Data Storage

SSD Drives Vulnerable To Rowhammer-Like Attacks That Corrupt User Data (bleepingcomputer.com) 48

An anonymous reader writes: NAND flash memory chips, the building blocks of solid-state drives (SSDs), include what could be called "programming vulnerabilities" that can be exploited to alter stored data or shorten the SSD's lifespan. According to research published earlier this year, the programming logic powering of MLC NAND flash memory chips (the tech used for the latest generation of SSDs), is vulnerable to at least two types of attacks.

The first is called "program interference," and takes place when an attacker manages to write data with a certain pattern to a target's SSD. Writing this data repeatedly and at high speeds causes errors in the SSD, which then corrupts data stored on nearby cells. This attack is similar to the infamous Rowhammer attack on RAM chips.

The second attack is called "read disturb" and in this scenario, an attacker's exploit code causes the SSD to perform a large number of read operations in a very short time, which causes a phenomenon of "read disturb errors," that alters the SSD ability to read data from nearby cells, even long after the attack stops.

Bug

Wormable Code-Execution Bug Lurked In Samba For 7 Years (arstechnica.com) 70

Long-time Slashdot reader williamyf was the first to share news of "a wormable bug [that] has remained undetected for seven years in Samba verions 3.5.0 onwards." Ars Technica reports: Researchers with security firm Rapid7...said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available... Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restart the network's SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.
The U.S. Department of Homeland Security's CERT group issued an anouncement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the Wannacry ransomware, partly because Samba is just "not as common as Windows architectures." But the original submission also points out that while the patch came in fast, "the 'Many eyes' took seven years to 'make the bug shallow'."
Bug

Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices 48

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. "One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices," reports BBC. "The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets." From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the "ecosystem" of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the "serious challenges" pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had work to do more to "protect against potential system compromises that may have implications to patient care." The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.
Windows

In a Throwback To the '90s, NTFS Bug Lets Anyone Hang Or Crash Windows 7, 8.1 (arstechnica.com) 122

Windows 7 and 8.1 (and also Windows Vista) have a bug that is reminiscent of Windows 98 age, when a certain specially crafted filename could make the operating system crash (think of file:///c:/con/con). From an ArsTechnica report: The new bug, which fortunately doesn't appear to afflict Windows 10, uses another special filename. This time around, the special filename of choice is $MFT. $MFT is the name given to one of the special metadata files that are used by Windows' NTFS filesystem. The file exists in the root directory of each NTFS volume, but the NTFS driver handles it in special ways, and it's hidden from view and inaccessible to most software. Attempts to open the file are normally blocked, but in a move reminiscent of the Windows 9x flaw, if the filename is used as if it were a directory name -- for example, trying to open the file c:\$MFT\123 -- then the NTFS driver takes out a lock on the file and never releases it. Every subsequent operation sits around waiting for the lock to be released. Forever. This blocks any and all other attempts to access the file system, and so every program will start to hang, rendering the machine unusable until it is rebooted.
Mozilla

Firefox Marketing Head Expresses Concerns Over Google's Apparent 'Only Be On Chrome' Push (medium.com) 184

Eric Petitt, head up Firefox marketing, writing in a blog: I use Chrome every day. Works fine. Easy to use. There are multiple things that bug me about the Chrome product, for sure, but I'm OK with Chrome. I just don't like only being on Chrome. And that's what Chrome wants. It wants you to only use Chrome. Chrome is not evil, it's just too big for its britches. Its influence on the internet economy and individuals is out of balance. Chrome, with 4 times the market share of its nearest competitor (Firefox), is an eight-lane highway to the largest advertising company in the world. Google built it to maximize revenue from your searches and deliver display ads on millions of websites. To monetize every... single... click. And today, there exists no meaningful safety valve on its market dominance. Beyond Google, the web looks more and more like a feudal system, where the geography of the web has been partitioned off by the Frightful Five. Google, Facebook, Microsoft, Apple and Amazon are our lord and protectors, exacting a royal sum for our online behaviors. We're the serfs and tenants, providing homage inside their walled fortresses. Noble upstarts are erased or subsumed under their existing order. (Footnote: Petitt has made it clear that the aforementioned views are his own, and not those of Mozilla.)
Security

