An anonymous reader shares an excerpt from a ZDNet article, written by Liam Tung: [A] survey has come up with another reason why your engineers might want to quit -- their fellow developers' terrible code. Software engineers have long struggled with 'technical debt' created by past coding practices that might have been clever but also were undocumented and exotic. At a high level, technical debt is the price paid by supporting legacy systems rather than overhauling them or implementing a better, new system. The term can span everything from a major IT implementation, such as a core banking system that requires a decade of bug fixes, to the choice of programming language to build backend systems. In the latter case, subsequent language updates can require today's developers to rewrite old code written by long-gone developers who wrote under different conditions and who might not have documented what they did and why they did it. That's a big problem for companies that have millions of lines of code written in a language.

Stepsize, a firm that focuses on technical debt by tracking development issues in major code editors such as VS Code, conducted a fairly small survey of 200 software engineers to find out why they leave their jobs. The company said that 51% of engineers in its survey have considered leaving or left a job because of technical debt. Of that group who feel irked by technical debt issues, some 20% said that type of debt is the main reason they left a company. The results should be taken in context: the company's key selling point is trying to solve technical debt challenges that organizations face, but at the same time, technical debt could be one area worthy of attention considering how hard it is to hire and retain software engineers.

Technical debt, or 'code quality and codebase health', was the fourth most important issue cited by respondents. Salary still trumped it, with 82% citing it as one of the "most important factors" when interviewing for a new role. The survey allowed respondents to choose several primary factors. "Technical challenges and growth opportunities" was the second priority, with 75% choosing it as the one of the most important factors. Some 68% of respondents said remote work was the most important actor, while 62% put said 'code quality and codebase health' was one of those prime factors. Slashdot reader ellithligraw first shared the report, adding: "Yet another reason developers are quitting... to escape the technical debt, or schlock code, or code rot. COBOL anyone?"

A serious bug in the iOS 15 Messages app can cause some saved photos to be deleted, according to multiple complaints reported by MacRumors readers and Twitter users. From the report: If you save a photo from a Messages thread and then go on to delete that thread, the next time an iCloud Backup is performed, the photo will disappear. Even though the image is saved to your personal iCloud Photo Library, it appears to still be linked to the Messages app in "iOS 15," and saving it does not persist through the deletion of the thread and an "iCloud" backup. This is a concern because most users keep the "iCloud" Backup feature enabled and it's something that happens automatically. If you're someone who regularly deletes message threads, if there's a photo that you want to keep, you won't be able to keep it with "iCloud" Backup turned on.

To replicate this bug, the following steps must be taken:
1. Save a photo from a Messages conversation to your Camera Roll.
2. Check to see that the photo has been saved.
3. Delete the Messages conversation the photo came from. The photo will still be in your "iCloud Photo Library" at this point.
4. Perform an "iCloud" Backup, and the photo disappears.

An anonymous reader quotes a report from Krebs On Security: The new $30 AirTag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the AirTag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page -- or to any other malicious website. The AirTag's "Lost Mode" lets users alert Apple when an AirTag is missing. Setting it to Lost Mode generates a unique URL at https://found.apple.com/ and allows the user to enter a personal message and contact phone number. Anyone who finds the AirTag and scans it with an Apple or Android phone will immediately see that unique Apple URL with the owner's message.

When scanned, an AirTag in Lost Mode will present a short message asking the finder to call the owner at at their specified phone number. This information pops up without asking the finder to log in or provide any personal information. But your average Good Samaritan might not know this. That's important because Apple's Lost Mode doesn't currently stop users from injecting arbitrary computer code into its phone number field -- such as code that causes the Good Samaritan's device to visit a phony Apple iCloud login page. The vulnerability was discovered and reported to Apple by Bobby Rauch, a security consultant and penetration tester based in Boston. Rauch told KrebsOnSecurity the AirTag weakness makes the devices cheap and possibly very effective physical trojan horses.

The Record reports: The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes." "After the end of this year, the extension will be in 'maintenance mode' for 2022," said Alexis Hancock, Director of Engineering at the EFF. Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development.

