bug

Trump Orders Government To Stop Work On Y2K Bug, 17 Years Later

The federal government will finally stop preparing for the Y2K bug, seventeen years after it came and went. Yes, you read that right. Bloomberg reports: The Trump administration announced Thursday that it would eliminate dozens of paperwork requirements for federal agencies, including an obscure rule that requires them to continue providing updates on their preparedness for a bug that afflicted some computers at the turn of the century. As another example, the Pentagon will be freed from a requirement that it file a report every time a small business vendor is paid, a task that consumed some 1,200 man-hours every year. Seven of the more than 50 paperwork requirements the White House eliminated on Thursday dealt with the Y2K bug, according to a memo OMB released. Officials at the agency estimate the changes could save tens of thousands of man-hours across the federal government. The agency didn’t provide an estimate of how much time is currently spent on Y2K paperwork, but Linda Springer, an OMB senior adviser, acknowledged that it isn’t a lot since those requirements are already often ignored in practice.

Read more of this story at Slashdot.

Posted by amiller in Blog, bug
Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator

New submitter aafrn writes: “Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator,” reports BleepingComputer. “The bug is not as bad as it sounds, as the malicious website still needs to get the user’s permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user’s knowledge. The bug’s central element is a ‘red circle and dot’ icon that Chrome usually shows when recording audio or video streams.” Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker who has tricked a user into granting permission to record audio and video records user data when the user doesn’t expect it (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn’t close the popup, the popup continues to stream audio and video from the victim’s house. Google declined to consider this a security bug.

Wormable Code-Execution Bug Lurked In Samba For 7 Years

Long-time Slashdot reader williamyf was the first to share news of “a wormable bug [that] has remained undetected for seven years in Samba versions 3.5.0 onwards.” Ars Technica reports:
Researchers with security firm Rapid7…said they detected 110,000 devices exposed on the internet that appeared to run vulnerable versions of Samba. 92,500 of them appeared to run unsupported versions of Samba for which no patch was available… Those who are unable to patch immediately can work around the vulnerability by adding the line nt pipe support = no to their Samba configuration file and restart the network’s SMB daemon. The change will prevent clients from fully accessing some network computers and may disable some expected functions for connected Windows machines.

The U.S. Department of Homeland Security’s CERT group issued an announcement urging sys-admins to update their systems, though SC Magazine cites a security researcher arguing this attack surface is much smaller than that of the WannaCry ransomware, partly because Samba is just “not as common as Windows architectures.” But the original submission also points out that while the patch came in fast, “the ‘Many eyes’ took seven years to ‘make the bug shallow’.”
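The workaround quoted above from Ars Technica is a one-line change to smb.conf, but on a fleet of hosts it is easy to leave it out, put it in the wrong section, or have it overridden by a later line. The following shell script is an added example, not code from the Slashdot post, Ars Technica, or the Samba project: it checks whether a given smb.conf already disables nt pipe support in its [global] section and, if not, emits a patched copy. The sample configuration in the demo function is constructed for illustration; the file paths are placeholders.

```sh
#!/bin/sh
# Added example, not code from the Slashdot post, Ars Technica, or the Samba
# project. It checks whether an smb.conf already carries the workaround the
# article quotes ("nt pipe support = no" in the [global] section) and, if not,
# emits a copy of the file with the line added. The sample smb.conf in the
# demo function is constructed for illustration.
#
# Samba reads parameter names case-insensitively and ignores embedded spaces,
# so "NT Pipe Support" and "ntpipesupport" are the same key; the check below
# normalises lines the same way. A later assignment overrides an earlier one.

# Exit 0 if the [global] section of $1 sets "nt pipe support" to a false value,
# 1 otherwise (including when the file has no [global] section at all).
samba_nt_pipe_disabled() {
    awk '
        {
            line = tolower($0)
            gsub(/[ \t]/, "", line)            # strip whitespace, lower-case
        }
        line == "" || line ~ /^[#;]/ { next }  # blank lines and comments
        line ~ /^\[.*\]$/ {                    # section header, e.g. [global]
            section = substr(line, 2, length(line) - 2)
            next
        }
        section == "global" {
            eq = index(line, "=")
            if (eq > 0 && substr(line, 1, eq - 1) == "ntpipesupport") {
                val = substr(line, eq + 1)
                # last assignment wins, so overwrite rather than accumulate
                found = (val == "no" || val == "false" || val == "0")
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print $1 to stdout with "nt pipe support = no" appended at the end of the
# [global] section, so it overrides any earlier value there. If the file has
# no [global] section at all, one is added at the end.
samba_add_workaround() {
    awk '
        /^[ \t]*\[/ {
            if (in_global && !done) { print "\tnt pipe support = no"; done = 1 }
            in_global = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/)
            if (in_global) seen_global = 1
        }
        { print }
        END {
            if (!done) {
                if (!seen_global) print "[global]"
                print "\tnt pipe support = no"
            }
        }
    ' "$1"
}

# Constructed demonstration: a minimal smb.conf without the workaround.
demo_samba_workaround() {
    conf=$(mktemp) && fixed=$(mktemp) || return 1
    printf '%s\n' '[global]' '   workgroup = WORKGROUP' \
        '   server string = file server' '' '[homes]' '   browseable = no' > "$conf"
    if samba_nt_pipe_disabled "$conf"; then
        echo "workaround already present"
    else
        echo "workaround missing; writing patched copy"
        samba_add_workaround "$conf" > "$fixed"
        samba_nt_pipe_disabled "$fixed" && echo "patched copy verified"
    fi
    rm -f "$conf" "$fixed"
}

demo_samba_workaround
```

After writing the patched copy into place, Samba's own `testparm -s` prints the effective configuration and is the authoritative check; the SMB daemon still has to be restarted for the change to take effect, and, as the article notes, the setting removes functionality that some Windows clients expect, so it is a stopgap until the patched version is installed.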

Two Different Studies Find Thousands of Bugs In Pacemakers, Insulin Pumps and Other Medical Devices

Two studies are warning of thousands of vulnerabilities found in pacemakers, insulin pumps and other medical devices. “One study solely on pacemakers found more than 8,000 known vulnerabilities in code inside the cardiac devices,” reports BBC. “The other study of the broader device market found only 17% of manufacturers had taken steps to secure gadgets.” From the report: The report on pacemakers looked at a range of implantable devices from four manufacturers as well as the “ecosystem” of other equipment used to monitor and manage them. Researcher Billy Rios and Dr Jonathan Butts from security company Whitescope said their study showed the “serious challenges” pacemaker manufacturers faced in trying to keep devices patched and free from bugs that attackers could exploit. They found that few of the manufacturers encrypted or otherwise protected data on a device or when it was being transferred to monitoring systems. Also, none was protected with the most basic login name and password systems or checked that devices they were connecting to were authentic. Often, wrote Mr Rios, the small size and low computing power of internal devices made it hard to apply security standards that helped keep other devices safe. In a longer paper, the pair said device makers had more work to do to “protect against potential system compromises that may have implications to patient care.” The separate study that quizzed manufacturers, hospitals and health organizations about the equipment they used when treating patients found that 80% said devices were hard to secure. Bugs in code, lack of knowledge about how to write secure code and time pressures made many devices vulnerable to attack, suggested the study.

Google Found Over 1,000 Bugs In 47 Open Source Projects

Orome1 writes:
In the last five months, Google’s OSS-Fuzz program has unearthed over 1,000 bugs in 47 open source software projects… So far, OSS-Fuzz has found a total of 264 potential security vulnerabilities: 7 in Wireshark, 33 in LibreOffice, 8 in SQLite 3, 17 in FFmpeg — and the list goes on…

Google launched the program in December and wants more open source projects to participate, so they’re offering cash rewards for including “fuzz” targets for testing in their software. “Eligible projects will receive $1,000 for initial integration, and up to $20,000 for ideal integration” — or twice that amount, if the proceeds are donated to a charity.

GE Fixing Bug in Software After Warning About Power Grid Hacks

General Electric said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility’s power systems after researchers found that hackers could shut down parts of an electric grid. From a report: The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to “disconnect sectors of the power grid at will,” according to an abstract posted late last week on the Black Hat security conference website. Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

Linux 4.11 Delayed For a Week

Linux kernel creator Linus Torvalds said over the weekend that the v4.11 version of Linux has hit a speed bump in the form of “NVMe power management that apparently causes problems on some machines.” The Register adds: “It’s not entirely clear what caused the [NVMe] issue (it wasn’t just limited to some NVMe hardware, but also particular platforms), but let’s test it.” Which sounds like a good idea, given that flash memory on the PCIe bus is increasingly mainstream. That problem and “a couple of really annoying” bugs mean that Torvalds has decided to do an eighth release candidate for Linux 4.11. “I did get fixes for the issues that popped up, so I could have released 4.11 as-is,” Torvalds wrote, “but it just doesn’t feel right.”

IRS Warns Tax Info Leaked By US Financial Aid Site

“Hackers accessed the data of up to 100,000 people through a tool that helps students get financial aid,” writes CNN. An anonymous reader quotes their report:

IRS Commissioner John Koskinen testified before the Senate Finance Committee Thursday that a breach had been discovered in the fall. In September, he said, his agency discovered that fraudsters could use someone’s personal data to fill out a financial aid application, and the “Data Retrieval Tool” would populate the application with tax information. That information could be used to file false tax returns. The commissioner said fewer than 8,000 of these returns were processed, and refunds were issued totaling $30 million…
In October, the IRS told the Department of Education that the system could be abused by criminals, but because up to 15 million people use the system for convenience, they kept it available. However, in February, the agency witnessed a pattern of fraudulent activity, and it shut down the automated tool in March.

Now financial aid seekers will have to manually enter their parents’ reported income from previous tax years — at least until a new version of the tool comes online next October. In the meantime, the IRS is alerting 100,000 users who started an application but didn’t finish it, warning them that their tax information may have been compromised.