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) 53

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.
Twitter

A Bug in Twitter's Old Vine App May Have Exposed Your Email (cnet.com) 6

An anonymous reader shares a report: If you had a Vine account, there's an alert you may want to know about. The video app, which Twitter bought in 2012 and shut down last year after its six-second videos failed to take off, sent out emails to some users Friday alerting them to a vulnerability in its service. Yeah, that's right, Vine is dead, but your account may have been compromised anyway. Apparently, the "bug" potentially exposed email addresses to hackers or other "third parties under certain circumstances." The vulnerability apparently existed for less than 24 hours, or 14,400 Vine videos. "We take these incidents very seriously, and we're sorry this occurred," Vine wrote in its email. It also said the information exposed could not be used to access accounts, and there were no indications any of the data had been misused.
Operating Systems

ReactOS 0.4.5 Released (reactos.org) 117

An anonymous reader shares Colin Finck's forum post announcing ReactOS version 0.4.5: The ReactOS Project is pleased to release version 0.4.5 as a continuation of its three month cadence. Beyond the usual range of bug fixes and syncs with external dependencies, a fair amount of effort has gone into the graphical subsystem. Thanks to the work of Katayama Hirofumi and Mark Jansen, ReactOS now better serves requests for fonts and font metrics, leading to an improved rendering of applications and a more pleasant user experience. Your continued donations have also funded a contract for Giannis Adamopoulos to fix every last quirk in our theming components. The merits of this work can be seen in ReactOS 0.4.5, which comes with a smoother themed user interface and the future promises to bring even more improvements. In another funded effort, Hermes Belusca-Maito has got MS Office 2010 to run under ReactOS, another application from the list of most voted apps. On top of this, there have been several major fixes in the kernel and drivers that should lead to stability improvements on real hardware and on long-running machines. The general notes, tests, and changelog for the release can be found at their respective links. ISO images and prepared VMs for testing can be downloaded here.
Desktops (Apple)

Apple Releases macOS 10.12.5, iOS 10.3.2, watchOS 3.2.2, tvOS 10.2.1 (macworld.com) 45

On Monday, Apple released point updates to all its operating systems. Starting with the desktop, the macOS 10.12.5 update for Sierra is the fifth major update since the operating system was released in September of 2016. The iPhone-maker also released the iOS 10.3.2 for iPhones, iPads and iPods to the public. The update for Macs offers a range of bug fixes, improvements to Night Shift, and a long list of security patches. The iOS 10.3.2 update offers "bug fixes and improves the security." More details -- including what's new in tvOS, and watchOS -- here.
Security

PCs Connected To the Internet Will Get Infected With WanaDecrypt0r In Minutes (bleepingcomputer.com) 82

An anonymous reader writes: "The Wana Decrypt0r ransomware -- also known as WCry, WannaCry, WannaCrypt, and WanaCrypt0r -- infected a honeypot server made to look like a vulnerable Windows computer six times in the span of 90 minutes, according to an experiment carried out by a French security researcher that goes online by the name of Benkow," reports BleepingComputer. "During one of those infections, Wana Decrypt0r infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware's scanning module, which helps it spread to new victims... Three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches."

The article also highlights the fact that the group behind this threat is possibly made of inexperienced coders, who just stumbled upon a way to weaponize an NSA exploit. Their three previous WanaDecrypt0r campaigns were mundane, and one researcher called their code "utter [expletive]." This is because WanaDecrypt0r is actually made of two main modules, the ransomware itself, and the SMB worm (based on the NSA exploit). While the SMB worm is top-shelf code, the ransomware itself is quite unsophisticated, making a lot of operational errors, including using only 3 Bitcoin wallets to handle payments, instead of one per infected user, as most top-shelf ransomware does. This makes it difficult to tell which victims paid and who didn't, as anyone could claim "x" transaction is theirs, even if they didn't pay.

