bug

Auto Added by WPeMatico

Software Bug Behind Biggest Telephony Outage In US History

Software Bug Behind Biggest Telephony Outage In US History

An anonymous reader writes: A software bug in a telecom provider’s phone number blacklisting system caused the largest telephony outage in US history, according to a report released by the US Federal Communications Commission (FCC) at the start of the month. The telco is Level 3, now part of CenturyLink, and the outage took place on October 4, 2016. According to the FCC’s investigation, the outage began after a Level 3 employee entered phone numbers suspected of malicious activity in the company’s network management software. The employee wanted to block incoming phone calls from these numbers and had entered each number in fields provided by the software’s GUI. The problem arose when the Level 3 technician left a field empty, without entering a number. Unbeknownst to the employee, the buggy software didn’t ignore the empty field, like most software does, but instead viewed the empty space as a “wildcard” character. As soon as the technician submitted his input, Level 3’s network began blocking all incoming and outgoing telephone calls — over 111 million in total.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
Apple's Newest iPhone X Ad Captures an Embarrassing iOS 11 Bug

Apple's Newest iPhone X Ad Captures an Embarrassing iOS 11 Bug

Tom Warren, writing for The Verge: If you blink during Apple’s latest iPhone ad, you might miss a weird little animation bug. It’s right at the end of a slickly produced commercial, where the text from an iMessage escapes the animated bubble it’s supposed to stay inside. It’s a minor issue and easy to brush off, but the fact it’s captured in such a high profile ad just further highlights Apple’s many bugs in iOS 11. 9to5Mac writer Benjamin Mayo spotted the bug in Apple’s latest ad, and he’s clearly surprised “that this was signed off for the commercial,” especially as he highlighted it months ago and has filed a bug report with Apple.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
Planting GMOs Kills So Many Bugs That It Helps Non-GMO Crops

Planting GMOs Kills So Many Bugs That It Helps Non-GMO Crops

An anonymous reader quotes a report from Ars Technica: One of the great purported boons of GMOs is that they allow farmers to use fewer pesticides, some of which are known to be harmful to humans or other species. Bt corn, cotton, and soybeans have been engineered to express insect-killing proteins from the bacterium Bacillus thuringiensis, and they have indeed been successful at controlling the crops’ respective pests. They even protect the non-Bt versions of the same crop that must be planted in adjacent fields to help limit the evolution of Bt resistance. But new work shows that Bt corn also controls pests in other types of crops planted nearby, specifically vegetables. In doing so, it cuts down on the use of pesticides on these crops, as well.

Entomologists and ecologists compared crop damage and insecticide use in four agricultural mid-Atlantic states: New Jersey, Delaware, Maryland, and Virginia. Their data came from the years before Bt corn was widespread (1976-1996) and continued after it was adopted (1996-2016). They also looked at the levels of the pests themselves: two different species of moths, commonly known as the European corn borer and corn earworm. They were named as scourges of corn, but their larvae eat a number of different crops, including peppers and green beans. After Bt corn was planted in 1996, the number of moths captured for analysis every night in vegetable fields dropped by 75 percent. The drop was a function of the percentage of Bt corn planted in the area and occurred even though moth populations usually go up with temperature. So the Bt corn more than counteracted the effect of the rising temperatures we’ve experienced over the quarter century covered by the study.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
How Are Sysadmins Handling Spectre/Meltdown Patches?

How Are Sysadmins Handling Spectre/Meltdown Patches?

Esther Schindler (Slashdot reader #16,185) writes that the Spectre and Meltdown vulnerabilities have become “a serious distraction” for sysadmins trying to apply patches and keep up with new fixes, sharing an HPE article described as “what other sysadmins have done so far, as well as their current plans and long-term strategy, not to mention how to communicate progress to management.”
Everyone has applied patches. But that sounds ever so simple. Ron, an IT admin, summarizes the situation succinctly: “More like applied, applied another, removed, I think re-applied, I give up, and have no clue where I am anymore.” That is, sysadmins are ready to apply patches — when a patch exists. “I applied the patches for Meltdown but I am still waiting for Spectre patches from manufacturers,” explains an IT pro named Nick… Vendors have released, pulled back, re-released, and re-pulled back patches, explains Chase, a network administrator. “Everyone is so concerned by this that they rushed code out without testing it enough, leading to what I’ve heard referred to as ‘speculative reboots’…”
The confusion — and rumored performance hits — are causing some sysadmins to adopt a “watch carefully” and “wait and see” approach… “The problem is that the patches don’t come at no cost in terms of performance. In fact, some patches have warnings about the potential side effects,” says Sandra, who recently retired from 30 years of sysadmin work. “Projections of how badly performance will be affected range from ‘You won’t notice it’ to ‘significantly impacted.'” Plus, IT staff have to look into whether the patches themselves could break something. They’re looking for vulnerabilities and running tests to evaluate how patched systems might break down or be open to other problems.
The article concludes that “everyone knows that Spectre and Meltdown patches are just Band-Aids,” with some now looking at buying new servers. One university systems engineer says “I would be curious to see what the new performance figures for Intel vs. AMD (vs. ARM?) turn out to be.”

