An anonymous reader quotes a report from TechCrunch: As nostalgia goes, the Fisher-Price Chatter phone doesn't disappoint. The classic retro kids toy was given a modern revamp for the holiday season with the new release for adults which, unlike the original toy designed for kids, can make and receive calls over Bluetooth using a nearby smartphone. The Chatter -- despite a working rotary dial and its trademark wobbly eyes that bob up and down when the wheels turn -- is less a phone and more like a novelty Bluetooth speaker with a microphone, which activates when the handset is lifted. The Chatter didn't spend long on sale; the phone sold out quickly as the waitlists piled up. But security researchers in the U.K. immediately spotted a potential problem. With just the online instruction manual to go on, the researchers feared that a design flaw could allow someone to use the Chatter to eavesdrop. Ken Munro, founder of the cybersecurity company Pen Test Partners, told TechCrunch that chief among the concerns are that the Chatter does not have a secure pairing process to stop unauthorized phones in Bluetooth range from connecting to it. Munro outlined a series of tests that would confirm or allay his concerns. [...] The Chatter doesn't have an app, and Mattel said the Chatter phone was released as "a limited promotional item and a playful spin on a classic toy for adults." But Munro said he's concerned the Chatter's lack of secure pairing could be exploited by a nearby neighbor or a determined attacker, or that the Chatter could be handed down to kids, who could then unknowingly trigger the bug. "It doesn't need kids to interact with it in order for it to become an audio bug. Just leaving the handset off is enough," said Munro.

Read more of this story at Slashdot.

Microsoft has notified earlier this month a select group of Azure customers impacted by a recently discovered bug that exposed the source code of their Azure web apps since at least September 2017. The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted. The Record reports: The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online. All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.

Read more of this story at Slashdot.

segaboy81 writes: Amazon Games is new to the AAA games space, finding tremendous success with their title New World. Since its release in September, YouTubers like Sethphir and Video Game Databank have begun to carve out their own niche in the New World community, seeing their subscriber base soar into the tens of thousands. However, YouTubers may begin to suffer under the watchful eye of New World's leadership. Recently, YouTuber Video Game Databank discovered a serious bug in version 1.2 regarding aptitude levels in a single crafting attempt which purportedly resulted in his loss of 40,000 coins. Dutifully, he reported the bug to Amazon customer support. When they didn't understand his complaint, he shared a video showing the bug in action. He goes on to call this a "fatal mistake" as just two hours later the video is removed from Youtube after a manual copyright claim was invoked by Amazon. While it could be a coincidence, it certainly seems like a hostile action on behalf of the games studio as it was not an automated, AI triggered task. Someone at the studio manually filed the claim.

Read more of this story at Slashdot.

Companies and governments around the world rushed over the weekend to fend off cyberattacks looking to exploit a serious flaw in a widely used piece of Internet software that security experts warn could give hackers sweeping access to networks. From a report: Cybersecurity researchers said the bug, hidden in an obscure piece of server software called Log4j, represents one of the biggest risks seen in recent years because the code is so widely used on corporate networks. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an urgent alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly said on Saturday, "To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector." Germany's cybersecurity organization over the weekend issued a "red alert" about the bug. Australia called the issue "critical." Security experts warned that it could take weeks or more to assess the extent of the damage and that hackers exploiting the vulnerability could access sensitive data on networks and install back doors they could use to maintain access to servers even after the flawed software has been patched. "It is one of the most significant vulnerabilities that I've seen in a long time," said Aaron Portnoy, principal scientist with the security firm Randori. Security experts noted that many companies have other processes in place that would prevent a malicious hacker from running software and breaking into these companies, potentially limiting the fallout from the bug. Microsoft, in an alert to customers, said "attackers are probing all endpoints for vulnerability." Amazon.com, Twitter and Cisco were among the companies that have said they were carrying out investigations into the depth of the problem. Amazon, the world's biggest cloud computing company, said in a security alert, "We are actively monitoring this issue, and are working on addressing it."

