America's Multi-State Information Sharing & Analysis Center is operated in collaboration with its Department of Homeland Security's Office of Cybersecurity and Communications -- and they've got some bad news. MS-ISAC released an advisory warning government agencies, businesses, and home users of multiple high-risk security issues in PHP that can allow attackers to execute arbitrary code. Furthermore, if the PHP vulnerabilities are not successfully exploited, attackers could still induce a denial-of-service condition rendering the probed servers unusable... The PHP Group has issued fixes in the PHP 7.1.23 and 7.2.11 releases for all the high-risk bugs that could lead to DoS and arbitrary code execution in all vulnerable PHP 7.1 and 7.2 versions before these latest updates.
But meanwhile, Threatpost reported this week that 62% of the world's web sites are still running PHP version 5 -- even though its end of life is December 31st. "The deadlines will not be extended, and it is critical that PHP-based websites are upgraded to ensure that security support is provided," warned a recent CERT notice.

So far Drupal is the only CMS posting an official notice requiring upgrades to PHP 7 (by March, three months after the PHP 5.6's end of life deadline). Threatpost notes that "There has been no such notice from WordPress or Joomla."

An anonymous reader quotes Martin Monperrus, a professor of software at Stockholm's KTH Royal Institute of Technology: Repairnator is a bot. It constantly monitors software bugs discovered during continuous integration of open-source software and tries to fix them automatically. If it succeeds to synthesize a valid patch, Repairnator proposes the patch to the human developers, disguised under a fake human identity. To date, Repairnator has been able to produce 5 patches that were accepted by the human developers and permanently merged in the code base...

It analyzes bugs and produces patches, in the same way as human developers involved in software maintenance activities. This idea of a program repair bot is disruptive, because today humans are responsible for fixing bugs. In others words, we are talking about a bot meant to (partially) replace human developers for tedious tasks.... [F]or a patch to be human-competitive 1) the bot has to synthesize the patch faster than the human developer 2) the patch has to be judged good-enough by the human developer and permanently merged in the code base.... We believe that Repairnator prefigures a certain future of software development, where bots and humans will smoothly collaborate and even cooperate on software artifacts.
Their fake identity was a software engineer named Luc Esape, with a profile picture that "looks like a junior developer, eager to make open-source contributions... humans tend to have a priori biases against machines, and are more tolerant to errors if the contribution comes from a human peer. In the context of program repair, this means that developers may put the bar higher on the quality of the patch, if they know that the patch comes from a bot."

The researchers proudly published the approving comments on their merged patches -- although a conundrum arose when repairnator submitted a patch for Eclipse Ditto, only to be told that "We can only accept pull-requests which come from users who signed the Eclipse Foundation Contributor License Agreement."

"We were puzzled because a bot cannot physically or morally sign a license agreement and is probably not entitled to do so. Who owns the intellectual property and responsibility of a bot contribution: the robot operator, the bot implementer or the repair algorithm designer?"

Winamp, the world's most famous media player, has released version 5.8 to make it compatible with today's modern operating systems such as Windows 8.1 and Windows 10. Bleeping Computer notes that there hasn't been a new updates released since 2014, when Radionomy purchased Winamp from AOL. Some other new features include standalone audio player support, an auto-fullscreen option for videos, updates scrollbars and buttons, and bug fixes.

From the report: Radionomy has stated that they are not stopping here and have big plans for Winamp. In an interview with TechCrunch, Radionomy CEO Alexandre Saboundjian, revealed that a massive release is planned for 2019 that aims to add cloud support for streaming music, podcasts, and more. "There will be a completely new version next year, with the legacy of Winamp but a more complete listening experience," Saboundjian stated in the interview. "You can listen to the MP3s you may have at home, but also to the cloud, to podcasts, to streaming radio stations, to a playlist you perhaps have built."

