Android

Google, Qualcomm Will Support 8 Years of Android Updates (9to5google.com) 19

An anonymous reader quotes a report from 9to5Google: Starting with the Snapdragon 8 Elite, Qualcomm will offer device manufacturers (OEMs) the "ability to provide support for up to eight consecutive years of Android software and security updates." Qualcomm today announced a "program" in partnership with Google: "What this means is that support for platform software included in this program will be made available to OEMs for eight consecutive years, including both Android OS and kernel upgrades, without requiring significant changes or upgrades to the platform and OEM code on the device (a separation commonly referred as 'Project Treble' or the 'vendor implementation'). While kernel changes will require updating kernel mode drivers, the vendor code can remain unchanged while the software support is being provided."

This program specifically includes "two upgrades to the mobile platform's Android Common Kernel (ACK) to support the eight-year window." It's ultimately up to manufacturers to update their devices, but the bottleneck going forward won't be the chip. Qualcomm today notes how the extended software support it's providing can "lower costs for OEMs interested in supporting their devices longer." The first devices to benefit are Snapdragon 8 Elite-powered smartphones launching with Android 15. Notably, the program runs for the "next five generations" of SoCs, including Snapdragon 8 and 7-series chips launching "later this year." Older chipsets will not benefit from this program.

Encryption

VPN Providers Consider Exiting France Over 'Dangerous' Blocking Demands (torrentfreak.com) 44

An anonymous reader quotes a report from TorrentFreak: In France, rightsholders have taken legal action to compel large VPN providers to support their pirate site blocking program. The aim is to reinforce existing blocking measures, but VPN providers see this as a dangerous move, leading to potential security issues and overblocking. As a result, some are considering leaving France altogether if push comes to shove. [...] Earlier this month, sports rightsholders Canal+ and LFP requested blocking injunctions that would require popular VPNs to start blocking pirate sites and services. The full requests are not public, but the details available show that Cyberghost, ExpressVPN, NordVPN, ProtonVPN, and Surfshark are listed as respondents. [...]

The blocking request has yet to be approved and several of the targeted VPN providers have reserved detailed commentary, for now. That said, the VPN Trust Initiative (VTI), which includes ExpressVPN, NordVPN and Surfshark as members, has been vocal in its opposition. VTI is part of the i2Coalition and while it doesn't speak directly for any of the members, the coalition's Executive Director Christian Dawson has been in regular discussions with VPN providers. From this, it became clear that VPN providers face difficult decisions. If VPN providers are ordered to block pirate sites, some are considering whether to follow in the footsteps of Cisco, which discontinued its OpenDNS service in the country, to avoid meddling with its DNS resolver.

Speaking with TorrentFreak, VTI's Dawson says that VPNs have previously left markets like India and Pakistan in response to restrictive requirements. This typically happens when privacy or security principles are at risk, or if the technical implementation of blocking measures is infeasible. VTI does not rule out that some members may choose to exit France for similar reasons, if required to comply with blocking measures. "We've seen this before in markets like India and Pakistan, where regulatory requirements forced some VPN services to withdraw rather than compromise on encryption standards or log-keeping policies," Dawson says. "France's potential move to force VPN providers to block content could put companies in a similar position -- where they either comply with measures that contradict their purpose or leave the market altogether."
"This case in France is part of a broader global trend of regulatory overreach, where governments attempt to control encrypted services under the guise of content regulation. We've already seen how China, Russia, Myanmar, and Iran have imposed VPN restrictions as part of broader censorship efforts."

