Security

6 In 10 Websites May Be Impacted by jQuery XSS Vulnerabilities (i-programmer.info) 25

"Although the JavaScript library jQuery is no longer as popular as it was, it is still widely used. As a result at least six in ten websites are impacted by jQuery XSS vulnerabilities," reports I Programmer: Even more security issues are introduced by the jQuery libraries used to extend jQuery's capabilities. These findings come from the open source security platform Snyk and are included in "The state of JavaScript frameworks security report 2019". While this report is mainly devoted to a security review of the two leading JavaScript frameworks, Angular and React, it takes a "sneak peek" into the security vulnerabilities in three other frontend JavaScript ecosystem projects - Vue.js, Bootstrap and jQuery.

jQuery was downloaded more than 120 million times in the last 12 months, which is equivalent to the number of downloads for Vue.js (40 million) and Bootstrap (79 million) combined. Snyk reports that four vulnerabilities had been found for Vue.js, all of which have been fixed. Bootstrap contained seven cross-site scripting (XSS) vulnerabilities. Three of these were disclosed in 2019 and there are no security fixes or upgrade paths to avoid them. In the case of jQuery, Snyk tracked six security vulnerabilities affecting jQuery across all of its releases to date. Four are medium severity Cross-Site Scripting vulnerabilities, one is a medium severity Prototype Pollution vulnerability, and the final one is a low severity Denial of Service vulnerability.

The report concludes that unless you are using jQuery 3.4.0 and above then you are using vulnerable jQuery versions.

Firefox

Scammers Are Actively Exploiting A Firefox Bug (arstechnica.com) 26

Long-time Slashdot reader slack_justyb shares this story from Ars Technica: Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked... The message then advises the person to call a toll-free number in the next five minutes or face having the computer disabled...

Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said the Firefox bug is being exploited by several sites... On Monday, Segura reported the bug to the Bugzilla forum. He said he has since received word Mozilla is actively working on a fix. In a statement sent seven hours after this post went live, a Mozilla representative wrote: "We are working on a fix to the authentication prompt bug that we expect to land in the next couple of releases (either in Firefox 71 or 72)."

Communications

A Ton of People Received Text Messages Overnight That Were Originally Sent on Valentine's Day (theverge.com) 82

Something strange is happening with text messages in the US right now. Overnight, a multitude of people received text messages that appear to have originally been sent on or around Valentine's Day 2019. From a report: These people never received the text messages in the first place; the people who sent the messages had no idea that they had never been received, and they did nothing to attempt to resend them overnight. Delayed messages were sent from and received by both iPhones and Android phones, and the messages seem to have been sent and received across all major carriers in the US. Many of the complaints involve T-Mobile or Sprint, although AT&T and Verizon have been mentioned as well. People using regional US carriers, carriers in Canada, and even Google Voice also seem to have experienced delays. At fault seems to be a system that multiple cell carriers use for messaging. A Sprint spokesperson said a "maintenance update" last night caused the error.
The Almighty Buck

A Glitch in Robinhood App is Allowing Users To Trade Stocks With Excess Borrowed Funds, Giving Them Access To What Amounts To Free Money (bloomberg.com) 68

Dubbed the "infinite money cheat code" by users of Reddit's WallStreetBets forum, the bug is being exploited, according to users on the forum. One trader bragged about a $1 million position funded by a $4,000 deposit. From a report: Robinhood is "aware of the isolated situations and communicating directly with customers," spokesperson Lavinia Chirico said in an email response to questions. The Menlo Park, California-based money-management software designer touts trading "free from commission fees." Robinhood Gold customers are invited to "supercharge" their investing by paying $5 a month to trade on margin, or money borrowed from the company. Here's how the trade works. Users of Robinhood Gold are selling covered calls using money borrowed from Robinhood. Nothing wrong with that. The problem arises when Robinhood incorrectly adds the value of those calls to the user's own capital. And that means that the more money a user borrows, the more money Robinhood will lend them for future trading. One trader managed to turn his $2,000 deposit into $50,000 worth of purchasing power, which he used to buy Apple puts.
Security

Android Bug Lets Hackers Plant Malware Via NFC Beaming (zdnet.com) 14

An anonymous reader quotes a report from ZDNet: Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth. Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source. But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

