Microsoft

Microsoft Edge On Windows 10: the Browser That Will Finally Kill IE 208 208

An anonymous reader writes: Windows 10 launches today and with it comes a whole new browser, Microsoft Edge. You can still use Internet Explorer if you want, but it's not the default. IE turns 20 in less than a month, which is ancient in internet years, so it's not surprising that Microsoft is shoving it aside. Still, leaving behind IE and launching a new browser built from the ground up marks the end of an era for Microsoft. “Knowing that browsing is still one of the very top activities that people do on a PC, we knew there was an opportunity, and really an obligation, to push the web browsing experience and so that’s what we’ve done with Microsoft Edge," Drew DeBruyne, director of program management at Microsoft told VentureBeat.
Android

Maliciously Crafted MKV Video Files Can Be Used To Crash Android Phones 82 82

itwbennett writes: Just days after publication of a flaw in Android's Stagefright, which could allow attackers to compromise devices with a simple MMS message, researchers have found another Android media processing flaw. The latest vulnerability is located in Android's mediaserver component, more specifically in how the service handles files that use the Matroska video container (MKV), Trend Micro researchers said. "When the process opens a malformed MKV file, the service may crash (and with it, the rest of the operating system). The vulnerability is caused by an integer overflow when the mediaserver service parses an MKV file. It reads memory out of buffer or writes data to NULL address when parsing audio data."
Bug

Honeywell Home Controllers Open To Any Hacker Who Can Find Them Online 83 83

Trailrunner7 writes: Security issues continue to crop up within the so-called "smart home." A pair of vulnerabilities have been reported for the Tuxedo Touch controller made by Honeywell, a device that's designed to allow users to control home systems such as security, climate control, lighting, and others. The controller, of course, is accessible from the Internet. Researcher Maxim Rupp discovered that the vulnerabilities could allow an attacker to take arbitrary actions, including unlocking doors or modifying the climate controls in the house.
Programming

.NET 4.6 Optimizer Bug Causes Methods To Get Wrong Parameters 144 144

tobiasly writes: A serious bug in the just-released .NET 4.6 runtime causes the JIT compiler to generate incorrectly-optimized code which results in methods getting called with different parameters than what were passed in. Nick Craver of Stack Exchange has an excellent write-up of the technical details and temporary workarounds; Microsoft has acknowledged the problem and submitted an as-yet unreleased patch.

This problem is compounded by Microsoft's policy of replacing the existing .NET runtime, as opposed to the side-by-side runtimes which were possible until .NET 2.0. This means that even if your project targets .NET 4.5, it will get the 4.6 runtime if it was installed on that machine. Since it's not possible to install the just-released Visual Studio 2015 without .NET 4.6, this means developers must make the difficult choice between using the latest tools or risking crippling bugs such as this one.
Security

Steam Bug Allowed Password Resets Without Confirmation 57 57

An anonymous reader writes: Valve has fixed a bug in their account authentication system that allowed attackers to easily reset the password to a Steam account. When a Steam user forgets a password, he goes to an account recovery page and asks for a reset. The page then sends a short code to the email address registered with the account. The problem was that Steam wasn't actually checking the codes sent via email. Attackers could simply request a reset and then submit a blank field when prompted for the code. Valve says the bug was active from July 21-25. A number of accounts were compromised, including some prominent streamers and Dota 2 pros. Valve issued password resets to those accounts with "suspicious" changes over the past several days.
Bug

The OpenSSH Bug That Wasn't 55 55

badger.foo writes: Get your facts straight before reporting, is the main takeaway from Peter Hansteen's latest piece, The OpenSSH Bug That Wasn't. OpenSSH servers that are set up to use PAM for authentication and with a very specific (non-default on OpenBSD and most other places) setup are in fact vulnerable, and fixing the configuration is trivial.
Privacy

After Progressive Insurance's Snapshot Hacked, Manufacturer Has Been, Too 3 3

An anonymous reader writes: Progressive Insurance sells a tracking device called Snapshot that is advertised as a "little device [that] turns your safe driving into savings." However Snapshot itself has been hacked, and Xirgo Technologies, which makes Snapshot, is currently hacked due to out-of-date software on their website — and has been that way since at least May 5th of 2015. Given that Chrysler just did a recall of 1.4 million cars, people should really think twice before blindly trusting the safety of their cars to any random company, especially if that company can't even keep their WordPress up-to-date or remove hacked code from their site.
OS X

