Bug

Apple Watch Owners Asked To Return Devices For Repair After Update Glitch (bbc.com) 48

Apple has pulled an update for its smartwatches after some owners complained the software -- watchOS 5.1 -- had caused their devices to stop working. From a report: The problem appears to have baffled the firm's repair staff, and there appears to be no way at present for owners to restore the products themselves. Several have said they have been told they need to send in the devices for a fix. Apple said it intended to release a revised update soon. Those affected reported that their watches had become stuck in a state showing the Apple logo -- but nothing else -- on their screens. One owner of a newly released Series 4 model said he had been told it would take the firm's repair staff up to a week to decide whether his device needed to be repaired or replaced.
Android

Google Pixel 3 XL Bug Adds Second Notch To Side of the Screen (androidpolice.com) 44

Those of you who detest display notches will find this bug especially unpleasant. A small number of Pixel 3 XL users are reportedly experiencing a bug where an additional notch appears on the right side of the display. Android Police reports: Turns out that it's a real-life bug experienced by several users, including Jessie Burroughs, Kyle Gutschow, and UrAvgConsumer. We're not sure what's causing it, but it could be something to do with the screen rotation setting getting a bit confused about its orientation. In all three of the examples we've seen, the users reported that the issue went away after a restart or fiddling with the developer settings, so at least it's not a permanent problem. Anyone who bought a Pixel 3 XL probably decided that the notch didn't bother them that much, but we're not sure how they'd feel about another one showing up unannounced. Google is aware of this bug and says a fix is "coming soon."
Open Source

New SystemD Vulnerability Discovered (theregister.co.uk) 204

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Lennart Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Security

Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com) 114

An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

Microsoft

New Windows Zero-Day Bug Helps Delete Any File, Exploit Available (bleepingcomputer.com) 74

An anonymous reader quotes a report from Bleeping Computer: Proof-of-concept code for a new zero-day vulnerability in Windows has been released by a security researcher before Microsoft was able to release a fix. The code exploits a vulnerability that allows deleting without permission any files on a machine, including system data, and it has the potential to lead to privilege escalation. The vulnerability could be used to delete application DLLs, thus forcing the programs to look for the missing libraries in other places. If the search reaches a location that grants write permission to the local user, the attacker could take advantage by providing a malicious DLL.

The problem is with Microsoft Data Sharing Service, present in Windows 10, Server 2016 and 2019 operating systems, which provides data brokering between applications. Will Dormann, a vulnerability analyst at CERT/CC, tested the exploit code successfully on a Windows 10 operating system running the latest security updates. Behind the discovery is a researcher using the online alias SandboxEscaper, also responsible for publicly sharing in late August another security bug in Windows Task Scheduler component.
Microsoft hasn't addressed the issue, but there is a temporary fix available through the 0patch platform. "A micropatch candidate was ready seven hours after the zero-day vulnerability announcement, and it blocked the exploit successfully," reports Bleeping Computer. "0patch now delivers the stable version of the micropatch for fully updated Windows 10 1803."
Power

Why the Google Pixel 3 Charges Faster On a Pixel Stand Than Other Wireless Chargers (arstechnica.com) 124

An anonymous reader quotes a report from Ars Technica: Google's Pixel 3 smartphone is shipping out to the masses, and people hoping to take advantage of the new Qi wireless charging capabilities have run into a big surprise. For some unexplained reason, Google is locking out third-party Qi chargers from reaching the highest charging speeds on the Pixel 3. Third-party chargers are capped to a pokey 5W charging speed. If you want 10 watts of wireless charging, Google hopes you will invest in its outrageously priced Pixel Stand, which is $79.