The CVE-2019-2114 bug resided in the fact that the Android Beam app was also whitelisted, receiving the same level of trust as the official Play Store app. Google said this wasn't meant to happen, as the Android Beam service was never meant as a way to install applications, but merely as a way to transfer data from device to device. The October 2019 Android patches removed the Android Beam service from the OS whitelist of trusted sources. However, many millions of users remain at risk. If users have the NFC service and the Android Beam service enabled, a nearby attacker could plant malware (malicious apps) on their phones.
Since most newly-sold devices have the NFC feature enabled by default, you'll have to disable Android Beam and NFC or update your phone to receive the October 2019 security updates if you want to protect yourself from this bug.
Microsoft

Microsoft Announces It's Ready to Contribute to OpenJDK (jaxenter.com) 62

"In a message to the OpenJDK community, Bruno Borges announced that Microsoft has now formally signed the Oracle Contributor Agreement and has been welcomed to the Java community," reports JAXenter: He went on to reaffirm Microsoft's commitment to Java and that the team is looking forward to giving something back to the Java community. However, the team will not just barge in with a heavy hand, but will start with smaller bug fixes and the like so they can learn how to be "good citizens within OpenJDK."

Borges, himself a former Oracle developer, is Principal Product Manager for Java at Microsoft. He presents Martijn Verburg as the Java engineering team lead who will be working together along with other partners in the Java ecosystem. Verburg is also CEO of jClarity, a leading AdoptOpenJDK contributor acquired by Microsoft in August this year, so presumably he will stay true to form and continue to contribute to the Java world, only now with Microsoft at his back...

Microsoft's acquisition of jClarity was just the latest in their efforts to gain a foothold in the Java community. There are many Java developers and Java champions who now practice their trade under Microsoft's banner... At JAX London a few weeks ago, Program Chair Sebastian Meyen opened the conference by giving a speech in which he said "Microsoft is now a Java shop". He sees this as a great development, as "it's always good when industry giants stand behind Java."

Security

Google Discloses Chrome Zero-Day Exploited in the Wild (zdnet.com) 17

Yesterday, on late Halloween night, Google engineers delivered the best scare of the evening and released an urgent update for the Chrome browser to patch an actively exploited zero-day. From a report: "Google is aware of reports that an exploit for CVE-2019-13720 exists in the wild," Google engineers said in a blog post announcing the new v78.0.3904.87 release. The actively-exploited zero-day was described as a use-after-free bug in Chrome's audio component. Use-after-free vulnerabilities are memory corruption bugs that occur when an application tries to reference memory that was previously assigned to it but has been freed or deleted in the meantime. This usually causes a program to crash, but can also sometimes lead to other, unintended consequences, such as code execution scenarios. Google credited Anton Ivanov and Alexey Kulaev, two malware researchers from Kaspersky, with reporting the issue. According to a blog post published after this article's publication, Kaspersky said the zero-day was being used to install malware on user devices. It was being deployed on user devices via a Korean-language news portal.
Bug

Complaints Mounting About iOS 13.2 Being 'More Aggressive at Killing Background Apps and Tasks' (macrumors.com) 52

Apple's iOS 13 has had a rocky start since its release last month, with it being among the most buggy Apple software releases in recent memory. Now, iPhone owners are complaining of yet another issue that may be bug-related. From a report: A growing number of iPhone and iPad users have complained about poor RAM management on iOS 13 and iPadOS 13, leading to apps like Safari, YouTube, and Overcast reloading more frequently upon being reopened. We've lightly edited some of the comments to correct things like capitalization.
Software

Apple App Store Bug Reportedly Erases Over 20 Million App Ratings In a Week (techcrunch.com) 10

A bug in Apple's App Store removed more than 20 million ratings from apps both big and small. "The issue began on October 23, 2019 and wasn't resolved until yesterday, October 29," reports TechCrunch. "Apple hasn't yet explained how such a sizable and impactful change to app ratings occurred." From the report: This massive ratings drop was spotted by the mobile app insights platform Appfigures. The firm found that more than 300 apps from over 200 developers were affected by the sweep, which wiped out a total of 22 million app reviews from the App Store. On average, apps saw a 50% decrease in ratings in the affected countries, which included the U.S.

The U.S. was hit the hardest, however, as some 10 million ratings disappeared. But the sweep was global in nature, hitting all 155 countries Apple supports. China, the U.K., South Korea, Russia and Australia also felt a noticeable impact. A few apps were hit harder than others. Hulu, for example, lost a whopping 95% of ratings in the U.S., while Dropbox and Chase lost 85%. Several companies affected by the bug declined to comment, but told us that the rating removals weren't done at their request -- they were just as surprised as everyone else. Of the more than 300 apps that got hit, about half (154) saw a drop of more than 100 ratings, Appfigures said.
Some of the impacted companies (and Appfigures) confirmed to TechCrunch the missing ratings were restored as of yesterday.
Security

NHS Pagers Are Leaking Medical Data (techcrunch.com) 29

An anonymous reader quotes a report from TechCrunch: An amateur radio rig exposed to the internet and discovered by a security researcher was collecting real-time medical data and health information broadcast by hospitals and ambulances across U.K. towns and cities. The rig, operated out of a house in North London, was picking up radio waves from over the air and translating them into readable text. The hobbyist's computer display was filling up with messages about real-time medical emergencies from across the region. For some reason, the hobbyist had set up an internet-connected webcam pointed at the display. But because there was no password on the webcam, anyone who knew where to look could also see what was on the rig's computer display.