No official end-of-life date has been decided, a date after which no updates will be provided for the extension whatsoever.

Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the "https://" prefix. The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers. But since 2010, HTTPS is not a fringe technology anymore. Currently, around 86.6% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections.
From EFF's announcement: The goal of HTTPS Everywhere was always to become redundant. That would mean we'd achieved our larger goal: a world where HTTPS is so broadly available and accessible that users no longer need an extra browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode.

With these simple settings available, EFF is preparing to deprecate the HTTPS Everywhere web extension as we look to new frontiers of secure protocols like SSL/TLS... We know many different kinds of users have this tool installed, and want to give our partners and users the needed time to transition.
The announcement also promises to inform users of browser-native HTTPS-only options before the day when the extension reaches its final sunsetting — and ends with instructions for how to activate the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, "and celebrate with us that HTTPS is truly everywhere for users."

According to multiple databases, researchers, and cybersecurity companies who spoke to MIT Technology Review, 2021 has had the highest number of zero-day exploits on record. "At least 66 zero-days have been found in use this year, according to databases such as the 0-day tracking project -- almost double the total for 2020, and more than in any other year on record," the report says. From the report: One contributing factor in the higher rate of reported zero-days is the rapid global proliferation of hacking tools. Powerful groups are all pouring heaps of cash into zero-days to use for themselves -- and they're reaping the rewards. At the top of the food chain are the government-sponsored hackers. China alone is suspected to be responsible for nine zero-days this year, says Jared Semrau, a director of vulnerability and exploitation at the American cybersecurity firm FireEye Mandiant. The US and its allies clearly possess some of the most sophisticated hacking capabilities, and there is rising talk of using those tools more aggressively.

Attackers are exploiting the same types of software vulnerabilities over and over again, because companies often miss the forest for the trees. And cybercriminals, too, have used zero-day attacks to make money in recent years, finding flaws in software that allow them to run valuable ransomware schemes. "Financially motivated actors are more sophisticated than ever," Semrau says. "One-third of the zero-days we've tracked recently can be traced directly back to financially motivated actors. So they're playing a significant role in this increase which I don't think many people are giving credit for."

While there may be an increasing number of people developing or buying zero-days, the record number reported isn't necessarily a bad thing. In fact, some experts say it might be mostly good news. No one we spoke to believes that the total number of zero-day attacks more than doubled in such a short period of time -- just the number that have been caught. That suggests defenders are becoming better at catching hackers in the act. You can look at the data, such as Google's zero-day spreadsheet, which tracks nearly a decade of significant hacks that were caught in the wild. One change the trend may reflect is that there's more money available for defense, not least from larger bug bounties and rewards put forward by tech companies for the discovery of new zero-day vulnerabilities. But there are also better tools. Defenders have clearly gone from being able to catch only relatively simple attacks to detecting more complex hacks, says Mark Dowd, founder of Azimuth Security. "I think this denotes an escalation in the ability to detect more sophisticated attacks," he says. Further reading: Emergency Software Patches Are on the Rise

On the day Apple released iOS 15, a Spanish security researcher disclosed an iPhone lock screen bypass that can be exploited to grant attackers access to a user's notes. From a report: In an interview with The Record, Jose Rodriguez said he published details about the lock screen bypass after Apple downplayed similar lock screen bypass issues he reported to the company earlier this year. "Apple values reports of issues like this with up to $25,000 but for reporting a more serious issue, I was awarded with $5,000," the researcher wrote on Twitter last week. [...] Because of the unprofessional way Apple handled his bug report, the researcher published today a variation of the same bypass, but this time one that uses the Apple Siri and VoiceOver services to access the Notes app from behind the screen lock. Further reading: Apple Pays Hackers Six Figures To Find Bugs in Its Software. Then It Sits On their Findings.