Some users on Reddit and Google's support forums are reporting an issue in which taking a photo using Google Camera occasionally fails to save. The issue appears to be widespread, "affecting original Pixel phones as well as the Pixel 2 / 2 XL," reports The Verge. From the report: The issue occurs specifically in cases when the user takes a photo with Google Camera, and switches to another app or locks the phone immediately after. Users are able to see a thumbnail of the photo in the Camera gallery circle, but upon tapping it, the photo disappears. In some occasions, the photo doesn't appear at all at first, but it will reappear in their gallery a day later.

There's also some reports of Galaxy S9, Moto Z2, Moto E4, and Nexus 5X owners experiencing the issue after using Google Camera, so it's unclear whether the issue is limited to Pixel phones or if it's connected to a larger Android bug. For now, users have come up with a workaround for an issue they believe is related to HDR photo processing time. Reddit user erbat suggests leaving the camera app open until HDR processing completes or turning off the HDR function completely.

Security researchers have found flaws in four popular connected storage drives that they say could let hackers access a user's private and sensitive data. From a report: The researchers Paulos Yibelo and Daniel Eshetu said the software running on three of the devices they tested -- NetGear Stora, Seagate Home and Medion LifeCloud -- can allow an attacker to remotely read, change and delete data without requiring a password. Yibelo, who shared the research with TechCrunch this week and posted the findings Friday, said that many other devices may be at risk.

The software, Hipserv, built by tech company Axentra, was largely to blame for three of the four flaws they found. Hipserv is Linux-based, and uses several web technologies -- including PHP -- to power the web interface. But the researchers found that bugs could let them read files on the drive without any authentication. It also meant they could run any command they wanted as "root" -- the built-in user account with the highest level of access -- making the data on the device vulnerable to prying eyes or destruction.

Apple has not documented some high-severity bugs it patched that were reported to it by Google's Project Zero researchers. From a report: While it's good news that Apple beat Project Zero's 90-day deadline for patching or disclosing the bugs it finds, the group's Ivan Fratric recently argued that the practice endangered users by not fully informing them why an update should be installed. This time the criticism comes from Project Zero's Ian Beer, who's been credited by Apple with finding dozens of serious security flaws in iOS and macOS over the years. Beer posted a blog about several vulnerabilities in iOS 7 he found in 2014 that share commonalities with several bugs he has found in iOS 11.4.1, some of which he's now released exploits for.

Beer notes that none of the latest issues is mentioned in the iOS 12 security bulletin even though Apple did fix them. The absence of information about them is a "disincentive" for iOS users to patch, Beer argues. "Apple are still yet to assign CVEs for these issues or publicly acknowledge that they were fixed in iOS 12," wrote Beer. "In my opinion a security bulletin should mention the security bugs that were fixed. Not doing so provides a disincentive for people to update their devices since it appears that there were fewer security fixes than there really were."

An anonymous reader quotes a report from Bloomberg: Although the century-old technology has disappeared from most people's daily view, magnetic tape lives on as the preferred medium for safely archiving critical cloud data in case, say, a software bug deletes thousands of Gmail messages, or a natural disaster wipes out some hard drives. The world's electronic financial, health, and scientific records, collected on state-of-the-art cloud servers belonging to Amazon.com, Microsoft, Google, and others, are also typically recorded on tape around the same time they are created. Usually the companies keep one copy of each tape on-site, in a massive vault, and send a second copy to somebody like Iron Mountain. Unfortunately for the big tech companies, the number of tape manufacturers has shrunk over the past three years from six to just two -- Sony and Fujifilm -- and each seems to think that's still one too many.

The Japanese companies have said the tape business is a mere rounding error as far as they're concerned, but each has spent millions of dollars arguing before the U.S. International Trade Commission to try to ban the other from importing tapes to America. [...] The tech industry worries that if Sony or Fujifilm knocks the other out of the U.S., the winner will hike prices, meaning higher costs for the big cloud providers; for old-line storage makers, including IBM, HPE, and Quantum; and, ultimately, for all those companies' customers. [...] Although Sony and Fujifilm have each assured the trade commission that they could fill the gap if their rival's products were shut out of the U.S., the need for storage continues to grow well beyond old conceptions. Construction is slated to begin as soon as next year on the Square Kilometer Array, a radio telescope with thousands of antennas in South Africa and Australia meant to detect signals emitted more than 13 billion years ago. It's been estimated the project could generate an exabyte (1 billion gigabytes) of raw data every day, the equivalent of 300 times the material in the U.S. Library of Congress and a huge storage headache all by itself.

