Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors -- including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei -- include critical vulnerabilities allowing an escalation of privileges to full system level access.

Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also while some of these drivers "are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes" which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues and at least NVIDIA has already released fixed drivers.

Long-time Slashdot reader Artem S. Tashkinov writes: A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions.

The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file.

Zero user interaction is required to trigger code execution — all you have to do is to browse a directory with a malicious file using any of KDE file system browsing applications like Dolphin.
When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response.

"We would appreciate if people would contact security@kde.org before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."

itwbennett writes: Researchers from security firm Bitdefender discovered and reported a year ago a new CPU vulnerability that 'abuses a system instruction called SWAPGS and can bypass mitigations put in place for previous speculative execution vulnerabilities like Spectre,' writes Lucian Constantin for CSO.

There are three attack scenarios involving SWAPGS, the most serious of which 'can allow attackers to leak the contents of arbitrary kernel memory addresses. This is similar to the impact of the Spectre vulnerability.' Microsoft released mitigations for the vulnerability in July's Patch Tuesday, although details were withheld until August 6 when Bitdefender released its whitepaper and Microsoft published a security advisory.

Apple says it will offer up to $1 million for hackers who can find vulnerabilities in iPhones and Macs. "That's up from $200,000, and in the fall the program will be open to all researchers," reports Forbes. "Previously only those on the company's invite-only bug bounty program were eligible to receive rewards." From the report: As Forbes reported on Monday, Apple is also launching a Mac bug bounty, which was confirmed Thursday, but it's also extending it to watchOS and its Apple TV operating system. The announcements came in Las Vegas at the Black Hat conference, where Apple's head of security engineering Ivan Krstic gave a talk on iOS and macOS security. Forbes also revealed on Monday that Apple was to give bug bounty participants "developer devices" -- iPhones that let hackers dive further into iOS. They can, for instance, pause the processor to look at what's happening with data in memory. Krstic confirmed the iOS Security Research Device program would be by application only. It will arrive next year.

The full $1 million will go to researchers who can find a hack of the kernel -- the core of iOS -- with zero clicks required by the iPhone owner. Another $500,000 will be given to those who can find a "network attack requiring no user interaction." There's also a 50% bonus for hackers who can find weaknesses in software before it's released. Apple is increasing those rewards in the face of an increasingly profitable private market where hackers sell the same information to governments for vast sums.

Twitter has disclosed more bugs related to how it uses personal data for ad targeting that means it may have shared users data with advertising partners even when a user had expressly told it not to. TechCrunch reports: Back in May the social network disclosed a bug that in certain conditions resulted in an account's location data being shared with a Twitter ad partner, during real-time bidding (RTB) auctions. In a blog post on its Help Center about the latest "issues" Twitter says it "recently" found, it admits to finding two problems with users' ad settings choices that mean they "may not have worked as intended." It claims both problems were fixed on August 5. Though it does not specify when it realized it was processing user data without their consent.

The first bug relates to tracking ad conversions. This meant that if a Twitter user clicked or viewed an ad for a mobile application on the platform and subsequently interacted with the mobile app Twitter says it "may have shared certain data (e.g., country code; if you engaged with the ad and when; information about the ad, etc)" with its ad measurement and advertising partners -- regardless of whether the user had agreed their personal data could be shared in this way. It suggests this leak of data has been happening since May 2018 -- which is also the day when Europe's updated privacy framework, GDPR, came into force. Twitter specifies that it does not share users' names, Twitter handles, email or phone number with ad partners. However it does share a user's mobile device identifier, which GDPR treats as personal data as it acts as a unique identifier. The second issue Twitter discloses in the blog post also relates to tracking users' wider web browsing to serve them targeted ads. Here Twitter admits that, since September 2018, it may have served targeted ads that used inferences made about the user's interests based on tracking their wider use of the Internet -- even when the user had not given permission to be tracked.

An anonymous reader shares a column [Editor's note: the link may be paywalled]: Few television shows in recent years have been as compelling, yet as difficult to watch, as Chernobyl. The story of the hours and days following the 1986 nuclear reactor meltdown, and the many awful ways that radiation can kill, was expertly told. But it was the antithesis of one of the prevailing objectives of today's TV producers: to make a programme viewers love so much that they binge it all in one go. Chernobyl's horrors were so richly realised that it was unbingeable. Even though I was watching the show on Sky's streaming service, Now TV, I found that watching in nightly instalments rather than rushing through it served only to heighten my appreciation of it. The internet has been built on instant gratification, but Chernobyl got me wondering whether we occasionally need something to hold us back.