Android Police reports that a reader purchased an Anker wireless charger for their Pixel 3, and, after noticing the slow charging speed, this person contacted the company. Anker confirmed that something screwy was going on with Google's charging support, saying "Pixel sets a limitation for third-party charging accessories and we are afraid that even our fast wireless charger can only provide 5W for these 2x devices." Normally we would chalk this up to some kind of bug, but apparently Google told Android Police that this was on purpose. The site doesn't have a direct quote, but it writes that, after reaching out to Google PR, it was "told that the Pixel 3 would charge at 10W on the Pixel Stand [and that] due to a 'secure handshake' being established that third-party chargers would indeed be limited to 5W."
In an update, Google said the reason has to do with the "proprietary wireless charging technology" it has via its Pixel Stand and other select wireless chargers. The Pixel 3 only supports 5W Qi charging; "Google's 10W proprietary wireless charging technology" is what will allow the phone to charge at faster speeds.

"Google says it is 'certifying' chargers for the Pixel 3 via the 'Made for Google' program and pointed us to one such device, a Belkin charger called the 'Boost Up Wireless Charging Pad 10W for Pixel 3 and Pixel 3 XL,'" reports Ars Technica. "Belkin's description is very enlightening, saying 'Made with the Google Pixel 3 and Pixel 3 XL in mind, this wireless charging pad uses Google's 10W proprietary wireless charging technology. It's certified for Pixel, so you know that the BOOST UP Wireless Charging pad has been made specifically for your Pixel 3 and meets Google's high product standards.'"
Android

Google News App Bug Is Using Up Gigabytes of Background Data Without Users' Knowledge (theverge.com) 110

A bug in the Google News app for Android is reportedly causing the app to use up excessive amounts of background data, leading to overage charges. "According to dozens of posts on the Google News Help Forum, users have been experiencing this issue as early as June," reports The Verge. "The issue was verified and addressed by a Google News community manager in September, stating that the company was investigating and working toward a fix, but the issue is still ongoing." From the report: Verge reader Zach Dowdle emailed in with his experience, and screenshots of his app and Wi-Fi data usage: "The Google News app is randomly using a ridiculous amount of background data without users' knowledge. The app burned through over 12 gigs of data on my phone while I slept and my Wi-Fi had disconnected. It led to $75 in overage charges."

According to several users, the app burned through mobile data despite having "Download via Wi-Fi" turned on in the settings. In some extreme cases, the Google News app used up to 24GB of data, leading to overage charges of up to $385, users reported. So far, the only solutions seem to be disabling background data, and deleting the app altogether.

Bug

Microsoft's Problem Isn't How Often it Updates Windows -- It's How It Develops It (arstechnica.com) 227

Ever since Microsoft settled on a cadence of two feature updates a year -- one in April, one in October -- the quality of its operating system (taking into consideration the volume of bugs that emerge every few days) has deteriorated, writes Peter Bright of Ars Technica. From the story: The problem with Windows as a Service is quality. Previous issues with the feature and security updates have already shaken confidence in Microsoft's updating policy for Windows 10. While data is notably lacking, there is at the very least a popular perception that the quality of the monthly security updates has taken a dive with Windows 10 and that installation of the twice-annual feature updates as soon as they're available is madness. These complaints are long-standing, too. The unreliable updates have been a cause for concern since shortly after Windows 10's release.

The latest problem has brought this to a head, with commentators saying that two feature updates a year is too many and Redmond should cut back to one, and that Microsoft needs to stop developing new features and just fix bugs. Some worry that the company is dangerously close to a serious loss of trust over updates, and for some Windows users, that trust may already have been broken. These are not the first calls for Microsoft to slow down with its feature updates -- there have been concerns that there's too much churn for both IT and consumer audiences alike to handle -- but with the obvious problems of the latest update, the calls take on a new urgency.

Programming

GitHub's Website Remains Broken After a Data Storage System Failed Earlier Today (theregister.co.uk) 66

GitHub engineers are trying to repair the data storage system underpinning the code hosting website, which has been presenting users with a "What!?" error for much of Sunday. From a report: Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com -- and possibly failing miserably as a result of the outage. From about 4pm US West Coast time on Sunday, the website has been stuttering and spluttering. Specifically, the site is still up and serving pages -- it's just intermittently serving out-of-date files, and ignoring submitted Gists, bug reports, and posts. Sometimes, it appears to be serving a read-only cache or older backup of itself, although some fresh code pushes are coming through onto the site. From the status page, it appears a data storage system died, forcing the platform's engineers to move the dot-com's files over to another box. In the meantime, some older versions of files and repos are being served to visitors and users. "We're continuing to work on migrating a data storage system in order to restore access to GitHub.com," the team said just after 5pm PT, adding in the past few minutes: "We are continuing to repair a data storage system for GitHub.com. You may see inconsistent results during this process."
Bug

