Ukrainian vulnerability researcher has found a bug that would have allowed him to download all the activation keys (also known as CD keys) made available through the Steam gaming platform, for any game, ever. From a report: Discovered by Artem Moskowsky, the bug resided in Steamworks, a platform that Valve runs to help developers with building and publishing games via its Steam gaming client. Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/. This is the API that lets game developers or affiliates retrieve CD keys made available to Steam users so their customers can activate a game installed via the Steam client. This API is accessible using a regular Steam account and takes several parameters, but the ones most relevant are appid (representing the game), keyid (representing the identifier of a set of CD keys), and keycount (representing the number of CD keys that Steam needs to return inside a CD key set).

If you're having trouble activating your Windows 10 Pro computer today, you're not alone. Forums and social media networks are getting flooded with complaints from users who say their machines have automatically become deactivated. Users say they are having trouble connecting with Microsoft's activation servers, with some saying they are being prompted to downgrade to Windows 10 Home. According to Microsoft Answers, the company is working to resolve the issue. Only users who had upgraded their computers to Windows 10 by using product keys of Windows 7 or Windows 8.1 appear to be impacted.

Emil Protalinski, writing for VentureBeat: After upgrading to Android Pie, most users have either seen a slight improvement in battery life or reported no perceivable difference. But soon after we published our story, some users told us that they are experiencing the opposite: significantly higher battery drain after upgrading to Pie. We've been tracking this issue for the past few months, during which the Pixel 3 and Pixel 3 XL launched with Android Pie out-of-the-box and new device owners reported similar problems. Some Android Pie users simply don't expect their phones to make it through the day.

Users on Reddit, the Pixel forums, and Google's issue tracker have been discussing battery life issues on existing devices after upgrading to Android Pie, and some even on new devices (although there are naturally fewer of those cases). VentureBeat was able to independently confirm the issue on a Pixel 2 XL and a Pixel 3 -- we sent the details to Google. Given that Adaptive Battery is the main feature highlight when it comes to battery improvement in Android Pie, many suspected it could be the culprit. Users have reported, however, that turning it off didn't help the situation much, if at all. We were also able to independently verify that Adaptive Battery is not the cause. Adaptive Battery is only available in Pie, but in our tests battery life only drained faster with the feature off. We did, however, confirm that the problem is unique to Android Pie. Users have reported significant battery drain when their phones are idle, anywhere between 10 percent to 20 percent drained in an hour.

With iOS 12.1, Apple introduced a bunch of new features like Group FaceTime and dozens of new emoji. But the company also elected to add a controversial new performance management feature to the iPhone 8, iPhone 8 Plus, and iPhone X. From a report: For the uninitiated, back in December 2017, Apple confirmed that it would sometimes slow down older iPhones through a software update in order to prevent unexpected shutdowns. The result was that certain models -- iPhone 6, 6 Plus, 6S, 6S Plus, 7, and 7 Plus -- would often perform poorly after being updated to the newest version of iOS. Users had long suspected Apple was throttling older iPhones, but it wasn't until Geekbench published an expose that the company publicly admitted it was, indeed, slowing down older iPhones -- albeit, for a good reason. Apple said in its explanation of the throttling issue that its goal was "to deliver the best experience for customers" and essentially argued the practice of throttling was a feature -- not a bug as it had been reported. Apple's solution was to give iPhone owners some extra control over the feature and offer a reduced cost for battery replacements.

Apple has pulled an update for its smartwatches after some owners complained the software -- watchOS 5.1 -- had caused their devices to stop working. From a report: The problem appears to have baffled the firm's repair staff, and there appears to be no way at present for owners to restore the products themselves. Several have said they have been told they need to send in the devices for a fix. Apple said it intended to release a revised update soon. Those affected reported that their watches had become stuck in a state showing the Apple logo -- but nothing else -- on their screens. One owner of a newly released Series 4 model said he had been told it would take the firm's repair staff up to a week to decide whether his device needed to be repaired or replaced.

