×
Security

Ubuntu Linux Impacted By Decade-Old 'needrestart' Flaw That Gives Root (bleepingcomputer.com) 30

Five local privilege escalation (LPE) vulnerabilities in the Linux utility "needrestart" -- widely used on Ubuntu to manage service updates -- allow attackers with local access to escalate privileges to root. The flaws were discovered by Qualys in needrestart version 0.8, and fixed in version 3.8. BleepingComputer reports: Complete information about the flaws was made available in a separate text file, but a summary can be found below:

- CVE-2024-48990: Needrestart executes the Python interpreter with a PYTHONPATH environment variable extracted from running processes. If a local attacker controls this variable, they can execute arbitrary code as root during Python initialization by planting a malicious shared library.
- CVE-2024-48992: The Ruby interpreter used by needrestart is vulnerable when processing an attacker-controlled RUBYLIB environment variable. This allows local attackers to execute arbitrary Ruby code as root by injecting malicious libraries into the process.
- CVE-2024-48991: A race condition in needrestart allows a local attacker to replace the Python interpreter binary being validated with a malicious executable. By timing the replacement carefully, they can trick needrestart into running their code as root.
- CVE-2024-10224: Perl's ScanDeps module, used by needrestart, improperly handles filenames provided by the attacker. An attacker can craft filenames resembling shell commands (e.g., command|) to execute arbitrary commands as root when the file is opened.
- CVE-2024-11003: Needrestart's reliance on Perl's ScanDeps module exposes it to vulnerabilities in ScanDeps itself, where insecure use of eval() functions can lead to arbitrary code execution when processing attacker-controlled input.
The report notes that attackers would need to have local access to the operation system through malware or a compromised account in order to exploit these flaws. "Apart from upgrading to version 3.8 or later, which includes patches for all the identified vulnerabilities, it is recommended to modify the needrestart.conf file to disable the interpreter scanning feature, which prevents the vulnerabilities from being exploited," adds BleepingComputer.
Security

D-Link Tells Users To Trash Old VPN Routers Over Bug Too Dangerous To Identify (theregister.com) 112

Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. From a report: Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier or really said much about it at all other than that it's a buffer overflow bug that leads to unauthenticated RCE.

Unauthenticated RCE issues are essentially as bad as vulnerabilities get, and D-Link warned that if customers continued to use the affected products, the devices connected to them would also be put at risk. Previous bugs in similar products from other vendors have carried warnings that attackers could exploit them to install rootkits and use that persistent access to surveil an organization's web traffic, potentially stealing data such as credentials.
Further reading: D-Link Won't Fix Critical Flaw Affecting 60,000 Older NAS Devices.
Security

Apple Says Mac Users Targeted in Zero-Day Cyberattacks (techcrunch.com) 7

Apple has pushed out security updates that it says are "recommended for all users," after fixing a pair of security bugs used in active cyberattacks targeting Mac users. From a report: In a security advisory on its website, Apple said it was aware of two vulnerabilities that "may have been actively exploited on Intel-based Mac systems." The bugs are considered "zero day" vulnerabilities because they were unknown to Apple at the time they were exploited.

[...] The vulnerabilities were reported by security researchers at Google's Threat Analysis Group, which investigates government-backed hacking and cyberattacks, suggesting that a government actor may be involved in the attacks.

Microsoft

Microsoft Rolls Out Recovery Tools After CrowdStrike Incident 55

Microsoft has announced sweeping changes to Windows security architecture, including new recovery capabilities designed to prevent system-wide outages following July's CrowdStrike incident that disabled 8.5 million Windows devices.

The Windows Resiliency Initiative introduces Quick Machine Recovery, allowing IT administrators to remotely fix unbootable systems through an enhanced Windows Recovery Environment. Microsoft is also mandating stricter testing and deployment practices for security vendors under its Microsoft Virus Initiative, including gradual rollouts and monitoring procedures.

The company is also developing a framework to move antivirus processing outside the Windows kernel, with a preview planned for security partners in July 2025.
Security

Court Documents: Spyware Group NSO's Pegasus Targeted Up To 'Tens of Thousands' 18

WhatsApp's newly unsealed court documents have exposed the extensive reach of NSO Group's Pegasus spyware operation, which targeted "between hundreds and tens of thousands" of devices, according to testimony from the company's head of research and development. The Israeli surveillance firm charged government customers up to $6.8 million for one-year licenses, generating at least $31 million in revenue in 2019 alone, TechCrunch first reported.

