Security researchers say that a bug in one of Intel's CPU technologies that was patched last year is actually much worse than previously thought. From a report: "Most Intel chipsets released in the last five years contain the vulnerability in question," said Positive Technologies in a report published today. Attacks are impossible to detect, and a firmware patch only partially fixes the problem. To protect devices that handle sensitive operations, researchers recommend replacing CPUs with versions that are not impacted by this bug. Only the latest Intel 10th generation chips are not vulnerable, researchers said. The actual vulnerability is tracked as CVE-2019-0090, and it impacts the Intel Converged Security and Management Engine (CSME), formerly called the Intel Management Engine BIOS Extension (Intel MEBx).

rufey writes: The free SSL certificate provider Let's Encrypt is going to revoke 2.6% of the SSL certs issued by them that are currently active, due to a bug in boulder, the Certificate Authority Authorization (CAA) software Let's Encrypt uses. Ars Technica reports: "Let's Encrypt uses Certificate Authority software called Boulder. Typically, a Web server that services many separate domain names and uses Let's Encrypt to secure them receives a single LE certificate that covers all domain names used by the server rather than a separate cert for each individual domain. The bug LE discovered is that, rather than checking each domain name separately for valid CAA records authorizing that domain to be renewed by that server, Boulder would check a single one of the domains on that server n times (where n is the number of LE-serviced domains on that server). Let's Encrypt typically considers domain validation results good for 30 days from the time of validation -- but CAA records specifically must be checked no more than eight hours prior to certificate issuance. The upshot is that a 30-day window is presented in which certificates might be issued to a particular Web server by Let's Encrypt despite the presence of CAA records in DNS that would prohibit that issuance.

Since Let's Encrypt finds itself in the unenviable position of possibly having issued certificates that it should not have, it is revoking all current certificates that might not have had proper CAA record checking on Wednesday, March 4. Users whose certificates are scheduled to be revoked will need to manually force-renewal before then. If an admin does not perform this manual renewal step, browsers reaching their websites will show TLS security warnings due to the revoked certificates. Let's Encrypt certificates are issued for 90-day intervals, and Certbot automatically renews them only when 30 days or less are left on the cert -- so this could mean roughly two months of browser errors if the manual forced renewal isn't performed."

The CAB Forum, which oversees the public CAA space, has a ticket for this specific issue. According to a community post on Let's Encrypt's website, 3,048,289 of the ~116 million overall active Let's Encrypt certificates are affected.

theodp writes: On its Careers page, zero-commission online broker Robinhood explains its founders "decided it was more important to build products that would provide everyone with access to the financial markets, not just the wealthy. Two years after heading to New York, they moved back to California and built Robinhood -- a company that leverages technology to encourage everyone to participate in our financial system." But on Monday, at least, the advantage went to the wealthy. Bloomberg reports that Robinhood suffered an outage that lasted the entire U.S. trading day and prevented customers from making trades as stocks surged after last week's rout (status). Just another reminder that we're all just one technology fail away from chaos.

"Intel's security plans sound a lot like 'we're going to catch up to AMD,'" argues FOSS advocate and "mercenary sysadmin" Jim Salter at Ars Technica, citing a "present-and-future" presentation by Anil Rao and Scott Woodgate at Intel's Security Day that promised a future with Full Memory Encryption but began with Intel SGX (launched with the Skylake microarchitecture in 2015).

Salter describes SGX as "one of the first hardware encryption technologies designed to protect areas of memory from unauthorized users, up to and including the system administrators themselves." SGX is a set of x86_64 CPU instructions which allows a process to create an "enclave" within memory which is hardware encrypted. Data stored in the encrypted enclave is only decrypted within the CPU -- and even then, it is only decrypted at the request of instructions executed from within the enclave itself. As a result, even someone with root (system administrator) access to the running system can't usefully read or alter SGX-protected enclaves. This is intended to allow confidential, high-stakes data processing to be safely possible on shared systems -- such as cloud VM hosts. Enabling this kind of workload to move out of locally owned-and-operated data centers and into massive-scale public clouds allows for less expensive operation as well as potentially better uptime, scalability, and even lower power consumption.

