A new report from the open source security company WhiteSource asks the question, "Is one programming language more secure than the rest?"

An anonymous reader quotes TechRepublic: To answer this question, the report compiled information from WhiteSource's database, which aggregates information on open source vulnerabilities from sources including the National Vulnerability Database, security advisories, GitHub issue trackers, and popular open source projects issue trackers. Researchers focused in on open source security vulnerabilities in the seven most widely-used languages of the past 10 years to learn which are most secure, and which vulnerability types are most common in each...

The most common vulnerabilities across most of these languages are Cross-SiteScripting (XSS); Input Validation; Permissions, Privileges, and Access Control; and Information Leak / Disclosure, according to the report.
Across the seven most widely-used programming languages, here's how the vulnerabilities were distributed:

• C (47%)
• PHP (17%)
• Java (11%)
• JavaScript (10%)
• Python (5%)
• C++ (5%)
• Ruby (4%)

But the results are full of disclaimers -- for example, that C tops the list because it's the oldest language with "the highest volume of written code" and "is also one of the languages behind major infrastructure like Open SSL and the Linux kernel."

The report also notes a "substantial rise" across all languages for known open source security vulnerabilities over the last two years, attributing this to more awareness about vulnerable components -- thanks to more research, automated security tools, and "the growing investment in bug bounty programs" -- as well as the increasing popularity of open source software. And it also reports a drop in the percentage of critical vulnerabilities for most languages -- except JavaScript and PHP.

The report then concludes that "the Winner Of Most Secure Programming Language is...no one and everyone...! It is not about the language itself that makes it any more or less secure, but how you use it. If you are mitigating your vulnerabilities throughout the software development lifecycle with the proper management approach, then you are far more likely to stay secure."

Coincidentally, WhiteSource sells software which monitors open source components throughout the software development lifecycle to provide alerts about security (and licensing) issues.

A research duo who hacked a Tesla were the big winners at the annual Pwn2Own white hat security contest, reports ZDNet. "The duo earned $375,000 in prize money, of the total of $545,000 awarded during the whole three-day competition... They also get to keep the car." Team Fluoroacetate -- made up of Amat Cama and Richard Zhu -- hacked the Tesla car via its browser. They used a JIT bug in the browser renderer process to execute code on the car's firmware and show a message on its entertainment system... Besides keeping the car, they also received a $35,000 reward. "In the coming days we will release a software update that addresses this research," a Tesla spokesperson told ZDNet today in regards to the Pwn2Own vulnerability.

Not coincidentally, Team Fluoroacetate also won the three-day contest after earning 36 "Master of Pwn" points for successful exploits in Apple Safari, Firefox, Microsoft Edge, VMware Workstation, and Windows 10... [R]esearchers also exploited vulnerabilities in Apple Safari, Microsoft Edge, VMware Workstation, Oracle Virtualbox, and Windows 10.

After being delayed for the better part of one month, LLVM 8.0 officially is finally available. From a report: LLVM release manager Hans Wennborg announced the release a few minutes ago and summed up this half-year update to LLVM and its sub-project as: "speculative load hardening, concurrent compilation in the ORC JIT API, no longer experimental WebAssembly target, a Clang option to initialize automatic variables, improved pre-compiled header support in clang-cl, the /Zc:dllexportInlines- flag, RISC-V support in lld. And as usual, many bug fixes, optimization and diagnostics improvements, etc."

Google researcher James Forshaw discovered a new class of vulnerability in Windows before any bug had actually been exploited. The involved parts of the flaw "showed that there were all the basic elements to create a significant elevation of privilege attack, enabling any user program to open any file on the system, regardless of whether the user should have permission to do so," reports Ars Technica. Thankfully, Microsoft said that the flaw was never actually exposed in any public versions of Windows, but said that it will ensure future releases of Windows will not feature this class of elevation of privilege. Peter Bright explains in detail how the flaw works. Here's an excerpt from his report: The basic rule is simple enough: when a request to open a file is being made from user mode, the system should check that the user running the application that's trying to open the file has permission to access the file. The system does this by examining the file's access control list (ACL) and comparing it to the user's user ID and group memberships. However, if the request is being made from kernel mode, the permissions checks should be skipped. That's because the kernel in general needs free and unfettered access to every file. As well as this security check, there's a second distinction made: calls from user mode require strict parameter validation to ensure that any memory addresses being passed in to the function represent user memory rather than kernel memory. Calls from kernel mode don't need that same strict validation, since they're allowed to use kernel memory addresses.