An anonymous reader shares a report: Hackers associated with the hacktivist collective Anonymous say they have leaked gigabytes of data from Epik, a web host and domain registrar that provides services to far-right sites like Gab, Parler and 8chan, which found refuge in Epik after they were booted from mainstream platforms. In a statement attached to a torrent file of the dumped data this week, the group said the 180 gigabytes amounts to a "decade's worth" of company data, including "all that's needed to trace actual ownership and management" of the company. The group claimed to have customer payment histories, domain purchases and transfers, and passwords, credentials and employee mailboxes. The cache of stolen data also contains files from the company's internal web servers, and databases that contain customer records for domains that are registered with Epik.

The hackers did not say how they obtained the breached data or when the hack took place, but timestamps on the most recent files suggest the hack likely happened in late February. Epik initially told reporters it was unaware of a breach, but an email sent out by founder and chief executive Robert Monster on Wednesday alerted users to an "alleged security incident." TechCrunch has since learned that Epik was warned of a critical security flaw weeks before its breach. Security researcher Corben Leo contacted Epik's chief executive Monster over LinkedIn in January about a security vulnerability on the web host's website. Leo asked if the company had a bug bounty or a way to report the vulnerability. LinkedIn showed Monster had read the message but did not respond.

An anonymous reader quotes a report from Ars Technica: Travis CI is a popular software-testing tool due to its seamless integration with GitHub and Bitbucket. As the makers of the tool explain: "When you run a build, Travis CI clones your GitHub repository into a brand-new virtual environment and carries out a series of tasks to build and test your code. If one or more of those tasks fail, the build is considered broken. If none of the tasks fail, the build is considered passed and Travis CI can deploy your code to a web server or application host." But this month, researcher Felix Lange found a security vulnerability that caused Travis CI to include secure environment variables of all public open source repositories that use Travis CI into pull request builds. Environment variables can include sensitive secrets like signing keys, access credentials, and API tokens. If these variables are exposed, attackers can abuse the secrets to obtain lateral movement into the networks of thousands of organizations.

Tracked as CVE-2021-41077, the bug is present in Travis CI's activation process and impacts certain builds created between September 3 and September 10. As a part of this activation process, developers are supposed to add a ".travis.yml" file to their open source project repository. This file tells Travis CI what to do and may contain encrypted secrets. Another place encrypted secrets may be defined is Travis' web UI. But, these secrets are not meant to be exposed. In fact, Travis CI's docs have always stated, "Encrypted environment variables are not available to pull requests from forks due to the security risk of exposing such information to unknown code." Ideally, Travis is expected to run in a manner that prevents public access to any secret environment variables specified. [...] This vulnerability caused these sorts of secrets to be unexpectedly exposed to just about anyone forking a public repository and printing files during a build process. Fortunately, the issue didn't last too long -- around eight days, thanks to Lange and other researchers who notified the company of the bug on September 7. But out of caution, all projects relying on Travis CI are advised to rotate their secrets.

The presence and relatively quick patching of the flaw aside, Travis CI's concise security bulletin and overall handling of the coordinated disclosure process has infuriated the developer community. In a long Twitter thread, Peter Szilagyi details the arduous process that his group endured as it waited for Travis CI to take action and release a brief security bulletin on an obscure webpage. "After 3 days of pressure from multiple projects, [Travis CI] silently patched the issue on the 10th. No analysis, no security report, no post mortem, not warning any of their users that their secrets might have been stolen," tweeted Szilagyi. After Szilagyi and Lange asked GitHub to ban Travis CI over its poor security posture and vulnerability disclosure processes, an advisory showed up. "Finally, after multiple ultimatums from multiple projects, [they] posted this lame-ass post hidden deep where nobody will read it... Not even a single 'thank you.' [No] acknowledgment of responsible disclosure. Not even admitting the gravity of it all," said Szilagyi, while referring to the security bulletin -- and especially its abridged version, which included barely any details. Szilagyi was joined by several members of the community in criticizing the bulletin. Boston-based web developer Jake Jarvis called the disclosure an "insanely embarrassing 'security bulletin.'" "Travis CI implemented a series of security patches starting on Sept 3rd that resolves this issue," concluded Mendy on behalf of the Travis CI team. "As a reminder, cycling your secrets is something that all users should do on a regular basis. If you are unsure how to do this, please contact Support."