Intel's SGX has several problems. The first and most obvious is that it is proprietary and vendor-specific -- if you design an application to utilize SGX to protect its memory, that application will only run on Intel processors... Finally, there are potentially severe performance impacts to utilization of SGX. IBM's Danny Harnik tested SGX performance fairly extensively in 2017, and he found that many common workloads could easily see a throughput decrease of 20 to 50 percent when executed inside SGX enclaves. Harnik's testing wasn't 100 percent perfect, as he himself made clear -- in particular, in some cases his compiler seemed to produce less-optimized code with SGX than it had without. Even if one decides to handwave those cases as "probably fixable," they serve to highlight an earlier complaint -- the need to carefully develop applications specifically for SGX use cases, not merely flip a hypothetical "yes, encrypt this please" switch....

After discussing real-world use of SGX, Rao moved on to future Intel technologies -- specifically, full-memory encryption. Intel refers to its version of full-memory encryption as TME (Total Memory Encryption) or MKTME (Multi-Key Total Memory Encryption). Unfortunately, those features are vaporware for the moment. Although Intel submitted an enormous Linux kernel patchset last May for enabling those features, there are still no real-world processors that offer them... This is probably a difficult time to give exciting presentations on Intel's security roadmap. Speculative prediction vulnerabilities have hurt Intel's processors considerably more than their competitors', and the company has been beaten significantly to market by faster, easier-to-use hardware memory encryption technologies as well. Rao and Woodgate put a brave face on things by talking up how SGX has been and is being used in Azure. But it seems apparent that the systemwide approach to memory encryption already implemented in AMD's Epyc CPUs -- and even in some of their desktop line -- will have a far greater lasting impact.

Intel's slides about their own upcoming full memory encryption are labeled "innovations," but they look a lot more like catching up to their already-established competition.

Apache Tomcat servers released in the last 13 years are vulnerable to a bug named Ghostcat that can allow hackers to take over unpatched systems. From a report: Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol. AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on the server's port 8009. Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server.

Facebook filed today a federal lawsuit in a California court against OneAudience, a New Jersey-based data analytics firm. From a report: The social networking giant claims that OneAudience paid app developers to install its Software Development Kit (SDK) in their apps, and later used the control it had over the SDK's code to harvest data on Facebook users. According to court documents obtained by ZDNet, the SDK was embedded in shopping, gaming, and utility-type apps, some of which were made available through the official Google Play Store. "After a user installed one of these apps on their device, the malicious SDK enabled OneAudience to collect information about the user from their device and their Facebook, Google, or Twitter accounts, in instances where the user logged into the app using those accounts," the complaint reads. "With respect to Facebook, OneAudience used the malicious SDK -- without authorization from Facebook -- to access and obtain a user's name, email address, locale (i.e. the country that the user logged in from), time zone, Facebook ID, and, in limited instances, gender," Facebook said. Twitter was the first to expose OneAudience's secret data harvesting practices on November 26, last year.

Hackers have found a bug in PayPal's Google Pay integration and are now using it to carry out unauthorized transactions via PayPal accounts. From a report: Since last Friday, users have reported seeing mysterious transactions pop up in their PayPal history as originating from their Google Pay account. Issues have been reported on numerous platforms, such as PayPal's forums, Reddit, Twitter, and Google Pay's Russian and German support forums. Victims reported that hackers abused Google Pay accounts to buy products using linked PayPal accounts. According to screenshots and various testimonies, most of the illegal transactions are taking place at US stores, and especially at Target stores across New York. Most of the victims appear to be German users.

Bug bounty platform HackerOne paid out $40 million in bounties in 2019, roughly equal to the total for all previous years combined. From a report: Moreover, the company announced that its community almost doubled in the past year to 600,000 registered hackers. The announcement comes as the cybersecurity industry struggles with a workforce shortage, which is in turn compounded by growing cyberattacks that could cost the industry $6 trillion by 2021. As companies invest significant resources in battling external threats, HackerOne aims to pay good actors to find bugs before bad actors enter the fray, reducing the need for costly remediation measures further down the line.

Founded in 2012, HackerOne essentially connects companies with security researchers, or "white hat hackers," who receive cash incentives to find and report software vulnerabilities. The San Francisco-based company has raised north of $100 million since its inception, including a $36.4 million tranche a few months back, and has paid out $82 million in bounties since its inception. According to HackerOne, U.S.-based hackers earned 19% of all bounties in 2019, followed by hackers in India (10%), Russia (8%), China (7%), Germany (5%), and Canada (4%). These figures were released as part of HackerOne's annual hacker report, which included a survey of 3,150 hackers.