Read more of this story at Slashdot.

Rockstar has issued an apology for the "unexpected technical issues" that marred the release of Grand Theft Auto: The Trilogy - The Definitive Edition last week and led to the quick removal of the PC version from Rockstar's online store. From a report: Last week, Rockstar said that the PC version of the game was being taken down "as we remove files unintentionally included in these versions." That led to reports that the package included copies of original soundtrack songs that had not been re-licensed for the new release. Other reports suggested that the original package accidentally included uncompiled source code and revealed some interesting programmer comments, including references to the infamous "hot coffee" scene that caused the game so much controversy back in 2005. Today, though, the developer admitted in a blog post that "the updated versions of these classic games did not launch in a state that meets our own standards of quality, or the standards our fans have come to expect." We noted some of the remaster's many issues in our initial impressions, which recommended that you skip the bundle for now. Since then, players have chronicled countless bugs and questionable "remastering" decisions. Those range from disturbing textures to eye-searing rainfall to hilariously broken cutscenes to car-inflating wiggles to odd-looking character models and plain old typos that weren't in the original game.

Read more of this story at Slashdot.

An indie developer has found an interesting observation: Though only 5.8% of his game's buyers were playing on Linux, they generated over 38% of the bug reports. Not because the Linux platform was buggier, either. Only 3 of the roughly 400 bug reports submitted by Linux users were platform specific, that is, would only happen on Linux. PC Gamer reports: The developer, posting as Koderski for developer Kodera Software on Reddit, makes indie game [Delta] V: Rings of Saturn -- that's Delta V, or DV, for the non-rocket-science-literate. [...] Koderski says he's sold a little over 12,000 copies of his game, and about 700 of those were bought by Linux players. "I got 1040 bug reports in total, out of which roughly 400 are made by Linux players," says Koderski's post. "That's one report per 11.5 users on average, and one report per 1.75 Linux players. That's right, an average Linux player will get you 650% more bug reports." Koderski's numbers are a limited sample size drawn from one person's experience, but tell a compelling story. Koderski also says that very few of those bugs were specific to Linux, being clear that "This 5.8% of players found 38% of all the bugs that affected everyone." The bug reports themselves were also pretty high quality, he said, including software and OS versions, logs, and steps for replication. Multiple commenters on the post chalked this up to the kind of people who use Linux: Software professionals, IT employees, and engineers who would already be familiar with official bug reporting processes. It's a strong theory as to why this might be, though the sheer passion that the gaming on Linux community has for anyone who supports their favorite hobby may be another.

Read more of this story at Slashdot.

"Apparently a bug in GPSD, the daemon responsible for deriving time from the GPS system, is going to trigger on October 24, 2021, jumping the time back to March of 2002," writes Slashdot reader suutar. "There's a fix that's been committed since August, but of course not everything is up to date." ZDNet's Steven J. Vaughan-Nichols writes: This will be ugly. Or, as Stephen Williams, who uncovered the bug put it, "I have a feeling that there will be some 'interesting moments' in the early morning when a bunch of the world's stratum 1 NTP servers using GPSD take the long strange trip back to 2002." GPSD maintainer Gary E. Miller has acknowledged the problem, and a fix has been made to the code. To be exact, the fix is in August 2021's GPSD 3.23 release. So, what's the problem if the fix is already in? Well, there are two problems. First, it won't be backported to previous releases. If you're still using an older version, you may be out of luck. Second, as Miller observed, not all distros "pick up GPSD updates or upstream their patches. [This] is a very sore spot with me." So, just because your operating system is up to date does not mean that it will have the necessary GPSD fix. Miller suggests that you check it and do it yourself: "I [am] gonna fall back on Greg K_H's dictum: All users must update." Oh, wondering what the mysterious root cause of all this commotion GPS Week Rollover? It's a legacy GPS problem. The GPS signal GPS week number uses a 10-bit code with a maximum value of 1,023. This means every 19.7 years; the GPS week number rolls over to zero. Or, as Miller noted, "This code is a 1024 week time warp waiting to happen." So, check your systems now for this problem. And, if, like most of us, you're relying on someone upstream from you for the correct time, check with them to make sure they've taken care of this forthcoming trouble.