An anonymous reader quotes a report from Ars Technica: Amazon's Kindle e-readers get new software updates regularly, and they're mostly of the nondescript, invisible "performance improvements and bug fixes" variety. But the most recent operating system update (version 5.13.7) is rolling out now, and it refreshes the device's user interface for the first time since 2016 or so. Amazon says that redesigns for the Home and Library screens, which are mostly untouched in the current Kindle update, will be coming "later this year." The software update that enables the new interface began rolling out in August, but because Kindles only install updates automatically when they're charging and connected to Wi-Fi, it will be a few weeks or months before all supported Kindles will have a chance to grab the update (mine only installed it over this past weekend).

The new update is available on most Kindles released in or after 2015, including the 7th- and 10th-generation Kindle Paperwhite, the 8th-, 9th-, and 10th-generation Kindle Oasis, and the 8th- and 10th-generation standard Kindle. Older "7th-generation" Kindle devices like 2014's Kindle Voyage don't appear to be supported. [...] The new update doesn't fix Amazon's confusing Kindle naming scheme, which groups different devices into "generations" that are numbered based roughly on when they were released, not on what generation of product they actually are; the "10th-generation" Paperwhite is actually only the fourth Paperwhite Amazon has released. But you now can head into the Device Info screen and see which Kindle you're using instead of having to guess.

Lack of communication, confusion about payments and long delays have security researchers fed up with Apple's bug bounty program. The Washington Post: Hoping to discover hidden weaknesses, Apple for five years now has invited hackers to break into its services and its iconic phones and laptops, offering up to $1 million to learn of its most serious security flaws. [...] But many who are familiar with the program say Apple is slow to fix reported bugs and does not always pay hackers what they believe they're owed. Ultimately, they say, Apple's insular culture has hurt the program and created a blind spot on security. "It's a bug bounty program where the house always wins," said Katie Moussouris, CEO and founder of Luta Security, which worked with the Defense Department to set up its first bug bounty program. She said Apple's bad reputation in the security industry will lead to "less secure products for their customers and more cost down the line."

Apple said its program, launched in 2016, is a work in progress. Until 2019, the program was not officially opened to the public, although researchers say the program was never exclusive. [...] In interviews with more than two dozen security researchers, some of whom spoke on the condition of anonymity because of nondisclosure agreements, the approaches taken by Apple's rivals were held up for comparison. Facebook, Microsoft and Google publicize their programs and highlight security researchers who receive bounties in blog posts and leader boards. They hold conferences and provide resources to encourage a broad international audience to participate. And most of them pay more money each year than Apple, which is at times the world's most valuable company.

Microsoft paid $13.6 million in the 12-month period beginning July 2020. Google paid $6.7 million in 2020. Apple spent $3.7 million last year, Krstic said in his statement. He said that number is likely to increase this year. Payment amounts aren't the only measure of success, however. The best programs support open conversations between the hackers and the companies. Apple, already known for being tight-lipped, limits communication and feedback on why it chooses to pay or not pay for a bug, according to security researchers who have submitted bugs to the bounty program and a former employee who spoke on the condition of anonymity because of a nondisclosure agreement. Apple also has a massive backlog of bugs that it hasn't fixed, according to the former employee and a current employee, who also spoke on the condition of anonymity because of an NDA.

A bug in the McDonald's Monopoly VIP game in the United Kingdom caused the login names and passwords for the game's database to be sent to all winners. BleepingComputer reports: After skipping a year due to COVID-19, McDonald's UK launched their popular Monopoly VIP game on August 25th, where customers can enter codes found on purchase food items for a chance to win a prize. These prizes include 100,000 pounds in cash, an Ibiza villa or UK getaway holiday, Lay-Z Spa hot tubs, and more. Unfortunately, the game hit a snag over the weekend after a bug caused the user name and passwords for both the production and staging database servers to be in prize redemption emails sent to prize winners.