Ars Technica reports of "a four-year-old bug in the Secure Shell implementation known as libssh that makes it trivial for just about anyone to gain unfettered administrative control of a vulnerable server." It's not clear how many sites or devices may be vulnerable since neither the widely used OpenSSH nor Github's implementation of libssh was affected. From the report: The vulnerability, which was introduced in libssh version 0.6 released in 2014, makes it possible to log in by presenting a server with a SSH2_MSG_USERAUTH_SUCCESS message rather than the SSH2_MSG_USERAUTH_REQUEST message the server was expecting, according to an advisory published Tuesday. Exploits are the hacking equivalent of a Jedi mind trick, in which an adversary uses the Force to influence or confuse weaker-minded opponents. The last time the world saw an authentication-bypass bug with such serious consequences and requiring so little effort was 11 months ago, when Apple's macOS let people log in as admin without entering a password.

On the brighter side, there were no immediate signs of any big-name sites being bitten by the bug, which is indexed as CVE-2018-10933. While Github uses libssh, the site officials said on Twitter that "GitHub.com and GitHub Enterprise are unaffected by CVE-2018-10933 due to how we use the library." In a follow-up tweet, GitHub security officials said they use a customized version of libssh that implements an authentication mechanism separate from the one provided by the library. Out of an abundance of caution, GitHub has installed a patch released with Tuesday's advisory. Another limitation: only vulnerable versions of libssh running in server mode are vulnerable, while the client mode is unaffected. Peter Winter-Smith, a researcher at security firm NCC who discovered the bug and privately reported it to libssh developers, told Ars the vulnerability is the result of libssh using the same machine state to authenticate clients and servers. Because exploits involve behavior that's safe in the client but unsafe in the server context, only servers are affected.

An anonymous reader quotes a report from The Washington Post: Insects around the world are in a crisis, according to a small but growing number of long-term studies showing dramatic declines in invertebrate populations. A new report suggests that the problem is more widespread than scientists realized. Huge numbers of bugs have been lost in a pristine national forest in Puerto Rico (Warning: source may be paywalled; alternative source), the study found, and the forest's insect-eating animals have gone missing, too. The latest report, published Monday in the Proceedings of the National Academy of Sciences, shows that this startling loss of insect abundance extends to the Americas. The study's authors implicate climate change in the loss of tropical invertebrates.

Bradford Lister, a biologist at Rensselaer Polytechnic Institute in New York, has been studying rain forest insects in Puerto Rico since the 1970s. "We went down in '76, '77 expressly to measure the resources: the insects and the insectivores in the rain forest, the birds, the frogs, the lizards," Lister said. He came back nearly 40 years later, with his colleague Andrés García, an ecologist at the National Autonomous University of Mexico. What the scientists did not see on their return troubled them. "Boy, it was immediately obvious when we went into that forest," Lister said. Fewer birds flitted overhead. The butterflies, once abundant, had all but vanished. García and Lister once again measured the forest's insects and other invertebrates, a group called arthropods that includes spiders and centipedes. The researchers trapped arthropods on the ground in plates covered in a sticky glue, and raised several more plates about three feet into the canopy. The researchers also swept nets over the brush hundreds of times, collecting the critters that crawled through the vegetation. Each technique revealed the biomass (the dry weight of all the captured invertebrates) had significantly decreased from 1976 to the present day. The sweep sample biomass decreased to a fourth or an eighth of what it had been. Between January 1977 and January 2013, the catch rate in the sticky ground traps fell 60-fold. The study also found a 30-percent drop in anole lizards, which eat arthropods. Some anole species have disappeared entirely from the interior forest. Another research team captured insect-eating frogs and birds in 1990 and 2005, and found a 50 percent decrease in the number of captures. The authors attribute this decline to the changing climate.

