Bug

Car 'Splatometer' Tests Reveal Huge Decline In Number of Insects 130

An anonymous reader quotes a report from The Guardian: Two scientific studies of the number of insects splattered by cars have revealed a huge decline in abundance at European sites in two decades. The survey of insects hitting car windscreens in rural Denmark used data collected every summer from 1997 to 2017 and found an 80% decline in abundance. It also found a parallel decline in the number of swallows and martins, birds that live on insects.

The second survey, in the UK county of Kent in 2019, examined splats in a grid placed over car registration plates, known as a "splatometer." This revealed 50% fewer impacts than in 2004. The research included vintage cars up to 70 years old to see if their less aerodynamic shape meant they killed more bugs, but it found that modern cars actually hit slightly more insects. [...] The stream research, published in the journal Conservation Biology, analyzed weekly data from 1969 to 2010 on a stream in a German nature reserve, where the only major human impact is climate change. "Overall, water temperature increased by 1.88C and discharge patterns changed significantly. These changes were accompanied by an 81.6% decline in insect abundance," the scientists reported. "Our results indicate that climate change has already altered [wildlife] communities severely, even in protected areas."
Facebook

Facebook Accidentally Blacked Out an Entire Language (theverge.com) 26

On January 16th, Facebook users received an error message when posting in Jinghpaw, a language spoken by Myanmar's ethnic Kachin and written with a Roman alphabet. From a report: "We couldn't post this. Tap for more info," the message said. When clicking, a second appeared: "Your request couldn't be processed. There was a problem with this request. We're working on getting it fixed as soon as we can." A Facebook representative told The Verge that the issue was caused by "a bug in our language infrastructure," and coincided with the launch, the same day, of an updated language identification model supporting ten new languages, including Jinghpaw. The representative said Facebook fixed the issue within hours of receiving reports on January 17th. But while the disabling of Jinghpaw was not an active move of censorship, it alerted many Kachin people that Facebook had the capability to identify their language, an alarming thought for the embattled minority group. That realization has evoked a visceral reaction from the Kachin, and brought forth new calls for the company to be more transparent about its technology and the ways it will be used.
Privacy

Software Error Exposes the ID Numbers For 1.26 Million Danish Citizens (zdnet.com) 30

A software error in Denmark's government tax portal has accidentally exposed the personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country's total population. From a report: The error lasted for five years (between February 2, 2015, and January 24, 2020) before it was discovered, Danish media reported last week. The software error and the subsequent leak were discovered following an audit by the Danish Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen, or UFST). According to the UFST, the error occurred on TastSelv Borger, the Danish tax administration's official self-service portal where Danish citizens go to file and pay taxes online. Government officials said the portal contained a software bug such that, every time a user updated account details in the portal's settings section, their CPR number was added to the URL.
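A CPR number that lands in a URL ends up in web-server logs, browser histories and proxy caches, which is why the leak went unnoticed for five years. As an added illustration (not code from ZDNet, UFST or the tax administration), here is a Python scanner that flags CPR-shaped values in access-log request lines; the log lines and the `/settings/update` path are constructed for the example.

```python
import re
from datetime import date
from urllib.parse import urlsplit, parse_qsl

# Constructed "combined"-style access-log lines, not real TastSelv Borger
# traffic. Lines 1 and 4 leak a CPR-shaped value, line 3 carries a 10-digit
# order number that is NOT a valid date prefix, line 2 is clean.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2020:10:01:12 +0100] "GET /settings/update?cpr=0101701234&ok=1 HTTP/1.1" 200 512
10.0.0.6 - - [24/Jan/2020:10:02:45 +0100] "GET /settings/update?ok=1 HTTP/1.1" 200 480
10.0.0.7 - - [24/Jan/2020:10:03:01 +0100] "GET /orders/view?id=9912991234 HTTP/1.1" 200 301
10.0.0.8 - - [24/Jan/2020:10:04:19 +0100] "GET /settings/update?id=311299-1234 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP/')
# CPR layout: DDMMYY, optional hyphen, four more digits; must not be part of
# a longer digit run (otherwise every long numeric id would match).
CPR_RE = re.compile(r'(?<!\d)(\d{2})(\d{2})(\d{2})-?(\d{4})(?!\d)')


def looks_like_cpr(value):
    """True if `value` contains a CPR-shaped token whose first six digits form
    a real calendar day. This is a structural check only: it rejects values
    such as 9912991234 (there is no 99th day) but cannot tell a genuine CPR
    from a random date-prefixed number, which is what a leak scanner needs."""
    for m in CPR_RE.finditer(value):
        dd, mm = int(m.group(1)), int(m.group(2))
        try:
            date(2000, mm, dd)  # 2000 is a leap year, so 29/02 is accepted
        except ValueError:
            continue
        return True
    return False


def mask(value):
    """Keep only the first two characters so findings can be logged safely."""
    return value[:2] + "*" * (len(value) - 2)


def scan_access_log(text):
    """Return one finding per request whose query parameter or path segment
    looks like a CPR number. Query strings are the usual leak point (as in
    the TastSelv case); path segments are checked for REST-style URLs."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        candidates = list(parse_qsl(parts.query, keep_blank_values=True))
        candidates += [("path", seg) for seg in parts.path.split("/") if seg]
        for name, value in candidates:
            if looks_like_cpr(value):
                findings.append({"line": lineno, "param": name,
                                 "value": mask(value), "path": parts.path})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```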
Microsoft

Suspicion and Anger Towards Microsoft Rises After Windows 10 Search Failure (forbes.com) 173

Earlier this week, searching in Windows 10 was broken, "with a black bar showing where search results should be, even for those who tried to perform a local search of their files." Microsoft issued a fix and blamed the issue on a "third-party networking fiber provider".

But unfortunately, Microsoft's fix isn't working for everyone -- and that's just the beginning. Long-time Slashdot reader Futurepower(R) shares Forbes' report: Second, and more worryingly, Microsoft's explanation doesn't add up and it has prompted serious questions to be asked about how the operating system works and what personal data it is sharing. Popular Microsoft pundit Woody Leonhard led the charge, writing: "If you believe that yesterday's worldwide crash of Windows 10 Search was caused by a bad third-party fiber provider, I have a bridge to sell you."

In an open letter to new Windows head Panos Panay, Susan 'Patch Lady' Bradley was similarly sceptical, noting that today "we all found out that our local search boxes are somehow dependent on some service working at Microsoft." She attacked the company for a lack of transparency and gave it a maximum 'Pinocchio score' for a lack of trust... Similarly, Engadget writer Richard Lawler revealed that users were now trying to hack the Windows 10 registry to disconnect their local file searches from Microsoft servers "and I can't say I blame them after this episode. Microsoft owes users a better explanation than this and should make sure it's impossible for offline features to get taken out when the cloud is having an issue."

In fact, Forbes writes that "the aforementioned Windows 10 registry hack appears to be the only 100% fix for this issue and it also disconnects Bing and Cortana online services from Windows 10 search."

And then on Saturday the Windows Latest blog also noticed that Microsoft's release notes for Windows 10 20H1 Build 19035 reveal that Microsoft is apparently now delaying the roll-out of a widely-anticipated "Optional Updates" option. "It appears that the new Optional updates experience will come out in October/November 2020, not this spring as previously planned."
Bug

Windows 7 Bug Prevents Users From Shutting Down Or Rebooting Computers (zdnet.com) 59

An anonymous reader writes: A weird bug of unknown origins has been hitting Windows 7 computers this week, according to multiple reports online. Windows 7 users have been reporting that they are receiving a popup message that reads "You don't have permission to shut down this computer" every time they attempt to shut down or reboot their systems...

Windows 7 reached official end of life (EOL) on January 14, 2020 and is not scheduled to receive new fixes. Last month, Microsoft made an exception to this rule when it provided a fix for a bug that broke wallpaper display for Windows 7 users. Seeing that rebooting or shutting down your computer is a more important OS feature than wallpaper support, Microsoft will most likely need to make another exception and deliver a second post-EOL update pretty soon.

Android

Google Fixes No-User-Interaction Bug In Android's Bluetooth Component (zdnet.com) 22

An anonymous reader quotes a report from ZDNet: Google has patched this week a critical security flaw in Android's Bluetooth component. If left unpatched, the vulnerability can be exploited without any user interaction and can even be used to create self-spreading Bluetooth worms. Researchers said that exploiting the bug requires no user interaction. All that is required is that the user has Bluetooth enabled on his device. However, while this requirement would have limited the attack surface in past years, it does not today since modern Android OS versions ship with Bluetooth enabled by default and many Android users use Bluetooth-based headphones meaning the Bluetooth service is likely to be enabled on many handsets. The bug can lead to remote code execution and the hijacking of a device. Fixes for the bug are available via the Android February 2020 Security Bulletin, which has been available for download starting this week. Android 9 and earlier are impacted.
Software

NASA Safety Panel Calls For Reviews After Second Starliner Software Problem (spacenews.com) 83

A second software problem during a CST-100 Starliner test flight is prompting a NASA safety panel to recommend a review of Boeing's software verification processes. Space News reports: That new software problem, not previously discussed by NASA or Boeing, was discussed during a Feb. 6 meeting of NASA's Aerospace Safety Advisory Panel that examined the December uncrewed test flight of Starliner that was cut short by a timer error. That anomaly was discovered during ground testing while the spacecraft was in orbit, panel member Paul Hill said. "While this anomaly was corrected in flight, if it had gone uncorrected, it would have led to erroneous thruster firings and uncontrolled motion during [service module] separation for deorbit, with the potential for a catastrophic spacecraft failure," he said.

The exact cause of the failure remains under investigation by Boeing and NASA, who are also still examining the timer failure previously reported. Those problems, Hill said, suggested broader issues with how Boeing develops and tests the software used by the spacecraft. "The panel has a larger concern with the rigor of Boeing's verification processes," he said. The panel called for reviews of Boeing's flight software integration and testing processes. "Further, with confidence at risk for a spacecraft that is intended to carry humans in space, the panel recommends an even broader Boeing assessment of, and corrective actions in, Boeing's [systems engineering and integration] processes and verification testing." The panel added that all those investigations and reviews be completed as "required input for a formal NASA review to determine flight readiness for either another uncrewed flight test or proceeding directly to a crewed test flight."

Security

Serious Flaw That Lurked In Sudo For 9 Years Hands Over Root Privileges (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: Sudo, a utility found in dozens of Unix-like operating systems, has received a patch for a potentially serious bug that allows unprivileged users to easily obtain unfettered root privileges on vulnerable systems. The vulnerability, tracked as CVE-2019-18634, is the result of a stack-based buffer-overflow bug found in versions 1.7.1 through 1.8.25p1. It can be triggered only when either an administrator or a downstream OS, such as Linux Mint and Elementary OS, has enabled an option known as pwfeedback. With pwfeedback turned on, the vulnerability can be exploited even by users who aren't listed in sudoers, a file that contains rules that users must follow when using the sudo command.

"Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled," an advisory published by sudo developers said. "The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password." The advisory lists two flaws that lead to the vulnerability. The first: pwfeedback isn't ignored as it should be when reading from something other than a terminal. As a result, the saved version of a line erase character remains at its initialized value of 0. The second contributor is that the code that erases the line of asterisks doesn't properly reset the buffer position if there is an error writing data. Instead, the code resets only the remaining buffer length. As a result, input can write past the end of the buffers. On systems with unidirectional pipes, an attempt to write to the read end of the pipe results in a write error. Because the remaining buffer length isn't reset correctly when line erasures produce such write errors, the stack buffer can be overflowed.
The report notes the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1. "Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical," reports Ars. "Those who can't update right away can prevent exploits by making sure pwfeedback is disabled."
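The advisory gives two preconditions, an affected version and pwfeedback turned on, and the second is the one an administrator can remove immediately. As an added audit script (not code from Ars or the sudo project), the following Python checks both against `sudo --version` output and sudoers text; the ordering of version suffixes (a `bN` beta sorts before the plain release, `pN` after it) is an assumption made here so that 1.8.26b1 counts as fixed, as the report states.

```python
import re
import subprocess

# Affected range from the advisory: 1.7.1 through 1.8.25p1, fixed from 1.8.26b1 on.
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:([pb])(\d+))?')
# Suffix ordering assumed here: 'bN' (beta) < plain release < 'pN' (patch level).
_KIND = {'b': 0, None: 1, 'p': 2}


def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.25p1' (or a bare '1.8.26b1') into a comparable
    tuple (major, minor, patch, kind, n). Only the first version string is
    used, which is the policy version on the first line of `sudo --version`."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no sudo version found in %r" % text)
    major, minor, patch, kind, n = m.groups()
    return (int(major), int(minor), int(patch), _KIND[kind], int(n or 0))


VULN_FIRST = parse_sudo_version("1.7.1")
VULN_LAST = parse_sudo_version("1.8.25p1")


def pwfeedback_enabled(sudoers_text):
    """True if the last applicable 'Defaults' entry turns pwfeedback on.
    Handles 'Defaults pwfeedback', the negation 'Defaults !pwfeedback',
    comma-separated option lists and '#' comments. Scoped entries
    (Defaults:user, Defaults@host, Defaults!cmd) are counted as enabling,
    which errs on the side of reporting a finding. Compiled-in default is off."""
    enabled = False
    for raw in sudoers_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line.startswith('Defaults'):
            continue
        m = re.match(r'^([:@>!]\S+)?\s+(.*)$', line[len('Defaults'):])
        if not m:
            continue
        for opt in (o.strip() for o in m.group(2).split(',')):
            if opt == 'pwfeedback':
                enabled = True
            elif opt == '!pwfeedback':
                enabled = False
    return enabled


def assess(version_output, sudoers_text):
    """Combine the advisory's two conditions and return the flags plus a verdict:
    'vulnerable' (both hold), 'affected-version' (exploit precondition absent,
    still upgrade), or 'not-affected'."""
    v = parse_sudo_version(version_output)
    in_range = VULN_FIRST <= v <= VULN_LAST
    feedback = pwfeedback_enabled(sudoers_text)
    if in_range and feedback:
        verdict = "vulnerable"        # upgrade, or set 'Defaults !pwfeedback' now
    elif in_range:
        verdict = "affected-version"
    else:
        verdict = "not-affected"
    return {"version": v, "in_range": in_range, "pwfeedback": feedback, "verdict": verdict}


if __name__ == "__main__":
    # Live check. Reading /etc/sudoers needs root, and files under
    # /etc/sudoers.d are not followed here; append them in include order
    # for a complete answer.
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
        with open("/etc/sudoers") as fh:
            sudoers = fh.read()
    except OSError as exc:
        raise SystemExit("cannot run live check: %s" % exc)
    print(assess(out, sudoers))
```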
Chrome

Google Cuts Chrome 'Patch Gap' in Half, From 33 Days To 15 (zdnet.com) 10

Google security engineers said last week they have successfully cut down the "patch gap" in Google Chrome from 33 days to only 15 days. From a report: The term "patch gap" refers to the time it takes from when a security bug is fixed in an open source library to when the same fix lands in software that uses that particular library. In today's software landscape where many apps rely on open source components, the "patch gap" is considered a major security risk. The reason is because when a security bug is fixed in an open source library, details about that bug become public, primarily due to the public nature and openness of most open source projects. Hackers can then use details about these security flaws to craft exploits and launch attacks against software that relies on the vulnerable component, before the software maker has a chance to release a patch. If the software maker is on a fixed release schedule, with updates coming out every few weeks or months, the patch gap can provide hackers with an attack window that most software projects can't deal with.
Google

Google May Have Shared Your Videos With Strangers (betanews.com) 17

If you used Google Takeout to download an archive of your Google Photos content, there's a chance that someone else may have ended up with your videos. From a report: The company has admitted that for a few days in November last year, "some videos in Google Photos were exported to unrelated users' archives." This means that not only could your videos have ended up on a stranger's computer, but also that you may have received random videos belonging to someone else. Google is not making much of the "technical issue" which it says has now been resolved. But the company apologizes for the "inconvenience" that may have been caused for people downloading their Google Photos archive between November 21 and 25, 2019.
Bug

OpenBSD Mail Server Bug Allowed Remotely Executing Shell Commands As Root (zdnet.com) 39

This week a remotely-exploitable vulnerability (granting root privileges) was discovered in OpenSMTPD (OpenBSD's implementation of server-side SMTP).

ZDNet notes that the library's "portable" version "has also been incorporated into other OSes, such as FreeBSD, NetBSD, and some Linux distros, such as Debian, Fedora, Alpine Linux, and more." To exploit this issue, an attacker must craft and send malformed SMTP messages to a vulnerable server... OpenSMTPD developers have confirmed the vulnerability and released a patch earlier Wednesday -- OpenSMTPD version 6.6.2p1...

The good news is that the bug was introduced in the OpenSMTPD code in May 2018 and that many distros may still use older library versions, not affected by this issue. For example, only in-dev Debian releases are affected by this issue, but not Debian stable branches, which ship with older OpenSMTPD versions.

Technical details and proof of concept exploit code are available in the Qualys CVE-2020-7247 security advisory.

Hackaday has a more detailed description of the vulnerability, while the Register looks at the buggy C code.

Interestingly, Qualys researchers exploited this vulnerability using a technique from the Morris Worm of 1988.
Social Networks

Social Media Boosting Service Exposed Thousands of Instagram Passwords (techcrunch.com) 11

An anonymous reader quotes a report from TechCrunch: A social media boosting startup, which bills itself as a service to increase a user's Instagram followers, has exposed thousands of Instagram account passwords. The company, Social Captain, says it helps thousands of users to grow their Instagram follower counts by connecting their accounts to its platform. Users are asked to enter their Instagram username and password into the platform to get started. But TechCrunch learned this week Social Captain was storing the passwords of linked Instagram accounts in unencrypted plaintext. Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.

Making matters worse, a website bug allowed anyone access to any Social Captain user's profile without having to log in -- simply plugging in a user's unique account ID into the company's web address would grant access to their Social Captain account -- and their Instagram login credentials. Because the user account IDs were for the most part sequential, it was possible to access any user's account and view their Instagram password and other account information with relative ease.
The security researcher who reported the vulnerability provided a spreadsheet of about 10,000 scraped user accounts to TechCrunch.

"The spreadsheet contained about 4,700 complete sets of Instagram usernames and passwords," the report says. "The rest of the records contained just the user's name and their email address."
Security

Google Has Paid Security Researchers Over $21 Million for Bug Bounties, $6.5 Million in 2019 Alone (venturebeat.com) 18

An anonymous reader shares a report: Google has paid out over $21 million since launching its bug bounty program in November 2010. In the past year alone, the company distributed $6.5 million to 461 different security researchers, almost double the previous record set in 2018: $3.4 million to 317 different security researchers. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.
Privacy

LabCorp Security Lapse Exposed Thousands of Medical Documents (techcrunch.com) 15

A security flaw in LabCorp's website exposed thousands of medical documents, like test results containing sensitive health data. From a report: It's the second incident in the past year after LabCorp said in June that 7.7 million patients had been affected by a credit card data breach of a third-party payments processor. The breach also hit several other laboratory testing companies, including Quest Diagnostics. This latest security lapse was caused by a vulnerability on a part of LabCorp's website, understood to host the company's internal customer relationship management system. Although the system appeared to be protected with a password, the part of the website designed to pull patient files from the back-end system was left exposed. That unprotected web address was visible to search engines and was later cached by Google, making it accessible to anyone who knew where to look. The cached search result only returned one document -- a document containing a patient's health information. But changing and incrementing the document number in the web address made it possible to access other documents. The bug is now fixed.
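Both the Social Captain and LabCorp lapses above follow the same pattern: the record id in the URL is trusted and no check is made that the caller is entitled to that record, so incrementing the id walks through other people's data. As an added example (not code from either company or from TechCrunch), here is the vulnerable handler shape beside a hardened one in Python; the in-memory store, session table and record contents are constructed for the demonstration.

```python
import secrets


class Forbidden(Exception):
    """Raised when the request carries no valid session."""


# Constructed stand-ins for a back-end record store and session table; not
# data from either incident. Sequential integer ids are the property that
# made the real records enumerable.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "record belonging to alice"},
    1002: {"owner": "bob",   "body": "record belonging to bob"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def fetch_document_vulnerable(doc_id):
    """The pattern behind both incidents: the handler trusts the id from the
    URL and consults neither a session nor an owner field, so any record that
    exists is served to whoever asks for it."""
    return DOCUMENTS[doc_id]["body"]


def fetch_document(session_token, doc_id):
    """Hardened handler. Identity comes from the session, never from the URL,
    and the record is served only if that identity owns it. 'Missing' and
    'not yours' both return None so the response does not confirm whether a
    given id exists."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != user:
        return None
    return doc["body"]


def new_document_id():
    """Opaque, unguessable id for new records (128 bits from the OS CSPRNG).
    Defence in depth only: it stops casual enumeration but does not replace
    the ownership check above, since ids still travel in URLs and logs."""
    return secrets.token_urlsafe(16)


def private_response_headers():
    """Headers for any response carrying account or patient data, so caches
    and crawlers do not retain or index it (the LabCorp document was reached
    through a Google-cached search result)."""
    return {"Cache-Control": "no-store, private",
            "X-Robots-Tag": "noindex, nofollow"}
```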
Government

Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs (arstechnica.com) 85

A proposed law introduced in Maryland's state senate last week would criminalize the possession of ransomware, along with a range of other computer-related offenses. However, CEO of Luta Security Katie Moussouris warns that the current bill "would prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored." Ars Technica reports: The bill, Senate Bill 3, covers a lot of ground already covered by U.S. Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000. The bill also states (in all capital letters in the draft) that "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."

Additionally, the bill would outlaw unauthorized intentional access or attempts to access "all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed." It also would criminalize under Maryland law any act intended to "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data, or "possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person." There are no research exclusions in the bill for these provisions.
"While access or attempted access would be a misdemeanor (punishable by a fine of $1,000, three years of imprisonment, or both), breaching databases would be a felony if damages were determined to be greater than $10,000 -- punishable by a sentence of up to 10 years, a fine of $10,000, or both," the report adds. "The punishments go up if systems belonging to the state government, electric and gas utilities, or public utilities are involved, with up to 10 years of imprisonment and a $25,000 fine if more than $50,000 in damage is done."
Microsoft

Microsoft Says it Will Release Black Desktop Bug Fix To All Windows 7 Users For Free (betanews.com) 41

Mark Wycislik-Wilson, writing for BetaNews: Some Windows 7 users who installed the KB4534310 update found that their desktops turned black. With the operating system having now reached end of life, the company said that it would only make a fix available to organizations paying for Windows 7 Extended Security Updates (ESU). But Microsoft has changed its mind. It now says that it will make a patch available for all Windows 7 users, addressing the bug introduced by the last ever freely available Windows 7 update. As we reported the other day, Microsoft had already suggested some workarounds for the black desktop problem. The company had said that it was working on a fix that would be released next month: "We are working on a resolution and estimate a solution will be available in mid-February for organizations who have purchased Windows 7 Extended Security Updates (ESU)."
Security

Do Proof-of-Concept Exploits Do More Harm Than Good? (threatpost.com) 37

secwatcher writes: When it comes to the release of proof-of-concept (PoC) exploits, more security experts agree that the positives outweigh the negatives, according to a recent and informal Threatpost poll.

In fact, almost 60 percent of 230 security pundits thought it was a "good idea" to publish PoC code for zero days. Up to 38 percent of respondents, meanwhile, argued it wasn't a good idea.

Dr. Richard Gold, head of security engineering at Digital Shadows, told Threatpost that PoC code makes it easier for security teams to do penetration testing: "Rather than having to rely on vendor notifications or software version number comparisons, a PoC allows the direct verification of whether a particular system is exploitable," Gold told Threatpost. "This ability to independently verify an issue allows organizations to better understand their exposure and make more informed decisions about remediation." In fact, up to 85 percent of respondents said that the release of PoC code acts as an "effective motivator" to push companies to patch. Seventy-nine percent say that the disclosure of a PoC exploit has been "instrumental" in preventing an attack. And, 85 percent of respondents said that a PoC code release is acceptable if a vendor won't fix a bug in a timely manner...

On the flip-side of the argument, many argue that the release of the Citrix PoC exploits was a bad idea. They say attacks attempting to exploit the vulnerability skyrocketed as bad actors rushed to exploit the vulnerabilities before they were patched... Matt Thaxton, senior consultant at Crypsis Group, thinks that the "ultimate function of a PoC is to lower the bar for others to begin making use of the exploit... In many cases, PoCs are put out largely for the notoriety/fame of the publisher and for the developer to 'flex' their abilities...."

This issue of a PoC exploit timeline also brings up important questions around patch management for companies dealing with the fallout of publicly-released code. Some, like Thaxton, say that PoC exploit advocates fail to recognize the complexity of patching large environments: "I believe the release of PoC code functions more like an implied threat to anyone that doesn't patch: 'You'd better patch . . . or else,'" he said. "This kind of threat would likely be unacceptable outside of the infosec world. This is even more obvious when PoCs are released before or alongside a patch for the vulnerability."

And Joseph Carson, chief security scientist at Thycotic, tells them "Let's be realistic, once a zero-day is known, it is only a matter of time before nation states and cybercriminals are abusing them."
Networking

Cisco Warns: Patch This Critical Firewall Bug in Firepower Management Center (zdnet.com) 5

"Cisco is urging customers to update its Firepower Management Center software," ZDNet reported Thursday, "after users informed it of a critical bug that attackers could exploit over the internet." Like many Cisco bugs, the flaw was found in the web-based management interface of its software. The bug has a severity rating of 9.8 out of a possible 10 and means admins should patch sooner rather than later.

The vulnerability is caused by a glitch in the way Cisco's software handles Lightweight Directory Access Protocol (LDAP) authentication responses from an external authentication server. Remote attackers could exploit the flaw by sending specially crafted HTTP requests to the device. Devices are vulnerable if they've been configured to authenticate users of the web interface through an external LDAP server...

How customers should remediate the issue will depend on which release of Firepower Management Center (FMC) they're running. There is no workaround, but hotfix patches are available for several new releases of FMC, and maintenance releases that address the flaw are scheduled for later this year. "Customers may install a fix either by upgrading to a fixed release or by installing a hotfix patch," Cisco notes...

Cisco also disclosed seven high-severity flaws and 19 medium-severity security issues.

This FMC critical flaw follows updates made available earlier this month for three critical flaws affecting Cisco's Data Center Network Manager software. The researcher who reported the flaw has released proof-of-concept exploit code, but Cisco says it is not aware of any malicious use of the flaws.

Mars

Mars Rover Temporarily Froze In Place Following Software Error (extremetech.com) 45

UPDATE (1/25/2018): NASA has successfully unfrozen Curiosity, which will now live to rove another day.

But here's the original report shared by a reader detailing what the concerns were: NASA reports that Curiosity has suffered a system failure that left the robot unaware of its position and attitude on the red planet. Until it recovers, Curiosity is frozen in place. Mars is far enough away that we can't directly control Curiosity in real-time -- the rover gets batches of commands and then carries them out. That means it needs to have precise awareness of the state of all its joints, as well as environmental details like the location of nearby obstacles and the slope of the ground. This vital information ensures the rover doesn't bump anything with its arm or clip large rocks as it rolls along.

Curiosity stores all this attitude data in memory, but something went wrong during operations several days ago. As the rover was carrying out its orders, it suddenly lost track of its orientation. The attitude data didn't add up, so Curiosity froze in place to avoid damaging itself. While the rover is physically stuck in place, it's still in communication with the team here on Earth. Since everything else is working on the rover, NASA was able to develop a set of instructions that should get the rover moving again. When transmitted, the data will inform Curiosity of its attitude and confirm its current state. This should allow the rover to recover and keep performing its safety checks. However, NASA also hopes to gather data on what caused the issue in the first place. The hope is they can avoid another freeze-up in the future.

Music

Sonos CEO Apologizes For Confusion, Says Legacy Products Will Work 'As Long As Possible' (theverge.com) 38

On Tuesday, Sonos announced that come May 2020, a number of its older products will no longer receive software updates. Naturally, this frustrated many longtime customers, prompting Sonos CEO Patrick Spence to issue a statement to try to clear up the confusion. The Verge reports: "We heard you," is how Spence begins the letter to customers. "We did not get this right from the start." Spence apologizes for any confusion and reiterates that the so-called legacy products will "continue to work as they do today." "Many of you have invested heavily in your Sonos systems, and we intend to honor that investment for as long as possible."

Similarly, Spence pledges that Sonos will deliver bug fixes and security patches to legacy products "for as long as possible" -- without any hard timeline. Most interesting, he says "if we run into something core to the experience that can't be addressed, we'll work to offer an alternative solution and let you know about any changes you'll see in your experience." The letter from Sonos' CEO doesn't retract anything that the company announced earlier this week; Spence is just trying to be as clear as possible about what's happening come May. Spence again confirms that Sonos is planning a way for customers to fork any legacy devices they might own off of their main Sonos system with more modern speakers. (Sonos architected its system so that all devices share the same software. Once one product is no longer eligible for updates, the whole setup stops receiving them. This workaround is designed to avoid that problem.)
