Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. BleepingComputer reports: The flaw impacts multiple Wireless AC Nighthawk, Wireless AX Nighthawk (WiFi 6), and Wireless AC router models. Although Netgear did not disclose any information about the component affected by this bug or its impact, it did say that it is a pre-authentication buffer overflow vulnerability. The impact of a successful buffer overflow exploitation can range from crashes following denial of service to arbitrary code execution, if code execution is achieved during the attack. Attackers can exploit this flaw in low-complexity attacks without requiring permissions or user interaction. In a security advisory published on Wednesday, Netgear said it "strongly recommends that you download the latest firmware as soon as possible." A list of vulnerable routers and the patched firmware versions can be found here.

It's still possible to learn a lot of interesting things about old operating systems. Sometimes those things were documented, or at least hinted at, in blog posts that miraculously still exist. One such quirk showed up recently when someone noticed how Microsoft made sure that SimCity and other popular apps worked on Windows 95. From a report: A recent tweet by @Kalyoshika highlights an excerpt from a blog post by Fog Creek Software co-founder, Stack Overflow co-creator, and longtime software blogger Joel Spolsky. The larger post is about chicken-and-egg OS/software appeal and demand. The part that caught the eye of a Hardcore Gaming 101 podcast co-host is how the Windows 3.1 version of SimCity worked on the Windows 95 system. Windows 95 merged MS-DOS and Windows apps, upgraded APIs from 16 to 32-bit, and was hyper-marketed. A popular app like SimCity, which sold more than 5 million copies, needed to work without a hitch. Spolsky's post summarizes how SimCity became Windows 95-ready, as he heard it, without input from Maxis or user workarounds.

Jon Ross, who wrote the original version of SimCity for Windows 3.x, told me that he accidentally left a bug in SimCity where he read memory that he had just freed. Yep. It worked fine on Windows 3.x, because the memory never went anywhere. Here's the amazing part: On beta versions of Windows 95, SimCity wasn't working in testing. Microsoft tracked down the bug and added specific code to Windows 95 that looks for SimCity. If it finds SimCity running, it runs the memory allocator in a special mode that doesn't free memory right away. That's the kind of obsession with backward compatibility that made people willing to upgrade to Windows 95.

Spolsky (in 2000) considers this a credit to Microsoft and an example of how to break the chicken-and-egg problem: "provide a backwards compatibility mode which either delivers a truckload of chickens, or a truckload of eggs, depending on how you look at it, and sit back and rake in the bucks."

Mozilla recently fixed a bug that was first reported 18 years ago in Firebox 1.0, reports How-to Geek: Bug 290125 was first reported on April 12, 2005, only a few days before the release of Firefox 1.0.3, and outlined an issue with how Firefox rendered text with the ::first-letter CSS pseudo-element. The author said, "when floating left a :first-letter (to produce a dropcap), Gecko ignores any declared line-height and inherits the line-height of the parent box. [...] Both Opera 7.5+ and Safari 1.0+ correctly handle this."

The initial problem was that the Mac version of Firefox handled line heights differently than Firefox on other platforms, which was fixed in time for Firefox 3.0 in 2007. The issue was then re-opened in 2014, when it was decided in a CSS Working Group meeting that Firefox's special handling of line heights didn't meet CSS specifications and was causing compatibility problems. It led to some sites with a large first letter in blocks of text, like The Verge and The Guardian, render incorrectly in Firefox compared to other browsers.

The issue was still marked as low priority, so progress continued slowly, until it was finally marked as fixed on December 20, 2022. Firefox 110 should include the updated code, which is expected to roll out to everyone in February 2023.

The Zero Day Initiative, a zero-day security research firm, announced a new Linux kernel security bug that allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions. ZDNet reports: Originally, the Zero Day Initiative ZDI rated it a perfect 10 on the 0 to 10 common Vulnerability Scoring System scale. Now, the hole's "only" a 9.6....

The problem lies in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the kernel context. This new program, which was introduced to the kernel in 2021, was developed by Samsung. Its point was to deliver speedy SMB3 file-serving performance....

Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15.

Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability." Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue....

One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti.
There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether."

