Firefox

Malicious Sites Abuse 11-Year-Old Firefox Bug That Mozilla Failed To Fix (zdnet.com) 91

Malware authors, ad farmers, and scammers are abusing a Firefox bug to trap users on malicious sites. From a report: This wouldn't be a big deal, as the web is fraught with these kinds of malicious sites, but these websites aren't abusing some new never-before-seen trick, but a Firefox bug that Mozilla engineers appear to have failed to fix in the 11 years since it was first reported back in April 2007. The bug narrows down to a malicious website embedding an iframe inside its source code. The iframe makes an HTTP authentication request on another domain.

[...] For the past few years, malware authors, ad farmers, and scammers have been abusing this bug to lure users on sites where they show all sorts of nasties, such as tech support scams, ad farms that reload the page with new ads in a loop, pages that push users to buy fake gift cards, or sites that offer malware-laced software updates. Whenever users try to leave, the owners of these shady sites trigger the authentication modal in a loop.

Businesses

Apple Store Employees Aren't Allowed To Say 'Crash', 'Bug', or 'Problem' (theguardian.com) 308

Long-time Slashdot reader mspohr shares a Guardian article which argues that Apple Store employees "are underpaid, overhyped and characters in a well-managed fiction story" who "use emotional guile to sell products": When customers run into trouble with their products, geniuses are encouraged to sympathize, but only by apologizing that customers feel bad, lest they implicate Apple's products as the source of the trouble. In this gas-lit performance of a "problem free" brand philosophy, many words are actually verboten for staff. Do not use words like crash, hang, bug, or problem, employees are told. Instead say does not respond, stops responding, condition, issue, or situation. Avoid saying incompatible; instead use does not work with. Staff have reported the absurdist dialogues that can result, like when they are not allowed to tell customers that they cannot help even in the most hopeless cases, leading customers into circular conversations with employees able neither to help nor to refuse to do so....

[I]n a move so ridiculous it's almost certain to be a hit, the Genius Bar has been rebranded the "Genius Grove". Windows are opened to blur the distinction between inside and outside, and the stores are promoted as quasi-public spaces. "We actually don't call them stores any more," the new head of retail at Apple, former Burberry executive Angela Ahrendts (2017 salary: $24,216,072), recently told the press. "We call them town squares."

The article argues that since their launch in 2001, Apple Stores "have raked in more money -- in total and per square foot -- than any other retailer on the planet, transforming Apple into the world's richest company in the process."

But it also complains that Apple's wealth "flows from the privatization of publicly funded research, mixed with the ability to command the low-wage labor of our Chinese peers, sold by empathetic retailers forbidden from saying 'crash'."
Google

If Your Gmail Inbox Is Being Flooded With Promo Emails, You're Not Alone (buzzfeednews.com) 49

Gmail users are reporting that promotional emails (meant to showcase deals, offers, and other marketing emails) from companies are ending up in their main "Primary" inbox (meant for person-to-person conversations and messages that don't appear in other tabs). The company says it is working on a fix. From a report: Google told BuzzFeed News it's working on a fix, but it did not specify when users should expect inboxes to go back to normal. In a statement, a spokesperson said, "We are aware of an issue in Gmail causing certain promotional email to be incorrectly categorized. We are rolling out a fix shortly."
Cloud

Kubernetes' First Major Security Hole Discovered (zdnet.com) 90

Kubernetes has become the most popular cloud container orchestration system by far, so it was only a matter of time until its first major security hole was discovered. And the bug, CVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It's a CVSS 9.8 critical security hole. From a report: With a specially crafted network request, any user can establish a connection through the Kubernetes application programming interface (API) server to a backend server. Once established, an attacker can send arbitrary requests over the network connection directly to that backend. Adding insult to injury, these requests are authenticated with the Kubernetes API server's Transport Layer Security (TLS) credentials. Can you say root? I knew you could. Worse still, "In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation." So, yes, anyone who knows about this hole can take command of your Kubernetes cluster.
Bug

Monarch Butterfly Populations In the West Are Down an Order of Magnitude (qz.com) 100

An anonymous reader quotes a report from Quartz: Far fewer [monarch butterflies] were heading south this year, and those that have arrived did so a month late, according to Xerces, a non-profit conservation group for invertebrates. One researcher said it was the fewest monarch butterflies in central California in 46 years. Surveyors at 97 sites found only 20,456 monarchs compared to 148,000 at the same sites last year, an 86% decline. It's possible more insects will make the journey late this year, says Xerces, but that now seems unlikely. The minimum population size before the species experiences "migration collapse" is unknown, but a 2017 modeling paper in Biological Conservation (pdf) found that 30,000 adult butterflies are probably the smallest viable population. Without this critical mass, there aren't enough insects in the western monarch population to continue one of the world's most remarkable lifecycles.
Windows

Latest Windows 10 Update Breaks Windows Media Player, Win32 Apps In General (arstechnica.com) 200

An anonymous reader quotes a report from Ars Technica: The important data loss bug that interrupted the rollout of the Windows 10 October 2018 Update, version 1809, may be fixed, but it turns out there are plenty of other weird problems with the release. As spotted by Paul Thurrott, the update also breaks the seek bar in Windows Media Player when playing "specific files." Microsoft does promise to fix the bug, but the timeframe is vaguely open-ended: it will be "in an upcoming release."

Also in the "how did that happen" category comes another bug: some Win32 programs can't be set as the default program for a given file type. So if you want certain files to always open in Notepad, for example, you're currently out of luck. A fix for this is promised by the end of the month. Setting default program associations is something that's been in Windows for 20-something years, so it's a little alarming that it should be broken. On top of this, there continue to be complaints that Windows 10 version 1809 doesn't work with iCloud, and machines with the iCloud client are currently blacklisted to prevent them from receiving the 1809 update. It's not immediately clear whose fault this one is -- it could be Microsoft's, but it's also possible that Apple is to blame.

Bug

New Gmail Bug Allows Sending Messages Anonymously (bleepingcomputer.com) 55

Earlier this week software developer Tim Cotten discovered a serious glitch in Gmail. An anonymous reader quotes BleepingComputer: Tampering with the 'From:' header by replacing some text with an <object>, <script> or <img> tag causes the interface to show a blank space instead of the sender's address.... Opening the email does not help, either, as the sender's address continues to remain hidden and shows no info even when hovering on it, an action that typically reveals the details.... Trying to reply to the message is also of no help. Cotten attempted this thinking that Gmail would read the original email headers and determine the destination. "Wrong again! Gmail is at a complete loss at what to do!" Cotten writes in a blog post that details his new finding....

Using the Show Original option, which allows users with more experience to trace an email, the desired detail is still unavailable in the user-friendly view. Looking at the raw info, however, shows the source address buried at the end of the <img> tag Cotten used in his experiment. He didn't even have to spell the data type correctly to trigger the bug. Unfortunately, it is highly unlikely that the average Gmail user will be able to navigate to this area and determine who the apparently anonymous message is coming from. Due to this, for these users the risk of phishing is high.

Cotten's bug report "relies on his previous discovery that proved how a malformed 'From:' header allows placing an arbitrary email address in the sender field," the article points out, also noting a third recently-reported Gmail bug that "allows fraudsters to create a 'mailto:' link that populates the destination field in the app with whatever address they want; the latter was reported about 19 months ago to Google and is still present in the Gmail app for Android."

"According to the developer, one solution Google could implement to avoid forging the From field is to properly check the email headers and deny communication with an anomalous structure in the sender or recipient fields. Another method proposed by Cotten is Joran Greef's project Ronomon, which can trigger errors when email specifications are not followed."

Threatpost reported Tuesday that Google "did not respond to a request for comment."
Microsoft

That Time The Windows Kernel Fought Gamma Rays Corrupting Its Processor Cache (microsoft.com) 166

Long-time Microsoft programmer Raymond Chen recently shared a memory about an unusual single-line instruction that was once added into the Windows kernel code -- accompanied by an "incredulous" comment from the Microsoft programmer who added it:

;
; Invalidate the processor cache so that any stray gamma
; rays (I'm serious) that may have flipped cache bits
; while in S1 will be ignored.
;
; Honestly. The processor manufacturer asked for this.
; I'm serious.
invd


"Less than three weeks later, the INVD instruction was commented out," writes Chen. "But the comment block remains.

"In case we decide to resume trying to deal with gamma rays corrupting the the processor cache, I guess."
Chrome

Google Developer Says Chrome Team is Working on a Scrollable Tabstrip For the Browser (techdows.com) 82

If you're a tab-hoarder, and you use the Chrome browser, Google may have some news for you soon. The company is working on a scrollable tabstrip to make it easier for users to navigate through tabs, a developer was quoted as saying. Peter Kasting, who works on Chrome UI, said, "scrollable tabstrip is in the works. In the meantime, try shift-clicking and ctrl-clicking to select multiple tabs at once, then drag out to separate Windows to group tabs by Window." TechDows, which first reported the development: We're expecting this, as the related bug, the 'UI: tab overflow' bug created 10 years back, reports that opening too many tabs causes the add tab button (+) to disappear and tabs do not scroll; the expected result has been mentioned as 'scrollable tabs.' Further reading: Google is raiding Firefox for Chrome's next UI features.
Microsoft

Microsoft Pulls Some Non-Security Updates For Microsoft Office 2010, 2013 and 2016 That It Released Earlier This Month (betanews.com) 58

Mark Wilson, writing for BetaNews: Having released a series of updates for Office 2010, 2013 and 2016 as part of this month's Patch Tuesday, Microsoft has now pulled two of them and advised sysadmins to uninstall the updates if they have already been installed. In both instances -- KB4461522 and KB2863821 -- Microsoft says that the problematic updates can lead to application crashes. While this is not as serious a problem as, say, data loss, it does little to quieten the fears that have been voiced about the quality control Microsoft has over its updates.
Java

Amazon Releases A No-Cost Distribution of OpenJDK (sdtimes.com) 95

An anonymous reader quotes SD Times: Amazon wants to make sure Java is available for free to its users in the long term with the introduction of Amazon Corretto. The solution is a no-cost, multi-platform, production-ready distribution of the Open Java Development Kit (OpenJDK). "Java is one of the most popular languages in use by AWS customers, and we are committed to supporting Java and keeping it free," Arun Gupta, principal open-source technologist at Amazon, wrote in a blog post. "Many of our customers have become concerned that they would have to pay for a long-term supported version of Java to run their workloads. As a first step, we recently re-affirmed long-term support for Java in Amazon Linux. However, our customers and the broader Java community run Java on a variety of platforms, both on and off of AWS."

Amazon Corretto will be available with long-term support and Amazon will continue to make performance enhancements and security fixes to it, the company explained. Amazon plans on making quarterly updates with bug fixes and patches, as well as any urgent fixes necessary outside of its schedule... Corretto 8 is available as a preview with features corresponding to those in OpenJDK 8. General availability for the solution is planned for Q1 2019... "Corretto is designed as a drop-in replacement for all Java SE distributions unless you're using features not available in OpenJDK (e.g., Java Flight Recorder)," Gupta wrote....

According to Gupta, Corretto 8 will be available at no cost until at least June of 2023. The company is working on Corretto 11, which will be available until at least August of 2024. "Amazon has already made several contributions to OpenJDK 8 and we look forward to working closely with the OpenJDK community on future enhancements to OpenJDK 8 and 11," Gupta wrote. "We downstream fixes made in OpenJDK, add enhancements based on our own experience and needs, and then produce Corretto builds. In case any upstreaming efforts for such patches are not successful, delayed, or not appropriate for the OpenJDK project, we will provide them to our customers for as long as they add value. If an issue is solved a different way in OpenJDK, we will move to that solution as soon as it is safe to do so."

Programming

GitHub's Annual Report Reveals This Year's Top Contributor: Microsoft (github.com) 67

GitHub saw more than 67 million pull requests this year -- more than a third of GitHub's "lifetime" total of 200 million pull requests since its launch in 2008. It now hosts 96 million repositories, and has over 31 million contributors -- including 8 million who just joined within the last 12 months.

These are among the facts released in GitHub's annual "State of the Octoverse" report -- a surprising number of which involve Microsoft.
  • GitHub's top project this year, by contributor count, was Microsoft's Visual Studio Code (with 19,000 contributors), followed by Facebook's React Native (10,000), TensorFlow (9,300) and Angular CLI (8,800) -- as well as Angular (7,600) -- and the open source documentation for Microsoft Azure (7,800).
  • Microsoft now has more employees contributing to open source projects than any other company or organization (7,700 employees), followed by Google (5,500), Red Hat (3,300), U.C. Berkeley (2,700), and Intel (2,200).
  • The open source documentation for Microsoft Azure is GitHub's fastest-growing open source project, followed by PyTorch (an open source machine learning library for Python).
  • Among the "Cool new open source projects" is an Electron app running Windows 95.

But more than 2.1 million organizations are now using GitHub (including public and private repositories) -- which is 40% more than last year -- and the report offers a fun glimpse into the minutiae of life in the coding community.

Security

Lock-Screen Bypass Bug Quietly Patched In Handsets (threatpost.com) 21

secwatcher shares a report from Threatpost: A design flaw affecting all in-display fingerprint sensors -- that left over a half-dozen cellphone models vulnerable to a trivial lock-screen bypass attack -- has been quietly patched. The flaw was tied to a bug in the popular in-display fingerprint reader technology used for user authentication. In-display fingerprint reader technology is widely considered an up-and-coming feature to be used in a number of flagship model phones introduced in 2019 by top OEM phone makers, according to Tencent's Xuanwu Lab which is credited for first identifying the flaw earlier this year. Impacted are all phones tested in the first half of 2018 that had in-display fingerprint sensors. That includes current models of Huawei Technologies' Porsche Design Mate RS and Mate 20 Pro model phones. Researchers said that many more cellphone manufacturers are impacted by the issue. The most popular phone in the U.S. that is impacted by this vulnerability is the OnePlus 6T. "[A]ll an attacker needs to carry out the attack is an opaque reflective material such as aluminum foil," reports Threatpost. "By placing the reflective material over a residual fingerprint on the phone's display the capacitance fingerprint imaging mechanism can be tricked into authenticating a fingerprint."
Bug

The Internet Has a Huge C/C++ Problem and Developers Don't Want to Deal With It (vice.com) 663

What do Heartbleed, WannaCry, and million dollar iPhone bugs have in common? From a report: One bug affects iPhones, another affects Windows, and the third affects servers running Linux. At first glance these might seem unrelated, but in reality all three were made possible because the software that was being exploited was written in programming languages which allow a category of errors called "memory unsafety." By allowing these types of vulnerabilities, languages such as C and C++ have facilitated a nearly unending stream of critical computer security vulnerabilities for years.

Imagine you had a program with a list of 10 numbers. What should happen if you asked the list for its 11th element? Most of us would say an error of some sort should occur, and in a memory safe programming language (for example, Python or Java) that's what would happen. In a memory unsafe programming language, it'll look at wherever in memory the 11th element would be (if it existed) and try to access it. Sometimes this will result in a crash, but in many cases you get whatever happens to be at that location in memory, even if that portion of memory has nothing to do with our list. This type of vulnerability is called a "buffer-overflow," and it's one of the most common types of memory unsafety vulnerabilities. Heartbleed, which impacted 17 percent of the secure web servers on the internet, was a buffer-overflow exploit, letting you read 60 kilobytes past the end of a list, including passwords and other users' data.
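
The "11th element" scenario above, written out in C as an added example (not code from the article or from any of the projects it names). The memory layout is constructed so the behaviour is deterministic and legal: the 10-element list is the front of a larger array whose tail holds unrelated data, so an unchecked read of index 10 stays inside the array while returning bytes that have nothing to do with the list. The second pair of functions shows the same defect in the shape Heartbleed had, a caller-supplied length that is trusted, beside a version that clamps it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed memory layout (not from the article): the program's list of 10
 * numbers sits at the start of a larger array, and the two ints that follow
 * belong to something else entirely, here a stand-in "secret" value. */
enum { LIST_LEN = 10 };
static int memory[LIST_LEN + 2] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 0x5EC2E7, 0x0DDBA11};
static int *list = memory;   /* the rest of the program believes this holds 10 numbers */

/* Likewise constructed: a 5-byte payload followed in the same buffer by a
 * token that the payload's owner was never meant to read. */
static char record[] = "hello\0token=s3cr3t\0";

/* Memory-unsafe accessor: no bounds check, so asking for the "11th element"
 * (index 10) silently returns whatever happens to follow the list. */
int unsafe_get(const int *lst, size_t idx)
{
    return lst[idx];
}

/* Bounds-checked accessor: an out-of-range index is reported as an error
 * (-1) instead of being turned into a read of neighbouring memory. */
int safe_get(const int *lst, size_t len, size_t idx, int *out)
{
    if (idx >= len) return -1;
    *out = lst[idx];
    return 0;
}

/* Heartbleed-shaped read: the caller's claimed length is trusted, so a claim
 * larger than the real payload copies out the bytes that follow it. */
size_t unsafe_copy(char *dst, const char *src, size_t claimed_len)
{
    memcpy(dst, src, claimed_len);
    return claimed_len;
}

/* Checked read: the copy is clamped to the payload that actually exists and
 * to the destination's capacity, so the claim cannot over-read. */
size_t safe_copy(char *dst, size_t dst_cap, const char *src, size_t src_len, size_t claimed_len)
{
    size_t n = claimed_len < src_len ? claimed_len : src_len;
    if (n > dst_cap) n = dst_cap;
    memcpy(dst, src, n);
    return n;
}

int main(void)
{
    int v = 0;
    char out[32] = {0};

    printf("unsafe_get(list, 10) = 0x%X   (not part of the list)\n", unsafe_get(list, 10));
    printf("safe_get(list, 10, 10) -> %d (rejected)\n", safe_get(list, LIST_LEN, 10, &v));

    unsafe_copy(out, record, 18);
    printf("unsafe_copy leaked: \"%s\"\n", out + 6);   /* the token that follows the payload */
    memset(out, 0, sizeof out);
    printf("safe_copy copied %zu bytes\n", safe_copy(out, sizeof out, record, 5, 18));
    return 0;
}
```

In a real program the bytes after the list are whatever the allocator placed there, which is exactly why such reads are so damaging; here they are fixed so the leak can be inspected. The checked versions are what a memory-safe language does for every access implicitly, and what C code has to do by hand at every trust boundary.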

Bug

Nasty Adobe Bug Deleted $250,000 Worth of Man's Files, Lawsuit Claims (gizmodo.com) 275

Freelance videographer Dave Cooper has filed a class action lawsuit against Adobe, alleging that an update to Premiere Pro came with a flaw in the way it handles file management that resulted in the deletion of 500 hours of video clips that he claims were worth around $250,000. Adobe has since patched the bug. Gizmodo reports: Premiere creates redundant video files that are stored in a "Media Cache" folder while a user is working on a project. This takes up a lot of hard drive space, and Cooper instructed the video editing suite to place the folder inside a "Videos" directory on an external hard drive, according to court documents. The "Videos" folder contained footage that wasn't associated with a Premiere project, which should've been fine. When a user is done working on a project they typically clear the "Media Cache" and move on with their lives. Unfortunately, Cooper says that when he initiated the "Clean Cache" function it indiscriminately deleted the contents of his "Videos" folder forever.

Cooper claims that he lost around 100,000 individual clips and that it cost him close to $250,000 to capture that footage. After spending three days trying to recover the data, he admitted that all was lost, the lawsuit says. He also apparently lost work files for edits he was working on and says that he's missed out on subsequent licensing opportunities. On behalf of himself and other users who wish to join the suit, he's asking the court for a jury trial and is seeking "monetary damages, including but not limited to any compensatory, incidental, or consequential damages in an amount that the Court or jury will determine, in accordance with applicable law."

Chrome

Facebook Patches Vulnerability That Could Have Exposed User Data (theverge.com) 19

Yet another vulnerability has been patched that could have exposed user data. According to security company Imperva, the bug "allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser," reports The Verge. From the report: In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information. Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user's friends like a company's Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user's friends. Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019. A Facebook representative told The Verge: "We appreciate this researcher's report to our bug bounty program. We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."
Windows

Microsoft Resumes Rollout of Windows 10 Version 1809, Promises Quality Changes (zdnet.com) 139

Microsoft on Wednesday resumed the rollout of Windows 10 version 1809. The re-release of the so-called October 2018 Update comes more than five weeks after the company pulled the original installation files from its download servers and stopped its scheduled delivery through Windows Update. From a report: In a blog post, Microsoft's John Cable, the director of Program Management for Windows Servicing and Delivery, says the data-destroying bug that triggered that unprecedented decision, as well as other quality issues that emerged during the unscheduled hiatus, have been "thoroughly investigated and resolved."
Botnet

A 100,000-Router Botnet Is Feeding On a 5-Year-Old UPnP Bug In Broadcom Chips (arstechnica.com) 39

An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.
Oracle

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com) 130

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.

Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."
Windows

Microsoft Launches Free AV1 Video Codec For Windows 10 (softpedia.com) 48

Microsoft has released a free AV1 video codec for Windows 10 devices that's available via the Microsoft Store.

"Play AV1 videos on your Windows 10 device. This extension is an early beta version of the AV1 software decoder that lets you play videos that have been encoded using the AV1 video coding standard developed by the Alliance for Open Media," the company says. "Since this is an early release, you might see some performance issues when playing AV1 videos. We're continuing to improve this extension. If you allow apps to be updated automatically, you should get the latest updates and improvements when we release them." Softpedia reports: Oddly enough, the codec can only be installed on devices running Windows 10 October 2018 Update, which is no longer up for grabs after Microsoft pulled it last month. It remains to be seen how often Microsoft updates the codec in the coming months, but I've already tried it out for a test earlier today and the initial release seems to be running just fine. You can install the codec from the Microsoft Store to be notified when new versions are out, and make sure you report any potential issues to Microsoft for more bug fixes.
