Space

SpaceX Satellite Was On 'Collision Course' Until ESA Satellite Was Re-Routed (arstechnica.com)

The European Space Agency (ESA) yesterday took action to avoid a collision with a SpaceX broadband satellite after a bug in SpaceX's on-call paging system prevented the company from getting a crucial update. Ars Technica reports: "For the first time ever, ESA has performed a 'collision avoidance maneuver' to protect one of its satellites from colliding with a 'mega constellation,'" the ESA said on Twitter. The "mega constellation" ESA referred to is SpaceX's Starlink broadband system, which is in the early stages of deployment but could eventually include nearly 12,000 satellites. Action had to be taken because the ESA's Aeolus satellite and a Starlink satellite were on a course that carried more than a 1-in-10,000 chance of a collision. According to the ESA, the Earth-observation satellite Aeolus "fired its thrusters, moving it off a collision course with a SpaceX satellite in their Starlink constellation." "SpaceX explained in a statement today that it didn't initially take action because of early estimates that the risk of collision was much lower than it turned out to be," the report adds. "SpaceX said it would have coordinated with ESA to avoid a collision once the estimates got worse, if only the paging-system bug hadn't prevented SpaceX from getting an update on the collision probability. SpaceX said it is trying to fix the bug to prevent such mishaps in the future."
Security

Google Says Hackers Have Put 'Monitoring Implants' in iPhones For Years (theguardian.com)

An unprecedented iPhone hacking operation, which attacked "thousands of users a week" until it was disrupted in January, has been revealed by researchers at Google's external security team. From a report: The operation, which lasted two and a half years, used a small collection of hacked websites to deliver malware onto the iPhones of visitors. Users were compromised simply by visiting the sites: no interaction was necessary, and some of the methods used by the hackers affected even fully up-to-date phones.

Once hacked, the user's deepest secrets were exposed to the attackers. Their location was uploaded every minute; their device's keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database. The one silver lining is that the implant was not persistent: when the phone was restarted, it was cleared from memory unless the user revisited a compromised site. However, according to Ian Beer, a security researcher at Google: "Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."

IOS

Apple Patches iPhone Jailbreaking Bug

Apple today released an iOS security update to patch a bug the company accidentally unpatched in an earlier release, introducing a security weakness that allowed hackers to craft new jailbreaks for current iOS versions. From a report: The original bug, discovered by Ned Williamson, a Google Project Zero security engineer, allows a malicious app to exploit a use-after-free vulnerability and run code with system privileges in the iOS kernel. iOS version 12.4.1, released today, re-patches this bug, which was initially fixed in iOS 12.3 but was accidentally unpatched in iOS 12.4 last month. Sadly, Apple's blunder didn't go unnoticed, and earlier this month a security researcher named Pwn20wnd released a public exploit based on Williamson's bug that could be used to jailbreak up-to-date iOS devices and grant users complete control over their iPhones. But while users taking a risk and jailbreaking their own devices doesn't sound that dangerous, a lesser-known fact is that malware operators and spyware vendors can also use Pwn20wnd's jailbreak.
Android

Google Confirms Android 10 Will Fix 193 Security Vulnerabilities (forbes.com)

"Were it not for third-party components, the August Android Security Bulletin would have been the first report to be released with only a single critical vulnerability found," reports TechRepublic. "However, with the inclusion of Broadcom and Qualcomm components, there are seven in total."

Meanwhile, Forbes reports on what's being fixed in September's release of Android 10: 193 Android security vulnerabilities needed to be fixed, covering a broad swathe of elevation of privilege, remote code execution, information disclosure and denial of service categories. Two of these are in the Android runtime itself, another two in the library and 24 in the framework. The bulk, however, is split between the Android media framework with 68 vulnerabilities and the Android system with 97. All have been scored as "moderate" severity.

The good news is that all will be fixed by the default Android 10 patch level of 2019-09-01 on release of the new OS. Also on the positive news front, the security bulletin update stated that "we have had no reports of active customer exploitation or abuse of these newly reported issues."

Python

UK Cybersecurity Agency Urges Devs To Drop Python 2 (zdnet.com)

Python 2's end-of-life date is 129 days away, warns the UK National Cyber Security Centre (NCSC). "There will be no more bug fixes, or security updates, from Python's core developers."

An anonymous reader quotes ZDNet: The UK's cyber-security agency warned developers Thursday to consider moving Python 2.x codebases to the newer 3.x branch due to the looming end-of-life of Python 2, scheduled for January 1, 2020... "If you continue to use unsupported modules, you are risking the security of your organisation and data, as vulnerabilities will sooner or later appear which nobody is fixing."