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
'Critical' T-Mobile Bug Allowed Hackers To Hijack Users' Accounts

'Critical' T-Mobile Bug Allowed Hackers To Hijack Users' Accounts

An anonymous reader quotes a report from Motherboard: The vulnerability was found and reported by a security researcher on December 19 of last year, but it hasn’t been revealed until now. Within a day, T-Mobile classified it as “critical,” patched the bug, and gave the researcher a $5,000 reward. That’s good news, but it’s unclear how long the site was vulnerable and whether any malicious hackers found and exploited the bug before it was fixed. The newly disclosed bug allowed hackers to log into T-Mobile’s account website as any customer. “It’s literally like logging into your account and then stepping away from the keyboard and letting the attacker sit down,” Scott Helme, a security researcher who reviewed the bug report, told Motherboard in an online chat. Shortly after we published this story, a T-Mobile spokesperson sent us a statement: “This bug was confidentially reported through our Bug Bounty program in December and fixed within a matter of hours,” the emailed statement read. “We found no evidence of customer information being compromised.”

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
Botched npm Update Crashes Linux Systems, Forces Users to Reinstall

Botched npm Update Crashes Linux Systems, Forces Users to Reinstall

Catalin Cimpanu, reporting for BleepingComputer: A bug in npm (Node Package Manager), the most widely used JavaScript package manager, will change ownership of crucial Linux system folders, such as /etc, /usr, /boot. Changing ownership of these files either crashes the system, various local apps, or prevents the system from booting, according to reports from users who installed npm v5.7.0. — the buggy npm update. Users who installed this update — mostly developers and software engineers — will likely have to reinstall their system from scratch or restore from a previous system image.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite

Skype Can't Fix a Nasty Security Bug Without a Massive Code Rewrite

ZDNet reports of a security flaw in Skype’s updater process that “can allow an attacker to gain system-level privileges to a vulnerable computer.” If the bug is exploited, it “can escalate a local unprivileged user to the full ‘system’ level rights — granting them access to every corner of the operating system.” What’s worse is that Microsoft, which owns Skype, won’t fix the flaw because it would require the updater to go through “a large code revision.” Instead, Microsoft is putting all its resources on building an altogether new client. From the report: Security researcher Stefan Kanthak found that the Skype update installer could be exploited with a DLL hijacking technique, which allows an attacker to trick an application into drawing malicious code instead of the correct library. An attacker can download a malicious DLL into a user-accessible temporary folder and rename it to an existing DLL that can be modified by an unprivileged user, like UXTheme.dll. The bug works because the malicious DLL is found first when the app searches for the DLL it needs. Once installed, Skype uses its own built-in updater to keep the software up to date. When that updater runs, it uses another executable file to run the update, which is vulnerable to the hijacking. The attack reads on the clunky side, but Kanthak told ZDNet in an email that the attack could be easily weaponized. He explained, providing two command line examples, how a script or malware could remotely transfer a malicious DLL into that temporary folder.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
A Flaw In Hotspot Shield Can Expose VPN Users, Locations

A Flaw In Hotspot Shield Can Expose VPN Users, Locations

An anonymous reader quotes a report from ZDNet: A security researcher has found a way to identify users of Hotspot Shield, a popular free virtual private network service that promises its users anonymity and privacy. Hotspot Shield, developed by AnchorFree, has an estimated 500 million users around the world relying on its privacy service. By bouncing a user’s internet and browsing traffic through its own encrypted pipes, the service makes it harder for others to identify individual users and eavesdrop on their browsing habits. But an information disclosure bug in the privacy service results in a leak of user data, such as which country the user is located, and the user’s Wi-Fi network name, if connected. That information leak can be used to narrow down users and their location by correlating Wi-Fi network name with public and readily available data.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug
GE Fixing Bug in Software After Warning About Power Grid Hacks

GE Fixing Bug in Software After Warning About Power Grid Hacks

General Electric said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility’s power systems after researchers found that hackers could shut down parts of an electric grid. From a report: The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to “disconnect sectors of the power grid at will,” according to an abstract posted late last week on the Black Hat security conference website. Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

Read more of this story at Slashdot.

Go to Source

Posted by amiller in Blog, bug