
Software Bug Keeping Hundreds Of Inmates In Arizona Prisons Beyond Release Dates

Author: msmash
February 24, 2021 07:20
According to Arizona Department of Corrections whistleblowers, hundreds of incarcerated people who should be eligible for release are being held in prison because the inmate management software cannot interpret current sentencing laws. From a report: KJZZ is not naming the whistleblowers because they fear retaliation. The employees said they have been raising the issue internally for more than a year, but prison administrators have not acted to fix the software bug. The sources said Chief Information Officer Holly Greene and Deputy Director Joe Profiri have been aware of the problem since 2019. The Arizona Department of Corrections confirmed there is a problem with the software. As of 2019, the department had spent more than $24 million contracting with IT company Business & Decision, North America to build and maintain the software program, known as ACIS, that is used to manage the inmate population in state prisons. One of the software modules within ACIS, designed to calculate release dates for inmates, is presently unable to account for an amendment to state law that was passed in 2019.

Read more of this story at Slashdot.

Recent Root-Giving Sudo Bug Also Impacts macOS

Author: msmash
February 4, 2021 04:25
A British security researcher has discovered this week that a recent security flaw in the Sudo app also impacts the macOS operating system, and not just Linux and BSD, as initially believed. From a report: The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users. Qualys researchers discovered that they could trigger a "heap overflow" bug in the Sudo app to change the current user's low-privileged access to root-level commands, granting the attacker access to the whole system. The only condition to exploit this bug was that an attacker gain access to a system, which researchers said could be done by either planting malware on a device or brute-forcing a low-privileged service account. In their report last week, Qualys researchers said they only tested the issue on Ubuntu, Debian, and Fedora. They said that other UNIX-like operating systems are also impacted, but most security researchers thought the bug might impact BSD, another major OS that also ships with the Sudo app.


How DNSpooq Attacks Could Poison DNS Cache Records

Author: EditorDavid
January 24, 2021 01:34
Earlier this week security experts disclosed details on seven vulnerabilities impacting Dnsmasq, "a popular DNS software package that is commonly deployed in networking equipment, such as routers and access points," reports ZDNet. "The vulnerabilities tracked as DNSpooq, impact Dnsmasq, a DNS forwarding client for *NIX-based operating systems." Slashdot reader Joe2020 shared Help Net Security's quote from Shlomi Oberman, CEO and researcher at JSOF. "Some of the bigger users of Dnsmasq are Android/Google, Comcast, Cisco, Red Hat, Netgear, and Ubiquiti, but there are many more. All major Linux distributions offer Dnsmasq as a package, but some use it more than others, e.g., in OpenWRT it is used a lot, Red Hat use it as part of their virtualization platforms, Google uses it for Android hotspots (and maybe other things), while, for example Ubuntu just has it as an optional package." More from ZDNet: Dnsmasq is usually included inside the firmware of various networking devices to provide DNS forwarding capabilities by taking DNS requests made by local users, forwarding the request to an upstream DNS server, and then caching the results once they arrive, making the same results readily available for other clients without needing to make a new DNS query upstream. While their role seems banal and insignificant, they play a crucial role in accelerating internet speeds by avoiding recursive traffic... Today, the DNSpooq software has made its way in millions of devices sold worldwide [including] all sorts of networking gear like routers, access points, firewalls, and VPNs from companies like ZTE, Aruba, Redhat, Belden, Ubiquiti, D-Link, Huawei, Linksys, Zyxel, Juniper, Netgear, HPE, IBM, Siemens, Xiaomi, and others. The DNSpooq vulnerabilities, disclosed today by security experts from JSOF, are dangerous because they can be combined to poison DNS cache entries recorded by Dnsmasq servers. 
Poisoning DNS cache records is a big problem for network administrators because it allows attackers to redirect users to clones of legitimate websites... In total, seven DNSpooq vulnerabilities have been disclosed today. Four are buffer overflows in the Dnsmasq code that can lead to remote code execution scenarios, while the other three bugs allow DNS cache poisoning. On their own, the danger from each is limited, but researchers argue they can be combined to attack any device with older versions of the Dnsmasq software... The JSOF exec told ZDNet that his company has worked with both the Dnsmasq project author and multiple industry partners to make sure patches were made available to device vendors by Tuesday's public disclosure.