An unredacted screenshot of the email sent to prize winners was shared with BleepingComputer by Troy Hunt that shows an exception error, including sensitive information for the web application. This information included hostnames for Azure SQL databases and the databases' login names and passwords, as displayed in the redacted email below sent to a Monopoly VIP winner. The prize winner who shared the email with Troy Hunt said that the production server was firewalled off but that they could access the staging server using the included credentials. As these databases may have contained winning prize codes, it could have allowed an unscrupulous person to download unused game codes to claim the prizes. Luckily for McDonald's, the person responsibly disclosed the issue with McDonald's, and while they did not receive a response, they later found that the staging server's password was soon changed.

Proof-of-concept exploit code was published online over the weekend for an unpatched Ghostscript vulnerability that puts all servers that rely on the component at risk of attacks. From a report: Published by Vietnamese security researcher Nguyen The Duc, the proof-of-concept code is available on GitHub and was confirmed to work by several of today's leading security researchers. Released back in 1988, Ghostscript is a small library that allows applications to process PDF documents and PostScript-based files. While its primary use is for desktop software, Ghostscript is also used server-side, where it is typically included with image conversion and file upload processing toolkits, such as the popular ImageMagick. The proof-of-concept code released by Nguyen on Sunday exploits this latter scenario, allowing an attacker to upload a malformed SVG file that escapes the image processing pipeline and runs malicious code on the underlying operating system. While Nguyen released the public exploit for this bug, he is not the one who discovered the vulnerability.

In mid-July this year, Texas-based software provider SolarWinds released an emergency security update to patch a zero-day in its Serv-U file transferring technology that was being exploited in the wild. From a report: At the time, SolarWinds did not share any details about the attacks and only said that it learned of the bug from Microsoft's security team. In a blog post on Thursday, Microsoft revealed more details about the July attacks. The company said the zero-day was the work of a new threat actor the company was tracking as DEV-0322, which Microsoft described as "a group operating out of China, based on observed victimology, tactics, and procedures." Microsoft said the group targeted SolarWinds Serv-U servers "by connecting to the open SSH port and sending a malformed pre-auth connection request," which allowed DEV-0322 operators to run malicious code on the targeted system and take over vulnerable devices. The OS maker did not go into details about what the intruders did once they breached a target. It is unclear if the hackers were interested in cyber-espionage and intelligence collection or if DEV-0322 was a run-of-the-mill crypto-mining gang.

New submitter throx shares a report from Android Police: For months users of the three-year-old Pixel 3 series have been complaining of a common and dreadful problem: seemingly random shutdowns that completely lock their devices. The Pixel 3 and 3 XL have been plagued by the "EDL Mode" bug, which locks the device with no screen or button inputs and makes it more or less impossible to use. To date there's no clear solution to this problem, at least not one that's easily available to even advanced users.

Google's official support channels are aware of the issue, and that it seems to be accelerating in terms of users in the last few months. But since more or less every Pixel 3 and 3 XL sold is out of warranty at this point, options are limited. You can start an official support ticket with Google and pay for a repair, or (as one volunteer on the Google support forums suggests) take it into an authorized repair shop to see if their Qualcomm tools can get the phone to wake up. At the time of writing there doesn't seem to be any indication of a user-accessible fix for the EDL issues.

CD Projekt is working on a first expansion of Cyberpunk 2077, Chief Executive Adam Kicinski said after the Polish video games maker reported a first-half beat on its net profit. From a report: Cyberpunk 2077, featuring Hollywood star Keanu Reeves, was one of last year's most anticipated games, but after a bug-ridden start it was kept off Sony's (6758.T) PlayStation Store for six months, only returning in June. CD Projekt did not give an update on how many units of Cyberpunk it had sold in the first half of 2021, but company officials told a conference call that the game was the leading source of revenue in the period. Along with The Witcher 3: Wild Hunt, Cyberpunk drove CD Projekt's revenue 29% higher in the first half of the year to 470.6 million zlotys ($124 million).

CD Projekt said its net profit was 105 million zlotys, which was 28% lower compared to last year but above the 71 million expected by analysts. The planned Cyberpunk expansion would involve a charge to gamers, similar to the ones released for The Witcher, board member Michal Nowakowski said during Wednesday's call. "When we talk about expansions then we talk about bigger things," he said, while declining to give a specific timing for its release.

