Chrome

Google Releases Chrome 79 With New Features Including an Option To Freeze Tabs and Back-Forward Caching (zdnet.com) 29

Google today released Chrome 79 for Windows, Mac, Linux, Chrome OS, Android, and iOS users. This release comes with security and bug fixes, but also with new features such as built-in support for the Password Checkup tool, real-time blacklisting of malicious sites via the Safe Browsing API, general availability of Predictive Phishing protections, a ban on loading HTTPS "mixed content," support for tab freezing, a new UI for the Chrome Sync profile section, and support for a back-forward caching mechanism. ZDNet has outlined each new feature in-depth.
Bug

The Most Copied StackOverflow Java Code Snippet Contains a Bug (zdnet.com) 71

The admission comes from the author of the snippet itself, Andreas Lundblad, a Java developer at Palantir, and one of the highest-ranked contributors to StackOverflow, a Q&A website for programming-related topics. From a report: An academic paper [PDF] published in 2018 identified a code snippet Lundblad posted on the site as the most copied Java code taken from StackOverflow and then re-used in open source projects. The code snippet was provided as an answer to a StackOverflow question posted in September 2010. The code snippet printed byte counts (123,456,789 bytes) in a human-readable format, like 123.5 MB. Academics found that this code had been copied and embedded in more than 6,000 GitHub Java projects, more than any other StackOverflow Java snippet. In a blog post published last week, Lundblad said that the code had a flaw as it incorrectly converted byte counts into human-readable formats. Lundblad said he revisited the code after learning of the academic paper and its results. He looked at the code again and published a corrected version on his blog.
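The kind of formatter the snippet implements, written here as an added example (it is not Lundblad's original or corrected code). The edge case worth checking in any such formatter is a count just below a unit boundary: naively dividing and printing with one decimal turns 999,999 bytes into "1000.0 kB" instead of "1.0 MB", and `Math.abs(Long.MIN_VALUE)` overflows, so both are handled explicitly.

```java
import java.util.Locale;

/**
 * Added example: format a byte count as a human-readable string with
 * one decimal, using SI units (1 kB = 1000 B). Not the StackOverflow
 * snippet itself; class and method names are this example's own.
 */
public final class HumanReadableBytes {

    // Index i corresponds to 1000^i bytes.
    private static final String[] PREFIXES = {"", "k", "M", "G", "T", "P", "E"};

    private HumanReadableBytes() {}

    public static String format(long bytes) {
        boolean negative = bytes < 0;
        // Math.abs(Long.MIN_VALUE) silently returns Long.MIN_VALUE, so take the
        // magnitude as a double instead (2^63 is exactly representable).
        double magnitude = negative ? -((double) bytes) : (double) bytes;
        String sign = negative ? "-" : "";

        if (magnitude < 1000) {
            return sign + (long) magnitude + " B";
        }

        int exp = 0;
        double value = magnitude;
        while (value >= 1000 && exp < PREFIXES.length - 1) {
            value /= 1000;
            exp++;
        }

        // Rounding to one decimal can push e.g. 999.95 kB up to "1000.0 kB";
        // in that case step up one unit so the result reads "1.0 MB".
        if (Math.round(value * 10) >= 10000 && exp < PREFIXES.length - 1) {
            value /= 1000;
            exp++;
        }

        return String.format(Locale.ROOT, "%s%.1f %sB", sign, value, PREFIXES[exp]);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the boundary and overflow cases.
        long[] samples = {0L, 999L, 1000L, 123456789L, 999999L, 999950L,
                          Long.MAX_VALUE, Long.MIN_VALUE};
        for (long n : samples) {
            System.out.printf(Locale.ROOT, "%20d -> %s%n", n, format(n));
        }
    }
}
```

Running `main` prints "123.5 MB" for the 123,456,789-byte case from the story and "1.0 MB" for 999,999 bytes.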
Bug

A Bug In Microsoft's Login System Put Users At Risk of Account Hijacks (techcrunch.com) 20

Microsoft has fixed a vulnerability in its login system that could have been used to trick unsuspecting victims into giving over complete access to their online accounts. TechCrunch reports: The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without requiring them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords. Researchers at Israeli cybersecurity company CyberArk found that Microsoft left open an accidental loophole which, if exploited, could've been used to siphon off these account tokens used to access a victim's account -- potentially without ever alerting the user.

CyberArk's latest research, shared exclusively with TechCrunch, found dozens of unregistered subdomains connected to a handful of apps built by Microsoft. These in-house apps are highly trusted and, as such, associated subdomains can be used to generate access tokens automatically without requiring any explicit consent from the user. With the subdomains in hand, all an attacker would need is to trick an unsuspecting victim into clicking on a specially crafted link in an email or on a website, and the token can be stolen. [...] Luckily, the researchers registered as many of the subdomains they could find from the vulnerable Microsoft apps to prevent any malicious misuse, but warned there could be more.

IOS

iOS Apps Could Really Benefit From the Newly Proposed Security.plist Standard (zdnet.com) 13

Security researcher Ivan Rodriguez has proposed a new security standard for iOS apps, which he named Security.plist. From a report: The idea is simple. App makers would create a property list file (plist) named security.plist that they would embed inside the root of their iOS apps. The file would contain all the basic contact details for reporting a security flaw to the app's creator. Security researchers analyzing an app would have an easy way to get in contact with the app's creators. Rodriguez said the idea for Security.plist came from Security.txt, a similar standard for websites, that was proposed in late 2017. Security.txt is currently going through an official standardization process at the Internet Engineering Task Force (IETF), but it has been widely adopted already, and companies like Google, GitHub, LinkedIn, and Facebook, all have a security.txt file hosted on their sites, so bug hunters can get in touch with their respective security teams. Rodriguez, who is an amateur bug hunter in iOS apps, said he decided to propose a similar thing for iOS apps because getting in touch with an app's dev or security team has been a problem in the past. "I spend most of my free time poking mobile applications which has led me to find many vulnerabilities and I have yet to find one that has an easy way to find the correct channel to responsibly disclose these issues," Rodriguez told ZDNet.
Facebook

NSO Employees Take Legal Action Against Facebook For Banning Their Accounts (vice.com) 53

On Tuesday, lawyers representing current and former employees of Israeli surveillance contractor NSO Group took legal action against Facebook to try and get their accounts reinstated after being banned by the social media giant. Motherboard reports: Last month, Facebook itself sued NSO in California for leveraging a vulnerability in the WhatsApp chat program that NSO Group clients used to hack targets. As part of that, Facebook also banned the personal Facebook and Instagram accounts of multiple current and former NSO employees. The new lawsuit argues that Facebook violated its own terms of service by blocking the NSO employees, and it used personal information they shared with Facebook in order to identify them, in violation of an Israeli privacy law. As relief, the lawyers ask the court to make Facebook lift the ban on the accounts. The lawsuit was first reported in Israeli media.

"It appears that Facebook used the [NSO employees'] personal data...in order to identify them as NSO employees (or former employees), in service of imposing 'collective punishment' on them, in the form of blocking their personal accounts," the lawsuit reads in Hebrew. The lawsuit argues that the personal data used to identify them as NSO employees belonged to the individuals, and not Facebook. The legal action says that the NSO employees were banned without warning even though they are "private people, who make private use of the social networks, whose only 'sin' was any association with NSO, as employees or former employees." The lawsuit includes a screenshot of an email Facebook allegedly sent to someone who had their account suspended.
Facebook told Motherboard in a statement on Tuesday, "In October we filed a legal complaint which attributed a sophisticated cyber attack to the NSO Group and its employees that was directed at WhatsApp and its users in violation of our terms of service and U.S. law. Such actions warranted disabling relevant accounts and continue to be necessary for security reasons, including preventing additional attacks."
Social Networks

Facebook and Twitter Users' Data Exposed Due To Third-Party SDK Bug (thurrott.com) 10

Facebook and Twitter announced on Monday that the companies were notified about malicious software development kits (SDKs) that allowed certain apps to collect users' data from the apps without their permission. Paul Thurrott reports: The main culprits here are One Audience and Mobiburn, developers of the malicious SDKs that apparently paid developers to use the SDKs and secretly collect users data. Twitter noted that the issue isn't due to a vulnerability in its software. The breach was caused by "the lack of isolation between SDKs within an application," according to the company. The company also said that the malicious SDKs could allow apps to access personal information like your email, username, and your last tweet without your permission. "We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," the company said. The two social networks said that they will notify the affected users about the breach.
Security

OnePlus Notifies Customers of Data Breach Impacting Users of Its Online Store 7

OnePlus has sent out an email informing recent OnePlus customers of a security issue. "This 'Security Notification' from OnePlus informs customers that an 'unauthorized party' was able to access order information from the company's online store," reports 9to5Google. "OnePlus says that payment information as well as account details were not accessed, but names, addresses, emails, and phone numbers 'may' have been exposed. The company says it will continue to investigate the matter, but obviously this is no small issue." From the report: Speaking to Droid-Life, OnePlus says that they took "immediate steps to stop the intruder and reinforce security," and that they are currently "working with the relevant authorities to further investigate this incident." OnePlus didn't explain what went wrong, but they are apparently working to start a bug bounty program by the end of this year.

This isn't the first time the company's store has fallen victim to a security issue like this. In early 2018, OnePlus customers found evidence of credit card fraud stemming from the Store that triggered OnePlus to shut down credit card payments temporarily. Just a day later, OnePlus' investigation into the matter revealed that 40,000 credit card numbers had been exposed.
OnePlus has a thread on its forums with more details about the breach.
Google

Google Will Pay Bug Hunters Up To $1.5M if They Can Hack Its Titan M Chip (zdnet.com) 21

Google announced today that it is willing to dish out bug bounty cash rewards of up to $1.5 million if security researchers find and report bugs in the Android operating system that can also compromise its new Titan M security chip. From a report: Launched last year, the Titan M chip is currently part of Google Pixel 3 and Pixel 4 devices. It's a separate chip that's included in both phones and is dedicated solely to processing sensitive data and processes, like Verified Boot, on-device disk encryption, lock screen protections, secure transactions, and more. Google says that if researchers manage to find "a full chain remote code execution exploit with persistence" that also compromises data protected by Titan M, they are willing to pay up to $1 million to the bug hunter who finds it. If the exploit chain works against a preview version of the Android OS, the reward can go up to $1.5 million.
Debian

Debian Project Drafts General Resolution on Init-System Diversity (lwn.net) 212

Debian "is heading toward a new general resolution to decide at what level init systems other than systemd should be supported," reports LWN.net.

"I'm absolutely convinced we've reached a point where in order to respect the people trying to get work done, we need to figure out where we are as a project," writes Debian project leader Sam Hartman. "We can either decide that this is work we want to facilitate, or work that we as a project decide is not important."

LWN.net reports: The immediate motivation for a reconsideration would appear to be the proposed addition of elogind, a standalone fork of the systemd-logind daemon, to Debian. Elogind would provide support for systemd's D-Bus-based login mechanism -- needed to support small projects like the GNOME desktop -- without the need for systemd itself. The addition of elogind has been controversial; it is a difficult package to integrate for a number of reasons. Much of the discussion has evidently been carried out away from the mailing lists, but some context on the problem can be found in this bug report. In short: merging elogind appears to be complex enough that it would be hard to justify in the absence of a strong commitment to the support of non-systemd init systems. It seems possible that this commitment no longer exists across the distribution as a whole; the purpose of a general resolution would be to determine whether that is the case or not.

Unsurprisingly, Debian developers have a variety of opinions on this issue. This response from Russ Allbery is worth reading in its entirety. He argues that the 2014 decision (of which he was a part) never really nailed down the project's position toward other init systems. That was a necessary compromise at the time, he said, but it is causing stress now: "while I feel somewhat vindicated by the fact that this didn't immediately fall apart and has sort of worked, I think it's becoming increasingly untenable".... Josh Triplett zeroed in on one of the issues that is testing the init-system peace now. There is, he said, an increasingly long list of features that are only available with systemd, and application developers want to use those features... The responses to this argument took a couple of different approaches. Ted Ts'o described those features as "the 'embrace, extend, and extinguish' phenomenon of systemd which caused so much fear and loathing."

There's much more information in LWN.net's 1,600-word article -- but where do things stand now? Hartman posted a draft general resolution last week with three choices.

"It should be noted, though, that this is explicitly a draft," concludes LWN.net. "It is likely to evolve considerably before it reaches the point where the project will vote on it."
Chrome

Google Chrome Experiment Crashes Browser Tabs, Impacts Companies Worldwide (zdnet.com) 50

A Google Chrome experiment has gone horribly wrong this week and ended up crashing browsers on thousands, if not more, enterprise networks for nearly two days. From a report: The issue first appeared on Wednesday, November 13. It didn't impact all Chrome users, but only Chrome browsers running on Windows Server "terminal server" setups -- a very common setup in enterprise networks. According to hundreds of reports, users said that Chrome tabs were going blank, all of a sudden, in what's called a "White Screen of Death" (WSOD) error. The issue was no joke. System administrators at many companies reported that hundreds and thousands of employees couldn't use Chrome to access the internet, as the active browser tab kept going blank while working. In tightly controlled enterprise environments, many employees didn't have the option to change browsers and were left unable to do their jobs. Similarly, system administrators couldn't just replace Chrome with another browser right away.
Communications

As 5G Rolls Out, Troubling New Security Flaws Emerge (wired.com) 19

It's not yet prime time for 5G networks, which still face logistical and technical hurdles, but they're increasingly coming online in major cities worldwide. Which is why it's especially worrying that new 5G vulnerabilities are being discovered almost by the dozen. From a report: At the Association for Computing Machinery's Conference on Computer and Communications Security in London today researchers are presenting new findings that the 5G specification still has vulnerabilities. And with 5G increasingly becoming a reality, time is running out to catch these flaws. The researchers from Purdue University and the University of Iowa are detailing 11 new design issues in 5G protocols that could expose your location, downgrade your service to old mobile data networks, run up your wireless bills, or even track when you make calls, text, or browse the web. They also found five additional 5G vulnerabilities that carried over from 3G and 4G. They identified all of those flaws with a new custom tool called 5GReasoner.

One purported benefit of 5G is that it protects phone identifiers, like your device's "international mobile subscriber identity," to help prevent tracking or targeted attacks. But downgrade attacks like the ones the researchers found can bump your device down to 4G, or put it into limited service mode, then force it to send its IMSI number unencrypted. Increasingly, networks use an alternative ID called a Temporary Mobile Subscriber Identity that refreshes periodically to stymie tracking. But the researchers also found flaws that could allow them to override TMSI resets, or correlate a device's old and new TMSI, to track devices. Mounting those attacks takes only software-defined radios that cost a few hundred dollars. The 5GReasoner tool also found issues with the part of the 5G standard that governs things like initial device registration, deregistration, and paging, which notifies your phone about incoming calls and texts. Depending on how a carrier implements the standard, attackers could mount "replay" attacks to run up a target's mobile bill by repeatedly sending the same message or command. It's an instance of vague wording in the 5G standard that could cause carriers to implement it weakly.

Facebook

Facebook Bug Has Camera Activated While People Are Using the App (cnet.com) 92

When you're scrolling through Facebook's app, the social network could be watching you back, in more ways than just your data, concerned users have found. Multiple people have found and reported that their iPhone cameras were turned on in the background while looking at their feed. From a report: The issue came to light with several posts on Twitter, showing that their cameras were activated behind Facebook's app as they were watching videos or looking at photos on the social network. After clicking on the video to full screen, returning it back to normal would create a bug where Facebook's mobile layout was slightly shifted to the right. With the open space on the left, you could now see the phone's camera activated in the background. This was documented in multiple cases, with the earliest incident on November 2.
Technology

Pentagon Gets a Fix for F-35 Bug in $400,000 Pilot Helmets (bloomberg.com) 80

The U.S. military may have finally found a way to fix a glitch with the world's most high-tech helmet used by pilots flying the most expensive fighter jet in history. From a report: A bug in the $400,000 helmet display screen used by F-35 aviators caused a green glow when flying in very low-light conditions and is now expected to be overcome by using a different type of semiconductor illumination. The distracting green glow was deemed so critical that restrictions were imposed on some night landings on aircraft carriers, and the fault was classified as a "Priority One" fix by the Pentagon's test office. Jittery lines were also visible to some pilots. Defense giant Lockheed Martin has been contracted by the F-35 Joint Program Office for the redesign, modifying headpieces by installing new organic light-emitting diodes to replace traditional liquid crystal displays. "In partnership with the F-35 Joint Program Office and our U.S. Navy customer, we've been working to transition the helmet technology from a traditional LCD to an Organic LED system," Program Manager Jim Gigliotti said by email. Lockheed Martin did not provide a figure for the number of helmets requiring modification or the upgrade cost.
Security

Security Researchers Exploit Amazon Echo's Chromium Bug, Win $60,000 Bounty (techcrunch.com) 6

An anonymous reader quotes TechCrunch: Two security researchers have been crowned the top hackers in this year's Pwn2Own hacking contest after developing and testing several high profile exploits, including an attack against an Amazon Echo. Amat Cama and Richard Zhu, who make up Team Fluoroacetate, scored $60,000 in bug bounties for their integer overflow exploit against the latest Amazon Echo Show 5, an Alexa-powered smart display.

The researchers found that the device uses an older version of Chromium, Google's open-source browser projects, which had been forked some time during its development. The bug allowed them to take "full control" of the device if connected to a malicious Wi-Fi hotspot, said Brian Gorenc, director of Trend Micro's Zero Day Initiative, which put on the Pwn2Own contest...

When reached, Amazon said it was "investigating this research and will be taking appropriate steps to protect our devices based on our investigation," but did not say what measures it would take to fix the vulnerabilities -- or when.

The same researchers also compromised Sony and Samsung smart TVs, and the Xiaomi Mi9 smartphone, according to ZDNet, which also reports that "Nobody wanted a piece of the Facebook Portal, and nor did they want to hack Google's Home assistant.

"Security researchers chose to go after the easier targets, like routers and smart TVs, known for running weaker firmware than what you'd usually find on a smart speaker or home automation hub."
Security

6 In 10 Websites May Be Impacted by jQuery XSS Vulnerabilities (i-programmer.info) 25

"Although the JavaScript library jQuery is no longer as popular as it was, it is still widely used. As a result at least six in ten websites are impacted by jQuery XSS vulnerabilities," reports I Programmer: Even more security issues are introduced by the jQuery libraries used to extend jQuery's capabilities. These findings come from open source security platform, Snyk and are included in "The state of JavaScript frameworks security report 2019". While this report is mainly devoted to a security review of the two leading JavaScript frameworks, Angular and React, it takes a "sneak peek" into the security vulnerabilities in three other frontend JavaScript ecosystem projects - Vue.js, Bootstrap and jQuery.

jQuery was downloaded more than 120 million times in the last 12 months, which is equivalent to the number of downloads for Vue.js (40 million) and Bootstrap (79 million) combined. Snyk reports that four vulnerabilities had been found for Vue.js, all of which have been fixed. Bootstrap contained seven cross-site scripting (XSS) vulnerabilities. Three of these were disclosed in 2019 and there are no security fixes or upgrade paths to avoid them. In the case of jQuery, Snyk tracked six security vulnerabilities affecting jQuery across all of its releases to date. Four are medium severity Cross-Site Scripting vulnerabilities, one is a medium severity Prototype Pollution vulnerability, and the final one is a low severity Denial of Service vulnerability.

The report concludes that unless you are using jQuery 3.4.0 and above then you are using vulnerable jQuery versions.

Firefox

Scammers Are Actively Exploiting A Firefox Bug (arstechnica.com) 26

Long-time Slashdot reader slack_justyb shares this story from Ars Technica: Scammers are actively exploiting a bug in Firefox that causes the browser to lock up after displaying a message warning the computer is running a pirated version of Windows that has been hacked... The message then advises the person to call a toll-free number in the next five minutes or face having the computer disabled...

Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said the Firefox bug is being exploited by several sites... On Monday, Segura reported the bug to the Bugzilla forum. He said he has since received word Mozilla is actively working on a fix. In a statement sent seven hours after this post went live, a Mozilla representative wrote: "We are working on a fix to the authentication prompt bug that we expect to land in the next couple of releases (either in Firefox 71 or 72)."

Communications

A Ton of People Received Text Messages Overnight That Were Originally Sent on Valentine's Day (theverge.com) 82

Something strange is happening with text messages in the US right now. Overnight, a multitude of people received text messages that appear to have originally been sent on or around Valentine's Day 2019. From a report: These people never received the text messages in the first place; the people who sent the messages had no idea that they had never been received, and they did nothing to attempt to resend them overnight. Delayed messages were sent from and received by both iPhones and Android phones, and the messages seem to have been sent and received across all major carriers in the US. Many of the complaints involve T-Mobile or Sprint, although AT&T and Verizon have been mentioned as well. People using regional US carriers, carriers in Canada, and even Google Voice also seem to have experienced delays. At fault seems to be a system that multiple cell carriers use for messaging. A Sprint spokesperson said a "maintenance update" last night caused the error.
The Almighty Buck

A Glitch in Robinhood App is Allowing Users To Trade Stocks With Excess Borrowed Funds, Giving Them Access To What Amounts To Free Money (bloomberg.com) 68

Dubbed the "infinite money cheat code" by users of Reddit's WallStreetBets forum, the bug is being exploited, according to users on the forum. One trader bragged about a $1 million position funded by a $4,000 deposit. From a report: Robinhood is "aware of the isolated situations and communicating directly with customers," spokesperson Lavinia Chirico said in an email response to questions. The Menlo Park, California-based money-management software designer touts trading "free from commission fees." Robinhood Gold customers are invited to "supercharge" their investing by paying $5 a month to trade on margin, or money borrowed from the company. Here's how the trade works. Users of Robinhood Gold are selling covered calls using money borrowed from Robinhood. Nothing wrong with that. The problem arises when Robinhood incorrectly adds the value of those calls to the user's own capital. And that means that the more money a user borrows, the more money Robinhood will lend them for future trading. One trader managed to turn his $2,000 deposit into $50,000 worth of purchasing power, which he used to buy Apple puts.
Security

Android Bug Lets Hackers Plant Malware Via NFC Beaming (zdnet.com) 14

An anonymous reader quotes a report from ZDNet: Google patched last month an Android bug that can let hackers spread malware to a nearby phone via a little-known Android OS feature called NFC beaming. NFC beaming works via an internal Android OS service known as Android Beam. This service allows an Android device to send data such as images, files, videos, or even apps, to another nearby device using NFC (Near-Field Communication) radio waves, as an alternative to WiFi or Bluetooth. Typically, apps (APK files) sent via NFC beaming are stored on disk and a notification is shown on screen. The notification asks the device owner if he wants to allow the NFC service to install an app from an unknown source. But, in January this year, a security researcher named Y. Shafranovich discovered that apps sent via NFC beaming on Android 8 (Oreo) or later versions would not show this prompt. Instead, the notification would allow the user to install the app with one tap, without any security warning.

The CVE-2019-2114 bug resided in the fact that the Android Beam app was also whitelisted, receiving the same level of trust as the official Play Store app. Google said this wasn't meant to happen, as the Android Beam service was never meant as a way to install applications, but merely as a way to transfer data from device to device. The October 2019 Android patches removed the Android Beam service from the OS whitelist of trusted sources. However, many millions of users remain at risk. If users have the NFC service and the Android Beam service enabled, a nearby attacker could plant malware (malicious apps) on their phones.
Since most newly-sold devices have the NFC feature enabled by default, you'll have to disable Android Beam and NFC or update your phone to receive the October 2019 security updates if you want to protect yourself from this bug.
Microsoft

Microsoft Announces It's Ready to Contribute to OpenJDK (jaxenter.com) 62

"In a message to the OpenJDK community, Bruno Borges announced that Microsoft has now formally signed the Oracle Contributor Agreement and has been welcomed to the Java community," reports JAXenter: He went on to reaffirm Microsoft's commitment to Java and that the team is looking forward to giving something back to the Java community. However, the team will not just barge in with a heavy hand, but will start with smaller bug fixes and the like so they can learn how to be "good citizens within OpenJDK."

Borges, himself a former Oracle developer, is Principal Product Manager for Java at Microsoft. He presents Martijn Verburg as the Java engineering team lead who will be working together along with other partners in the Java ecosystem. Verburg is also CEO of jClarity, a leading AdoptOpenJDK contributor acquired by Microsoft in August this year, so presumably he will stay true to form and continue to contribute to the Java world, only now with Microsoft at his back...

Microsoft's acquisition of jClarity was just the latest in their efforts to gain a foothold in the Java community. There are many Java developers and Java champions who now practice their trade under Microsoft's banner... At JAX London a few weeks ago, Program Chair Sebastian Meyen opened the conference by giving a speech in which he said "Microsoft is now a Java shop". He sees this as a great development, as "it's always good when industry giants stand behind Java."
