Apple today pushed software updates for a range of its computing platforms. They are all minor releases that simply offer a few bug fixes and security updates, with no new features -- and there are no new features in any of the beta releases for these versions of the operating systems, either. From a report: iOS 12.1.3 fixes a scrolling bug in Messages, an iPad Pro-specific audio bug, and a graphical error in some photos, and it addresses some CarPlay disconnects experienced by owners of the three new iPhone models released in late 2018. It also fixes two minor bugs related to the company's HomePod smart speaker.

Many organizations may find they're better off hiring pen testers and in-house security researchers directly than running bug bounty programs, according to new MIT research. From a report: The New Solutions for Cybersecurity paper features a surprising analysis of bug bounty programs in the chapter, Fixing a Hole: The Labor Market for Bugs. It studied 61 HackerOne bounty programs over 23 months -- including those run for Twitter, Coinbase, Square and other big names -- and one Facebook program over 45 months. It claimed that, contrary to industry hype, organizations running these programs don't benefit from a large pool of white hats probing their products. Instead, an elite few produce the biggest volume and highest quality of bug reports across multiple products, earning the biggest slice of available rewards. It's also claimed that even these elite "top 1%" ethical hackers can't make a decent wage by Western standards.

Embedi security researcher Denis Selianin has discovered a vulnerability affecting the firmware of a popular Wi-Fi chipset deployed in a wide range of devices, such as laptops, smartphones, gaming rigs, routers, and Internet of Things (IoT) devices. According to Selianin, the vulnerability impacts ThreadX, a real-time operating system that is used as firmware for billions of devices. ZDNet reports: In a report published today, Selianin described how someone could exploit the ThreadX firmware installed on a Marvell Avastar 88W8897 wireless chipset to execute malicious code without any user interaction. The researcher chose this WiFi SoC (system-on-a-chip) because this is one of the most popular WiFi chipsets on the market, being deployed with devices such as Sony PlayStation 4, Xbox One, Microsoft Surface laptops, Samsung Chromebooks, Samsung Galaxy J1 smartphones, and Valve SteamLink cast devices, just to name a few.

"I've managed to identify ~4 total memory corruption issues in some parts of the firmware," said Selianin. "One of the discovered vulnerabilities was a special case of ThreadX block pool overflow. This vulnerability can be triggered without user interaction during the scanning for available networks." The researcher says the firmware function to scan for new WiFi networks launches automatically every five minutes, making exploitation trivial. All an attacker has to do is send malformed WiFi packets to any device with a Marvell Avastar WiFi chipset and wait until the function launches, to execute malicious code and take over the device. Selianin says he also "identified two methods of exploiting this technique, one that is specific to Marvell's own implementation of the ThreadX firmware, and one that is generic and can be applied to any ThreadX-based firmware, which, according to the ThreatX homepage, could impact as much as 6.2 billion devices," the report says. Patches are reportedly being worked on.

Kevin C. Tofel, writing for About Chromebooks: I've been following the bug report that tracks progress on adding GPU acceleration for the Linux container in Chrome OS and there's good news today. The first two Chrome OS boards should now, or very soon, be able to try GPU hardware acceleration with the new startup parameter found last month. The bug report says the -enable-gpu argument was added to the Eve and Nami boards.

There's only one Eve and that's the Pixelbook. Nami is used on a number of newer devices, including: Dell Inspiron 14, Lenovo Yoga Chromebook C630, Acer Chromebook 13, Acer Chromebook Spin 13, and HP X360 Chromebook 14.

Twitter disclosed on its Help Center page today that some Android users had their private tweets revealed for years due to a security flaw. "The issue caused the Twitter for Android app to disable the 'Protect your Tweets' setting for some Android users who made changes to their account settings, such as changing the email address associated with their account, between November 3rd, 2014 and January 14th, 2019," reports The Verge. From the report: Though the company says the issue was fixed earlier this week and that iOS or web users weren't affected, it doesn't yet know how many Android accounts were affected. Twitter says it's reached out to affected users and turned the setting back on for them, but it still recommends that users review their privacy settings to make sure it reflects their desired preferences.

Researchers at cybersecurity firm Check Point say three vulnerabilities chained together could have allowed hackers to take control of any of Fortnite's 200 million players. "The flaws, if exploited, would have stolen the account access token set on the gamer's device once they entered their password," reports TechCrunch. "Once stolen, that token could be used to impersonate the gamer and log in as if they were the account holder, without needing their password." From the report: The researchers say that the flaw lies in how Epic Games, the maker of Fortnite, handles login requests. Researchers said they could send any user a crafted link that appears to come from Epic Games' own domain and steal an access token needed to break into an account.