Microsoft

As World Reacts To WanaDecrypt0r, Microsoft Issues Patch For Old Windows Systems (bleepingcomputer.com) 150

An anonymous reader quotes the AP: Teams of technicians worked "round the clock" Saturday to restore hospital computer systems in Britain and check bank or transport services in other nations after a global cyberattack hit dozens of countries and crippled the U.K.'s health system. The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses. [Windows XP, Windows 8, and Windows Server 2003]
An anonymous reader writes: The patches are available for download from here. Microsoft also advises companies and users to disable the Windows Server Message Block version 1 protocol, as it's an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3... Microsoft had released a fix for that exploit a month before, in March, in security bulletin MS17-010 [which] included fixes for Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016.
Below the fold are more stories about the WanaDecrypt0r ransomware.
Bug

Google Found Over 1,000 Bugs In 47 Open Source Projects (helpnetsecurity.com) 55

Orome1 writes: In the last five months, Google's OSS-Fuzz program has unearthed over 1,000 bugs in 47 open source software projects... So far, OSS-Fuzz has found a total of 264 potential security vulnerabilities: 7 in Wireshark, 33 in LibreOffice, 8 in SQLite 3, 17 in FFmpeg -- and the list goes on...
Google launched the program in December and wants more open source projects to participate, so they're offering cash rewards for including "fuzz" targets for testing in their software. "Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration" -- or twice that amount, if the proceeds are donated to a charity.
Patents

Cloudflare Declares War On a Patent Troll With a $50,000 Bounty (fortune.com) 54

Internet security company Cloudflare has declared war on a company called Blackbird that consists of a group of lawyers who file patent lawsuits against tech and retail firms. In a blog post titled "Standing Up to a Dangerous New Breed of Patent Troll," Cloudflare called Blackbird's business model destruction and unethical, and announced a $50,000 bounty to anyone who would help invalidate Blackbird's patents. Fortune reports: "There's no social value here. There's no support for a maligned inventor. There's no competing business or product. There's no validation of an incentive structure that supports innovation. This is a shakedown where a patent troll, Blackbird Tech, creates as much nuisance as it can so its attorney-principals can try to grab some cash. Cloudflare does not intend to play along," said the blog post. While patent trolling has been around for years -- and is a particular bug bear of the tech industry -- Cloudflare says Blackbird's model of trolling involves a new and unethical twist. Specifically, the company says Blackbird's lawyer-executives are violating their professional obligations by buying the claims of potential clients and engaging in questionable fee-splitting arrangements. Here is how Cloudflare, which says it is filing complaints with the state bars of Massachusetts and Illinois, explains it: "Blackbird's 'new model' seems to be only that its operations set out to distort the traditional Attorney-Client relationship. Blackbird's website makes a direct pitch of its legal services to recruit clients with potential claims and then, instead of taking them on as a client, purchases their claims and provides additional consideration that likely gives the client an ongoing interest in the resulting litigation. In doing so, Blackbird is flouting its ethical obligations meant to protect clients and distorting the judicial process by obfuscating and limiting potential counterclaims against the real party in interest."
Programming

Only 36 Percent of Indian Engineers Can Write Compilable Code, Says Study (itwire.com) 210

New submitter troublemaker_23 quotes a report from ITWire: Only 36% of software engineers in India can write compilable code based on measurements by an automated tool that is used across the world, the Indian skills assessment company Aspiring Minds says in a report. The report is based on a sample of 36,800 from more than 500 colleges across India. Aspiring Minds said it used the automated tool Automata which is a 60-minute test taken in a compiler integrated environment and rates candidates on programming ability, programming practices, run-time complexity and test case coverage. It uses advanced artificial intelligence technology to automatically grade programming skills. "We find that out of the two problems given per candidate, only 14% engineers are able to write compilable codes for both and only 22% write compilable code for exactly one problem," the study said. It further found that of the test subjects only 14.67% were employable by an IT services company. When it came to writing fully functional code using the best practices for efficiency and writing, only 2.21% of the engineers studied made the grade.
Google

Google Researchers Find Wormable 'Crazy Bad' Windows Exploit (bleepingcomputer.com) 74

