An anonymous reader quotes a report from Ars Technica: Google and Intel are warning of a high-severity Bluetooth flaw in all but the most recent version of the Linux Kernel. While a Google researcher said the bug allows seamless code execution by attackers within Bluetooth range, Intel is characterizing the flaw as providing an escalation of privileges or the disclosure of information. The flaw resides in BlueZ, the software stack that by default implements all Bluetooth core protocols and layers for Linux. Besides Linux laptops, it's used in many consumer or industrial Internet-of-things devices. It works with Linux versions 2.4.6 and later. So far, little is known about BleedingTooth, the name given by Google engineer Andy Nguyen, who said that a blog post will be published "soon." A Twitter thread and a YouTube video provide the most detail and give the impression that the bug provides a reliable way for nearby attackers to execute malicious code of their choice on vulnerable Linux devices that use BlueZ for Bluetooth.

Intel, meanwhile, has issued this bare-bones advisory that categorizes the flaw as privilege-escalation or information-disclosure vulnerability. The advisory assigned a severity score of 8.3 out of a possible 10 to CVE-2020-12351, one of three distinct bugs that comprise BleedingTooth. "Potential security vulnerabilities in BlueZ may allow escalation of privilege or information disclosure," the advisory states. "BlueZ is releasing Linux kernel fixes to address these potential vulnerabilities." Intel, which is a primary contributor to the BlueZ open source project, said that the most effective way to patch the vulnerabilities is to update to Linux kernel version 5.9, which was published on Sunday. Those who can't upgrade to version 5.9 can install a series of kernel patches the advisory links to. Maintainers of BlueZ didn't immediately respond to emails asking for additional details about this vulnerability. Ars Technica points out that since BleedingTooth requires proximity to a vulnerable device, there's not much reason for people to worry about this vulnerability. "It also requires highly specialized knowledge and works on only a tiny fraction of the world's Bluetooth devices," it adds.

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. The Register reports: This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora says. Exploiting this security hole is non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today's gizmos. "The backdoor itself is not a vulnerability," said infosec pros Harrison Sand and Erlend Leiknes in a report on Monday. "It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch."

The researchers suggest these smartwatches could be used to capture photos covertly from its built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has actually been done. The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity (with an associated phone number). Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch. Xplora contends the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and Norwegian Consumer Council in 2017 for assorted security and privacy concerns.

With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot. Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to those to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools. This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing or opportunistic miscreants attacking gizmos in the wild, though it is an issue for persons of interest. It also highlights the kind of code left lingering in mass-market devices.

A security flaw in a hi-tech chastity belt for men made it possible for hackers to remotely lock all the devices in use simultaneously. The BBC reports: Qiui's Cellmate Chastity Cage is sold online for about $190 and is marketed as a way for owners to give a partner control over access to their body. Pen Test Partners believe about 40,000 devices have been sold based on the number of IDs that have been granted by its Guangdong-based creator. The cage wirelessly connects to a smartphone via a Bluetooth signal, which is used to trigger the device's lock-and-clamp mechanism. But to achieve this, the software relies on sending commands to a computer server used by the manufacturer.

The security researchers said they discovered a way to fool the server into disclosing the registered name of each device owner, among other personal details, as well as the co-ordinates of every location from where the app had been used. In addition, they said, they could reveal a unique code that had been assigned to each device. These could be used to make the server ignore app requests to unlock any of the identified chastity toys, they added, leaving wearers locked in.

The sex toy's app has been fixed by its Chinese developer after a team of UK security professionals flagged the bug. They have also published a workaround. This could be useful to anyone still using the old version of the app who finds themselves locked in as a result of an attacker making use of the revelation. Any other attempt to cut through the device's plastic body poses a risk of harm.

Apple has confirmed several problems including "increased battery drain" for some users who upgraded their iPhone to iOS 14. But ZDNet warns Apple's proposed solution "sounds pretty drastic."

Forbes reports: In an official post, Apple reveals seven significant data and battery-related problems with iOS 14 and watchOS 7, and the company states the only fix is to "erase all content and settings from your iPhone".

Breaking these down, Apple classifies six as related to its Activity, Health and Fitness apps as well as the broader problem of "Increased battery drain on your iPhone or Apple Watch." The latter will not be a surprise to anyone who has seen the growing number of complaints directed at the company's @AppleSupport Twitter account since iOS 14 was released...

On the plus side, Apple's belief that these problems can be fixed without an iOS update is good news. That said, a complete data wipe is also the nuclear option, so Apple is not messing around... I would also be amazed if iOS 14.0.2 is not being fast tracked as we speak.

