What's the story with these ads on Slashdot? Check out our new blog post to find out. ×
Security

Abusing Symbolic Links Like It's 1999 53

An anonymous reader writes with this snippet from James Forshaw's recent post at Google's Project Zero, which begins For the past couple of years I've been researching Windows elevation of privilege attacks. This might be escaping sandboxing or gaining system privileges. One of the techniques I've used multiple times is abusing the symbolic link facilities of the Windows operating system to redirect privileged code to create files or registry keys to escape the restrictive execution context. Symbolic links in themselves are not vulnerabilities, instead they're useful primitives for exploiting different classes of vulnerabilities such as resource planting or time-of-check time-of-use. Click through that link to see examples of this abuse in action, but also information about how the underlying risks have been (or can be) mitigated.
Android

Many Android Users Susceptible To Plug-In Exploit -- And Many Of Them Have It 61

Ars Technica reports that a recently reported remote access vulnerability in Android is no longer just theoretical, but is being actively exploited. After more than 100,000 downloads of a scanning app from Check Point to evaluate users' risk from the attack, says Ars, In a blog post published today, Check Point researchers share a summary of that data—a majority (about 58 percent) of the Android devices scanned were vulnerable to the bug, with 15.84 percent actually having a vulnerable version of the remote access plug-in installed. The brand with the highest percentage of devices already carrying the vulnerable plug-in was LG—over 72 percent of LG devices scanned in the anonymized pool had a vulnerable version of the plug-in.
Bug

Backwards S-Pen Can Permanently Damage Note 5 157

tlhIngan writes: Samsung recently released a new version of its popular Galaxy Note series phablet, the Note 5. However, it turns out that there is a huge design flaw in the design of its pen holder (which Samsung calls the S-pen). If you insert it backwards (pointy end out instead of in), it's possible for it get stuck damaging the S-pen detection features. While it may be possible to fix it (Ars Technica was able to, Android Police was not), there's also a chance that your pen is also stuck the wrong way in permanently as the mechanism that holds the pen in grabs the wrong end and doesn't let go.
Security

Why Car Info Tech Is So Thoroughly At Risk 192

Cory Doctorow reflects in a post at Boing Boing on the many ways in which modern cars' security infrastructure is a white-hot mess. And as to the reasons why, this seems to be the heart of the matter, and it applies to much more than cars: [M]anufacturers often view bugs that aren't publicly understood as unimportant, because it costs something to patch those bugs, and nothing to ignore them, even if those bugs are exploited by bad guys, because the bad guys are going to do everything they can to keep the exploit secret so they can milk it for as long as possible, meaning that even if your car is crashed (or bank account is drained) by someone exploiting a bug that the manufacturer has been informed about, you may never know about it. There is a sociopathic economic rationality to silencing researchers who come forward with bugs.
Iphone

Apple Launches Free iPhone 6 Plus Camera Replacement Program 68

Mark Wilson writes: Complaints about the camera of the iPhone 6 Plus have been plentiful, and Apple has finally acknowledged that there is a problem. It's not something that affects all iPhone 6 Plus owners, but the company says that phones manufactured between September 2014 and January 2015 could include a failed camera component. Apple has set up a replacement program which enables those with problems with the rear camera to obtain a replacement. Before you get too excited, it is just replacement camera components that are on offer, not replacement iPhones. You'll need to check to see if your phone is eligible at the program website. (Also at TechCrunch.)
Bug

Air Traffic Snafu: FAA System Runs Out of Memory 234

minstrelmike writes: Over the weekend, hundreds of flights were delayed or canceled in the Washington, D.C. area after air traffic systems malfunctioned. Now, the FAA says the problem was related to a recent software upgrade at a local radar facility. The software had been upgraded to display customized windows of reference data that were supposed to disappear once deleted. Unfortunately, the systems ended up running out of memory. The FAA's report is vague about whether it was operator error or software error: "... as controllers adjusted their unique settings, those changes remained in memory until the storage limit was filled." Wonder what programming language they used?
Internet Explorer

Microsoft Patches Remote Code Execution Hole for Internet Explorer 56

mask.of.sanity writes: Microsoft has released an out-of-band patch for Internet Explorer versions seven to 11 that closes a dangerous remote code execution flaw allowing attackers to commandeer machines. From their advisory: "An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Systems where Internet Explorer is used frequently, such as workstations or terminal servers, are at the most risk from this vulnerability." The attack could assist in watering hole and malvertising campaigns. The Windows 10 Edge browser is not impacted.
Bug

