Bug

Vim and Neo Editors Vulnerable To High-Severity Bug (threatpost.com) 76

JustAnotherOldGuy quotes Threatpost: A high-severity bug impacting two popular command-line text editing applications, Vim and Neovim, allows remote attackers to execute arbitrary OS commands. Security researcher Armin Razmjou warned that exploiting the bug is as easy as tricking a target into clicking on a specially crafted text file in either editor. Razmjou outlined his research and created a proof-of-concept (PoC) attack demonstrating how an adversary can compromise a Linux system via Vim or Neovim. He said Vim versions before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution...

Vim and Neovim have both released patches for the bug (CVE-2019-12735) that the National Institute of Standards and Technology warns, "allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline."

"Beyond patching, it's recommended to disable modelines in the vimrc (set nomodeline), to use the securemodelines plugin, or to disable modelineexpr (since patch 8.1.1366, Vim-only) to disallow expressions in modelines," the researcher said.
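A defender-side check for the modeline vector described above, added here as an example (it is not the researcher's PoC and not from the Threatpost piece): it inspects only the lines Vim consults for modelines, parses both modeline forms, and flags any option that is not on a small allowlist, calling out `source`/`!` explicitly. The sample files are constructed.

```python
"""Scan the modeline region of a text file for risky Vim/Neovim modelines.

Vim only honours modelines in the first and last 'modelines' lines of a
file (default 5), so that is the only region a defender has to inspect
before a file is opened with modelines still enabled.
"""
import re

MODELINES = 5  # Vim's default 'modelines' value

# Both modeline forms start with one of these prefixes after whitespace
# (or at the very start of the line).
_PREFIX = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?P<body>.*)$")

# Options that only affect display or indentation; anything else is reported.
SAFE_OPTIONS = {
    "ts", "tabstop", "sw", "shiftwidth", "sts", "softtabstop",
    "et", "expandtab", "noet", "noexpandtab", "ft", "filetype",
    "syntax", "syn", "tw", "textwidth", "fenc", "fileencoding",
    "ff", "fileformat", "wrap", "nowrap", "ai", "autoindent",
}

def modeline_candidates(text):
    """Return (line_number, line) pairs that Vim would examine for modelines."""
    lines = text.splitlines()
    numbered = list(enumerate(lines, start=1))
    seen, out = set(), []
    for num, line in numbered[:MODELINES] + numbered[-MODELINES:]:
        if num not in seen:          # head and tail overlap in short files
            seen.add(num)
            out.append((num, line))
    return out

def parse_options(body):
    """Split a modeline body into option tokens.

    Form 2 ('set ... :text') is whitespace separated and ends at the first
    ':'; form 1 is separated by whitespace or ':'.
    """
    m = re.match(r"(?:se|set)\s+(?P<opts>[^:]*):", body)
    if m:
        return m.group("opts").split()
    return [tok for tok in re.split(r"[\s:]+", body) if tok]

def risky_modelines(text):
    """Return (line_number, reason) findings for every risky modeline option."""
    findings = []
    for num, line in modeline_candidates(text):
        m = _PREFIX.search(line)
        if not m:
            continue
        for opt in parse_options(m.group("body")):
            name = opt.split("=", 1)[0]
            if "source" in opt or "!" in opt:
                findings.append((num, f"command execution attempt: {opt}"))
            elif name not in SAFE_OPTIONS:
                findings.append((num, f"non-allowlisted option: {opt}"))
    return findings

# Constructed sample inputs (not from the article).
BENIGN = "#!/bin/sh\n# vim: set ts=4 sw=4 et ft=sh:\necho hello\n"
SUSPICIOUS = "Some notes\n" + "\n" * 7 + "# vi: fdm=expr fde=source!:fdl=0\n"
MIDDLE = "\n".join(["x"] * 6 + ["# vi: fde=source!:"] + ["x"] * 8)  # line 7 of 15
```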

IT

Microsoft Edge Might Come To Linux (zdnet.com) 146

The Microsoft Edge developer team held an AMA (Ask Me Anything) session on Reddit this week where they revealed some of their plans on current and upcoming features. From a report: The biggest tease the company dropped was its apparent willingness to release an Edge version for Linux -- a move that was once considered inconceivable. "We don't have any technical blockers to keep us from creating Linux binaries, and it's definitely something we'd like to do down the road. That being said, there is still work to make them 'customer ready' (installer, updaters, user sync, bug fixes, etc.) and something we are proud to give to you, so we aren't quite ready to commit to the work just yet. Right now, we are super focused on bringing stable versions of Edge first to other versions of Windows (as well as macOS), and then releasing our Beta channels," Edge devs said.

Security

Yubico To Replace Vulnerable YubiKey FIPS Security Keys (zdnet.com) 19

Yubico said today it plans to replace certain hardware security keys because of a firmware flaw that reduces the randomness of cryptographic keys generated by its devices. From a report: Affected products include models part of the YubiKey FIPS Series, a line of YubiKey authentication keys certified for use on US government networks (and others) according to the US government's Federal Information Processing Standards (FIPS). According to a Yubico security advisory published today, YubiKey FIPS Series devices that run firmware version 4.4.2 and 4.4.4 contain a bug that keeps "some predictable content" inside the device's data buffer after the power-up operation.

This "predictable content" will influence the randomness of cryptographic keys generated on the device for a short period after the boot-up, until the "predictable content" is all used up, and true random data is present in the buffer. This means that for a short period after booting up YubiKey FIPS Series devices with the affected 4.4.2 and 4.4.4 versions will generate keys that can be either recovered partially, or in full, depending on the cryptographic algorithm the key is working with for a particular authentication operation.

Google

Google's Go Lead: the Language Belongs To the Community (google.com) 60

Russ Cox (along with Rob Pike) is the tech lead for Google's Go team and its Go project. This week he responded on the Google group golang-nuts to a blogger who'd argued that "Go is Google's language, not ours."

First Cox points to a talk at Gophercon 2015 -- and its accompanying blog post -- which argued that Go's open source status is critical to its long-term success. He noted this week that "good ideas come from outside Google as often as they come from inside Google.... But getting to yes on every suggested new feature is not and never has been a goal." No one can speak for the entire Go community: it is large, it contains multitudes. As best we can, we try to hear all the many different perspectives of the Go community. We encourage bug reports and experience reports, and we run the annual Go user survey, and we hang out here on golang-nuts and on gophers slack precisely because all those mechanisms help us hear you better. We try to listen not just to the feature requests but the underlying problems people are having, and we try, as I said in the Gophercon talk, to find the small number of changes that solve 90% of the problems instead of the much more complex solution that gets to 99%. We try to add as little as possible to solve as much as possible.

In short, we aim to listen to everyone's problems and address as many of them as possible, but at the same time we don't aim to accept everyone's offered solutions. Instead we aim to create space for thoughtful discussions about the offered solutions and revisions to them, and to work toward a consensus about how to move forward...

The "proposal review" group meets roughly weekly to review proposal issues and make sure the process is working. We handle trivial yes and trivial no answers, but our primary job is to shepherd suggested proposals, bring in the necessary voices, and make sure discussions are proceeding constructively. We have talked in the past about whether to explicitly look for people outside Google to sit in our weekly meeting, but if that's really important, then we are not doing our job right. Again, our primary job is to make sure the issues get appropriate discussion on the issue tracker, where everyone can participate, and to lead that discussion toward a solution with broad agreement and acceptance. If you skim through any of the accepted proposals you will see how we spend most of our meetings nudging conversations along and trying to make sure we hear from everyone who has a stake in a particular decision.

It remains an explicit goal to enable anyone with a good piece of code or a good idea to be able to contribute it to the project, and we've continued to revise both the code contribution and proposal contribution docs as we find gaps. But as I said in 2015, the most important thing we the original authors of Go can do is to provide consistency of vision, to keep Go feeling like a coherent system, to keep Go Go. People may disagree with individual decisions. We may get some flat wrong. But we hope that the overall result still works well for everyone, and the decision process we have seems far more likely to preserve a coherent, understandable system than a standards committee or other process.

His conclusion? The Go language belongs to the Go community -- and, because it's open source, "the freedom to fork hopefully keeps me and the other current Go leadership honest."

Security

Docker Bug Allows Root Access To Host File System (duo.com) 76

Trailrunner7 shares a report: All of the current versions of Docker have a vulnerability that can allow an attacker to get read-write access to any path on the host server. The weakness is the result of a race condition in the Docker software and while there's a fix in the works, it has not yet been integrated. The bug is the result of the way that the Docker software handles some symbolic links, which are files that have paths to other directories or files. Researcher Aleksa Sarai discovered that in some situations, an attacker can insert his own symlink into a path during a short time window between the time that the path has been resolved and the time it is operated on. This is a variant of the time of check to time of use (TOCTOU) problem, specifically with the "docker cp" command, which copies files to and from containers.

"The basic premise of this attack is that FollowSymlinkInScope suffers from a fairly fundamental TOCTOU attack. The purpose of FollowSymlinkInScope is to take a given path and safely resolve it as though the process was inside the container. After the full path has been resolved, the resolved path is passed around a bit and then operated on a bit later (in the case of 'docker cp' it is opened when creating the archive that is streamed to the client)," Sarai said in his advisory on the problem. "If an attacker can add a symlink component to the path after the resolution but before it is operated on, then you could end up resolving the symlink path component on the host as root. In the case of 'docker cp' this gives you read and write access to any path on the host."

Medicine

Scientists Create World's First Living Organism With Fully Redesigned DNA 158

An anonymous reader quotes a report from The Guardian: Scientists have created the world's first living organism that has a fully synthetic and radically altered DNA code. In a two-year effort, researchers at the laboratory of molecular biology, at Cambridge University, read and redesigned the DNA of the bacterium Escherichia coli (E coli), before creating cells with a synthetic version of the altered genome. The artificial genome holds 4m base pairs, the units of the genetic code spelled out by the letters G, A, T and C. Printed in full on A4 sheets, it runs to 970 pages, making the genome the largest by far that scientists have ever built. The DNA coiled up inside a cell holds the instructions it needs to function. When the cell needs more protein to grow, for example, it reads the DNA that encodes the right protein. The DNA letters are read in trios called codons, such as TCG and TCA.

The Cambridge team set out to redesign the E coli genome by removing some of its superfluous codons. Working on a computer, the scientists went through the bug's DNA. Whenever they came across TCG, a codon that makes an amino acid called serine, they rewrote it as AGC, which does the same job. They replaced two more codons in a similar way. More than 18,000 edits later, the scientists had removed every occurrence of the three codons from the bug's genome. The redesigned genetic code was then chemically synthesized and, piece by piece, added to E coli where it replaced the organism's natural genome. The result, reported in Nature, is a microbe with a completely synthetic and radically altered DNA code. Known as Syn61, the bug is a little longer than normal, and grows more slowly, but survives nonetheless.

Bug

Division 2 Multiplayer and Single-Player Campaign Broken By Latest Update 27

Longtime Slashdot reader Andy Smith writes: Gamers enjoying the single-player campaign in The Division 2 have been bitten by a bug in the latest update that spawned a range of server connection issues. While you might expect this to affect only multiplayer games, The Division 2 controversially requires a continuous server connection for the single-player campaign to work. Since Tuesday, campaign players have reported being kicked out of the game and losing their items, skills, and mission progress. Not surprisingly, developer Massive has been inundated with complaints. The company said: "We are aware of the connectivity issues some players are experiencing. We are investigating and working on a solution."

Security

Google Recalls Its Bluetooth Titan Security Keys Because of a Security Bug (techcrunch.com) 21

Google today disclosed a security bug in its Bluetooth Titan Security Key that could allow an attacker in close physical proximity to circumvent the security the key is supposed to provide. From a report: The company says that the bug is due to a "misconfiguration in the Titan Security Keys' Bluetooth pairing protocols" and that even the faulty keys still protect against phishing attacks. Still, the company is providing a free replacement key to all existing users. The bug affects all Titan Bluetooth keys, which sell for $50 in a package that also includes a standard USB/NFC key, that have a "T1" or "T2" on the back.

Security

'Hard-To-Fix' Cisco Flaw Puts Work Email At Risk (bbc.com) 47

An anonymous reader quotes a report from the BBC: Security researchers have discovered serious vulnerabilities affecting dozens of Cisco devices. The flaws allow hackers to deceive the part of the product hardware that checks whether software updates come from legitimate sources. Experts believe this could put emails sent within an organization at risk as they may use compromised routers. Messages sent externally constitute less of a risk, however, as they tend to be encrypted. The California-based firm said it is working on "software fixes" for all affected hardware.

"We've shown that we can quietly and persistently disable the Trust Anchor," Red Balloon chief executive Ang Cui, told Wired magazine. "That means we can make arbitrary changes to a Cisco router, and the Trust Anchor will still report that the device is trustworthy. Which is scary and bad, because this is in every important Cisco product. Everything." Security experts believe that the vulnerability could cause a major headache for Cisco, which has listed dozens of its products as vulnerable on its website. "We don't know how many devices could have been affected and it's unlikely Cisco can tell either," said Prof Alan Woodward, a computer security expert based at Surrey University. "It could cost Cisco a lot of money."

Security firm Red Balloon has set up a website with more details on the vulnerabilities, which they are calling "Thrangrycat."

Privacy

Twitter Bug Shared Location Data For Some iOS Users (zdnet.com) 9

Twitter today disclosed a bug in its platform that impacted the privacy of some of its iOS app's users. From a report: "We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances," Twitter said. The company said the bug only occurred on its iOS app where users added a second Twitter account on their phones. If they allowed Twitter access to precise location data in one account, then that setting was applied to both accounts managed via the iOS app. This meant the app sent precise location data to Twitter, which then made it available to "a trusted partner during an advertising process known as real-time bidding," even for accounts users didn't agree to share such info.

Android

Google Play Will Weight App Ratings To Favor Those From More Recent Releases (techcrunch.com) 60

Google announced today it's making a change to how its Play Store app ratings work. "[I]nstead of giving developers the choice of when ratings will reset, it will begin to weight app ratings to favor those from more recent releases," reports TechCrunch. Milena Nikolic, an engineering director leading Google Play Console, said that soon the average rating calculation for apps will be updated for all Android apps on Google Play.

"With this update, users will be able to better see, at a glance, the current state of the app -- meaning, any fixes and changes that made it a better experience over the years will now be taken into account when determining the rating," reports TechCrunch. "On the flip side, however, this change also means that once high-quality apps that have since failed to release new updates and bug fixes will now have a rating that reflects their current state of decline." In response to the announcement, Slashdot reader shanen writes: Basically I regard this as a good news story, though in relative terms. Of course the old data should get discounted if newer data is available. Too bad today's Google is certain to mangle the implementation, probably claiming they need more layers of secrecy to prevent more clever gaming of the new ratings system. However, the change I REALLY want to see would be more exposure of the developers' financial models for the apps. Following the money really works.

Government

Top Cybersecurity Experts Unite to Counter Right-to-Repair FUD (securepairs.org) 49

Long-time Slashdot reader chicksdaddy writes: Some of the world's leading cybersecurity experts have come together to counter electronics and technology industry efforts to paint proposed right to repair laws in 20 states as a cyber security risk. The experts have launched securepairs.org, a group that is galvanizing information security industry support for right to repair laws that are being debated in state capitols.

Among the experts who are stepping forward is a who's who of the information security space, including cryptography experts Bruce Schneier of IBM and Harvard University and Jon Callas of ACLU, secure coding gurus Gary McGraw of Cigital and Chris Wysopal of Veracode, bug bounty pioneer Katie Moussouris of Luta Security, hardware hackers Joe Grand (aka KingPin) and Billy Rios of Whitescope, nmap creator Gordon "Fyodor" Lyon, Johannes Ullrich of SANS Internet Storm Center and Dan Geer, the CISO of In-Q-Tel. Together, they are calling out electronics and technology industry efforts to keep replacement parts, documentation and diagnostic tools for digital devices secret in the name of cyber security.

"False and misleading information about the cyber risks of repair is being directed at state legislators who are considering right to repair laws," said Paul Roberts, the founder of securepairs.org and Editor in Chief at The Security Ledger, an independent cyber security blog. "Securepairs.org is a voice of reason that will provide policy makers with accurate information about the security problems plaguing connected devices. We will make the case that right to repair laws will bring about a more secure, not less secure future."

"As cyber security professionals, we have a responsibility to provide accurate information and reliable advice to lawmakers who are considering Right to Repair laws," said Joe Grand of Grand Idea Studio, a hardware hacker and embedded systems security expert.

The group will counter stealthy but well-funded industry efforts to kill off right to repair legislation where it comes up. That has included the creation of front groups like the Security Innovation Center, which has enlisted technology industry executives and academics to write opinion pieces casting right to repair laws as a giveaway to cybercriminals.

Securepairs organizers say they hope to mobilize information security professionals to help secure the right to repair in their home states: writing letters and emails and providing expert testimony about the real sources of cyber risks in connected devices.

Firefox

A Glitch Is Breaking All Firefox Extensions (techcrunch.com) 311

Did you just open Firefox only to find all of your extensions disabled and/or otherwise not working? You're not alone, and it's nothing you did. From a report: Reports are pouring in of a glitch that has spontaneously disabled effectively all Firefox extensions. Each extension is now being listed as a "legacy" extension, alongside a warning that it "could not be verified for use in Firefox and has been disabled." A ticket submitted to Mozilla's Bugzilla bug tracker first hit at around 5:40 PM Pacific, and suggests the sudden failure is due to a code signing certificate built into the browser that expired just after 5 PM (or midnight on May 4th in UTC time). Because the glitch stems from an underlying certificate, re-installing extensions won't work -- if you try, you'll likely just be met with a different error message. Getting extensions back for everyone is going to require Mozilla to issue a patch.

UPDATE (5/5/2019): On Sunday Firefox released the second of two weekend updates to address the problem, tweeting that "There are some issues we're still working on, but we wanted to get this release out and get your add-ons back up & running before Monday."

GNOME

Fedora 30 Linux Distro Is Here (betanews.com) 128

Fedora 30, the newest release of the venerable Linux distribution that serves (in part) as the staging environment for Red Hat Enterprise Linux, was released Tuesday, bringing with it a number of improvements and performance optimizations. From a report: The most exciting aspect, for workstation/desktop users at least, is the update to GNOME 3.32. Of course, that is hardly the only notable update -- the DNF package manager is getting a performance boost, for instance. In other words, this is a significant operating system upgrade that should delight both existing Fedora users and beginners alike. "Fedora 30 brings enhancements to all editions with updates to the common underlying packages, from bug fixes and performance tweaks to new versions. In Fedora 30, base updates include Bash shell 5.0, Fish 3.0, the GNU Compiler Collection (GCC) 9 and Ruby 2.6. Fedora 30 also now uses the zchunk format for data compression within the DNF repository. When metadata is compressed using zchunk DNF will only download the differences between earlier copies of metadata and the current versions, saving on resources and increasing efficiency," says The Fedora Project.

Android

Security Flaw Lets Attackers Recover Private Keys From Qualcomm Chips (zdnet.com) 44

Devices using Qualcomm chipsets, and especially smartphones and tablets, are vulnerable to a new security bug that can let attackers retrieve private data and encryption keys that are stored in a secure area of the chipset known as the Qualcomm Secure Execution Environment (QSEE). From a report: Qualcomm has deployed patches for this bug (CVE-2018-11976) earlier this month; however, knowing the sad state of Android OS updates, this will most likely leave many smartphones and tablets vulnerable for years to come. The vulnerability impacts how the Qualcomm chips (used in hundreds of millions of Android devices) handle data processed inside the QSEE.

Privacy

Nokia 9 Buggy Update Lets Anyone Bypass Fingerprint Scanner With a Pack of Gum (zdnet.com) 15

A buggy update for Nokia 9 PureView handsets has apparently impacted the smartphone model's in-screen fingerprint scanner, which can now be bypassed using unregistered fingerprints or even with something as banal as a pack of gum. From a report: Multiple users have complained about this problem over the weekend, after installing an OS update (v4.22) released on April 18. The update was meant to improve the phone's in-screen fingerprint scanner module -- so that users won't have to press their fingers too hard on the screen before the phone unlocks -- yet it had the exact opposite effect the company hoped for. While initially, the reported issues appeared to be new, a video recorded by another user showed the same problem (unlocking phones with unregistered fingerprints) even before the v4.22 update, meaning that the update just made the unlocking bug worse than it already was.

Oracle

Red Hat Takes Over Maintenance of OpenJDK 8 and OpenJDK 11 From Oracle (infoworld.com) 55

"Red Hat is taking over maintenance responsibilities for OpenJDK 8 and OpenJDK 11 from Oracle," reports InfoWorld: Red Hat will now oversee bug fixes and security patches for the two older releases, which serve as the basis for two long-term support releases of Java. Red Hat's updates will feed into releases of Java from Oracle, Red Hat, and other providers... Previously, Red Hat led the OpenJDK 6 and OpenJDK 7 projects. Red Hat is not taking over OpenJDK 9 or OpenJDK 10, which were short-term releases with a six-month support window.

Bug

Notre Dame Official Says 'Computer Glitch' Could Be Fire Culprit (cbsnews.com) 173

A "computer glitch" may have been behind the fast-spreading fire that ravaged Notre Dame, Associated Press reported Friday, citing the cathedral's rector. From the report: Speaking during a meeting of local business owners, rector Patrick Chauvet did not elaborate on the exact nature of the glitch, adding that "we may find out what happened in two or three months." On Thursday, Paris police investigators said they think an electrical short-circuit most likely caused the fire. French newspaper Le Parisien has reported that a fire alarm went off at Notre Dame shortly after 6 p.m. Monday but a computer bug showed the fire's location in the wrong place. The paper reported the flames may have started at the bottom of the cathedral's giant spire and may have been caused by an electrical problem in an elevator. Chauvet said there were fire alarms throughout the building, which he described as "well protected."

Bug

New York City Has a Y2K-Like Problem, and It Doesn't Want You To Know About It (nytimes.com) 119

On April 6, something known as the GPS rollover, a cousin to the dreaded Y2K bug, mostly came and went, as businesses and government agencies around the world heeded warnings and made software or hardware updates in advance. But in New York, something went wrong -- and city officials seem to not want anyone to know. [Editor's note: the link may be paywalled; alternative source] New submitter RAYinNYC shares a report: At 7:59 p.m. E.D.T. on Saturday, the New York City Wireless Network, or NYCWiN, went dark, waylaying numerous city tasks and functions, including the collection and transmission of information from some Police Department license plate readers. The shutdown also interrupted the ability of the Department of Transportation to program traffic lights, and prevented agencies such as the sanitation and parks departments from staying connected with far-flung offices and work sites. The culprit was a long-anticipated calendar reset of the centralized Global Positioning System, which connects to devices and computer networks around the world. There has been no public disclosure that NYCWiN, a $500 million network built for the city by Northrop Grumman, was offline and remains so, even as workers are trying to restore it.

City officials tried to play down the shutdown when first asked about it on Monday, speaking of it as if it were a routine maintenance issue. "The city is in the process of upgrading some components of our private wireless network," Stephanie Raphael, a spokeswoman for the Department of Information Technology and Telecommunications, said in an email on Monday. She referred to the glitch as a "brief software installation period." By Tuesday, the agency acknowledged the network shutdown, but said in an emailed statement that "no critical public safety systems are affected." Ms. Raphael admitted that technicians have been unable to get the network back up and running, adding, "We're working overtime to update the network and bring all of it back online." The problem has raised questions about whether the city had taken appropriate measures to prepare the network for the GPS rollover.
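The 10-bit week arithmetic behind the rollover, as an added example that is not taken from the Times report: a decoder that hard-codes the 1999-2019 era jumps back to August 1999 when the broadcast week wraps to 0 on 6/7 April 2019, while a decoder anchored to a reference date (the constructed `FIRMWARE_REFERENCE` and `EARLY_REFERENCE` below) is correct for 1024 weeks after that date and then fails the same way.

```python
from datetime import datetime, timedelta, timezone

GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)  # GPS week 0 began here
WEEK = timedelta(days=7)
ERA = 1024  # the broadcast week number is only 10 bits wide

# Constructed reference dates standing in for a firmware build date.
FIRMWARE_REFERENCE = datetime(2008, 6, 1, tzinfo=timezone.utc)
EARLY_REFERENCE = datetime(1998, 1, 1, tzinfo=timezone.utc)
ROLLOVER_DAY = datetime(2019, 4, 7, tzinfo=timezone.utc)

def truncated_week(when):
    """The week number a receiver actually sees: the full count modulo 1024.

    GPS time does not count leap seconds, so the real rollover instant was
    18 s before 2019-04-07 00:00 UTC (late on Saturday 6 April in New
    York); whole weeks are enough for this demonstration.
    """
    return ((when - GPS_EPOCH) // WEEK) % ERA

def week_to_date(full_week):
    """Start of a full (untruncated) GPS week as a UTC datetime."""
    return GPS_EPOCH + full_week * WEEK

def decode_fixed_era(week10, era):
    """The fragile decoder: assume a hard-coded era (0 = 1980..1999,
    1 = 1999..2019, ...). Correct only until the next rollover."""
    return week_to_date(era * ERA + week10)

def decode_with_reference(week10, reference):
    """The robust decoder: pick the first week on or after 'reference'
    that is congruent to week10 modulo 1024. Valid for exactly 1024
    weeks after the reference date."""
    if not 0 <= week10 < ERA:
        raise ValueError("week number must fit in 10 bits")
    ref_week = (reference - GPS_EPOCH) // WEEK
    full = ref_week - ref_week % ERA + week10   # same era as the reference
    if full < ref_week:
        full += ERA                             # wrap into the next era
    return week_to_date(full)

def next_failure(reference):
    """When a reference-date decoder will start misreading weeks again."""
    ref_week = (reference - GPS_EPOCH) // WEEK
    return week_to_date(ref_week + ERA)

if __name__ == "__main__":
    w = truncated_week(ROLLOVER_DAY)
    print("broadcast week on rollover day:", w)
    print("fixed era 1 decodes it as:", decode_fixed_era(w, 1).date())
    print("2008 reference decodes it as:",
          decode_with_reference(w, FIRMWARE_REFERENCE).date())
    print("1998 reference decodes it as:",
          decode_with_reference(w, EARLY_REFERENCE).date())
    print("2008 reference fails again on:", next_failure(FIRMWARE_REFERENCE).date())
```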

Bug

Scranos Rootkit Expands Operations From China To the Rest of the World (zdnet.com) 27

A malware operation previously limited to China's borders has expanded over the past few months to infect users from all over the world, antivirus firm Bitdefender said in a report published today. From a report: Users who have the bad habit of downloading and installing cracked software applications are at the highest risk. According to Bitdefender experts, these apps are laced with a relatively new malware strain named Scranos. The most important piece of this malware is a rootkit driver that's hidden inside the tainted apps and which allows the malware to gain boot persistence and take full control over users' systems in the early stages of an infection. Although Bitdefender describes Scranos as "a work in progress, with many components in the early stage of development," the malware is still very dangerous as it is. That's because Scranos is a modular threat that, once it infects a host computer, can ping its command and control (C&C) server for additional instructions and then download small modules to execute a fine set of operations.
