"Security researchers are blasting Apple for a feature in the latest Big Sur release of macOS that allows some Apple apps to bypass content filters and VPNs..." reports Threatpost. "While users assumed Apple would fix the flaw before the OS emerged from beta into full release, this doesn't appear to have happened." "Beginning with macOS Catalina released last year, Apple added a list of 50 Apple-specific apps and processes that were to be exempted from firewalls like Little Snitch and Lulu," explains Ars Technica: The undocumented exemption, which didn't take effect until firewalls were rewritten to implement changes in Big Sur, first came to light in October. Patrick Wardle, a security researcher at Mac and iOS enterprise developer Jamf, further documented the new behavior over the weekend. To demonstrate the risks that come with this move, Wardle — a former hacker for the NSA — demonstrated how malware developers could exploit the change to make an end-run around a tried-and-true security measure... Wardle tweeted a portion of a bug report he submitted to Apple during the Big Sur beta phase. It specifically warns that "essential security tools such as firewalls are ineffective" under the change. Apple has yet to explain the reason behind the change.

Read more of this story at Slashdot.

An anonymous reader quotes a report from NPR: Remember the "murder hornets"? You know, the terrifyingly large Asian giant hornets that are threatening to wipe out the North American bee population? Entomologists with the Washington State Department of Agriculture have now located a nest of them -- the first to be found in the U.S., the agency says. The nest was discovered in the cavity of a tree on a property in the city of Blaine, near the Canadian border. This achievement closely follows another advance: State entomologists had recently had luck trapping the hornets. This week, they were able to collect four live Asian giant hornets using a new type of trap -- and managed to attach radio trackers to three of them. One of those tagged hornets led staffers to the nest. The plan now? Destroy the nest. The agency says it intends to eradicate it on Saturday, removing the tree if necessary. Asian giant hornets are an invasive pest that prey on honeybees and other insects. "Only a couple of hornets can slaughter an entire healthy honeybee hive in just a matter of a few hours," Sven-Erik Spichiger, chief entomologist for the state's agriculture department, told NPR last week.

Read more of this story at Slashdot.

An anonymous reader quotes ZDNet: Microsoft has finally published a support document detailing its workaround for the August 2020 Patch Tuesday update for Windows 10 version 2004 that caused blue screens of deaths (BSODs) on newer Lenovo ThinkPads and broke Windows Hello biometric login... It's the same as Lenovo's earlier workaround but comes with a stern security warning from Microsoft. Microsoft also explains how Lenovo Vantage violates Microsoft's security controls in Windows. Users might bypass the BSOD screen, but they are endangering their computers by implementing the workaround, according to Microsoft. The workaround also affects some of Microsoft's latest security features for Windows 10, such as Hypervisor Code Integrity for shielding the OS from malicious drivers, as well as Windows Defender Credential Guard. "This workaround may make a computer or a network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk," Microsoft states.... The good news for affected ThinkPad users is that Microsoft and Lenovo are working together on a fix. However, Microsoft hasn't said when that will be available.

Read more of this story at Slashdot.

A team of academics from Columbia University has developed a custom tool to dynamically analyze Android applications and see if they're using cryptographic code in an unsafe way. From a report: Named CRYLOGGER, the tool was used to test 1,780 Android applications, representing the most popular apps across 33 different Play Store categories, in September and October 2019. Researchers say the tool, which checked for 26 basic cryptography rules (mentioned in the source story), found bugs in 306 Android applications. Some apps broke one rule, while others broke multiple.

Read more of this story at Slashdot.

A two-day-old decentralized cryptocurrency called YAM collapsed this week after its creators revealed that a software bug had effectively vetoed human governance. From a report: "At approximately 6PM UTC, on Wednesday, August 12, we discovered a bug in the YAM rebasing contract that would mint far more YAM than intended to sell to the Uniswap YAM/yCRV pool, sending a large amount of excess YAM to the protocol reserve," the YAM project explained in a post on Thursday. "Given YAM's governance module, this bug would render it impossible to reach quorum, meaning no governance action would be possible and funds in the treasury would be locked." The bug followed from this line of code... totalSupply = initSupply.mul(yamsScalingFactor); ...which was supposed to be⦠totalSupply = initSupply.mul(yamsScalingFactor).div(BASE); YAM, a decentralized finance experiment, implements a governance system (for making protocol changes) based on supposed smart contracts that allocates votes based on assets. [...] The code flaw locked up about $750,000 worth of Curve (yCRV) tokens in the YAM treasury, assets intended to serve as a reserve currency to support the value of YAM tokens.

Read more of this story at Slashdot.