Daley Borda, a security researcher and bug bounty hunter, stumbled upon the exposed webcam. The live stream was grainy, and the quality of the images so poor that it was just possible to make out the text on the display. "You can see details of calls coming in -- their name, address, and injury," he told TechCrunch. TechCrunch verified his findings. Messages spilling across the screen appeared to direct nearby ambulances where to go following calls to the 999 emergency services. One message said a 98-year-old man had fallen at his home address. A few moments later, another message said a 49-year-old male was complaining of chest pains at a nearby residence. One after the other, messages were flooding in, describing accidents, incidents and medical emergencies, often including their home addresses.
"The hobbyist was picking up and decoding pager communications from a nearby regional National Health Service trust," adds TechCrunch. These devices remain a fixture in UK hospitals and "allow anyone to send messages to one or many pagers at once by calling a dedicated phone number, often manned by an operator, which are then broadcast as radio waves over the pager network."

While the NHS still uses about 130,000 pagers, according to the UK government, it's not clear how many trusts are exposing medical information -- if at all.
Networking

Nasty PHP7 Remote Code Execution Bug Exploited in the Wild on NGINX Servers (zdnet.com) 16

nickwinlund77 shares this story from ZDNet: A recently patched security flaw in modern versions of the PHP programming language is being exploited in the wild to take over servers, ZDNet has learned from threat intelligence firm Bad Packets. The vulnerability is a remote code execution (RCE) in PHP 7, the newer branch of PHP, the most common programming language used to build websites.

The issue, tracked as CVE-2019-11043, lets attackers run commands on servers just by accessing a specially-crafted URL. Exploiting the bug is trivial, and public proof-of-concept exploit code has been published on GitHub earlier this week. Only NGINX servers with PHP-FPM enabled are vulnerable. PHP-FPM, or FastCGI Process Manager, is an alternative PHP FastCGI implementation with some additional features, and according to reports, a common server configuration option.

Chrome

Symantec Antivirus Crashed Chrome 78 (zdnet.com) 23

SmartAboutThings tipped us off to an interesting bug reported by ZDNet Thursday: For the fourth time in three months, a Symantec security product is crashing user apps, and this time it's the latest Chrome release, v78, which rolled out earlier this week, on Tuesday, October 22. According to reports on Reddit, the Google support forums, and in comments on the official Google Chrome blog, Symantec Endpoint Protection 14 is crashing Chrome 78 instances with an "Aw, Snap! Something went wrong while displaying this webpage" error... The errors have been plaguing users for the past two days, with the vast majority of reports coming from enterprise environments, where SEP installs are more prevalent....

According to the antivirus maker, the issues are only affecting SEP 14 users on Windows 10 RS1, Windows Server 2012, and Windows Server 2016 operating systems. Symantec users on other OS versions can fix this by updating to the latest SEP 14.2 release. Users of Microsoft Edge Chromium are also impacted, but the Chromium-based Edge version has not been officially released; hence there are almost no users impacted by this issue in the real world...

Symantec blamed the issue on Microsoft's Code Integrity security feature, which Google uses to protect the Chrome browser process. As a temporary solution, Symantec recommends that users exclude Chrome from receiving protection from their antivirus product, or modify their Chrome clients, so the browser starts without Code Integrity protections. However, this opens the browser to various attacks and is not recommended as long as users can simply use another browser until this is fixed.

