The Zero Day Initiative, a zero-day security research firm, announced a new Linux kernel security bug that allows authenticated remote users to disclose sensitive information and run code on vulnerable Linux kernel versions. ZDNet reports: Originally, the Zero Day Initiative ZDI rated it a perfect 10 on the 0 to 10 common Vulnerability Scoring System scale. Now, the hole's "only" a 9.6.... The problem lies in the Linux 5.15 in-kernel Server Message Block (SMB) server, ksmbd. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the kernel context. This new program, which was introduced to the kernel in 2021, was developed by Samsung. Its point was to deliver speedy SMB3 file-serving performance.... Any distro using the Linux kernel 5.15 or above is potentially vulnerable. This includes Ubuntu 22.04, and its descendants; Deepin Linux 20.3; and Slackware 15.

Read more of this story at Slashdot.

Ars Technica reports on a dangerously "wormable" Windows vulnerability that allowed attackers to execute malicious code with no authentication required — a vulnerability that was present "in a much broader range of network protocols, giving attackers more flexibility than they had when exploiting the older vulnerability." Microsoft fixed CVE-2022-37958 in September during its monthly Patch Tuesday rollout of security fixes. At the time, however, Microsoft researchers believed the vulnerability allowed only the disclosure of potentially sensitive information. As such, Microsoft gave the vulnerability a designation of "important." In the routine course of analyzing vulnerabilities after they're patched, IBM security researcher Valentina Palmiotti discovered it allowed for remote code execution in much the way EternalBlue did [the flaw used to detonate WannaCry]. Last week, Microsoft revised the designation to critical and gave it a severity rating of 8.1, the same given to EternalBlue.... One potentially mitigating factor is that a patch for CVE-2022-37958 has been available for three months. EternalBlue, by contrast, was initially exploited by the NSA as a zero-day. The NSA's highly weaponized exploit was then released into the wild by a mysterious group calling itself Shadow Brokers. The leak, one of the worst in the history of the NSA, gave hackers around the world access to a potent nation-state-grade exploit. Palmiotti said there's reason for optimism but also for risk: "While EternalBlue was an 0-Day, luckily this is an N-Day with a 3 month patching lead time," said Palmiotti. There's still some risk, Palmiotti tells Ars Technica. "As we've seen with other major vulnerabilities over the years, such as MS17-010 which was exploited with EternalBlue, some organizations have been slow deploying patches for several months or lack an accurate inventory of systems exposed to the internet and miss patching systems altogether." Thanks to Slashdot reader joshuark for sharing the article.

Read more of this story at Slashdot.

Keylogger-like behavior has some Corsair K100 keyboard customers concerned. Several users have reported their peripheral randomly entering text into their computer that they previously typed days or weeks ago. However, Corsair told Ars Technica that the behavior is a bug, not keylogging, and it's possibly related to the keyboard's macro recording feature. From a report: A reader tipped us off to an ongoing thread on Corsair's support forum that a user started in August. The user claimed that their K100 started typing on its own while they use it with a MacBook Pro, gaming computer, and KVM switch. "Every couple of days, the keyboard has started randomly typing on its own while I am working on the MacBook. It usually seems to type messages that I previously typed on the gaming PC and it won't stop until I unplug the keyboard and plug it back in," the user, "brendenguy," wrote. Ten users seemingly responded to the thread (we can't verify the validity of each claim or account, but Corsair confirmed this is a known issue), reporting similar experiences. [...] Corsair confirmed to Ars that it's received "several" reports of the K100 acting like this but affirmed that "there's no hardware function on the keyboard that operates as a key logger." The company didn't immediately respond to follow-up questions about how many keyboards were affected. "Corsair keyboards unequivocally do not log user input in any way and do not have the ability to log individual keystrokes," Corsair's rep told Ars Technica.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Phys.Org: Bumble bees play, according to new research led by Queen Mary University of London published in Animal Behavior. It is the first time that object play behavior has been shown in an insect, adding to mounting evidence that bees may experience positive "feelings." The team of researchers set up numerous experiments to test their hypothesis, which showed that bumble bees went out of their way to roll wooden balls repeatedly despite there being no apparent incentive for doing so. The study also found that younger bees rolled more balls than older bees, mirroring human behavior of young children and other juvenile mammals and birds being the most playful, and that male bees rolled them for longer than their female counterparts. The study followed 45 bumble bees in an arena and gave them the options of walking through an unobstructed path to reach a feeding area or deviating from this path into the areas with wooden balls. Individual bees rolled balls between 1 and, impressively, 117 times over the experiment. The repeated behavior suggested that ball-rolling was rewarding. This was supported by a further experiment where another 42 bees were given access to two colored chambers, one always containing movable balls and one without any objects. When tested and given a choice between the two chambers, neither containing balls, bees showed a preference for the color of the chamber previously associated with the wooden balls. The set-up of the experiments removed any notion that the bees were moving the balls for any greater purpose other than play. Rolling balls did not contribute to survival strategies, such as gaining food, clearing clutter, or mating and was done under stress-free conditions. [...] The new research showed the bees rolling balls repeatedly without being trained and without receiving any food for doing so -- it was voluntary and spontaneous -- therefore akin to play behavior as seen in other animals. Study first-author, Samadi Galpayage, Ph.D. student at Queen Mary University of London says that "it is certainly mind-blowing, at times amusing, to watch bumble bees show something like play. They approach and manipulate these 'toys' again and again. It goes to show, once more, that despite their little size and tiny brains, they are more than small robotic beings." "They may actually experience some kind of positive emotional states, even if rudimentary, like other larger fluffy, or not so fluffy, animals do. This sort of finding has implications to our understanding of sentience and welfare of insects and will, hopefully, encourage us to respect and protect life on Earth ever more."