Multiple Vulnerabilities Exposed In Pocket 88

vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
Toys

The Tech Problems Inside Nintendo's Amiibo Toys 70

An anonymous reader writes: Nintendo's line of amiibo figurines are coveted by fans and collectors, even scalpers and robbers, with some harder to come by models fetching high sums on auction sites. But as a new article points out, every model suffers from similar technical drawbacks when it comes to interacting with the Japanese games giant's Wii U and 3DS consoles: there is currently only one game for instance that uses the write function of each figure's NFC chip, rather than simply reading it. But if there were more, Nintendo would be faced with another problem: where to store the data for each, since amiibo can currently only store one title's data at a time. The company may be looking to solve some of these issues with its upcoming NX system, but will it be too little too late?
Bug

SteamOS Has Dropped Support For Suspend 378

jones_supa writes: As pointed out by a Redditor, it seems that suspending the machine is not officially supported by SteamOS anymore. A SteamOS user opened a bug report due to his controllers being unresponsive after a suspend cycle. To this, a Valve engineer bluntly reported that "suspend is no longer supported". He further explained the issue by saying that given the state of hardware and software support throughout the graphics stack on Linux, the team didn't think that they could make the feature work reliably.
Firefox

How to Quash Firefox's Silent Requests 294

An anonymous reader writes: Unlike older versions of Firefox, more recent versions will make a request to a destination server just by hovering over a link. No CSS, no JavaScript, no prefetch required. Try it for yourself. Disable CSS and JavaScript and fire up iftop or Windows Resource Monitor, hover over some links and watch the fun begin. There once was a time when you hovered over a link to check the 'real link' before you clicked on it. Well no more. Just looking at it makes a 'silent request.' This behavior is the result of the Mozilla speculative connect API . Here is a bug referencing the API when hovering over a thumbnail on the new tab page. And another bug requesting there be an option to turn it off. Strangely enough the latter bug is still labeled WONTFIX even though the solution is in the comments (setting network.http.speculative-parallel-limit to 0).

Firefox's own How to stop Firefox from making automatic connections also mentions setting network.http.speculative-parallel-limit to 0 to to stop predictive connections when a user "hovers their mouse over thumbnails on the New Tab Page or the user starts to search in the Search Bar" but no mention regarding hovering over a normal link. Good thing setting network.http.speculative-parallel-limit to 0 does appear to disable speculative connect on normal links too. One can expect Firefox to make requests in the background to its own servers for things such as checking for updates to plugins etc. But silently making requests to random links on a page (and connecting to those servers) simply by hovering over them is something very different.
Android

Stagefright Patch Incomplete and Zero Day in Android Google Admin App Found 42

msm1267 writes: A patch distributed by Google for the infamous Stagefright vulnerability found in 950 million Android devices is incomplete and users remain exposed to simple attacks targeting the flaw. Researchers at Exodus Intelligence discovered the issue in one of the patches submitted by Zimperium zLabs researcher Joshua Drake. Google responded today by releasing a new patch to open source and promising to distribute it next month in a scheduled OTA update for Nexus devices and to its partners. Drake's original patch failed to account for an integer discrepancy between 32- and 64-bit, Exodus Intelligence said. By inputting a specific 64-bit value, researchers were able to bypass the patch. Exodus, which submitted a bug fix of its own to Google, said it decided to go public with its findings for several reasons, including the fact that the vulnerability was widely publicized by Zimperium before and during Black Hat, not to mention that Google has had the original bug report since April, yet neither party noticed the discrepancy in the patch. The Android security team at Google is having a busy month. Trailrunner7 writes: Researchers at MWR Labs have released information on an unpatched vulnerability that allows an attacker to bypass the Android sandbox.
Security

'Banned' Article About Faulty Immobilizer Chip Published After Two Years 87

An anonymous reader writes: In 2012, three computer security researchers Roel Verdult, Flavio D. Garcia and Baris Ege discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was 'banned' in 2013 is being published after all.
Windows

