Bug

Adobe Flash Responsible For Six of the Top 10 Bugs Used By Exploit Kits In 2016 (onthewire.io) 60

Trailrunner7 quotes a report from On the Wire: Vulnerabilities in Flash and Internet Explorer dominated the exploit kit landscape in the last year, with a high-profile bug in Flash being found in seven separate kits, new research shows. Exploit kits have long been a key tool in the arsenal of many attackers, from low-level gangs to highly organized cybercrime crews. Their attraction stems from their ease of use and the ability for attackers to add exploits for new vulnerabilities as needed. While there are dozens of exploit kits available, a handful of them attract the most use and attention, including Angler, Neutrino, Nuclear, and Rig. Researchers at Recorded Future looked at more than 140 exploit kits and analyzed which exploits appeared in the most kits in the last year, and it's no surprise that Flash and IE exploits dominated the landscape. Six of the top 10 most-frequently targeted vulnerabilities in the last year were in Flash, while the other four were in Microsoft products, including IE, Windows, and Silverlight. Flash has been a favorite target for attackers for a long time, for two main reasons: it's deployed on hundreds of millions of machines, and it has plenty of vulnerabilities. Recorded Future's analysis shows that trend is continuing, and one Flash bug disclosed October 2015 was incorporated into seven individual exploit kits. The flaw was used by a number of high-level attackers, including some APT groups. "Adobe Flash Player's CVE-2015-7645, number 10 in terms of references to exploit kits, stands out as the vulnerability with the most adoption by exploit kits. Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter," the analysis by Recorded Future says.
Bug

Nintendo Offers Up To $20,000 To Hack the 3DS (silicon.co.uk) 39

Mickeycaskill writes: Nintendo will pay up to $20,000 for system and software vulnerabilities in the Nintendo 3DS family of handheld gaming consoles. The company is looking to prevent activities such as piracy, cheating and the circulation of inappropriate content to children. The stated goal is to "provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo's platforms." Silicon.co.uk reports: "Rewards will range from $100 to $20,000, with one given per 'qualifying piece of vulnerability information.' Hackers looking to claim a reward will have to provide Nintendo with either a proof-of-concept or a piece of functional exploit code in order to qualify."
Iphone

Apple Says Air Exposure Is Causing iPhone 6s Battery Problems (arstechnica.com) 74

Last month, Apple announced a repair program for a "small number" of iPhone 6s phones that suffer from faulty batteries. The phones that were affected by this fault were manufactured between September and October 2015. Two weeks later, Apple now says the fault was caused by overexposure to "controlled ambient air." Ars Technica reports: The same press release -- issued only in China so far, but available in English if you scroll down -- says that some owners of later iPhone 6S models are also reporting problems with unexpected shutdowns. Apple isn't replacing those batteries just yet, but the company says that an iOS update "available next week" will add "additional diagnostic capability" that will allow Apple to better track down and diagnose the causes of these shutdowns. It "may potentially help [Apple] improve the algorithms used to manage battery performance and shutdown," as well. Those improvements will be included in future iOS updates. Apple says that the battery problem "is not a safety issue," an important thing to note given the way the Galaxy Note 7 blew up in Samsung's face. The software update that Apple mentions in the release is almost certainly iOS 10.2, which is currently in its sixth beta build. The update will be the first major bug-fix release since October's iOS 10.1, and it also includes a handful of other changes like new and redesigned emoji, the TV app that Apple demoed at its last product event, and other features.
Firefox

Firefox Zero-Day Can Be Used To Unmask Tor Browser Users (computerworld.com) 55

An anonymous reader quotes a report from Computerworld: A Firefox zero-day being used in the wild to target Tor users is using code that is nearly identical to what the FBI used in 2013 to unmask Tor-users. A Tor browser user notified the Tor mailing list of the newly discovered exploit, posting the exploit code to the mailing list via a Sigaint darknet email address. A short time later, Roger Dingledine, co-founder of the Tor Project Team, confirmed that the Firefox team had been notified, had "found the bug" and were "working on a patch." On Monday, Mozilla released a security update to close off a different critical vulnerability in Firefox. Dan Guido, CEO of TrailofBits, noted on Twitter, that "it's a garden variety use-after-free, not a heap overflow" and it's "not an advanced exploit." He added that the vulnerability is also present on the Mac OS, "but the exploit does not include support for targeting any operating system but Windows." Security researcher Joshua Yabut told Ars Technica that the exploit code is "100% effective for remote code execution on Windows systems." "The shellcode used is almost exactly the shellcode of the 2013 one," tweeted a security researcher going by TheWack0lian. He added, "When I first noticed the old shellcode was so similar, I had to double-check the dates to make sure I wasn't looking at a 3-year-old post." He's referring to the 2013 payload used by the FBI to deanonymize Tor-users visiting a child porn site. The attack allowed the FBI to tag Tor browser users who believed they were anonymous while visiting a "hidden" child porn site on Freedom Hosting; the exploit code forced the browser to send information such as MAC address, hostname and IP address to a third-party server with a public IP address; the feds could use that data to obtain users' identities via their ISPs.
Bug