A Tweet-Sized Exploit Can Get Root On OS X 10.10 129 129

vivaoporto writes: The Register reports a root-level privilege-escalation exploit that allows one to gain administrator-level privileges on an OS X Yosemite Mac using code so small that fits in a tweet. The security bug, documented by iOS and OS X guru Stefan Esserwhich, can be exploited by malware and attackers to gain total control of the computer. This flaw is present in the latest version of Yosemite, OS X 10.10.4, and the beta, version 10.10.5 but is already fixed in the preview beta of El Capitan (OS X 10.11) Speaking of exploits: Reader trailrunner 7 notes that "HP’s Zero Day Initiative has released four new zero days in Internet Explorer that can lead to remote code execution."
Bug

Bug Exposes OpenSSH Servers To Brute-Force Password Guessing Attacks 157 157

itwbennett writes: OpenSSH servers with keyboard-interactive authentication enabled, which is the default setting on many systems, including FreeBSD ones, can be tricked to allow many authentication retries over a single connection, according to a security researcher who uses the online alias Kingcope, who disclosed the issue on his blog last week. According to a discussion on Reddit, setting PasswordAuthentication to 'no' in the OpenSSH configuration and using public-key authentication does not prevent this attack, because keyboard-interactive authentication is a different subsystem that also relies on passwords.
Spam

Gmail Spam Filter Changes Bite Linus Torvalds 136 136

An anonymous reader points out The Register's story that recent changes to the spam filters that Google uses to pare down junk in gmail evidently are a bit overzealous. Linus Torvalds, who famously likes to manage by email, and whose email flow includes a lot of mailing lists, isn't happy with it. Ironically perhaps, it was only last week that the Gmail team blogged that its spam filter's rate of false positives is down to less than 0.05 per cent. In his post, Torvalds said his own experience belies that claim, and that around 30 per cent of the mail in his spam box turned out not to be spam. "It's actually at the point where I'm noticing missing messages in the email conversations I see, because Gmail has been marking emails in the middle of the conversation as spam. Things that people replied to and that contained patches and problem descriptions," Torvalds wrote.
Graphics

LibreOffice Ported To Run On Wayland 216 216

An anonymous reader writes: LibreOffice has lost its X11 dependency on Linux and can now run smoothly under Wayland. LibreOffice has been ported to Wayland by adding GTK3 tool-kit support to the office suite over the past few months. LibreOffice on Wayland is now in good enough shape that the tracker bug has been closed and it should work as well as X11 except for a few remaining bugs. LibreOffice 5.0 will be released next month with this support and other changes outlined by the 5.0 release notes.
IT

Techies Hire Witch To Protect Computers From Viruses and Offices From Spirits 231 231

schwit1 writes: It may seem like your computer or smartphone is possessed by an evil spirit sometimes when a mysterious bug keeps causing an app to crash, but if you truly think your machine has been invaded by an evil spirit, there's someone who will take your call — Reverend Joey Talley. A Wiccan witch from the San Francisco Bay Area, Talley claims to solve supernatural issues for techies. Business Insider reports: "Talley’s website says she welcomes issues too unusual or dangerous to take the the straight world of Western helpers. But she also says no problem is too big or small, even, perhaps, your printer malfunctioning. However before you jump on the phone, you should be aware that Talley’s services do not come cheap. She charges $200 an hour (though a phone consultation is free)."
Bug

New Unicode Bug Discovered For Common Japanese Character "No" 196 196

AmiMoJo writes: Some users have noticed that the Japanese character "no", which is extremely common in the Japanese language (forming parts of many words, or meaning something similar to the English word "of" on its own). The Unicode standard has apparently marked the character as sometimes being used in mathematical formulae, causing it to be rendering in a different font to the surrounding text in certain applications. Similar but more widespread issues have plagued Unicode for decades due to the decision to unify dissimilar characters in Chinese, Japanese and Korean.
Bug