A powerful antibiotic that kills some of the most dangerous drug-resistant bacteria in the world has been discovered using artificial intelligence. The Guardian reports: To find new antibiotics, the researchers first trained a "deep learning" algorithm to identify the sorts of molecules that kill bacteria. To do this, they fed the program information on the atomic and molecular features of nearly 2,500 drugs and natural compounds, and how well or not the substance blocked the growth of the bug E coli. Once the algorithm had learned what molecular features made for good antibiotics, the scientists set it working on a library of more than 6,000 compounds under investigation for treating various human diseases. Rather than looking for any potential antimicrobials, the algorithm focused on compounds that looked effective but unlike existing antibiotics. This boosted the chances that the drugs would work in radical new ways that bugs had yet to develop resistance to.

Jonathan Stokes, the first author of the study, said it took a matter of hours for the algorithm to assess the compounds and come up with some promising antibiotics. One, which the researchers named "halicin" after Hal, the astronaut-bothering AI in the film 2001: A Space Odyssey, looked particularly potent. Writing in the journal Cell, the researchers describe how they treated numerous drug-resistant infections with halicin, a compound that was originally developed to treat diabetes, but which fell by the wayside before it reached the clinic. Tests on bacteria collected from patients showed that halicin killed Mycobacterium tuberculosis, the bug that causes TB, and strains of Enterobacteriaceae that are resistant to carbapenems, a group of antibiotics that are considered the last resort for such infections. Halicin also cleared C difficile and multidrug-resistant Acinetobacter baumannii infections in mice. Three days after being set loose on a database of about 1.5 billion compounds, the algorithm returned a shortlist of 23 potential antibiotics, of which two appear to be particularly potent.

"[The senior researcher] now wants to use the algorithm to find antibiotics that are more selective in the bacteria they kill," adds The Guardian. "This would mean that taking the antibiotic kills only the bugs causing an infection, and not all the healthy bacteria that live in the gut. More ambitiously, the scientists aim to use the algorithm to design potent new antibiotics from scratch."

An anonymous reader quotes a report from ZDNet: WordPress site owners who use commercial themes provided by ThemeGrill are advised to update one of the plugins that come installed with these themes in order to patch a critical bug that can let attackers wipe their sites. The vulnerability resides in ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a web development company that sells commercial WordPress themes. The plugin, which is installed on more than 200,000 sites, allows site owners to import demo content inside their ThemeGrill themes so they'll have examples and a starting point on which they can build their own sites.

However, in a report published yesterday, WordPress security firm WebARX says that older versions of the ThemeGrill Demo Importer are vulnerable to remote attacks from unauthenticated attackers. Remote hackers can send a specially crafted payload to vulnerable sites and trigger a function inside the plugin. The vulnerable function resets the site's content to zero, effectively wiping the content of all WordPress sites where a ThemeGrill theme is active, and the vulnerable plugin is installed. Furthermore, if the site's database contains a user named "admin," then the attacker is granted access to that user with full administrator rights over the site.

Slashdot reader golden_donkey quotes Forbes: Are you booting up your Windows 10 machine and discovering you can't log in to your profile? It appears you're not alone. Reports are increasing across Twitter and Microsoft forums that following the most recent Patch Tuesday update (KB4532693), users are complaining that their profiles and desktop files are missing, and that custom icons and wallpaper have all been reset to their default state...

The KB4532693 update is allegedly causing much more serious headaches for some users. A newer report by Windows Latest cites multiple users in their comments section complaining that the data is nowhere to be found and allegedly not recoverable.
Microsoft has now "yanked KB4524244 from its update servers..." reports ZDNet, "after acknowledging reports of 'an issue affecting a sub-set of devices.'" Microsoft says customers who have successfully installed the update don't need to take any further steps. Those who have configured PCs to defer installation of updates by at least four days should also be unaffected.

For those who are experiencing issues related to this update, Microsoft recommends uninstalling the update.
Forbes also shared a video "on a related note." Its title? "How To Choose A Linux Distro That's Right For You..."

An anonymous reader quotes a report from The Guardian: Two scientific studies of the number of insects splattered by cars have revealed a huge decline in abundance at European sites in two decades. The survey of insects hitting car windscreens in rural Denmark used data collected every summer from 1997 to 2017 and found an 80% decline in abundance. It also found a parallel decline in the number of swallows and martins, birds that live on insects.