Read more of this story at Slashdot.

Discovering and reporting critical security flaws that could allow foreign spies to steal sensitive US government data or launch cyberattacks via the Department of Defense's IT systems doesn't carry a high reward. The Register reports: The Pentagon, in its most recent week-long Hack US program conducted with HackerOne, paid out $75,000 in bug bounties and another $35,000 in bonuses and awards to ethical hackers who disclosed critical- and high-severity vulnerabilities in Uncle Sam's networks. [...] According to bug bounty platform HackerOne and the DoD, the Hack US initiative received 648 submissions from 267 security researchers who uncovered 349 security holes. Information disclosure flaws were the most commonly reported vulnerabilities, followed by improper access controls and SQL injection. The Pentagon didn't say how many bug hunters received rewards, or how much they each earned. However, in announcing the contest earlier this year, it pledged to pay $500 or more for high-severity flaws, $1,000 for critical holes, and as much as $5,000 for specific achievements, such as $3,000 for the best finding for *.army.mil. Meanwhile, Microsoft paid $13.7 million in bug rewards spread out over 335 researchers last year, with a $200,000 Hyper-V Bounty payout as its biggest prize. And Google awarded $8.7 million during 2021. [...] It's also worth noting that the DoD's pilot vulnerability disclosure program, which ended in April, didn't pay any monetary rewards. So at least Hack US, with its paid (albeit measly) bug bounties, is a step up from that. "The most successful bug bounty programs strike an even balance between monetary and social benefits," Google's Eduardo Vela, who leads the Product Security Response Team, told The Register. "For bug hunters, there must be a monetary incentive to get them to participate -- but, there's also value in creating a space where folks can get together, connect with one another, and hack as a team. Bringing together the top bug hunters requires both -- one without the other is not enough."

Read more of this story at Slashdot.

An anonymous reader quotes a report from the Washington Post: A new estimate for the total number of ants burrowing and buzzing on Earth comes to a whopping total of nearly 20 quadrillion individuals. That staggering sum -- 20,000,000,000,000,000, or 20,000 trillion -- reveals ants' astonishing ubiquity even as scientists grow concerned a possible mass die off of insects could upend ecosystems. In a paper released Monday by the Proceedings of the National Academy of Sciences, a group of scientists from the University of Hong Kong analyzed 489 studies and concluded that the total mass of ants on Earth weighs in at about 12 megatons of dry carbon. Put another way: If all the ants were plucked from the ground and put on a scale, they would outweigh all the wild birds and mammals put together. "It's unimaginable," said Patrick Schultheiss, a lead author on the study who is now a researcher at the University of Wurzburg in Germany, in a Zoom interview. "We simply cannot imagine 20 quadrillion ants in one pile, for example. It just doesn't work." Counting all those insects -- or at least enough of them to come up with a sound estimate -- involved combining data from "thousands of authors in many different countries" over the span of a century, Schultheiss added. To tally insects as abundant as ants, there are two ways to do it: Get down on the ground to sample leaf litter -- or set tiny pitfall traps (often just a plastic cup) and wait for the ants to slip in. Researchers have gotten their boots dirty with surveys in nearly every corner of the world, though some spots in Africa and Asia lack data. "It's a truly global effort that goes into these numbers," Schultheiss said.