The documents detail previously unknown hacking tools named "Hummingbird," "Eden," and "Heaven," developed specifically to compromise WhatsApp users' devices. The revelations emerge from WhatsApp's ongoing 2019 lawsuit against NSO Group for alleged violations of U.S. anti-hacking laws.

Further reading: NSO, Not Government Clients, Operates Its Spyware.
Windows

Windows 365 Link is a $349 Mini PC That Streams Windows From the Cloud (theverge.com) 117

Microsoft is planning to launch a new purpose-built miniature PC for its Windows 365 cloud service next year. The Verge: Windows 365 Link is a $349 device that acts like a thin client PC to connect to the cloud and stream a version of Windows 11. The Link device is designed to be a compact, fanless, and easy-to-use cloud PC for your local monitors and peripherals. It's meant to be the ideal companion to Microsoft's Windows 365 service, which lets businesses transition employees over to virtual machines that exist in the cloud and can be streamed securely to multiple devices. Windows 365 Link cannot run local apps.
Windows

After 30 Years, We Finally Know Why Windows 95's Installer Juggled Three Operating Systems 80

In a technical blog post, Microsoft veteran Raymond Chen has explained why Windows 95's installation process required users to pass through three different operating systems -- MS-DOS, Windows 3.1, and Windows 95. The design choice stemmed from the need to support upgrades from multiple starting points while maintaining a graphical user interface throughout the process.

Rather than creating separate installers for MS-DOS, Windows 3.1, and Windows 95 users, developers opted for a unified approach using three chained setup programs. The process began with installing a minimal version of Windows 3.1 when starting from MS-DOS, followed by a 16-bit Windows application that handled core installation tasks, and concluded with a 32-bit Windows 95 program for final configuration steps.
Apple

Apple Appears Set To Discontinue Lightning-to-Headphone Adapter (macrumors.com) 86

Apple has stopped selling its Lightning-to-3.5mm headphone jack adapter in the U.S. and most countries, with limited stock remaining only in select European markets. The $9 accessory, introduced with iPhone 7 in 2016 (after the "courageous" move to stop including the headphone jack in iPhones), allowed users to connect traditional headphones to Lightning port iPhones. The discontinuation comes as Apple transitions to USB-C ports across its iPhone lineup.
Government

What Happened When a Washington County Tried a 32-Hour Workweek? (cnn.com) 117

On a small network of islands north of Seattle, Washington, San Juan County just completed its first full year of 32-hour workweeks, reports CNN.

And Tuesday the county released a report touting "a host of positive outcomes — from recruiting to retention to employee happiness — and a cost savings of more than $975,000 compared to what the county would have paid if it met the union's pay increase demands." The county said the 32-hour workweek has attracted a host of new talent: Applications have spiked 85.5% and open positions are being filled 23.75% faster, while more employees are staying in their jobs — separation (employees quitting or retiring) dropped by 48%. And 84% of employees said their work-life balance was better. "This is meeting many of the goals that we set out to do when we implemented it," County Manager Jessica Hudson said. said, noting the county is looking for opportunities to expand the initiative...

Departments across San Juan County have implemented the 32-hour workweek differently, some staggering staffing to maintain their previous availability to the public while others have shortened schedules to be open just four days a week... "I tell people, you're not going to see things change from your perspective," said Joe Ingman, a park manager in the county. "Offices are going to stay open, bathrooms are going to get cleaned, grass is going to get mowed." His department adjusted schedules to stay staffed seven days a week, and while communication across shifts was an initial hurdle, issues were quickly ironed out. "It was probably the smoothest summer I've had, and I've been working in parks for over a decade," he said, crediting the new schedule as a boon for recruiting. While job postings used to languish unfilled for months, last summer the applicant pool was not only bigger but more qualified, and the two staffers he hired both cited coming to the county because of the 32-hour workweek.

"It's no more cost to the public to work 32 hours — but we have better applicants," he said. Ingman also said the four-day workweek has done wonders for his job satisfaction; he'd watched colleagues burn out for years, but now sees a path for his own future in the department... County employees have used their extra time off to spend less money on childcare, volunteer in their kids' schools, and contribute to the community... While San Juan County's motivation in adopting a shortened workweek was financial, the benefits its employees cite speak to a larger trend, as workplaces around the country increasingly explore flexible schedules to combat burnout and attract and retain talent.