"If you maintain a library that other developers depend on, you may be preventing them from updating to 3," the agency added. "By holding other developers back, you are indirectly and likely unintentionally increasing the security risks of others... If migrating your code base to Python 3 is not possible, another option is to pay a commercial company to support Python 2 for you," the NCSC said.

The agency warns that companies who don't invest in migrating their Python 2.x code might end up in the same position as Equifax or the WannaCry victims. "At the NCSC we are always stressing the importance of patching. It's not always easy, but patching is one of the most fundamental things you can do to secure your technology," the agency said. "The WannaCry ransomware provides a classic example of what can happen if you run unsupported software," it said. "By making the decision to continue using Python 2 past its end of life, you are accepting all the risks that come with using unsupported software, while knowing that a secure version is available."

Security

Security Researchers Find Several Bugs In Nest Security Cameras (vice.com)

An anonymous reader quotes a report from Motherboard: Hackers could have logged into your Nest Cam IQ Indoor and watched whatever was happening in your home by taking advantage of a vulnerability found by security researchers. The hackers could also have prevented you from using the camera, or used their access to it to break into your home network. Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities in Nest's implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things (IoT) devices.

Nest has provided a firmware update that the company says will fix the vulnerabilities. The vulnerabilities apply to version 4620002 of the Nest Cam IQ indoor device. You can check the version of your camera on the Nest app. Nest says that the updates will happen automatically if your camera is connected to the internet. "We've fixed the disclosed bugs and started rolling them out to all Nest Camera IQs," Google said in a statement to ZDNet. "The devices will update automatically so there's no action required from users."

Security

Valve Says Turning Away Researcher Reporting Steam Vulnerability Was a Mistake (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities. In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware. Valve's new HackerOne program rules specifically provide that "any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope."

The statement and the policy change from Valve came two days after security researcher Vasily Kravets, an independent researcher from Moscow, received an email telling him that Valve's security team would no longer receive his vulnerability reports through the HackerOne bug-reporting service. Valve turned Kravets away after he reported a Steam vulnerability that allowed hackers who already had a toehold on a vulnerable computer to burrow into privileged parts of the operating system. Valve initially told Kravets such vulnerabilities were out of scope and gave no indication that the one he reported would be fixed. The company later publicly denied that the issue was a vulnerability by incorrectly claiming that the exploit required hackers to have physical access to a vulnerable computer. The company went so far as to dispute the vulnerability in the advisory issued by the National Institute of Standards and Technology.

Security

Researcher Publishes Second Steam Zero Day After Getting Banned on Valve's Bug Bounty Program (zdnet.com)

A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. From a report: However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform. The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and much discussion in the infosec community. All the negative comments have been aimed at Valve and the HackerOne staff, with both being accused of unprofessional behavior. Security researchers and regular Steam users alike are angry because Valve refused to acknowledge the reported issue as a security flaw and declined to patch it.
Android

Google Launches Android Studio 3.5 With Improved Memory Settings, Build Speed, and Apply Changes (venturebeat.com)

Google today launched Android Studio 3.5, the latest version of its integrated development environment (IDE), with a specific focus on "product quality." From a report: This release is the last one under Project Marble, a fancy name for an initiative Google announced late last year to improve Android Studio. For eight months, the team focused "on making the fundamental features and flows of Android Studio & Emulator rock-solid." All the improvements were either to system health, feature polish, or bug fixes. To improve system health, Google created a new set of infrastructure and internal dashboards to better detect performance problems. The team ultimately fixed over 600 bugs, 50 memory leaks, and 20 IDE hangs, and improved XML & Kotlin typing latency. For the Android Emulator, the team decreased the CPU and memory impact. The team also took a look at the app deployment flow to a device, replacing Instant Run with Apply Changes. The new system no longer modifies an APK during your build. Instead, it uses runtime instrumentation to redefine classes on the fly.
IOS

Hacker Releases First Public Jailbreak for Up-to-Date iPhones in Years (vice.com)

Apple has mistakenly made it a bit easier to hack iPhone users who are on the latest version of its mobile operating system, iOS, by unpatching a vulnerability it had already fixed. From a report: Hackers quickly jumped on this over the weekend and publicly released a jailbreak for current, up-to-date iPhones -- the first free public jailbreak for a fully updated iPhone that's been released in years. Security researchers found this weekend that iOS 12.4, the latest version released in June, reintroduced a bug found by a Google hacker that was fixed in iOS 12.3. That means it's currently relatively easy to not only jailbreak up-to-date iPhones, but also hack iPhone users, according to people who have studied the issue.

