Bug

FalseCONNECT Vulnerability Affects Software From Apple, Microsoft, Oracle, More (softpedia.com) 32

An anonymous reader writes from a report via Softpedia: "Researcher Jerry Decime revealed details about a security vulnerability that allows an attacker to gain a Man-in-the-Middle position and intercept HTTPS traffic thanks to flaws in the implementation of proxy authentication procedures in various products," reports Softpedia. The flaw can be used to collect user credentials by tricking victims into re-authenticating, sending data to a third party. Multiple software vendors deploy applications that can handle proxy connections. Until now, Apple, Microsoft, Oracle, and Opera have acknowledged their products are affected. Lenovo said this bug does not impact its software. Other software vendors that are still evaluating the FalseCONNECT bug and may be affected include multiple Linux distros, Cisco, Google, HP, IBM, Juniper, Mozilla, Nokia, OpenBSD, SAP, Sony, and others.
Android

Linux Traffic Hijack Flaw Also Affects Most Android Phones, Tablets (zdnet.com) 39

Zack Whittaker, writing for ZDNet: As many as 80 percent of Android devices are vulnerable to a recently disclosed Linux kernel vulnerability. Security firm Lookout said in a blog post on Monday that the flaw affects all phones and tablets that are running Android 4.4 KitKat and later, which comes with the affected Linux kernel 3.6 or newer. According to recent statistics, the number of devices affected might run past 1.4 billion phones and tablets -- including devices running the Android Nougat developer preview. Windows and Macs are not affected by the vulnerability. The flaw, disclosed at the Usenix security conference last week, is complicated and difficult to exploit. If an attacker can pull off an exploit, they could inject malicious code into unencrypted web traffic from "anywhere". However, the source and destination IP address would need to be known in order to intercept the traffic, adding to the complexity of carrying out a successful attack. Exploitation isn't easy, though.
Businesses

Linux Developer Loses GPL Suit Against VMware (itwire.com) 162

An anonymous Slashdot reader quotes ITWire: Linux kernel developer Christoph Hellwig has lost his case against virtualisation company VMware, which he had sued in March 2015 for violation of version 2 of the GNU General Public Licence... The case claimed that VMware had been using Hellwig's code right from 2007 and not releasing source code as required. The Linux kernel, which is released under the GNU GPL version 2, stipulates that anyone who distributes it has to provide source code for the same...

In its ruling, the court said that Hellwig had failed to prove which specific lines of code VMware had used, from among those over which he claimed ownership.

In a statement, Hellwig said he plans to appeal, adding that "The ruling concerned German evidence law; the Court did not rule on the merits of the case, i.e. the question whether or not VMware has to license the kernel of its product vSphere ESXi 5.5.0 under the terms of the GNU General Public License, version 2." The Software Freedom Conservancy has described the lawsuit as "the regretful but necessary next step in both Hellwig and Conservancy's ongoing effort to convince VMware to comply properly with the terms of the GPLv2, the license of Linux and many other Open Source and Free Software included in VMware's ESXi products."
Cloud

New RancherOS Offers Lean Linux Functionality Within Docker Containers (rancher.com) 49

RancherOS is a lean Linux distribution aiming to offer "the minimum necessary to get Docker up and running," and tucking many actual Linux services into Docker containers. An anonymous Slashdot reader quotes Distrowatch: Josh Curl has announced the release of a new version of RancherOS [which] moves the project out of its alpha status and introduces new features, including an official Raspberry Pi image... "We're especially excited about this since it offers users a cheap method of getting started with Docker and RancherOS."
Open Source

New FreeBSD 11.0 Release Candidate Tested By Phoronix (phoronix.com) 61

"The first release candidate for the upcoming FreeBSD 11.0 is ready for testing," reports Distrowatch, noting various changes. ("A NULL pointer dereference in IPSEC has been fixed; support for SSH protocol 1 has been removed; OpenSSH DSA keys have been disabled by default...") Now an anonymous Slashdot reader writes: On Sunday Phoronix performed some early benchmark testing, comparing FreeBSD 10.3 to FreeBSD 11.0 as well as DragonFlyBSD, Ubuntu, Intel Clear Linux and CentOS Linux 7. They reported mixed results -- some wins and some losses for FreeBSD -- using a clean install with the default package/settings on the x86_64/amd64 version for each operating system.

FreeBSD 11.0 showed the fastest compile times, and "With the SQLite benchmark, the BSDs came out ahead of Linux [and] trailed slightly behind DragonFlyBSD 4.6 with HAMMER. The 11.0-BETA4 performance does appear to regress slightly for SQLite compared to FreeBSD 10.3... With the BLAKE2 crypto test, all four Linux distributions were faster than DragonFlyBSD and FreeBSD... with the Apache web server benchmark, FreeBSD was able to outperform the Linux distributions..."

