Bug

The Internet Has a Huge C/C++ Problem and Developers Don't Want to Deal With It (vice.com) 663

What do Heartbleed, WannaCry, and million dollar iPhone bugs have in common? From a report: One bug affects iPhones, another affects Windows, and the third affects servers running Linux. At first glance these might seem unrelated, but in reality all three were made possible because the software that was being exploited was written in programming languages which allow a category of errors called "memory unsafety." By allowing these types of vulnerabilities, languages such as C and C++ have facilitated a nearly unending stream of critical computer security vulnerabilities for years.

Imagine you had a program with a list of 10 numbers. What should happen if you asked the list for its 11th element? Most of us would say an error of some sort should occur, and in a memory safe programming language (for example, Python or Java) that's what would happen. In a memory unsafe programming language, it'll look at wherever in memory the 11th element would be (if it existed) and try to access it. Sometimes this will result in a crash, but in many cases you get whatever happens to be at that location in memory, even if that portion of memory has nothing to do with our list. This type of vulnerability is called a "buffer-overflow," and it's one of the most common types of memory unsafety vulnerabilities. Heartbleed, which impacted 17 percent of the secure web servers on the internet, was a buffer-overflow exploit, letting you read 60 kilobytes past the end of a list, including passwords and other users' data.
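The 10-element list from the paragraph above, written out in C as an added illustration (not code from the Vice report). The struct layout, the `neighbour` field and its value are constructed for the demonstration: they stand in for whatever unrelated data happens to sit next to the list in memory. `get_unchecked` does what a memory-unsafe access does, computing the address the 11th element would have and reading it; `get_checked` is the bounds-checked accessor a memory-safe language gives you for free. The unchecked read goes through a byte pointer inside the enclosing struct so the demonstration itself stays well-defined C, while showing the same effect as a real out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIST_LEN 10

/* Constructed layout: a 10-element list with unrelated data placed
 * immediately after it, the way stack frames and heap chunks often
 * put neighbours side by side. The neighbour stands in for something
 * the list code should never see (a key, a token, another user's data). */
struct region {
    int32_t list[LIST_LEN];
    int32_t neighbour[4];   /* hypothetical unrelated data */
};

/* Memory-unsafe style: no bounds check. Index 10 lands on the bytes
 * right after the list, i.e. on neighbour[0]. Reading via a byte
 * pointer within the struct keeps this defined for the demo; a real
 * out-of-bounds read in C is undefined behaviour and may crash or leak. */
int32_t get_unchecked(const struct region *r, size_t i) {
    int32_t v;
    const unsigned char *base = (const unsigned char *)r;
    memcpy(&v, base + i * sizeof(int32_t), sizeof v);
    return v;
}

/* Memory-safe style: refuse any index outside the list.
 * Returns 0 and fills *out on success, -1 (and leaves *out alone) otherwise. */
int get_checked(const struct region *r, size_t i, int32_t *out) {
    if (i >= LIST_LEN) {
        return -1;
    }
    *out = r->list[i];
    return 0;
}

/* Build the constructed sample: list holds 0..9, neighbour holds a marker. */
struct region make_region(void) {
    struct region r;
    for (size_t i = 0; i < LIST_LEN; i++) {
        r.list[i] = (int32_t)i;
    }
    r.neighbour[0] = 0x5EC0DE;   /* constructed marker value */
    r.neighbour[1] = 0;
    r.neighbour[2] = 0;
    r.neighbour[3] = 0;
    return r;
}

/* Helpers exposing the three interesting results as return values. */
int32_t read_11th_unchecked(void) {
    struct region r = make_region();
    return get_unchecked(&r, 10);   /* the neighbour's marker, not a list element */
}

int read_11th_checked(void) {
    struct region r = make_region();
    int32_t v = 0;
    return get_checked(&r, 10, &v); /* -1: index refused */
}

int32_t read_last_checked(void) {
    struct region r = make_region();
    int32_t v = 0;
    get_checked(&r, 9, &v);
    return v;                       /* 9: the legitimate last element */
}

int main(void) {
    printf("list[9]  checked   : %d\n", (int)read_last_checked());
    printf("list[10] checked   : status %d (refused)\n", read_11th_checked());
    printf("list[10] unchecked : 0x%X (bytes from outside the list)\n",
           (unsigned)read_11th_unchecked());
    return 0;
}
```

The unchecked read never fails; it simply hands back whatever was adjacent. That is the whole mechanism behind a buffer over-read like Heartbleed: scale the index from 11 to tens of thousands of bytes past the end and the "neighbour" becomes other connections' plaintext and key material. The checked accessor is what a compiler, a runtime, or the programmer has to supply in C, and what a memory-safe language enforces by construction.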

Bug

Nasty Adobe Bug Deleted $250,000 Worth of Man's Files, Lawsuit Claims (gizmodo.com) 275

Freelance videographer Dave Cooper has filed a class action lawsuit against Adobe, alleging that an update to Premiere Pro came with a flaw in the way it handles file management that resulted in the deletion of 500 hours of video clips that he claims were worth around $250,000. Adobe has since patched the bug. Gizmodo reports: Premiere creates redundant video files that are stored in a "Media Cache" folder while a user is working on a project. This takes up a lot of hard drive space, and Cooper instructed the video editing suite to place the folder inside a "Videos" directory on an external hard drive, according to court documents. The "Videos" folder contained footage that wasn't associated with a Premiere project, which should've been fine. When a user is done working on a project they typically clear the "Media Cache" and move on with their lives. Unfortunately, Cooper says that when he initiated the "Clean Cache" function it indiscriminately deleted the contents of his "Videos" folder forever.

Cooper claims that he lost around 100,000 individual clips and that it cost him close to $250,000 to capture that footage. After spending three days trying to recover the data, he admitted that all was lost, the lawsuit says. He also apparently lost work files for edits he was working on and says that he's missed out on subsequent licensing opportunities. On behalf of himself and other users who wish to join the suit, he's asking the court for a jury trial and is seeking "monetary damages, including but not limited to any compensatory, incidental, or consequential damages in an amount that the Court or jury will determine, in accordance with applicable law."

Chrome

Facebook Patches Vulnerability That Could Have Exposed User Data (theverge.com) 19

Yet another vulnerability has been patched that could have exposed user data. According to security company Imperva, the bug "allowed websites to obtain private information about Facebook users and their friends through unauthorized access to a company API, playing off a specific behavior in the Chrome browser," reports The Verge. From the report: In technical terms, the attack is a cross-site request forgery, using a legitimate Facebook login in unauthorized ways. For the attack to work, a Facebook user must visit a malicious website with Chrome, and then click anywhere on the site while logged into Facebook. From there, attackers could open a new pop-up or tab to the Facebook search page and run any number of queries to extract personal information. Some examples Imperva gives are checking if a user has taken photos in a certain location or country, if the user has written any recent posts that contain specific text, or checking if a user's friends like a company's Facebook page. In essence, the vulnerability exposed the interests of a user and their friends even if privacy settings were set so interests were only visible to a user's friends. Imperva says the vulnerability was not a common technique and the issue has been resolved with Facebook. However, it does mention that these more sophisticated social engineering attacks could become more common in 2019. A Facebook representative told The Verge: "We appreciate this researcher's report to our bug bounty program. We've fixed the issue in our search page and haven't seen any abuse. As the underlying behavior is not specific to Facebook, we've made recommendations to browser makers and relevant web standards groups to encourage them to take steps to prevent this type of issue from occurring in other web applications."
Windows

Microsoft Resumes Rollout of Windows 10 Version 1809, Promises Quality Changes (zdnet.com) 139

Microsoft on Wednesday resumed the rollout of Windows 10 version 1809. The re-release of the so-called October 2018 Update comes more than five weeks after the company pulled the original installation files from its download servers and stopped its scheduled delivery through Windows Update. From a report: In a blog post, Microsoft's John Cable, the director of Program Management for Windows Servicing and Delivery, says the data-destroying bug that triggered that unprecedented decision, as well as other quality issues that emerged during the unscheduled hiatus, have been "thoroughly investigated and resolved."
Botnet

A 100,000-Router Botnet Is Feeding On a 5-Year-Old UPnP Bug In Broadcom Chips (arstechnica.com) 39

An anonymous reader quotes a report from Ars Technica: A recently discovered botnet has taken control of an eye-popping 100,000 home and small-office routers made from a range of manufacturers, mainly by exploiting a critical vulnerability that has remained unaddressed on infected devices more than five years after it came to light. Researchers from Netlab 360, who reported the mass infection late last week, have dubbed the botnet BCMUPnP_Hunter. The name is a reference to a buggy implementation of the Universal Plug and Play protocol built into Broadcom chipsets used in vulnerable devices. An advisory released in January 2013 warned that the critical flaw affected routers from a raft of manufacturers, including Broadcom, Asus, Cisco, TP-Link, Zyxel, D-Link, Netgear, and US Robotics. The finding from Netlab 360 suggests that many vulnerable devices were allowed to run without ever being patched or locked down through other means. Last week's report documents 116 different types of devices that make up the botnet from a diverse group of manufacturers. Once under the attackers' control, the routers connect to a variety of well-known email services. This is a strong indication that the infected devices are being used to send spam or other types of malicious mail.
Oracle

Disgruntled Security Researcher Publishes Major VirtualBox 0-Day Exploit (zdnet.com) 130

"A Russian security researcher has published details about a zero-day vulnerability affecting VirtualBox, an Oracle software application for running virtual machines," reports ZDNet. According to a text file uploaded on GitHub, Saint Petersburg-based researcher Sergey Zelenyuk has found a chain of bugs that can allow malicious code to escape the VirtualBox virtual machine (the guest OS) and execute on the underlying (host) operating system. Once out of the VirtualBox VM, the malicious code runs in the OS' limited userspace (kernel ring 3), but Zelenyuk said that attackers can use many of the already known privilege escalation bugs to gain kernel-level access (ring 0). "The exploit is 100% reliable," Zelenyuk said. "It means it either works always or never because of mismatched binaries or other, more subtle reasons I didn't account."

The Russian researcher says the zero-day affects all current VirtualBox releases, works regardless of the host or guest operating system the user is running, and is reliable against the default configuration of newly created VMs. Besides a detailed write-up of the entire exploit chain, Zelenyuk has also published video proof, showing the zero-day in action against an Ubuntu VM running inside VirtualBox on an Ubuntu host OS.

Long-time Slashdot reader Artem Tashkinov warns that the exploit utilizes "bugs in the data link layer of the default E1000 network interface adapter which makes this vulnerability critical for everyone who uses virtualization to run untrusted code." According to ZDNet, the same security researcher "found and reported a similar issue in mid-2017, which Oracle took over 15 months to fix."

"This lengthy and drawn-out patching process appears to have angered Zelenyuk, who instead of reporting this bug to Oracle, has decided to publish details online without notifying the vendor."
Windows

Microsoft Launches Free AV1 Video Codec For Windows 10 (softpedia.com) 48

Microsoft has released a free AV1 video codec for Windows 10 devices that's available via the Microsoft Store.

"Play AV1 videos on your Windows 10 device. This extension is an early beta version of the AV1 software decoder that lets you play videos that have been encoded using the AV1 video coding standard developed by the Alliance for Open Media," the company says. "Since this is an early release, you might see some performance issues when playing AV1 videos. We're continuing to improve this extension. If you allow apps to be updated automatically, you should get the latest updates and improvements when we release them." Softpedia reports: Oddly enough, the codec can only be installed on devices running Windows 10 October 2018 Update, which is no longer up for grabs after Microsoft pulled it last month. It remains to be seen how often Microsoft updates the codec in the coming months, but I've already tried it out for a test earlier today and the initial release seems to be running just fine. You can install the codec from the Microsoft Store to be notified when new versions are out, and make sure you report any potential issues to Microsoft for more bug fixes.
Bug

A Bug in Steam, Which Was Recently Patched, Could Have Given Users Access To Activation Key of Any Game (zdnet.com) 19

A Ukrainian vulnerability researcher has found a bug that would have allowed him to download all the activation keys (also known as CD keys) made available through the Steam gaming platform, for any game, ever. From a report: Discovered by Artem Moskowsky, the bug resided in Steamworks, a platform that Valve runs to help developers with building and publishing games via its Steam gaming client. Moskowsky found the bug in a Steam web API located at partner.steamgames.com/partnercdkeys/assignkeys/. This is the API that lets game developers or affiliates retrieve CD keys made available to Steam users so their customers can activate a game installed via the Steam client. This API is accessible using a regular Steam account and takes several parameters, but the ones most relevant are appid (representing the game), keyid (representing the identifier of a set of CD keys), and keycount (representing the number of CD keys that Steam needs to return inside a CD key set).
Windows

Some Windows 10 Pro Users Say Their PCs Are No Longer Activated And Are Being Prompted To Downgrade To Windows 10 Home (betanews.com) 271

If you're having trouble activating your Windows 10 Pro computer today, you're not alone. Forums and social media networks are getting flooded with complaints from users who say their machines have automatically become deactivated. Users say they are having trouble connecting with Microsoft's activation servers, with some saying they are being prompted to downgrade to Windows 10 Home. According to Microsoft Answers, the company is working to resolve the issue. Only users who had upgraded their computers to Windows 10 by using product keys of Windows 7 or Windows 8.1 appear to be impacted.
Android

Android Pie Has a Battery Life Problem (venturebeat.com) 76

Emil Protalinski, writing for VentureBeat: After upgrading to Android Pie, most users have either seen a slight improvement in battery life or reported no perceivable difference. But soon after we published our story, some users told us that they are experiencing the opposite: significantly higher battery drain after upgrading to Pie. We've been tracking this issue for the past few months, during which the Pixel 3 and Pixel 3 XL launched with Android Pie out-of-the-box and new device owners reported similar problems. Some Android Pie users simply don't expect their phones to make it through the day.

Users on Reddit, the Pixel forums, and Google's issue tracker have been discussing battery life issues on existing devices after upgrading to Android Pie, and some even on new devices (although there are naturally fewer of those cases). VentureBeat was able to independently confirm the issue on a Pixel 2 XL and a Pixel 3 -- we sent the details to Google. Given that Adaptive Battery is the main feature highlight when it comes to battery improvement in Android Pie, many suspected it could be the culprit. Users have reported, however, that turning it off didn't help the situation much, if at all. We were also able to independently verify that Adaptive Battery is not the cause. Adaptive Battery is only available in Pie, but in our tests battery life only drained faster with the feature off. We did, however, confirm that the problem is unique to Android Pie. Users have reported significant battery drain when their phones are idle, anywhere between 10 percent to 20 percent drained in an hour.

Iphone

iOS 12.1 Extends Controversial Processor Throttling Feature To the iPhone 8, 8 Plus, and X (mashable.com) 101

With iOS 12.1, Apple introduced a bunch of new features like Group FaceTime and dozens of new emoji. But the company also elected to add a controversial new performance management feature to the iPhone 8, iPhone 8 Plus, and iPhone X. From a report: For the uninitiated, back in December 2017, Apple confirmed that it would sometimes slow down older iPhones through a software update in order to prevent unexpected shutdowns. The result was that certain models -- iPhone 6, 6 Plus, 6S, 6S Plus, 7, and 7 Plus -- would often perform poorly after being updated to the newest version of iOS. Users had long suspected Apple was throttling older iPhones, but it wasn't until Geekbench published an exposé that the company publicly admitted it was, indeed, slowing down older iPhones -- albeit, for a good reason. Apple said in its explanation of the throttling issue that its goal was "to deliver the best experience for customers" and essentially argued the practice of throttling was a feature -- not a bug as it had been reported. Apple's solution was to give iPhone owners some extra control over the feature and offer a reduced cost for battery replacements.
Bug

Apple Watch Owners Asked To Return Devices For Repair After Update Glitch (bbc.com) 48

Apple has pulled an update for its smartwatches after some owners complained the software -- watchOS 5.1 -- had caused their devices to stop working. From a report: The problem appears to have baffled the firm's repair staff, and there appears to be no way at present for owners to restore the products themselves. Several have said they have been told they need to send in the devices for a fix. Apple said it intended to release a revised update soon. Those affected reported that their watches had become stuck in a state showing the Apple logo -- but nothing else -- on their screens. One owner of a newly released Series 4 model said he had been told it would take the firm's repair staff up to a week to decide whether his device needed to be repaired or replaced.
Android

Google Pixel 3 XL Bug Adds Second Notch To Side of the Screen (androidpolice.com) 44

Those of you who detest display notches will find this bug especially unpleasant. A small number of Pixel 3 XL users are reportedly experiencing a bug where an additional notch appears on the right side of the display. Android Police reports: Turns out that it's a real-life bug experienced by several users, including Jessie Burroughs, Kyle Gutschow, and UrAvgConsumer. We're not sure what's causing it, but it could be something to do with the screen rotation setting getting a bit confused about its orientation. In all three of the examples we've seen, the users reported that the issue went away after a restart or fiddling with the developer settings, so at least it's not a permanent problem. Anyone who bought a Pixel 3 XL probably decided that the notch didn't bother them that much, but we're not sure how they'd feel about another one showing up unannounced. Google is aware of this bug and says a fix is "coming soon."
Open Source

New SystemD Vulnerability Discovered (theregister.co.uk) 204

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Lennart Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

Security

Trivial Bug In X.Org Server Gives Root Permissions On Linux, BSD Systems (bleepingcomputer.com) 114

An anonymous reader quotes a report from Bleeping Computer: A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment. The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0 and is exploitable by a limited user as long as the X server runs with elevated permissions.

An advisory on Thursday describes the problem as an "incorrect command-line parameter validation" that also allows an attacker to overwrite arbitrary files. Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option. Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.

Microsoft

New Windows Zero-Day Bug Helps Delete Any File, Exploit Available (bleepingcomputer.com) 74

An anonymous reader quotes a report from Bleeping Computer: Proof-of-concept code for a new zero-day vulnerability in Windows has been released by a security researcher before Microsoft was able to release a fix. The code exploits a vulnerability that allows deleting without permission any files on a machine, including system data, and it has the potential to lead to privilege escalation. The vulnerability could be used to delete application DLLs, thus forcing the programs to look for the missing libraries in other places. If the search reaches a location that grants write permission to the local user, the attacker could take advantage by providing a malicious DLL.

The problem is with Microsoft Data Sharing Service, present in Windows 10, Server 2016 and 2019 operating systems, which provides data brokering between applications. Will Dormann, a vulnerability analyst at CERT/CC, tested the exploit code successfully on a Windows 10 operating system running the latest security updates. Behind the discovery is a researcher using the online alias SandboxEscaper, also responsible for publicly sharing in late August another security bug in Windows Task Scheduler component.

Microsoft hasn't addressed the issue, but there is a temporary fix available through the 0patch platform. "A micropatch candidate was ready seven hours after the zero-day vulnerability announcement, and it blocked the exploit successfully," reports Bleeping Computer. "0patch now delivers the stable version of the micropatch for fully updated Windows 10 1803."
Power

Why the Google Pixel 3 Charges Faster On a Pixel Stand Than Other Wireless Chargers (arstechnica.com) 124

An anonymous reader quotes a report from Ars Technica: Google's Pixel 3 smartphone is shipping out to the masses, and people hoping to take advantage of the new Qi wireless charging capabilities have run into a big surprise. For some unexplained reason, Google is locking out third-party Qi chargers from reaching the highest charging speeds on the Pixel 3. Third-party chargers are capped to a pokey 5W charging speed. If you want 10 watts of wireless charging, Google hopes you will invest in its outrageously priced Pixel Stand, which is $79.

Android Police reports that a reader purchased an Anker wireless charger for their Pixel 3, and, after noticing the slow charging speed, this person contacted the company. Anker confirmed that something screwy was going on with Google's charging support, saying "Pixel sets a limitation for third-party charging accessories and we are afraid that even our fast wireless charger can only provide 5W for these 2x devices." Normally we would chalk this up to some kind of bug, but apparently Google told Android Police that this was on purpose. The site doesn't have a direct quote, but it writes that, after reaching out to Google PR, it was "told that the Pixel 3 would charge at 10W on the Pixel Stand [and that] due to a 'secure handshake' being established that third-party chargers would indeed be limited to 5W."
In an update, Google said the reason has to do with the "proprietary wireless charging technology" it has via its Pixel Stand and other select wireless chargers. The Pixel 3 only supports 5W Qi charging; "Google's 10W proprietary wireless charging technology" is what will allow the phone to charge at faster speeds.

"Google says it is 'certifying' chargers for the Pixel 3 via the 'Made for Google' program and pointed us to one such device, a Belkin charger called the 'Boost Up Wireless Charging Pad 10W for Pixel 3 and Pixel 3 XL,'" reports Ars Technica. "Belkin's description is very enlightening, saying 'Made with the Google Pixel 3 and Pixel 3 XL in mind, this wireless charging pad uses Google's 10W proprietary wireless charging technology. It's certified for Pixel, so you know that the BOOST UP Wireless Charging pad has been made specifically for your Pixel 3 and meets Google's high product standards.'"
Android

Google News App Bug Is Using Up Gigabytes of Background Data Without Users' Knowledge (theverge.com) 110

A bug in the Google News app for Android is reportedly causing the app to use up excessive amounts of background data, leading to overage charges. "According to dozens of posts on the Google News Help Forum, users have been experiencing this issue as early as June," reports The Verge. "The issue was verified and addressed by a Google News community manager in September, stating that the company was investigating and working toward a fix, but the issue is still ongoing." From the report: Verge reader Zach Dowdle emailed in with his experience, and screenshots of his app and Wi-Fi data usage: "The Google News app is randomly using a ridiculous amount of background data without users' knowledge. The app burned through over 12 gigs of data on my phone while I slept and my Wi-Fi had disconnected. It led to $75 in overage charges."

According to several users, the app burned through mobile data despite having "Download via Wi-Fi" turned on in the settings. In some extreme cases, the Google News app used up to 24GB of data, leading to overage charges of up to $385, users reported. So far, the only solutions seem to be disabling background data, and deleting the app altogether.

Bug

Microsoft's Problem Isn't How Often it Updates Windows -- It's How It Develops It (arstechnica.com) 227

Ever since Microsoft settled on a cadence of two feature updates a year -- one in April, one in October -- the quality of its operating system (taking into consideration the volume of bugs that emerge every few days) has deteriorated, writes Peter Bright of Ars Technica. From the story: The problem with Windows as a Service is quality. Previous issues with the feature and security updates have already shaken confidence in Microsoft's updating policy for Windows 10. While data is notably lacking, there is at the very least a popular perception that the quality of the monthly security updates has taken a dive with Windows 10 and that installation of the twice-annual feature updates as soon as they're available is madness. These complaints are long-standing, too. The unreliable updates have been a cause for concern since shortly after Windows 10's release.

The latest problem has brought this to a head, with commentators saying that two feature updates a year is too many and Redmond should cut back to one, and that Microsoft needs to stop developing new features and just fix bugs. Some worry that the company is dangerously close to a serious loss of trust over updates, and for some Windows users, that trust may already have been broken. These are not the first calls for Microsoft to slow down with its feature updates -- there have been concerns that there's too much churn for both IT and consumer audiences alike to handle -- but with the obvious problems of the latest update, the calls take on a new urgency.

Programming

GitHub's Website Remains Broken After a Data Storage System Failed Earlier Today (theregister.co.uk) 66

GitHub engineers are trying to repair the data storage system underpinning the code hosting website, which has been presenting users with a "What!?" error for much of Sunday. From a report: Depending on where you are, you may have been working on some Sunday evening programming, or getting up to speed with work on a Monday morning, using resources on GitHub.com -- and possibly failing miserably as a result of the outage. From about 4pm US West Coast time on Sunday, the website has been stuttering and spluttering. Specifically, the site is still up and serving pages -- it's just intermittently serving out-of-date files, and ignoring submitted Gists, bug reports, and posts. Sometimes, it appears to be serving a read-only cache or older backup of itself, although some fresh code pushes are coming through onto the site. From the status page, it appears a data storage system died, forcing the platform's engineers to move the dot-com's files over to another box. In the meantime, some older versions of files and repos are being served to visitors and users. "We're continuing to work on migrating a data storage system in order to restore access to GitHub.com," the team said just after 5pm PT, adding in the past few minutes: "We are continuing to repair a data storage system for GitHub.com. You may see inconsistent results during this process."