Those of you who detest display notches will find this bug especially unpleasant. A small number of Pixel 3 XL users are reportedly experiencing a bug where an additional notch appears on the right side of the display. Android Police reports: Turns out that it's a real-life bug experienced by several users, including Jessie Burroughs, Kyle Gutschow, and UrAvgConsumer. We're not sure what's causing it, but it could be something to do with the screen rotation setting getting a bit confused about its orientation. In all three of the examples we've seen, the users reported that the issue went away after a restart or fiddling with the developer settings, so at least it's not a permanent problem. Anyone who bought a Pixel 3 XL probably decided that the notch didn't bother them that much, but we're not sure how they'd feel about another one showing up unannounced. Google is aware of this bug and says a fix is "coming soon."

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

An anonymous reader quotes a report from Bleeping Computer: Proof-of-concept code for a new zero-day vulnerability in Windows has been released by a security researcher before Microsoft was able to release a fix. The code exploits a vulnerability that allows deleting without permission any files on a machine, including system data, and it has the potential to lead to privilege escalation. The vulnerability could be used to delete application DLLs, thus forcing the programs to look for the missing libraries in other places. If the search reaches a location that grants write permission to the local user, the attacker could take advantage by providing a malicious DLL.

The problem is with Microsoft Data Sharing Service, present in Windows 10, Server 2016 and 2019 operating systems, which provides data brokering between applications. Will Dormann, a vulnerability analyst at CERT/CC, tested the exploit code successfully on a Windows 10 operating system running the latest security updates. Behind the discovery is a researcher using the online alias SandboxEscaper, also responsible for publicly sharing in late August another security bug in Windows Task Scheduler component. Microsoft hasn't addressed the issue, but there is a temporary fix available through the oPatch platform. "A micropatch candidate was ready seven hours after the zero-day vulnerability announcement, and it blocked the exploit successfully," reports Bleeping Computer. "oPatch now delivers the stable version of the micropatch for fully updated Windows 10 1803.

An anonymous reader quotes a report from Ars Technica: Google's Pixel 3 smartphone is shipping out to the masses, and people hoping to take advantage of the new Qi wireless charging capabilities have run into a big surprise. For some unexplained reason, Google is locking out third-party Qi chargers from reaching the highest charging speeds on the Pixel 3. Third-party chargers are capped to a pokey 5W charging speed. If you want 10 watts of wireless charging, Google hopes you will invest in its outrageously priced Pixel Stand, which is $79.

Android Police reports that a reader purchased an Anker wireless charger for their Pixel 3, and, after noticing the slow charging speed, this person contacted the company. Anker confirmed that something screwy was going on with Google's charging support, saying "Pixel sets a limitation for third-party charging accessories and we are afraid that even our fast wireless charger can only provide 5W for these 2x devices." Normally we would chalk this up to some kind of bug, but apparently Google told Android Police that this was on purpose. The site doesn't have a direct quote, but it writes that, after reaching out to Google PR, it was "told that the Pixel 3 would charge at 10W on the Pixel Stand [and that] due to a 'secure handshake' being established that third-party chargers would indeed be limited to 5W." In an update, Google said the reason has to do with the "proprietary wireless charging technology" it has via its Pixel Stand and other select wireless chargers. The Pixel 3 only supports 5W Qi charging; "Google's 10W proprietary wireless charging technology" is what will allow the phone to charge at faster speeds.

"Google says it is 'certifying' chargers for the Pixel 3 via the 'Made for Google' program and pointed us to one such device, a Belkin charger called the 'Boost Up Wireless Charging Pad 10W for Pixel 3 and Pixel 3 XL,'" reports Ars Technica. "Belkin's description is very enlightening, saying 'Made with the Google Pixel 3 and Pixel 3 XL in mind, this wireless charging pad uses Google's 10W proprietary wireless charging technology. It's certified for Pixel, so you know that the BOOST UP Wireless Charging pad has been made specifically for your Pixel 3 and meets Google's high product standards.'"