Accordingly, the kernel API used for opening files in NT's I/O Manager component looks to see if the caller is calling from user mode or kernel mode. Then the API passes this information on to the next layer of the system: the Object Manager, which examines the file name and figures out whether it corresponds to a local filesystem, a network filesystem, or somewhere else. The Object manager then calls back in to the I/O Manager, directing the file-open request to the specific driver that can handle it. Throughout this, the indication of the original source of the request -- kernel or user mode -- is preserved and passed around. If the call comes from user mode, each component should perform strict validation of parameters and a full access check; if it comes from kernel mode, these should be skipped. Unfortunately, this basic rule isn't enough to handle every situation. For various reasons, Windows allows exceptions to the basic user-mode/kernel-mode split. Both kinds of exceptions are allowed: kernel code can force drivers to perform a permissions check even if the attempt to open the file originated from kernel mode, and contrarily, kernel code can tell drivers to skip the parameter check even if the attempt to open the file appeared to originate from user mode. This behavior is controlled through additional parameters passed among the various kernel functions and into filesystem drivers: there's the basic user-or-kernel mode parameter, along with a flag to force the permissions check and another flag to skip the parameter validation...

"Last month it was discovered that WinRAR, software used to open .zip archive files, has been vulnerable for the last 19 years to a bug that's easily exploited by hackers and malware distributors," writes SlashGear. A Slashdot reader quotes their report: Check Point, the security researchers that revealed the WinRAR bug, explain that the software is exploited by giving malicious files a RAR extension, so that when opened they can automatically extract malware programs. These programs are installed in a PC's startup folder, allowing them to start running anytime the computer is turned on, all without the user's knowledge.

Once the bug was disclosed, however, hacker groups really began using it to their advantage, with various nations becoming the target of state-backed cyber-espionage campaigns attempting to collect intelligence. The latest comes from McAfee, the software security firm, which notes that it has identified over 100 unique exploits that use the WinRAR bug, most of them targeting the U.S.
WinRar 5.70, released in late January, patches the behavior, but "it must be manually downloaded and installed from the website, leaving most users unaware of the critical update," the article warns.

It also estimates that during the last 19 years WinRar has been downloaded over 500 million times.

Microsoft is reportedly working on a new functionality that will automatically remove botched updates from Windows 10 to fix startup issues and other bugs preventing the PC from booting. "The support document was quietly published a couple of hours ago and for some reasons, Microsoft has also blocked the search engines from crawling or indexing the page," reports Windows Latest. "In the document, Microsoft explains that Windows may automatically install updates in order to keep your device secure and smooth." From the report: Due to various reasons, including software and driver compatibility issues, Windows Updates are vulnerable to mistakes and hardware errors. In some cases, Windows Update may fail to install. After installing a recent update, if your PC experience startup failures and automatic recovery attempts are unsuccessful, Windows may try to resolve the failure by uninstalling recently installed updates. In this case, users may receive a notification with the following message: "We removed some recently installed updates to recover your device from a startup failure."

Microsoft says that Windows will also automatically block the problematic updates from installing automatically for the next 30 days. During these 30 days, Microsoft and its partners will investigate the failure and attempt to fix the issues. When the issues are fixed, Windows will again try to install the updates. Users still have the freedom to reinstall the updates. If you believe that the update should not be removed, you can manually reinstall the driver or quality updates which were uninstalled earlier.

Michael Stapelberg, maintains "a bunch" of Debian packages and services, and says the free software Linux distro "has been in my life for well over 10 years at this point."

Today he released a 2,255-word essay explaining why he's "winding down" his involvement in Debian to a minimum, citing numerous complaints including Debian's complicated build stack, waits of up to seven hours before package uploads can be installed, leading to "asynchronous" feedback -- and Debian's lack of tooling for large changes.
The closest to "sending out a change for review" is to open a bug report with an attached patch... Culturally, reviews and reactions are slow. There are no deadlines. I literally sometimes get emails notifying me that a patch I sent out a few years ago (!!) is now merged. This turns projects from a small number of weeks into many years, which is a huge demotivator for me.

Interestingly enough, you can see artifacts of the slow online activity manifest itself in the offline culture as well: I don't want to be discussing systemd's merits 10 years after I first heard about it.

