An anonymous reader quotes a report from Motherboard: Hackers could have logged into your Nest Cam IQ Indoor and watch whatever was happening in your home by taking advantage of a vulnerability found by security researchers. The hackers could have also prevented you from using the camera, or use access to it to break into your home network. Researchers Lilith Wyatt and Claudio Bozzato of Cisco Talos discovered the vulnerabilities and disclosed them publicly on August 19. The two found eight vulnerabilities that are based in the Nest implementation of the Weave protocol. The Weave protocol is designed specifically for communications among Internet of Things or IoT devices.

Nest has provided a firmware update that the company says will fix the vulnerabilities. The vulnerabilities apply to version 4620002 of the Nest Cam IQ indoor device. You can check the version of your camera on the Nest app. Nest says that the updates will happen automatically if your camera is connected to the internet. "We've fixed the disclosed bugs and started rolling them out to all Nest Camera IQs," Google said in a statement to ZDNet. "The devices will update automatically so there's no action required from users."

An anonymous reader quotes a report from Ars Technica: In an attempt to quell a controversy that has raised the ire of white-hat hackers, the maker of the Steam online game platform said on Thursday it made a mistake when it turned away a researcher who recently reported two separate vulnerabilities. In its statement, Valve Corporation references HackerOne, the reporting service that helps thousands of companies receive and respond to vulnerabilities in their software or hardware. Valve's new HackerOne program rules specifically provide that "any case that allows malware or compromised software to perform a privilege escalation through Steam, without providing administrative credentials or confirming a UAC dialog, is in scope. Any unauthorized modification of the privileged Steam Client Service is also in scope."

The statement and the policy change from Valve came two days after security researcher Vasily Kravets, an independent researcher from Moscow, received an email telling him that Valve's security team would no longer receive his vulnerability reports through the HackerOne bug-reporting service. Valve turned Kravets away after he reported a steam vulnerability that allowed hackers who already had a toe-hold on a vulnerable computer to burrow into privileged parts of an operating system. Valve initially told Kravets such vulnerabilities were out of scope and gave no indication that the one Vasily reported would be fixed. The company later publicly denied that the issue was a vulnerability by incorrectly claiming that the exploit required hackers to have physical access to a vulnerable computer. The company went so far as to dispute the vulnerability in the advisory issued by the National Institute of Standards and Technology.

A Russian security researcher has published details about a zero-day in the Steam gaming client. This is the second Steam zero-day the researcher has made public in the past two weeks. From a report: However, while the security researcher reported the first one to Valve and tried to have it fixed before public disclosure, he said he couldn't do the same with the second because the company banned him from submitting further bug reports via its public bug bounty program on the HackerOne platform. The entire chain of events behind the public disclosure of these two zero-days has caused quite a drama and discussions in the infosec community. All the negative comments have been aimed at Valve and the HackerOne staff, with both being accused of unprofessional behavior. Security researchers and regular Steam users alike are mad because Valve refused to acknowledge the reported issue as a security flaw, and declined to patch it.

Google today launched Android Studio 3.5, the latest version of its integrated development environment (IDE), with a specific focus on "product quality." From a report: This release is the last one under Project Marble, a fancy name for an initiative Google announced late last year to improve Android Studio. For eight months, the team focused "on making the fundamental features and flows of Android Studio & Emulator rock-solid." All the improvements were either to system health, feature polish, or bug fixes. To improve system health, Google created a new set of infrastructure and internal dashboards to better detect performance problems. The team ultimately fixed over 600 bugs, 50 memory leaks, and 20 IDE hangs, and improved XML & Kotlin typing latency. For the Android Emulator, the team decreased the CPU and memory impact. The team also took a look at app deployment flow to a device, replacing Instant Run with Apply Changes. The new system no longer modifies an APK during your build. Instead, it uses runtime instrumentation to redefine classes on the fly.

