Windows

German Government To Pay Over $850,000 in Windows 7 ESU Fees This Year (zdnet.com)

Running an outdated operating system will cost Germany some additional fees. The German federal government stands to pay at least $886,000 this year to Microsoft, according to local media. ZDNet: The sum represents support fees for over 33,000 government workstations that are still running Windows 7, a Microsoft operating system that reached end of support (EoS) on January 14, and for which Microsoft has stopped providing free security updates and bug fixes. Last year, Redmond announced a paid program for governments and enterprise partners. The program, named Windows 7 Extended Security Updates (ESU), would provide paid access to Windows 7 security updates until January 10, 2023. ESU updates, for which the German government has recently signed up, cost between $25 and $200 per workstation, depending on the Windows 7 version a company is running (Enterprise or Pro) and the amount of time they'll need the updates.
Communications

Smart Scale Goes Dumb As Under Armour Pulls the Plug On Connected Tech (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Today's example of smart stuff going dumb comes courtesy of Under Armour, which is effectively rendering its fitness hardware line very expensive paperweights. The company quietly pulled its UA Record app from both Google Play and Apple's App Store on New Year's Eve. In an announcement dated sometime around January 8, Under Armour said that not only has the app been removed from all app stores, but the company is no longer providing customer support or bug fixes for the software, which will completely stop working as of March 31.

Under Armour launched its lineup of connected fitness devices in 2016. The trio of trackers included a wrist-worn activity monitor, a smart scale, and a chest-strap-style heart rate monitor. The scale and wristband retailed at $180 each, with the heart monitor going for $80. Shoppers could buy all three together in a $400 bundle called the UA HealthBox. The end of the road is nigh, it seems, and all three products are about to meet their doom as Under Armour kills off Record for good. Users are instead expected to switch to MapMyFitness, which Under Armour bills as "an even better tracking experience." The company also set the UA Record Twitter account to private, effectively taking it offline to anyone except the 133 accounts it follows. Current device owners also can't export all their data. While workout data can be exported and transferred to some other tracking app, Record users cannot capture weight or other historical data to carry forward with them.

Wine

Wine 5.0 Released (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Wine 5.0 has been released today and contains over 7,400 bug fixes and numerous audio and graphics improvements that will increase performance in gaming on Linux. With the release of Wine 5.0, WineHQ hopes to resolve many of these issues, with the main improvements being:

-Builtin modules in PE format: To make games think Wine is a real Windows environment, most Wine 5.0 modules have been converted into the PE format rather than ELF binaries. It is hoped that this will allow copy-protection and anti-cheat programs to not flag games running under Wine as being modified.
-Multi-monitor support: Multiple display adapters and multi-monitor configurations are now supported under Wine.
-XAudio2 reimplementation: XAudio2 libraries have been added back to Wine and will use the FAudio library for better compatibility.
-Vulkan 1.1 support: "The Vulkan driver supports up to version 1.1.126 of the Vulkan spec."
Here are the release notes, download locations for the binary packages (when available) and source.
Security

Researchers Find Serious Flaws In WordPress Plugins Used On 400K Sites (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected. The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. It allows administrators to manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete contents, add new accounts, and carry out a wide range of other malicious tasks.

The critical flaw in WP Time Capsule also leads to an authentication bypass that allows unauthenticated attackers to log in as an administrator. WP Time Capsule, which runs on about 20,000 sites, is designed to make backing up website data easier. By including a string in a POST request, attackers can obtain a list of all administrative accounts and automatically log in to the first one. The bug has been fixed in version 1.21.16. Sites running earlier versions should update right away. Web security firm WebARX has more details.

The last vulnerable plugin is WP Database Reset, which is installed on about 80,000 sites. One flaw allows any unauthenticated person to reset any table in the database to its original WordPress state. The bug is caused by reset functions that aren't secured by the standard capability checks or security nonces. Exploits can result in the complete loss of data or a site reset to the default WordPress settings. A second security flaw in WP Database Reset causes a privilege-escalation vulnerability that allows any authenticated user -- even those with minimal system rights -- to gain administrative rights and lock out all other users. All site administrators using this plugin should update to version 3.15, which patches both vulnerabilities. Wordfence has more details about both flaws here.

Security

Proof-of-Concept Exploits Published for the Microsoft-NSA Crypto Bug (zdnet.com)

Security researchers have published proof-of-concept (PoC) code for exploiting a recently-patched vulnerability in the Windows operating system, a vulnerability that has been reported to Microsoft by the US National Security Agency (NSA). From a report: The bug, which some have started calling CurveBall, impacts CryptoAPI (Crypt32.dll), the component that handles cryptographic operations in the Windows OS. According to a high-level technical analysis of the bug from cyber-security researcher Tal Be'ery, "the root cause of this vulnerability is a flawed implementation of the Elliptic Curve Cryptography (ECC) within Microsoft's code." According to the NSA, the DHS, and Microsoft, when exploited, this bug (tracked as CVE-2020-0601) can allow an attacker to: 1. Launch MitM (man-in-the-middle) attacks and intercept and fake HTTPS connections. 2. Fake signatures for files and emails. 3. Fake signed-executable code launched inside Windows.
Bug

CNCF, Google, and HackerOne Launch Kubernetes Bug Bounty Program

An anonymous reader quotes a report from VentureBeat: The Cloud Native Computing Foundation (CNCF) today announced it is funding a bug bounty program for Kubernetes. Security researchers who find security vulnerabilities in Kubernetes' codebase, as well as the build and release processes, will be rewarded with bounties ranging from $100 to $10,000. Bug bounty programs motivate individuals and hacker groups to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Originally designed by Google and now run by the CNCF, Kubernetes is an open source container orchestration system for automating application deployment, scaling, and management. Given the hundreds of startups and enterprises that use Kubernetes in their tech stacks, it's significantly cheaper to proactively plug security holes than to deal with the aftermath of breaches.
Windows

Cryptic Rumblings Ahead of First 2020 Patch Tuesday (krebsonsecurity.com)

Brian Krebs: Sources tell KrebsOnSecurity that Microsoft is slated to release a software update on Tuesday to fix an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows. Those sources say Microsoft has quietly shipped a patch for the bug to branches of the U.S. military and to other high-value customers/targets that manage key Internet infrastructure, and that those organizations have been asked to sign agreements preventing them from disclosing details of the flaw prior to Jan. 14, the first Patch Tuesday of 2020. According to sources, the vulnerability in question resides in a Windows component known as crypt32.dll, a Windows module that Microsoft says handles "certificate and cryptographic messaging functions in the CryptoAPI." The Microsoft CryptoAPI provides services that enable developers to secure Windows-based applications using cryptography, and includes functionality for encrypting and decrypting data using digital certificates. NSA said on Tuesday that it spotted the vulnerability and reported it to Microsoft. NSA said Microsoft will report later today that it has seen no active exploitation of this vulnerability. NSA's Director of Cybersecurity, Anne Neuberger, says the critical cryptographic vulnerability resides in Windows 10 and Windows Server 2016, and that the concern about this particular flaw is that it "makes trust vulnerable."
Security

Unpatched Citrix Vulnerability Now Exploited, Patch Weeks Away

An anonymous reader quotes a report from Ars Technica: On December 16, 2019, Citrix revealed a vulnerability in the company's Application Delivery Controller and Gateway products -- commercial virtual-private-network gateways formerly marketed as NetScaler and used by tens of thousands of companies. The flaw, discovered by Mikhail Klyuchnikov of Positive Technologies, could give an attacker direct access to the local networks behind the gateways from the Internet without the need for an account or authentication, using a crafted Web request. Citrix has published steps to reduce the risk of the exploit. But these steps, which simply configure a responder to handle requests using the text that targets the flaw, break under some circumstances and might interfere with access to the administration portal for the gateways by legitimate users. A permanent patch will not be released until January 20. And as of January 12, over 25,000 servers remain vulnerable, based on scans by Bad Packets.

This is not surprising, considering the number of Pulse Secure VPNs that have not yet been patched over six months after a fix was made available, despite Pulse Secure executives saying that they have "worked aggressively" to get customers to patch that vulnerability. And given that vulnerable Pulse Secure servers have been targeted now for ransomware attacks, the same will likely be true for unprotected Citrix VPN servers -- especially since last week, proof-of-concept exploits of the vulnerability began to appear, including at least two published on GitHub, as ZDNet's Catalin Cimpanu reported.
"The vulnerability allows the remote execution of commands in just two HTTP requests, thanks to a directory traversal bug in the implementation of the gateway's Web interface," the report adds. "The attacks use a request for the directory '/vpn/../vpns/' to fool the Apache Web server on the gateway to point to the '/vpns/' directory without authentication. The attacks then inject a command based on the template returned from the first request."

You can check for the vulnerability here.
Bug

This Year's Y2K20 Bug Came Directly From 'A Lazy Fix' to the Y2K Bug (newscientist.com)

Slashdot reader The8re still remembers the Y2K bug. Now he shares a New Scientist article explaining how it led directly to this year's Y2020 bug -- which affected more than just parking meters: WWE 2K20, a professional wrestling video game, also stopped working at midnight on 1 January 2020. Within 24 hours, the game's developers, 2K, issued a downloadable fix. Another piece of software, Splunk, which ironically looks for errors in computer systems, was found to be vulnerable to the Y2020 bug in November. The company rolled out a fix to users the same week -- which include 92 of the Fortune 100, the top 100 companies in the US....

The Y2020 bug, which has taken many payment and computer systems offline, is a long-lingering side effect of attempts to fix the Y2K, or millennium bug. Both stem from the way computers store dates. Many older systems express years using two numbers -- 98, for instance, for 1998 -- in an effort to save memory. The Y2K bug was a fear that computers would treat 00 as 1900, rather than 2000. Programmers wanting to avoid the Y2K bug had two broad options: entirely rewrite their code, or adopt a quick fix called "windowing", which would treat all dates from 00 to 20, as from the 2000s, rather than the 1900s. An estimated 80 percent of computers fixed in 1999 used the quicker, cheaper option. "Windowing, even during Y2K, was the worst of all possible solutions because it kicked the problem down the road," says Dylan Mulvin at the London School of Economics....

Another date storage problem also faces us in the year 2038. The issue again stems from Unix's epoch time: the data is stored as a 32-bit integer, which will run out of capacity at 3.14 am on 19 January 2038.
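The two failure modes the article describes, as an added illustration that is not from the New Scientist piece: a fixed-pivot window of the kind used in 1999, a sliding window shown for contrast as the usual alternative, and the point at which a signed 32-bit Unix timestamp runs out.

```python
"""Two-digit-year 'windowing' and the 32-bit epoch limit.

Added example, not code from the article. The fixed pivot follows the
article's description (00..pivot -> 2000s, the rest -> 1900s); the
sliding-window variant is a common alternative, included for contrast.
"""
from datetime import datetime, timezone

FIXED_PIVOT = 20        # last two-digit year mapped into the 2000s
INT32_MAX = 2 ** 31 - 1  # largest value a signed 32-bit time_t can hold


def window_year_fixed(yy: int, pivot: int = FIXED_PIVOT) -> int:
    """Expand a two-digit year with a fixed pivot, as many 1999 fixes did.

    Every year after `pivot` is pushed back into the 1900s, so the fix
    silently expires once the calendar passes the pivot.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    return 2000 + yy if yy <= pivot else 1900 + yy


def window_year_sliding(yy: int, today_year: int, lookback: int = 50) -> int:
    """Expand a two-digit year relative to the current year.

    Interprets yy as the unique year in
    [today_year - lookback, today_year - lookback + 99], so the window moves
    forward every year instead of expiring on a fixed date.
    """
    if not 0 <= yy <= 99:
        raise ValueError("two-digit year expected")
    floor = today_year - lookback
    candidate = (floor // 100) * 100 + yy
    if candidate < floor:
        candidate += 100
    return candidate


def fits_int32_epoch(ts: int) -> bool:
    """True if a Unix timestamp can be stored in a signed 32-bit integer."""
    return -(2 ** 31) <= ts <= INT32_MAX


def wrap_int32(ts: int) -> int:
    """What a naive signed 32-bit store does to an out-of-range timestamp."""
    return ((ts + 2 ** 31) % 2 ** 32) - 2 ** 31


def int32_epoch_overflow() -> datetime:
    """The last instant representable as a signed 32-bit Unix timestamp."""
    return datetime.fromtimestamp(INT32_MAX, tz=timezone.utc)


if __name__ == "__main__":
    for yy in (0, 19, 20, 21, 99):
        print(f"{yy:02d} -> fixed {window_year_fixed(yy)}, "
              f"sliding {window_year_sliding(yy, today_year=2020)}")
    print("32-bit time_t ends at", int32_epoch_overflow().isoformat())
    print("one second later stores as", wrap_int32(INT32_MAX + 1))
```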

Facebook

A Facebook Bug Exposed Anonymous Admins of Pages (wired.com)

An anonymous reader quotes a report from Wired: Facebook Pages give public figures, businesses, and other entities a presence on Facebook that isn't tied to an individual profile. The accounts behind those pages are anonymous unless a Page owner opts to make the admins public. You can't see, for example, the names of the people who post to Facebook on WIRED's behalf. But a bug that was live from Thursday evening until Friday morning allowed anyone to easily reveal the accounts running a Page, essentially doxing anyone who posted to one. All software has flaws, and Facebook quickly pushed a fix for this one -- but not before word got around on message boards like 4chan, where people posted screenshots that doxed the accounts behind prominent pages. All it took to exploit the bug was opening a target page and checking the edit history of a post. Facebook mistakenly displayed the account or accounts that made edits to each post, rather than just the edits themselves.

Facebook says the bug was the result of a code update that it pushed Thursday evening. Facebook points out that no information beyond a name and public profile link were available, but that information isn't supposed to appear in the edit history at all. And for people, say, running anti-regime Pages under a repressive government, making even that much information public is plenty alarming.

Mozilla

Mozilla Says a New Firefox Security Bug is Under Active Attack (techcrunch.com)

Mozilla has warned Firefox users to update their browser to the latest version after security researchers found a vulnerability that hackers were actively exploiting in "targeted attacks" against users. From a report: The vulnerability, found by Chinese security company Qihoo 360, was in Firefox's just-in-time compiler. The compiler is tasked with speeding up performance of JavaScript to make websites load faster. But researchers found that the bug could allow malicious JavaScript to run outside of the browser on the host computer. In practical terms, that means an attacker can quietly break into a victim's computer by tricking the victim into accessing a website running malicious JavaScript code. But Qihoo did not say precisely how the bug was exploited, who the attackers were, or who was targeted.
Security

Starbucks Devs Leave API Key in GitHub Public Repo (bleepingcomputer.com)

"One misstep from developers at Starbucks left exposed an API key that could be used by an attacker to access internal systems and manipulate the list of authorized users," reports Bleeping Computer: Vulnerability hunter Vinoth Kumar reported the oversight on October 17 and close to three weeks later Starbucks responded it demonstrated "significant information disclosure" and that it qualified for a bug bounty... Along with identifying the GitHub repository and specifying the file hosting the API key, Kumar also provided proof-of-concept (PoC) code demonstrating what an attacker could do with the key. Apart from listing systems and users, adversaries could also take control of the Amazon Web Services (AWS) account, execute commands on systems, and add or remove users with access to the internal systems.

Once Starbucks was content with the remediation steps taken, the company paid Kumar a $4,000 bounty for the disclosure, which is the maximum reward for critical vulnerabilities. Most bounties from Starbucks are between $250-$375. The company solved 834 reports since launching the bug bounty program in 2016, and 369 of them were reported in the past three months. For them, Starbucks spent $40,000.

Education

How Should Students Respond To Their School's Surveillance Systems? (gizmodo.com.au)

Hundreds of thousands of American students are being tracked by their colleges to monitor attendance, analyze behavior and assess their mental health, the Washington Post reported this week. That article has now provoked some responses...

Jay Balan, chief security researcher at Bitdefender, told Gizmodo that the makers of the student-tracking apps should at least offer bug bounties and disclose their source code -- while rattling off easily foreseeable scenarios like the stalking of students. Gizmodo notes one app's privacy policy actually allows them to "collect or infer" students' approximate location -- even when students have turned off location tracking -- and allows third parties to "set and access their own tracking technologies on your devices."

And cypherpunk Lance R. Vick tweeted in response to the article, "If you are at one of these schools asking you to install apps on your phone to track you, hit me up for some totally hypothetical academic ideas..."

Gizmodo took him up on his offer -- and here's a bit of what he said: Students could reverse engineer the app to develop their own app beacon emulators to tell the tracking beacons that all students are present all the time. They could also perhaps deploy their own rogue tracking beacons to publish the anonymised attendance data for all students to show which teachers are the most boring as evidenced by lack of attendance. If one was hypothetically in an area without laws against harmful radio interference (like outside the U.S.) they could use one of many devices on the market to disrupt all Bluetooth communications in a target area so no one gets tracked... If nothing else, you could potentially just find a call in the API that takes a bit longer to come back than the rest. This tells you it takes some amount of processing on their side. What happens if you run that call a thousand times a second? Or only call it partway over and over again? This often brings poorly designed web services to a halt very quickly...

Assuming explorations on the endpoints like the phone app or beacon firmware fail you could still potentially learn useful information exploring the wireless traffic itself using popular SDR tools like a HackRF, Ubertooth, BladeRF. Here you potentially see how often they transmit, what lives in each packet, and how you might convert your own devices, perhaps a Raspberry Pi with a USB Bluetooth dongle, to be a beacon of your own.

Anyone doing this sort of thing should check their local and federal laws and approach it with caution. But these exact sorts of situations can, for some, be the start of a different type of education path -- a path into security research. Bypassing annoying digital restrictions at colleges was a part of how I got my start, so maybe a new generation can do similar. :)

Gizmodo calls his remarks "hypothetical hacking that you (a student with a bright future who doesn't want any trouble) should probably not do because you might be breaking the law."

But then how should students respond to their school's surveillance systems?
Transportation

Mazda3 Bug Activates Emergency Brake System For No Reason (engadget.com)

Mazda says "incorrect programming" in its Smart Braking System (SBS) can make fourth-generation Mazda 3 vehicles falsely detect an object in their path while driving and automatically apply the brakes. "The problem affects 35,390 2019 and 2020 model year cars in the U.S., but Mazda says it is not aware of any injuries or deaths as a result of the defect," reports Engadget. From the report: If the issue occurs, the driver will notice because their car has suddenly stopped, and also as an alarm sounds and a message is displayed on the in-car warning screen. Some Reddit posters report experiencing situations of the system activating while driving with nothing around, and note that while the system can be disabled, it appears to re-enable itself every time the car starts.

Autoblog reports that while some vehicles will simply need to have the system updated or reprogrammed, certain cars with early build dates might need to have their entire instrument cluster replaced or reprogrammed. It's a scary issue, but we've seen Mazda update its cars software to deal with real-life bugs, and the newly-redesigned Mazda3 has already seen a recall to make sure its wheels don't fall off.

Bug

A Twitter App Bug Was Used To Match 17 Million Phone Numbers To User Accounts (techcrunch.com)

Security researcher Ibrahim Balic said he has matched 17 million phone numbers to Twitter user accounts by exploiting a flaw in Twitter's Android app. TechCrunch reports: Ibrahim Balic found that it was possible to upload entire lists of generated phone numbers through Twitter's contacts upload feature. "If you upload your phone number, it fetches user data in return," he told TechCrunch. He said Twitter's contact upload feature doesn't accept lists of phone numbers in sequential format -- likely as a way to prevent this kind of matching. Instead, he generated more than two billion phone numbers, one after the other, then randomized the numbers, and uploaded them to Twitter through the Android app. (Balic said the bug did not exist in the web-based upload feature.)

Over a two-month period, Balic said he matched records from users in Israel, Turkey, Iran, Greece, Armenia, France and Germany, but stopped after Twitter blocked the effort on December 20. Balic provided TechCrunch with a sample of the phone numbers he matched. Using the site's password reset feature, we verified his findings by comparing a random selection of usernames with the phone numbers that were provided. While he did not alert Twitter to the vulnerability, he took many of the phone numbers of high-profile Twitter users -- including politicians and officials -- to a WhatsApp group in an effort to warn users directly.
A Twitter spokesperson told TechCrunch the company was working to "ensure this bug cannot be exploited again."

"Upon learning of this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from use of Twitter's APIs," the spokesperson said.
Social Networks

Twitter Bans Animated PNG Files After Online Attackers Targeted Users With Epilepsy (theverge.com)

Twitter is banning animated PNG image files (APNGs) from its platform, after an attack on the Epilepsy Foundation's Twitter account sent out similar animated images that could potentially cause seizures in photosensitive people. The Verge reports: Twitter discovered a bug that allowed users to bypass its autoplay settings, and allow several animated images in a single tweet using the APNG file format. "We want everyone to have a safe experience on Twitter," the company says in a tweet from the Twitter Accessibility handle. "APNGs were fun, but they don't respect autoplay settings, so we're removing the ability to add them to Tweets. This is for the safety of people with sensitivity to motion and flashing imagery, including those with epilepsy."

Tweets with existing APNG images won't be deleted from the platform, but only GIFs will be able to animate images moving forward. According to Yahoo, Twitter has further clarified that APNG files were not used to target the Epilepsy Foundation, but the bug meant such files could have been used to do so in the future had Twitter not moved to squash it. The attacks on the Epilepsy Foundation's Twitter handle occurred last month -- National Epilepsy Awareness Month -- with trolls using its hashtags and Twitter handle to post animated images with strobing light effects. It's not clear how many people may have been affected by the attack, but the foundation said it's cooperating with law enforcement officials and has filed criminal complaints against accounts believed to have been involved.

The Internet

DNS Over HTTPS: Not As Private As Some Think? (sans.edu)

Long-time Slashdot reader UnderAttack writes: DNS over HTTPS has been hailed as part of a "poor man's VPN". Its use of HTTPS to send DNS queries makes it much more difficult to detect and block the use of the protocol.

But there are some kinks in the armor. Current clients, and most current DoH services, do not implement the optional padding option, which is necessary to obscure the length of the requested hostname. The length of the hostname can also be used to restrict which site a user may have access [to].

The Internet Storm Center is offering some data to show how this can be done.

Their article is by Johannes B. Ullrich, Ph.D. and Dean of Research at the SANS Technology Institute.

It notes that Firefox "seems to be the most solid DoH implementation. Firefox DoH queries look like any other Firefox HTTP2 connection except for the packet size I observed." And an open Firefox bug already notes that "With the availability of encrypted DNS transports in Firefox traffic analysis mitigations like padding are becoming relevant."
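The length leak the post describes, as an added example that is not from the ISC article or the submission: DNS queries are built in wire format by hand, once bare and once carrying the EDNS(0) Padding option (RFC 7830, option code 12) sized to the 128-octet block RFC 8467 recommends for clients. Hostnames used are constructed; over DoH the DNS message is the HTTP body, so its size is what the TLS record sizes reflect.

```python
"""Hostname-length leakage in DoH queries and EDNS(0) padding as the fix.

Added example, not from the ISC article. Builds queries offline with no
network access; padding policy follows RFC 8467 (pad queries to a multiple
of 128 octets).
"""
import struct

OPT_TYPE = 41        # EDNS(0) OPT pseudo-RR type
EDNS_PADDING = 12    # EDNS option code for Padding (RFC 7830)
PAD_BLOCK = 128      # RFC 8467 recommended query block size
UDP_PAYLOAD = 4096   # advertised in the OPT RR's CLASS field


def encode_name(hostname: str) -> bytes:
    """Encode a hostname as DNS labels (length byte + label), ending in a zero byte."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(hostname: str, qtype: int = 1, padded: bool = False, txid: int = 0) -> bytes:
    """Return a complete DNS query message for hostname (qtype 1 = A)."""
    question = encode_name(hostname) + struct.pack("!HH", qtype, 1)  # class IN
    arcount = 1 if padded else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    msg = header + question
    if not padded:
        return msg  # unpadded: length tracks the hostname length directly
    # OPT RR: root name (1), type (2), payload size (2), TTL field (4), RDLENGTH (2)
    opt_fixed = 11
    option_hdr = 4  # option code + option length
    base_len = len(msg) + opt_fixed + option_hdr
    pad_len = (-base_len) % PAD_BLOCK  # zero bytes needed to reach the next block
    rdata = struct.pack("!HH", EDNS_PADDING, pad_len) + b"\x00" * pad_len
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD, 0, len(rdata)) + rdata
    return msg + opt


def padding_octets(msg: bytes):
    """Return the Padding option length in a query from build_query, or None if absent."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    pos = 12
    while msg[pos] != 0:           # skip the question name labels
        pos += 1 + msg[pos]
    pos += 1 + 4                   # terminator, qtype, qclass
    if arcount == 0:
        return None
    rtype, _, _, _ = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    if rtype != OPT_TYPE:
        return None
    code, olen = struct.unpack("!HH", msg[pos + 11:pos + 15])
    return olen if code == EDNS_PADDING else None


def query_lengths(hostnames, padded: bool) -> list:
    """Message lengths an on-path observer could compare across queries."""
    return [len(build_query(h, padded=padded)) for h in hostnames]


if __name__ == "__main__":
    # constructed sample names, not taken from any real traffic
    names = ["a.com", "example.com", "long-host-name.example.com"]
    print("unpadded:", query_lengths(names, padded=False))
    print("padded:  ", query_lengths(names, padded=True))
```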
Bug

Apple Opens Public Bug Bounty Program, Publishes Official Rules (zdnet.com)

Apple has formally opened its bug bounty program today to all security researchers, after announcing the move earlier this year in August at the Black Hat security conference in Las Vegas. From a report: Until today, Apple ran an invitation-based bug bounty program for selected security researchers only and was accepting only iOS security bugs. Starting today, the company will accept vulnerability reports for a much wider spectrum of products that also includes iPadOS, macOS, tvOS, watchOS, and iCloud. In addition, the company has also increased its maximum bug bounty reward from $200,000 to $1,500,000, depending on the exploit chain's complexity and severity.
Security

Npm Team Warns of New 'Binary Planting' Bug (zdnet.com)

The team behind npm, the biggest package manager for JavaScript libraries, issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks. From a report: Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination between a file traversal and an arbitrary file (over)write issue. The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer. The vulnerability can be exploited only during the installation of a boobytrapped npm package via the npm CLI. "However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planted backdoored or boobytrapped packages on the official npm repository. Npm devs say they've been scanning the npm portal for packages that may contain exploit code designed to exploit this bug, but have not seen any suspicious cases. "That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the [official npm] registry," npm devs said.
Chrome

Google Halts Chrome 79 Rollout After It Breaks Some Android Apps (9to5google.com)

Chrome 79 is creating an issue with WebView (the Android component that allows apps to display content from the web), reports 9to5Google: On Friday morning, Android developers reliant on WebView and local storage began encountering an issue where their apps lost data after users updated to version 79 of WebView. Those affected took to Chromium's bug tracker, and have described the incident as a "catastrophe" and "major issue." To end users, it's as if apps were entirely reset and just downloaded for the first time. This includes saved data disappearing or being logged out. Given the level of system opacity, most will blame developers for a problem that's out of their hands.

By that afternoon, Google engineers responded and isolated the issue to "profile layout changes" where "local storage was missed off the list of files migrated." A member of the Chromium team apologized Saturday morning, with the Chrome/WebView rollout halted after 50% of devices already received the update. At the highest priority level (P0), Google is currently "working on a solution that minimizes the data loss, and that can be rolled out safely." The last guidance for a patch is 5-7 days.