An anonymous reader writes: Three Republican senators have sent a letter to Google demanding the company hand over an internal memo based on which Google decided to cover up a Google+ data leak instead of going public as most companies do. The existence of this internal memo came to light on Monday in a Wall Street Journal article that forced Google to go public with details about a Google+ API bug that could have been used to harvest data on Google users.

According to the report, the internal memo, signed by Google's legal and policy staff, advised Google top execs not to disclose the existence of the API bug fearing "immediate regulatory interest." Google's legal staff also feared that the bug would bring Google "into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal," and would "almost [guarantee] Sundar will testify before Congress," akin to Facebook's CEO. In a letter sent today to Google, three GOP senators want to see this internal memo for themselves by October 30, and also with on-the-record answers to seven questions in regards to what, why, and how Google handled the Google+ API data leak.

An anonymous reader quotes a report from The Verge: For months, Google has been trying to stay out of the way of the growing tech backlash, but yesterday, the dam finally broke with news of a bug in the rarely used Google+ network that exposed private information for as many as 500,000 users. Google found and fixed the bug back in March, around the same time the Cambridge Analytica story was heating up in earnest. [...] The vulnerability itself seems to have been relatively small in scope. The heart of the problem was a specific developer API that could be used to see non-public information. But crucially, there's no evidence that it actually was used to see private data, and given the thin user base, it's not clear how much non-public data there really was to see. The API was theoretically accessible to anyone who asked, but only 432 people actually applied for access (again, it's Google+), so it's plausible that none of them ever thought of using it this way.

The bigger problem for Google isn't the crime, but the cover-up. The vulnerability was fixed in March, but Google didn't come clean until seven months later when The Wall Street Journal got hold of some of the memos discussing the bug. [...] Part of the disconnect comes from the fact that, legally, Google is in the clear. There are lots of laws about reporting breaches -- primarily the GDPR but also a string of state-level bills -- but by that standard, what happened to Google+ wasn't technically a breach. Those laws are concerned with unauthorized access to user information, codifying the basic idea that if someone steals your credit card or phone number, you have a right to know about it. But Google just found that data was available to developers, not that any data was actually taken. With no clear data stolen, Google had no legal reporting requirements. As far as the lawyers were concerned, it wasn't a breach, and quietly fixing the problem was good enough.

WhatsApp developers have fixed a bug in the Android and iOS versions of the WhatsApp mobile app that allowed hackers to take over the application when users answered an incoming video call. From a report: Natalie Silvanovich, a security researcher with Google's Project Zero security research team, discovered the WhatsApp vulnerability at the end of August. She described the vulnerability as a "memory corruption bug in WhatsApp's non-WebRTC video conferencing implementation." "Heap corruption can occur when the WhatsApp mobile application receives a malformed RTP packet," Silvanovich said in a bug report. "This issue can occur when a WhatsApp user accepts a call from a malicious peer." It is unclear how popular the video feature is on WhatsApp, which is used by more than 1.2 billion users. But in July, the company said users were spending over two billion minutes on calls (including voice) each day.

An anonymous reader quotes a report from The Verge: Microsoft is re-releasing its Windows 10 October 2018 Update today, following the company pulling it offline due to data deletion issues over the weekend. The software giant says there were only a few reports of data loss, at a rate of one one-hundredth of one percent. "We have fully investigated all reports of data loss, identified and fixed all known issues in the update, and conducted internal validation," says Microsoft's John Cable, director of program management for Windows Servicing and Delivery. Microsoft is now re-releasing the Windows 10 October 2018 Update to Windows Insiders, before rolling it out more broadly to consumers. "We will carefully study the results, feedback, and diagnostic data from our Insiders before taking additional steps towards re-releasing more broadly," explains Cable.

It appears the bug that caused file deletion was related to Windows 10 users who had enabled Known Folder Redirection to redirect folders like desktop, documents, pictures, and screenshots from the default location. Microsoft introduced code in its latest update to delete the empty and duplicate known folders, but it appears they weren't always empty. Microsoft has developed fixes to address a variety of problems related to these folder moves, and these fixes are now being tested with Windows Insiders.

