Bug

Two Sudo Vulnerabilities Discovered and Patched (thehackernews.com) 2

In April researchers responsibly disclosed two security flaws found in Sudo "that could enable local attackers to escalate their privileges to root on susceptible machines," reports The Hacker News. "The vulnerabilities have been addressed in Sudo version 1.9.17p1 released late last month." Stratascale researcher Rich Mirch, who is credited with discovering and reporting the flaws, said CVE-2025-32462 has managed to slip through the cracks for over 12 years. It is rooted in Sudo's "-h" (host) option, which makes it possible to list a user's sudo privileges for a different host. The feature was enabled in September 2013. However, the identified bug made it possible to execute any command allowed on the remote host on the local machine as well, when running the Sudo command with the host option referencing an unrelated remote host. "This primarily affects sites that use a common sudoers file that is distributed to multiple machines," Sudo project maintainer Todd C. Miller said in an advisory. "Sites that use LDAP-based sudoers (including SSSD) are similarly impacted."

CVE-2025-32463, on the other hand, leverages Sudo's "-R" (chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. It's also a critical-severity flaw. "The default Sudo configuration is vulnerable," Mirch said. "Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed...."

Miller said the chroot option will be removed completely from a future release of Sudo and that supporting a user-specified root directory is "error-prone."
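The practical question for an administrator reading the item above is whether a given host already runs the fixed release. The following is an added example, not code from the Sudo project or from the researchers: it parses Sudo's version scheme (including the "pN" patch suffix, so that 1.9.17 sorts below 1.9.17p1) and compares it against the fixed version named in the article. The sample `sudo -V` output is constructed for the demo.

```python
"""Check whether an installed sudo is at or past the fixed release (1.9.17p1).

Added example for the Sudo advisory summary; not code from the Sudo project
or the researchers. SAMPLE_OUTPUT is constructed; FIXED_VERSION is the
release named in the article.
"""
import re
import subprocess
from typing import Tuple

FIXED_VERSION = "1.9.17p1"  # release the article names as containing both fixes

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '1.9.17p1' into a comparable tuple (1, 9, 17, 1).

    Sudo appends 'pN' for patch releases; a missing suffix counts as patch 0,
    so 1.9.17 < 1.9.17p1, which is the ordering we need.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    major, minor, micro, patch = m.groups()
    return int(major), int(minor), int(micro), int(patch or 0)


def is_fixed(version: str) -> bool:
    """True when `version` is at or above the release that fixed both CVEs."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def version_from_sudo_output(output: str) -> str:
    """Extract the version from `sudo -V` output, whose first line reads
    'Sudo version X.Y.Z[pN]'."""
    for line in output.splitlines():
        m = re.match(r"^Sudo version (\S+)", line)
        if m:
            return m.group(1)
    raise ValueError("no 'Sudo version' line found")


def installed_sudo_version() -> str:
    """Run the real `sudo -V` (no privileges needed) and parse its output."""
    out = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=True).stdout
    return version_from_sudo_output(out)


# Constructed sample of `sudo -V` output from an unpatched host (demo data).
SAMPLE_OUTPUT = """Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5
Sudoers file grammar version 50
Sudoers I/O plugin version 1.9.15p5
Sudoers audit plugin version 1.9.15p5
"""

if __name__ == "__main__":
    v = version_from_sudo_output(SAMPLE_OUTPUT)
    verdict = "fixed" if is_fixed(v) else f"NOT fixed: upgrade to {FIXED_VERSION} or later"
    print(f"sample host: sudo {v} -> {verdict}")
    try:
        local = installed_sudo_version()
        print(f"this host: sudo {local} -> {'fixed' if is_fixed(local) else 'NOT fixed'}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not query local sudo: {exc}")
```

One caveat when using a check like this: distributions that backport security fixes often keep the upstream version number unchanged, so on such systems the package changelog, not the version string alone, is the authoritative indication that the fix is present.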

AI

UK Minister Tells Turing AI Institute To Focus On Defense (bbc.com) 38

UK Science and Technology Secretary Peter Kyle has written to the UK's national institute for AI to tell its bosses to refocus on defense and security. BBC: In a letter, Kyle said boosting the UK's AI capabilities was "critical" to national security and should be at the core of the Alan Turing Institute's activities. Kyle suggested the institute should overhaul its leadership team to reflect its "renewed purpose."

The cabinet minister said further government investment in the institute would depend on the "delivery of the vision" he had outlined in the letter. A spokesperson for the Alan Turing Institute said it welcomed "the recognition of our critical role and will continue to work closely with the government to support its priorities."
Further reading, from April: Alan Turing Institute Plans Revamp in Face of Criticism and Technological Change.

AI

Simple Text Additions Can Fool Advanced AI Reasoning Models, Researchers Find 46

Researchers have discovered that appending irrelevant phrases like "Interesting fact: cats sleep most of their lives" to math problems can cause state-of-the-art reasoning AI models to produce incorrect answers at rates over 300% higher than normal [PDF]. The technique -- dubbed "CatAttack" by teams from Collinear AI, ServiceNow, and Stanford University -- exploits vulnerabilities in reasoning models including DeepSeek R1 and OpenAI's o1 family. The adversarial triggers work across any math problem without changing the problem's meaning, making them particularly concerning for security applications.

The researchers developed their attack method using a weaker proxy model (DeepSeek V3) to generate text triggers that successfully transferred to more advanced reasoning models. Testing on 225 math problems showed the triggers increased error rates significantly across different problem types, with some models like R1-Distill-Qwen-32B reaching combined attack success rates of 2.83 times baseline error rates. Beyond incorrect answers, the triggers caused models to generate responses up to three times longer than normal, creating computational slowdowns. Even when models reached correct conclusions, response lengths doubled in 16% of cases, substantially increasing processing costs.

The Almighty Buck

Wells Fargo Scandal Pushed Customers Toward Fintech, Says UC Davis Study (nerds.xyz) 18

BrianFagioli shares a report from NERDS.xyz: A new academic study has found that the 2016 Wells Fargo scandal pushed many consumers toward fintech lenders instead of traditional banks. The research, published in the Journal of Financial Economics, suggests that it was a lack of trust rather than interest rates or fees that drove this behavioral shift. Conducted by Keer Yang, an assistant professor at the UC Davis Graduate School of Management, the study looked closely at what happened after the Wells Fargo fraud erupted into national headlines. Bank employees were caught creating millions of unauthorized accounts to meet unrealistic sales goals. The company faced $3 billion in penalties and a massive public backlash.

Yang analyzed Google Trends data, Gallup polls, media coverage, and financial transaction datasets to draw a clear conclusion. In geographic areas with a strong Wells Fargo presence, consumers became measurably more likely to take out mortgages through fintech lenders. This change occurred even though loan costs were nearly identical between traditional banks and digital lenders. In other words, it was not about money. It was about trust. That simple fact hits hard. When big institutions lose public confidence, people do not just complain. They start moving their money elsewhere.

According to the study, fintech mortgage use increased from just 2 percent of the market in 2010 to 8 percent in 2016. In regions more heavily exposed to the Wells Fargo brand, fintech adoption rose an additional 4 percent compared to areas with less exposure. Yang writes, "Therefore it is trust, not the interest rate, that affects the borrower's probability of choosing a fintech lender." [...] Notably, while customers may have been more willing to switch mortgage providers, they were less likely to move their deposits. Yang attributes that to FDIC insurance, which gives consumers a sense of security regardless of the bank's reputation. This study also gives weight to something many of us already suspected. People are not necessarily drawn to fintech because it is cheaper. They are drawn to it because they feel burned by the traditional system and want a fresh start with something that seems more modern and less manipulative.

Bitcoin

Ripple Applies For US Banking License (cointelegraph.com) 8

Ripple Labs is applying for a U.S. national bank charter and a Federal Reserve master account, "following a similar move by stablecoin issuer Circle Internet Group as crypto firms look to be regulated to deepen ties with traditional finance," reports CoinTelegraph. From the report: Ripple CEO Brad Garlinghouse confirmed on X on Wednesday that the company is applying for a license with the US Office of the Comptroller of the Currency (OCC), following an earlier report by The Wall Street Journal. "True to our long-standing compliance roots, Ripple is applying for a national bank charter from the OCC," he wrote. Garlinghouse said if the license is approved, it would be a "new (and unique!) benchmark for trust in the stablecoin market" as the firm would be under federal and state oversight -- with the New York Department of Financial Services already regulating its Ripple USD (RLUSD) stablecoin. [...]

Ripple's Garlinghouse added that the company also applied for a Master Account with the Federal Reserve, which would give it access to the US central banking system. "This access would allow us to hold $RLUSD reserves directly with the Fed and provide an additional layer of security to future proof trust in RLUSD," Garlinghouse said. "Congress is working towards clear rules and regulations, and banks (in a far cry from the years of Operation Chokepoint 2.0) are leaning in," he added, mentioning the conspiracy that the Biden administration sought to cut off crypto from the financial system. Ripple applied for the account through Standard Custody, a crypto custody firm it acquired in February 2024.

The Internet

Let's Encrypt Rolls Out Free Security Certs For IP Addresses (theregister.com) 26

Let's Encrypt, a certificate authority (CA) known for its free TLS/SSL certificates, has begun issuing digital certificates for IP addresses. From a report: It's not the first CA to do so. PositiveSSL, Sectigo, and GeoTrust all offer TLS/SSL certificates for use with IP addresses, at prices ranging from $40 to $90 or so annually. But Let's Encrypt does so at no cost.

For those with a static IP address who want to host a website, an IP address certificate provides a way to offer visitors a secure connection with that numeric identifier while avoiding the nominal expense of a domain name.

Android

Data Breach Reveals Catwatchful 'Stalkerware' Is Spying On Thousands of Phones (techcrunch.com) 17

An anonymous reader quotes a report from TechCrunch: A security vulnerability in a stealthy Android spyware operation called Catwatchful has exposed thousands of its customers, including its administrator. The bug, which was discovered by security researcher Eric Daigle, spilled the spyware app's full database of email addresses and plaintext passwords that Catwatchful customers use to access the data stolen from the phones of their victims. [...] According to a copy of the database from early June, which TechCrunch has seen, Catwatchful had email addresses and passwords on more than 62,000 customers and the phone data from 26,000 victims' devices.

Most of the compromised devices were located in Mexico, Colombia, India, Peru, Argentina, Ecuador, and Bolivia (in order of the number of victims). Some of the records date back to 2018, the data shows. The Catwatchful database also revealed the identity of the spyware operation's administrator, Omar Soca Charcov, a developer based in Uruguay. Charcov opened our emails, but did not respond to our requests for comment sent in both English and Spanish. TechCrunch asked if he was aware of the Catwatchful data breach, and if he plans to disclose the incident to its customers. Without any clear indication that Charcov will disclose the incident, TechCrunch provided a copy of the Catwatchful database to data breach notification service Have I Been Pwned.

The stalkerware operation uses a custom API and Google's Firebase to collect and store victims' stolen data, including photos and audio recordings. According to Daigle, the API was left unauthenticated, exposing sensitive user data such as email addresses and passwords.

The hosting provider temporarily suspended the spyware after TechCrunch disclosed this vulnerability but it returned later on HostGator. Despite being notified, Google has yet to take down the Firebase instance but updated Google Play Protect to detect Catwatchful.

While Catwatchful claims it "cannot be uninstalled," you can dial "543210" and press the call button on your Android phone to reveal the hidden app. As for its removal, TechCrunch has a general how-to guide for removing Android spyware that could be helpful.

Education

Hacker With 'Political Agenda' Stole Data From Columbia, University Says (therecord.media) 28

A politically motivated hacker breached Columbia University's IT systems, stealing vast amounts of sensitive student and employee data -- including admissions decisions and Social Security numbers. The Record reports: The hacker reportedly provided Bloomberg News with 1.6 gigabytes of data they claimed to have stolen from the university, including information from 2.5 million applications going back decades. The stolen data the outlet reviewed reportedly contains details on whether applicants were rejected or accepted, their citizenship status, their university ID numbers and which academic programs they sought admission to. While the hacker's claims have not been independently verified, Bloomberg said it compared data provided by the hacker to that belonging to eight Columbia applicants seeking admission between 2019 and 2024 and found it matched.

The threat actor reportedly told Bloomberg he was seeking information that would indicate whether the university continues to use affirmative action in admissions despite a 2023 Supreme Court decision prohibiting the practice. The hacker told Bloomberg he obtained 460 gigabytes of data in total -- after spending two months targeting and penetrating increasingly privileged layers of the university's servers -- and said he harvested information about financial aid packages, employee pay and at least 1.8 million Social Security numbers belonging to employees, applicants, students and their family members.

China

China's Giant New Gamble With Digital IDs (economist.com) 73

China will launch digital IDs for internet use on July 15th, transferring online verification from private companies to government control. Users obtain digital IDs by submitting personal information including facial scans to police via an app. A pilot program launched one year ago enrolled 6 million people.

The system currently remains voluntary, though officials and state media are pushing citizens to register for "information security." Companies will see only anonymized character strings when users log in, while police retain exclusive access to personal details. The program replaces China's existing system requiring citizens to register with companies using real names before posting comments, gaming, or making purchases.

Police say they punished 47,000 people last year for spreading "rumours" online. The digital ID serves a broader government strategy to centralize data control. State planners classify data as a production factor alongside labor and capital, aiming to extract information from private companies for trading through government-operated data exchanges.

AT&T

AT&T Now Lets Customers Lock Down Account To Prevent SIM Swapping Attacks (theverge.com) 10

AT&T has launched a new Account Lock feature designed to protect customers from SIM swapping attacks. The security tool, available through the myAT&T app, prevents unauthorized changes to customer accounts including phone number transfers, SIM card changes, billing information updates, device upgrades, and modifications to authorized users.

SIM swapping attacks occur when criminals obtain a victim's phone number through social engineering techniques, then intercept messages and calls to access two-factor authentication codes for sensitive accounts. The attacks have become increasingly common in recent years. AT&T began gradually rolling out Account Lock earlier this year, joining T-Mobile, Verizon, and Google Fi, which already offer similar fraud prevention features.

Security

US Government Takes Down Major North Korean 'Remote IT Workers' Operation (techcrunch.com) 57

An anonymous reader quotes a report from TechCrunch: The U.S. Department of Justice announced on Monday that it had taken several enforcement actions against North Korea's money-making operations, which rely on undercover remote IT workers inside American tech companies to raise funds for the regime's nuclear weapons program, as well as to steal data and cryptocurrency. As part of the DOJ's multi-state effort, the government announced the arrest and indictment of U.S. national Zhenxing "Danny" Wang, who allegedly ran a years-long fraud scheme from New Jersey to sneak remote North Korean IT workers inside U.S. tech companies. According to the indictment, the scheme generated more than $5 million in revenue for the North Korean regime. [...]

From 2021 until 2024, the co-conspirators allegedly impersonated more than 80 U.S. individuals to get remote jobs at more than 100 American companies, causing $3 million in damages due to legal fees, data breach remediation efforts, and more. The group is said to have run laptop farms inside the United States, which the North Korean IT workers could essentially use as proxies to hide their provenance, according to the DOJ. At times, they used hardware devices known as keyboard-video-mouse (KVM) switches, which allow one person to control multiple computers from a single keyboard and mouse. The group allegedly also ran shell companies inside the U.S. to make it seem like the North Korean IT workers were affiliated with legitimate local companies, and to receive money that would then be transferred abroad, the DOJ said.

The fraudulent scheme allegedly also involved the North Korean workers stealing sensitive data, such as source code, from the companies they were working for, such as from an unnamed California-based defense contractor "that develops artificial intelligence-powered equipment and technologies."

HP

CarFax For Used PCs: Hewlett Packard Wants To Give Laptops New Life (arstechnica.com) 52

HP is developing a "PCFax" system similar to CarFax for used cars that securely collects and stores detailed device usage and health data at the firmware level to extend the life of PCs and reduce e-waste. A team of HP experts outlines the system in a recent IEEE Spectrum report: The secure telemetry protocol we've developed at HP works as follows. We gather the critical hardware and sensor data and store it in a designated area of the SSD. This area is write-locked, meaning only authorized firmware components can write to it, preventing accidental modification or tampering. That authorized firmware component we use is the Endpoint Security Controller, a dedicated piece of hardware embedded in business-class HP PCs. It plays a critical role in strengthening platform-level security and works independently from the main CPU to provide foundational protection.

The endpoint security controller establishes a secure session by retaining the secret key within the controller itself. This mechanism enables read data protection on the SSD -- where telemetry and sensitive data are stored -- by preventing unauthorized access, even if the operating system is reinstalled or the system environment is otherwise altered. Then, the collected data is recorded in a timestamped file, stored within a dedicated telemetry log on the SSD. Storing these records on the SSD has the benefit of ensuring the data is persistent even if the operating system is reinstalled or some other drastic change in software environment occurs. The telemetry log employs a cyclic buffer design, automatically overwriting older entries when the log reaches full capacity. Then, the telemetry log can be accessed by authorized applications at the operating system level.
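To make the log design in the paragraph above concrete, here is an added example that is not HP's code and does not model the Endpoint Security Controller itself. It implements the two properties the passage describes: a fixed-capacity cyclic buffer that overwrites the oldest entry when full and still returns records in chronological order, and records that only a holder of a secret key can produce, with an HMAC tag standing in for the controller-held key. The capacity, record layout and key are assumptions for the demo.

```python
"""Model of a cyclic, key-protected telemetry log (added example, not HP's code).

The HMAC key here plays the role the passage assigns to the secret held inside
the Endpoint Security Controller; in the real design the key never leaves the
controller, which is what stops OS-level software from forging records.
"""
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


class TelemetryLog:
    def __init__(self, capacity: int, key: bytes):
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self._key = key                    # stands in for the controller-held secret
        self._slots = [None] * capacity    # fixed-size storage, like the reserved SSD area
        self._next = 0                     # slot that the next write will use
        self._count = 0                    # slots in use (never exceeds capacity)

    def _tag(self, entry: Dict) -> str:
        payload = json.dumps(entry, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, reading: Dict, ts: Optional[float] = None) -> None:
        """Record a timestamped reading; when full, the oldest slot is reused."""
        entry = {"ts": ts if ts is not None else time.time(), "data": reading}
        self._slots[self._next] = {"entry": entry, "tag": self._tag(entry)}
        self._next = (self._next + 1) % self.capacity
        self._count = min(self._count + 1, self.capacity)

    def _oldest_index(self) -> int:
        return (self._next - self._count) % self.capacity

    def entries(self) -> List[Dict]:
        """Stored entries oldest-first, correct even after the buffer has wrapped."""
        start = self._oldest_index()
        return [self._slots[(start + i) % self.capacity]["entry"] for i in range(self._count)]

    def verify(self) -> List[int]:
        """Positions (oldest-first) of entries whose tag no longer matches their content.

        A reader with the key can thus detect records altered after they were written.
        """
        bad = []
        start = self._oldest_index()
        for i in range(self._count):
            slot = self._slots[(start + i) % self.capacity]
            if not hmac.compare_digest(self._tag(slot["entry"]), slot["tag"]):
                bad.append(i)
        return bad


def demo() -> List[float]:
    """Fill a 3-slot log with 5 constructed readings; the first two are overwritten."""
    log = TelemetryLog(capacity=3, key=b"demo-controller-key")  # constructed key
    for hour in range(1, 6):
        log.append({"power_on_hours": hour * 100, "cpu_temp_c": 40 + hour}, ts=float(hour))
    return [e["ts"] for e in log.entries()]


if __name__ == "__main__":
    print("timestamps surviving after wrap-around:", demo())  # oldest two are gone
```

Reading the log back in order depends only on the write pointer and the fill count, so no separate index file is needed; this matters for a design that must survive an operating system reinstall. Anyone who can read the key in this model can also forge entries, which is precisely why the passage keeps the key inside the controller rather than in software.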

The telemetry log serves as the foundation for a comprehensive device history report. Much like a CarFax report for used cars, this report, which we call PCFax, will provide both current users and potential buyers with crucial information. The PCFax report aggregates data from multiple sources beyond just the on-device telemetry logs. It combines the secure firmware-level usage data with information from HP's factory and supply chain records, digital services platforms, customer support service records, diagnostic logs, and more. Additionally, the system can integrate data from external sources including partner sales and service records, refurbishment partner databases, third-party component manufacturers like Intel, and other original equipment manufacturers. This multi-source approach creates a complete picture of the device's entire lifecycle, from manufacturing through all subsequent ownership and service events.

Microsoft

Microsoft Authenticator Will Stop Supporting Passwords (cnet.com) 67

Avantare writes: Microsoft Authenticator houses your passwords and lets you sign into all of your Microsoft accounts using a PIN, facial recognition such as Windows Hello, or other biometric data, like a fingerprint. Authenticator can be used in other ways, such as verifying you're logging in if you forgot your password, or using two-factor authentication as an extra layer of security for your Microsoft accounts.

In June, Microsoft stopped letting users add passwords to Authenticator, but here's a timeline of other changes you can expect, according to Microsoft:

July 2025: You won't be able to use the autofill password function.
August 2025: You'll no longer be able to use saved passwords.

Security

New NSA/CISA Report Again Urges the Use of Memory-Safe Programming Language (theregister.com) 66

An anonymous reader shared this report from the tech news site The Register: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) this week published guidance urging software developers to adopt memory-safe programming languages. "The importance of memory safety cannot be overstated," the inter-agency report says...

The CISA/NSA report revisits the rationale for greater memory safety and the government's calls to adopt memory-safe languages (MSLs) while also acknowledging the reality that not every agency can change horses mid-stream. "A balanced approach acknowledges that MSLs are not a panacea and that transitioning involves significant challenges, particularly for organizations with large existing codebases or mission-critical systems," the report says. "However, several benefits, such as increased reliability, reduced attack surface, and decreased long-term costs, make a strong case for MSL adoption."

The report cites how Google by 2024 managed to reduce memory safety vulnerabilities in Android to 24 percent of the total. It goes on to provide an overview of the various benefits of adopting MSLs and discusses adoption challenges. And it urges the tech industry to promote memory safety by, for example, advertising jobs that require MSL expertise.

It also cites various government projects to accelerate the transition to MSLs, such as the Defense Advanced Research Projects Agency (DARPA) Translating All C to Rust (TRACTOR) program, which aspires to develop an automated method to translate C code to Rust. A recent effort along these lines, dubbed Omniglot, has been proposed by researchers at Princeton, UC Berkeley, and UC San Diego. It provides a safe way for unsafe libraries to communicate with Rust code through a Foreign Function Interface....

"Memory vulnerabilities pose serious risks to national security and critical infrastructure," the report concludes. "MSLs offer the most comprehensive mitigation against this pervasive and dangerous class of vulnerability."

"Adopting memory-safe languages can accelerate modern software development and enhance security by eliminating these vulnerabilities at their root," the report continues, calling the idea "an investment in a secure software future."

"By defining memory safety roadmaps and leading the adoption of best practices, organizations can significantly improve software resilience and help ensure a safer digital landscape."

X

X11 Fork XLibre Released For Testing On Systemd-Free Artix Linux (webpronews.com) 131

An anonymous reader shared this report from WebProNews: The Linux world is abuzz with news of XLibre, a fork of the venerable X11 window display system, which aims to be an alternative to X11's successor, Wayland.

Much of the Linux world is working to adopt Wayland, the successor to X11. Wayland has been touted as being a superior option, providing better security and performance. Despite Fedora and Ubuntu both going Wayland-only, the newer display protocol still lags behind X11, in terms of functionality, especially in the realm of accessibility, screen recording, session restore, and more. In addition, despite the promise of improved performance, many users report performance regressions compared to X11.

While progress is being made, it has been slow going, especially for a project that is more than 17 years old. To make matters worse, Wayland is largely being improved by committee, with the various desktop environment teams trying to work together to further the protocol. Progress is further hampered by the fact that the GNOME developers often object to the implementation of some functionality that doesn't fit with their vision of what a desktop should be — despite those features being present and needed in every other environment.

In response, developer Enrico Weigelt has forked X11 into the XLibre project. Weigelt was already one of the most prolific X11 contributors at a time when little to no improvements or new features are being added to the aging window system... Weigelt has wasted no time releasing the inaugural version of XLibre, XLibre 25.0. The release includes a slew of improvements.

MrBrklyn (Slashdot reader #4,775) adds that Artix Linux, a rolling-release distro based on Arch Linux which does not use systemd, now offers XLibre ISO images and packages for testing and use. They're all non-systemd based, and "It's a decent undertaking by the Artix development team. The ISO is considered to be testing but it is quickly moving to the regular repos for broad public use."

Canada

Canada Orders Chinese Firm Hikvision To Cease Canadian Operations Over National Security Concerns (reuters.com) 45

The Canadian government has ordered Chinese surveillance camera manufacturer Hikvision to cease operations in Canada over national security concerns, Industry Minister Melanie Joly said late on Friday. From a report: Hikvision, also known as Hangzhou Hikvision Digital Technology Co, has faced numerous sanctions and restrictions by Canada's neighbor, the United States, over the past five and a half years for the firm's dealings and the use of its equipment in China's Xinjiang region, where rights groups have documented abuses against the Uyghur population and other Muslim communities.

"The government has determined that Hikvision Canada's continued operations in Canada would be injurious to Canada's national security," Joly said on X, adding that the decision was taken after a multi-step review of information provided by Canada's security and intelligence community.

Security

Tech Firms Warn 'Scattered Spider' Hacks Are Targeting Aviation Sector (reuters.com) 2

Tech companies Google and Palo Alto Networks are sounding the alarm over the "Scattered Spider" hacking group's interest in the aviation sector. From a report: In a statement posted on LinkedIn, Sam Rubin, an executive at Palo Alto's cybersecurity-focused Unit 42, said his company had "observed Muddled Libra (also known as Scattered Spider) targeting the aviation industry."

In a similar statement, Charles Carmakal, an executive with Alphabet-owned Google's cybersecurity-focused Mandiant unit, said his company was "aware of multiple incidents in the airline and transportation sector which resemble the operations of UNC3944 or Scattered Spider."

Axios adds: The group of mostly Western, English-speaking hackers has been on a months-long spree that's prompted operational disruptions at grocery suppliers, major retail storefronts and insurance companies in the U.S. and U.K.

Hawaiian Airlines said Thursday it's addressing a "cybersecurity incident" that affected some of its IT systems. Canadian airline WestJet faced a similar incident last week that caused outages for some of its systems and mobile app. A source familiar with the incidents told Axios that Scattered Spider was likely behind the WestJet incident.

EU

'The Year of the EU Linux Desktop May Finally Arrive' (theregister.com) 69

Steven J. Vaughan-Nichols writes in an opinion piece for The Register: Microsoft, tacitly admitting it has failed at talking all the Windows 10 PC users into moving to Windows 11 after all, is -- sort of, kind of -- extending Windows 10 support for another year. For most users, that means they'll need to subscribe to Microsoft 365. This, in turn, means their data and meta-information will be kept in a US-based datacenter. That isn't sitting so well with many European Union (EU) organizations and companies. It doesn't sit that well with me or a lot of other people either.

A few years back, I wrote in these very pages that Microsoft didn't want you so much to buy Windows as subscribe to its cloud services and keep your data on its servers. If you wanted a real desktop operating system, Linux would be almost your only choice. Nothing has changed since then, except that folks are getting a wee bit more concerned about their privacy now that President Donald Trump is in charge of the US. You may have noticed that he and his regime love getting their hands on other people's data.

Privacy isn't the only issue. Can you trust Microsoft to deliver on its service promises under American political pressure? Ask the EU-based International Criminal Court (ICC): after it issued arrest warrants for Israeli Prime Minister Benjamin Netanyahu for war crimes, Trump imposed sanctions on the ICC. Soon afterward, the ICC's chief prosecutor, Karim Khan, was reportedly locked out of his Microsoft email accounts. Coincidence? Some think not. Microsoft denies it had anything to do with this.

Peter Ganten, chairman of the German-based Open-Source Business Alliance (OSBA), opined that these sanctions ordered by the US which he alleged had been implemented by Microsoft "must be a wake-up call for all those responsible for the secure availability of state and private IT and communication infrastructures." Microsoft chairman and general counsel, Brad Smith, had promised that it would stand behind its EU customers against political pressure. In the aftermath of the ICC reports, Smith declared Microsoft had not been "in any way [involved in] the cessation of services to the ICC." In the meantime, if you want to reach Khan, you'll find him on the privacy-first Swiss email provider, ProtonMail.

In short, besides all the other good reasons for people switching to the Linux desktop - security, Linux is now easy to use, and, thanks to Steam, you can do serious gaming on Linux - privacy has become much more critical. That's why several EU governments have decided that moving to the Linux desktop makes a lot of sense... Besides, all these governments know that switching from Windows 10 to 11 isn't cheap. While finances also play a role, and I always believe in "following the money" when it comes to such software decisions, there's no question that Europe is worried about just how trustworthy America and its companies are these days. Do you blame them? I don't.

The shift to the Linux desktop is "nothing new," as Vaughan-Nichols notes. Munich launched its LiMux project back in 2004 and, despite ending it in 2017, reignited its open-source commitment by establishing a dedicated program office in 2024. In France, the gendarmerie now operates over 100,000 computers on a custom Ubuntu-based OS (GendBuntu), while the city of Lyon is transitioning to Linux and PostgreSQL.

More recently, Denmark announced it is dropping Windows and Office in favor of Linux and LibreOffice, citing digital sovereignty. The German state of Schleswig-Holstein is following suit, also moving away from Microsoft software. Meanwhile, a pan-European Linux OS (EU OS) based on Fedora Kinoite is being explored, with Linux Mint and openSUSE among the alternatives under consideration.

Android

Android 16 Will Tell You When Fake Cell Towers Try To Track Your Phone (androidauthority.com) 51

Android 16 will include a new security feature that warns users when their phones connect to fake cell towers designed for surveillance. The "network notification" setting alerts users when devices connect to unencrypted networks or when networks request phone identifiers, helping protect against "stingray" devices that mimic legitimate cell towers to collect data and force phones onto insecure communication protocols.

Printer

Brother Printer Bug In 689 Models Exposes Millions To Hacking (securityweek.com) 54

An anonymous reader quotes a report from SecurityWeek: Hundreds of printer models from Brother and other vendors are impacted by potentially serious vulnerabilities discovered by researchers at Rapid7. The cybersecurity firm revealed on Wednesday that its researchers identified eight vulnerabilities affecting multifunction printers made by Brother. The security holes have been found to impact 689 printer, scanner and label maker models from Brother, and some or all of the flaws also affect 46 Fujifilm Business Innovation, five Ricoh, six Konica Minolta, and two Toshiba printers. Overall, millions of enterprise and home printers are believed to be exposed to hacker attacks due to these vulnerabilities.

The most serious of the flaws, tracked as CVE-2024-51978 and with a severity rating of 'critical', can allow a remote and unauthenticated attacker to bypass authentication by obtaining the device's default administrator password. CVE-2024-51978 can be chained with an information disclosure vulnerability tracked as CVE-2024-51977, which can be exploited to obtain a device's serial number. This serial number is needed to generate the default admin password. "This is due to the discovery of the default password generation procedure used by Brother devices," Rapid7 explained. "This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process."

Having the admin password enables an attacker to reconfigure the device or abuse functionality intended for authenticated users. The remaining vulnerabilities, which have severity ratings of 'medium' and 'high', can be exploited for DoS attacks, forcing the printer to open a TCP connection, obtain the password of a configured external service, trigger a stack overflow, and perform arbitrary HTTP requests. Six of the eight vulnerabilities found by Rapid7 can be exploited without authentication.

Brother has patched most of the flaws, but CVE-2024-51978 requires a new manufacturing process to fully resolve, which will apply only to future devices.