NVIDIA Fixes High Severity Flaws Affecting Windows, Linux devices

Author: EditorDavid
January 10, 2021 11:34
Bleeping Computer reports: NVIDIA has released security updates to address six security vulnerabilities found in Windows and Linux GPU display drivers, as well as ten additional flaws affecting the NVIDIA Virtual GPU (vGPU) management software. The vulnerabilities expose Windows and Linux machines to attacks leading to denial of service, escalation of privileges, data tampering, or information disclosure. All these security bugs require local user access, which means that potential attackers will first have to gain access to vulnerable devices using an additional attack vector. Following successful exploitation of one of the vulnerabilities patched today, attackers can easily escalate privileges to gain permissions above the default ones granted by the OS.


'Cyberpunk 2077' Players Are Fixing Parts of the Game Before CD Projekt

Author: msmash
December 15, 2020 03:01
Cyberpunk 2077 is here in all its glory and pain. On some machines, it's a visual spectacle pushing the limits of current technology and delivering on the promise of Deus Ex, but open world. On other machines, including last-gen consoles, it's an unoptimized and barely playable nightmare. Developer CD Projekt Red has said it's working to improve the game, but fans already have a number of fixes, particularly if you're using an AMD CPU. From a report: Fans aren't waiting for the developer, however, and over the weekend AMD CPU users discovered that a few small tweaks could improve performance on their PCs. Some players reported performance gains of as much as 60 percent. Cyberpunk 2077 seems to be a CPU intensive game and, at release, it isn't properly optimized for AMD chips. "If you run the game on an AMD CPU and check your usage in task manager, it seems to utilise 4 (logical, 2 physical) cores in frequent bursts up to 100% usage, whereas the rest of the physical cores sit around 40-60%, and their logical counterparts remain idle," Redditor BramblexD explained in a post on the /r/AMD subreddit. Basically, Cyberpunk 2077 is only utilizing a portion of any AMD chip's power. Digital Foundry, a YouTube channel that does in-depth technical analysis of video games, noticed the AMD issue as well. "It really looks like Cyberpunk is not properly using the hyperthreads on Ryzen CPUs," Digital Foundry said in a recent video. To fix this issue, the community has developed three separate solutions. One involves altering the game's executable with a hex editor, the other involves editing a config file, and a third is an unofficial patch built by the community. All three do the same thing -- unleash the power of AMD's processors. "Holy shit are you a wizard or something? The game is finally playable now!" one redditor said of the hex editing technique. "With this tweak my CPU usage went from 50% to ~75% and my frametime is so much more stable now."


Cyberpunk 2077 Bugs Hit CD Projekt

Author: msmash
December 10, 2020 23:40
An anonymous reader shares a report: Numerous glitches reported by players as the long-awaited Cyberpunk 2077 game went live robbed creator CD Projekt of a stock surge on the back of encouraging advance-order sales figures. Poland's biggest computer-games studio sold more than eight million copies of the futuristic title prior to its official release, mainly using higher-margin digital distribution. Excitement around Wednesday's launch saw player numbers peak at more than one million, the most ever for a premier night on the Steam platform, and an industry record for a single-player production. Less positively, in excess of 17,000 Steam users gave Cyberpunk a rating of just 71%, with their complaints of bugs in the game pushing CD Projekt's shares as much as 7.5% lower. Before the release, Cyberpunk's average rating was 91% on Metacritic, a website that aggregated journalists' reviews. That less-than-perfect verdict also weighed on the stock earlier this week, paring its gains of almost 60% in 2020 as of last Friday. The stakes are high for CD Projekt as, after eight years of developing Cyberpunk, the game is the studio's only new franchise. The company said Thursday it's already working on fixes and is confident they will be resolved and that it wants to publish initial sales data before Christmas.


New Videogame Bug Turns Spider-Man Into a Trash Can

Author: EditorDavid
November 29, 2020 09:34
A new bug in the PlayStation game Spider-Man: Miles Morales "turns Miles into various inanimate objects, including bricks, cardboard boxes, and even a trash can," reports GameSpot: Despite Miles' changed appearance, he can still perform many of his heroic antics, including web-swinging and beating up bad guys. It's an important lesson to all of us in these trying times: You might look like trash, but you can still do your job. Today Engadget reports that the glitch even turns Spider-Man into a patio heater: If you've ever wanted to keep people toasty warm while fighting crime, now's your chance. We've asked [the game's creator] Insomniac Games for comment, although it already tweeted that the hiccup was "equally embarrassing as it is heart-warming." Into the Spider-Verse's Phil Lord joked that the heater would find its way into the sequel if the team had "any self respect at all."