Read more of this story at Slashdot.

An anonymous reader quotes a report from CNET: In a new study, published Monday in the journal npj Flexible Electronics, an international team of researchers revealed it has engineered a system to remotely control the legs of cockroaches from afar. The system, which is basically a cockroach backpack wired into the creature's nervous system, has a power output about 50 times higher than previous devices and is built with an ultrathin and flexible solar cell that doesn't hinder the roach's movement. Pressing a button sends a shock to the backpack that tricks the roach into moving a certain direction. Cockroach cyborgs are not a new idea. Back in 2012, researchers at North Carolina State University were experimenting with Madagascar hissing cockroaches and wireless backpacks, showing the critters could be remotely controlled to walk along a track. The way scientists do this is by attaching the backpack and connecting wires to a cockroach's "cerci," two appendages at the end of the abdomen that are basically sensory nerves. One on the left, one on the right. Previous studies have shown electrical impulses to either side can stimulate the roach into moving in that direction, giving researchers some control over locomotion. But to send and receive signals, you need to power the backpack. You might be able to use a battery but, eventually, a battery will run out of power and the cyborg cockroach will be free to disappear into the leaf litter. The team at Riken crafted the system to be solar-powered and rechargeable. They attached a battery and stimulation module to the cockroach's thorax (the upper segment of its body). That was the first step. The second step was to make sure the solar cell module would adhere to the cockroach's abdomen, the segmented lower section of its body. [T]he Riken team tested a number of thin electronic films, subjecting their roaches to a bunch of experiments and watching how the roaches moved depending on the thickness of the film. This helped them decide on a module about 17 times thinner than a human hair. It adhered to the abdomen without greatly limiting the degree of freedom the roaches had and also stuck around for about a month, greatly outlasting previous systems. "The current system only has a wireless locomotion control system, so it's not enough to prepare an application such as urban rescue," said Kenjiro Fukuda, an expert in flexible electronics at Japan's Riken. "By integrating other required devices such as sensors and cameras, we can use our cyborg insects for such purposes." Fukuda notes the design of the ultrathin solar cell could be applied to other insects, like beetles and cicadas.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Microsoft has published a knowledge base article acknowledging a problem with encryption acceleration in the newest versions of Windows that could result in data corruption. The company recommends installing the June 2022 security updates for Windows 11 and Windows Server 2022 "to prevent further damage," though there are no suggested solutions for anyone who has already lost data because of the bug. The problems only affect relatively recent PCs and servers that support Vector Advanced Encryption Standard (VAES) instructions for accelerating cryptographic operations. Microsoft says affected systems use AES-XTS or AES-GCM instructions "on new hardware." Part of the AVX-512 instruction set, VAES instructions are supported by Intel's Ice Lake, Tiger Lake, Rocket Lake, and Alder Lake architectures -- these power some 10th-generation Core CPUs for laptops, as well as all 11th- and 12th-gen Core CPUs. AMD's upcoming Zen 4 architecture also supports VAES, though by the time these chips are released in the fall, the patches will have had plenty of time to proliferate. Microsoft says that the problem was caused when it added "new code paths" to support the updated encryption instructions in SymCrypt, Windows' cryptographic function library. These code paths were added in the initial release of Windows 11 and Windows Server 2022, so the problem shouldn't affect older versions like Windows 10 or Windows Server 2019. The initial fix for the problem, provided in Windows' June 2022 security update package (Windows 11 build 22000.778), will prevent further damage at the cost of reduced performance, suggesting that the initial fix was to disable encryption acceleration on these processors entirely. Using Bitlocker-encrypted disks or the Transport Layer Security (TLS) protocol or accessing encrypted storage on servers will all be slower with the first patch installed, though installing the July 2022 security updates (Windows 11 build 22000.795) should restore performance to its previous level.

Read more of this story at Slashdot.

Microsoft says the Outlook email client will crash when opening and reading emails with tables such as Uber receipt emails. BleepingComputer reports: "When opening, replying, or forwarding some emails that include complex tables, Outlook stops responding," the company explains in a support document. To make matters worse, emails with the same table contents will also cause the Microsoft Word app to stop responding. While the known issue affects Microsoft 365 customers in the Current Channel Version 2206 Build 15330.20196 and higher, it can also trigger freezes in current Beta and Current Channel Preview builds. The Microsoft Word team has already developed a fix that will be released to Beta channel customers soon, after undergoing verification. Microsoft added that customers using Outlook versions in the Current Channel would receive the fix as part of this month's Patch Tuesday, on August 9, 2022. For those unable to wait for the fix, Microsoft has provided a workaround that requires users to revert to an older build.