Apple has mistakenly made it a bit easier to hack iPhone users who are on the latest version of its mobile operating system iOS by unpatching a vulnerability it had already fixed. From a report: Hackers quickly jumped on this over the weekend, and publicly released a jailbreak for current, up-to-date iPhones -- the first free public jailbreak for a fully updated iPhone that's been released in years. Security researchers found this weekend that iOS 12.4, the latest version released in June, reintroduced a bug found by a Google hacker that was fixed in iOS 12.3. That means it's currently relatively easy to not only jailbreak up to date iPhones, but also hack iPhone users, according to people who have studied the issue.

"Due to 12.4 being the latest version of iOS currently available and the only one which Apple allows upgrading to, for the next couple of days (till 12.4.1 comes out), all devices of this version (or any 11.x and 12.x below 12.3) are jail breakable -- which means they are also vulnerable to what is effectively a 100+ day exploit," said Jonathan Levin, a security researcher and trainer who specializes in iOS, referring to the fact that this vulnerability can be exploited with code that was found more than 100 days ago. Pwn20wnd, a security researcher who develops iPhone jailbreaks, published a jailbreak for iOS 12.4 on Monday.

Intel's latest patches "stomped out three high-severity vulnerabilities and five medium-severity flaws," reports Threatpost: One of the more serious vulnerabilities exist in the Intel Processor Identification Utility for Windows, free software that users can install on their Windows machines to identify the actual specification of their processors. The flaw (CVE-2019-11163) has a score of 8.2 out of 10 on the CVSS scale, making it high severity. It stems from insufficient access control in a hardware abstraction driver for the software, versions earlier than 6.1.0731. This glitch "may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access" according to Intel. Users are urged to update to version 6.1.0731.

Intel stomped out another high-severity vulnerability in its Computing Improvement Program, which is program that Intel users can opt into that uses information about participants' computer performance to make product improvement and detect issues. However, the program contains a flaw (CVE-2019-11162) in the hardware abstraction of the SEMA driver that could allow escalation of privilege, denial of service or information disclosure...

A final high-severity flaw was discovered in the system firmware of the Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. The flaw (CVE-2019-11140) with a CVSS score of 7.5 out of 10, stems from insufficient session validation in system firmware of the NUC. This could enable a user to potentially enable escalation of privilege, denial of service and information disclosure. An exploit of the flaw would come with drawbacks -- a bad actor would need existing privileges and local access to the victim system.
The article notes that the patches "come on the heels of a new type of side-channel attack revealed last week impacting millions of newer Intel microprocessors manufactured after 2012."

In July Google was sued by Tulsi Gabbard, one of 23 Democrats running for president, after Google mistakenly suspended her advertising account.

"I believe I can provide assistance on where to focus your discovery efforts," posted former YouTube/Google senior software engineer Zach Vorhies (now a harsh critic of Google's alleged bias against conservatives). He says he witnessed the deactivation of another high-profile Google account triggered by a malicious third party. I had the opportunity to inspect the bug report as a full-time employee. What I found was that Google had a technical vulnerability that, when exploited, would take any gmail account down. Certain unknown 3rd party actors are aware of this secret vulnerability and exploit it.

This is how it worked: Take a target email address, change exactly one letter in that email address, and then create a new account with that changed email address. Malicious actors repeated this process over and over again until a network of spoof accounts for Jordan B. Peterson existed. Then these spoof accounts started generating spam emails. These email-spam blasts caught the attention of an AI system which fixed the problem by deactivating the spam accounts... and then ALSO the original account belonging to Jordan B. Peterson!

To my knowledge, this bug has never been fixed.
"Gabbard, however, claims the suspension was based on her criticism of Google and other major tech companies," reports the Verge. But they also quote the campaign as saying that Gmail "sends communications from Tulsi into people's Spam folders at a disproportionately high rate."

"Google may blame this on automated systems, but the reality is that there is no transparency whatsoever, which makes it difficult to determine the truth."

"This week's Windows updates fix critical 'wormable' [Bluekeep] flaws but may also break Visual Basic apps, macros, and scripts," warns ZDNet: "After installing this update, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an 'invalid procedure call error'," Microsoft says. The issue affects all supported versions of Windows 10, Windows 7, Windows 8.1, and their corresponding server versions. "Microsoft is presently investigating this issue and will provide an update when available," the company said.