Here's how it works: The user clicks on a link, which points to an epicgames.com subdomain, which the hacker embeds a link to malicious code on their own server by exploiting a cross-site weakness in the subdomain. Once the malicious script loads, unbeknownst to the Fortnite player, it steals their account token and sends it back to the hacker. "If the victim user is not logged into the game, he or she would have to log in first," a researcher said. "Once that person is logged in, the account can be stolen." Epic Games has since fixed the vulnerability.

An anonymous reader quotes a report from The Guardian: Scientist Brad Lister returned to Puerto Rican rainforest after 35 years to find 98% of ground insects had vanished. His return to the Luquillo rainforest in Puerto Rico after 35 years was to reveal an appalling discovery. The insect population that once provided plentiful food for birds throughout the mountainous national park had collapsed. On the ground, 98% had gone. Up in the leafy canopy, 80% had vanished. The most likely culprit by far is global warming. "It was just astonishing," Lister said. "Before, both the sticky ground plates and canopy plates would be covered with insects. You'd be there for hours picking them off the plates at night. But now the plates would come down after 12 hours in the tropical forest with a couple of lonely insects trapped or none at all."

"We are essentially destroying the very life support systems that allow us to sustain our existence on the planet, along with all the other life on the planet," Lister said. "It is just horrifying to watch us decimate the natural world like this." Lister calls these impacts a "bottom-up trophic cascade", in which the knock-on effects of the insect collapse surge up through the food chain. "I don't think most people have a systems view of the natural world," he said. "But it's all connected and when the invertebrates are declining the entire food web is going to suffer and degrade. It is a system-wide effect." To understand the global scale of an insect collapse that has so far only been glimpsed, Lister says, there is an urgent need for much more research in many more habitats. "More data, that is my mantra," he said.

The Model 3 will be entered into Pwn2Own this year, the first time a car has been included in the annual high-profile hacking contest. The prize for the winning security researchers: a Model 3. TechCrunch reports: Pwn2Own, which is in its 12th year and run by Trend Micro's Zero Day Initiative, is known as one of the industry's toughest hacking contests. ZDI has awarded more than $4 million over the lifetime of the program. Pwn2Own's spring vulnerability research competition, Pwn2Own Vancouver, will be held March 20 to 22 and will feature five categories, including web browsers, virtualization software, enterprise applications, server-side software and the new automotive category. The targets, chosen by ZDI, include software products from Apple, Google, Microsoft, Mozilla, Oracle and VMware. And, of course, Tesla . Pwn2Own is run in conjunction with the CanSec West conference. There will be "more than $900,000 worth of prizes available for attacks that subvert a variety of [the Model 3's] onboard systems," reports Ars Technica. "The biggest prize will be $250,000 for hacks that execute code on the car's getaway, autopilot, or VCSEC."

"A gateway is the central hub that interconnects the car's powertrain, chassis, and other components and processes the data they send. The autopilot is a driver assistant feature that helps control lane changing, parking, and other driving functions. Short for Vehicle Controller Secondary, VCSEC is responsible for security functions, including the alarm."

Mozilla will take the next major step in disabling support for the Adobe Flash plugin later this year when it releases Firefox 69. From a report: Firefox 69 will be Mozilla's third last step to completely dropping support for the historically buggy plugin, which will reach end of life on December 31, 2020. Flash is the last remaining NPAPI plugin that Firefox supports. Mozilla flagged the change, spotted by Ghacks, in a new bug report that notes "we'll disable Flash by default in Nightly 69 and let that roll out". Firefox 69 stable will be released in early September, according to Mozilla's release calendar.

secwatcher quotes a report from Threatpost: Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. The proof-of-concept hack does not impact production Docker instances, according to CyberArk researchers that developed the proof-of-concept attack. "The team was able to escape the container and run code remotely right on the host, which has obvious security implications," wrote researchers in a technical write-up posted Monday.

Play-with-Docker is an open source free in-browser online playground designed to help developers learn how to use containers. While Play-with-Docker has the support of Docker, it was not created by nor is it maintained by the firm. The environment approximates having the Alpine Linux Virtual Machine in browser, allowing users to build and run Docker containers in various configurations. The vulnerability was reported to the developers of the platform on November 6. On January 7, the bug was patched. As for how many instances of Play-with-Docker may have been affected, "CyberArk estimated there were as many as 200 instances of containers running on the platform it analyzed," reports Threatpost. "It also estimates the domain receives 100,000 monthly site visitors."

A security researcher has found, reported and now disclosed a dozen bugs that made it easy to steal sensitive information or take over any customer's account from some of the largest web hosting companies on the internet. From a news report: In some cases, clicking on a simple link would have been enough for Paulos Yibelo, a well-known and respected bug hunter, to take over the accounts of anyone using five large hosting providers -- Bluehost, DreamHost, Hostgator, OVH and iPage. "All five had at least one serious vulnerability allowing a user account hijack," he told TechCrunch, with which he shared his findings before going public. The results of his vulnerability testing likely wouldn't fill customers with much confidence. The bugs, now fixed -- according to Yibelo's writeup -- represent cases of aging infrastructure, complicated and sprawling web-based back-end systems and companies each with a massive user base -- with the potential to go easily wrong. In all, the bugs could have been used to target any number of the collective two million domains under Endurance-owned Bluehost, Hostgator and iPage, DreamHost's one million domains and OVH's four million domains -- totaling some seven million domains.