The second survey, in the UK county of Kent in 2019, examined splats in a grid placed over car registration plates, known as a "splatometer." This revealed 50% fewer impacts than in 2004. The research included vintage cars up to 70 years old to see if their less aerodynamic shape meant they killed more bugs, but it found that modern cars actually hit slightly more insects. [...] The stream research, published in the journal Conservation Biology, analyzed weekly data from 1969 to 2010 on a stream in a German nature reserve, where the only major human impact is climate change. "Overall, water temperature increased by 1.88C and discharge patterns changed significantly. These changes were accompanied by an 81.6% decline in insect abundance," the scientists reported. "Our results indicate that climate change has already altered [wildlife] communities severely, even in protected areas."

On January 16th, Facebook users received an error message when posting in Jinghpaw, a language spoken by Myanmar's ethnic Kachin and written with a Roman alphabet. From a report: "We couldn't post this. Tap for more info," the message said. When clicking, a second appeared: "Your request couldn't be processed. There was a problem with this request. We're working on getting it fixed as soon as we can." A Facebook representative told The Verge that the issue was caused by "a bug in our language infrastructure," and coincided with the launch, the same day, of an updated language identification model supporting ten new languages, including Jinghpaw. The representative said Facebook fixed the issue within hours of receiving reports on January 17th. But while the disabling of Jinghpaw was not an active move of censorship, it alerted many Kachin people that Facebook had the capability to identify their language, an alarming thought for the embattled minority group. That realization has evoked a visceral reaction from the Kachin, and brought forth new calls for the company to be more transparent about its technology and the ways it will be used.

A software error in Denmark's government tax portal has accidentally exposed the personal identification (CPR) numbers for 1.26 million Danish citizens, a fifth of the country's total population. From a report: The error lasted for five years (between February 2, 2015, and January 24, 2020) before it was discovered, Danish media reported last week. The software error and the subsequent leak was discovered following an audit by the Danish Agency for Development and Simplification (Udviklings-og Forenklingsstyrelsen, or UFST). According to the UFST, the error occurred on TastSelv Borger, the Danish tax administration's official self-service portal where Danish citizens go to file and pay taxes online. Government officials said the portal contained a software bug that every time a user updated account details in the portal's settings section, their CPR number would be added to the URL.

Earlier this week, searching in Windows 10 was broken, "with a black bar showing where search results should be, even for those who tried to perform a local search of their files." Microsoft issued a fix and blamed the issue on a "third-party networking fiber provider".

But unfortunately, Microsoft's fix isn't working for everyone -- and that's just the beginning. Long-time Slashdot reader Futurepower(R) shares Forbes' report: Second, and more worryingly, Microsoft's explanation doesn't add up and it has prompted serious questions to be asked about how the operating system works and what personal data it is sharing. Popular Microsoft pundit Woody Leonard led the charge, writing: "If you believe that yesterday's worldwide crash of Windows 10 Search was caused by a bad third-party fiber provider, I have a bridge to sell you."

In an open letter to new Windows head Panos Panay, Susan 'Patch Lady' Bradley was similarly sceptical, noting that today "we all found out that our local search boxes are somehow dependent on some service working at Microsoft." She attacked the company for a lack of transparency and gave it a maximum 'Pinocchio score' for a lack of trust... Similarly, Engadget writer Richard Lawler revealed that users were now trying to hack the Windows 10 registry to disconnect their local file searches from Microsoft servers "and I can't say I blame them after this episode. Microsoft owes users a better explanation than this and should make sure it's impossible for offline features to get taken out when the cloud is having an issue."
In fact, Forbes writes that "the aforementioned Windows 10 registry hack appears to be the only 100% fix for this issue and it also disconnects Bing and Cortana online services from Windows 10 search."

And then on Saturday the Windows Latest blog also noticed that Microsoft's release notes for Windows 10 20H1 Build 19035 reveal that Microsoft is apparently now delaying the roll-out of a widely-anticipated "Optional Updates" option. "It appears that the new Optional updates experience will come out in October/November 2020, not this spring as previously planned."

An anonymous reader writes: A weird bug of unknown origins has been hitting Windows 7 computers this week, according to multiple reports online. Windows 7 users have been reporting that they are receiving a popup message that reads "You don't have permission to shut down this computer" every time they attempt to shut down or reboot their systems...

Windows 7 reached official end of life (EOL) on January 14, 2020 and is not scheduled to receive new fixes. Last month, Microsoft made an exception to this rule when it provided a fix for a bug that broke wallpaper display for Windows 7 users. Seeing that rebooting or shutting down your computer is a more important OS feature than wallpaper support, Microsoft will most likely need to make a another exception and deliver a second post-EOL update pretty soon.