[...] A new approach to scheduling could crank up anticipation for the next instalment or build the loyalty that comes with habit. Chernobyl had a brilliant podcast commentary that delineated the boundary between fact and fiction; I wished I had listened to it between episodes rather than at the end of the series. There are billions of smartphones in the world today. While Silicon Valley is obsessing over what comes next -- whether that is augmented reality headsets or smart speakers -- the versatility and ubiquity of the smartphone still provide plenty of room to experiment. From instant streaming to next-day deliveries, technology has broken the idea that good things come to those who wait. But with a little imagination, making something unbingeable could be a feature, not a bug.

At Black Hat 2019 today, Microsoft announced the Azure Security Lab, a sandbox-like environment for security researchers to test its cloud security. The company also doubled the top Azure bug bounty to $40,000. From a report: Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and groups of hackers to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Microsoft shared today that it has issued $4.4 million in bounty rewards over the past 12 months. The Azure Security Lab takes the idea to the next level. It's essentially a set of dedicated cloud hosts isolated from Azure customers so security researchers can test attacks against cloud scenarios. The isolation means researchers can not only research vulnerabilities in Azure, they can attempt to exploit them.

Monzo, a mobile-only bank operating in the UK, admitted today to storing payment card PINs inside internal logs. From a report: The company is now notifying all impacted customers and urging users to change card PINs the next time they use a cash machine. Monzo described the issue as a "bug" that occurred when Monzo customers used two specific features of their Monzo mobile apps -- namely the feature that reminds users of their card number and the feature for canceling standing orders. When Monzo customers used one of these two features, they'd be asked to enter their account PIN, for authorization purposes, but unbeknowst to them, the PIN would also be logged inside Monzo's internal logs. Monzo said these logs were encrypted and that only a few employees had access to the data stored inside. The company said it discovered the bug on Friday, August 2, and spent all weekend removing PIN numbers from its internal logs.

Slashdot reader Artem S. Tashkinov writes: Mathy Vanhoef and Eyal Ronen have recently disclosed two new additional bugs impacting WPA3. The security researched duo found the new bugs in the security recommendations the WiFi Alliance created for equipment vendors in order to mitigate the initial Dragonblood attacks [found by the same two security researchers]. "Just like the original Dragonblood vulnerabilities from April, these two new ones allow attackers to leak information from WPA3 cryptographic operations and brute-force a WiFi network's password," reports ZDNet.
More from ZDNet: "[The] Wi-Fi standard is now being updated with proper defenses, which might lead to WPA3.1," Vanhoef said. "Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks," the researchers said.

But besides just disclosing the two new Dragonblood vulnerabilities, the two researchers also took the chance to criticize the WiFi Alliance again for its closed standards development process that doesn't allow for the open-source community to contribute and prevent big vulnerabilities from making it into the standard in the first place.

"This demonstrates that implementing Dragonfly and WPA3 without side-channel leaks is surprisingly hard," the researchers said. "It also, once again, shows that privately creating security recommendations and standards is at best irresponsible and at worst inept."
While these type of feedback might be ignored when coming from other researchers, it means more when it comes from Vanhoef. The Belgian researchers is the one who discovered the KRACK attack that broke the WPA2 WiFi authentication standard and forced the WiFi Alliance to develop the WPA3 standard, which it launched in June 2018.

The Google Project Zero team said that around 95.8% of the security bugs they find in other software and report to their respective vendors get fixed before the 90-day deadline for a public disclosure expires. From a report: That's quite the batting average for one of world's most infamous cybersecurity programs. In a statistic shared on Wednesday, Google's elite security team said that during its whole history -- from July 17, 2014, when Project Zero was created and until July 30, this week -- its researchers found and reported a total of 1,585 vulnerabilities to a wide range of hardware and software vendors. Of these, Google said that vendors failed to deliver a patch before the final deadline expired only for 66 reports. As a result, its researchers were forced to make vulnerability technical details public before a fix was made available to users.

Google researchers have shared details of five flaws in Apple's iMessage software that could make its devices vulnerable to attack. The BBC reports: In one case, the researchers said the vulnerability was so severe that the only way to rescue a targeted iPhone would be to delete all the data off it. Another example, they said, could be used to copy files off a device without requiring the owner to do anything to aid the hack. Apple released fixes last week. But the researchers said they had also flagged a sixth problem to Apple, which had not been rectified in the update to its mobile operating system.

Apple's own notes about iOS 12.4 indicate that the unfixed flaw could give hackers a means to crash an app or execute commands of their own on recent iPhones, iPads and iPod Touches if they were able to discover it. Apple has not commented on this specific issue, but has urged users to install the new version of iOS, which addresses Google's other discoveries as well as a further range of glitches and threats. One of the two Google researchers involved - Natalie Silvanovich - intends to share more details of her findings at a presentation at the Black Hat conference in Las Vegas next month.