Lastly, changes can easily be slowed down significantly by holdouts who refuse to collaborate. My canonical example for this is rsync, whose maintainer refused my patches to make the package use debhelper purely out of personal preference. Granting so much personal freedom to individual maintainers prevents us as a project from raising the abstraction level for building Debian packages, which in turn makes tooling harder.
There's also several complaints about old infrastructure -- for example, "I dread interacting with the Debian bug tracker. debbugs is a piece of software (from 1994) which is only used by Debian and the GNU project these days." Stapelberg also complains that the "painful" experience of developing using Debian "leaves a lot to be desired," and adds that "It baffles me that in 2019, we still don't have a conveniently browsable threaded archive of mailing list discussions."

"My frustration level ultimately exceeded the threshold," Stapelberg writes in the essay, adding "I hope this post inspires someone, ideally a group of people, to improve the developer experience within Debian." He'll soon transition packages to be team-maintained "where it makes sense," but also "orphan packages where I am the sole maintainer... For all intents and purposes, please treat me as permanently on vacation..."

"I will try to keep up best-effort maintenance of the manpages.debian.org service and the codesearch.debian.net service, but any help would be much appreciated."

"Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine," reports CNET: The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found in alarm systems made by Viper [known as Clifford in the U.K.] and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands...

Both apps' API didn't properly authenticate for update requests, including requests to change the password or email address. Ken Munro, founder of Pen Test Partners, said that all his team needed to do was send the request to a specific host URL and they were able to change an account's password and email address without notifying the victim that anything happened. Once they had access to the account, the researchers had full control of the smart car alarm. This allowed them to learn where a car was and unlock it. You don't have to be near the car to do this, and the accounts can be taken over remotely, Munro said. Potential attackers could also use the apps' API to target specific types of cars, the security researcher added...

Pandora's alarm system also contained a microphone that would've allowed potential hackers to listen in on live audio, the security company found.
Both companies fixed the issue in less than a week, CNET reports, possibly due to the seriousness of the issue. In a video demonstrating the severity of the bug, security researcher Munro even uses the driver's app to set off a car's alarms remotely. When that driver began pulling over, Munro then used the app to cut off the car's engine. "So simple, so serious," he said.

ZDNet notes that one of the companies had been advertising their "smart" alarms as "unhackable".

Google's bug-hunting researchers known as Project Zero have revealed a fresh zero-day vulnerability in macOS called "BuggyCow." "The attack takes advantage of an obscure oversight in Apple's protections on its machines' memory to enable so-called privilege escalation, allowing a piece of malware with limited privileges to, in some cases, pierce into deeper, far more trusted parts of a victim's Mac," reports Wired. "The trick's name is based on a loophole the hackers found in the so-called copy-on-write, or CoW, protection built into how MacOS manages a computer's memory." From the report: Some programs, when dealing with large quantities of data, use an efficiency trick that leaves data on a computer's hard drive rather than potentially clog up resources by pulling it into memory. That data, like any data in a computer's memory, can sometimes be used by multiple processes at once. The MacOS memory manager keeps a map of its physical location to help coordinate, but if one of those processes tries to change the data, the memory manager's copy-on-write safeguard requires it to make its own copy. Which is to say, a program can't simply change the data shared by all the other processes -- some of which could be more highly privileged, sensitive programs than the one requesting the change.

Google's BuggyCow trick, however, takes advantage of the fact that when a program mounts a new file system on a hard drive -- basically loading a whole collection of files rather than altering just one -- the memory manager isn't warned. So a hacker can unmount a file system, remount it with new data, and in doing so silently replace the information that some sensitive, highly privileged code is using. Technically, as a zero-day vulnerability with no patch in sight, BuggyCow applies to anyone with an Apple laptop or desktop. But given the technical skill and access needed to pull it off, you shouldn't lose much sleep over it. To even start carrying out this Rube Goldberg -- style attack, a hacker would need a victim to already have some form of malware running on their computer. And while BuggyCow would allow that malware to potentially mess with the inner workings of higher-privileged parts of the computer, it could do so only if it found a highly privileged program that kept its sensitive data on the hard drive rather than memory. Project Zero says it warned Apple about BuggyCow back in November, but Apple hadn't acted to patch it ahead of last week's public reveal.

Exploit vendor Zerodium said today it would pay up to $500,000 for zero-days in popular cloud products and services such as Microsoft's Hyper-V and (Dell) VMware's vSphere. From a report: Both Hyper-V and vSphere are what experts call virtualization software, also called hypervisors -- software that lets a single "host" server create and run one or more virtual "guest" operating systems. Virtualization software is often found in cloud-powered data centers. Hyper-V is the technology at the core of Microsoft's Azure cloud computing platform, while VMware's vSphere is used by Amazon Web Services and SAP.

