython by maintaining Python 2 support for many years but also threw their weight behind the Python 3 statement. Linux distributors chased Python 2 out of their archives. Users migrated hundreds of millions of lines of code, developed porting guides, and kept Python 2 in their brain while Python 3 gained 10 years of improvements.

Finally, thank you to GvR for creating Python 0.9, 1, 2, and 3.

Long live Python 3+!

Security

You Can Now Check If Your ISP Uses Basic Security Measures (wired.com) 28

"Is BGP Safe Yet" is a new site that names and shames internet service providers that don't tend to their routing. From a report: For more than an hour at the beginning of April, major sites like Google and Facebook sputtered for large swaths of people. The culprit wasn't a hack or a bug. It was problems with the internet data routing standard known as the Border Gateway Protocol, which had allowed significant amounts of web traffic to take an unexpected detour through a Russian telecom. For Cloudflare CEO Matthew Prince, it was the last straw. BGP disruptions happen frequently, generally by accident. But BGP can also be hijacked for large-scale spying, data interception, or as a sort of denial of service attack.

[...] On Friday, the company launched Is BGP Safe Yet, a site that makes it easier for anyone to check whether their internet service provider has added the security protections and filters that can make BGP more stable. Those improvements are most effective with wide adoption from ISPs, content delivery networks like Cloudflare, and other cloud providers. Cloudflare estimates that so far about half of the internet is more protected thanks to heavy hitters like AT&T, the Swedish telecom Telia, and the Japanese telecom NTT adopting BGP improvements. And while Cloudflare says it doesn't seem like the Rostelecom incident was intentional or malicious, Russian telecoms do have a history of suspicious BGP meddling, and similar problems will keep cropping up until the whole industry is on board.

Security

Zoom's Security Woes Were No Secret to Business Partners Like Dropbox (nytimes.com) 33

Dropbox privately paid top hackers to find bugs in software by the videoconferencing company Zoom, then pressed it to fix them. From a report: One year ago, two Australian hackers found themselves on an eight-hour flight to Singapore to attend a live hacking competition sponsored by Dropbox. At 30,000 feet, with nothing but a slow internet connection, they decided to get a head start by hacking Zoom, a videoconferencing service that they knew was used by many Dropbox employees. The hackers soon uncovered a major security vulnerability in Zoom's software that could have allowed attackers to covertly control certain users' Mac computers. It was precisely the type of bug that security engineers at Dropbox had come to dread from Zoom, according to three former Dropbox engineers.

Now Zoom's videoconferencing service has become the preferred communications platform for hundreds of millions of people sheltering at home, and reports of its privacy and security troubles have proliferated. Zoom's defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes -- like elementary school classes and family celebrations -- for which it was never intended.

[...] The former Dropbox engineers, however, say Zoom's current woes can be traced back two years or more, and they argue that the company's failure to overhaul its security practices back then put its business clients at risk. Dropbox grew so concerned that vulnerabilities in the videoconferencing system might compromise its own corporate security that the file-hosting giant took on the unusual step of policing Zoom's security practices itself, according to the former engineers, who spoke on the condition of anonymity because they were not authorized to publicly discuss their work. As part of a novel security assessment program for its vendors and partners, Dropbox in 2018 began privately offering rewards to top hackers to find holes in Zoom's software code and that of a few other companies. The former Dropbox engineers said they were stunned by the volume and severity of the security flaws that hackers discovered in Zoom's code -- and troubled by Zoom's slowness in fixing them.

AI

AI Researchers Propose 'Bias Bounties' To Put Ethics Principles Into Practice (venturebeat.com) 47

Researchers from Google Brain, Intel, OpenAI, and top research labs in the U.S. and Europe joined forces this week to release what the group calls a toolbox for turning AI ethics principles into practice. From a report: The kit for organizations creating AI models includes the idea of paying developers for finding bias in AI, akin to the bug bounties offered in security software. This recommendation and other ideas for ensuring AI is made with public trust and societal well-being in mind were detailed in a preprint paper published this week. The bug bounty hunting community might be too small to create strong assurances, but developers could still unearth more bias than is revealed by measures in place today, the authors say.

"Bias and safety bounties would extend the bug bounty concept to AI and could complement existing efforts to better document data sets and models for their performance limitations and other properties," the paper reads. "We focus here on bounties for discovering bias and safety issues in AI systems as a starting point for analysis and experimentation but note that bounties for other properties (such as security, privacy protection, or interpretability) could also be explored."