Apple Lets Some Network Traffic Bypass Firewalls on MacOS Big Sur

Author: EditorDavid
November 22, 2020 11:34
"Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs..." reports Threatpost. "While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this doesn't appear to have happened." "Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu," explains Ars Technica: The undocumented exemption, which didn't take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend. To demonstrate the risks that come with this move, Wardle — a former hacker for the NSA — demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure... Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that "essential security tools such as firewalls are ineffective" under the change. Apple has yet to explain the reason behind the change.


First 'Murder Hornet' Nest In US Is Found In Washington State

Author: BeauHD
October 24, 2020 12:30
An anonymous reader quotes a report from NPR: Remember the "murder hornets"? You know, the terrifyingly large Asian giant hornets that are threatening to wipe out the North American bee population? Entomologists with the Washington State Department of Agriculture have now located a nest of them -- the first to be found in the U.S., the agency says. The nest was discovered in the cavity of a tree on a property in the city of Blaine, near the Canadian border. This achievement closely follows another advance: State entomologists had recently had luck trapping the hornets. This week, they were able to collect four live Asian giant hornets using a new type of trap -- and managed to attach radio trackers to three of them. One of those tagged hornets led staffers to the nest. The plan now? Destroy the nest. The agency says it intends to eradicate it on Saturday, removing the tree if necessary. Asian giant hornets are an invasive pest that prey on honeybees and other insects. "Only a couple of hornets can slaughter an entire healthy honeybee hive in just a matter of a few hours," Sven-Erik Spichiger, chief entomologist for the state's agriculture department, told NPR last week.


iOS 14 Resets iPhone's Default Apps To Apple's Safari and Mail After Reboot

Author: msmash
September 22, 2020 06:24
Users have found a major bug in Apple's iOS 14 iPhone software. The free software upgrade, which Apple made publicly available last week, includes features many users had long asked for, such as better ways to organize apps, living programs called widgets on the home screen, and the ability to change which default apps the phone uses to browse the web or send an email. That last one doesn't appear to work. From a report: A growing chorus of Twitter users has been posting about the bug in Apple's default email and default web browser options. What happens is that whenever they set the default browser to Google's Chrome, for example, it works as expected, and tapping any link in an app or browser will open Chrome on the iPhone. But then if they restart the phone, iOS 14 changes that default back to Apple's Safari. "We are aware of an issue that can impact default email and browser settings in iOS 14 and iPadOS 14. A fix will be available to users in a software update," Apple said in a statement.


Microsoft Warns Workaround Preventing Lenovo ThinkPad BSOD Increases Risk

Author: EditorDavid
September 20, 2020 00:34
An anonymous reader quotes ZDNet: Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of death (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login... It's the same as Lenovo's earlier workaround but comes with a stern security warning from Microsoft. Microsoft also explains how Lenovo Vantage violates Microsoft's security controls in Windows. Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft. The workaround also affects some of Microsoft's latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard. "This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk," Microsoft states... The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn't said when that will be available.


Academics Find Crypto Bugs in 306 Popular Android Apps, None Get Patched

Author: msmash
September 10, 2020 00:42
A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they're using cryptographic code in an unsafe way. From a report: Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019. Researchers say the tool, which checked for 26 basic cryptography rules (mentioned in the source story), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.


Single-line Software Bug Causes Fledgling YAM Cryptocurrency To Implode Just Two Days After Launch

Author: msmash
August 14, 2020 08:01
A two-day-old decentralized cryptocurrency called YAM collapsed this week after its creators revealed that a software bug had effectively vetoed human governance. From a report: "At approximately 6PM UTC, on Wednesday, August 12, we discovered a bug in the YAM rebasing contract that would mint far more YAM than intended to sell to the Uniswap YAM/yCRV pool, sending a large amount of excess YAM to the protocol reserve," the YAM project explained in a post on Thursday. "Given YAM's governance module, this bug would render it impossible to reach quorum, meaning no governance action would be possible and funds in the treasury would be locked." The bug followed from this line of code... totalSupply = initSupply.mul(yamsScalingFactor); ...which was supposed to be... totalSupply = initSupply.mul(yamsScalingFactor).div(BASE); YAM, a decentralized finance experiment, implements a governance system (for making protocol changes) based on supposed smart contracts that allocates votes based on assets. [...] The code flaw locked up about $750,000 worth of Curve (yCRV) tokens in the YAM treasury, assets intended to serve as a reserve currency to support the value of YAM tokens.