"Hello Chrome OS Community," posted one of Google's community managers Wednesday. "Thank you for raising this issue, and for your patience as we work to resolve this. Our team has identified the issue and is rolling out a fix to affected devices."

The issue? ChromeOS users reported the latest updates "cause a Google Play Store service to utilize 100 percent of their CPUs..." according to TechRadar, "making their devices hot and leading to performance issues." As reported by BleepingComputer, after upgrading their devices to ChromeOS version 85.0.4183.108 and later users have faced a number of issues including apps that are running erratically, devices getting hot, fans running at high speed and batteries draining much too quickly. Upon investigating these issues further, users discovered that they were caused by the Google Play 'com.android.vending:download_service' utilizing 95 to 100 percent of their devices CPU for an extended period. This service is used to download new updates from the Google Play Store when they become available. However, a bug in the service causes the CPU to run at 100 percent power all of the time even when a new update is not available.
Bleeping Computer reported last Sunday that the issues didn't affect all Chromebooks, but was reported by users of Acer Chromebooks, ASUS Chromebook Flip, and Galaxy Chromebooks. "One user stated they resolved this issue by rolling back to an older Google Play Store version."

"Google is hiring to create a special Android security team that will be tasked with finding vulnerabilities in highly sensitive apps on the Google Play Store," reports ZDNet: "As a Security Engineering Manager in Android Security... Your team will perform application security assessments against highly sensitive, third party Android apps on Google Play, working to identify vulnerabilities and provide remediation guidance to impacted application developers," reads a new Google job listing posted on Wednesday.

Applications that this new team will focus on include the likes of COVID-19 contact tracing apps and election-related applications, with others to follow, according to Sebastian Porst, Software Engineering Manager for Google Play Protect.

"Anyone can access portions of a web portal used by law enforcement to request customer data from Amazon," reports TechCrunch, "even though the portal is supposed to require a verified email address and password..." Only time sensitive emergency requests can be submitted without an account, but this requires the user to "declare and acknowledge" that they are an authorized law enforcement officer before they can submit a request.

The portal does not display customer data or allow access to existing law enforcement requests. But parts of the website still load without needing to log in, including its dashboard and the "standard" request form used by law enforcement to request customer data... Assuming this was a bug, we sent Amazon several emails prior to publication but did not hear back...

Motherboard reported a similar issue earlier this month that allowed anyone with an email address to access law enforcement portals set up by Facebook and WhatsApp.

"Mozilla has fixed a bug that can be abused to hijack all the Firefox for Android browsers on the same Wi-Fi network and force users to access malicious sites, such as phishing pages," reports ZDNet: The bug was discovered by Chris Moberly, an Australian security researcher working for GitLab. The actual vulnerability resides in the Firefox SSDP component. SSDP stands for Simple Service Discovery Protocol and is the mechanism through which Firefox finds other devices on the same network in order to share or receive content (i.e., such as sharing video streams with a Roku device).

When devices are found, the Firefox SSDP component gets the location of an XML file where that device's configuration is stored. However, Moberly discovered that in older versions of Firefox, you could hide Android "intent" commands in this XML and have the Firefox browser execute the "intent," which could be a regular command like telling Firefox to access a link...

The bug was fixed in Firefox 79; however, many users may not be running the latest release. Firefox for desktop versions were not impacted.

The supermassive black hole at the center of the M87 galaxy has a shadow crescent that moves, like a dancer in the dark. From a report: Over a year ago, scientists unleashed something incredible on the world: the first photo of a black hole ever taken. By putting together radio astronomy observations made with dishes across four continents, the collaboration known as the Event Horizon Telescope managed to peer 53 million light-years away and look at a supermassive black hole, which is 6.5 million times the mass of the sun and sits at the center of the galaxy Messier 87 (M87). The fiery historic image showed off a bright crescent of ultra-hot gas and debris orbiting the black hole's event horizon, the pitch-black central point-of-no-return that traps anything that goes over, even light. The EHT team had just made one of the most impressive achievements in the history of astronomy, but this was only the beginning. On Wednesday, members of the EHT collaboration published new findings in the Astrophysical Journal about M87's supermassive black hole (known as M87*), revealing two new major insights.

First, the shadow diameter of the event horizon doesn't change over time, which is exactly what Einstein's theory of general relativity predicts for a supermassive black hole of M87*'s size. However, the second insight is that the bright crescent adorning this shadow is far from stable: it wobbles. There's so much turbulent matter surrounding M87* that it makes sense the crescent would bug out and get fidgety. But the fact that we can watch it over time means we now have an established method for studying the physics of one of the most extreme kinds of environment in the entire universe.