An anonymous reader quotes a report from ZDNet: Google has patched this week a critical security flaw in Android's Bluetooth component. If left unpatched, the vulnerability can be exploited without any user interaction and can even be used to create self-spreading Bluetooth worms. Researchers said that exploiting the bug requires no user interaction. All that is required is that the user has Bluetooth enabled on his device. However, while this requirement would have limited the attack surface in past years, it does not today since modern Android OS versions ship with Bluetooth enabled by default and many Android users use Bluetooth-based headphones meaning the Bluetooth service is likely to be enabled on many handsets. The bug can lead to remote code execution and the hijacking of a device. Fixes for the bug are available via the Android February 2020 Security Bulletin, which has been available for download starting this week. Android 9 and earlier are impacted.

A second software problem during a CST-100 Starliner test flight is prompting a NASA safety panel to recommend a review of Boeing's software verification processes. Space News reports: That new software problem, not previously discussed by NASA or Boeing, was discussed during a Feb. 6 meeting of NASA's Aerospace Safety Advisory Panel that examined the December uncrewed test flight of Starliner that was cut short by a timer error. That anomaly was discovered during ground testing while the spacecraft was in orbit, panel member Paul Hill said. "While this anomaly was corrected in flight, if it had gone uncorrected, it would have led to erroneous thruster firings and uncontrolled motion during [service module] separation for deorbit, with the potential for a catastrophic spacecraft failure," he said.

The exact cause of the failure remains under investigation by Boeing and NASA, who are also still examining the timer failure previously reported. Those problems, Hill said, suggested broader issues with how Boeing develops and tests the software used by the spacecraft. "The panel has a larger concern with the rigor of Boeing's verification processes," he said. The panel called for reviews of Boeing's flight software integration and testing processes. "Further, with confidence at risk for a spacecraft that is intended to carry humans in space, the panel recommends an even broader Boeing assessment of, and corrective actions in, Boeing's [systems engineering and integration] processes and verification testing." The panel added that all those investigations and reviews be completed as "required input for a formal NASA review to determine flight readiness for either another uncrewed flight test or proceeding directly to a crewed test flight."

An anonymous reader quotes a report from Ars Technica: Sudo, a utility found in dozens of Unix-like operating systems, has received a patch for a potentially serious bug that allows unprivileged users to easily obtain unfettered root privileges on vulnerable systems. The vulnerability, tracked as CVE-2019-18634, is the result of a stack-based buffer-overflow bug found in versions 1.7.1 through 1.8.25p1. It can be triggered only when either an administrator or a downstream OS, such as Linux Mint and Elementary OS, has enabled an option known as pwfeedback. With pwfeedback turned on, the vulnerability can be exploited even by users who aren't listed in sudoers, a file that contains rules that users must follow when using the sudo command.

"Exploiting the bug does not require sudo permissions, merely that pwfeedback be enabled," an advisory published by sudo developers said. "The bug can be reproduced by passing a large input to sudo via a pipe when it prompts for a password." The advisory lists two flaws that lead to the vulnerability. The first: pwfeedback isn't ignored as it should be when reading from something other than a terminal. As a result, the saved version of a line erase character remains at its initialized value of 0. The second contributor is that the code that erases the line of asterisks doesn't properly reset the buffer position if there is an error writing data. Instead, the code resets only the remaining buffer length. As a result, input can write past the end of the buffers. Systems with unidirectional pipe allow an attempt to write to the read end of the pipe to result in a write error. Because the remaining buffer length isn't reset correctly when write errors result from line erasures, the stack buffer can be overflowed. The report notes the vulnerability was introduced in 2009 and remained active until 2018, with the release of 1.8.26b1. "Systems or software using a vulnerable version should move to version 1.8.31 as soon as practical," reports Ars. "Those who can't update right away can prevent exploits by making sure pwfeedback is disabled."

Google security engineers said last week they have successfully cut down the "patch gap" in Google Chrome from 33 days to only 15 days. From a report: The term "patch gap" refers to the time it takes from when a security bug is fixed in an open source library to when the same fix lands in software that uses that particular library. In today's software landscape where many apps rely on open source components, the "patch gap" is considered a major security risk. The reason is because when a security bug is fixed in an open source library, details about that bug become public, primarily due to the public nature and openness of most open source projects. Hackers can then use details about these security flaws to craft exploits and launch attacks against software that relies on the vulnerable component, before the software maker has a chance to release a patch. If the software maker is on a fixed release schedule, with updates coming out every few weeks or months, the patch gap can provide hackers with an attack window that most software projects can't deal with.