Toyota Recalls 625,000 Hybrid Vehicles Over Software Glitch 56 56

hypnosec writes: Yesterday we discussed news that over 65,000 Range Rovers were being recalled over a software issue. Not to be outdone, Japanese car manufacturer Toyota on Wednesday recalled 625,000 hybrid vehicles globally to fix a different software defect. The automaker said the defect in question might lead to shut down of the hybrid system while the car is being driven. The recall was due to software settings that could result in "higher thermal stress" in parts of a power converter, potentially causing it to become damaged. Toyota dealers will update the software for both the motor/generator control ECU and hybrid control ECU in the involved vehicles.
Internet Explorer

Critical Internet Explorer 11 Vulnerability Identified After Hacking Team Breach 58 58

An anonymous reader writes: After analyzing the leaked data from last week's attack on Hacking Team, Vectra researchers discovered a previously unknown high severity vulnerability in Internet Explorer 11, which impacts the browser on both Windows 7 and Windows 8.1. The vulnerability is an exploitable use-after-free (UAF) vulnerability that occurs within a custom heap in JSCRIPT9. Since it exists within a custom heap, it can allow an attacker to bypass protections found in standard memory. Microsoft has published a patch for this vulnerability, and also patched another one pulled from the Hacking Team files by different security researchers.
Bug

65,000+ Land Rovers Recalled Due To Software Bug 97 97

An anonymous reader writes with word that owners of Range Rover and Range Rover Sport SUVs (model year 2013 and newer) will need to get their cars' software updated, which means a visit to a dealer. The update will fix a bug in the cars' locking system, which occasionally resulted in car doors randomly unlocking and opening themselves (in one instance, when the car was moving). This is not the first time that a car manufacturer asked customers to contact dealers for a security update. In July, Ford has recalled over 430,000 cars in North America because of a bug that prevented the engine from shutting down even after the ignition key was put into the "off" position and removed.
Security

First Java 0-Day In 2 Years Exploited By Pawn Storm Hackers 122 122

An anonymous reader writes with Help Net Security's report that a new zero-day vulnerability in Java is being exploited, quoting from which: The flaw was spotted by Trend Micro researchers, who are closely monitoring a targeted attack campaign mounted by the economic and political cyber-espionage operation Pawn Storm. The existence of the flaw was discovered by finding suspicious URLs that hosted the exploit. The exploit allows attackers to execute arbitrary code on target systems with default Java settings. Until a patch is made, disabling Java is the recommended course of action.
Software

Ask Slashdot: How Should Devs Deal With Trademark Trolls? 99 99

An anonymous reader writes: I'll start off by admitting that trademark infringement wasn't something that was on my mind when I released my first application. Like many other developers I was concentrating on functionality, errors, and getting the thing published. I did a cursory Google search and search of the app stores to make sure no other apps were using the same name, but that's about the extent of my efforts to avoid trademark infringement. After all, I'm spending hundreds of hours of my own time to make an app that I'm giving away with the hopes to make some ad money or sell paid versions down the road. Hiring a lawyer for advice and help didn't seem like a reasonable expenditure since I'm pretty sure my income per hour of coding was under $1 for the first year or two. Besides, it's something I do on the side because I enjoy coding, not for my main source of income.

My first app was published in early 2010. I followed up with a paid version, then a couple other small apps that perform functions I wanted on my phone. I continue to maintain my apps and offer bug fixes, user support, and the occasional feature request. My income isn't tremendous, but it's steady. Nothing to brag about, but also not something I'd willingly give up.

Earlier this year I got a notice from Google that someone had submitted a takedown request for one of my applications based on a trademark infringement claim."
(Read on below for the rest of the story, and the question.)
Bug

Linux Foundation's Census Project Ranks Open Source Software At Risk 47 47

jones_supa writes: The Core Infrastructure Initiative, a Linux Foundation effort assembled in the wake of the Heartbleed fiasco to provide development support for key Internet protocols, has opened the doors on its Census Project — an effort to figure out what software projects need support now, instead of waiting for them to break. Census assembles metrics about open source projects found in Debian's package list and on openhub.net, and then scores them based on the amount of risk each presents. Risk scores are an aggregate of multiple factors: how many people are known to have contributed to the project in the last 12 months, how many CVEs have been filed for it, how widely used it is, and how much exposure it has to the network. According to the current iteration of the survey, the programs most in need of attention are not previously cited infrastructure projects, but common core Linux system utilities that have network access and little development activity around them.