"The best path forward is for policymakers to focus on targeted enforcement measures that don't undermine Internet security or create a precedent for global Internet fragmentation," concludes Dawson. "As seen in other cases, blanket blocking measures do not effectively combat piracy but instead create far-reaching consequences that disrupt the open Internet."
Microsoft

Microsoft Trims More CPUs From Windows 11 Compatibility List (theregister.com) 95

Microsoft has updated its CPU compatibility list for Windows 11 24H2, excluding pre-11th-generation Intel processors for OEMs building new PCs. The Register reports: Windows 11 24H2 has been available to customers for months, yet Microsoft felt compelled in its February update to confirm that builders, specifically, must use Intel's 11th-generation or later silicon when building brand new PCs to run its most recent OS iteration. "These processors meet the design principles around security, reliability, and the minimum system requirements for Windows 11," Microsoft says.

Intel's 11th-generation chips arrived in 2020 and were discontinued last year. It would be surprising, if not unheard of, for OEMs to build machines with unsupported chips. Intel has already transitioned many pre-11th generation chips to "a legacy software support model," so Microsoft's decision to omit the chips from the OEM list is understandable. However, this could be seen as a creeping problem. Chips made earlier than that were present very recently, in the list of supported Intel processors for Windows 11 22H2 and 23H2.

This new OEM list may add to worries of some users looking at the general hardware compatibility specs for Windows 11 and wondering if the latest information means that even the slightly newer hardware in their org's fleet will soon no longer meet the requirements of Microsoft's flagship operating system. It's a good question, and the answer -- currently -- appears to be that those "old" CPUs are still suitable. Microsoft has a list of hardware compatibility requirements that customers can check, and they have not changed much since the outcry when they were first published.

Google

Google To Eliminate SMS Authentication in Gmail, Implement QR Codes (forbes.com) 164

Google is preparing to abandon SMS verification codes for Gmail authentication in favor of QR codes, Gmail spokesperson Ross Richendrfer told Forbes. The move aims to address significant security vulnerabilities inherent in SMS-based verification while combating fraudulent exploitation of Google's messaging infrastructure, he said.

"Just like we want to move past passwords with the use of things like passkeys, we want to move away from sending SMS messages for authentication," Richendrfer said. The transition will target "rampant, global SMS abuse" that undermines security and enables criminal schemes. SMS verification currently serves dual purposes at Google: confirming user identity and preventing service abuse. However, these codes are vulnerable to phishing, dependent on carrier security practices, and frequently exploited in "traffic pumping" scams where fraudsters profit from artificially triggered SMS messages.

The forthcoming implementation will display QR codes that users scan with their phone cameras instead of entering six-digit codes. This approach eliminates shareable verification codes and reduces dependency on telecom carriers. The changes will roll out "over the next few months," the company said.
Programming

Greg Kroah-Hartman Supports Rust in the Kernel (phoronix.com) 82

An anonymous Slashdot reader shared this report from Phoronix: Linux's second-in-command Greg Kroah-Hartman has also been a big proponent of Rust kernel code. He's crafted another Linux kernel mailing list post [Wednesdsay] outlining the benefits of Rust and encouraging new kernel code/drivers to be in Rust rather than C. Greg KH makes the case that the majority of the kernel bugs are due to "stupid little corner cases in C that are totally gone in Rust."
"As someone who has seen almost EVERY kernel bugfix and security issue for the past 15+ years... and who sees EVERY kernel CVE issued, I think I can speak on this topic," Kroah-Hartman began. Here's some excerpts from his remarks. Citing corner cases like overwrites of memory, error path cleanups, use-after-free mistakes and forgetting to check error values, Kroah-Hartman says he's "all for... making these types of problems impossible to hit." That's why I'm wanting to see Rust get into the kernel, these types of issues just go away, allowing developers and maintainers more time to focus on the REAL bugs that happen (i.e. logic issues, race conditions, etc.)... [F]or new code / drivers, writing them in Rust where these types of bugs just can't happen (or happen much much less) is a win for all of us, why wouldn't we do this...? Rust isn't a "silver bullet" that will solve all of our problems, but it sure will help in a huge number of places, so for new stuff going forward, why wouldn't we want that...?

