Businesses

Hackers Are Exploiting a 5-Alarm Bug In Networking Equipment (wired.com) 32

Andy Greenberg writes via Wired: Late last week, government agencies, including the United States Computer Emergency Readiness Team and Cyber Command, sounded the alarm about a particularly nasty vulnerability in a line of BIG-IP products sold by F5. The agencies recommended security professionals immediately implement a patch to protect the devices from hacking techniques that could fully take control of the networking equipment, offering access to all the traffic they touch and a foothold for deeper exploitation of any corporate network that uses them. Now some security companies say they're already seeing the F5 vulnerability being exploited in the wild -- and they caution that any organization that didn't patch its F5 equipment over the weekend is already too late.

The F5 vulnerability, first discovered and disclosed to F5 by cybersecurity firm Positive Technologies, affects a series of so-called BIG-IP devices that act as load balancers within large enterprise networks, distributing traffic to different servers that host applications or websites. Positive Technologies found a so-called directory traversal bug in the web-based management interface for those BIG-IP devices, allowing anyone who can connect to them to access information they're not intended to. That vulnerability was exacerbated by another bug that allows an attacker to run a "shell" on the devices that essentially lets a hacker run any code on them that they choose. The result is that anyone who can find an internet-exposed, unpatched BIG-IP device can intercept and mess with any of the traffic it touches. Hackers could, for instance, intercept and redirect transactions made through a bank's website, or steal users' credentials. They could also use the hacked device as a hop point to try to compromise other devices on the network. Since BIG-IP devices have the ability to decrypt traffic bound for web servers, an attacker could even use the bug to steal the encryption keys that guarantee the security of an organization's HTTPS traffic with users, warns Kevin Gennuso, a cybersecurity practitioner for a major American retailer.
While only a small minority of F5 BIG-IP devices are directly exploitable, Positive Technologies says that still includes 8,000 devices worldwide. "About 40 percent of those are in the U.S., along with 16 percent in China and single-digit percentages in other countries around the globe," reports Wired.

"Owners of those devices have had since June 30, when F5 first revealed the bug along with its patch, to update," adds Wired. "But many may not have immediately realized the seriousness of the vulnerability. Others may have been hesitant to take their load balancing equipment offline to implement an untested patch, points out Gennuso, for fear that critical services might go down, which would further delay a fix."
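The story above turns on a directory traversal bug in a device's web management interface. The following is an added example, not code from the Wired article, from F5 or from Positive Technologies, showing in Python the two things a defender wants around that class of bug: the path-confinement check a web handler should apply so a request can never escape the directory it serves, and a detection pass over access-log lines that flags requests whose decoded path climbs with `..`. The base directory `/srv/mgmt-ui`, the client addresses and the log lines are all constructed for the example.

```python
"""Added example (not from the Wired article, F5 or Positive Technologies):
hardened path resolution plus log-based detection for directory traversal
against a web management interface.

  safe_resolve()            confines a requested path to a base directory
  find_traversal_attempts() flags access-log requests whose decoded path
                            contains a '..' segment

Every path, address and log line here is constructed for the example.
"""
import re
from pathlib import Path
from typing import List, Optional, Tuple
from urllib.parse import unquote


def _decode_path(raw: str) -> str:
    """Undo percent-encoding repeatedly (covers double encoding such as
    '%252e%252e') and treat backslashes as path separators."""
    decoded = raw
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def safe_resolve(base_dir: str, requested: str) -> Optional[Path]:
    """Return the absolute file path for `requested` if it stays inside
    base_dir, otherwise None. Resolving both sides collapses '.' and '..'
    (and symlinks) before the containment check is made, so the check is
    made on the path the filesystem would actually open."""
    base = Path(base_dir).resolve()
    candidate = (base / _decode_path(requested).lstrip("/")).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    return candidate


# Common Log Format: client ip, ident, user, [timestamp] "METHOD path PROTO"
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"'
)


def find_traversal_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, raw_request_path) for every request whose decoded
    path contains a '..' segment. Matching whole segments means a file named
    'up..png' is not flagged, while an encoded '..%2F' still is."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        raw_path = m.group("path")
        segments = _decode_path(raw_path).split("/")
        if ".." in segments:
            hits.append((m.group("ip"), raw_path))
    return hits


# Constructed access-log sample: one benign request, two traversal probes
# from the same client, and a benign file whose name merely contains '..'.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Jul/2020:10:00:01 +0000] "GET /mgmt/static/app.js HTTP/1.1" 200 1024',
    '203.0.113.9 - - [06/Jul/2020:10:00:05 +0000] "GET /mgmt/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
    '203.0.113.9 - - [06/Jul/2020:10:00:07 +0000] "GET /mgmt/%252e%252e/%252e%252e/conf HTTP/1.1" 404 0',
    '192.0.2.20 - - [06/Jul/2020:10:01:00 +0000] "GET /mgmt/icons/up..png HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    print(safe_resolve("/srv/mgmt-ui", "static/app.js"))           # inside: path returned
    print(safe_resolve("/srv/mgmt-ui", "..%2F..%2Fetc%2Fpasswd"))  # escapes: None
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The containment check deliberately compares resolved paths rather than searching the raw string for `..`, because string filters are what encoding tricks bypass; the log detector, by contrast, decodes first and then looks for a whole `..` segment, so it catches the encoded probes in the sample without producing a false positive on `up..png`.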
Privacy

LinkedIn Says iOS Clipboard Snooping After Every Key Press is a Bug, Will Fix (zdnet.com) 38

A LinkedIn spokesperson told ZDNet this week that a bug in the company's iOS app was responsible for a seemingly privacy-intrusive behavior spotted by one of its users on Thursday. From a report: The issue was discovered using the new beta version of iOS 14. For iOS 14, set to be officially released in the fall, Apple has added a new privacy feature that shows a quick popup that lets users know when an app has read content from their clipboard. Using this new mechanism, users spotted last week how Chinese mobile app TikTok was reading content from their clipboard at regular short intervals. TikTok said the feature was part of a fraud detection mechanism and that the company never stole the clipboard content, but promised to remove the behavior anyway, to put users' minds at ease. This week, users continued experimenting with this new iOS 14 clipboard access detection system. Yesterday, a developer from the portfolio-building portal Urspace.io discovered a similar mechanism in the LinkedIn iOS app. In a video shared on Twitter, the Urspace developer showed how LinkedIn's app was reading the clipboard content after every user key press, even accessing the shared clipboard feature that allows iOS apps to read content from a user's macOS clipboard.
Microsoft

Microsoft Removes Manual Deferrals From Windows Update By IT Pros 'To Prevent Confusion' (zdnet.com) 115

Microsoft is removing the ability for business users to manually defer Windows 10 feature updates using Windows Update settings starting with the Windows 10 2004/May Update. Microsoft seemingly made this change public with a change in its Windows 10 2004 for IT Pros documentation on June 23. From a report: Microsoft officials say this change is happening in the name of reducing confusion. Here's the explanation from the Microsoft page (which I saw thanks to WindowsTimes.com), and which I had heard about from a reader last week. (Last week, I assumed this was a bug, but now it seems like it's actually a "feature.") "Last year, we changed update installation policies for Windows 10 to only target devices running a feature update version that is nearing the end of service. As a result, many devices are only updating once a year. To enable all devices to make the most of this policy change, and to prevent confusion, we have removed deferrals from the Windows Update settings Advanced Options page starting on Windows 10, version 2004."
The Almighty Buck

Hey Email App Open To All After Apple 'Definitively' Approves It (engadget.com) 30

Basecamp's Hey email app is now open to everyone after Apple "definitively approved" it for the App Store. No invite code is required for users to sign up. Engadget reports: Basecamp CTO and co-founder David Heinemeier Hansson tweeted the news today. Hey will not include any in-app purchases (IAP), so Apple will not get its standard 30 percent commission. At first, Apple objected to the fact that users would download the app from the App Store but have to sign up via the web. Apple's policies require that developers use IAP to unlock paid features or functionality in an app. Hey managed to skirt around those rules by offering a free trial option.

Hey is now open to everyone, and it does not require an invite code. The app promises a more organized approach to email, for $99 per year. But perhaps more importantly, Hey is an example of how developers can avoid paying Apple 30 percent of IAP and subscription fees. "Hopefully this paves an illuminated path for approval for other multi-platform SAAS applications as well. There are still a litany of antitrust questions to answer, but things legitimately got a little better. New policies, new precedence. Apple took a great step forward," Hansson tweeted.

Intel

Former Intel Engineer Claims Skylake QA Drove Apple Away (pcgamer.com) 252

UnknowingFool writes: A former Intel engineer has put forth information that the QA process around Skylake was so terrible that it may have finally driven Apple to use their own processors in upcoming Macs. Not to say that Apple would not have eventually made this move, but Francois Piednoel says Skylake was abnormally bad, with Apple finding the largest number of bugs inside the architecture, rivaling Intel itself. That led Apple to reconsider staying on the architecture and hastening their plans to migrate to their own chips. "The quality assurance of Skylake was more than a problem," says Piednoel. "It was abnormally bad. We were getting way too much citing for little things inside Skylake. Basically our buddies at Apple became the number one filer of problems in the architecture. And that went really, really bad. When your customer starts finding almost as much bugs as you found yourself, you're not leading into the right place."

"For me this is the inflection point," added Piednoel. "This is where the Apple guys who were always contemplating to switch, they went and looked at it and said: 'Well, we've probably got to do it.' Basically the bad quality assurance of Skylake is responsible for them to actually go away from the platform."

Apple made the switch official at its developer conference on Monday, announcing that it will introduce Macs featuring Apple-designed, ARM-based processors later this year.
Bug

Stuck At Home, Scientists Discover 9 New Insect Species (wired.com) 35

An anonymous reader quotes a report from Wired: When the Natural History Museum of Los Angeles County shut down due to the pandemic in mid-March, Lisa Gonzalez headed home with the expectation that she would be back in a few weeks. But once it became clear that she wouldn't get back anytime soon, Gonzalez, the museum's assistant entomology collection manager, converted her home's craft room into a makeshift lab. Then she began sifting through thousands of insects the museum had previously collected via a citizen science project. [...] Using just her own microscope, Gonzalez identified dozens of insect species by looking at features like tiny hairs or the shape of a fly's wings. She also found some unusual insects that she turned over to her colleague, Brian Brown, the museum's curator of entomology. Using a larger Leica stereoscope that he hauled in from the office, as well as a smaller compound microscope he found on craigslist, Brown discovered nine species of small flies, all new to science. "It's always cool to find new things, and it is one of the great joys of this job," says Brown. "It's not just finding slightly different new things -- we find extravagantly different things all the time."

The insects, mostly small flies, wasps, and wasplike flies, had been collected through the BioSCAN project, which began in 2012 with insect traps set at 30 sites throughout Los Angeles, mostly in backyards or public spaces. The pair recruited volunteers who were then trained in how to use the "Malaise traps," which resemble two-person pup tents that force bugs to fly upward into collecting nets before the volunteers can put them into vials. The BioSCAN project started when Brown bet a museum trustee that he could find a new species of insect in her backyard in West LA. He did, and the project took off. In its first three years, Brown and the backyard collector discovered 30 new species of insects and published their results. The museum team found an additional 13 new species in the past two years, plus he and the staff have discovered nine more since the pandemic shutdown.
"The nine new species include phorid flies, some of which are known for their ability to run across surfaces and/or enter coffins to consume dead bodies," the report adds. "Brown and Gonzalez have also found botflies, parasites of rats and wasplike flies that have never been seen before in Southern California. They likely arrived from Central America, perhaps hitching a ride on a flowering plant or piece of food."

"With the help of tens of thousands of insects collected through the BioSCAN project, over the years Brown and Gonzalez have expanded the count of known insect species in the Los Angeles basin from 3,500 during the last census in 1993 to around 20,000 today."
Businesses

After Outcry, Apple Will Let Developers Challenge App Store Guidelines (theverge.com) 27

Apple today announced two major changes to how it handles App Store disputes with third-party developers. The first is that Apple will now allow developers to appeal a specific violation of an App Store guideline, and that there will also be a separate process for challenging the guideline itself. Additionally, Apple says it will no longer delay app updates intended to fix bugs and other core functions over App Store disputes. The Verge reports: The changes come in the wake of Apple's high-profile showdown with Hey, a new email service from software developer Basecamp. The service launched last week as an invite-only website and a companion iOS app, with a full launch slated for July. But after initially approving the app, Apple later rejected Basecamp's subsequent updates and kicked off what became a very public feud between the company and Basecamp's co-founders, CEO Jason Fried and CTO David Heinemeier Hansson, over whether Hey could exist in the App Store in its current form at all. The feud, inconveniently for Apple, coincided with the announcement of two antitrust probes from the European Union last week that were spurred in part from complaints from longtime Apple rivals like Spotify.

The central dispute in this case was whether Hey qualified for an exemption to rules around in-app purchases, which Basecamp decided not to include because the company does not want to give Apple its standard App Store revenue cut. Apple said Hey did not and claimed Basecamp's iOS app violated three App Store guidelines by not allowing you to sign up or purchase access to Hey from mobile. Fried and Heinemeier Hansson claimed that the decision was evidence of inconsistency and greed on Apple's part given the numerous apps, like Netflix and business software, that do qualify for such exemptions and have existed in the App Store without in-app purchase options for years. Apple last week tried to head off any future escalation of the feud by outlining its reasoning in a letter signed from the App Review Board, which it disseminated to Basecamp and media organizations. Apple marketing chief Phil Schiller also conducted interviews with members of the press. [...] On Monday, ahead of the keynote, Apple capitulated, allowing Hey's updates to go through only after a compromise from Basecamp in which the company now lets you sign up for a burner account that expires after two weeks.

Businesses

Apple Approves Hey Email App, But the Fight's Not Over (theverge.com) 14

After rejecting an update last week, Apple has approved a new version of the subscription email app Hey. From a report: The approval, which came last week, ahead of today's Apple Worldwide Developer Conference, is meant to lower the temperature after Apple's initial app rejection drew widespread condemnation from lawmakers and other developers. But the approval is also only temporary in spirit, meant to give Hey developer Basecamp time to develop a version of the app more in line with Apple's policies -- and Basecamp's approach to that challenge is very aggressive, as a letter posted to its website today details.
Businesses

Apple's App Store Policies Are Bad, But Its Interpretation and Enforcement Are Worse (daringfireball.net) 39

Earlier this week, Apple told Basecamp, the company that makes the brand new email app called Hey, that it cannot distribute its app on the iPhone unless it makes it possible for users to sign up via Apple's own prescribed methods -- which gives Apple a 30 percent cut. Apple told Basecamp that by avoiding giving an option in its iOS app to sign up and support in-app purchases, it was violating Apple's App Store policy, 3.1.1, which says: If you want to unlock features or functionality within your app, (by way of example: subscriptions, in-game currencies, game levels, access to premium content, or unlocking a full version), you must use in-app purchase. Apps may not use their own mechanisms to unlock content or functionality, such as license keys, augmented reality markers, QR codes, etc. Apps and their metadata may not include buttons, external links, or other calls to action that direct customers to purchasing mechanisms other than in-app purchase. Dieter Bohn, writing for The Verge: The key thing to know is that the text of this policy is not actually the policy. Or rather, as with any law, the text is only one of the things you need to understand. You also need to know how it is enforced and how the enforcers interpret that text. It should not surprise you to know that Apple's interpretation of its text often seems capricious at best and at worst seems like it's motivated by self-dealing. And the enforcement consequently often seems unfair.

The rule states that if you want to sell digital goods, you have to use Apple's payment system. Except that's not how 3.1.1 has been interpreted to date. It has been interpreted as allowing people to access services they paid for elsewhere on their iOS devices, but not allowing those apps to try to get around the Apple payment rules when people sign up on those devices. That's convoluted, but that interpretation is what keeps Netflix from having an account sign-up in its app. It's the policy that has enraged Spotify and keeps you from buying Kindle books on your iPhone without jumping through a million weird Safari hoops. That was already a very bad rule, if you ask me. Now, with this email app, Apple is apparently changing its interpretation to be more strict.
David Pierce, in an update to his news report about the Hey-Apple debacle: Apple told me that its actual mistake was approving the app in the first place, when it didn't conform to its guidelines. Apple allows these kinds of client apps -- where you can't sign up, only sign in -- for business services but not consumer products. That's why Basecamp, which companies typically pay for, is allowed on the App Store when Hey, which users pay for, isn't. One other distinction: Apple allows "Reader" apps -- things like Netflix and Kindle and Dropbox, where you're using the app to access existing subscriptions -- as long as they don't offer a way to sign up. But email, messaging, etc. don't count as Reader apps. John Gruber, writing at DaringFireball: The lone instance of "consumer" refers to the "Consumer Health Records API". The price that Basecamp pays for not supporting in-app purchase in their iOS app is that they lose whatever number of users would have signed up in-app but won't sign up out-of-app. That's competition. Again, putting aside arguments that Apple should allow apps to use their own payment systems in apps, or be able to link to a website for sign up, or at the very least just tell users how to sign up -- the makers of an app should be able to say "OK, we won't even tell users how to sign up within our app; our app is only for existing customers and we'll obtain all of them outside the app." [...]

Second, how could such a distinction be made in writing? There are some apps that are definitely "business services" and some that are definitely "consumer products" (games for example), but to say that the area in between encompasses many shades of gray is an understatement. The entire mobile era of computing -- an era which Apple itself has inarguably largely defined -- is about the obliteration of distinct lines between business and consumer products. [...] At some level there's a clear distinction here -- Netflix and Kindle are clearly consumption services. But Dropbox? Dropbox is a lot closer to an email or messaging service like Hey than it is to Netflix or Kindle. The stuff in my Dropbox account is every bit as personal as the stuff in my email account. When you put Dropbox in the same bucket with Netflix and Amazon Kindle, it seems to me like the distinction is not so much between what is and isn't a "reader" app or what is or isn't a "business" app, but between companies which are too big for Apple to push around and those they can.

Businesses

Basecamp's Hey, a New Email Product, Claims Apple is Rejecting Bug Fixes to the iPhone App Unless the Firm Agrees To Pay 15-30% Commission (twitter.com) 121

Basecamp launched its email product Hey earlier this week. David Heinemeier Hansson, the co-founder of Basecamp, tweeted on Tuesday that Apple is already creating challenges for the firm. In a series of tweets, he said: Apple just doubled down on their rejection of HEY's ability to provide bug fixes and new features, unless we submit to their outrageous demand of 15-30% of our revenue. Even worse: We're told that unless we comply, they'll remove the app. On the day the EU announced their investigation into Apple's abusive App Store practices, HEY is subject to those very same capricious, exploitive, and inconsistent policies of shakedown. It's clear they feel emboldened to tighten the screws with no fear of regulatory consequences. He adds: Apple has been capriciously, inconsistently, and in a few cases, cruelly, enforcing their App Store policies for years. But most of the abuses were suffered by smaller developers without a platform and without recourse. Apple saw that it worked, and that it paid. Now moving up. This is exactly the issue I gave testimony in front of congress earlier this year! We hadn't yet launched HEY, but I said it worried me, what Apple might do, if you're in direct competition with them. And now we know what they'd do. Attempt to crush us. But while I'm sure Apple's attempt to cut off the air supply to the likes of Spotify is board-room stuff, I think what we're facing is simply the banality of bureaucracy. Apple has publicly pivoted to services for growth, so KPIs and quarterly targets trickle down. And frankly, it's hard to see what they have to fear. Who cares if Apple shakes down individual software developers for 30% of their revenue, by threatening to destroy their business? There have been zero consequences so far! Most such companies quietly cave or fail. We won't. There is no chance in bloody hell that we're going to pay Apple's ransom. I will burn this house down myself, before I let gangsters like that spin it for spoils.
This is profoundly, perversely abusive and unfair.

We did everything we were supposed to with the iOS app. Try downloading it (while you can?). You can't sign up, because Apple says no. We don't mention subscriptions. You can't upgrade. You can't access billing. We did all of it! Wasn't enough. We've been in the App Store with Basecamp for years. We know the game. It was always rigged. It was always customer-hostile, deeply confusing, but the unstated lines were reasonably clear. Now Apple has altered the deal, and all we can do is pray they don't alter it further.

Desktops (Apple)

Ahead of WWDC, Apple's Developer App Adds Mac Support, New Features, iMessage Stickers (techcrunch.com) 15

Ahead of Apple's Worldwide Developer Conference starting next week, the company has today launched a new version of its Apple Developer App to better support its plans for the virtual event. TechCrunch reports: Notably, the app has been made available for Mac for the first time, in addition to a redesign and other minor feature updates. With the needs of an entirely virtual audience in mind, Apple has redesigned the app's Discover section to make it easier for developers to catch up on the latest stories, news, videos and more, the company says. This section will be regularly updated with "actionable" content, Apple notes, including the latest news, recommendations on implementing new features, and information about inspiring engineers and designers, alongside new videos.

It has also updated its Browse tab where users search for existing sessions, videos, articles and news, including the over 100 technical and design-focused videos found in the WWDC tab. The WWDC tab has also been updated in preparation for the live event starting on Monday, June 22. The redesign has added a way to favorite individual articles, in addition to session content and videos. Plus it includes new iMessage stickers along with other enhancements and bug fixes. The app, which was previously available on iPhone, iPad and Apple TV, is also now offered on Mac.

Google

Google Resumes Its Senseless Attack On the URL Bar, Hides Full Addresses On Chrome 85 (androidpolice.com) 59

Google is pressing on with new plans to hide all parts of web addresses except the domain name. Android Police reports: A few new feature flags have appeared in Chrome's Dev and Canary channels (V85), which modify the appearance and behavior of web addresses in the address bar. The main flag is called "Omnibox UI Hide Steady-State URL Path, Query, and Ref" which hides everything in the current web address except the domain name. For example, "https://www.androidpolice.com/2020/06/07/lenovo-ideapad-flex-5-chromebook-review/" is simply displayed as "androidpolice.com." There are two additional flags that modify this behavior. One reveals the full address once you hover over the address bar (instead of having to click it), while the other only hides the address bar once you interact with the page. An issue page on the Chromium Bug tracker has also been created for keeping track of the changes, though there aren't any additional details there.

There's no public explanation yet for why Google is pressing ahead with these changes, but the company has said in the past that it believes showing the full address can make it harder to tell if the current site is legitimate. "Showing the full URL may detract from the parts of the URL that are more important to making a security decision on a webpage," Chromium software engineer Livvie Lin said in a design document earlier this year.
Google has since clarified how the experiment will work and what opt-out options will be available.

"We think this is an important problem area to explore because phishing and other forms of social engineering are still rampant on the web," a Chromium developer on the bug tracker for the change said, "and much research shows that browsers' current URL display patterns aren't effective defenses. We're implementing this simplified domain display experiment so that we can conduct qualitative and quantitative research to understand if it helps users identify malicious websites more accurately."

It was also confirmed that Google will keep the opt-out mechanism that is already present -- an 'Always show full URLs' setting that appears when you right-click the address bar. "We plan to support this opt-out option indefinitely," the same developer said.
Programming

New FreeBSD Code of Conduct (freebsd.org) 150

An anonymous reader writes: FreeBSD has adopted a new LLVM-derived code of conduct. The code of conduct requires users to:
be friendly and patient,
be welcoming,
be considerate,
be respectful,
be careful in the words that you choose and be kind to others,
when we disagree, try to understand why.

This isn't an exhaustive list of things that you can't do. Rather, take it in the spirit in which it's intended - a guide to make it easier to communicate and participate in the community. This code of conduct applies to all spaces managed by the FreeBSD project. This includes online chat, mailing lists, bug trackers, FreeBSD events such as the developer meetings and socials, and any other forums created by the project that the community uses for communication. It applies to all of your communication and conduct in these spaces, including emails, chats, things you say, slides, videos, posters, signs, or even t-shirts you display in these spaces. In addition, violations of this code outside these spaces may, in rare cases, affect a person's ability to participate within them, when the conduct amounts to an egregious violation of this code.

Google

Playing Around With the Fuchsia OS (quarkslab.com) 102

Security and software development company Quarkslab played around with Google's new Fuchsia operating system, which could one day replace Android on smartphones and Chrome OS on laptops. The researchers "decided to give a quick look at Fuchsia, learn about its inner design, security properties, strengths and weaknesses, and find ways to attack it." Here's what they concluded: Fuchsia's microkernel is called Zircon. It is written in C++. [...] Contrary to every other major OS, it appears rather difficult to target the Zircon kernel directly. A successful RCE (Remote Code Execution) on the world-facing parts of the system (USB, Bluetooth, network stack, etc) will only give you control over the targeted components, but they run in independent userland processes, not in the kernel. From a component, you then need to escalate privileges to the kernel using the limited number of syscalls you can access with the handles you have. Overall, it seems easier to target other components rather than the kernel, and to focus on components that you can talk to via IPC and that you know have interesting handles.

Overall, Fuchsia exhibits interesting security properties compared to other OSes such as Android. A few days of vulnerability research allowed us to conclude that the common programming bugs found in other OSes can also be found in Fuchsia. However, while these bugs can often be considered as vulnerabilities in other OSes, they turn out to be uninteresting on Fuchsia, because their impact is, for the most part, mitigated by Fuchsia's security properties. We note however that these security properties do not -- and in fact, cannot -- hold in the lowest layers of the kernel related to virtualization, exception handling and scheduling, and that any bug here remains exploitable just like on any other OS. All the bugs we found were reported to Google, and are now fixed.

Again, it is not clear where Fuchsia is heading, and whether it is just a research OS as Google claims or a real OS that is vowed to be used on future products. What's clear, though, is that it has the potential to significantly increase the difficulty for attackers to compromise devices.

Intel

New CrossTalk Attack Impacts Intel's Mobile, Desktop, and Server CPUs (zdnet.com) 40

Academics from a university in the Netherlands have published details today about a new vulnerability in Intel processors. From a report: The security bug, which they named CrossTalk, enables attacker-controlled code executing on one CPU core to leak sensitive data from other software running on a different core. The Vrije University's Systems and Network Security Group (VUSec) says the CrossTalk vulnerability is another type of MDS (microarchitectural data sampling) attack. MDS attacks target user data while in a "transient" state, as it's being processed inside the CPU and its many data-caching systems. More specifically, CrossTalk attacks data while it's being processed by the CPU's Line Fill Buffer (LBF), one of these aforementioned CPU cache systems. According to the VUSec team, the LBF cache actually works with a previously undocumented memory "staging buffer" that is shared by all CPU cores.
Android

New Cold Boot Attack Affects Seven Years of LG Android Smartphones (zdnet.com) 10

South Korean phone manufacturer LG released a security update last month to fix a vulnerability that impacts its Android smartphones sold over the past seven years. From a report: The vulnerability, tracked under the identifier of CVE-2020-12753, impacts the bootloader component that ships with LG smartphones. In March this year, US software engineer Max Thomas discovered a vulnerability in the bootloader component that had been added to LG smartphones starting with the LG Nexus 5 series. In a technical breakdown of the vulnerability published on Tuesday, Thomas says the bootloader component's graphics package contains a bug that lets attackers sneak in their own code to run alongside the bootloader's graphics under certain conditions, such as when the battery dies out and when the device is in the bootloader's Download Mode. Thomas says that threat actors who perfectly time an attack can gain the ability to run their own custom code, which could allow them to take over the bootloader, and inherently the entire device.
Security

Setting This Image As Wallpaper Could Soft-Brick Your Phone (androidauthority.com) 42

Well-known leaker Universe Ice on Twitter, along with dozens of other users, has discovered that simply setting an image as wallpaper on your phone could cause it to crash and become unable to boot. Android Authority reports: Based on user reports, many models from Samsung and Google are affected, while we've also seen some reports from users of OnePlus, Nokia, and Xiaomi devices (it's not clear if these latter devices ran stock software or custom ROMs). From our own testing and looking at user reports, Huawei devices seem to be less exposed to the wallpaper crash issue. There are a few solutions, depending on how hard the phone is hit. Some users were able to change the wallpaper in the short interval between crashes. Others had success deleting the wallpaper using the recovery tool TWRP. But in most cases, the only solution was to reset the phone to factory settings, losing any data that's not backed up.

The issue affects up-to-date phones running Android 10, but as it turns out, it's not actually new. Users have been reporting similar problems for a couple of years, and just last month Android Police reported on what appears to be a closely related issue specifically impacting Pixel phones running the Google Wallpapers app. [...] An issue with a very similar description was reported in Google's Android issue tracker back in 2018. At the time, Google developers said they were unable to reproduce the issue and closed it out (Hat tip: inverimus on Reddit).

Bug

Finding Serious 'Sign In with Apple' Hole Earns Security Researcher a $100,000 Bug Bounty (forbes.com) 21

An anonymous reader quotes Forbes: When Apple announced Sign in with Apple at the June 2019 worldwide developers conference, it called it a "more private way to simply and quickly sign into apps and websites." The idea was, and still is, a good one: replace social logins that can be used to collect personal data with a secure authentication system backed by Apple's promise not to profile users or their app activity... Unsurprisingly, it has been pushed as being a more privacy-oriented option than using your Facebook or Google account.

Fast forward to April 2020, and a security researcher from Delhi uncovered a critical Sign in with Apple vulnerability that could allow an attacker to potentially take over an account with just an email ID. It was a critical vulnerability, deemed important enough that Apple paid him $100,000 by way of a reward through its bug bounty program. With the vulnerability now patched by Apple on the server side, Bhavuk Jain published his disclosure of the security shocker on May 30.

It applied "only to third-party apps which used Sign in with Apple without taking any further security measures," the article points out, adding that the researcher who found it "said Apple carried out an internal investigation and determined that no account compromises or misuse had occurred before the vulnerability was fixed."

But they also quote an SME application security lead at ImmersiveLabs who said he "would have expected better testing around this from a company such as Apple, especially when it is trying to set itself a reputation as privacy-focused."
Bug

Software Bug In Bombardier Airliner Made Planes Turn the Wrong Way (theregister.co.uk) 34

An anonymous reader quotes a report from The Register: A very specific software bug made airliners turn the wrong way if their pilots adjusted a pre-set altitude limit. The bug, discovered on Bombardier CRJ-200 aircraft fitted with Rockwell Collins Aerospace-made flight management systems (FMSes), led to airliners trying to follow certain missed approaches turning right instead of left -- or vice versa.

First discovered in 2017, the flaw was only apparent when pilots manually edited a pre-set "climb to" altitude programmed into a "missed approach" procedure following an Instrument Landing System approach. It also arose if pilots used the FMS's temperature compensation function in extremely cold weather. In theory the bug could have led to airliners crashing into the ground, though the presence of two trained and alert humans in the cockpit monitoring what the aircraft was doing made this a remote possibility.
"The bug was first uncovered when a CRJ-200 crew flying into Canada's Fort St John airport used the FMS's temperature correction function," the report adds. "They discovered that the software turned their aeroplane in the wrong direction while it was following the published missed approach, something that generally does not happen. The fault was swiftly reported to the authorities and the relevant manufacturers."

Full details, including the maths, are available here. The U.S. Federal Aviation Administration also published a PowerPoint presentation (PDF) about the bug.
Android

Google Launches Android Studio 4.0 With Motion Editor, Build Analyzer, and Java 8 APIs (venturebeat.com) 6

An anonymous reader quotes a report from VentureBeat: Google today launched Android Studio 4.0, the latest version of its integrated development environment (IDE). Android Studio 4.0 is supposed to help developers "code smarter, build faster, and design apps." Version 4.0 includes a new Motion Editor, a Build Analyzer, and Java 8 language APIs. Google also overhauled the CPU Profiler user interface and improved the Layout Inspector. [In the article] you'll find Android Studio 4.0 features broken down by category: design, develop, and build. The new version also includes the usual performance improvements and bug fixes on top of the new features (full release notes). Google didn't share its plans for the next version. Normally we'd get hints at the company's I/O developer conference, but 2020 is a weird year.