With cloud services growing in adoption, especially for hosting websites and crucial IT infrastructure, the importance of both technologies has been slowly increasing in recent years. This paradigm shift hasn't gone unnoticed in the exploit market, where Zerodium -- a Washington, DC-based exploit vendor -- is by far the leading company. In a tweet earlier today, Zerodium announced plans to pay up to $500,000 for fully-working zero-days in Hyper-V and vSphere that would allow an attacker to escape from the virtualized guest operating system to the host server's OS.

Over the weekend, a disturbed Android TV owner took to Twitter when he realized, through the Google Home app, he could access a massive list of random accounts, as well as photos they'd added to their Google Photos albums. From a report: If someone were to click on "linked accounts" while setting your Google Photos screensaver, the Google Home bug apparently showed a giant, scrolling list of users. From there, the bug allowed limited access to users' personal images in Google Photos, which could then be displayed as Ambient Mode screensavers. That is, someone could have theoretically displayed your photos as screensavers on their Android TV without you knowing it. The user who discovered this bug theorized that the list of accounts were other users with the same TV model, but that hasn't been confirmed yet. There's no answer yet on where this bug came from, but Google is working on a fix and has disabled Google Photos screensavers in the meantime.

An anonymous reader quotes a report from Quartz: Riders in Switzerland and New Zealand have reported the front wheels of their electric scooters locking suddenly mid-ride, hurling riders to the ground. The malfunction has resulted in dozens of injuries ranging from bruises to broken jaws. Lime pulled all its scooters from Swiss streets in January when reports of the incidents surfaced there. When the city of Auckland, New Zealand voted to suspend the company earlier this week following 155 reported cases of sudden braking, the company acknowledged that a software glitch was causing the chaos. The company claims that fewer than 0.0045% of all rides worldwide have been affected, adding that "any injury is one too many." An initial fix reduced the number of incidents, it said, and a final update underway on all scooters will soon be complete. "Recently we detected a bug in the firmware of our scooter fleet that under rare circumstances could cause sudden excessive braking during use," Lime wrote in a blog post Saturday. "[I]n very rare cases -- usually riding downhill at top speed while hitting a pothole or other obstacle -- excessive brake force on the front wheel can occur, resulting in a scooter stopping unexpectedly."

An anonymous reader quotes a report from Motherboard: Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard. [...] It isn't just outside attackers that are a concern; the system raises the possibility for an insider to intentionally misconfigure the system to make it easier to manipulate, while maintaining plausible deniability that the misconfiguration was unintentional. "Someone could wire the thing in the wrong place and suddenly the system is compromised," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make." "You expect secure code to be defensively written that would prevent the implementers of the code from wiring it up incorrectly," Lewis told Motherboard. But instead of building a system that doesn't allow for this, the programmers simply added a comment to their source code telling anyone who compiles and implements it to take care to configure it properly, she said.

The online voting system was developed by Swiss Post, the country's national postal service, and the Barcelona-based company Scytl. "Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt," reports Motherboard. "But there are reasons to be concerned about such claims."

A group of researchers say that it will be difficult to avoid Spectre bugs in the future unless CPUs are dramatically overhauled. From a report: Google researchers say that software alone is not enough to prevent the exploitation of the Spectre flaws present in a variety of CPUs. The team of researchers -- including Ross McIlroy, Jaroslav Sevcik, Tobias Tebbi, Ben L Titzer and Toon Verwaest -- work on Chrome's V8 JavaScript engine. The researchers presented their findings in a paper distributed through ArXiv and came to the conclusion that all processors that perform speculative execution will always remain susceptible to various side-channel attacks, despite mitigations that may be discovered in future.

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

An anonymous reader writes: Apple's new Mac products might have a serious audio glitch for professional users. The company's newest Mac products with its T2 security chip suffer from a software-related bug that leads to issues with audio performance. The issue seemingly affects devices with the T2 chip -- that includes the iMac Pro, Mac Mini 2018, MacBook Air 2018, and MacBook Pro 2018. Although Apple's T2 chip is designed to offer improved security, it's affecting users in the pro audio industry.