Microsoft didn't offer an explanation for the problem but it did flag earlier this month that it will move ahead with sunsetting VBScript, by disabling it in IE11 by default via an update in this week's patch. "The change to disable VBScript will take effect in the upcoming cumulative updates for Windows 7, 8, and 8.1 on August 13, 2019," Microsoft warned in a blog post. The change brought these versions of Windows in line with Windows 10. However, it's not clear that the issues under investigation are related to this measure. Regardless of the cause, the error could be a hassle for organizations that rely on Microsoft's various incarnations of Visual Basic...
In a blog post shared by Slashdot reader CaptainDork, Microsoft warned that "any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction."

"The affected versions of Windows are Windows 7 SP1, Windows Server 2008 R2 SP1, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, and all supported versions of Windows 10, including server versions."

Runkeeper this week announced that it will discontinue its Wear OS app in the next few weeks. From a report: The update was emailed to users this week, where the company told users that it decided to end support because "the integration didn't work well / work consistently for most users." In a response to users, Runkeeper elaborated that only a small percentage of Runkeeper users were actually using the Wear OS app. "It was a very buggy experience and difficult for us to maintain and fix," a representative said in an email. "Because we're a small team with limited resources, and having done our research, we ultimately concluded that trying to maintain a partnership that wasn't working well would not be good practice for us."

Apple has filed a lawsuit against Corellium, accusing the software company of illegally selling virtual copies of iOS under the guise of helping discover security flaws. "Apple said the software company Corellium has copied the operating system, graphical user interface and other aspects of the devices without permission, and wants a federal judge to stop the violations," reports Bloomberg. From the report: Apple said it supports "good-faith security research," offering a $1 million "bug bounty" for anyone who discovers flaws in its system and gives custom versions of the iPhone to "legitimate" researchers. Corellium, the iPhone maker said, goes further than that. "Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple's software, Corellium's true goal is profiting off its blatant infringement," Apple said in the complaint. "Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder."

Corellium creates copies of the Apple iOS, and says that it's all to help white-hat hackers discover security flaws. Instead, according to Apple, any information is sold to people who can then exploit those flaws. Corellium, in a posting dated July 4 on its website, said it "respects the intellectual property rights of others and expects its users to do the same." Corellium's products allow the creation of a virtual Apple device, according to the suit. It copies new versions of Apple works as soon as they are announced, and doesn't require users to disclose flaws to Apple, the Cupertino, California-based company said in the complaint. Apple also wants a court order forcing Corellium to notify its customers that they are in violation of Apple's rights, destruction of any products using Apple copyrights, and cash compensation.

Users of credit monitoring site Credit Karma have took to Reddit and Twitter to complain that they were served other people's account information when they logged in. TechCrunch has confirmed several screenshots that show other people's accounts, including details about their credit card accounts and their current balance.

When contacted, a Credit Karma spokesperson said these users "experienced a technical malfunction that has now been fixed," and that there's "no evidence of a data breach." The company didn't say for how long customers were experiencing issues. TechCrunch reports: One user told TechCrunch that after they were served another person's full credit report, they messaged the user on LinkedIn "to let him know his data was compromised." Another user told us this: "The reports are split into two sections: Credit Factors -- things like number of accounts, inquiries, utilization; and Credit Reports -- personal information like name, address, etc.. The Credit Reports section was my own information, but the Credit Factors section definitely wasn't. It listed four credit card accounts (I have more like 20 on my report), a missed payment (I'm 100% on time with payments), a Honda auto loan (never had one with Honda), student loan financing (mine are paid off and too old to appear on my report), and cards with an issuer that I have no relationship with (Discover)."

Another user who was affected said they could read another person's Credit Factors -- including derogatory credit marks -- but that the Credit Report tab with that user's personal information, like names and addresses, was blank. One user said that the login page was pulled offline for a brief period. "We'll be right back," the login page read instead.

CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole. Currently, there are no patches for these bugs, and a quick fix isn't expected, as the vulnerabilities are deeply ingrained in the protocol and its design.

What CTF stands is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means in all of Microsoft documentation. What Ormandy found out was that CTF is part of of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods. It is unclear how Microsoft will patch the CTF problem.