Read more of this story at Slashdot.

LibreOffice and OpenOffice have pushed updates to address a vulnerability that makes it possible for an attacker to manipulate documents to appear as signed by a trusted source. Although the severity of the flaw is classified as moderate, the implications could be dire. BleepingComputer reports: The discovery of the flaw, which is tracked as CVE-2021-41832 for OpenOffice, was the work of four researchers at the Ruhr University Bochum. The same flaw impacts LibreOffice, which is a fork of OpenOffice spawned from the main project over a decade ago, and for their project is tracked as CVE-2021-25635. If you're using either of the open-source office suites, you're advised to upgrade to the latest available version immediately. For OpenOffice, that would be 4.1.10 and later, and for LibreOffice, 7.0.5 or 7.1.1 and later. Since neither of these two applications offer auto-updating, you should do it manually by downloading the latest version from the respective download centers -- LibreOffice, OpenOffice. If you're using Linux and the aforementioned versions aren't available on your distribution's package manager yet, you are advised to download the "deb", or "rpm" package from the Download center or build LibreOffice from source. If updating to the latest version is not possible for any reason, you can always opt to completely disable the macro features on your office suite, or avoid trusting any documents containing macros.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Telegram patched another image self-destruction bug in its app earlier this year. This flaw was a different issue from the one reported in 2019. But the researcher who reported the bug isn't pleased with Telegram's months-long turnaround time -- and an offered $1,159 bounty award in exchange for his silence. In February 2021, Telegram introduced a set of such auto-deletion features in its 2.6 release: Set messages to auto-delete for everyone 24 hours or 7 days after sending; Control auto-delete settings in any of your chats, as well as in groups and channels where you are an admin; and To enable auto-delete, right-click on the chat in the chat list > Clear History > Enable Auto-Delete. But in a few days, mononymous researcher Dmitrii discovered a concerning flaw in how the Telegram Android app had implemented self-destruction. Messages that should be auto-deleted from participants in private and private group chats were only 'deleted' visually [in the messaging window], but in reality, picture messages remained on the device [in] the cache," the researcher wrote in a roughly translated blog post published last week. Tracked as CVE-2021-41861, the flaw is rather simple. In the Telegram Android app versions 7.5.0 to 7.8.0, self-destructed images remain on the device in the /Storage/Emulated/0/Telegram/Telegram Image directory after approximately two to four uses of the self-destruct feature. But the UI appears to indicate to the user that the media was properly destroyed. But for a simple bug like this, it wasn't easy to get Telegram's attention, Dmitrii explained. The researcher contacted Telegram in early March. And after a series of emails and text correspondence between the researcher and Telegram spanning months, the company reached out to Dmitrii in September, finally confirming the existence of the bug and collaborating with the researcher during beta testing. For his efforts, Dmitrii was offered a $1,159 bug bounty reward. Since then, the researcher claims he has been ghosted by Telegram, which has given no response and no reward. "I have not received the promised reward from Telegram in [$1,159] or any other," he wrote.

Read more of this story at Slashdot.