"Due to 12.4 being the latest version of iOS currently available and the only one which Apple allows upgrading to, for the next couple of days (till 12.4.1 comes out), all devices of this version (or any 11.x and 12.x below 12.3) are jailbreakable -- which means they are also vulnerable to what is effectively a 100+ day exploit," said Jonathan Levin, a security researcher and trainer who specializes in iOS, referring to the fact that this vulnerability can be exploited with code that was found more than 100 days ago. Pwn20wnd, a security researcher who develops iPhone jailbreaks, published a jailbreak for iOS 12.4 on Monday.

Intel

Intel Patches Three High-Severity Vulnerabilities (threatpost.com)

Intel's latest patches "stomped out three high-severity vulnerabilities and five medium-severity flaws," reports Threatpost: One of the more serious vulnerabilities exists in the Intel Processor Identification Utility for Windows, free software that users can install on their Windows machines to identify the actual specification of their processors. The flaw (CVE-2019-11163) has a score of 8.2 out of 10 on the CVSS scale, making it high severity. It stems from insufficient access control in a hardware abstraction driver for the software, in versions earlier than 6.1.0731. This glitch "may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access," according to Intel. Users are urged to update to version 6.1.0731.

Intel stomped out another high-severity vulnerability in its Computing Improvement Program, which is a program that Intel users can opt into that uses information about participants' computer performance to make product improvements and detect issues. However, the program contains a flaw (CVE-2019-11162) in the hardware abstraction of the SEMA driver that could allow escalation of privilege, denial of service or information disclosure...

A final high-severity flaw was discovered in the system firmware of the Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. The flaw (CVE-2019-11140), with a CVSS score of 7.5 out of 10, stems from insufficient session validation in the NUC's system firmware. This could allow a user to potentially achieve escalation of privilege, denial of service and information disclosure. An exploit of the flaw would come with drawbacks -- a bad actor would need existing privileges and local access to the victim system.

The article notes that the patches "come on the heels of a new type of side-channel attack revealed last week impacting millions of newer Intel microprocessors manufactured after 2012."
Google

Google Criticized For Vulnerability That Can Trick Its AI Into Deactivating Accounts (minds.com)

In July Google was sued by Tulsi Gabbard, one of 23 Democrats running for president, after Google mistakenly suspended her advertising account.

"I believe I can provide assistance on where to focus your discovery efforts," posted former YouTube/Google senior software engineer Zach Vorhies (now a harsh critic of Google's alleged bias against conservatives). He says he witnessed the deactivation of another high-profile Google account triggered by a malicious third party. I had the opportunity to inspect the bug report as a full-time employee. What I found was that Google had a technical vulnerability that, when exploited, would take any Gmail account down. Certain unknown 3rd party actors are aware of this secret vulnerability and exploit it.

This is how it worked: Take a target email address, change exactly one letter in that email address, and then create a new account with that changed email address. Malicious actors repeated this process over and over again until a network of spoof accounts for Jordan B. Peterson existed. Then these spoof accounts started generating spam emails. These email-spam blasts caught the attention of an AI system which fixed the problem by deactivating the spam accounts... and then ALSO the original account belonging to Jordan B. Peterson!

To my knowledge, this bug has never been fixed.

"Gabbard, however, claims the suspension was based on her criticism of Google and other major tech companies," reports The Verge. But they also quote the campaign as saying that Gmail "sends communications from Tulsi into people's Spam folders at a disproportionately high rate."

"Google may blame this on automated systems, but the reality is that there is no transparency whatsoever, which makes it difficult to determine the truth."
Microsoft

Windows Update To Fix Critical 'Wormable' Flaws May Break VB Apps (zdnet.com)

"This week's Windows updates fix critical 'wormable' [Bluekeep] flaws but may also break Visual Basic apps, macros, and scripts," warns ZDNet: "After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an 'invalid procedure call error'," Microsoft says. The issue affects all supported versions of Windows 10, Windows 7, Windows 8.1, and their corresponding server versions. "Microsoft is presently investigating this issue and will provide an update when available," the company said.

Microsoft didn't offer an explanation for the problem but it did flag earlier this month that it will move ahead with sunsetting VBScript, by disabling it in IE11 by default via an update in this week's patch. "The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13, 2019," Microsoft warned in a blog post. The change brought these versions of Windows in line with Windows 10. However, it's not clear that the issues under investigation are related to this measure. Regardless of the cause, the error could be a hassle for organizations that rely on Microsoft's various incarnations of Visual Basic...

In a blog post shared by Slashdot reader CaptainDork, Microsoft warned that "any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction."