ZDNet adds that the issue "should have not surprised Symantec staff, who received early warnings about this more than three months ago, according to a bug report filed in early August while Chrome 78 was still in testing in the Canary channel."
IOS

Why iOS 13 and Catalina Are So Buggy (tidbits.com) 72

David Shayer, who worked as a software engineer at Apple for 18 years across iPod, the Apple Watch, and Apple's bug-tracking system Radar, among other projects, looks at the current iOS and macOS releases and tries to work out why they are so buggy. He writes: 1. Overloaded Feature Lists Lead to Schedule Chicken: Apple is aggressive about including significant features in upcoming products. Tight schedules and ambitious feature sets mean software engineers and quality assurance (QA) engineers routinely work nights and weekends as deadlines approach. Inevitably some features are postponed for a future release, as we saw with iCloud Drive Folder Sharing. In a well-run project, features that are lagging behind are cut early, so engineers can devote their time to polishing the features that will actually ship. But sometimes managers play "schedule chicken" since no one wants to admit in the departmental meeting that their part of the project is behind. Instead, they hope someone else working on another aspect of that feature is running even later, so they reap the benefit of the feature being delayed without taking the hit of being the one who delayed it. But if no one blinks, engineers continue to work on a feature that can't possibly be completed in time and that eventually gets pushed off to a future release.

2. Crash Reports Don't Identify Non-Crashing Bugs: If you have reporting turned on (which I recommend), Apple's built-in crash reporter automatically reports application crashes, and even kernel crashes, back to the company. A crash report includes a lot of data. Especially useful is the stack trace, which shows exactly where the code crashed, and more importantly, how it got to that point. A stack trace often enables an engineer to track down the crash and fix it. Crash reports are uniquely identified by the stack trace. The same stack trace on multiple crash reports means all those users are seeing the same crash. The crash reporter backend sorts crash reports by matching the stack traces, and those that occur most often get the highest priority. Apple takes crash reports seriously and tries hard to fix them. As a result, Apple software crashes a lot less than it used to. Unfortunately, the crash reporter can't catch non-crashing bugs. It's blind to the photos that never upload to iCloud, the contact card that just won't sync from my Mac to my iPhone, the Time Capsule backups that get corrupted and have to be restarted every few months, and the setup app on my new iPhone 11 that got caught in a loop repeatedly asking me to sign in to my iCloud account, until I had to call Apple support. (These are all real problems I've experienced.)
Shayer has offered several more possible explanations in the original post.
Bug

Unpatched Linux Bug May Open Devices To Serious Attacks Over Wi-Fi (arstechnica.com) 21

Long-time Slashdot reader Kekke shared this article from Ars Technica: A potentially serious vulnerability in Linux may make it possible for nearby devices to use Wi-Fi signals to crash or fully compromise vulnerable machines, a security researcher said.

The flaw is located in the RTLWIFI driver, which is used to support Realtek Wi-Fi chips in Linux devices. The vulnerability triggers a buffer overflow in the Linux kernel when a machine with a Realtek Wi-Fi chip is within radio range of a malicious device. At a minimum, exploits would cause an operating-system crash and could possibly allow a hacker to gain complete control of the computer. The flaw dates back to version 3.10.1 of the Linux kernel released in 2013...

The vulnerability is tracked as CVE-2019-17666. Linux developers proposed a fix on Wednesday that will likely be incorporated into the OS kernel in the coming days or weeks. Only after that will the fix make its way into various Linux distributions.

Nico Waisman, who is a principal security engineer at Github [and discovered the bug] said he has not yet devised a proof-of-concept attack that exploits the vulnerability in a way that can execute malicious code on a vulnerable machine. "I'm still working on exploitation, and it will definitely... take some time (of course, it might not be possible)," he wrote in a direct message. "On paper, [this] is an overflow that should be exploitable. Worst-case scenario, [this] is a denial of service; best scenario, you get a shell."

The article notes that the flaw "can't be triggered if Wi-Fi is turned off or if the device uses a Wi-Fi chip from a different manufacturer."
Bug

Apple Hid a Lightning Connector For Debugging In the Apple TV 4K's Ethernet Port (9to5mac.com) 60

Twitter user Kevin Bradley discovered a Lightning port hidden in the Apple TV 4K's ethernet port. There's a number of theories for why the port exists, but one of the more logical explanations is that it's simply there for Apple to use for debugging. 9to5Mac reports: While earlier Apple TV models had Micro USB and USB-C, the Apple TV 4K dropped all outwardly-facing ports other than Ethernet and HDMI. Under the hood, however, there's a hidden Lightning port, as Bradley discovered. The Lightning port is hidden in the ethernet connector on the Apple TV 4K. Bradley teased on Twitter: "None of us looked THAT closely to the hardware of the AppleTV 4K and the magic locked in the ethernet port until fairly recently."

As for getting the Lightning port itself to work, Steven Barker said in a tweet that this is proving to be "difficult." The Lightning port is stuck at the very back of the ethernet port. Ultimately, it's not really clear what the Lightning port discovery could mean. One thing it could lead towards is the expansion of jailbreak capabilities for the Apple TV 4K, though Bradley cautions: "Just because we know it's lightning doesn't mean anything past that. Just because we find a way in doesn't mean anything will DEFINITELY be released due to what we discover. The barrier for entry might be way too high."