Read more of this story at Slashdot.

"An actively exploited Microsoft zero-day flaw still has no patch," Wired wrote Friday (in an article they've designated as "free for a limited time only.") Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday]. The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute Powershell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic.... The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation. But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected. The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!) Friday Microsoft went into the vulnerability's official CVE report and added this update. "Microsoft is working on a resolution and will provide an update in an upcoming release."

Read more of this story at Slashdot.

A bug in Google Docs is causing it to crash when a series of words are typed into a document opened with the online word processor. BleepingComputer reports: It's official -- Google Docs crashes at the sight of "And. And. And. And. And." when the "Show grammar suggestion" is turned on. A Google Docs user, Pat Needham brought up the issue on Google Docs Editors Help forum. [...] Another user, Sergii Dymchenko, said strings like "But. But. But. But. But." triggered the same response. Some also noticed putting any of the terms like "Also, Therefore, And, Anyway, But, Who, Why, Besides, However," in the same format achieved the outcome. Once crashed, you may not be able to easily re-access the document as doing so would trigger the crash again. BleepingComputer was able to reproduce the issue last night and reached out to Google. Google told us it is aware of the bug and working on a fix. [...] Until Google has an answer as to what causes this problem, it might be wise to turn off grammar suggestions by navigating to Tools, Spelling and grammar and unticking 'Show grammar suggestions.' If the bug has already been triggered and you're locked out of the Google Doc in question, there might be a workaround. Use the Google Docs mobile app to access the document, remove the offending words and the file should now open up gracefully on your Google Docs web version too.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Scientific American: New research, published in the journal Physiological Entomology, suggests that the palm-sized Joro spider, which swarmed North Georgia by the millions last September, has a special resilience to the cold. This has led scientists to suggest that the 3-inch (7.6 centimeters) bright-yellow-striped spiders -- whose hatchlings disperse by fashioning web parachutes to fly as far as 100 miles (161 kilometers) -- could soon dominate the Eastern Seaboard. Since the spider hitchhiked its way to the northeast of Atlanta, Georgia, inside a shipping container in 2014, its numbers and range have expanded steadily across Georgia, culminating in an astonishing population boom last year that saw millions of the arachnids drape porches, power lines, mailboxes and vegetable patches across more than 25 state counties with webs as thick as 10 feet (3 meters) deep, Live Science previously reported. Common to China, Taiwan, Japan and Korea, the Joro spider is part of a group of spiders known as "orb weavers" because of their highly symmetrical, circular webs. The spider gets its name from Jorgumo, a Japanese spirit, or Ykai, that is said to disguise itself as a beautiful woman to prey upon gullible men. True to its mythical reputation, the Joro spider is stunning to look at, with a large, round, jet-black body cut across with bright yellow stripes, and flecked on its underside with intense red markings. But despite its threatening appearance and its fearsome standing in folklore, the Joro spider's bite is rarely strong enough to break through the skin, and its venom poses no threat to humans, dogs or cats unless they are allergic. That's perhaps good news, as the spiders are destined to spread far and wide across the continental U.S., researchers say. The scientists came to this conclusion after comparing the Joro spider to a close cousin, the golden silk spider, which migrated from tropical climates 160 years ago to establish an eight-legged foothold in the southern United States. By tracking the spiders' locations in the wild and monitoring their vitals as they subjected caught specimens to freezing temperatures, the researchers found that the Joro spider has about double the metabolic rate of its cousin, along with a 77% higher heart rate and a much better survival rate in cold temperatures. Additionally, Joro spiders exist in most parts of their native Japan -- warm and cold -- which has a very similar climate to the U.S. and sits across roughly the same latitude. [...] While most invasive species tend to destabilize the ecosystems they colonize, entomologists are so far optimistic that the Joro spider could actually be beneficial, especially in Georgia where, instead of lovesick men, they kill off mosquitos, biting flies and another invasive species -- the brown marmorated stink bug, which damages crops and has no natural predators. In fact, the researchers say that the Joro is much more likely to be a nuisance than a danger, and that it should be left to its own devices.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: When Erik Johnson couldn't get his university's mobile student ID app to reliably work, he sought to find a workaround. The app is fairly important, since it allows him and every other student at his university to pay for meals, get into events and even unlock doors to dorm rooms, labs and other facilities across campus. The app is called GET Mobile, and it's developed by CBORD, a technology company that brings access control and payment systems to hospitals and universities. But Johnson -- and the many who left the app one-star reviews in frustration -- said the app was slow and would take too long to load. There had to be a better way. And so by analyzing the app's network data at the same time he unlocked his dorm room door, Johnson found a way to replicate the network request and unlock the door by using a one-tap Shortcut button on his iPhone. For it to work, the Shortcut has to first send his precise location along with the door unlock request or his door won't open. Johnson said as a security measure students have to be physically in proximity to unlock doors using the app, seen as a measure aimed at preventing accidental door openings across campus. It worked, but why stop there? If he could unlock a door without needing the app, what other tasks could he replicate? Johnson didn't have to look far for help. CBORD publishes a list of commands available through its API, which can be controlled using a student's credentials, like his. But he soon found a problem: The API was not checking if a student's credentials were valid. That meant Johnson, or anyone else on the internet, could communicate with the API and take over another student's account without having to know their password. Johnson said the API only checked the student's unique ID, but warned that these are sometimes the same as a university-issued student username or student ID number, which some schools publicly list on their online student directories, and as such cannot be considered a secret. Johnson described the password bug as a "master key" to his university -- at least to the doors that are controlled by CBORD. As for needing to be in close proximity to a door to unlock it, Johnson said the bug allowed him to trick the API into thinking he was physically present -- simply by sending back the approximate coordinates of the lock itself. The vulnerability was fixed and session keys were invalidated shortly after TechCrunch shared details of the bug with CBORD.