A fix that was made in early June to the GNU C Library (glibc) introduced a new and nastier problem. Steven J. Vaughan-Nichols writes via ZDNet: The first problem wasn't that bad. As Siddhesh Poyarekar, a Red Hat principal software engineer wrote, "In order to mount a minimal attack using this flaw, an attacker needs many pre-requisites to be able to even crash a program using this mq_notify bug." Still, it needed patching and so it was fixed. Alas, the fix contained an even nastier bug. While checking the patch, Nikita Popov, a member of the CloudLinux TuxCare Team, found the problem. It turns out that it is possible to cause a situation where a segmentation fault could be triggered within the library. This can lead to any application using the library crashing. This, of course, would cause a Denial-of-Service (DoS) issue. This problem, unlike the earlier one, would be much easier to trigger. Whoops. Red Hat gives the problem in its Common Vulnerability Scoring System (CVSS) a score of 7.5, which is "high." An attack using it would be easy to build and requires no privileges to be made. In short, it's bad news. Popov himself thinks "every Linux application including interpreters of other languages (python, PHP) is linked with glibc. It's the second important thing after the kernel itself, so the impact is quite high." [...] The good news is both the vulnerability and code fix have been submitted to the glibc development team. It has already been incorporated into upstream glibc. In addition, a new test has been submitted to glibc's automated test suite to pick up this situation and prevent it from happening in the future. The bottom line is sometimes changed in unrelated code paths can lead to behaviors changing elsewhere without the programmer realizing what's going on. This test will catch this situation. The Linux distributors are still working out the best way to deploy the fix. In the meantime, if you want to be extra careful -- and I think you should be -- you should upgrade to the newest stable version of glibc 2.34 or higher.

Read more of this story at Slashdot.

Qualys has discovered a new systemd security bug that enables any unprivileged user to cause a denial of service via a kernel panic. Slashdot reader inode_buddha shares the news via ZDNet's Steven J. Vaughan-Nichols: As Bharat Jogi, Qualys's senior manager of Vulnerabilities and Signatures, wrote, "Given the breadth of the attack surface for this vulnerability, Qualys recommends users apply patches for this vulnerability immediately." You can say that again. Systemd is used in almost all modern Linux distributions. This particular security hole arrived in the systemd code in April 2015. It works by enabling attackers to misuse the alloca() function in a way that would result in memory corruption. This, in turn, allows a hacker to crash systemd and hence the entire operating system. Practically speaking, this can be done by a local attacker mounting a filesystem on a very long path. This causes too much memory space to be used in the systemd stack, which results in a system crash. That's the bad news. The good news is that Red Hat Product Security and systemd's developers have immediately patched the hole.

Read more of this story at Slashdot.

Facebook is adding a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it's found and reported by bug hunters. ZDNet reports: Essentially, Facebook is acknowledging that it's sometimes slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community. The Payout Time Bonus will reward reports that are paid more than 30 days from the time Facebook receives all the necessary information for a successful reproduction of the report and its impact, Facebook said. The bonuses will be paid on a sliding scale, with payouts made between 30-59 days receiving a 5% bonus; payouts made between 60-89 days receiving a 7.5% bonus; and payouts made after 90 days or more receiving a 10% bonus. Reports that require clarification from the researcher will have the payments adjusted accordingly.

Read more of this story at Slashdot.

AmiMoJo writes: Security researchers have found four major security vulnerabilities in the BIOSConnect feature of Dell SupportAssist, allowing attackers to remotely execute code within the BIOS of impacted devices. According to Dell's website, the SupportAssist software is 'preinstalled on most Dell devices running Windows operating system,' while BIOSConnect provides remote firmware update and OS recovery features. The chain of flaws discovered by Eclypsium researchers comes with a CVSS base score of 8.3/10 and enables privileged remote attackers to impersonate Dell.com and take control of the target device's boot process to break OS-level security controls. "Such an attack would enable adversaries to control the device's boot process and subvert the operating system and higher-layer security controls," Eclypsium researchers explain in a report shared in advance with BleepingComputer. "The issue affects 129 Dell models of consumer and business laptops, desktops, and tablets, including devices protected by Secure Boot and Dell Secured-core PCs," with roughly 30 million individual devices exposed to attacks.

Read more of this story at Slashdot.