Thanks to Slashdot reader joshuark for sharing the article.

Keylogger-like behavior has some Corsair K100 keyboard customers concerned. Several users have reported their peripheral randomly entering text into their computer that they previously typed days or weeks ago. However, Corsair told Ars Technica that the behavior is a bug, not keylogging, and it's possibly related to the keyboard's macro recording feature. From a report: A reader tipped us off to an ongoing thread on Corsair's support forum that a user started in August. The user claimed that their K100 started typing on its own while they use it with a MacBook Pro, gaming computer, and KVM switch. "Every couple of days, the keyboard has started randomly typing on its own while I am working on the MacBook. It usually seems to type messages that I previously typed on the gaming PC and it won't stop until I unplug the keyboard and plug it back in," the user, "brendenguy," wrote.

Ten users seemingly responded to the thread (we can't verify the validity of each claim or account, but Corsair confirmed this is a known issue), reporting similar experiences. [...] Corsair confirmed to Ars that it's received "several" reports of the K100 acting like this but affirmed that "there's no hardware function on the keyboard that operates as a key logger." The company didn't immediately respond to follow-up questions about how many keyboards were affected. "Corsair keyboards unequivocally do not log user input in any way and do not have the ability to log individual keystrokes," Corsair's rep told Ars Technica.

The U.S. National Security Agency is warning that Chinese government-backed hackers are exploiting a zero-day vulnerability in two widely used Citrix networking products to gain access to targeted networks. From a report: The flaw, tracked as CVE-2022-27518, affects Citrix ADC, an application delivery controller, and Citrix Gateway, a remote access tool, and are both popular in enterprise networks. The critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices -- no passwords needed. Citrix also says the flaw is being actively exploited by threat actors. "We are aware of a small number of targeted attacks in the wild using this vulnerability," Peter Lefkowitz, chief security and trust officer at Citrix, said in a blog post. "Limited exploits of this vulnerability have been reported." Citrix hasn't specified which industries the targeted organizations are in or how many have been compromised.

An anonymous reader quotes a report from TechCrunch: Apple has confirmed that an iPhone software update it released two weeks ago fixed a zero-day security vulnerability that it now says was actively exploited. The update, iOS 16.1.2, landed on November 30 and rolled out to all supported iPhones -- including iPhone 8 and later -- with unspecified "important security updates."

In a disclosure to its security updates page on Tuesday, Apple said the update fixed a flaw in WebKit, the browser engine that powers Safari and other apps, which if exploited could allow malicious code to run on the person's device. The bug is called a zero-day because the vendor is given zero days notice to fix the vulnerability. Apple said security researchers at Google's Threat Analysis Group, which investigates nation state-backed spyware, hacking and cyberattacks, discovered and reported the WebKit bug.

Apple said in its Tuesday disclosure that it is aware that the vulnerability was exploited "against versions of iOS released before iOS 15.1," which was released in October 2021. As such, and for those who have not yet updated to iOS 16, Apple also released iOS and iPadOS 15.7.2 to fix the WebKit vulnerability for users running iPhones 6s and later and some iPad models. The bug is tracked as CVE-2022-42856, or WebKit 247562. It's not clear for what reason Apple withheld details of the bug for two weeks.

An anonymous reader quotes a report from 9to5Google: Google was originally set to phase out Chrome support for old Manifest v2 extensions in 2023, but that's now being postponed. In 2021, Google announced its deprecation plans and last provided an update this September. On Friday, the company said that the "Manifest V2 deprecation timelines are under review and the experiments scheduled for early 2023 are being postponed."

The original plan called for Chrome Beta, Dev, and Canary builds to start experiments that turned off Manifest V2 extension support. Additionally, Manifest V3 would be required to get the "Featured" badge in the Chrome Web Store. After "monitoring comments from the developer community," Google identified "common challenges posed by the migration": "...specifically the service worker's inability to use DOM capabilities and the current hard limit on extension service worker lifetimes. We're mitigating the former with the Offscreen Documents API (added in Chrome 109) and are actively pursuing a solution to the latter."