At least two U.S. states are investigating a breach at Alphabet's Google that may have exposed private profile data of at least 500,000 users to hundreds of external developers. From a report: The investigation follows Google's announcement on Monday that it would shut down the consumer version of its social network Google+ and tighten its data-sharing policies after a "bug" potentially exposed user data that included names, email addresses, occupations, genders and ages. "We are aware of public reporting on this matter and are currently undertaking efforts to gain an understanding of the nature and cause of the intrusion, whether sensitive information was exposed, and what steps are being taken or called for to prevent similar intrusions in the future," Jaclyn Severance, a spokeswoman for Connecticut Attorney General George Jepsen, told Reuters in an email. The New York Attorney General's office also said it was looking into the breach.

Apple has released iOS 12.0.1, the first official update to the iOS 12 OS that brings a number of fixes, including a fix to the charging issue that was affecting some iPhone XS owners. Mac Rumors reports: Today's update fixes several high profile bugs that have been plaguing iOS 12 users. It resolves an issue that could cause some iPhone XS devices not to charge when connected to a Lightning cable, an issue that was discovered shortly after iOS 12 was released. Reports suggested multiple iOS 12 devices were affected rather than just the iPhone XS, and it's likely that if other devices are impacted, the new update solves the problem.

https://www.macrumors.com/2018/10/08/apple-releases-ios-12-0-1-update/ iOS 12.0.1 also fixes a major Wi-Fi bug that could cause some iPhone XS devices to prefer to join a 2.4GHz Wi-Fi network rather than a 5GHz Wi-Fi network, resulting in perceived slower Wi-Fi connection speeds. After this update, many users who were stuck with their phones connecting to a 2.4GHz network should see much faster Wi-Fi connection speeds as the devices once again prefer a 5GHz network. Other bug fixes in this update include a reorientation of the "123" number key on the iPad, which was moved in the iOS 12 update and swapped with the emoji/language key, a fix for a problem that could cause subtitles not to appear in some video apps, and an issue where Bluetooth could become unavailable.

Some Apple Watch Series 4 owners in Australia experienced crashes and reboots on Saturday due to a bug that surfaced because of the daylight saving time change. From a report: According to Reddit users hit by the Apple Watch bug, the root of the problem appears to be the Infograph Modular face's Activity complication, which displays a timeline graph with hourly data for the user's Move calories, Exercise minutes, and Stand hours. When daylight saving time (DST) lops an hour off the typical 24-hour day, the Activity complication is apparently unable to compute the change and draw the timeline graph with only 23 hours, which throws the Apple Watch into an endless reboot loop until the battery runs out.

"Linux runs the world, right? So we want to make sure that things are secure," says Linux kernel maintainer Greg Kroah-Hartman. When asked in a new video interview which bug makes them most angry, he first replies "the whole Spectre/Meltdown problem. What made us so mad, in a way, is we were fixing a bug in somebody else's layer!" One also interesting thing about the whole Spectre/Meltdown is the complexity of that black box of a CPU is much much larger than it used to be. Right? Because they're doing -- in order to eke out all the performance and all the new things like that, you have to do extra-special tricks and things like that. And they have been, and sometimes those tricks come back to bite you in the butt. And they have, in this case. So we have to work around that.
But a companion article on Linux.com notes that "Intel has changed its approach in light of these events. 'They are reworking on how they approach security bugs and how they work with the community because they know they did it wrong,' Kroah-Hartman said." (And the article adds that "for those who want to build a career in kernel space, security is a good place to get started...")

Kroah-Hartman points out in the video interview that "we're doing more and more testing, more and more builds," noting "This infrastructure we have is catching things at an earlier stage -- because it's there -- which is awesome to see." But security issues can persist thanks to outside vendors beyond their control. Linux.com reports: Hardening the kernel is not enough, vendors have to enable the new features and take advantage of them. That's not happening. Kroah-Hartman releases a stable kernel every week, and companies pick one to support for a longer period so that device manufacturers can take advantage of it. However, Kroah-Hartman has observed that, aside from the Google Pixel, most Android phones don't include the additional hardening features, meaning all those phones are vulnerable. "People need to enable this stuff," he said.