iOS 10.1.1 Is Causing Battery Issues For Many iPhone Users (itwire.com) 91

An anonymous reader writes: A recent iOS update to 10.1.1 to fix Apple's Health application has had unintended consequences for many users -- shutdown at 30% battery remaining and lack of audio using Apple Earpods. Users on an Apple forum report that the battery indicator jumps from 30% to 1% (dubbed the 30% bug) and a reboot is required where the phone then runs for a few more hours. Some have taken the iPhone back to receive a replacement only to find the same thing happens. Apple has not responded to the 11 pages of forum complaints but apparently, Genius Bar staff have identified unusual discharging of the battery -- which does not make sense if a reboot temporarily fixes the issue and returns the battery indicator to 30%. It also appears to affect all versions of iPhone that support iOS 10.x.
Bug

Malicious Video Link Can Cause Any iOS Device To Freeze (9to5mac.com) 53

A new bug in iOS has surfaced that will cause any iOS device to freeze when trying to view a certain .mp4 video in Safari. YouTube channel EverythingApplePro explains the bug in a video titled "This Video Will CRASH ANY iPhone!" 9to5Mac reports: As you'll see in the video below from EverythingApplePro, viewing a certain video in Safari will cause iOS to essentially overload and gradually become unusable. We won't link the infectious video here for obvious reasons, but you can take our word for it when we say that it really does render your device unusable. It's not apparently clear as to why this happens. The likely reason is that it's simply a corrupted video that's some sort of memory leak and when played, iOS isn't sure how to properly handle it, but there's likely more to it than that. Because of the nature of the flaw, it isn't specific to a certain iOS build. As you can see in the video below, playing the video on an iPhone running as far back as iOS 5 will cause the device to freeze and become unusable. Interestingly, with iOS 10.2 beta 3, if you let an iPhone affected by the bug sit there for long enough, it will power off and indefinitely display the spinning wheel that you normally see during the shutdown process. If someone sends you the malicious link and you fall for it, this is luckily a pretty easy problem to fix. All you have to do is hard reboot your device. For any iPhone but the iPhone 7, this can be done by long-pressing the power and Home buttons at the same time. The iPhone 7, of course, uses a new non-mechanical Home button. In order to reboot an iPhone 7, you must long-press the power button and volume down button at the same time.
Iphone

Apple Launches 'Touch Disease' Repair Program For iPhone 6 Plus (macrumors.com) 176

Apple has ignored one of the biggest problems plaguing iPhone 6 Plus devices -- until now. The company today launched a new "Touch Disease" repair program for the iPhone 6 Plus, finally addressing complaints about a hardware defect that causes the display of the devices to become unresponsive to touch, or less responsive overall. If you have an iPhone 6 Plus that is affected by this defect, you will be able to have your device fixed for a service price of $149. You will be reimbursed by Apple if you paid more than $149 to have your device fixed before the repair program was implemented. MacRumors provides some extra details: Complaints about the iPhone 6 Plus touchscreen issue started in August, after iFixit published a video highlighting the bug and dubbed it "Touch Disease." Touch Disease presents as a gray flickering bar at the top of the screen and a display that becomes unresponsive or less responsive to touch. The problem is believed to be caused by the touchscreen controller chips soldered to the logic board of the phone, making repairs difficult. Third-party repair outlets speculated that the issue could be linked to the same structural design flaw that caused the major "Bendgate" controversy, and Apple's suggestion that it is caused by repeated physical damage seems to confirm that. Customers who have an iPhone 6 Plus with Multi-Touch issues can visit an Apple Authorized Service Provider or an Apple retail store to see if they qualify for the $149 repair fee.
Music

Shazam Keeps Your Mac's Microphone Always On, Even When You Turn It Off (vice.com) 126

