A Bug in Browser Extension Grammarly, Now Patched, Could Have Allowed an Attacker To Read Everything Users Wrote Online ( 57

Copyediting app Grammarly included a gaping security hole that left users of its browser extension open to more embarrassment than just misspelled words. From a report: The Grammarly browser extension for Chrome and Firefox contained a "high severity bug" that was leaking authentication tokens, according to a bug report by Tavis Ormandy, a security researcher with Google's Project Zero. This meant that any website a Grammarly user visited could access the user's "documents, history, logs, and all other data," according to Ormandy. Grammarly provides automated copyediting for virtually anything you type into a browser that has the extension enabled, from blogs to tweets to emails to your attorney. In other words, there is an unfathomable number of scenarios in which this kind of major vulnerability could result in disastrous real-world consequences. Grammarly has approximately 22 million users, according to Ormandy, and the company told Gizmodo in an email that it "has no evidence that any user information was compromised" by the security hole. "We're continuing to monitor actively for any unusual activity," a Grammarly spokesperson said.

iPhone X Bug Leaves Some Users Unable To Answer Calls ( 65

Mark Wilson writes: A number of iPhone X users are complaining about a bug that leaves them unable to answer incoming calls. Reports of the bug are spreading through Apple's support forums, and the company says it is looking into the problem. People who are experiencing the bug say that when they receive a call, their iPhone X rings, but the screen does not wake up. While the problem has been around for a couple of months, complaints seem to be growing in number at the moment.

Apple Launches Free Repair Program For 'No Service' IPhone 7 Bug ( 61

Mark Wilson writes: Apple has launched a new repair program aimed at iPhone 7 users who are experiencing a "No Service" problem. Apple says that affected models that were sold since September 2016 will be repaired free of charge. The company explains that the No Service bug only affects a "small number" of handsets, and it is caused by a failed component on the main logic board...

Apple says that the problematic iPhone 7s were sold in China, Hong Kong, Japan, Macao, and the US between September 2016 and February 2018. The specific model numbers are A1660, A1780 and A1779 and anyone whose phone is displaying a "No Service" message even when signal is available is told to contact their nearest Apple Authorized Service Provider, Apple Retail Store or Apple Technical Support.


Microsoft Releases Skype As a Snap For Linux ( 166

BrianFagioli writes: While Microsoft has long been viewed as an enemy of the Linux community -- and it still is by some -- the company has actually transformed into an open source champion. One of Microsoft's biggest Linux contributions, however, is Skype -- the wildly popular communication software. By offering that program to desktop Linux users, Microsoft enables them to easily communicate with friends and family that aren't on Linux, thanks to its cross-platform support. Today, Microsoft further embraces Linux by releasing Skype as a Snap. This comes after two other very popular apps became available in Snap form -- Spotify and Slack.

"Skype is used by millions of users globally to make free video and voice calls, send files, video and instant messages and to share both special occasions and everyday moments with the people who matter most. Skype has turned to snaps to ensure its users on Linux, are automatically delivered to its latest versionupon release. And with snaps' roll-back feature, whereby applications can revert back to the previous working version in the event of a bug, Skype's developers can ensure a seamless user experience," says Canonical.


Apple is Postponing Release of New Features To iOS This Year To Focus on Reliability and Performance: Report ( 106

For a change, Apple plans to not push new features to iOS devices this year so that it could focus on reliability and quality of the software instead, Axios reported on Tuesday. From the report: Apple has been criticized of late, both for security issues and for a number of quality issues, as well as for how it handles battery issues on older devices. Software head Craig Federighi announced the revised plan to employees at a meeting earlier this month, shortly before he and some top lieutenants headed to a company offsite. Pushed into 2019 are a number of features including a refresh of the home screen and in-car user interfaces, improvements to core apps like mail and updates to the picture-taking, photo editing and sharing experiences.

Microsoft Issues Windows Out-of-Band Update That Disables Spectre Mitigations ( 90

An anonymous reader quotes BleepingComputer: Microsoft has issued on Saturday an emergency out-of-band Windows update that disables patches for the Spectre Variant 2 bug (CVE-2017-5715). The update -- KB4078130 -- targets Windows 7 (SP1), Windows 8.1, all versions of Windows 10, and all supported Windows Server distributions. Microsoft shipped mitigations for the Meltdown and Spectre bugs on January 3. The company said it decided to disable mitigations for the Spectre Variant 2 bug after Intel publicly admitted that the microcode updates it developed for this bug caused "higher than expected reboots and other unpredictable system behavior" that led to "data loss or corruption."