Google says it's "committed to providing developers solutions to migration challenges with new functionality, bug fixes, and adequate time for adoption." With the first step delayed, Google is also "evaluating all downstream milestones as well." This includes the original June 2023 plan to start testing the deprecation in Chrome Stable. The final step in January 2024 would have been to remove all MV2 Chrome extensions from the Web Store. Google will provide an "updated phase-out plan and schedule by March of 2023." Compared to the previous iteration, Manifest V3 is prioritizing privacy, though some complain that it's at the expense of ad blockers.

"Linux kernel 6.2 should contain fixes for some problems handling floppy disks," reports the Register, "a move which shows that someone somewhere is still using them." This isn't the only such fix in recent years. As a series of articles on Phoronix details, there has been a slow but steady flow of fixes for the kernel's handling of floppy drives since at least kernel 5.17, as The Register mentioned when it came out....

Back in July 2016, SUSE kernel developer Jiri Kosina submitted a patch. The problem arose because this change broke something else and later got reverted, and so the problem hung around. In July last year, he sent in a new patch that fixed it again for the 5.12 kernel, and was later back-ported to 5.10, an LTS version, and again into kernel 5.15 — another an LTS version, and the one you're running today if you're on the current Ubuntu LTS release, or something built from it such as Linux Mint 21....

Now, in December 2022, a new patch for the forthcoming kernel 6.2 fixes a memory leak that dates back to 5.11 or before.

A security flaw on the Florida Department of Revenue website exposed at least hundreds of taxpayers' Social Security numbers and bank account numbers, a security researcher found. From a report: Kamran Mohsin said the security flaw -- now fixed -- allowed him, or anyone else who was logged in to the state's business tax registration website, to access, modify and delete the personal data of business owners whose information is on file with the state's tax authority by modifying the part of the web address that contains the taxpayers' application number. Mohsin said that application numbers are sequential, allowing anyone to enumerate taxpayers' information by incrementing the application number by a single digit. Mohsin said there were more than 713,000 applications in the system, which the department did not dispute when reached for comment.

"China's control of the internet has become so strong that dissidents must cling to any crack in the so-called Great Firewall," writes Qz.

But as anti-government protests sprung up on campuses and cities in China over the weekend, Qz reminds us that "the country's most widespread show of public dissent in decades will have to manage without a crucial communication tool, because Apple restricted its use in China earlier this month." AirDrop, the file-sharing feature on iPhones and other Apple devices, has helped protestors in many authoritarian countries evade censorship. That's because AirDrop relies on direct connections between phones, forming a local network of devices that don't need the internet to communicate. People can opt into receiving AirDrops from anyone else with an iPhone nearby.

That changed on Nov. 9, when Apple released a new version of its mobile operating system, iOS 16.1.1, to customers worldwide. Rather than listing new features, as it often does, the company simply said, "This update includes bug fixes and security updates and is recommended for all users." Hidden in the update was a change that only applies to iPhones sold in mainland China: AirDrop can only be set to receive messages from everyone for 10 minutes, before switching off. There's no longer a way to keep the "everyone" setting on permanently on Chinese iPhones.

The change, first noticed by Chinese readers of 9to5Mac, doesn't apply anywhere else.

Apple didn't respond to questions about the AirDrop change. It plans to make the "Everyone for 10 Minutes" feature a global standard next year, according to Bloomberg.

An anonymous reader quotes a report from TechCrunch: Microsoft has warned that malicious hackers are exploiting a discontinued web server found in common Internet of Things (IoT) devices to target organizations in the energy sector. In an analysis published on Tuesday, Microsoft researchers said they had discovered a vulnerable open-source component in the Boa web server, which is still widely used in a range of routers and security cameras, as well as popular software development kits (SDKs), despite the software's retirement in 2005. The technology giant identified the component while investigating a suspected Indian electric grid intrusion first detailed by Recorded Future in April, where Chinese state-sponsored attackers used IoT devices to gain a foothold on operational technology (OT) networks, used to monitor and control physical industrial systems.