Read more of this story at Slashdot.

Linux programmers fixed bugs faster than anyone — in an average of just 25 days (improving from 32 days in 2019 to just 15 in 2021). That's the conclusion of Google's "Project Zero" security research team, which studied the speed of bug-fixing from January 2019 to December 2021. ZDNet reports that Linux's competition "didn't do nearly as well." For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days. By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days. Generally, everyone's getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years. As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems. Browsers problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple's web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit's programmers take an average of over 72 days to fix bugs.

Read more of this story at Slashdot.

ExpressVPN has updated its bug bounty program to make it more inviting to ethical hackers, now offering a one-time $100,000 bug bounty to whoever can compromise its systems. Bleeping Computer reports: Today, ExpressVPN announced that they are now offering a $100,000 bug bounty for critical vulnerabilities in their in-house technology, TrustedServer. "This is the highest single bounty offered on the Bugcrowd platform and 10 times higher than the top reward previously offered by ExpressVPN," the company shared in an email to BleepingComputer. The new $100,000 one-time bounty is offered with the following conditions: - The first person to submit a valid vulnerability, granting unauthorized access or exposing customer data, will receive the $100,000 bounty. This one-time bonus is valid until the prize has been claimed. - The one-time $100,000 bounty is only eligible for vulnerabilities in ExpressVPN's VPN Server. - Activities should remain in scope to the TrustedServer platform. If unsure that your testing is considered in-scope, please reach out to [email protected] to confirm first. ExpressVPN also invites security researchers to uncover possible ways to leak the actual IP address of clients and monitor user traffic. The bug bounty program is run through BugCrowd, which offers a safe harbor for researchers who attempt to breach ExpressVPN's servers as part of the program.

Read more of this story at Slashdot.

T-Mobile has officially acknowledged a bug that has blocked some subscribers from using iCloud Private Relay when connected to cellular networking. In a statement to 9to5Mac, T-Mobile blamed this situation on a bug in iOS 15.2 and said that it has "not broadly blocked" iCloud Private Relay. From the report: It's also important to note that this bug is not only affecting T-Mobile subscribers, as the company says in its statement. Instead, it's a bug that seems to affect iOS 15.2 broadly rather than T-Mobile specifically. The issue is also still present in the latest release of iOS 15.3 beta. The full statement reads: "Overnight our team identified that in the 15.2 iOS release, some device settings default to the feature being toggled off. We have shared this with Apple. This is not specific to T-Mobile. Again though, we have not broadly blocked iCloud Phone Relay." A solution to the problem that has worked for 9to5Mac in testing is to go to Settings, then choose Cellular, then choose your plan, and ensure that "Limit IP Address Tracking" is enabled. Make sure to complete these steps while WiFi is disabled and you are connected to your cellular network. T-Mobile has, however, acknowledged that are situations in which it is required to block iCloud Private Relay due to technical reasons. Namely, if your account or line has content moderation features or parental controls enabled, you will be unable to use iCloud Private Relay when connected to cellular. [...] A source has also confirmed to 9to5Mac that this also applies to certain legacy plans that include the Netflix on Us perk and have Family Allowances enabled.