Users have found a major bug in Apple's iOS 14 iPhone software. The free software upgrade, which Apple made publicly available last week, includes features many users had long asked for, such as better ways to organize apps, living programs called widgets on the home screen, and the ability to change which default apps the phone uses to browse the web or send an email. That last one doesn't appear to work. From a report: A growing chorus of Twitter users has been posting about the bug in Apple's default email and default web browser options. What happens is that whenever they set the default browser to Google's Chrome, for example, it works as expected, and tapping any link in an app or browser will open Chrome on the iPhone. But then if they restart the phone, iOS 14 changes that default back to Apple's Safari. "We are aware of an issue that can impact default email and browser settings in iOS 14 and iPadOS 14. A fix will be available to users in a software update," Apple said in a statement.

An anonymous reader quotes ZDNet: Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of deaths (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login... It's the same as Lenovo's earlier workaround but comes with a stern security warning from Microsoft.

Microsoft also explains how Lenovo Vantage violates Microsoft's security controls in Windows.

Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft. The workaround also affects some of Microsoft's latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard. "This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk," Microsoft states....

The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn't said when that will be available.

An anonymous reader quotes a report from MacRumors: Apple in iOS 14 added Picture in Picture to the iPhone, a feature designed to let you watch a video in a small screen on your device while you continue to do other things on the phone. The YouTube app doesn't support Picture in Picture, but up until yesterday there was a functional workaround that allowed videos from YouTube.com to be watched in Safari in Picture in Picture mode. As of today, that workaround is gone, and it's not clear if it's a bug or a deliberate removal. Attempting to use Picture in Picture on a video on the mobile YouTube website simply doesn't work. Tapping the Picture in Picture button when in full screen mode pops the video out for a second, but it immediately pops back into the website, so it can't be used as a Picture in Picture window. [...] Picture in Picture appears to work on the mobile YouTube website in Safari for those who are YouTube Premium subscribers, which suggests that the restriction is intentional and not a bug.

Facebook is again being sued for allegedly spying on Instagram users, this time through the unauthorized use of their mobile phone cameras. Bloomberg reports: The lawsuit springs from media reports in July that the photo-sharing app appeared to be accessing iPhone cameras even when they weren't actively being used. Facebook denied the reports and blamed a bug, which it said it was correcting, for triggering what it described as false notifications that Instagram was accessing iPhone cameras.

In the complaint filed Thursday in federal court in San Francisco, New Jersey Instagram user Brittany Conditi contends the app's use of the camera is intentional and done for the purpose of collecting "lucrative and valuable data on its users that it would not otherwise have access to." By "obtaining extremely private and intimate personal data on their users, including in the privacy of their own homes," Instagram and Facebook are able to collect "valuable insights and market research," according to the complaint.

An anonymous reader writes: Researchers have developed and published a proof-of-concept exploit for a recently patched Windows vulnerability that can allow access to an organization's crown jewels -- the Active Directory domain controllers that act as an all-powerful gatekeeper for all machines connected to a network.

CVE-2020-1472, as the vulnerability is tracked, carries a critical severity rating from Microsoft as well as a maximum of 10 under the Common Vulnerability Scoring System. Exploits require that an attacker already have a foothold inside a targeted network, either as an unprivileged insider or through the compromise of a connected device. However, when this condition is met, it's literally game over for the attacked company, as an attacker can hijack its entire network within three seconds by leveraging a bug in the Netlogon authentication protocol cryptography by adding zero characters in certain Netlogon authentication parameters, bypassing authentication procedures and then changing the password for the DC server itself. The technical report from Secura B.V., a Dutch security firm, is available here.

schwit1 shares a report from TechCrunch: A privacy bug in Democratic presidential candidate Joe Biden's official campaign app allowed anyone to look up sensitive voter information on millions of Americans, a security researcher has found. The campaign app, Vote Joe, allows Biden supporters to encourage friends and family members to vote in the upcoming U.S. presidential election by uploading their phone's contact lists to see if their friends and family members are registered to vote. The app uploads and matches the user's contacts with voter data supplied from TargetSmart, a political marketing firm that claims to have files on more than 191 million Americans.

When a match is found, the app displays the voter's name, age and birthday, and which recent election they voted in. This, the app says, helps users find people you know and encourage them to get involved." While much of this data can already be public, the bug made it easy for anyone to access any voter's information by using the app. The App Analyst, a mobile expert who detailed his findings on his eponymous blog, found that he could trick the app into pulling in anyone's information by creating a contact on his phone with the voter's name. The Biden campaign fixed the bug and pushed out an app update on Friday.