Microsoft said it has identified one million internet-exposed Boa server components globally over the span of a one-week period, warning that the vulnerable component poses a "supply chain risk that may affect millions of organizations and devices." The company added that it continues to see attackers attempting to exploit Boa flaws, which include a high-severity information disclosure bug (CVE-2021-33558) and another arbitrary file access flaw (CVE-2017-9833). "The known [vulnerabilities] impacting such components can allow an attacker to collect information about network assets before initiating attacks, and to gain access to a network undetected by obtaining valid credentials," Microsoft said, adding that this can allow the attackers to have a "much greater impact" once the attack is initiated. "The company has warned that mitigating these Boa flaws is difficult due to both the continued popularity of the now-defunct web server and the complex nature of how it is built into the IoT device supply chain," reports TechCrunch. "Microsoft recommends that organizations and network operators patch vulnerable devices where possible, identify devices with vulnerable components, and to configure detection rules to identify malicious activity."

There are ongoing issues apparently affecting the iCloud for Windows app, particularly in regards to photo and video storage. According to a number of online complaints from users, iCloud for Windows is corrupting certain videos. There are also reports of a more worrying problem: photos from strangers popping up in people's iCloud Photo library. 9to5Mac reports: MacRumors rounded up some of these complaints via complaints posted to their forums. According to an affected user, videos taken with the iPhone 13 Pro and iPhone 14 Pro models aren't being properly synced with iCloud for Windows. When certain videos are recorded and the synced with iCloud for Windows, they then turn "black with scan lines, rendering the videos unwatchable."

While that problem is bad enough, some other users say they are seeing photos and even videos they do not recognize in their photo libraries. The speculation here is that these photos or videos could be from other people's iCloud libraries, though nothing has been confirmed yet. [...] These problems appear to be affecting the dedicated iCloud for Windows app itself, not the recently-launched iCloud Photos integration in Windows 11. The culprit seems to be the handoff of certain file types between the iPhone and iCloud rendering on Windows. The problem certainly appears to be a server-side issue on Apple's side, rather than something on Microsoft's side.

Microsoft has fixed yet another problem in some versions of Windows 10, a bug that makes the taskbar and desktop temporarily vanish or causes the system to ignore you. From a report: According to Redmond, users "might experience an error in which the desktop or taskbar might momentarily disappear, or your device might become unresponsive." The issue affects PCs running Windows 10 versions 22H2, 21H2, 21H1, and 20H2, the company wrote on its Windows Health Dashboard. Microsoft didn't outline the exact cause but notes it was related to the KB5016688 220820_03051 cumulative update and later.

The software giant is using its Known Issue Rollback (KIR) feature -- which enables IT administrators to roll back the unwanted changes of an update -- to resolve the problem, adding that it could take up to 24 hours for the fix to reach non-managed business systems and consumer devices. Restarting the device may accelerate the timeframe. Organizations that use enterprise-managed devices can install and configure a special Group Policy by going to "Computer Configuration" and then "Administrative Templates" and "Group Policy name." If the resolution doesn't work, users can try restarting the Windows device, according to Microsoft. The latest fix comes after a number of other problems were resolved this week.

Google has paid out $70,000 to a security researcher for privately reporting an "accidental" security bug that allowed anyone to unlock Google Pixel phones without knowing its passcode. From a report: The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device's data without having to enter the lock screen's passcode. Hungary-based researcher David Schutz said the bug was remarkably simple to exploit but took Google about five months to fix.

Schutz discovered anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android's operating system's lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schutz described how he found the bug accidentally, and reported it to Google's Android team.

"Apple is working on a big change to how its Siri voice assistant works," reports the blog 9 to 5 Mac: While you currently have to say "Hey Siri" to activate the assistant hands-free, that may not be the case for much longer. Bloomberg reports today that Apple engineers are working to drop the "Hey" part of the phrase, so you'd only have to say "Siri" followed by a command to activate the assistant...

In the latest edition of his Power On newsletter, Bloomberg's Mark Gurman says that this is "a technical challenge that requires a significant amount of AI training and underlying engineering work." Apple has reportedly been working on this change for the last several months and hopes to roll it out either next year or in 2024 depending on the progress of development and testing....

Doing so would match what's offered by Amazon, where you simply have to say "Alexa" to trigger the assistant, not "Hey Alexa."
Although long-time Slashdot reader cstacy complains that already, "I can no longer discuss Amazon Alexa, because she hears just 'Alexa' and wakes up... That's not a feature, that's a bug! Not sure why Apple and Google would want to replicate that."