A survey of CEOs this spring found nearly one third of large US companies were looking into solutions like four-day or four-and-a-half-day workweeks... Even without a reduction in total hours, a Gallup poll last year found a third day off would be widely embraced: 77% of US workers said a 4-day, 40-hour workweek would have a positive impact on their wellbeing.

One worker shared their thoughts with CNN. "Life shouldn't be about just working yourself into the ground..." And they added that "So far, I feel happy; I feel seen as an employee and as a human, and I feel like it could be a beautiful step forward for other people if we just trust it and try it."

They even had some advice for other employers. "Change happens by somebody actually doing the change. The only way we're going to find out if it works is by doing."
Businesses

Amazon Makes It Harder for Disabled Employees to Work From Home (yahoo.com) 63

"Amazon is making it harder for disabled employees to get permission to work from home," reports Bloomberg, a move they say shows Amazon's "determination" to enforce a five-days-a-week return to the office. The company recently told employees with disabilities that it was implementing a more rigorous vetting process, both for new requests to work from home and applications to extend existing arrangements. Affected workers must submit to a "multilevel leader review" and could be required to return to the office for monthlong trials to determine if accommodations meet their needs... Affected employees are receiving calls from "accommodation consultants" who explain how the new policy works. They review medical documentation and discuss how effective working from home has been for employees who've already received an accommodation as well as any previous attempts to help the person work in the office. If the consultant agrees that the person should be allowed to work from home, another Amazon manager must sign off. If they don't, the request goes to a third manager...

Some workers fear the process was designed to make requests less likely to be approved, two employees said. In internal chat rooms, according to one of them, employees have accused [Chief Executive Officer Andy] Jassy of hypocrisy because the bureaucratic process belies his stated determination to cut through red tape that he says is slowing Amazon down.

"Jassy says the return-to-office requirement will strengthen the company's culture, which he believes has suffered since the pandemic and become overly bureaucratic," the article points out. But it adds that down at the workforce level, the move "is seen by some employees as a way to get people to quit and shrink the workforce."
Stats

Is Remote Working Causing an Exodus to the Exurbs? (apnews.com) 117

Last year 30,000 people moved into central Florida's Polk County — more than to any other county in America. Its largest city has just 112,641 people, living a full 35 miles east of the 3.1 million residents in the metropolitan area around Tampa.

But the Associated Press says something similar is happening all over the country: "the rise of the far-flung exurbs." Outlying communities on the outer margins of metro areas — some as far away as 60 miles (97 kilometers) from a city's center — had some of the fastest-growing populations last year, according to the U.S. Census Bureau. Those communities are primarily in the South, like Anna, Texas on the outskirts of the Dallas-Fort Worth metro area; Fort Mill, South Carolina [just 18 miles from North Carolina city Charlotte]; Lebanon, Tennessee outside Nashville; and Polk County's Haines City... [C]ommuting to work can take up to an hour and a half one-way. But [Marisol] Ortega, who lives in Haines City about 40 miles (64 kilometers) from her job in Orlando, says it's worth it. "I love my job. I love what I do, but then I love coming back home, and it's more tranquil," Ortega said.

The rapid growth of far-flung exurbs is an after-effect of the COVID-19 pandemic, according to the Census Bureau, as rising housing costs drove people further from cities and remote working allowed many to do their jobs from home at least part of the week... Recent hurricanes and citrus diseases in Florida also have made it more attractive for some Polk County growers to sell their citrus groves to developers who build new residences or stores...

Anna, Texas, more than 45 miles (72 kilometers) north of downtown Dallas, is seeing the same kind of migration. It was the fourth-fastest growing city in the U.S. last year and its population has increased by a third during the 2020s to 27,500 residents. Like Polk County, Anna has gotten a little older, richer and more racially diverse.