Latest Windows 10 Update Has Yet Another File-Managing Issue (gizmodo.com.au) 177

An anonymous reader quotes Gizmodo: When it was discovered earlier this month that the 1809 build of Windows 10 was deleting user files just because, Microsoft halted the update until the problem was fixed. Shame, then, that another not-as-bad-but-still-bad file overwriting bug has now reared its head. In 1809, overwriting files by extracting from an archive using File Explorer doesn't result in an overwrite prompt dialogue and also doesn't replace any files at all; it just fails silently. There are also some reports that it did overwrite items, but did so silently without asking.
Ars Technica speculates that there's a larger problem with Microsoft's testing process: [M]any of the preview builds had a bug wherein deleting a directory that was synced to OneDrive crashed the machine. Not only was this bug integrated into the Windows code, it was allowed to ship to end users. This tells us some fundamental things about how Windows is being developed. Either tests do not exist at all for this code (and I've been told that yes, it's permitted to integrate code without tests, though I would hope this isn't the norm), or test failures are being regarded as acceptable, non-blocking issues, and developers are being allowed to integrate code that they know doesn't work properly...

Microsoft's new development process has, proportionately, a greater amount of time spent writing new features, and a reduced amount of time stabilizing and fixing those features. That would be fine if the quality of the features were higher to start with, with the testing infrastructure to support it and higher standards before new code was integrated. But the experience with Windows 10 thus far is that Microsoft hasn't developed the processes and systems needed to sustain this new approach.

PHP

As PHP Group Patches High-Risk Bugs, 62% of Sites Still Use PHP 5 (threatpost.com) 112

America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after PHP 5.6's end-of-life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."
Programming

Researchers Secretly Deployed A Bot That Submitted Bug-Fixing Pull Requests (medium.com) 87

An anonymous reader quotes Martin Monperrus, a professor of software at Stockholm's KTH Royal Institute of Technology: Repairnator is a bot. It constantly monitors software bugs discovered during continuous integration of open-source software and tries to fix them automatically. If it succeeds to synthesize a valid patch, Repairnator proposes the patch to the human developers, disguised under a fake human identity. To date, Repairnator has been able to produce 5 patches that were accepted by the human developers and permanently merged in the code base...

It analyzes bugs and produces patches, in the same way as human developers involved in software maintenance activities. This idea of a program repair bot is disruptive, because today humans are responsible for fixing bugs. In other words, we are talking about a bot meant to (partially) replace human developers for tedious tasks.... [F]or a patch to be human-competitive 1) the bot has to synthesize the patch faster than the human developer 2) the patch has to be judged good-enough by the human developer and permanently merged in the code base.... We believe that Repairnator prefigures a certain future of software development, where bots and humans will smoothly collaborate and even cooperate on software artifacts.

Their fake identity was a software engineer named Luc Esape, with a profile picture that "looks like a junior developer, eager to make open-source contributions... humans tend to have a priori biases against machines, and are more tolerant to errors if the contribution comes from a human peer. In the context of program repair, this means that developers may put the bar higher on the quality of the patch, if they know that the patch comes from a bot."

The researchers proudly published the approving comments on their merged patches -- although a conundrum arose when Repairnator submitted a patch for Eclipse Ditto, only to be told that "We can only accept pull-requests which come from users who signed the Eclipse Foundation Contributor License Agreement."

"We were puzzled because a bot cannot physically or morally sign a license agreement and is probably not entitled to do so. Who owns the intellectual property and responsibility of a bot contribution: the robot operator, the bot implementer or the repair algorithm designer?"
Microsoft

Winamp 5.8, the First Update In 4 Years, Is Released (bleepingcomputer.com) 198

Winamp, the world's most famous media player, has released version 5.8 to make it compatible with today's modern operating systems such as Windows 8.1 and Windows 10. Bleeping Computer notes that there hasn't been a new update released since 2014, when Radionomy purchased Winamp from AOL. Some other new features include standalone audio player support, an auto-fullscreen option for videos, updated scrollbars and buttons, and bug fixes.