An anonymous reader quotes a report from Motherboard: What's that song? On your cellphone, the popular app Shazam is able to answer that question by listening for just a few seconds, as if it were magic. On Apple's computers, Shazam never turns the microphone off, even if you tell it to. When a user of Shazam's Mac app turns the app "OFF," the app actually keeps the microphone on in the background. For the security researcher who discovered that the mic is always on, it's a bug that users should know about. For Shazam, it's just a feature that makes the app work better. Patrick Wardle, a former NSA hacker who now develops free Mac security tools, discovered this issue thanks to his latest software OverSight, which is designed to alert users when apps use their webcam and microphone. After he released OverSight, Wardle received an email from a user who noticed that the security app alerted him that Shazam was still listening even after he had switched the toggle to "off." Curious about this discovery, and worried his own software might be issuing a false alarm, Wardle reverse engineered the Shazam app to figure out what was happening. After a few hours analyzing the code, Wardle found out that, in fact, Shazam never stops listening, as he explained in a blog post published on Monday. James Pearson, VP of global communications for Shazam, said in a statement to Motherboard: "There is no privacy issue since the audio is not processed unless the user actively turns the app 'ON.' If the mic wasn't left on, it would take the app longer to both initialize the mic and then start buffering audio, and this is more likely to result in a poor user experience where users 'miss out' on a song they were trying to identify."
Java

Java's Open Sourcing Still Controversial Ten Years Later (infoworld.com) 89

An anonymous reader quotes InfoWorld: Sun Microsystems officially open-sourced Java on November 13, 2006... "The source code for Java was available to all from the first day it was released in 1995," says [Java creator James] Gosling, who is now chief architect at Liquid Robotics. "What we wanted out of that was for the community to help with security analysis, bug reporting, performance enhancement, understanding corner cases, and a whole lot more. It was very successful." Java's original license, Gosling says, allowed people to use the source code internally but not redistribute. "It wasn't 'open' enough for the 'open source' crowd," he says... While Gosling has taken Oracle to task for its handling of Java at times, he sees the [2006] open-sourcing as beneficial. "It's one of the most heavily scrutinized and solid bodies of software you'll find. Community participation was vitally important..."

A former Oracle Java evangelist, however, sees the open source move as watered down. "Sun didn't open-source Java per se," says Reza Rahman, who has led a recent protest against Oracle's handling of enterprise Java. "What they did was to open-source the JDK under a modified GPL license. In particular, the Java SE and Java EE TCKs [Technology Compatibility Kits] remain closed source."

Rahman adds that "Without open-sourcing the JDK, I don't think Java would be where it is today."
Security

1 Billion Mobile Apps Exposed To Account Hijacking Through OAuth 2.0 Flaw (threatpost.com) 77

Threatpost, the security news service of Kaspersky Lab, is reporting a new exploit which allows hijacking of third-party apps that support single sign-on from Google or Facebook (and support the OAuth 2.0 protocol). msm1267 quotes their article: Three Chinese University of Hong Kong researchers presented at Black Hat EU last week a paper called "Signing into One Billion Mobile App Accounts Effortlessly with OAuth 2.0"... The researchers examined 600 top U.S. and Chinese mobile apps that use OAuth 2.0 APIs from Facebook, Google and Sina -- which operates Weibo in China -- and support single sign-on for third-party apps. The researchers found that 41.2% of the apps they tested were vulnerable to their attack... None of the apps were named in the paper, but some have been downloaded hundreds of millions of times and can be exploited for anything from free phone calls to fraudulent purchases.
"The researchers said the apps they tested had been downloaded more than 2.4 billion times in aggregate."
Programming

'Here Be Dragons': The Seven Most Vexing Problems In Programming (infoworld.com) 497

InfoWorld has identified "seven of the gnarliest corners of the programming world," which Slashdot reader snydeq describes as "worthy of large markers reading, 'Here be dragons.'" Some examples:
  • Multithreading. "It sounded like a good idea," according to the article, but it just leads to a myriad of thread-managing tools, and "When they don't work, it's pure chaos. The data doesn't make sense. The columns don't add up. Money disappears from accounts with a poof. It's all bits in memory. And good luck trying to pin down any of it..."
  • NP-complete problems. "Everyone runs with fear from these problems because they're the perfect example of one of the biggest bogeymen in Silicon Valley: algorithms that won't scale."

The other dangerous corners include closures, security, encryption, and identity management, as well as that moment "when the machine runs out of RAM." What else needs to be on a definitive list of the most dangerous "gotchas" in professional programming?