Truecaller, a service that helps users screen robocalls, has rolled out an update to its app in India, its largest market, after a previous software release covertly signed up an unspecified number of users to its payments service. From a report: A number of users in India began to complain late Monday that Truecaller, which has amassed over 100 million daily users in the country, had registered them to its payments service without their consent. In a statement to TechCrunch, Truecaller acknowledged the error and said a bug in the previous software update caused the issue. The bug led the app to quietly send a text message to a bank to verify their account -- which is part of the procedure to sign up to the payments service.

An anonymous reader quotes Vice: In May, Microsoft released a patch for a bug in several versions of Windows that is so bad that the company felt it even had to release a fix for Windows XP, an operating system that (has been unsupported) for five years. That vulnerability is known as BlueKeep, and it has kept a lot of security researchers up at night. They are worried that someone could write an exploit for it and make a worm that could wreak havoc the way WannaCry or NotPetya -- two viruses that spread almost uncontrollably all over the world locking thousands of computers -- did.... Researchers were so worried about this vulnerability that for months, no one has published the code for a proof-of-concept exploit. In other words, no one wanted to be the guy to even prove that this type of malware was even possible to write.

Until now.

On Tuesday, Immunity, a long time US government contractor, announced that it had developed an exploit for BlueKeep and included it into its penetration testing toolkit Canvas, which is available only to paying subscribers. Canvas customers, can now exploit this bug using Immunity's own code.
ZDNet notes that Canvas licenses "cost between thousands and tens of thousands of US dollars," but also adds that "hackers have been known to pirate or legitimately buy penetration testing tools."

An anonymous reader quotes a report from The Register: Some models of Airbus A350 airliners still need to be hard rebooted after exactly 149 hours, despite warnings from the EU Aviation Safety Agency (EASA) first issued two years ago. In a mandatory airworthiness directive (AD) reissued earlier this week, EASA urged operators to turn their A350s off and on again to prevent "partial or total loss of some avionics systems or functions." The revised AD, effective from tomorrow (26 July), exempts only those new A350-941s which have had modified software pre-loaded on the production line. For all other A350-941s, operators need to completely power the airliner down before it reaches 149 hours of continuous power-on time.

Concerningly, the original 2017 AD was brought about by "in-service events where a loss of communication occurred between some avionics systems and avionics network" (sic). The impact of the failures ranged from "redundancy loss" to "complete loss on a specific function hosted on common remote data concentrator and core processing input/output modules." In layman's English, this means that prior to 2017, at least some A350s flying passengers were suffering unexplained failures of potentially flight-critical digital systems.

New submitter Grindop53 shares a report: Widespread reports of a "critical security issue" that supposedly impacted users of VLC media player have been debunked as "completely bogus" by developers. Earlier this week, German computer emergency response team CERT-Bund -- part of the Federal Office for Information Security (BSI) -- pushed out an advisory warning network administrators and other users of a high-impact vulnerability in VLC. It seems that this advisory can be traced back to a ticket that was opened on VLC owner VideoLAN's public bug tracker more than four weeks ago. The alleged heap-based buffer overflow flaw was disclosed by a user named "topsec(zhangwy)," who stated that a malicious .mp4 file could be leveraged by an attacker to take control of VLC media player users' devices. The issue was flagged as high-risk on the CERT-Bund site, and the vulnerability was assigned a CVE entry (CVE-2019-13615).

However, according to VideoLAN president Jean-Baptiste Kempf, the exploit does not work on the latest VLC build. In fact, any potential issues relating to the vulnerability were patched more than a year ago. "There is no security issue in VLC," Kempf told The Daily Swig in a phone conversation this morning. "There is a security issue in a third-party library, and a fix was pushed [out] 18 months ago." When asked how or why this oversight generated so much attention, Kempf noted that the reporter of the supposed vulnerability did not approach VideoLAN through its security reporting email address. "The guy never contacted us," said Kempf, who remains a lead developer at the VLC project. "This is why you don't report security issues on a public bug tracker." Kempf and his team were unable to replicate the issue in the latest version of VLC, leading many to believe that the bug reporter was working on a computer running an outdated version of Ubuntu. "If you report a security issue, at least update your Linux distribution," Kempf said.

A design flaw in Facebook's Messenger Kids app allowed children to enter group chats with unapproved strangers. "For the past week, Facebook has been quietly closing down those group chats and alerting users, but has not made any public statements disclosing the issue," reports The Verge.

The alert reads as follows: "Hi [PARENT],
We found a technical error that allowed [CHILD]'s friend [FRIEND] to create a group chat with [CHILD] and one or more of [FRIEND]'s parent-approved friends. We want you to know that we've turned off this group chat and are making sure that group chats like this won't be allowed in the future. If you have questions about Messenger Kids and online safety, please visit our Help Center and Messenger Kids parental controls. We'd also appreciate your feedback." From the report: The bug arose from the way Messenger Kids' unique permissions were applied in group chats. In a standard one-on-one chat, children can only initiate conversations with users who have been approved by the child's parents. But those permissions became more complex when applied to a group chat because of the multiple users involved. Whoever launched the group could invite any user who was authorized to chat with them, even if that user wasn't authorized to chat with the other children in the group. As a result, thousands of children were left in chats with unauthorized users, a violation of the core promise of Messenger Kids. It's unclear how long the bug was present in the app, which launched with group features in December 2017.