Broken Windows 10 Update Causes Reboot Loops For Some Users 203

An anonymous reader writes: The Guardian reports that some early adopters of Windows 10 are finding their computers stuck in a reboot loop after installing a particular update. KB3081424 is a cumulative update, packaging together a group of smaller ones for ease of installation. For some users, the update continually fails to finish installing before issuing a reboot command to the PC. "It downloads, reboot to install. Gets to 30% and reboots. Gets to 59% and reboots. Gets to 59% again and then states something went wrong so uninstalling the update. Wait a few minutes and reboot. Back to login screen," said Microsoft forum user BrettDM. "This happens without fail, every single time."
Encryption

OpenSSH 7.0 Released 75

An anonymous reader writes: Today the OpenSSH project maintainers announced the release of version 7.0. This release is focusing on deprecating weak and unsafe cryptographic methods, though some of the work won't be complete until 7.1. This release removes support for the following: the legacy SSH v1 protocol, the 1024-bit diffie-hellman-group1-sha1 key exchange, ssh-dss, ssh-dss-cert-* host and user keys, and legacy v00 cert format. There were also several bug fixes, security tweaks, and new features. In the next release, they plan to retire more legacy cryptography. This includes refusing RSA keys smaller than 1024 bits, disabling MD5-based HMAC algorithms, and disabling these ciphers: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
Oracle

Oracle Exec: Stop Sending Vulnerability Reports 229

florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.
Security

Severe Deserialization Vulnerabilities Found In Android, 3rd Party Android SDKs 105

An anonymous reader writes: Closely behind the discoveries of the Stagefright flaw, the hole in Android's mediaserver service that can put devices into a coma, and the Certifi-gate bug, comes that of an Android serialization vulnerability that affects Android versions 4.3 to 5.1 (i.e. over 55 percent of all Android phones). The bug (CVE-2015-3825), discovered by IBM's X-Force Application Security Research Team in the OpenSSLX509Certificate class in the Android platform, can be used to turn malicious apps with no privileges into "super" apps that will allow cyber attackers to thoroughly "own" the victim's device. In-depth technical details about the vulnerabilities are available in this paper the researchers are set to present at USENIX WOOT '15.
Windows

Windows 10 RSAT, Windows Server 2016 Technical Preview 3 Coming This Month 26

We've heard a lot lately about the release and reception of Windows 10; however, the Windows family includes more than just the most-seen desktop OS. Mark Wilson writes: Microsoft's Gabe Aul has revealed that the company plans to release a new technical preview of Windows Server 2016 later this month. Responding to questions on Twitter, the company's Corporate Vice President and face of the Windows Insider program also said that Windows 10 RSAT [Remote Server Administration Tools] will be launched in August. Unlike the preview builds of Windows 10, previews of the latest edition of Windows Server have been slower to creep out of Redmond. Sysadmins will be keen to get their hands on the latest builds to see just what direction Microsoft is taking with its server software after the decision to delay the launch. We don't know anything about what the third technical preview of Windows Server 2016 might include, but it is likely to be little more than a collection of bug fixes and tweaks. It's a little late in the game to expect any major changes to be made.
Encryption

Linux Servers' Entropy Pool Too Shallow, Compromising Security 111

The BBC reports that Black Hat presenters Bruce Potter and Sasha Woods described at this year's Black Hat Briefings a security flaw in Linux servers: too few events are feeding the entropy pool from which random numbers are drawn, which leaves the systems "more susceptible to well-known attacks." Unfortunately, [Potter] said, the entropy of the data streams on Linux servers was often very low because the machines were not generating enough raw information for them. Also, he said, server security software did little to check whether a data stream had high or low entropy. These pools often ran dry leaving encryption systems struggling to get good seeds for their random number generators, said Mr Potter. This might meant they were easier to guess and more susceptible to a brute force attack because seeds for new numbers were generated far less regularly than was recommended. Update: 08/10 01:05 GMT by T : Please note that Sasha Woods' name was mis-reported as Sasha Moore; that's now been changed in the text above.
Mozilla

Mozilla Issues Fix For Firefox Zero-Day Bug 115

An anonymous reader writes: Thursday night Mozilla released a Firefox security patch after finding a serious vulnerability that allows malicious attackers to upload files from a user's computer. The update was released about 24 hours after Mozilla learned of the flaw. In a blog post, Mozilla said, "a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1."