Cloud

Researchers Warn Linux Vendors About Cloud-Memory Hacking Trick (thestack.com) 73

An anonymous Slashdot reader writes: Hacking researchers have uncovered a new attack technique which can alter the memory of virtual machines in the cloud. The team, based at Vrije Universiteit, Amsterdam, introduced the attack, dubbed Flip Feng Shui (FFS)... and explained that hackers could use the technique to crack the keys of secured VMs or install malicious code without it being noticed...

Using FFS, the attacker rents a VM on the same host as their chosen victim. They then write a memory page which they know exists on the vulnerable memory location and let it de-duplicate. The identical pages, with the same information, will merge in order to save capacity and be stored in the same part of memory of the physical computer. This allows the hacker to change information in the general memory of the computer.

The researchers demonstrated two attacks on Debian and Ubuntu systems -- flipping a bit to change a victim's RSA public key, and installing a software package infected with malware by altering a URL used by apt-get. "Debian, Ubuntu and other companies involved in the research were notified before the paper was published, and have all responded to the issue."
Google

Google Working On New 'Fuchsia' OS (digitaltrends.com) 146

An anonymous reader writes: Google is working on a new operating system dubbed Fuchsia OS for smartphones, computers, and various other devices. The new operating system was spotted in the Git repository, where the description reads: "Pick + Purple == Fuchsia (a new Operating System)." Hacker News reports that Travis Geiselbrecht, who worked on NewOS, BeOS, Danger, Palm's webOS and iOS, and Brian Swetland, who also worked on BeOS and Android, will be involved in this project. The Magenta and LK kernels will power the operating system. "LK is a kernel designed for small systems typically used in embedded applications," reads the repository. "On the other hand, Magenta targets modern phones and modern personal computers with fast processors, non-trivial amounts of RAM with arbitrary peripherals doing open-ended computation." It's too early to tell exactly what this OS is meant for. Whether it's for an Android and Chrome OS merger or something completely new, it's exciting nonetheless.
Operating Systems

Linux 4.9 Will Be the Next LTS Kernel Branch, Says Greg Kroah-Hartman (softpedia.com) 30

Reader prisoninmate writes: Renowned Linux kernel developer and maintainer Greg Kroah-Hartman said on Friday that the next LTS (Long-Term Support) kernel branch will be Linux 4.9. The development cycle of a new Linux kernel branch doesn't take more than a month and a half or a maximum of two months, depending on whether the respective series receives seven or eight Release Candidate (RC) milestones, but LTS releases are picked by veteran kernel developers from time to time when older ones reach end of life (EOL). If Linux kernel 4.8 is a normal release with a total of seven RCs and is announced on September 25, then the development cycle of the Linux 4.9 kernel should start with the first Release Candidate development snapshot on October 9, 2016. But if Linux kernel 4.8 has eight RCs, then we should see Linux kernel 4.9 LTS RC1 one week later, on October 16.
Operating Systems

Canonical Releases Snapcraft 2.14 For Ubuntu With New Rust Plugin, Improvements (softpedia.com) 44

Marius Nestor, reporting for Softpedia News: Canonical, through Sergio Schvezov, has had the great pleasure of announcing the release and general availability of the Snapcraft 2.14 Snap creator tool for the Ubuntu 16.04 LTS (Xenial Xerus) operating system. Coming hot on the heels of Snapcraft 2.13, the new 2.14 maintenance update is here to introduce a bunch of new plugins, namely rust, godeps, and dump. You can find more information about each one by running the "snapcraft help " command in a terminal window. Also new in the Snapcraft 2.14 release is support for alternate relocation mechanisms in the "make" plugin (for example, you can use DESTDIR alternatives), as well as many improvements to the "go" plugin, such as support for local sources, which are now preferred instead of fetching new ones, and proper handling of the source entry. The list of improvements implemented in Snapcraft 2.14 continues with support for building kernel Snaps for multiple hardware architectures using a single snapcraft.yaml file, support for "oneshot" daemons, better wiki parser source management, as well as proper setting of "shebangs" and support for requirement files in the "python" plugin.
Operating Systems

Arch Linux Is Now Officially Powered by Linux Kernel 4.7, Update Your Systems 54

Marius Nestor, writing for Softpedia: A few weeks after its official release, it finally happened: Linux kernel 4.7 has just landed in the stable software repositories of the popular, lightweight and highly customizable Arch Linux operating system. Linux kernel 4.7 is the most stable and advanced kernel branch, and only a few GNU/Linux distributions have adopted it since its launch on July 24, 2016. It's still marked as "mainline", not "stable" or "longterm", on the kernel.org website, which means that it hadn't received a maintenance update at the moment of writing this article. As for its new features, Linux kernel 4.7 comes with an updated AMDGPU graphics driver with support for AMD Radeon RX 480 GPUs, LoadPin, a brand new security module that ensures all modules loaded by the kernel originate from the same filesystem, and support for upgrading firmware using the EFI "Capsule" mechanism. Linux kernel 4.7 also marks the sync_file fencing mechanism used in the Android mobile operating system as stable and ready for production, implements support for generating virtual USB Device Controllers in USB/IP, supports parallel directory lookups, and introduces the "schedutil" frequency governor, which is faster and more accurate than the current ones.
Databases

Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers (softpedia.com) 62

An anonymous reader writes: In another installment of "Linux has malware too," security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. The odd fact about this trojan is that it includes a wormable feature that allows it to spread on its own. The trojan, named Linux.Lady, will look for Redis servers that don't have an admin account password, access the database, and then download itself on the new target. The trojan mines for the Monero cryptocurrency, the same one used by another worm called PhotoMiner, which targets vulnerable FTP servers. According to a recent Risk Based Security report from last month, there are over 30,000 Redis servers available online without a password, of which 6,000 have already been compromised by various threat actors.
Security

Linux Bug Leaves USA Today, Other Top Sites Vulnerable To Serious Hijacking Attacks (arstechnica.com) 115

Dan Goodin, reporting for Ars Technica: Computer scientists have discovered a serious Internet vulnerability that allows attackers to terminate connections between virtually any two parties and, if the connections aren't encrypted, inject malicious code or content into the parties' communications. The vulnerability resides in the design and implementation of RFC 5961, a relatively new Internet standard that's intended to prevent certain classes of hacking attacks. In fact, the protocol is designed in a way that it can easily open Internet users to so-called blind off-path attacks, in which hackers anywhere on the Internet can detect when any two parties are communicating over an active transmission control protocol connection. Attackers can go on to exploit the flaw to shut down the connection, inject malicious code or content into unencrypted data streams, and possibly degrade privacy guarantees provided by the Tor anonymity network. At the 25th Usenix Security Symposium on Wednesday, researchers with the University of California at Riverside and the US Army Research Laboratory will demonstrate a proof-of-concept exploit that allows them to inject content into an otherwise legitimate USA Today page that asks viewers to enter their e-mail and passwords.
Android

Chrome Is Nearly Ready To Talk To Your Bluetooth Devices (engadget.com) 151

Jon Fingas, writing for Engadget: Don't look now, but your web browser is about to become aware of the devices around you. After months of testing, Google has switched on broader experimental support in Chrome and Chrome OS for Web Bluetooth, which lets websites interact with your nearby Bluetooth gear. You could use a web interface to control your smart home devices, for instance, or send data directly from your heart rate monitor to a fitness coach. At the moment, trying Web Bluetooth requires the stars to align in just the right way. You'll need a pre-release version of Chrome 53, and you'll naturally want to find (or create) a website that uses the tech in the first place.
Microsoft

Linux Kernel 4.8 Adds Microsoft Surface 3 Support (betanews.com) 133

Brian Fagioli, writing for BetaNews: If you are a Windows user, and want a really great computer, you should consider Microsoft's Surface line. Not only do they serve as wonderful tablets, but with the keyboard attachment, they can be solid laptops too. While many Linux users dislike Microsoft, some of them undoubtedly envy Windows hardware. While it is possible to run Linux distros on some Surface tablets, not everything will work flawlessly. Today, release candidate 1 of Linux Kernel 4.8 is announced, and it seems a particularly interesting driver has been added -- the Surface 3 touchscreen controller. "This seems to be building up to be one of the bigger releases lately, but let's see how it all ends up. The merge window has been fairly normal, although the patch itself looks somewhat unusual: over 20 percent of the patch is documentation updates, due to conversion of the drm and media documentation from docbook to the Sphinx doc format. There are other doc updates, but that's the big bulk of it," says Linus Torvalds, Linux creator. Will Microsoft's lower-priced (starting at $499) hybrid computer become the ultimate mobile Linux machine?
Microsoft

Linux on Windows Exposes a New Attack Surface (eweek.com) 228

An anonymous Slashdot reader writes: The Linux in Windows 10 isn't running inside of a hypervisor; it's "running on the raw hardware, getting all the benefits of performance and system access, as well as expanding the potential attack surface." eWeek reports on a new threat discovered by Alex Ionescu, the chief architect at cybersecurity company CrowdStrike, which begins with the fact that "The Windows file system is also mapped to Linux, such that Linux will get access to the same files and directories."

Ionescu says "There are a number of ways that Windows applications could inject code, modify memory and add new threats to a Linux application running on Windows." According to eWeek, "The modified Linux code in turn could then call Windows APIs and get access to system calls to perform malicious actions that might not be mitigated."

Ionescu describes it as "a two-headed beast that can do a little Linux and can also be used to attack the Windows side of the system."