As CDM reports, there is a bug in macOS that leads to dropouts and glitches in audio whenever a Mac automatically updates its system clock through the system time daemon. Users have been reporting the issue across a bunch of different pro audio forums for months, and it seems like the issue has never been acknowledged by Cupertino. The issue here is pretty simple to understand, as explained by a DJ software developer on Reddit: whenever the system time daemon automatically updates the system time, it somehow sends a 'pause-audio-engine' message to the kernel, leading to dropouts and glitches in audio.

An excerpt from a report, which looks at the complicated business of funding open source software development: On the surface, the open source software community has never been better. Companies and governments are adopting open source software at rates that would've been unfathomable 20 years ago, and a whole new generation of programmers are cutting their teeth on developing software in plain sight and making it freely available for anyone to use. Go a little deeper, however, and the cracks start to show. The ascendancy of open source has placed a mounting burden on the maintainers of popular software, who now handle more bug reports, feature requests, code reviews, and code commits than ever before.

At the same time, open source developers must also deal with an influx of corporate users who are unfamiliar with community norms when it comes to producing and consuming open source software. This leads to developer burnout and a growing feeling of resentment toward the companies that rely on free labor to produce software that is folded into products and sold back to consumers for huge profits. From this perspective, Heartbleed wasn't an isolated example of developer burnout and lack of funding, but an outgrowth of a systemic disease that had been festering in the open source software community for years. Identifying the symptoms and causes of this disease was the easy part; finding a cure is more difficult. Further reading: How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?

An anonymous reader quotes a report from TechCrunch: Twitter retains direct messages for years, including messages you and others have deleted, but also data sent to and from accounts that have been deactivated and suspended, according to security researcher Karan Saini. Saini found years-old messages in a file from an archive of his data obtained through the website from accounts that were no longer on Twitter. He also reported a similar bug, found a year earlier but not disclosed until now, that allowed him to use a since-deprecated API to retrieve direct messages even after a message was deleted from both the sender and the recipient -- though, the bug wasn't able to retrieve messages from suspended accounts.

Direct messages once let users "unsend" messages from someone else's inbox, simply by deleting it from their own. Twitter changed this years ago, and now only allows a user to delete messages from their account. "Others in the conversation will still be able to see direct messages or conversations that you have deleted," Twitter says in a help page. Twitter also says in its privacy policy that anyone wanting to leave the service can have their account "deactivated and then deleted." After a 30-day grace period, the account disappears, along with its data. But, in our tests, we could recover direct messages from years ago -- including old messages that had since been lost to suspended or deleted accounts. By downloading your account's data, it's possible to download all of the data Twitter stores on you. A Twitter spokesperson said the company was "looking into this further to ensure we have considered the entire scope of the issue."

The Swiss government is offering bug bounties of up to CHF 50,000 (around $50,000) to anyone who can expose vulnerabilities in its internet-based e-voting system in a test later this month. From a report: In total, 150,000 CHF (around $150,000) will be up for grabs for any white hat hackers who register for the "Public Intrusion Test" (PIT). The Swiss Post system will be open for a dummy election between February 24th and March 24th, the length of a typical Swiss federal vote, during which time any registered "white hat" hackers will be free to discover and report vulnerabilities.

This PIT comes as the Swiss government is planning to expand its e-voting capabilities by October 2019 to two thirds of the 26 cantons that make up the Swiss Confederation. The country has conducted more than 300 trials of e-voting systems over the past 14 years, but current rules limit the amount of electronic votes to 10 percent of the total for referendums and 30 percent for constitutional amendments. However, the expansion plans have been met by opposition by politicians who claim current e-voting systems are insecure, expensive, and prone to manipulation.

Video game publisher Ubisoft is working with Mozilla to develop an AI coding assistant called Clever-Commit, head of Ubisoft La Forge Yves Jacquier announced during DICE Summit 2019 on Tuesday. From a report: Clever-Commit reportedly helps programmers evaluate whether or not a code change will introduce a new bug by learning from past bugs and fixes. The prototype, called Commit-Assistant, was tested using data collected during game development, Ubisoft said, and it's already contributing to some major AAA titles. The publisher is also working on integrating it into other brands. "Working with Mozilla on Clever-Commit allows us to support other programming languages and increase the overall performances of the technology. Using this tech in our games and Firefox will allow developers to be more productive as they can spend more time creating the next feature rather than fixing bugs. Ultimately, this will allow us to create even better experiences for our gamers and increase the frequency of our game updates," said Mathieu Nayrolles, technical architect, data scientist, and member of the Technological Group at Ubisoft Montreal.