Chrome

Scammers Bite Chrome Users With Forgotten 2014 Bug (betanews.com) 35

"Tech support scammers have started exploiting a two-year-old bug in Google Chrome to trick victims into believing their PC is infected with malware," reports security researcher Sophos. It begins by freezing the browser, BrianFagioli reports, sharing an article from Beta News: These bad guys pose as Microsoft tech support and display an in-browser message that says the user's computer is infected with "Virus Trojan.worm! 055BCCAC9FEC". To make matters worse, Google has apparently known about the exploit for more than two years and simply failed to patch it. "The bug was discovered in Chrome 35 in July 2014 in the history.pushState() HTML5 function, a way of adding web pages into the session history without actually loading the page in question. The developer who reported the issue published code showing how to add so many items into Chrome's history list that the browser would effectively freeze", says Sophos...

"Users can either close Chrome using the Task Manager or, in cases where the browser is using up so much processor power that Task Manager doesn't appear, by rebooting the computer. The chances of encountering this particular scam are small -- it's only been spotted on a single website -- but its existence underlines how small bugs that don't seem terribly important may nevertheless be abused by cybercriminals down the line."

Bug

Facebook Bug Tells Users They Are Dead (fortune.com) 62

On Friday afternoon, many Facebook users logged into their accounts to see that the social media site declared them to be dead. Fortune's Jeff John Roberts reports that the bug has impacted their editor Rachel King: The lethal online epidemic is causing Facebook to display a small memorial message above users' regular homepage profile. In the case of my editor, Rachel King, Fortune tech writers who visited her page discovered a "Remembering Rachel King" message, and a wish to remember and celebrate her life. I can assure you that Rachel is very much alive (and reminding me about the Oxford comma). But if you're wondering what it looks like, here's a screenshot. I'm still alive (for now) but it appears the bug is spreading quickly to others in the media, and has reportedly even affected the pages of Facebook CEO Mark Zuckerberg. While Friday's wave of Facebook fatalities was clearly a bug or a hoax of some sort, the social network does offer a function that allows people to turn the profile pages of loved ones into a "Memorial." The company has since fixed the bug and offered an apology: "For a brief period today, a message meant for memorialized profiles was briefly posted to other accounts. This was a terrible error that we now have fixed. We are very sorry that this happened and we worked as quickly as possible to fix it."
Data Storage

Spotify Is Writing Massive Amounts of Junk Data To Storage Drives (arstechnica.com) 196

An anonymous reader quotes a report from Ars Technica: For almost five months -- possibly longer -- the Spotify music streaming app has been assaulting users' storage devices with enough data to potentially take years off their expected lifespans. Reports of tens or in some cases hundreds of gigabytes being written in an hour aren't uncommon, and occasionally the recorded amounts are measured in terabytes. The overload happens even when Spotify is idle and isn't storing any songs locally. The behavior poses an unnecessary burden on users' storage devices, particularly solid state drives, which come with a finite amount of write capacity. Continuously writing hundreds of gigabytes of needless data to a drive every day for months or years on end has the potential to cause an SSD to die years earlier than it otherwise would. And yet, Spotify apps for Windows, Mac, and Linux have engaged in this data assault since at least the middle of June, when multiple users reported the problem in the company's official support forum. Three Ars reporters who ran Spotify on Macs and PCs had no trouble reproducing the problem reported not only in the above-mentioned Spotify forum but also on Reddit, Hacker News, and elsewhere. Typically, the app wrote from 5 to 10 GB of data in less than an hour on Ars reporters' machines, even when the app was idle. Leaving Spotify running for periods longer than a day resulted in amounts as high as 700 GB. According to comments left in the Spotify forum in the past 24 hours, the bug has been fixed in version 1.0.42, which is in the process of being rolled out.
Bug

iOS WebView Bug Can Force iPhones To Make Calls While UI Freezes (bleepingcomputer.com) 22

An anonymous reader writes: "A bug in the iOS WebView component allows an attacker to force someone's iPhone to dial any number, while also locking the user's interface for a few moments, preventing him from canceling the outgoing call," reports BleepingComputer. "The bug was at the heart of the recent accidental DDoS of 911 call centers across the U.S." At the heart of the issue is a Safari bug reported in 2008, which was fixed in iOS 3.0. The same bug also exists in the WebView component used by app makers to show web pages inside other apps. The researcher that found the bug writes in a blog post: "If you think automatically dialing a phone number after clicking a link in an app is not a big issue think again. DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen. [...] Apple should change the default behavior of WebViews to exclude execution of TEL URIs and make it an explicit feature to avoid this kind of issue in the future."
Bug