According to a report from HackenProof, a database containing resumes of over 200 million job seekers in China was exposed last month. "The leaked info included not just the name and working experience of people, but also their mobile phone number, email, marriage status, children, politics, height, weight, driver license, and literacy level as well," reports The Next Web. From the report: Bob Diachenko, Director of Cyber Risk Research at Hacken.io and bug bounty platform HackenProof, found an unprotected instance of MongoDB containing these resumes on December 28. Diachenko found the resumes in the open database search engines Shodan and BinaryEdge. The 854GB database didn't have any password protection and was open to anyone to read.

Diachenko wasn't able to identify who generated the database or who owned it, but a now-defunct GitHub code repository featured a code that used an identical data structure to the leaked database. The database contained scraped data from multiple Chinese classified websites like bj.58.com. However, in a blog post, the website's spokesperson denied the leak. Interestingly, the database was taken down as soon as Diachenko posted about the database on Twitter. Sadly, the MongoDB log showed at least a dozen IP addresses that read the instance before it went off the grid.

In the next major release of Windows 10, Microsoft will reserve 7GB of your device's storage to resolve a Windows 10 bug thrown up by Windows Update not checking whether a PC has enough storage space before launching after big updates. From a report: As Microsoft warned ahead of the Windows 10 October 2018 Update, systems that don't have enough space to install Microsoft's 'quality updates' or new versions of the OS will see an error message explaining there is insufficient storage space. That happens because Windows doesn't check if a device has enough space before initializing. Microsoft's current solution is for users to manually delete unnecessary temporary files and temporarily move important files like photos and videos to external storage devices to make enough space for the update. This problem is more acute for devices with little storage capacity, such as many of the cheap 32GB flash-drive PCs on the market today.

An anonymous reader quotes a report from USA Today: The number of monarch butterflies turning up at California's overwintering sites has dropped by about 86 percent compared to only a year ago, according to the Xerces Society, which organizes a yearly count of the iconic creatures. That's bad news for a species whose numbers have already declined an estimated 97 percent since the 1980s. Each year, monarchs in the western United States migrate from inland areas to California's coastline to spend the winter, usually between September and February. Results from the count so far show that the number of monarchs at 97 California overwintering sites has dropped from around 148,000 in 2017 to just over 20,400 this year. Counts for dozens of other sites are still being tabulated, but the outlook is troubling.

What's causing the dramatic drop-off is somewhat of a mystery. Experts believe the decline is spurred by a confluence of unfortunate factors, including late rainy-season storms across California last March, the effects of the state's yearslong drought and the seemingly relentless onslaught of wildfires that have burned acres upon acres of habitat and at times choked the air with toxic smoke. The Thomas Fire last year burned almost 300,000 acres, including areas important for monarch breeding and migration. More recently, the Woolsey Fire damaged at least four monarch butterfly overwintering sites in the Malibu area, according to Lara Drizd, a wildlife biologist with the U.S. Fish and Wildlife Service in Ventura.

An anonymous reader shares a report: Chrome OS was originally a laptop platform, but slowly it's being reworked for tablet form factors. However, as that goes on, there have been some hiccups. Most recently, many have noted the poor performance of tablet mode especially on Chrome OS products like the Pixel Slate, but it seems a fix for that lag is incoming. If you tuned into any hands-on or review coverage of Google's Pixel Slate, you're likely familiar with the performance issues many have described. In tablet mode, Chrome OS has a lot of issues with lag. This is especially evident in the multitasking screen, and it seems that is the first thing Google is looking at to fix these problems. ChromeUnboxed notes a recent bug tracker which reveals how Google plans to start fixing Chrome OS tablet mode lag in the multitasking screen. Somewhat hilariously, it seems a big reason for the poor frame rates in the animations on this screen actually comes down to how the OS renders the rounded corners on this screen.

Julia Reda is a member of Germany's Pirate Party, a member of the European Parliament, and the Vice-President of The Greens-European Free Alliance.

Thursday her official web site announced: In 2014, security vulnerabilities were found in important Free Software projects. One of the issues was found in the Open Source encryption library OpenSSL.... The issue made lots of people realise how important Free and Open Source Software is for the integrity and reliability of the Internet and other infrastructure.... That is why my colleague Max Andersson and I started the Free and Open Source Software Audit project: FOSSA... In 2017, the project was extended for three more years. This time, we decided to go one step further and added the carrying out of Bug Bounties on important Free Software projects to the list of measures we wanted to put in place to increase the security of Free and Open Source Software...