AI

AI Spots Critical Microsoft Security Bugs 97% of the Time (venturebeat.com) 41

Microsoft claims to have developed a system that correctly distinguishes between security and non-security software bugs 99% of the time, and that accurately identifies the critical, high-priority security bugs on average 97% of the time. From a report: In the coming months, it plans to open-source the methodology on GitHub, along with example models and other resources. Their work suggests that such a system, which was trained on a data set of 13 million work items and bugs from 47,000 developers at Microsoft stored across AzureDevOps and GitHub repositories, could be used to support human experts. It's estimated that developers create 70 bugs per 1,000 lines of code and that fixing a bug takes 30 times longer than writing a line of code, and that in the U.S., $113 billion is spent annually on identifying and fixing product defects. In the course of architecting the model, Microsoft says that security experts approved the training data and that statistical sampling was used to provide those experts a manageable amount of data to review. The data was then encoded into representations called feature vectors and Microsoft researchers designed the system using a two-step process, in which the model first learned to classify security and non-security bugs and then to apply severity labels -- critical, important, low-impact -- to the security bugs.
Twitter

Twitter Accused of Obliterating Its Users' Privacy Choices (eff.org) 102

The EFF's staff technologist, also an engineer on Privacy Badger and HTTPS Everywhere, writes: Twitter greeted its users with a confusing notification this week. "The control you have over what information Twitter shares with its business partners has changed," it said. The changes will "help Twitter continue operating as a free service," it assured. But at what cost?

Twitter has changed what happens when users opt out of the "Allow additional information sharing with business partners" setting in the "Personalization and Data" part of its site. The changes affect two types of data sharing that Twitter does... Previously, anyone in the world could opt out of Twitter's conversion tracking (type 1), and people in GDPR-compliant regions had to opt in. Now, people outside of Europe have lost that option. Instead, users in the U.S. and most of the rest of the world can only opt out of Twitter sharing data with Google and Facebook (type 2).

The article explains how last August Twitter discovered that its option for opting out of device-level targeting and conversion tracking "did not actually opt users out." But after fixing that bug, "advertisers were unhappy. And Twitter announced a substantial hit to its revenue... Now, Twitter has removed the ability to opt out of conversion tracking altogether."

While users in Europe are protected by GDPR, "users in the United States and everywhere else, who don't have the protection of a comprehensive privacy law, are only protected by companies' self-interest..." BoingBoing argues that Twitter "has just unilaterally obliterated all its users' privacy choices, announcing the change with a dialog box whose only button is 'OK.'"
Bug

Soil Gets Its Smell From Bacteria Trying To Attract Invertebrates (newscientist.com) 11

"Soil gets its characteristic earthy smell from certain chemicals produced primarily by soil-dwelling bacteria called Streptomyces," reports New Scientist. But as for why these bacteria produce these odors, researchers at the Swedish University of Agricultural Sciences in Alnarp discovered that the smell seems to attract invertebrates that help the bacteria disperse their spores. From the report: Paul Becher at the Swedish University of Agricultural Sciences in Alnarp and his colleagues set up field traps in woodland containing colonies of Streptomyces. They thought that the smell may act as a signal to other organisms that they are poisonous, because some bacteria like Streptomyces can be toxic. Instead, the smell -- which comes from gases released by Streptomyces, including geosmin and 2-methylisoborneol (2-MIB) -- seems to attract invertebrates that help the bacteria disperse their spores. Becher and his team found that springtails -- tiny cousins of insects -- that feed on Streptomyces were drawn to the traps containing the bacterial colonies, but weren't drawn to control traps that didn't contain Streptomyces. By comparison, insects and arachnids weren't attracted to the traps containing Streptomyces. The findings have been reported in the journal Nature Microbiology.
Nintendo

Nintendo's Animal Crossing Becomes New Hong Kong Protest Ground (bloomberg.com) 11

Nintendo's Animal Crossing has become a place for Hong Kong protesters to congregate without flouting social distancing rules. Bloomberg reports: Animal Crossing is a simulation game where players live on an idyllic tropical island and befriend anthropomorphic animals. Players can customize their islands with in-game illustrating tools and visit each other's islands online. Pro-democracy content created for the game has gone viral on social media, including Twitter. In a tweet last week, one of Hong Kong's most well-known democracy campaigners, Joshua Wong, said he was playing the game and that the movement had shifted online. In one video posted to Twitter, a group of players use bug-catching nets to hit pictures of the city's leader Carrie Lam on a beach in the game. A nearby poster states "Free Hong Kong. Revolution Now."
Bug

Some Users Experiencing System Crashes on macOS 10.15.4, Especially During Large File Transfers (macrumors.com) 58

A sizeable number of Mac users are experiencing occasional system crashes after updating to macOS Catalina version 10.15.4, released a few weeks ago. From a report: The crashing issue appears to be most prominent when users attempt to make large file transfers. In a forum post, SoftRAID described the issue as a bug and said that it is working with Apple engineers on a fix for macOS 10.15.5, or a workaround. SoftRAID said the issue extends to Apple-formatted disks: "There is a serious issue with 10.15.4. It shows up in different scenarios, even on Apple disks but is more likely when there are lots of IO threads. We think it is a threading issue. So while SoftRAID volumes are hit the hardest (it's now hard to copy more than 30GB of data at a time), all systems are impacted by this. In our bug report to Apple, we used a method to reproduce the problem with ONLY Apple formatted disks. Takes longer to reproduce, but that is more likely to get a faster fix to the user base."
Security

A Hacker Found a Way To Take Over Any Apple Webcam (wired.com) 52

An anonymous reader quotes a report from Wired: Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target's webcam and microphone on iOS and macOS devices. Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do was click one malicious link, and an attacker would have been able to spy on them remotely.

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari's list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com and fake://example.com. By "wiggling around," as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari. A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target's webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple's microphone and webcam protections themselves, or even in Safari's defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.