Epic Games is being sued over security breaches that allowed hackers to access the personal information of Epic Games accounts. From a report: The class-action lawsuit, filed by Franklin D. Azar & Associates in U.S. District Court in North Carolina, alleges Epic's "failure to maintain adequate security measures and notify users of the security breach in a timely manner." The lawsuit states that "there are more than 100 class members." In January, Epic acknowledged that a bug in Fortnite may have exposed personal information for millions of user accounts.

Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors -- including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei -- include critical vulnerabilities allowing an escalation of privileges to full system level access.

Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also while some of these drivers "are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes" which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues and at least NVIDIA has already released fixed drivers.

Long-time Slashdot reader Artem S. Tashkinov writes: A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions.

The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file.

Zero user interaction is required to trigger code execution — all you have to do is to browse a directory with a malicious file using any of KDE file system browsing applications like Dolphin.
When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response.

"We would appreciate if people would contact security@kde.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."

itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO.

There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.

Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year.

The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

Twitter has disclosed more bugs related to how it uses personal data for ad targeting that means it may have shared users data with advertising partners even when a user had expressly told it not to. TechCrunch reports: Back in May the social network disclosed a bug that in certain conditions resulted in an account's location data being shared with a Twitter ad partner, during real-time bidding (RTB) auctions. In a blog post on its Help Center about the latest "issues" Twitter says it "recently" found, it admits to finding two problems with users' ad settings choices that mean they "may not have worked as intended." It claims both problems were fixed on August 5. Though it does not specify when it realized it was processing user data without their consent.

The first bug relates to tracking ad conversions. This meant that if a Twitter user clicked or viewed an ad for a mobile application on the platform and subsequently interacted with the mobile app Twitter says it "may have shared certain data (e.g., country code; if you engaged with the ad and when; information about the ad, etc)" with its ad measurement and advertising partners -- regardless of whether the user had agreed their personal data could be shared in this way. It suggests this leak of data has been happening since May 2018 -- which is also the day when Europe's updated privacy framework, GDPR, came into force. Twitter specifies that it does not share users' names, Twitter handles, email or phone number with ad partners. However it does share a user's mobile device identifier, which GDPR treats as personal data as it acts as a unique identifier. The second issue Twitter discloses in the blog post also relates to tracking users' wider web browsing to serve them targeted ads. Here Twitter admits that, since September 2018, it may have served targeted ads that used inferences made about the user's interests based on tracking their wider use of the Internet -- even when the user had not given permission to be tracked.

An anonymous reader shares a column [Editor's note: the link may be paywalled]: Few television shows in recent years have been as compelling, yet as difficult to watch, as Chernobyl. The story of the hours and days following the 1986 nuclear reactor meltdown, and the many awful ways that radiation can kill, was expertly told. But it was the antithesis of one of the prevailing objectives of today's TV producers: to make a programme viewers love so much that they binge it all in one go. Chernobyl's horrors were so richly realised that it was unbingeable. Even though I was watching the show on Sky's streaming service, Now TV, I found that watching in nightly instalments rather than rushing through it served only to heighten my appreciation of it. The internet has been built on instant gratification, but Chernobyl got me wondering whether we occasionally need something to hold us back.

[...] A new approach to scheduling could crank up anticipation for the next instalment or build the loyalty that comes with habit. Chernobyl had a brilliant podcast commentary that delineated the boundary between fact and fiction; I wished I had listened to it between episodes rather than at the end of the series. There are billions of smartphones in the world today. While Silicon Valley is obsessing over what comes next -- whether that is augmented reality headsets or smart speakers -- the versatility and ubiquity of the smartphone still provide plenty of room to experiment. From instant streaming to next-day deliveries, technology has broken the idea that good things come to those who wait. But with a little imagination, making something unbingeable could be a feature, not a bug.

At Black Hat 2019 today, Microsoft announced the Azure Security Lab, a sandbox-like environment for security researchers to test its cloud security. The company also doubled the top Azure bug bounty to $40,000. From a report: Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and groups of hackers to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Microsoft shared today that it has issued $4.4 million in bounty rewards over the past 12 months. The Azure Security Lab takes the idea to the next level. It's essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.