Two Critical MySQL Bugs Discovered (infoworld.com) 70

An anonymous reader quotes InfoWorld: Two critical privilege escalation vulnerabilities in MySQL, MariaDB, and PerconaDB can help take control of the whole server, which is very bad for shared environments... Administrators need to check their database versions, as attackers can chain two critical vulnerabilities and completely take over the server hosting the database... The first vulnerability, a privilege escalation/race condition flaw, gives elevated privileges to a local system user with access to a database and allows them to execute arbitrary code as the database system user. This gives an attacker access to all of the databases on the affected server... The privilege escalation/race condition flaw can be chained with another critical vulnerability, a root privilege escalation vulnerability, to further elevate the system level user to gain root on the server.
Bug

App Developers Spend Too Much Time Debugging Errors in Production Systems (betanews.com) 167

According to a new study, 43 percent of app developers spend between 10 and 25 percent of their time debugging application errors discovered in production. BetaNews adds: The survey carried out by ClusterHQ found that a quarter of respondents report encountering bugs discovered in production one or more times per week. Respondents were also asked to identify the most common causes of bugs. These were, inability to fully recreate production environments in testing (33 percent), interdependence on external systems that makes integration testing difficult (27 percent) and testing against unrealistic data before moving into production (26 percent). When asked to identify the environment in which bugs are most costly to fix, 62 percent selected production as the most expensive stage of app development to fix errors, followed by development (18 percent), staging (seven percent), QA (seven percent) and testing (six percent).
Microsoft

Microsoft Says Russia-Linked Hackers Are Exploiting Newly Discovered Flaw In Windows OS (reuters.com) 111

An anonymous reader quotes a report from Reuters: Microsoft Corp said on Tuesday that a hacking group previously linked to the Russian government and U.S. political hacks is behind recent cyber attacks that exploit a newly discovered flaw in its Windows operating system. Microsoft said that a patch to defend Windows users against this sort of attack will be released on Nov. 8. The software maker said in an advisory on its website there had been a small number of attacks using "spear phishing" emails from a hacking group known as Strontium, which is more widely known as "Fancy Bear" or APT 28. A U.S. intelligence expert on Russian cyber activity said that Fancy Bear primarily works for or on behalf of the GRU, Russia's military intelligence agency, which U.S. intelligence officials have concluded were responsible for hacks of Democratic Party databases and emails. Microsoft said the attacks exploited a vulnerability in Adobe Systems Inc's Flash software and one in the Windows operating system. Adobe released a patch for that vulnerability on Monday as security researchers with Google went public with details on the attack.
Space

Bad Code May Have Crashed Schiaparelli Mars Lander (nature.com) 163

cadogan west writes "In accordance with the longstanding tradition of bad software wrecking space probes (See Mariner 1), it appears a coding bug crashed the ESA's latest attempt to land on Mars." Nature reports: Thrusters, designed to decelerate the craft for 30 seconds until it was metres off the ground, engaged for only around 3 seconds before they were commanded to switch off, because the lander's computer thought it was on the ground. The lander even switched on its suite of instruments, ready to record Mars's weather and electrical field, although they did not collect data...

The most likely culprit is a flaw in the craft's software or a problem in merging the data coming from different sensors, which may have led the craft to believe it was lower in altitude than it really was, says Andrea Accomazzo, ESA's head of solar and planetary missions. Accomazzo says that this is a hunch; he is reluctant to diagnose the fault before a full post-mortem has been carried out... But software glitches should be easier to fix than a fundamental problem with the landing hardware, which ESA scientists say seems to have passed its test with flying colours.

Google

Google's 'Project Zero' Hid A Major Vulnerability in Apple's OS and iOS Cores (thestack.com) 88

In June Google's task-force against zero day exploits "identified a coding exploit in the underlying kernel of Apple's OSX and its mobile operating system iOS, which could allow for root-level escalation of privileges for an attacker in a non-updated version of the OS," according to The Stack.

An anonymous reader writes that Google "initially refused Apple's request for sixty days' grace, but eventually settled on September 21st for disclosure. But when Apple's last-minute September fix turned out to be ineffective, Project Zero agreed to keep quiet, eventually granting Apple nearly five months of silence about the task_t bug -- which has now been fixed in the latest updates to Mac OS and iOS." The fix was released Monday, the Stack reports: Since the task_t bug allows the user to gain any entitlements they may want, it could also nullify kernel code signing, which would allow unauthorized programs to run with elevated privileges on a Mac system. Any current OSX or iOS user who has applied the latest system updates is not susceptible to the task_t vulnerability.