Read more of this story at Slashdot.

Security researcher Trevor Spiniolas has discovered a vulnerability "capable of locking iOS devices into a spiral of freezing, crashing, and rebooting if a user connects to a sabotaged Apple Home device," reports The Verge. From the report: The vulnerability [...] can be exploited through Apple's HomeKit API, the software interface that allows an iOS app to control compatible smart home devices. If an attacker creates a HomeKit device with an extremely long name -- around 500,000 characters -- then an iOS device that connects to it will become unresponsive once it reads the device name and enter a cycle of freezing and rebooting that can only be ended by wiping and restoring the iOS device. What's more, since HomeKit device names are backed up to iCloud, signing in to the same iCloud account with a restored device will trigger the crash again, with the cycle continuing until the device owner switches off the option to sync Home devices from iCloud. Though it's possible that an attacker could compromise a user's existing HomeKit-enabled device, the most likely way the exploit would be triggered is if the attacker created a spoof Home network and tricked a user into joining via a phishing email. To guard against the attack, the main precaution for iOS users is to instantly reject any invitations to join an unfamiliar Home network. Additionally, iOS users who currently use smart home devices can protect themselves by entering the Control Center and disabling the setting "Show Home Controls." (This won't prevent Home devices from being used but limits which information is accessible through the Control Center.)

Read more of this story at Slashdot.

Kalper (Slashdot reader #57,281) shares news from Bleeping Computer: Microsoft Exchange on-premise servers cannot deliver email starting on January 1st, 2022, due to a "Year 2022" bug in the FIP-FS anti-malware scanning engine. Starting with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious email. According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine is blocking email delivery with on-premise servers starting at midnight on January 1st, 2022. Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647. However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery. When this bug is triggered, an 1106 error will appear in the Exchange Server's Event Log stating, "The FIP-FS Scan Process failed initialization. Error: 0x8004005. Error Details: Unspecified Error" or "Error Code: 0x80004005. Error Description: Can't convert "2201010001" to long." Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug. However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again... Unfortunately, with this unofficial fix, delivered mail will no longer be scanned by Microsoft's scanning engine, leading to more malicious emails and spam getting through to users.

Read more of this story at Slashdot.

An anonymous reader quotes a report from TechCrunch: As nostalgia goes, the Fisher-Price Chatter phone doesn't disappoint. The classic retro kids toy was given a modern revamp for the holiday season with the new release for adults which, unlike the original toy designed for kids, can make and receive calls over Bluetooth using a nearby smartphone. The Chatter -- despite a working rotary dial and its trademark wobbly eyes that bob up and down when the wheels turn -- is less a phone and more like a novelty Bluetooth speaker with a microphone, which activates when the handset is lifted. The Chatter didn't spend long on sale; the phone sold out quickly as the waitlists piled up. But security researchers in the U.K. immediately spotted a potential problem. With just the online instruction manual to go on, the researchers feared that a design flaw could allow someone to use the Chatter to eavesdrop. Ken Munro, founder of the cybersecurity company Pen Test Partners, told TechCrunch that chief among the concerns are that the Chatter does not have a secure pairing process to stop unauthorized phones in Bluetooth range from connecting to it. Munro outlined a series of tests that would confirm or allay his concerns. [...] The Chatter doesn't have an app, and Mattel said the Chatter phone was released as "a limited promotional item and a playful spin on a classic toy for adults." But Munro said he's concerned the Chatter's lack of secure pairing could be exploited by a nearby neighbor or a determined attacker, or that the Chatter could be handed down to kids, who could then unknowingly trigger the bug. "It doesn't need kids to interact with it in order for it to become an audio bug. Just leaving the handset off is enough," said Munro.

Read more of this story at Slashdot.

Microsoft has notified earlier this month a select group of Azure customers impacted by a recently discovered bug that exposed the source code of their Azure web apps since at least September 2017. The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted. The Record reports: The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online. All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.

Read more of this story at Slashdot.