Microsoft

Microsoft's Security Bulletins Will End In February (computerworld.com) 39

Remember how Microsoft switched to cumulative updates? Now Computerworld points out that that's bringing another change. An anonymous reader quotes their report: Microsoft next month will stop issuing detailed security bulletins, which for nearly 20 years have provided individual users and IT professionals information about vulnerabilities and their patches... A searchable database of support documents will replace the bulletins; that database has been available, albeit in preview, since November on the portal Microsoft dubbed the "Security Updates Guide," or SUG. The documents stored in the database are specific to a vulnerability on an edition of Windows, or a version of another Microsoft product. They can be sorted and filtered by the affected software, the patch's release date, its CVE identifier, and the numerical label of the KB, or "knowledge base" support document.
Redmond Magazine reports that Microsoft still plans to continue to issue its security advisories, and to issue "out-of-band" security update releases as necessary.
Ubuntu

Windows 10 Upgrade Bug Disabled Ctrl-C In Bash (infoworld.com) 277

An anonymous reader quotes InfoWorld: A massive set of changes to the Windows Subsystem for Linux (WSL) was rolled into Windows Insider build 15002... If this is any hint, Microsoft's goal is nothing short of making it a credible alternative to other Linux distributions... Some of the fixes also implement functionality that wasn't available before to Linux apps in WSL, such as support for kernel memory overcommit and previously omitted network stack options. Other changes enhance integration between WSL and the rest of Windows...

[O]ne major issue in build 15002 is that Ctrl-C in a Bash session no longer works. Microsoft provided an uncommon level of detail for how this bug crept in, saying it had to do with synchronization between the Windows and Bash development teams. The next Insider build should have a fix. But for people doing serious work with Linux command-line apps, not having Ctrl-C is a little like driving a car when only the front brakes work.

Security

Security Experts Rebut The Guardian's Report That Claimed WhatsApp Has a Backdoor (gizmodo.com) 111

William Turton, writing for Gizmodo: This morning, the Guardian published a story with an alarming headline: "WhatsApp backdoor allows snooping on encrypted messages." If true, this would have massive implications for the security and privacy of WhatsApp's one-billion-plus users. Fortunately, there's no backdoor in WhatsApp, and according to Alec Muffett, an experienced security researcher who spoke to Gizmodo, the Guardian's story is a "major league fuckwittage." [...] Fredric Jacobs, who was the iOS developer at Open Whisper Systems, the collective that designed and maintains the Signal encryption protocol, and who most recently worked at Apple, said, "Nothing new. Of course, if you don't verify keys Signal/WhatsApp/... can man-in-the-middle your communications." "I characterize the threat posed by such reportage as being fear and uncertainty and doubt on an 'anti-vaccination' scale," Muffett, who previously worked on Facebook's engineering security infrastructure team, told Gizmodo. "It is not a bug, it is working as designed and someone is saying it's a 'flaw' and pretending it is earth shattering when in fact it is ignorable." The supposed "backdoor" the Guardian is describing is actually a feature working as intended, and it would require significant collaboration with Facebook to be able to snoop on and intercept someone's encrypted messages, something the company is extremely unlikely to do. "There's a feature in WhatsApp that -- when you swap phones, get a new phone, factory reset, whatever -- when you install WhatsApp freshly on the new phone and continue a conversation, the encryption keys get re-negotiated to accommodate the new phone," Muffett told Gizmodo. Other security experts and journalists have also criticized The Guardian's story.
Operating Systems

Consumer Reports Now Recommends MacBook Pros (macrumors.com) 164

Consumer Reports has updated their report on the 2016 MacBook Pros, and is now recommending Apple's latest notebooks. MacRumors reports: In the new test, conducted running a beta version of macOS that fixes the Safari-related bug that caused erratic battery life in the original test, all three MacBook Pro models "performed well." The 13-inch model without a Touch Bar had an average battery life of 18.75 hours, the 13-inch model with a Touch Bar lasted for 15.25 hours on average, and the 15-inch MacBook Pro with Touch Bar had an average battery life of 17.25 hours. "Now that we've factored in the new battery-life measurements, the laptops' overall scores have risen, and all three machines now fall well within the recommended range in Consumer Reports ratings," reports Consumer Reports. Consumer Reports originally denied the 2016 MacBook Pro a purchase recommendation in late December due to extreme battery life variance that didn't match up with Apple's 10 hour battery life claim. Apple worked with Consumer Reports to figure out why the magazine encountered battery life issues, which led to the discovery of an obscure Safari caching bug. Consumer Reports used a developer setting to turn off Safari caching, triggering an "obscure and intermittent bug reloading icons" that drained excessive battery. The bug, fixed by Apple in macOS Sierra 10.12.3 beta 3, is not one the average user will encounter as most people don't turn off the Safari caching option, but it's something done in all Consumer Reports tests to ensure uniform testing conditions. A fix for the issue will be available to the general public when macOS Sierra 10.12.3 is released, but users can get it now by signing up for Apple's beta testing program.
Bug

Buggy Domain Validation Forces GoDaddy To Revoke SSL Certificates (threatpost.com) 33

msm1267 quotes a report from Threatpost: GoDaddy has revoked, and begun the process of re-issuing, new SSL certificates for more than 6,000 customers after a bug was discovered in the registrar's domain validation process. The bug was introduced July 29 and impacted fewer than two percent of the certificates GoDaddy issued from that date through yesterday, said vice president and general manager of security products Wayne Thayer. "GoDaddy inadvertently introduced the bug during a routine code change intended to improve our certificate issuance process," Thayer said in a statement. "The bug caused the domain validation process to fail in certain circumstances." GoDaddy said it was not aware of any compromises related to the bug. The issue did expose sites running SSL certs from GoDaddy to spoofing where a hacker could gain access to certificates and pose as a legitimate site in order to spread malware or steal personal information such as banking credentials. GoDaddy has already submitted new certificate requests for affected customers. Customers will need to take action and log in to their accounts and initiate the certificate process in the SSL Panel, Thayer said.
Portables (Apple)

Consumer Reports Updates Its MacBook Pro Review (consumerreports.org) 246

Reader TheFakeTimCook writes: Last month, the new MacBook Pro failed to receive a purchase recommendation from Consumer Reports due to battery life issues that it encountered during testing. Apple subsequently said it was working with Consumer Reports to understand the results, which it said do not match its "extensive lab tests or field data." According to an article from Consumer Reports, Apple has since concluded its work, and says it learned that Consumer Reports was using a "hidden Safari setting" which triggered an "obscure and intermittent bug" that led to inconsistent battery life results. With "normal user settings" enabled, Apple said Consumer Reports "consistently" achieved expected battery life. Apple stated: "We learned that when testing battery life on Mac notebooks, Consumer Reports uses a hidden Safari setting for developing web sites which turns off the browser cache. This is not a setting used by customers and does not reflect real-world usage. Their use of this developer setting also triggered an obscure and intermittent bug reloading icons which created inconsistent results in their lab. After we asked Consumer Reports to run the same test using normal user settings, they told us their MacBook Pro systems consistently delivered the expected battery life." Apple said it has fixed the Safari bug in the latest macOS Sierra beta seeded to developers and public testers this week.
Microsoft

Ask Slashdot: What Is the Best Way To Thank Users For Reporting Security Issues? 128

An anonymous Slashdot reader writes: I have worked in the IT field long enough to know that many issues can be avoided if users pay attention to pop-ups, security alerts, "from" addresses et al and not just machine gun click their way through things. Unfortunately, most users seem to have the "fuck it" mentality in terms of good security practices. Sometimes I will have users submit a ticket asking if an email is safe to open or if that strange 800 number that popped up in their browser is really Microsoft. When that happens I like to talk to them in person (when possible) to commend them and tell them how much trouble could be avoided if more users followed their example. I'm curious to know if anyone has ever worked somewhere with bug bounty type incentives for corporate users or if you have a unique way of thanking people for not trying to open Urgent_Invoice.exe.
It's funny.  Laugh.

Sonos Alarms Are Waking Users a Day Early (engadget.com) 38

Waking up to your favorite music is always nice, but it becomes rather annoying when you can't turn off said alarm. From a report on Engadget: That's exactly what Sonos users are experiencing and one editor on our staff dealt with the headache first hand. In fact, the alarms are also going off a day early, meaning Saturday wake-up calls were playing this morning. The company posted in its forums this morning that it's looking into the issue and recommends users delete all alarms from the Sonos app for right now. As our editor and many others have experienced, deleting the alarms is the only way to make them stop. We'll have to wait for official word on the cause, but alarms set for December 31st going off on December 30th could be a New Year's or Leap Year bug. Back in 2011, Apple had a problem with iPhone alarms not working correctly on January 1st.
Android

Some Google Pixel Devices Are Shutting Down At 30% Battery (androidauthority.com) 130

An anonymous reader quotes a report from Android Authority: It seems that some Pixel devices are affected by the same infamous shutdown bug that plagued the Nexus 6P where the device would prematurely turn off at 25 to 35 percent. The Huawei Nexus 6P has finally received the Nougat update. But ever since, Google's last ever Nexus device has been on the news, and for all the wrong reasons. Among the problems was a shutdown bug: the phone would shut down when the battery is at 30 percent or so. Well, it looks like the issue isn't unique to those Nexus 6P users. A few Reddit users are reporting that their Pixel devices are also suffering from the same shutdown bug. Some Pixel phones would prematurely shut down at or around 30 percent and would not turn back on until a charger is connected. A user by the name of vrski_15, who started the thread explains: "Twice in last 5 days, has the phone shutdown abruptly while I am in middle of something. In both instances, battery was between 25-35%, and the phone under normal conditions should have lasted for at least next 3-4 hours." With the Nexus 6P, Huawei first ruled that this was not a hardware problem but a software-related one. However, users found that the problem persisted even after downgrading to Android Marshmallow. This led Huawei to investigate further with Google, and although the company hasn't revealed the cause yet, it is probably related to the problem that these Pixel users have been experiencing.
Bug

Nevada Website Bug Leaks Thousands of Medical Marijuana Dispensary Applications (zdnet.com) 55

An anonymous reader quotes a report from ZDNet: Nevada's state government website has leaked the personal data on over 11,700 applicants for dispensing medical marijuana in the state. Each application, eight pages in length, includes the person's full name, home address, citizenship, and even their weight and height, race, and eye and hair color. The applications also include the applicant's citizenship, their driving license number (where applicable), and social security number. Security researcher Justin Shafer found the bug in the state's website portal, allowing anyone with the right web address to access and enumerate the thousands of applications. Though the medical marijuana portal can be found with a crafted Google search query, we're not publishing the web address out of caution until the bug is fixed. A spokesperson for the Nevada Dept. of Health and Human Services, which runs the medical marijuana application program, told ZDNet that the website has been pulled offline to limit the vulnerability. The spokesperson added that the leaked data was a "portion" of one of several databases.
Government

FDA Releases New Cybersecurity Guidelines For Medical Devices (theverge.com) 40

An anonymous reader quotes a report from The Verge: The U.S. Food and Drug Administration released its recommendations for how medical device manufacturers should maintain the security of internet-connected devices, even after they've entered hospitals, patient homes, or patient bodies. Unsecured devices can allow hackers to tamper with how much medication is delivered by the device -- with potentially deadly results. First issued in draft form last January, this guidance is more than a year in the making. The 30-page document (PDF) encourages manufacturers to monitor their medical devices and associated software for bugs, and patch any problems that occur. But the recommendations are not legally enforceable -- so they're largely without teeth. The FDA issued an earlier set of recommendations in October 2014 (PDF), which recommended ways for manufacturers to build cybersecurity protections into medical devices as they're being designed and developed. Today's guidance focuses on how to maintain medical device cybersecurity after devices have left the factory. The guidelines lay out steps for recognizing and addressing ongoing vulnerabilities. And they recommend that manufacturers join together in an Information Sharing and Analysis Organization (ISAO) to share details about security risks and responses as they occur. Most patches and updates intended to address security vulnerabilities will be considered routine enhancements, which means manufacturers don't have to alert the FDA every time they issue one. That is, unless someone dies or is seriously harmed because of a bug -- then the manufacturer needs to report it. Dangerous bugs identified before they harm or kill anyone won't have to be reported to the FDA as long as the manufacturer tells customers and device users about the bug within 30 days, fixes it within 60 days, and shares information about the vulnerability with an ISAO.
PHP

Millions of Websites Vulnerable Due To Security Bug In Popular PHP Script (bleepingcomputer.com) 104

An anonymous reader writes from a report via BleepingComputer: A security flaw discovered in a common PHP class allows knowledgeable attackers to execute code on a website that uses a vulnerable version of the script, which in turn can allow an attacker to take control over the underlying server. The vulnerable library is PHPMailer, a PHP script that allows developers to automate the task of sending emails using PHP code, also included with WordPress, Drupal, Joomla, and more. The vulnerability was fixed on Christmas with the release of PHPMailer version 5.2.18. Nevertheless, despite the presence of a patched version, it will take some time for the security update to propagate. Judging by past incidents, millions of sites will never be updated, leaving a large chunk of the Internet open to attacks. Even though the security researcher who discovered the flaw didn't publish any in-depth details about his findings, someone reverse-engineered the PHPMailer patch and published their own exploit code online, allowing others to automate attacks using this flaw, which is largely still unpatched due to the holiday season.
Android

Some Pixels Have Problems (techtimes.com) 69

An anonymous reader quotes Tech Times: Pixel owners have so far reported on camera issues, audio issues, LTE band 4 connectivity problems and others, but the random freezing remains among the most persistent ones. While most previous issues have already received a fix, users have been complaining about the Google Pixel or Pixel XL randomly freezing since November and it seems Google has yet to get to the bottom of this. The official Pixel User Community forum has a long thread on the matter and the discussion started a good while back [in early November]...

[U]sers reporting on the Pixel Community Forum run different apps and they haven't found a common denominator just yet, and some don't have any third-party apps at all, further suggesting that the issue might not be caused by a third-party app. On the other hand, some Pixel owners got rid of this issue by uninstalling a third-party app called Live360 Family Locator, but others didn't even have the app installed and still experienced the issues.

Despite the problems, "most Pixel owners thus far have been quite pleased with their device," notes BGR -- though Softpedia also reports on some users complaining about "static and distorted sounds when at the three highest volume levels."
Twitter

Twitter Admits It Recently Overcharged For Ads (cnn.com) 24

An anonymous reader quotes a CBS report about more bad news for Twitter: The microblogging service has acknowledged that it inadvertently overcharged some advertisers for video ads, capping off a year that has featured a failed sale of the company, the departure of six of its 10 top executives and a nearly 30% drop in its stock price. As Business Insider reported, a bug in a recent version of Twitter's Android App inflated some metrics by as much as 35% for video ad campaigns that ran between November 7 and December 12.

The San Francisco-based company issued refunds to the affected advertisers, which in many cases were for minimal amounts of money, a person familiar with the situation said. "The impact was limited given this happened only on Android clients over the course of a month," the San Francisco-based company said in a statement. "This was a technical error, not a policy or definition issue, so it has been resolved."

One analyst told CBS, "I don't think this as fatal as it is embarrassing."
Businesses

At Apple, Mac Is Getting Far Less Attention - How It Handled the New MacBook Pro Is Living Proof (bloomberg.com) 230

Apple CEO Tim Cook may have assured employees that the company is committed to Mac computers, but people working in the Mac team say the company now pays far less attention to the computer lineup, according to Bloomberg's Mark Gurman, who has been right just about every time with Apple scoops. From his report: Interviews with people familiar with Apple's inner workings reveal that the Mac is getting far less attention than it once did. They say the Mac team has lost clout with the famed industrial design group led by Jony Ive and the company's software team. They also describe a lack of clear direction from senior management, departures of key people working on Mac hardware and technical challenges that have delayed the roll-out of new computers. While the Mac generates about 10 percent of Apple sales, the company can't afford to alienate professional designers and other business customers. After all, they helped fuel Apple's revival in the late 1990s. In a stinging critique, Peter Kirn, founder of a website for music and video creators, wrote: "This is a company with no real vision for what its most creative users actually do with their most advanced machines." If more Mac users switch, the Apple ecosystem will become less sticky -- opening the door to people abandoning higher-value products like the iPhone and iPad. The report also sheds light on battery issues in the new MacBook Pro lineup that many have complained about. From the report: In the run-up to the MacBook Pro's planned debut this year, the new battery failed a key test, according to a person familiar with the situation. Rather than delay the launch and risk missing the crucial holiday shopping season, Apple decided to revert to an older design. The change required roping in engineers from other teams to finish the job, meaning work on other Macs languished, the person said. 
The new laptop didn't represent a game-changing leap in battery performance, and a software bug misrepresented hours of power remaining. Apple has since removed the meter from the top right-hand corner of the screen.
Bug

Google Releases Tool To Find Common Crypto Bugs (onthewire.io) 22

Trailrunner7 quotes a report from On the Wire: Google has released a new set of tests it uses to probe cryptographic libraries for vulnerabilities to known attacks. The tests can be used against most kinds of crypto algorithms and the company already has found 40 new weaknesses in existing algorithms. The tests are called Project Wycheproof, and Google's engineers designed them to help developers implement crypto libraries without having to become experts. Cryptographic libraries can be quite difficult to implement and making errors can lead to serious security problems. Attackers often will look for weak crypto implementations as a means of circumventing strong encryption in a target app. Among the issues that Google's engineers found with the Project Wycheproof tests is one in ECDH that allows an attacker to recover the private key in some circumstances. The bug is the result of some libraries not checking the elliptic curve points that they get from outside sources. "In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long. Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades' worth of academic literature. We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means," Daniel Bleichenbacher and Thai Duong, security engineers at Google, said in a post announcing the tool release. "Encodings of public keys typically contain the curve for the public key point. If such an encoding is used in the key exchange then it is important to check that the public and secret key used to compute the shared ECDH secret are using the same curve. Some libraries fail to do this check," Google's documentation says.
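The curve-consistency check quoted from Google's documentation is easy to state and easy to skip. The following is an added illustration written for this page, not Project Wycheproof or any library's code: a deliberately tiny elliptic curve over a 97-element field, a dict-based key encoding that carries a curve name alongside the point, and an `ecdh` routine that refuses a peer key whose named curve differs from ours and refuses a point that is not on the curve. The curve parameters, the key format and the names `CURVES`, `keygen`, `ecdh` and `rejects` are all constructed for the example; real libraries use standardised encodings and curves with large prime-order groups.

```python
# Toy ECDH with the two input checks Wycheproof-style tests probe for:
# (1) the peer's encoded key names the same curve we are using, and
# (2) the peer's point actually lies on that curve.
# Constructed example; the curves and key format are not from any real library.

# Hypothetical curve registry: y^2 = x^3 + a*x + b (mod p), with generator G.
CURVES = {
    "toy-curve-A": {"p": 97, "a": 2, "b": 3, "G": (3, 6)},   # 6^2 = 27 + 6 + 3
    "toy-curve-B": {"p": 97, "a": 5, "b": 1, "G": (0, 1)},   # 1^2 = 0 + 0 + 1
}

INFINITY = None  # the group identity


def _inv(x, p):
    """Modular inverse (Python 3.8+)."""
    return pow(x, -1, p)


def add(P, Q, curve):
    """Affine point addition, including doubling and the identity cases."""
    p, a = curve["p"], curve["a"]
    if P is INFINITY:
        return Q
    if Q is INFINITY:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INFINITY            # P + (-P), also covers doubling with y == 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * _inv(2 * y1, p) % p
    else:
        lam = (y2 - y1) * _inv(x2 - x1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, P, curve):
    """Double-and-add scalar multiplication k*P."""
    R = INFINITY
    while k:
        if k & 1:
            R = add(R, P, curve)
        P = add(P, P, curve)
        k >>= 1
    return R


def on_curve(pt, curve):
    """True if pt satisfies the curve equation (the identity is rejected here)."""
    if pt is INFINITY:
        return False
    x, y = pt
    lhs = y * y
    rhs = x ** 3 + curve["a"] * x + curve["b"]
    return (lhs - rhs) % curve["p"] == 0


def keygen(curve_name, secret):
    """Return (private_key, public_key); both encodings carry the curve name."""
    curve = CURVES[curve_name]
    public_point = mul(secret, curve["G"], curve)
    return ({"curve": curve_name, "d": secret},
            {"curve": curve_name, "point": public_point})


def ecdh(private_key, peer_public_key):
    """Shared secret (x-coordinate) after validating the peer's encoded key."""
    # Check 1: the curve named in the peer's encoding must be the curve our
    # private key belongs to. This is the check the quoted documentation says
    # some libraries omit.
    if peer_public_key["curve"] != private_key["curve"]:
        raise ValueError("curve mismatch between private and peer public key")
    curve = CURVES[private_key["curve"]]
    # Check 2: never do arithmetic on a point that is not on our curve.
    if not on_curve(peer_public_key["point"], curve):
        raise ValueError("peer point is not on the curve")
    shared = mul(private_key["d"], peer_public_key["point"], curve)
    if shared is INFINITY:
        raise ValueError("degenerate shared secret")
    return shared[0]


def rejects(private_key, peer_public_key):
    """Helper for tests: True if ecdh() refuses the peer key."""
    try:
        ecdh(private_key, peer_public_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    priv_a, pub_a = keygen("toy-curve-A", 127)
    priv_b, pub_b = keygen("toy-curve-A", 131)
    print("both sides agree:", ecdh(priv_a, pub_b) == ecdh(priv_b, pub_a))
    # Same point, but the encoding claims a different curve: rejected up front.
    forged = {"curve": "toy-curve-B", "point": pub_b["point"]}
    print("wrong curve rejected:", rejects(priv_a, forged))
```

The secrets 127 and 131 are primes larger than the largest possible group order for a curve over a 97-element field, so neither public key nor the shared secret collapses to the identity. A Wycheproof-style unit test for a real library does exactly what `rejects` does here: feed the key-agreement function a peer key whose encoding names the wrong curve, or a point off the curve, and fail the test if a shared secret comes back instead of an error.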
Security

Does Code Reuse Endanger Secure Software Development? (threatpost.com) 148

msm1267 quotes ThreatPost: The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. It's a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host. This scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability.

The real-world consequences have been demonstrated in the past few years with the Heartbleed vulnerability in OpenSSL, Shellshock in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the San Francisco Municipal Transportation Agency. These are three instances where developers reuse libraries and frameworks that contain unpatched flaws in production applications... According to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. Second, insecure code is used by a developer who doesn't exercise due diligence on the software libraries used in their project.

That seems like a one-sided take, so I'm curious what Slashdot readers think. Does code reuse endanger secure software development?
Security

Zero-Days Hitting Fedora and Ubuntu Open Desktops To a World of Hurt (arstechnica.com) 164

An anonymous reader writes: It's the year of the Linux desktop getting pwned. Chris Evans (not the red white and blue one) has released a number of Linux zero-day exploits, the most recent of which employs specially crafted audio files to compromise Linux desktop machines. Ars Technica reports: "'I like to prove that vulnerabilities are not just theoretical -- that they are actually exploitable to cause real problems,' Evans told Ars when explaining why he developed -- and released -- an exploit for fully patched systems. 'Unfortunately, there's still the occasional vulnerability disclosure that is met with skepticism about exploitability. I'm helping to stamp that out.' Like Evans' previous Linux zero-day, the proof-of-concept attacks released Tuesday exploit a memory-corruption vulnerability closely tied to GStreamer, a media framework that by default ships with many mainstream Linux distributions. This time, the exploit takes aim at a flaw in a software library alternately known as Game Music Emu and libgme, which is used to emulate music from game consoles. The two audio files are encoded in the SPC music format used in the Super Nintendo Entertainment System console from the 1990s. Both take aim at a heap overflow bug contained in code that emulates the console's Sony SPC700 processor. By changing the .spc extension to .flac and .mp3, GStreamer and Game Music Emu automatically open them."
Businesses

Businesses May No Longer Sue Customers Over Negative Reviews (thenextweb.com) 98

An anonymous reader quotes a report from The Next Web: A few months ago I wrote about the Consumer Review Fairness Act. In a nutshell, this offers legal protections to consumers who leave negative reviews on sites like Yelp and TripAdvisor. You can now call out the restaurant that gave you food poisoning, or a bed-bug infested hotel, without the risk of being dragged into a civil court. The long-overdue bill explicitly bans non-disparagement clauses in contracts between businesses and patrons. Over the years, there's been a rash of people getting sued after speaking their mind online. Today, President Obama signed off on the Consumer Review Fairness Act. It's now law. As great as this is for consumers, it's even better for the likes of TripAdvisor and Yelp, whose business model relies on people being able to speak their minds.
The Internet

David Pogue Calls Out 18 Sites For Failing His Space-Bar Scrolling Test (yahoo.com) 309

An anonymous reader quotes Yahoo Finance's David Pogue: You know this tip, don't you? When you tap the Space bar, the web page you're reading scrolls up exactly one screenful... But in recent years, something clumsy and unfortunate has happened: Web designers have begun slapping toolbars or navigation bars at the top of the page. That's fine -- except when it throws off the Space-bar scrolling! Which, most of the time, it does.

Suddenly, tapping Space doesn't scroll the right amount. The lines you were supposed to read next scroll too high; they're now cut off. Now you have to use your mouse or keyboard to scroll back down again. Which defeats the entire purpose of the Space-bar tip. Over the last few months, I've begun keeping track of which sites do Space-bar scrolling right -- and which are broken. I want to draw the public's attention to this bit of broken code, and maybe inspire the world's webmasters to get with the program.

Pogue's article announces "the world's first Space-Bar Scrolling Report Card," shaming sites like the Wall Street Journal, USA Today, The New Yorker, and Scientific American for their improperly-scrolling web sites. (As well as, ironically, Yahoo -- the parent company of the site Pogue is writing for.) Pogue writes that web programmers "should get their act together so that the scroll works as it's supposed to. (And if you work for one of those sites, and you manage to get the scrolling-bug fixed, email me so I can update this article and congratulate you.)"