Linux magazine explores how to breath fresh life into old Android devices: Every mobile device needs its own Android build because of numerous drivers that are not available in the source code. The need to maintain every version of Android for every mobile device means that many manufacturers eventually stop supporting updates. Often, smartphones or tablets that still work perfectly can no longer be used without worry because the manufacturer has simply ceased to offer bug fixes and security updates....

The LineageOS project, the successor to the CyanogenMod project, which was discontinued in 2016, proves that it is not impossible to keep these devices up-to-date. Unpaid volunteers at LineageOS do the work that many manufacturers do not want to do: They combine current Android releases with the required device-specific drivers.

The LineageOS project (Figure 1) provides Android systems with a fresh patch status every month for around 300 devices. The builds are released weekly, unless there is a problem during the build. The Devices page on the LineageOS Wiki provides the details of whether a LineageOS build is available for your smartphone or tablet....

I recommend the LineageOS project as the first port of call for anyone who wants to protect an older smartphone or tablet that is no longer maintained and doesn't receive Google security patches. The LineageOS derivatives LineageOS for MicroG and /e/OS make it even easier to enjoy a Google-free smartphone without too many restrictions.
The article also describes how to use TWRP to flash a manufacturer-independent recovery system (while also creating a restoreable backup of the existing system) as an alternative to LineageOS's own recovery tools.

And it even explains how to unlock the bootloader — although there may be other locks set up separately by the manufacturer. "Some manufacturers require you to register the device to unlock it, and then — after telling you that the warranty is now void — they hand over a code. Others refuse to unlock the device altogether."

Thanks to Slashdot reader DevNull127 for submitting the article.

joshuark shares a report from BleepingComputer, written by Ax Sharma: Searching for 'GIMP' on Google as recently as last week would show visitors an ad for 'GIMP.org,' the official website of the well known graphics editor, GNU Image Manipulation Program. This ad would appear to be legitimate as it'd state 'GIMP.org' as the destination domain. But clicking on it drove visitors to a lookalike phishing website that provided them with a 700 MB executable disguised as GIMP which, in reality, was malware.

Reddit user ZachIngram04 earlier shared the development stating that the ad previously took users to a Dropbox URL to serve malware, but was soon "replaced with an even more malicious one" which employed a fake replica website 'gilimp.org' to serve malware. BleepingCompuer observed another domain 'gimp.monster' related to this campaign. To pass off the trojanized executable as GIMP in a believable manner to the user, the threat actor artificially inflated the malware, that is otherwise under 5 MB in size, to 700 MB by a simple technique known as binary padding. It still isn't clear if this instance was a slip up caused by a potential bug in Google Ad Manager that allowed malvertising.

An OpenSSL vulnerability once signaled as the first critical-level patch since the Internet-reshaping Heartbleed bug has just been patched. It ultimately arrived as a "high" security fix for a buffer overflow, one that affects all OpenSSL 3.x installations, but is unlikely to lead to remote code execution. From a report: OpenSSL version 3.0.7 was announced last week as a critical security fix release. The specific vulnerabilities (now CVE-2022-37786 and CVE-2022-3602) had been largely unknown until today, but analysts and businesses in the web security field hinted there could be notable problems and maintenance pain. Some Linux distributions, including Fedora, held up releases until the patch was available. Distribution giant Akamai noted before the patch that half of their monitored networks had at least one machine with a vulnerable OpenSSL 3.x instance, and among those networks, between 0.2 and 33 percent of machines were vulnerable. But the specific vulnerabilities -- limited-circumstance, client-side overflows that are mitigated by the stack layout on most modern platforms -- are now patched, and rated as "High." And with OpenSSL 1.1.1 still in its long-term support phase, OpenSSL 3.x is not nearly as widespread. Malware expert Marcus Hutchins points to an OpenSSL commit on GitHub that details the code issues: "fixed two buffer overflows in puny code decoding functions." A malicious email address, verified within an X.509 certificate, could overflow bytes on a stack, resulting in a crash or potentially remote code execution, depending on the platform and configuration.