Bug

A Code Glitch May Have Caused Errors In More Than 100 Published Studies (vice.com) 20

Scientists have uncovered a glitch in a piece of code that could have yielded incorrect results in over 100 published studies that cited the original paper. From a report: The glitch caused results of a common chemistry computation to vary depending on the operating system used, causing discrepancies among Mac, Windows, and Linux systems. The researchers published the revelation and a debugged version of the script, which amounts to roughly 1,000 lines of code, last week in the journal Organic Letters. "This simple glitch in the original script calls into question the conclusions of a significant number of papers on a wide range of topics in a way that cannot be easily resolved from published information because the operating system is rarely mentioned," the new paper reads. "Authors who used these scripts should certainly double-check their results and any relevant conclusions using the modified scripts in the [supplementary information]." Yuheng Luo, a graduate student at the University of Hawai'i at Manoa, discovered the glitch this summer when he was verifying the results of research conducted by chemistry professor Philip Williams on cyanobacteria. The aim of the project was to "try to find compounds that are effective against cancer," Williams said.
Security

Planting Tiny Spy Chips in Hardware Can Cost as Little as $200 (wired.com) 37

An anonymous reader shares a report: More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off -- just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

Security

Invisible Hardware Hacks Allowing Full Remote Access Cost Pennies (wired.com) 84

Long-time Slashdot reader Artem S. Tashkinov quotes Wired: More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The NSA dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off -- just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

The Almighty Buck

Comcast Incorrectly Charged 2,000 Customers For Exceeding Data Cap (arstechnica.com) 49

An anonymous reader quotes a report from Ars Technica: Comcast's data-usage meter gave thousands of customers inaccurate readings for two months because of a software bug, causing the broadband provider to incorrectly charge about 2,000 users for exceeding their monthly data caps. Comcast has admitted the error and told Ars it is giving refunds and additional credits of $50 each to customers who paid data overage fees that shouldn't have been assessed.

Comcast engineers found that the problem began after the company started rolling out a new billing system in early August. The data meter was apparently still collecting accurate data, but the numbers were being reported in the new billing system incorrectly. Comcast said it's still trying to figure out if the bug is in the meter software, the billing software, or in the interaction between the two. What Comcast knows for certain, the spokesperson said, is that the problem was fixed when it rolled back to the previous version of its billing software on October 2.
Comcast's statement to Ars said: "While updating our data usage meter to a new system, a software error occurred resulting in a small number of our customers being billed incorrectly. We're very sorry for inconveniencing our customers and here's what we're doing to address it: We fixed the technical issue, we're proactively crediting the accounts affected, and we're giving those customers an additional $50 credit to make it right."
Facebook

Gizmodo's Disappearing Story Explains Why No One Trusts Facebook (gizmodo.com) 90

"On Friday, Gizmodo uncovered shocking new evidence that Facebook is using its platform to suppress stories about CEO Mark Zuckerberg..." reports Gizmodo, adding "or maybe his janky, busted-ass website is just bugging out again for no reason. It's hard to say, really. That's sort of the problem..." For some reason, a story about Zuckerberg we posted to our Facebook page was hidden from many readers. The post was fully visible through web browsers in incognito mode, but an unclear percentage of users were told, "Sorry, this content is not available," when they tried to view it while signed in. In short, lots of people (including several Gizmodo staffers and at least one of their parents) could not see the story.

By Friday afternoon, the issue seemed to resolve itself just as mysteriously. Was it a bug, a moderation error, or something more nefarious? Personally, I find it hard to imagine Zuckerberg furiously refreshing Gizmodo's page, just waiting to slam the giant red button on his desk labeled "WRONGTHINK." But it's easy to see why some people believe similar (if less cinematic) conspiracy theories. When Facebook acts strangely -- which is fairly often! -- users have to draw their own conclusions about what's happening. Like most big tech companies, Facebook doesn't offer a phone number to call if you're having issues. If you want a response from a social network about your specific problem, your best bet is to be a journalist, a celebrity, or someone else with the power to give headaches. To understand their experiences with social media, then, most people are left with two choices: trust the system (lol) or develop their own, potentially very wacky, explanations...

Some may believe -- as Zuckerberg himself seems to -- that companies like Facebook are just too big to explain every little thing they do to their millions of users. Maybe so, but is it any surprise, then, that no one fucking trusts them?