"I went out and bought all the top of the line phones based on kernel 4.4 to see which one actually updated. I found only one company that updated their kernel," he said. "I'm working through the whole supply chain trying to solve that problem because it's a tough problem. There are many different groups involved -- the SoC manufacturers, the carriers, and so on. The point is that they have to push the kernel that we create out to people."
"The good news," according to Linux.com, "is that unlike with consumer electronics, the big vendors like Red Hat and SUSE keep the kernel updated even in the enterprise environment. Modern systems with containers, pods, and virtualization make this even easier. It's effortless to update and reboot with no downtime."

An anonymous reader writes: This October will see the fifth annual Hacktoberfest, "a month-long celebration of open source software run by DigitalOcean in partnership with GitHub and Twilio." Basically you sign up any time in October, then submit five quality pull requests to public GitHub repositories to win a t-shirt and stickers. (Issues and commits don't count, only pull requests created after October 1st -- but pull requests will still count even if they're not accepted or merged, "unless they are spam, irrelevant, or tagged as invalid.") "No contribution is too small -- bug fixes and documentation updates are valid ways of participating."
Here's Microsoft's own announcement about the event from their Open Source blog: We're excited to announce that we're participating in this year's Hacktoberfest! An annual celebration of all things open source, Hacktoberfest launched as a partnership between DigitalOcean and GitHub in 2014 and rallies a global community of contributors, with last year's event drawing more than 30K participants and nearly 240K pull requests.

This October, we'll recognize anyone who submits a pull request to one of our open source projects with a special limited-edition T-shirt (more details below)... Our projects span nearly all areas of computing, from developer tools and frameworks like .NET Core, Microsoft Cognitive Toolkit, Visual Studio Code, and Visual Studio Tools for Xamarin to Kubernetes tooling like Draft and the Service Fabric container orchestrator. Any contributions are welcome, so explore our GitHub repos, find something that interests you, and submit your first (or 100th) pull request.
Microsoft's t-shirt design includes a cameo appearance by.... Clippy, Microsoft's widely beloved default assistant for Office 2000/XP/2003.

Amid reports of users facing a number of issues after updating their computers to Windows 10 October 2018 Update, Microsoft said Saturday it was pausing the rollout of the latest version of its Windows 10 desktop operating system. ZDNet: In a support document updated today, October 6, the Redmond-based OS maker said it took this decision after users complained that v1809 had deleted files after the update. We have paused the rollout of the Windows 10 October 2018 Update (version 1809) for all users as we investigate isolated reports of users missing some files after updating. Microsoft employs a gradual rollout scheme, and not all Windows 10 users have received its latest bi-annual OS update. The October 2018 Update is no longer available for download, and Microsoft urges users who manually downloaded a Windows 10 installation package to wait until new installation media is available. "We will provide an update when we resume rolling out the Windows 10 October 2018 Update to customers," Microsoft said.

Emil Protalinski, reporting for VentureBeat: Until just a few days ago, some Facebook users could not delete their accounts -- the option to do so simply didn't work. After VentureBeat reached out to Facebook regarding the issue, an engineer was able to squash the bug.

Two weeks ago, I got an email from a VentureBeat reader who couldn't delete his Facebook account. He claimed there were others also having issues -- no matter what they tried, they simply could not delete Facebook. I didn't believe him at first. [...] I did my due diligence. The least I could do was help him delete his account. Upon request, the reader was gracious enough to let me log into his Facebook account so I could see for myself. No matter what I tried, and regardless of which browser I used, the Facebook help page for deleting your account would not load when logged into his account. The reporter contacted a Facebook spokesperson, who after looking into the matter concluded that a bug prevented some people with "a large number of posts" from deleting their accounts. Facebook says it has resolved the issue.