The article points out that in Anna, Texas, "close to 3 in 5 households have moved into their homes since 2020, according to the Census Bureau."
Google

What Happened After Google Retrofitted Memory Safety Onto Its C++ Codebase? (googleblog.com) 136

Google's transistion to Safe Coding and memory-safe languages "will take multiple years," according to a post on Google's security blog. So "we're also retrofitting secure-by-design principles to our existing C++ codebase wherever possible," a process which includes "working towards bringing spatial memory safety into as many of our C++ codebases as possible, including Chrome and the monolithic codebase powering our services." We've begun by enabling hardened libc++, which adds bounds checking to standard C++ data structures, eliminating a significant class of spatial safety bugs. While C++ will not become fully memory-safe, these improvements reduce risk as discussed in more detail in our perspective on memory safety, leading to more reliable and secure software... It's also worth noting that similar hardening is available in other C++ standard libraries, such as libstdc++. Building on the successful deployment of hardened libc++ in Chrome in 2022, we've now made it default across our server-side production systems. This improves spatial memory safety across our services, including key performance-critical components of products like Search, Gmail, Drive, YouTube, and Maps... The performance impact of these changes was surprisingly low, despite Google's modern C++ codebase making heavy use of libc++. Hardening libc++ resulted in an average 0.30% performance impact across our services (yes, only a third of a percent) ...

In just a few months since enabling hardened libc++ by default, we've already seen benefits. Hardened libc++ has already disrupted an internal red team exercise and would have prevented another one that happened before we enabled hardening, demonstrating its effectiveness in thwarting exploits. The safety checks have uncovered over 1,000 bugs, and would prevent 1,000 to 2,000 new bugs yearly at our current rate of C++ development...

The process of identifying and fixing bugs uncovered by hardened libc++ led to a 30% reduction in our baseline segmentation fault rate across production, indicating improved code reliability and quality. Beyond crashes, the checks also caught errors that would have otherwise manifested as unpredictable behavior or data corruption... Hardened libc++ enabled us to identify and fix multiple bugs that had been lurking in our code for more than a decade. The checks transform many difficult-to-diagnose memory corruptions into immediate and easily debuggable errors, saving developers valuable time and effort.

The post notes that they're also working on "making it easier to interoperate with memory-safe languages. Migrating our C++ to Safe Buffers shrinks the gap between the languages, which simplifies interoperability and potentially even an eventual automated translation."
Privacy

T-Mobile Hacked In Massive Chinese Breach of Telecom Networks 25

Chinese hackers, reportedly linked to a Chinese intelligence agency, breached T-Mobile as part of a broader cyber-espionage campaign targeting telecom companies to spy on high-value intelligence targets. "T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," a company spokesperson told the Wall Street Journal. Reuters reports: It was unclear what information, if any, was taken about T-Mobile customers' calls and communications records, according to the report. On Wednesday, The Federal Bureau of Investigation (FBI) and the U.S. cyber watchdog agency CISA said China-linked hackers have intercepted surveillance data intended for American law enforcement agencies after breaking into an unspecified number of telecom companies. Further reading: U.S. Wiretap Systems Targeted in China-Linked Hack
Cloud

Cloud Migration Is Back (If You Ignore the Actual Numbers) (indiadispatch.com) 40

An anonymous reader shares a report: The cloud migration narrative that powered tech valuations during the pandemic is attempting a comeback, but the underlying data suggests a more complex story.

UBS's new survey of IT services reveals a striking disconnect between industry expectations and customer reality. While executives proclaim "2025 will be far better than what we've seen in 2024," their enterprise clients report having migrated merely 15% of workloads to the cloud, with the remainder presenting increasingly complex challenges.

The numbers are particularly telling: Growth rates for major cloud providers AWS, Azure, and Google Cloud have declined from pandemic peaks of 40-50% to 10-20%. IT budgets for 2024, meanwhile, are projected to be "flattish to up very slightly, maybe a couple percent," marking a significant departure from the explosive growth of recent years.

Science

Academic Papers Yanked After Authors Found To Have Used Unlicensed Software (theregister.com) 75

An academic journal has retracted two papers because it determined their authors used unlicensed software. The Register: Elsevier's Ain Shams Engineering Journal withdrew two papers exploring dam failures after complaints from Flow Science, the Santa Fe, New Mexico-based maker of a computational fluid dynamics application called FLOW-3D.

"Following an editorial investigation as a result of a complaint from the software distributor, the authors admitted that the use of professional software, FLOW-3D program for the results published in the article, was made without a license from the developer," a note from the journal's editor-in-chief explains.

"One of the conditions of submission of a paper for publication is that the article does not violate any intellectual property rights of any person or entity and that the use of any software is made under a license or permission from the software owner."

Slashdot Top Deals