"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions."
Operating Systems

Runkeeper Will Stop Supporting Wear OS 'in a Few Weeks' (theverge.com)

Runkeeper this week announced that it will discontinue its Wear OS app in the next few weeks. From a report: The update was emailed to users this week, where the company told users that it decided to end support because "the integration didn't work well / work consistently for most users." In a response to users, Runkeeper elaborated that only a small percentage of Runkeeper users were actually using the Wear OS app. "It was a very buggy experience and difficult for us to maintain and fix," a representative said in an email. "Because we're a small team with limited resources, and having done our research, we ultimately concluded that trying to maintain a partnership that wasn't working well would not be good practice for us."
IOS

Apple Files Lawsuit Against Corellium For iOS Emulation (bloomberg.com)

Apple has filed a lawsuit against Corellium, accusing the software company of illegally selling virtual copies of iOS under the guise of helping discover security flaws. "Apple said the software company Corellium has copied the operating system, graphical user interface and other aspects of the devices without permission, and wants a federal judge to stop the violations," reports Bloomberg. From the report: Apple said it supports "good-faith security research," offering a $1 million "bug bounty" for anyone who discovers flaws in its system and gives custom versions of the iPhone to "legitimate" researchers. Corellium, the iPhone maker said, goes further than that. "Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple's software, Corellium's true goal is profiting off its blatant infringement," Apple said in the complaint. "Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder."

Corellium creates copies of the Apple iOS, and says that it's all to help white-hat hackers discover security flaws. Instead, according to Apple, any information is sold to people who can then exploit those flaws. Corellium, in a posting dated July 4 on its website, said it "respects the intellectual property rights of others and expects its users to do the same." Corellium's products allow the creation of a virtual Apple device, according to the suit. It copies new versions of Apple works as soon as they are announced, and doesn't require users to disclose flaws to Apple, the Cupertino, California-based company said in the complaint.

Apple also wants a court order forcing Corellium to notify its customers that they are in violation of Apple's rights, destruction of any products using Apple copyrights, and cash compensation.
Security

Credit Karma Glitch Exposed Users To Other People's Accounts (techcrunch.com)

Users of credit monitoring site Credit Karma have taken to Reddit and Twitter to complain that they were served other people's account information when they logged in. TechCrunch has confirmed several screenshots that show other people's accounts, including details about their credit card accounts and their current balance.

When contacted, a Credit Karma spokesperson said these users "experienced a technical malfunction that has now been fixed," and that there's "no evidence of a data breach." The company didn't say for how long customers were experiencing issues. TechCrunch reports: One user told TechCrunch that after they were served another person's full credit report, they messaged the user on LinkedIn "to let him know his data was compromised." Another user told us this: "The reports are split into two sections: Credit Factors -- things like number of accounts, inquiries, utilization; and Credit Reports -- personal information like name, address, etc. The Credit Reports section was my own information, but the Credit Factors section definitely wasn't. It listed four credit card accounts (I have more like 20 on my report), a missed payment (I'm 100% on time with payments), a Honda auto loan (never had one with Honda), student loan financing (mine are paid off and too old to appear on my report), and cards with an issuer that I have no relationship with (Discover)."

Another user who was affected said they could read another person's Credit Factors -- including derogatory credit marks -- but that the Credit Report tab with that user's personal information, like names and addresses, was blank. One user said that the login page was pulled offline for a brief period. "We'll be right back," the login page read instead.

Microsoft

Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP (zdnet.com)

CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, including high-privileged applications, or the entire OS as a whole. Currently, there are no patches for these bugs, and a quick fix isn't expected, as the vulnerabilities are deeply ingrained in the protocol and its design.

What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means anywhere in Microsoft's documentation. What Ormandy found out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods.

It is unclear how Microsoft will patch the CTF problem.
Security

Epic Hit With Class-Action Suit Over Hacked Fortnite Accounts (polygon.com)

Epic Games is being sued over security breaches that allowed hackers to access the personal information of Epic Games accounts. From a report: The class-action lawsuit, filed by Franklin D. Azar & Associates in U.S. District Court in North Carolina, alleges Epic's "failure to maintain adequate security measures and notify users of the security breach in a timely manner." The lawsuit states that "there are more than 100 class members." In January, Epic acknowledged that a bug in Fortnite may have exposed personal information for millions of user accounts.
Bug

Researchers Find More Than 40 Vulnerable Windows Device Drivers (eclypsium.com)

Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors -- including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei -- include critical vulnerabilities allowing an escalation of privileges to full system level access.

Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also, while some of these drivers "are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes," which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues, and at least NVIDIA has already released fixed drivers.

Bug

Remember Autorun.inf Malware In Windows? Turns Out KDE Offers Something Similar (zdnet.com)

Long-time Slashdot reader Artem S. Tashkinov writes: A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions.

The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file.

Zero user interaction is required to trigger code execution — all you have to do is browse a directory containing a malicious file using any of the KDE file system browsing applications, such as Dolphin.

When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response.

"We would appreciate if people would contact security@kde.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."