HP, Dell, and Red Hat took previous steps during the past week.

"We are also offering a new option -- available for advanced users on impacted devices -- to manually disable and enable the mitigation against Spectre Variant 2 (CVE 2017-5715) independently via registry setting changes..." Microsoft writes.

"We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device. "

Malwarebytes Released Two Bad Web Protection Updates ( 70

Malwarebytes had a bad day Saturday, pushing out an update "that gobbled up memory and CPU resources and turned off web protection," reports CSO. The company's forums lit up with complaints that the software was hogging 90 percent or more of memory and CPU resources. One thread about RAM usage currently is 37-pages long. Aware of the problem, Malwarebytes tweeted that "all hands" were on deck to resolve the issue. Unfortunately, even though a new update package was pushed out in about an hour, it did not fix the problem. Even after rebooting their computers, some users reported that their systems locked up as soon as the Malwarebytes Service process started as it ate large amounts of RAM.
"Two bad updates later, Malwarebytes released a fix," CSO reports, noting the company's blog post with steps to resolve the issue.

Long-time Slashdot reader marquis111 shares a link to an apology from Malwarebytes CEO Marcin Kleczynski, who says that he'll be "personally available" to discuss the problem on both the forums and at his personal email address.

'How We Made Starship Troopers' ( 589

The Guardian quotes Paul Verhoeven, the director of Starship Troopers: Robert Heinlein's original 1959 science-fiction novel was militaristic, if not fascistic. So I decided to make a movie about fascists who aren't aware of their fascism... I was looking for the prototype of blond, white and arrogant, and Casper Van Dien was so close to the images I remembered from Leni Riefenstahl's films. I borrowed from Triumph of the Will in the parody propaganda reel that opens the film, too. I was using Riefenstahl to point out, or so I thought, that these heroes and heroines were straight out of Nazi propaganda...

With a title like Starship Troopers, people were expecting a new Star Wars. They got that, but not really: it stuck in your throat. It said: "Here are your heroes and your heroines, but by the way -- they're fascists."

The actors weren't even clear on what the giant arachnids would look like, since their "Bug" battles were filmed entirely with green screens, remembers one of the movie's stars, Denise Richards. Instead Verhoeven "would be there jumping up and down with a broom in the air so we would have a sense of how big they were."

Verhoeven told one interviewer that he never actually read Robert Heinlein's original book. "I stopped after two chapters because it was so boring. It is really quite a bad book."

Dell and HP Advise All Their Customers To Not Install Spectre BIOS Updates ( 88

An anonymous reader writes: The Spectre and Meltdown mess continues with Dell now recommending their customers to not install the BIOS updates that are supposed to resolve the Spectre (Variant 2) vulnerabilities. These updates have been causing numerous problems for users including performance issues, boot issues, reboot issues, and general system stability. Due to this, Dell EMC has updated its knowledgebase article with a statement advising customers to not install the BIOS update and to potentially rollback to the previous BIOS if their computers are exhibiting "unpredictable system behavior". ZDNet reports that HP too has issued a similar advisory. The computer manufacturer pulled its softpaqs BIOS updates with Intel's patches from its website, and said it would be releasing a BIOS update with a previous version of Intel's microcode on Thursday.

Apple Releases Meltdown and Spectre Fixes For Older Versions of MacOS ( 39

An anonymous reader quotes a report from Neowin: Apple released its round of bug fix/security updates -- including iOS 11.2.5, macOS 10.13.3 High Sierra, watchOS 4.2.2, and tvOS 11.2.5 -- today. In doing so, it also offered some security updates for Macs running older versions of its OS, including OS X 10.11 El Capitan and macOS 10.12 Sierra. The security updates mainly focus on the Meltdown and Spectre vulnerabilities, which were fixed for High Sierra users a couple of weeks ago. OS X 10.11.6 El Capitan got the smallest update, including fixes for IOHIDFamily, Kernel, QuartzCore, and Wi-Fi. As for the Sierra update, it's available for machines that are running macOS 10.12.6. It includes the above fixes, but it also includes improvements for Audio, LinkPresentation, Security, and there's an additional Kernel fix.

Intel Urges OEMs and End Users To Stop Deploying Spectre Patch As It May 'Introduce Higher Than Expected Reboots' ( 155

Intel executive vice president Neil Shenoy said on Monday that the chip-maker has identified the source of some of the recent problems, so it is now recommended that users skip the available patches. From the blog post: We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.