A bug in the Google News app for Android is reportedly causing the app to use up excessive amounts of background data, leading to overage charges. "According to dozens of posts on the Google News Help Forum, users have been experiencing this issue as early as June," reports The Verge. "The issue was verified and addressed by a Google News community manager in September, stating that the company was investigating and working toward a fix, but the issue is still ongoing." From the report: Verge reader Zach Dowdle emailed in with his experience, and screenshots of his app and Wi-Fi data usage: "The Google News app is randomly using a ridiculous amount of background data without users' knowledge. The app burned through over 12 gigs of data on my phone while I slept and my Wi-Fi had disconnected. It lead to $75 in overage charges."

According to several users, the app burned through mobile data despite having "Download via Wi-Fi" turned on in the settings. In some extreme cases, the Google News app used up to 24GB of data, leading to overage charges of up to $385, users reported. So far, the only solutions seem to be disabling background data, and deleting the app altogether.

Ever since Microsoft settled on a cadence of two feature updates a year -- one in April, one in October -- the quality of its operating system (taking into consideration the volume of bugs that emerge every few days) has deteriorated, writes Peter Bright of ArsTechnica. From the story: The problem with Windows as a Service is quality. Previous issues with the feature and security updates have already shaken confidence in Microsoft's updating policy for Windows 10. While data is notably lacking, there is at the very least a popular perception that the quality of the monthly security updates has taken a dive with Windows 10 and that installation of the twice-annual feature updates as soon as they're available is madness. These complaints are long-standing, too. The unreliable updates have been a cause for concern since shortly after Windows 10's release.

The latest problem has brought this to a head, with commentators saying that two feature updates a year is too many and Redmond should cut back to one, and that Microsoft needs to stop developing new features and just fix bugs. Some worry that the company is dangerously close to a serious loss of trust over updates, and for some Windows users, that trust may already have been broken. These are not the first calls for Microsoft to slow down with its feature updates -- there have been concerns that there's too much churn for both IT and consumer audiences alike to handle -- but with the obvious problems of the latest update, the calls take on a new urgency.

Github engineers are trying to repair the data storage system underpinning the code hosting website, which has been presenting users with a "What!?" error for much of the Sunday. From a report: Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com -- and possibly failing miserably as a result of the outage. From about 4pm US West Coast time on Sunday, the website has been stuttering and spluttering. Specifically, the site is still up and serving pages -- it's just intermittently serving out-of-date files, and ignoring submitted Gists, bug reports, and posts. Sometimes, it appears to be serving a read-only cache or older backup of itself, although some fresh code pushes are coming through onto the site. From the status page, it appears a data storage system died, forcing the platform's engineers to move the dot-com's files over to another box. In the meantime, some older versions of files and repos are being served to visitors and users. "We're continuing to work on migrating a data storage system in order to restore access to GitHub.com," the team said just after 5pm PT, adding in the past few minutes: "We are continuing to repair a data storage system for GitHub.com. You may see inconsistent results during this process."

An anonymous reader quotes Gizmodo: When it was discovered earlier this month that the 1809 build of Windows 10 was deleting user files just because, Microsoft halted the update until the problem was fixed. Shame, then, that another not-as-bad-but-still-bad file overwriting bug has now reared its head. in 1809, overwriting files by extracting from an archive using File Explorer doesn't result in an overwrite prompt dialogue and also doesn't replace any files at all; it just fails silently. There are also some reports that it did overwrite items, but did so silently without asking.
Ars Technica speculates that there's a larger program with Microsoft's testing process: [M]any of the preview builds had a bug wherein deleting a directory that was synced to OneDrive crashed the machine. Not only was this bug integrated into the Windows code, it was allowed to ship to end users. This tells us some fundamental things about how Windows is being developed. Either tests do not exist at all for this code (and I've been told that yes, it's permitted to integrate code without tests, though I would hope this isn't the norm), or test failures are being regarded as acceptable, non-blocking issues, and developers are being allowed to integrate code that they know doesn't work properly...