An anonymous reader quotes a report from The Record, written by Catalin Cimpanu: Hackers are estimated to have stolen more than $29 million in cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations. The company confirmed the hack earlier today, half an hour after blockchain security firm PeckShield noticed signs of an ongoing attack. Cream Finance said the hacker used a "reentrancy attack" in its "flash loan" feature to steal 418,311,571 in AMP tokens (estimated at around $25.1 million at the time of the hack) and 1,308.09 in ETH coins (estimated at around $4.15 million). The term "flash loan" refers to a contract (script) that runs on the Etherium blockchain that allows Cream Finance users to take quick loans from the company's funds and then return them at a later date.

Reentrancy attacks take place when a bug in these contracts allows an attacker to withdraw funds repeatedly, in a loop, before the original transaction is approved or declined or the funds need to be returned. PeckShield and Tal Be'ery, the founder of cryptocurrency wallet app ZenGo, confirmed that the Cream Finance hacker exploited a bug in the ERC777 token contract interface that's used by Cream Finance to interact with the underlying Etherium blockchain. Be'ery told The Record today that ERC777 has enabled several reentrancy attacks on DeFi online services, which keep relying on the feature despite its history of bad implementations, bugs, and hacks. The ZenGo founder also told The Record that DeFi services need to develop or implement a firewall-like system for their platforms in order to filter malicious requests to their underlying contracts, which are the backbone of their services and the targets of most of these hacks.

An anonymous reader writes: A Razer Synapse zero-day vulnerability has been disclosed that allows you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard.

"What seemed like a small update has, for some, turned into a huge headache," reports ZDNet: Over on Apple's support forum, there are several threads from users complaining that iOS 14.7.1 broke their iPhones, causing a "no service" problem where users are unable to connect to cell service. Ther">e are similar threads on Apple's developer forums as well.

While there doesn't seem to be a pattern to which phones are affected, I've seen reports of everything from the iPhone 6 to iPhone 12 affected, and the cause is clear — upgrading to iOS 14.7.1.
"Users are saying that restarting the phone, removing the SIM, and even resetting network settings didn't help," according to 9to5Mac (in an article shared by long-time Slashdot reader antdude).

Forbes reports the bug appears to happen when you lose your cellular connection and switch to WiFi calling, "so those living in areas with good reception may never see it. Of course, this scenario also helps to mask the scale of iPhones which might be affected." If you haven't upgraded to iOS 14.7.1 yet, this potentially crippling flaw could (understandably) put you off upgrading. The problem is that the release also contains a critical fix for a new zero-day security flaw...

An anonymous reader quotes a report from BleepingComputer: Security researchers are sounding the alarm on a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek's Kalay IoT cloud platform. The security issue impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connectin and communication with a corresponding app. A remote attacker could leverage the bug to gain access to the live audio and video streams, or to take control of the vulnerable device. Researchers at Mandiant's Red Team discovered the vulnerability at the end of 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate the disclosure and create mitigation options.

Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10. It affects the Kalay protocol that is implemented as a software development kit (SDK) that is built into mobile and desktop applications. Mandiant's Jake Valletta, Erik Barzdukas, and Dillon Franke looked at ThroughTek's Kalay protocol and found that registering a device on the Kalay network required only the device's unique identifier (UID). Following this lead, the researchers discovered that a Kalay client, such as a mobile app, usually receives the UID from a web API hosted by the vendor of the IoT device. An attacker with the UID of a target system could register on the Kalay network a device they control and receive all client connection attempts. This would allow them to obtain the login credentials that provide remote access to the victim device audio-video data. The researchers say that this type of access combined with vulnerabilities in device-implemented RPC (remote procedure call) interface can lead to complete device compromise. By the latest data from ThroughTek, its Kalay platform has more than 83 million active devices and manages over 1 billion connections every month. The best way to protect yourself from this vulnerability is to keep your device software and applications updated to the latest version, as well as create complex, unique login passwords. The report also recommends you avoid connecting to IoT devices from an untrusted network.

A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops.

Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc.

In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is sometimes changed in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.