Linus Torvalds Calls Intel Patches 'Complete and Utter Garbage' ( 507

An anonymous reader writes: On the Linux Kernel Mailing List, Linus Torvalds ended up responding to a long-time kernel developer (and former Intel engineer) who'd been describing a new microcode feature addressing Indirect Branch Restricted Speculation "where a future CPU will advertise 'I am able to be not broken' and then you have to set the IBRS bit once at boot time to *ask* it not to be broken."

Linus calls it "very much part of the whole 'this is complete garbage' issue. The whole IBRS_ALL feature to me very clearly says 'Intel is not serious about this, we'll have a ugly hack that will be so expensive that we don't want to enable it by default, because that would look bad in benchmarks'. So instead they try to push the garbage down to us. And they are doing it entirely wrong, even from a technical standpoint. I'm sure there is some lawyer there who says 'we'll have to go through motions to protect against a lawsuit'. But legal reasons do not make for good technology, or good patches that I should apply."

Later Linus says forcefully that these "complete and utter garbage" patches are being pushed by someone "for unclear reasons" -- and adds another criticism. The whole point of having cpuid and flags from the microarchitecture is that we can use those to make decisions. But since we already know that the IBRS overhead is huge on existing hardware, all those hardware capability bits are just complete and utter garbage. Nobody sane will use them, since the cost is too damn high. So you end up having to look at "which CPU stepping is this" anyway. I think we need something better than this garbage.

Top Bug Hunters Make 2.7 Times More Money Than an Average Software Engineer ( 67

An anonymous reader shares a report: A survey of 1,700 bug bounty hunters registered on the HackerOne platform reveals that top white-hat hackers make on average 2.7 times more money than the average salary of a software engineer in the same country. The reported numbers are different for each country and may depend on a bug bunter's ability to find bugs, but the survey's results highlight the rising popularity of bug hunting as a sustainable profession, especially in less developed countries, where it can help talented programmers live a financially care-free life. According to HackerOne's report, it pays to be a vulnerability researcher in India, where top bug hunters can make 16 times more compared to the average salary of a software engineer. Other countries where bug hunting can assure someone a comfortable living are Argentina (x15.6), Egypt (x8.1), Hong Kong (x7.6), the Philippines (x5.4), and Latvia (x5.2).
Wireless Networking

Google Releases Fix For Chromecast Wi-Fi Crashes ( 32

An anonymous reader quotes a report from ZDNet: Google on Wednesday said it will release an update Jan. 18 to fix a bug in Cast software on Android phones that dramatically slows down WiFi networks. Reports have been circulating this week that the Google Home Max speaker can knock the TP-Link Archer C7 router offline. In a support page, Google explains a bug caused the Cast software that connects with Chromecast devices to send a large amount of network traffic routers can't handle. Google said the update will roll out via a Google Play services update. Until the update is released, Google advises users to try rebooting their Android phone, and check that their WiFi router is updated with the latest firmware. Google didn't list specific routers impacted by the bug, but reports have indicated routers from Linksys and Synology are seeing network crashes as well.

'Text Bomb' Is Latest Apple Bug ( 60

An anonymous reader quotes a report from the BBC: A new "text bomb" affecting Apple's iPhone and Mac computers has been discovered. Abraham Masri, a software developer, tweeted about the flaw which typically causes an iPhone to crash and in some cases restart. Simply sending a message containing a link which pointed to Mr Masri's code on programming site GitHub would be enough to activate the bug -- even if the recipient did not click the link itself. Mr Masri said he "always reports bugs" before releasing them. Apple has not yet commented on the issue. On a Mac, the bug reportedly makes the Safari browser crash, and causes other slowdowns. Security expert Graham Cluley wrote on his blog that the bug does not present anything to be particularly worried about -- it's merely very annoying. After the link did the rounds on social media, Mr Masri removed the code from GitHub, therefore disabling the "attack" unless someone was to replicate the code elsewhere.

Intel Says Newer Chips Also Hit by Unwanted Reboots After Patch ( 115

Intel says the unexpected reboots triggered by patching older chips affected by Meltdown and Spectre are happening to its newer chips, too. From a report: Intel confirmed in an update late Wednesday that not only are its older Broadwell and Haswell chips tripping up on the firmware patches, but newer CPUs through to the latest Kaby Lake chips are too. The firmware updates do protect Intel chips against potential Spectre attacks, but machines with Ivy Bridge, Sandy Bridge, Skylake, and Kaby Lake architecture processors are rebooting more frequently once the firmware has been updated, Intel said. Intel has also updated its original Meltdown-Spectre advisory with a new warning about the stability issues and recommends OEMs and cloud providers test its beta silicon microcode updates before final release. These beta releases, which mitigate the Spectre Variant 2 CVE-2017-5715 attack on CPU speculative execution, will be available next week.