Microsoft's new development process has, proportionately, a greater amount of time spent writing new features, and a reduced amount of time stabilizing and fixing those features. That would be fine if the quality of the features were higher to start with, with the testing infrastructure to support it and higher standards before new code was integrated. But the experience with Windows 10 thus far is that Microsoft hasn't developed the processes and systems needed to sustain this new approach.

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

An anonymous reader quotes Martin Monperrus, a professor of software at Stockholm's KTH Royal Institute of Technology: Repairnator is a bot. It constantly monitors software bugs discovered during continuous integration of open-source software and tries to fix them automatically. If it succeeds to synthesize a valid patch, Repairnator proposes the patch to the human developers, disguised under a fake human identity. To date, Repairnator has been able to produce 5 patches that were accepted by the human developers and permanently merged in the code base...

It analyzes bugs and produces patches, in the same way as human developers involved in software maintenance activities. This idea of a program repair bot is disruptive, because today humans are responsible for fixing bugs. In others words, we are talking about a bot meant to (partially) replace human developers for tedious tasks.... [F]or a patch to be human-competitive 1) the bot has to synthesize the patch faster than the human developer 2) the patch has to be judged good-enough by the human developer and permanently merged in the code base.... We believe that Repairnator prefigures a certain future of software development, where bots and humans will smoothly collaborate and even cooperate on software artifacts.
Their fake identity was a software engineer named Luc Esape, with a profile picture that "looks like a junior developer, eager to make open-source contributions... humans tend to have a priori biases against machines, and are more tolerant to errors if the contribution comes from a human peer. In the context of program repair, this means that developers may put the bar higher on the quality of the patch, if they know that the patch comes from a bot."

The researchers proudly published the approving comments on their merged patches -- although a conundrum arose when repairnator submitted a patch for Eclipse Ditto, only to be told that "We can only accept pull-requests which come from users who signed the Eclipse Foundation Contributor License Agreement."

"We were puzzled because a bot cannot physically or morally sign a license agreement and is probably not entitled to do so. Who owns the intellectual property and responsibility of a bot contribution: the robot operator, the bot implementer or the repair algorithm designer?"

Winamp, the world's most famous media player, has released version 5.8 to make it compatible with today's modern operating systems such as Windows 8.1 and Windows 10. Bleeping Computer notes that there hasn't been a new updates released since 2014, when Radionomy purchased Winamp from AOL. Some other new features include standalone audio player support, an auto-fullscreen option for videos, updates scrollbars and buttons, and bug fixes.

From the report: Radionomy has stated that they are not stopping here and have big plans for Winamp. In an interview with TechCrunch, Radionomy CEO Alexandre Saboundjian, revealed that a massive release is planned for 2019 that aims to add cloud support for streaming music, podcasts, and more. "There will be a completely new version next year, with the legacy of Winamp but a more complete listening experience," Saboundjian stated in the interview. "You can listen to the MP3s you may have at home, but also to the cloud, to podcasts, to streaming radio stations, to a playlist you perhaps have built."

Some users on Reddit and Google's support forums are reporting an issue in which taking a photo using Google Camera occasionally fails to save. The issue appears to be widespread, "affecting original Pixel phones as well as the Pixel 2 / 2 XL," reports The Verge. From the report: The issue occurs specifically in cases when the user takes a photo with Google Camera, and switches to another app or locks the phone immediately after. Users are able to see a thumbnail of the photo in the Camera gallery circle, but upon tapping it, the photo disappears. In some occasions, the photo doesn't appear at all at first, but it will reappear in their gallery a day later.

There's also some reports of Galaxy S9, Moto Z2, Moto E4, and Nexus 5X owners experiencing the issue after using Google Camera, so it's unclear whether the issue is limited to Pixel phones or if it's connected to a larger Android bug. For now, users have come up with a workaround for an issue they believe is related to HDR photo processing time. Reddit user erbat suggests leaving the camera app open until HDR processing completes or turning off the HDR function completely.

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.

Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."