"Everyone knows security needs to be baked into the development lifecycle, but that doesn't mean it is," writes ZDNet, reporting on a new survey they say showed that "long-standing friction between security and development teams remain."

The results came from GitLab's "2019 Global Developer Report: DevSecOps" survey of over 4,000 software professionals. Nearly half of security pros surveyed, 49%, said they struggle to get developers to make remediation of vulnerabilities a priority. Worse still, 68% of security professionals feel fewer than half of developers can spot security vulnerabilities later in the life cycle. Roughly half of security professionals said they most often found bugs after code is merged in a test environment.

At the same time, nearly 70% of developers said that while they are expected to write secure code, they get little guidance or help. One disgruntled programmer said, "It's a mess, no standardization, most of my work has never had a security scan." Another problem is it seems many companies don't take security seriously enough. Nearly 44% of those surveyed reported that they're not judged on their security vulnerabilities.
ZDNet also cites Linus Torvalds' remarks on the Linux kernel mailing list in 2017, complaining about how security people celebrate when code is hardened against an invalid access. "[F]rom a developer standpoint, things really are not done. Not even close. From a developer standpoint, the bad access was just a symptom, and it needs to be reported, and debugged, and fixed, so that the bug actually gets corrected. So from a developer standpoint, the end point of hardening is just the starting point, and when you think you're done, we're really only getting started."

Torvalds then pointed out that the user community also has a third set of entirely different expectations, adding that "the number one rule of kernel development is that 'we don't break users'. Because without users, your program is pointless, and all the development work you've done over decades is pointless... and security is pointless too, in the end." Juggling the interest of users and developers, Torvalds suggests security people should adopt "do no harm" as their mantra, and "when adding hardening features, the first step should *ALWAYS* be 'just report it'. Not killing things, not even stopping the access. Report it. Nothing else."

ZDNet: Slack published more details about a password reset operation that ZDNet reported earlier today. According to a statement the company published on its website, the password reset operation is related to the company's 2015 security breach. In March 2015, Slack said hackers gained access to some Slack infrastructure, including databases storing user credentials. Hackers stole hashed passwords, but they also planted code on the company's site to capture plaintext passwords that users entered when logging in. At the time, Slack reset passwords for users who it believed were impacted, and also added support for two-factor authentication for all accounts. But as ZDNet reported earlier today, the company recently received a batch of Slack users credentials, which prompted the company to start an investigation into its source and prepare a password reset procedure. "We immediately confirmed that a portion of the email addresses and password combinations were valid, reset those passwords, and explained our actions to the affected users," Slack said. In a message on its website, Slack said this batch of credentials came via its bug bounty program. The company said it initially believed the data came from users who had their PCs infected with malware, or users who reused passwords across different services.

We're reviving an old Slashdot tradition -- the review. Whenever there's something especially geeky -- or relevant to our present moment -- we'll share some thoughts. And I'd like to start with Jonathan Coulton's amazing 2017 album Solid State, and its trippy accompanying graphic novel adaptation by Matt Fraction. I even tracked down Jonathan Coulton on Friday for his thoughts on how it applies to our current moment in internet time...

"When I started work on Solid State, the only thing I could really think of that I wanted to say was something like, 'The internet sucks now'," Coulton said in 2017 in an epilogue to the graphic novel. "It's a little off-brand for me, so it was a scary place to start..."

So what does he think today? And what did we think of his album...?

This week Intel announced two new patches, according to Tom's Hardware: The flaw in the processor diagnostic tool (CVE-2019-11133) is rated 8.2 out 10 on the CVSS 3.0 scale, making it a high-severity vulnerability. The flaw [found by security researcher Jesse Michael from Eclypsium] "may allow an authenticated user to potentially enable escalation of privilege, information disclosure or denial of service via local access," according to Intel's latest security advisory. Versions of the tool that are older than 4.1.2.24 are affected.

The second vulnerability, found by Intel's internal team, is a medium-severity vulnerability in Intel's SSD DC S4500/S4600 series sold to data center customers. The flaw found in the SSD firmware versions older than SCV10150 obtained a 5.3 score on the CVSS 3.0 scale, so it was labeled medium-severity. The bug may allow an unprivileged user to enable privilege escalation via physical access.

As one of the flaws was uncovered by Intel itself and for the other the Eclypsium research coordinated with Intel for its disclosure, Intel was able to have ready the patches in time for the public announcement.