An anonymous reader quotes a report from BleepingComputer: Two Google security experts have found a severe remote code execution (RCE) bug in the Windows OS, which they've described as "crazy bad." The two experts are Natalie Silvanovich and Tavis Ormandy, both working for Project Zero, a Google initiative for discovering and helping patch zero-days in third-party software products. The two didn't release in-depth details about the vulnerability, but only posted a few cryptic tweets regarding the issue. Drilled with questions by the Twitter's infosec community, Ormandy later revealed more details: the attacker and the victim don't necessarily need to be on the same LAN; the attack works on a default Windows install, meaning victims don't need to install extra software on their systems to become vulnerable; the attack is wormable (can self-replicate). The tweets came days before Microsoft's May 2017 Patch Tuesday, scheduled tomorrow, May 9. The researchers said a report is coming, alluding the vulnerability might be patched this month, and they'll be free to publish their findings.
Debian

Debian 8.8 Released (debian.org) 65

prisoninmate quotes Softpedia: The Debian Project announced today Debian GNU/Linux 8.8, the most advanced stable version of the Jessie series, which brings corrections for numerous packages and various security flaws discovered and patched since the release of the Debian GNU/Linux 8.7 maintenance update back in mid-January 2017... "This update mainly adds corrections for security problems to the stable release, along with a few adjustments for serious problems. Security advisories were already published separately and are referenced where available," reads today's announcement.

"Please note that this update does not constitute a new version of Debian 8 but only updates some of the packages included. There is no need to throw away old 'jessie' CDs or DVDs but only to update via an up-to-date Debian mirror after an installation, to cause any out of date packages to be updated."

Debian 8.8 contains more than 150 bug fixes and security updates.
Intel

Intel Patches Remote Execution Hole That's Been Hidden In Its Chips Since 2008 (theregister.co.uk) 164

Chris Williams reports via The Register: Intel processor chipsets have, for roughly the past nine years, harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with virtually undetectable spyware and other malicious code. Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products." That means hackers exploiting the flaw can silently snoop on a vulnerable machine's users, make changes to files and read them, install rootkits and other malware, and so on. This is possible across the network, or with local access. These management features have been available in various Intel chipsets for years, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was found and reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks.
The Military

Some Of The Pentagon's Critical Infrastructure Still Runs Windows 95 And 98 (defenseone.com) 152

SmartAboutThings writes: The Pentagon is set to complete its Windows 10 transition by the end of this year, but nearly 75% of its control system devices still run Windows XP or other older versions, including Windows 95 and 98. A Pentagon official now wants the bug bounty program of the top U.S. defense agency expanded to scan for vulnerabilities in its critical infrastructure.
DefenseOne raises the possibility of "building and electrical systems, HVAC equipment and other critical infrastructure laden with internet-connected sensors," with one military program manager saying "A lot of these systems are still Windows 95 or 98, and that's OK -- if they're not connected to the internet." Windows Report notes that though Microsoft no longer supports Windows XP, "the Defense Department is paying Microsoft to continue providing support for the legacy OS."
Security

Hackers Exploited Word Flaw For Months While Microsoft Investigated (reuters.com) 46

An anonymous reader writes: To understand why it is so difficult to defend computers from even moderately capable hackers, consider the case of the security flaw officially known as CVE-2017-0199. The bug was unusually dangerous but of a common genre: it was in Microsoft software, could allow a hacker to seize control of a personal computer with little trace, and was fixed April 11 in Microsoft's regular monthly security update. But it had traveled a rocky, nine-month journey from discovery to resolution, which cyber security experts say is an unusually long time. Google's security researchers, for example, give vendors just 90 days' warning before publishing flaws they find. Microsoft declined to say how long it usually takes to patch a flaw. While Microsoft investigated, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. And a group of thieves used it to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.
Bug

GE Fixing Bug in Software After Warning About Power Grid Hacks (reuters.com) 38

General Electric said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility's power systems after researchers found that hackers could shut down parts of an electric grid. From a report: The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to "disconnect sectors of the power grid at will," according to an abstract posted late last week on the Black Hat security conference website. Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

Slashdot Top Deals