From the report: Radionomy has stated that they are not stopping here and have big plans for Winamp. In an interview with TechCrunch, Radionomy CEO Alexandre Saboundjian revealed that a massive release is planned for 2019 that aims to add cloud support for streaming music, podcasts, and more. "There will be a completely new version next year, with the legacy of Winamp but a more complete listening experience," Saboundjian stated in the interview. "You can listen to the MP3s you may have at home, but also to the cloud, to podcasts, to streaming radio stations, to a playlist you perhaps have built."
Android

Some Google Pixel Owners' Camera Photos Aren't Saving (theverge.com) 47

Some users on Reddit and Google's support forums are reporting an issue in which taking a photo using Google Camera occasionally fails to save. The issue appears to be widespread, "affecting original Pixel phones as well as the Pixel 2 / 2 XL," reports The Verge. From the report: The issue occurs specifically in cases when the user takes a photo with Google Camera, and switches to another app or locks the phone immediately after. Users are able to see a thumbnail of the photo in the Camera gallery circle, but upon tapping it, the photo disappears. On some occasions, the photo doesn't appear at all at first, but it will reappear in their gallery a day later.

There are also some reports of Galaxy S9, Moto Z2, Moto E4, and Nexus 5X owners experiencing the issue after using Google Camera, so it's unclear whether the issue is limited to Pixel phones or if it's connected to a larger Android bug. For now, users have come up with a workaround for an issue they believe is related to HDR photo processing time. Reddit user erbat suggests leaving the camera app open until HDR processing completes or turning off the HDR function completely.

Data Storage

Buggy Software in Popular Connected Storage Drives Can Let Hackers Read Private Data (techcrunch.com) 44

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

Google

Google Warns Apple: Missing Bugs in Your Security Bulletins Are 'Disincentive To Patch' (zdnet.com) 43

Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.

Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."

Cloud

The Future of the Cloud Depends On Magnetic Tape (arstechnica.com) 164

An anonymous reader quotes a report from Bloomberg: Although the century-old technology has disappeared from most people's daily view, magnetic tape lives on as the preferred medium for safely archiving critical cloud data in case, say, a software bug deletes thousands of Gmail messages, or a natural disaster wipes out some hard drives. The world's electronic financial, health, and scientific records, collected on state-of-the-art cloud servers belonging to Amazon.com, Microsoft, Google, and others, are also typically recorded on tape around the same time they are created. Usually the companies keep one copy of each tape on-site, in a massive vault, and send a second copy to somebody like Iron Mountain. Unfortunately for the big tech companies, the number of tape manufacturers has shrunk over the past three years from six to just two -- Sony and Fujifilm -- and each seems to think that's still one too many.

The Japanese companies have said the tape business is a mere rounding error as far as they're concerned, but each has spent millions of dollars arguing before the U.S. International Trade Commission to try to ban the other from importing tapes to America. [...] The tech industry worries that if Sony or Fujifilm knocks the other out of the U.S., the winner will hike prices, meaning higher costs for the big cloud providers; for old-line storage makers, including IBM, HPE, and Quantum; and, ultimately, for all those companies' customers. [...] Although Sony and Fujifilm have each assured the trade commission that they could fill the gap if their rival's products were shut out of the U.S., the need for storage continues to grow well beyond old conceptions. Construction is slated to begin as soon as next year on the Square Kilometer Array, a radio telescope with thousands of antennas in South Africa and Australia meant to detect signals emitted more than 13 billion years ago. It's been estimated the project could generate an exabyte (1 billion gigabytes) of raw data every day, the equivalent of 300 times the material in the U.S. Library of Congress and a huge storage headache all by itself.