In January the European Commission is launching 14 out of a total of 15 bug bounties on Free Software projects that the EU institutions rely on.
The bounties start at 25.000,00 € -- about $29,000 USD -- rising as high as 90.000,00 € ($103,000). "The amount of the bounty depends on the severity of the issue uncovered and the relative importance of the software," Reda writes.

Click through for a list of the software projects for which bug bounties will be offered.

The developer of the popular image editing tool Paint.NET, Rick Brewster, has shared his vision of what the coming year holds for his software. The 2019 roadmap for Paint.NET is an exciting one, promising migration to .NET Core, support for brushes and pressure sensitivity, and an expanded plugin system. BetaNews: Changes are on the cards for app icons and improved high-DPI support -- something that may be seen as mere aesthetic by some, but important changes by others. Switching to .NET Core could have big implications for the software, as Brewter explains: "It's clear that, in the long-term, Paint.NET needs to migrate over to .NET Core. That's where all of the improvements and bug fixes are being made, and it's obvious that the .NET Framework is now in maintenance mode. On the engineering side this is mostly a packaging and deployment puzzle of balancing download size amongst several other variables. My initial estimations shows that the download size for Paint.NET could balloon from ~7.5MB (today) to north of 40MB if .NET Core is packaged 'locally'. That's a big sticker shock... but it may just be necessary."

And, for those who're interested: the move to .NET Core will finally enable a truly portable version of Paint.NET since. Proposals for better DDS support and brushes and pressure sensitivity will be welcomed by digital artists, and there can be few users who are not excited at the prospect of an expanded plugin system.

DarkRookie2 shares a report from Ars Technica: Many users of Logitech's Harmony Hub smart home hub and remote were recently met with a nasty surprise. The device's latest firmware update, version 4.15.206, reportedly cuts off local access for Harmony Hubs. As a result, many users who created home automation and smart home systems using third-party APIs haven't been able to control many, and in some cases, all of their connected IoT devices. Logitech began pushing out firmware update 4.15.206 last week, its release notes stating that it addresses security and bug fixes. Users immediately flocked to Logitech's community forms to complain once they realized the systems they built up to control their smart home devices essentially became unresponsive. Users with Homeseer and Home Assistant APIs have reported parts of their systems broken, preventing them from controlling things like smart TVs, sound systems, and more using the Harmony Hub and its remote. In a statement to Ars, a Logitech representative confirmed that local access was removed in the latest Harmony Hub firmware update for security reasons: "The XMPP interface was used as part of the setup process and was pointed out as an insecure communication. We removed that interface as part of an effort to make to improve the Hub security. That interface was never designed to be used by third parties. The reason for the firmware update was to make the Harmony Hub more secure, therefore we do not have an official downgrade option. We recommend that users do not try to prevent the automatic firmware update process. We update the firmware as security issues are discovered, so users preventing the automatic firmware update process would not benefit from these future fixes."

Earlier this week, a former Microsoft Edge intern alleged that Google deliberately introduced bogus changes to YouTube to break the functionality of the video portal when users on Edge and other browsers tried to access the website. Google today denied the allegation. From a report: Google disputes Bakita's claims, and says the YouTube blank div was merely a bug that was fixed after it was reported. "YouTube does not add code designed to defeat optimizations in other browsers, and works quickly to fix bugs when they're discovered," says a YouTube spokesperson in a statement to The Verge. "We regularly engage with other browser vendors through standards bodies, the Web Platform Tests project, the open-source Chromium project and more to improve browser interoperability." In a statement, Microsoft said, "Google has been a helpful partner and we look forward to the journey as we work on the future of Microsoft Edge."

An anonymous reader quotes a report from Techdirt: By now, of course, you're aware that the Verizon-owned Tumblr (which was bought by Yahoo, which was bought by Verizon and merged into "Oath" with AOL and other no longer relevant properties) has suddenly decided that nothing sexy is allowed on its servers. This took many by surprise because apparently a huge percentage of Tumblr was used by people to post somewhat racy content. Knowing that a bunch of content was about to disappear, the famed Archive Team sprung into action -- as they've done many times in the past. They set out to archive as much of the content on Tumblr that was set to be disappeared down the memory hole as possible... and it turns out that Verizon decided as a final "fuck you" to cut them off. Jason Scott, the mastermind behind the Archive Team announced over the weekend that Verizon appeared to be blocking their IPs. Thankfully, it didn't take long for the Archive Team to get past the blocks. Scott tweeted on Sunday: "why look at that the archiving of tumblr restarted how did that happen must be a bug surely a crack team of activist archivists didn't see an ip block as a small setback and then turned everything up to 11."