McAfee has discovered a vulnerability "that allows hackers to access Peloton's bike screen," reports CNN, "and potentially spy on riders using its microphone and camera." "However, the threat most likely affects only the $2,495 bike used in public spaces, such as in hotels or gyms, because the hacker needs to physically access the screen using a USB drive containing a malicious code." According to McAfee's Advanced Threat Research team, a hacker can discreetly control the stationary bike's screen remotely and interfere with its operating system. That means hackers could, for example, install apps that look like Netflix or Spotify and steal the users' log-in information. Perhaps more alarmingly, the cybersecurity team was able spy on users via the camera and microphone, which is normally used for video chats with other users. "As a result, an unsuspecting gym-goer taking the Peloton Bike+ for a spin could be in danger of having their personal data compromised and their workout unknowingly watched," the report said. It also warned the hacker could configure this spyware at any point, including during the supply chain or delivery process, without the owner knowing... Peloton released a mandatory software update that fixes the issue to users earlier this month. The security risk doesn't affect the lower-priced Peloton Bike because it uses a different type of touchscreen.... This report marks the second security concern for Peloton in two months. In May, the fitness firm released a security update that sealed a leak that was revealing personal account information, such as a user's age, city and weight.

Read more of this story at Slashdot.

Long-time Slashdot reader wildstoo writes: In a blog post on Thursday, GitHub security researcher Kevin Backhouse announced that Polkit, a Linux system service included in several modern Linux distros that provides an organized way for non-privileged processes to communicate with privileged ones, has been harbouring a major security bug for seven years. The bug, assigned (CVE-2021-3560) allows a non-privileged user to gain administrative shell access with a handful of standard command line tools. The bug was fixed on June 3, 2021 in a coordinated disclosure. "It's used by systemd," GitHub's blog post points out, "so any Linux distribution that uses systemd also uses polkit..." "It's very simple and quick to exploit, so it's important that you update your Linux installations as soon as possible. Any system that has polkit version 0.113 (or later) installed is vulnerable. That includes popular distributions such as RHEL 8 and Ubuntu 20.04."

Read more of this story at Slashdot.

A Windows Defender bug creates thousands of small files that waste gigabytes of storage space on Windows 10 hard drives. BleepingComputer reports: The bug started with Windows Defender antivirus engine 1.1.18100.5 and will cause the C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store folder to be filled up with thousands of files with names that appear to be MD5 hashes. From a system seen by BleepingComputer, the created files range in size from 600 bytes to a little over 1KB. While the system we looked at only had approximately 1MB of files, other Windows 10 users report that their systems have been filled up with hundreds of thousands of files, which in one case, used up 30GB of storage space. On smaller SSD system drives (C:), this can be a considerable amount of storage space to waste on unnecessary files. According to Deskmodder, who first reported on this issue, the bug has now been fixed in the latest Windows Defender engine, version 1.1.18100.6.

Read more of this story at Slashdot.

A biotechnology firm has released genetically modified mosquitoes into the United States for the first time. Long-time Slashdot reader clovis shares the report via Nature: The experiment, launched this week in the Florida Keys -- over the objections of some local critics -- tests a method for suppressing populations of wild Aedes aegypti mosquitoes, which can carry diseases such as Zika, dengue, chikungunya and yellow fever. [...] Aedes aegypti makes up about 4% of the mosquito population in the Keys, a chain of tropical islands off the southern tip of Florida. But it is responsible for practically all mosquito-borne disease transmitted to humans in the region, according to the Florida Keys Mosquito Control District (FKMCD), which is working closely with Oxitec on the project. [...] In late April of this year, project researchers placed boxes containing Oxitec's mosquito eggs at six locations in three areas of the Keys. The first males are expected to emerge within the first two weeks of May. About 12,000 males will exit the boxes each week over the next 12 weeks. In a second phase later this year, intended to collect even more data, nearly 20 million mosquitoes will emerge over a period of about 16 weeks, according to Oxitec. "There is the usual opposition of the 'It's GMO, so it should not be done' variety," adds clovis. "As for ecological food chain considerations, one should know that aedes aegypti is not native to the western hemisphere. It is believed to have been imported from Africa during the slave trade era."