Bug

Trivial Authentication Bypass In Libssh Leaves Servers Wide Open (arstechnica.com) 83

Ars Technica reports on "a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server." It's not clear how many sites or devices may be vulnerable since neither the widely used OpenSSH nor GitHub's implementation of libssh was affected. From the report: The vulnerability, which was introduced in libssh version 0.6 released in 2014, makes it possible to log in by presenting a server with a SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple's macOS let people log in as admin without entering a password.

On the brighter side, there were no immediate signs of any big-name sites being bitten by the bug, which is indexed as CVE-2018-10933. While GitHub uses libssh, the site officials said on Twitter that "GitHub.com and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library." In a follow-up tweet, GitHub security officials said they use a customized version of libssh that implements an authentication mechanism separate from the one provided by the library. Out of an abundance of caution, GitHub has installed a patch released with Tuesday's advisory. Another limitation: only vulnerable versions of libssh running in server mode are vulnerable, while the client mode is unaffected. Peter Winter-Smith, a researcher at security firm NCC who discovered the bug and privately reported it to libssh developers, told Ars the vulnerability is the result of libssh using the same machine state to authenticate clients and servers. Because exploits involve behavior that's safe in the client but unsafe in the server context, only servers are affected.

Bug

'Hyperalarming' Study Shows Massive Insect Loss (washingtonpost.com) 336

An anonymous reader quotes a report from The Washington Post: Insects around the world are in a crisis, according to a small but growing number of long-term studies showing dramatic declines in invertebrate populations. A new report suggests that the problem is more widespread than scientists realized. Huge numbers of bugs have been lost in a pristine national forest in Puerto Rico, the study found, and the forest's insect-eating animals have gone missing, too. The latest report, published Monday in the Proceedings of the National Academy of Sciences, shows that this startling loss of insect abundance extends to the Americas. The study's authors implicate climate change in the loss of tropical invertebrates.

Bradford Lister, a biologist at Rensselaer Polytechnic Institute in New York, has been studying rain forest insects in Puerto Rico since the 1970s. "We went down in '76, '77 expressly to measure the resources: the insects and the insectivores in the rain forest, the birds, the frogs, the lizards," Lister said. He came back nearly 40 years later, with his colleague Andrés García, an ecologist at the National Autonomous University of Mexico. What the scientists did not see on their return troubled them. "Boy, it was immediately obvious when we went into that forest," Lister said. Fewer birds flitted overhead. The butterflies, once abundant, had all but vanished. García and Lister once again measured the forest's insects and other invertebrates, a group called arthropods that includes spiders and centipedes. The researchers trapped arthropods on the ground in plates covered in a sticky glue, and raised several more plates about three feet into the canopy. The researchers also swept nets over the brush hundreds of times, collecting the critters that crawled through the vegetation. Each technique revealed the biomass (the dry weight of all the captured invertebrates) had significantly decreased from 1976 to the present day. The sweep sample biomass decreased to a fourth or an eighth of what it had been. Between January 1977 and January 2013, the catch rate in the sticky ground traps fell 60-fold.
The study also found a 30-percent drop in anole lizards, which eat arthropods. Some anole species have disappeared entirely from the interior forest. Another research team captured insect-eating frogs and birds in 1990 and 2005, and found a 50 percent decrease in the number of captures. The authors attribute this decline to the changing climate.
Google

Senators Demand Google Hand Over Internal Memo Urging Google+ Cover-up (zdnet.com) 127

An anonymous reader writes: Three Republican senators have sent a letter to Google demanding the company hand over an internal memo based on which Google decided to cover up a Google+ data leak instead of going public as most companies do. The existence of this internal memo came to light on Monday in a Wall Street Journal article that forced Google to go public with details about a Google+ API bug that could have been used to harvest data on Google users.

According to the report, the internal memo, signed by Google's legal and policy staff, advised Google top execs not to disclose the existence of the API bug fearing "immediate regulatory interest." Google's legal staff also feared that the bug would bring Google "into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal," and would "almost [guarantee] Sundar will testify before Congress," akin to Facebook's CEO. In a letter sent today to Google, three GOP senators want to see this internal memo for themselves by October 30, and also with on-the-record answers to seven questions in regards to what, why, and how Google handled the Google+ API data leak.