"We were made aware about how our third-party app developer was providing additional fields of information from commercially available data that was not needed," Matt Hill, a spokesperson for the Biden campaign, told TechCrunch. "We worked with our vendor quickly to fix the issue and remove the information. We are committed to protecting the privacy of our staff, volunteers and supporters will always work with our vendors to do so."

This week Krebs on Security reported that Microsoft "released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software." None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users. The majority of the most dangerous or "critical" bugs deal with issues in Microsoft's various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server. "That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," said Dustin Childs, of Trend Micro's Zero Day Initiative. "We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We'll likely see this one in the wild soon. This should be your top priority."

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that's been exploited for cybercriminal gains since April 2019.
The article points out that Google also shipped a critical update for Chrome this week "that resolves at least five security flaws that are rated high severity."

A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they're using cryptographic code in an unsafe way. From a report: Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019. Researchers say the tool, which checked for 26 basic cryptography rules (mentioned in the source story), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.

"A few years ago, a hacker managed to exploit vulnerabilities in Tesla's servers to gain access and control over the automaker's entire fleet," remembers Electrek (in a story shared by long-time Slashdot reader AmiMoJo).

Tesla enthusiast Jason Hughes had already received a $5,000 bug bounty for reporting a vulnerability, but "knowing that their network wasn't the most secure, to say the least, he decided to go hunting for more bug bounties." After some poking around, he managed to find a bunch of small vulnerabilities. The hacker told Electrek, "I realized a few of these things could be chained together, the official term is a bug chain, to gain more access to other things on their network. Eventually, I managed to access a sort of repository of server images on their network, one of which was 'Mothership'." Mothership is the name of Tesla's home server used to communicate with its customer fleet.

Any kind of remote commands or diagnostic information from the car to Tesla goes through "Mothership." After downloading and dissecting the data found in the repository, Hughes started using his car's VPN connection to poke at Mothership. He eventually landed on a developer network connection. That's when he found a bug in Mothership itself that enabled him to authenticate as if it was coming from any car in Tesla's fleet.

All he needed was a vehicle's VIN number, and he had access to all of those through Tesla's "tesladex" database thanks to his complete control of Mothership, and he could get information about any car in the fleet and even send commands to those cars.
Last week Hughes released an annotated version of the bug report he'd submitted to Tesla. "Hughes couldn't really send Tesla cars driving around everywhere..." reports Electrek, "but he could 'Summon' them..." Telsa gave him a special $50,000 bug report reward — several times higher than their usual maximum — and "used the information provided by Hughes to secure its network."

Electrek calls it "a good example of the importance of whitehat hackers."

Apple on Monday announced that its new App Store appeals process, first revealed at WWDC in June, is now live, meaning developers can challenge Apple over whether their app is in fact violating one of its guidelines. In addition to that, Apple says developers can also suggest changes to the App Store guidelines through a form submission on its online developer portal. From a report "For apps that are already on the App Store, bug fixes will no longer be delayed over guideline violations except for those related to legal issues. You'll instead be able to address guideline violations in your next submission," reads a note posted to Apple's developer website. "And now, in addition to appealing decisions about whether an app violates guidelines, you can suggest changes to the guidelines." These changes were introduced at WWDC on the heels of a rather public feud with software maker Basecamp, the creator of a new email service called Hey. Basecamp openly challenged Apple over whether it could distribute an iOS companion app to its email service without including in-app sign-up options, as Hey costs $99 a year and Basecamp felt it unnecessary to give Apple its standard 30 percent cut of that revenue (although Apple does only take 15 percent of in-app subscription revenue after one year of service). Apple, in response, held up the company's bug fixes and update capability.

An anonymous reader shares a report: Windows 10 May 2020 Update, otherwise known as version 2004, was released in May with at least ten known issues. Microsoft later expanded the list of the problems and acknowledged that this feature update is also plagued with a bug that breaks Drive Optimize tool. After upgrading to Windows 10 version 2004, users observed that Optimize Drives (also known as defragmentation tool) is not correctly recording the last time a drive has been optimized. As a result, when you open the tool, you will see that your SSD drive says it 'Needs Optimization' even though you've manually optimized the drives already or automatic maintenance was run this morning. Since the last optimizations times are forgotten, Windows 10's built-in maintenance tool started defragging an SSD drive much more often when you restart Windows. With Windows 10 Build 19042.487 (20H2) for Insiders, Microsoft has finally resolved all problems with the Optimize Drives (also known as defragmentation tool).