Read more of this story at Slashdot.

Hackers could take control of victims' computers just by tricking them into clicking on a Steam invite to play Counter Strike: Global Offensive, Motherboard reports, citing a bug filing review. From a report: A bug in the game engine used in Counter Strike: Global Offensive could be exploited by hackers to take full control of a target's machine. A security researcher alerted Valve about the bug in June of 2019. Valve is the maker of Source Engine, which is used by CS:GO, Team Fortress 2, and several other games. The researcher, who goes by the name Florian, said that while that the bug has been fixed in some games that use the Source engine, it is still present in CS:GO, and he demonstrated it in a call with Motherboard. Florian's correspondence with Valve occurred on HackerOne, the bug bounty platform used by the company to get reports about vulnerabilities. Valve admitted that it was being slow to respond, even though it classified the bug as "critical" in the thread with the researchers, which Motherboard reviewed. "I am honestly very disappointed because they straight up ignored me most of the time," Florian said in an online chat.

Read more of this story at Slashdot.

"OpenSSL, the most widely used software library for implementing website and email encryption, has patched a high-severity vulnerability that makes it easy for hackers to completely shut down huge numbers of servers," reports Ars Technica: On Thursday, OpenSSL maintainers disclosed and patched a vulnerability that causes servers to crash when they receive a maliciously crafted request from an unauthenticated end user. CVE-2021-3449, as the denial-of-server vulnerability is tracked, is the result of a null pointer dereference bug. Cryptographic engineer Filippo Valsorda said on Twitter that the flaw could probably have been discovered earlier than now. "Anyway, sounds like you can crash most OpenSSL servers on the Internet today," he added. Hackers can exploit the vulnerability by sending a server a maliciously formed renegotiating request during the initial handshake that establishes a secure connection between an end user and a server... The maintainers have rated the severity high. Researchers reported the vulnerability to OpenSSL on March 17. Nokia developers Peter Kästle and Samuel Sapalski provided the fix. Ars Technica also reports that OpenSSL "fixed a separate vulnerability that, in edge cases, prevented apps from detecting and rejecting TLS certificates that aren't digitally signed by a browser-trusted certificate authority."

Read more of this story at Slashdot.

"Three recently unearthed vulnerabilities in the Linux kernel, located in the iSCSI module used for accessing shared data storage facilities, could allow root privileges to anyone with a user account," reports SC Media: "If you already had execution on a box, either because you have a user account on the machine, or you've compromised some service that doesn't have repaired permissions, you can do whatever you want basically," said Adam Nichols, principal of the Software Security practice at GRIMM. While the vulnerabilities "are in code that is not remotely accessible, so this isn't like a remote exploit," said Nichols, they are still troublesome. They take "any existing threat that might be there. It just makes it that much worse," he explained. "And if you have users on the system that you don't really trust with root access it, it breaks them as well." Referring to the theory that 'many eyes make all bugs shallow,' Linux code "is not getting many eyes or the eyes are looking at it and saying that seems fine," said Nichols. "But, [the bugs] have been in there since the code was first written, and they haven't really changed over the last 15 years...." That the flaws slipped detection for so long has a lot to do with the sprawl of the the Linux kernel. It "has gotten so big" and "there's so much code there," said Nichols. "The real strategy is make sure you're loading as little code as possible." The bugs are in all Linux distributions, Nichols said, although the kernel driver is not loaded by default. Whether a normal user can load the vulnerable kernel module varies. They can, for instance, on all Red Hat based distros that GRIMM tested, he said. "Even though it's not loaded by default, you can get it loaded and then of course you can exploit it without any trouble...." The bugs have been patched in the following kernel releases: 5.11.4, 5.10.21, 5.4.103, 4.19.179, 4.14.224, 4.9.260, and 4.4.260. All older kernels are end-of- life and will not receive patches.

Read more of this story at Slashdot.