Microsoft

Microsoft Says it Will Release Black Desktop Bug Fix To All Windows 7 Users For Free (betanews.com) 41

Mark Wycislik-Wilson, writing for BetaNews: Some Windows 7 users who installed the KB4534310 update found that their desktops turned black. With the operating system having now reached end of life, the company said that it would only make a fix available to organizations paying for Windows 7 Extended Security Updates (ESU). But Microsoft has changed its mind. It now says that it will make a patch available for all Windows 7 users, addressing the bug introduced by the last ever freely available Windows 7 update. As we reported the other day, Microsoft had already suggested some workarounds for the black desktop problem. The company had said that it was working on a fix that would be released next month: "We are working on a resolution and estimate a solution will be available in mid-February for organizations who have purchased Windows 7 Extended Security Updates (ESU)."
Security

Do Proof-of-Concept Exploits Do More Harm Than Good? (threatpost.com) 37

secwatcher writes: When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.

In fact, almost 60 percent of 230 security pundits thought it was a "good idea" to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn't a good idea.

Dr. Richard Gold, head of security engineering at Digital Shadows, told Threatpost that PoC code makes it easier for security teams to do penetration testing: "Rather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable," Gold told Threatpost. "This ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation." In fact, up to 85 percent of respondents said that the release of PoC code acts as an "effective motivator" to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been "instrumental" in preventing an attack. And, 85 percent of respondents said that a PoC code release is acceptable if a vendor won't fix a bug in a timely manner...

On the flip-side of the argument, many argue that the release of the Citrix PoC exploits was a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they were patched... Matt Thaxton, senior consultant at Crypsis Group, thinks that the "ultimate function of a PoC is to lower the bar for others to begin making use of the exploit... In many cases, PoCs are put out largely for the notoriety/fame of the publisher and for the developer to 'flex' their abilities...."

This issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly-released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: "I believe the release of PoC code functions more like an implied threat to anyone that doesn't patch: 'You'd better patch . . . or else,'" he said. "This kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability."

And Joseph Carson, chief security scientist at Thycotic, tells them "Let's be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them."
Networking

Cisco Warns: Patch This Critical Firewall Bug in Firepower Management Center (zdnet.com) 5

"Cisco is urging customers to update its Firepower Management Center software," ZDNet reported Thursday, "after users informed it of a critical bug that attackers could exploit over the internet." Like many Cisco bugs, the flaw was found in the web-based management interface of its software. The bug has a severity rating of 9.8 out of a possible 10 and means admins should patch sooner rather than later.

The vulnerability is caused by a glitch in the way Cisco's software handles Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. Remote attackers could exploit the flaw by sending specially crafted HTTP requests to the device. Devices are vulnerable if they've been configured to authenticate users of the web interface through an external LDAP server...

How customers should remediate the issue will depend on which release of Firepower Management Center (FMC) they're running. There is no workaround, but hotfix patches are available for several new releases of FMC, and maintenance releases that address the flaw are scheduled for later this year. "Customers may install a fix either by upgrading to a fixed release or by installing a hotfix patch," Cisco notes...

Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues.

This FMC critical flaw follows updates made available earlier this month for three critical flaws affecting Cisco's Data Center Network Manager software. The researcher who reported the flaw has released proof-of-concept exploit code, but Cisco says it is not aware of any malicious use of the flaws.

Mars

Mars Rover Temporarily Froze In Place Following Software Error (extremetech.com) 45

UPDATE (1/25/2018): NASA has successfully unfrozen Curiosity, which will now live to rove another day.

But here's the original report shared by a reader detailing what the concerns were: NASA reports that Curiosity has suffered a system failure that left the robot unaware of its position and attitude on the red planet. Until it recovers, Curiosity is frozen in place. Mars is far enough away that we can't directly control Curiosity in real-time -- the rover gets batches of commands and then carries them out. That means it needs to have precise awareness of the state of all its joints, as well as environmental details like the location of nearby obstacles and the slope of the ground. This vital information ensures the rover doesn't bump anything with its arm or clip large rocks as it rolls along.

Curiosity stores all this attitude data in memory, but something went wrong during operations several days ago. As the rover was carrying out its orders, it suddenly lost track of its orientation. The attitude data didn't add up, so Curiosity froze in place to avoid damaging itself. While the rover is physically stuck in place, it's still in communication with the team here on Earth. Since everything else is working on the rover, NASA was able to develop a set of instructions that should get the rover moving again. When transmitted, the data will inform Curiosity of its attitude and confirm its current state. This should allow the rover to recover and keep performing its safety checks. However, NASA also hopes to gather data on what caused the issue in the first place. The hope is they can avoid another freeze-up in the future.

Music

Sonos CEO Apologizes For Confusion, Says Legacy Products Will Work 'As Long As Possible' (theverge.com) 38

On Tuesday, Sonos announced that come May 2020, a number of its older products will no longer receive software updates. Naturally, this frustrated many longtime customers, prompting Sonos CEO Patrick Spence to issue a statement to try to clear up the confusion. The Verge reports: "We heard you," is how Spence begins the letter to customers. "We did not get this right from the start." Spence apologizes for any confusion and reiterates that the so-called legacy products will "continue to work as they do today." "Many of you have invested heavily in your Sonos systems, and we intend to honor that investment for as long as possible."

Similarly, Spence pledges that Sonos will deliver bug fixes and security patches to legacy products "for as long as possible" -- without any hard timeline. Most interesting, he says "if we run into something core to the experience that can't be addressed, we'll work to offer an alternative solution and let you know about any changes you'll see in your experience." The letter from Sonos' CEO doesn't retract anything that the company announced earlier this week; Spence is just trying to be as clear as possible about what's happening come May. Spence again confirms that Sonos is planning a way for customers to fork any legacy devices they might own off of their main Sonos system with more modern speakers. (Sonos architected its system so that all devices share the same software. Once one product is no longer eligible for updates, the whole setup stops receiving them. This workaround is designed to avoid that problem.)

Windows

German Government To Pay Over $850,000 in Windows 7 ESU Fees This Year (zdnet.com) 54

Running an outdated operating system will cost Germany additional fees. The German federal government stands to pay at least $886,000 this year to Microsoft, according to local media. ZDNet: The sum represents support fees for over 33,000 government workstations that are still running Windows 7, a Microsoft operating system that reached end of support (EoS) on January 14, and for which Microsoft has stopped providing free security updates and bug fixes. Last year, Redmond announced a paid program for governments and enterprise partners. The program, named Windows 7 Extended Security Updates (ESU), provides paid access to Windows 7 security updates until January 10, 2023. ESU updates, for which the German government has recently signed up, cost between $25 and $200 per workstation, depending on the Windows 7 version a company is running (Enterprise or Pro) and the amount of time they'll need the updates.
Communications

Smart Scale Goes Dumb As Under Armour Pulls the Plug On Connected Tech (arstechnica.com) 133

An anonymous reader quotes a report from Ars Technica: Today's example of smart stuff going dumb comes courtesy of Under Armour, which is effectively rendering its fitness hardware line very expensive paperweights. The company quietly pulled its UA Record app from both Google Play and Apple's App Store on New Year's Eve. In an announcement dated sometime around January 8, Under Armour said that not only has the app been removed from all app stores, but the company is no longer providing customer support or bug fixes for the software, which will completely stop working as of March 31.

Under Armour launched its lineup of connected fitness devices in 2016. The trio of trackers included a wrist-worn activity monitor, a smart scale, and a chest-strap-style heart rate monitor. The scale and wristband retailed at $180 each, with the heart monitor going for $80. Shoppers could buy all three together in a $400 bundle called the UA HealthBox. The end of the road is nigh, it seems, and all three products are about to meet their doom as Under Armour kills off Record for good. Users are instead expected to switch to MapMyFitness, which Under Armour bills as "an even better tracking experience." The company also set the UA Record Twitter account to private, effectively taking it offline to anyone except the 133 accounts it follows. Current device owners also can't export all their data. While workout data can be exported and transferred to some other tracking app, Record users cannot capture weight or other historical data to carry forward with them.

Wine

Wine 5.0 Released (bleepingcomputer.com) 60

An anonymous reader quotes a report from BleepingComputer: Wine 5.0 has been released today and contains over 7,400 bug fixes and numerous audio and graphics improvements that will increase performance in gaming on Linux. With the release of Wine 5.0, WineHQ hopes to resolve many of these issues, with the main improvements being:

- Builtin modules in PE format: To make games think Wine is a real Windows environment, most Wine 5.0 modules have been converted into the PE format rather than ELF binaries. It is hoped that this will allow copy-protection and anti-cheat programs to not flag games running under Wine as being modified.
- Multi-monitor support: Multiple display adapters and multi-monitor configurations are now supported under Wine.
- XAudio2 reimplementation: XAudio2 libraries have been added back to Wine and will use the FAudio library for better compatibility.
- Vulkan 1.1 support: "The Vulkan driver supports up to version 1.1.126 of the Vulkan spec."
Here are the release notes, download locations for the binary packages (when available) and source.
Security

Researchers Find Serious Flaws In WordPress Plugins Used On 400K Sites (arstechnica.com) 11

An anonymous reader quotes a report from Ars Technica: Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected. The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks.

The critical flaw in WP Time Capsule also leads to an authentication bypass that allows unauthenticated attackers to log in as an administrator. WP Time Capsule, which runs on about 20,000 sites, is designed to make backing up website data easier. By including a string in a POST request, attackers can obtain a list of all administrative accounts and automatically log in to the first one. The bug has been fixed in version 1.21.16. Sites running earlier versions should update right away. Web security firm WebARX has more details.

The last vulnerable plugin is WP Database Reset, which is installed on about 80,000 sites. One flaw allows any unauthenticated person to reset any table in the database to its original WordPress state. The bug is caused by reset functions that aren't secured by the standard capability checks or security nonces. Exploits can result in the complete loss of data or a site reset to the default WordPress settings. A second security flaw in WP Database Reset causes a privilege-escalation vulnerability that allows any authenticated user -- even those with minimal system rights -- to gain administrative rights and lock out all other users. All site administrators using this plugin should update to version 3.15, which patches both vulnerabilities. Wordfence has more details about both flaws here.

Security

Proof-of-Concept Exploits Published for the Microsoft-NSA Crypto Bug (zdnet.com) 25

Security researchers have published proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that was reported to Microsoft by the US National Security Agency (NSA). From a report: The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS. According to a high-level technical analysis of the bug from cyber-security researcher Tal Be'ery, "the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft's code." According to the NSA, the DHS, and Microsoft, when exploited, this bug (tracked as CVE-2020-0601) can allow an attacker to:

1. Launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections.
2. Fake signatures for files and emails.
3. Fake signed-executable code launched inside Windows.
Bug

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program 4

An anonymous reader quotes a report from VentureBeat: The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes' codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it's significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.
Windows

Cryptic Rumblings Ahead of First 2020 Patch Tuesday (krebsonsecurity.com) 37

Brian Krebs: Sources tell KrebsOnSecurity that Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020. According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates. NSA said on Tuesday that it spotted the vulnerability and reported it to Microsoft. NSA said Microsoft will report later today that it has seen no active exploitation of this vulnerability. NSA's Director of Cybersecurity, Anne Neuberger, says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it "makes trust vulnerable."
Security

Unpatched Citrix Vulnerability Now Exploited, Patch Weeks Away 5

An anonymous reader quotes a report from Ars Technica: On December 16, 2019, Citrix revealed a vulnerability in the company's Application Delivery Controller and Gateway products -- commercial virtual-private-network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw, discovered by Mikhail Klyuchnikov of Positive Technologies, could give an attacker direct access to the local networks behind the gateways from the Internet, without the need for an account or authentication, using a crafted Web request. Citrix has published steps to reduce the risk of the exploit. But these steps, which simply configure a responder to handle requests containing the text that targets the flaw, break under some circumstances and might interfere with access to the administration portal for the gateways by legitimate users. A permanent patch will not be released until January 20. And as of January 12, over 25,000 servers remain vulnerable, based on scans by Bad Packets.

This is not surprising, considering the number of Pulse Secure VPNs that have not yet been patched over six months after a fix was made available, despite Pulse Secure executives saying that they have "worked aggressively" to get customers to patch that vulnerability. And given that vulnerable Pulse Secure servers have been targeted now for ransomware attacks, the same will likely be true for unprotected Citrix VPN servers -- especially since last week, proof-of-concept exploits of the vulnerability began to appear, including at least two published on GitHub, as ZDNet's Catalin Cimpanu reported.
"The vulnerability allows the remote execution of commands in just two HTTP requests, thanks to a directory traversal bug in the implementation of the gateway's Web interface," the report adds. "The attacks use a request for the directory '/vpn/../vpns/' to fool the Apache Web server on the gateway to point to the '/vpns/' directory without authentication. The attacks then inject a command based on the template returned from the first request."

You can check for the vulnerability here.
Bug

This Year's Y2K20 Bug Came Directly From 'A Lazy Fix' to the Y2K Bug (newscientist.com) 160

Slashdot reader The8re still remembers the Y2K bug. Now he shares a New Scientist article explaining how it led directly to this year's Y2020 bug -- which affected more than just parking meters: WWE 2K20, a professional wrestling video game, also stopped working at midnight on 1 January 2020. Within 24 hours, the game's developers, 2K, issued a downloadable fix. Another piece of software, Splunk, which ironically looks for errors in computer systems, was found to be vulnerable to the Y2020 bug in November. The company rolled out a fix to users the same week -- which include 92 of the Fortune 100, the top 100 companies in the US....

The Y2020 bug, which has taken many payment and computer systems offline, is a long-lingering side effect of attempts to fix the Y2K, or millennium, bug. Both stem from the way computers store dates. Many older systems express years using two digits -- 98, for instance, for 1998 -- in an effort to save memory. The Y2K bug was a fear that computers would treat 00 as 1900, rather than 2000. Programmers wanting to avoid the Y2K bug had two broad options: entirely rewrite their code, or adopt a quick fix called "windowing", which would treat all dates from 00 to 20 as from the 2000s, rather than the 1900s. An estimated 80 percent of computers fixed in 1999 used the quicker, cheaper option. "Windowing, even during Y2K, was the worst of all possible solutions because it kicked the problem down the road," says Dylan Mulvin at the London School of Economics....

Another date storage problem also faces us in the year 2038. The issue again stems from Unix's epoch time: the data is stored as a 32-bit integer, which will run out of capacity at 3.14 am on 19 January 2038.
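The two date-storage defects described above, as an added example that is not from the New Scientist article or any of the systems it names: a fixed-pivot "windowing" decoder for two-digit years, a round-trip check that shows the first calendar year the window misreads (the article's pivot of 20 is the default; the pivot is a parameter so other windows can be tested), and the signed 32-bit Unix-time limit that produces the 2038 rollover. All dates and field values are constructed for the demonstration.

```python
"""Windowing and 32-bit epoch time, demonstrated with constructed inputs."""
from datetime import date, datetime, timezone

PIVOT = 20  # last two-digit year still read as 20yy (value taken from the article's description)


def window_year(yy: int, pivot: int = PIVOT) -> int:
    """Expand a two-digit year with a fixed pivot: 00..pivot -> 20yy, pivot+1..99 -> 19yy."""
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy <= pivot else 1900 + yy


def encode_yymmdd(d: date) -> str:
    """Store a date in a legacy six-digit YYMMDD field (the century is simply dropped)."""
    return f"{d.year % 100:02d}{d.month:02d}{d.day:02d}"


def parse_yymmdd(field: str, pivot: int = PIVOT) -> date:
    """Read a YYMMDD field back the way a windowed system does."""
    if len(field) != 6 or not field.isdigit():
        raise ValueError("YYMMDD expected")
    yy, mm, dd = int(field[:2]), int(field[2:4]), int(field[4:])
    return date(window_year(yy, pivot), mm, dd)


def round_trips(d: date, pivot: int = PIVOT) -> bool:
    """True if storing `d` in YYMMDD and reading it back yields the same date."""
    return parse_yymmdd(encode_yymmdd(d), pivot) == d


def first_misread_year(pivot: int = PIVOT) -> int:
    """The first real year a fixed window gets wrong: the year after the window closes.

    A date in 2000 + pivot + 1 is stored as pivot + 1 and read back as 19(pivot + 1),
    so the 'fix' has only moved the Y2K failure to the end of the window.
    """
    return 2000 + pivot + 1


INT32_MIN, INT32_MAX = -(2**31), 2**31 - 1


def to_time_t32(dt: datetime) -> int:
    """Store a UTC datetime as a signed 32-bit Unix time; raise if it does not fit."""
    secs = int(dt.timestamp())
    if not INT32_MIN <= secs <= INT32_MAX:
        raise OverflowError("does not fit in a signed 32-bit time_t")
    return secs


def wrap_int32(secs: int) -> int:
    """What a signed 32-bit counter holds after being incremented past INT32_MAX: it wraps negative."""
    return ((secs - INT32_MIN) % 2**32) + INT32_MIN


def y2038_rollover() -> datetime:
    """The last instant a signed 32-bit Unix time can represent (2038-01-19 03:14:07 UTC)."""
    return datetime.fromtimestamp(INT32_MAX, tz=timezone.utc)


def one_second_later() -> datetime:
    """Where a wrapped 32-bit counter lands one second after the rollover (back in 1901)."""
    return datetime.fromtimestamp(wrap_int32(INT32_MAX + 1), tz=timezone.utc)


if __name__ == "__main__":
    for d in (date(1998, 6, 1), date(2020, 12, 31), date(2021, 1, 1)):
        print(encode_yymmdd(d), "->", parse_yymmdd(encode_yymmdd(d)), "ok" if round_trips(d) else "MISREAD")
    print("window with pivot", PIVOT, "first fails in", first_misread_year())
    print("32-bit time_t ends at", y2038_rollover(), "then wraps to", one_second_later())
```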

Facebook

A Facebook Bug Exposed Anonymous Admins of Pages (wired.com) 17

An anonymous reader quotes a report from Wired: Facebook Pages give public figures, businesses, and other entities a presence on Facebook that isn't tied to an individual profile. The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can't see, for example, the names of the people who post to Facebook on WIRED's behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one. All software has flaws, and Facebook quickly pushed a fix for this one -- but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves.

Facebook says the bug was the result of a code update that it pushed Thursday evening. Facebook points out that no information beyond a name and public profile link were available, but that information isn't supposed to appear in the edit history at all. And for people, say, running anti-regime Pages under a repressive government, making even that much information public is plenty alarming.

Mozilla

Mozilla Says a New Firefox Security Bug is Under Active Attack (techcrunch.com) 68

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in "targeted attacks" against users. From a report: The vulnerability, found by Chinese security company Qihoo 360, lies in Firefox's just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer. In practical terms, that means an attacker can quietly break into a victim's computer by tricking the victim into accessing a website running malicious JavaScript code. But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.
Security

Starbucks Devs Leave API Key in GitHub Public Repo (bleepingcomputer.com) 26

"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," reports Bleeping Computer: Vulnerability hunter Vinoth Kumar reported the oversight on October 17, and close to three weeks later Starbucks responded that it demonstrated "significant information disclosure" and that it qualified for a bug bounty... Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.

Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250 and $375. The company has resolved 834 reports since launching the bug bounty program in 2016, and 369 of them were reported in the past three months. For those, Starbucks paid out $40,000.

Education

How Should Students Respond To Their School's Surveillance Systems? (gizmodo.com.au) 138

Hundreds of thousands of American students are being tracked by their colleges to monitor attendance, analyze behavior and assess their mental health, the Washington Post reported this week. That article has now provoked some responses...

Jay Balan, chief security researcher at Bitdefender, told Gizmodo that the makers of the student-tracking apps should at least offer bug bounties and disclose their source code -- while rattling off easily foreseeable scenarios like the stalking of students. Gizmodo notes one app's privacy policy actually allows them to "collect or infer" students' approximate location -- even when students have turned off location tracking -- and allows third parties to "set and access their own tracking technologies on your devices."

And cypherpunk Lance R. Vick tweeted in response to the article, "If you are at one of these schools asking you to install apps on your phone to track you, hit me up for some totally hypothetical academic ideas..."

Gizmodo took him up on his offer -- and here's a bit of what he said: Students could reverse engineer the app to develop their own app beacon emulators to tell the tracking beacons that all students are present all the time. They could also perhaps deploy their own rogue tracking beacons to publish the anonymised attendance data for all students to show which teachers are the most boring as evidenced by lack of attendance. If one was hypothetically in an area without laws against harmful radio interference (like outside the U.S.) they could use one of many devices on the market to disrupt all Bluetooth communications in a target area so no one gets tracked... If nothing else, you could potentially just find a call in the API that takes a bit longer to come back than the rest. This tells you it takes some amount of processing on their side. What happens if you run that call a thousand times a second? Or only call it partway over and over again? This often brings poorly designed web services to a halt very quickly...

Assuming explorations on the endpoints like the phone app or beacon firmware fail you could still potentially learn useful information exploring the wireless traffic itself using popular SDR tools like a HackRF, Ubertooth, BladeRF. Here you potentially see how often they transmit, what lives in each packet, and how you might convert your own devices, perhaps a Raspberry Pi with a USB Bluetooth dongle, to be a beacon of your own.

Anyone doing this sort of thing should check their local and federal laws and approach it with caution. But these exact sorts of situations can, for some, be the start of a different type of education path -- a path into security research. Bypassing annoying digital restrictions at colleges was a part of how I got my start, so maybe a new generation can do similar. :)

Gizmodo calls his remarks "hypothetical hacking that you (a student with a bright future who doesn't want any trouble) should probably not do because you might be breaking the law."

But then how should students respond to their school's surveillance systems?
Transportation

Mazda3 Bug Activates Emergency Brake System For No Reason (engadget.com) 55

Mazda says "incorrect programming" in its Smart Braking System (SBS) can make fourth-generation Mazda 3 vehicles falsely detect an object in their path and automatically apply the brakes while driving. "The problem affects 35,390 2019 and 2020 model year cars in the U.S., but Mazda says it is not aware of any injuries or deaths as a result of the defect," reports Engadget. From the report: If the issue occurs, the driver will notice because their car has suddenly stopped, and also because an alarm sounds and a message is displayed on the in-car warning screen. Some Reddit posters report experiencing situations of the system activating while driving with nothing around, and note that while the system can be disabled, it appears to re-enable itself every time the car starts.

Autoblog reports that while some vehicles will simply need to have the system updated or reprogrammed, certain cars with early build dates might need to have their entire instrument cluster replaced or reprogrammed. It's a scary issue, but we've seen Mazda update its cars' software to deal with real-life bugs, and the newly-redesigned Mazda3 has already seen a recall to make sure its wheels don't fall off.

Bug

A Twitter App Bug Was Used To Match 17 Million Phone Numbers To User Accounts (techcrunch.com) 5

Security researcher Ibrahim Balic said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app. TechCrunch reports: Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch. He said Twitter's contact upload feature doesn't accept lists of phone numbers in sequential format -- likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)

Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked the effort on December 20. Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users -- including politicians and officials -- to a WhatsApp group in an effort to warn users directly.
A Twitter spokesperson told TechCrunch the company was working to "ensure this bug cannot be exploited again."

"Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs," the spokesperson said.