Now Meltdown Patches Are Making Industrial Control Systems Lurch ( 98

Patches for the Meltdown vulnerability are causing stability issues in industrial control systems. From a report: SCADA vendor Wonderware admitted that Redmond's Meltdown patch made its Historian product wobble. "Microsoft update KB4056896 (or parallel patches for other Operating System) causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC," an advisory on Wonderware's support site explains. Rockwell Automation revealed that the same patch had caused issues with Studio 5000, FactoryTalk View SE, and RSLinx Classic (a widely used product in the manufacturing sector). "In fairness [this] may be RPC [Remote Procedure Call] change related," said cybersecurity vulnerability manager Kevin Beaumont.

VMware Bug Allowed Root Access ( 33

c4231 quotes Ars Technica: While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell's EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools -- EMC Avamar, EMC NetWorker, EMC Integrated Data Protection Appliance, and vSphere Data Protection -- could allow an attacker to gain root access to the systems or to specific files, or inject malicious files into the server's file system. These problems can only be fixed with upgrades. While the EMC vulnerabilities were announced late last year, VMware only became aware of its vulnerability last week.

Erroneous 'Spam' Flag Affected 102 npm Packages ( 84

There was some trouble last weekend at the world's largest package repository. An anonymous reader quotes the official npm blog: On Saturday, January 6, 2018, we incorrectly removed the user floatdrop and blocked the discovery and download of all 102 of their packages on the public npm Registry. Some of those packages were highly depended on, such as require-from-string, and removal disrupted many users' installations... Within 60 seconds, it became clear that floatdrop was not a spammer -- and that their packages were in heavy use in the npm ecosystem. The staffer notified colleagues and we re-activated the user and began restoring the packages to circulation immediately. Most of the packages were restored quickly, because the restoration was a matter of unsetting the deleted tombstones in our database, while also restoring package data tarballs and package metadata documents. However, during the time between discovery and restoration, other npm users published a number of new packages that used the names of deleted packages. We locked this down once we discovered it, but cleaning up the overpublished packages and inspecting their contents took additional time...

In cases where the npm staff accepts a user's request to delete a package, we publish a replacement package by the same name -- a security placeholder. This both alerts those who had depended on it that the original package is no longer available and prevents others from publishing new code using that package name. At the time of Saturday's incident, however, we did not have a policy to publish placeholders for packages that were deleted if they were spam. This made it possible for other users to publish new versions of eleven of the removed packages. After a thorough examination of the replacement packages' contents, we have confirmed that none was malicious or harmful. Ten were exact replacements of the code that had just been removed, while the eleventh contained strings of text from the Bible -- and its publisher immediately contacted npm to advise us of its publication.

They're now implementing a 24-hour cooldown on republication of any deleted package names -- and are also updating their review process. "As a general rule, the npm Registry is and ought to be immutable, just like other package registries such as RubyGems and However, there are legitimate cases for removing a package once it has been published. In a typical week, most of the npm support team's work is devoted to handling user requests for package deletion, which is more common than you might expect. Many people publish test packages then ask to have them deprecated or deleted. There also is a steady flow of requests to remove packages that contain contain private code that users have published inadvertently or inappropriately."
The Almighty Buck

Cryptocurrency Exchange Kraken Suddenly Goes Dark For Two Days ( 118

An anonymous reader quotes the San Francisco Chronicle: One of the biggest cryptocurrency exchanges was down more than 40 hours this week, causing clients to freak out... San Francisco's Kraken went offline at 9 p.m. on Wednesday for maintenance that was initially scheduled to last two hours, plus an additional two to three hours for withdrawals, according to an announcement on the company's website. "We are still working to resolve the issues that we have identified and our team is working around the clock to ensure a smooth upgrade," according to a status update on Kraken's website posted early Friday. "This means it may still take several hours before we can relaunch." Shortly after noon, the company said it was "still working to track down an elusive bug which is holding up launch." It promised customers "a substantial amount of free trading" after the problem was resolved. In previous updates, Kraken mentioned it is working on "unexpected and delicate issues" and assured clients their funds were secure, adding that "Yes, this is our new record for downtime since we launched in 2013. No, we're not proud of it."
It's 53 hours after the downtime began, and their web page is still showing the same announcement.

"Kraken is presently offline for maintenance."

Slashdot Top Deals