Yes, mixed language codebases are rough, and hard to maintain, but we are kernel developers dammit, we've been maintaining and strengthening Linux for longer than anyone ever thought was going to be possible. We've turned our development model into a well-oiled engineering marvel creating something that no one else has ever been able to accomplish. Adding another language really shouldn't be a problem, we've handled much worse things in the past and we shouldn't give up now on wanting to ensure that our project succeeds for the next 20+ years. We've got to keep pushing forward when confronted with new good ideas, and embrace the people offering to join us in actually doing the work to help make sure that we all succeed together.

Kroah-Hartman emphasized later that "a huge majority of the stupid things we do in C just don't happen in the same code implemented in Rust (i.e. memory leaks, error path cleanups, return value checking, etc.) "

The complete thread contains over 140 messages — including Linus Torvalds' observation that " #pragma is complete garbage and should never be used."
Power

New EV Batteries are Making Electric Cars Cheaper and Safer (msn.com) 92

The Washington Post looks at a new kind of battery that "could make American EVs cheaper and safer, experts say." If you bought an EV with a lithium iron phosphate (LFP) battery, you could expect lower car payments, less fire risk and more years of use out of your car — but you wouldn't be able to go as far on a single charge as you could with the nickel manganese cobalt (NMC) batteries commonly found in American and European electric cars. That trade-off has made LFP batteries the go-to choice for standard-range EVs in China, helping to make electric cars more affordable and limit pollution. Now, American companies are starting to build their own LFP batteries to catch up to their Chinese rivals... But there are plenty of barriers for U.S. companies that want to adopt a technology dominated by Chinese firms. Tariffs and tax credit restrictions have made it too expensive for most American automakers to import LFP batteries from China, and national security concerns have made it hard for American companies to partner with Chinese battery makers to build factories in the United States...

Although American scientists invented LFP batteries in 1997, U.S. automakers didn't invest in the technology. Instead, they bet on NMC batteries because they have longer range, a big concern for American EV buyers. "Everyone in the West thought LFP was a nonstarter five or six years ago," said Adrian Yao, who founded STEER, a technology research group within Stanford University. "We really did have a myopic focus on" range, he added. That left the door open for Chinese companies to perfect LFP batteries, which have a few advantages. Instead of pricey nickel and cobalt, they use iron, which makes them 20 percent cheaper than NMC batteries, according to the International Energy Agency. While NMC batteries can be recharged up to about 1,000 times before they go kaput — which is enough to put 200,000 miles on most EVs — LFP batteries can last two or three times as long, according to Moura. Plus, LFP batteries' chemistry makes them less likely to catch fire and easier to extinguish. An NMC battery, on the other hand, is so flammable that "you could put it underwater or in space, and it'll keep burning because the oxygen it needs to keep the flame going is embedded within itself," Moura said.

That safety advantage is key, because Chinese firms figured out they could pack LFP cells closer together inside a battery pack without risking a fire. That meant they could cram more energy into LFP batteries and nearly catch up to the range of NMC batteries. Last year, the Chinese battery giant CATL made the first LFP battery with more than 600 miles of range. Since LFP batteries are made from common materials and last longer, they also have a smaller environmental footprint than NMC batteries.

Ford used LFP batteries in its Mach-E sedan (2023) and F-150 Lightning pickup trucks (2024), according to the article, "while Rivian began using them in the basic trims of its R1S SUV and R1T pickup truck this year... American LFP factories are slated to open this year in St. Louis and next year in Arizona." And an environmental engineering professor at the University of California at Berkeley predicts LFP battery factories in the U.S. will "grow quite rapidly over the next five to 10 years."
Programming

Rust Developer Survey Finds Increasing Usage, Especially on Linux (rust-lang.org) 26

This year's "State of Rust" survey was completed by 7,310 Rust developers. DevClass note some key findings: When asked about their biggest worries for Rust's future, 45.5 percent cited "not enough usage in the tech industry," up from 42.5 percent last year, just ahead of the 45.2 percent who cited complexity as a concern... Only 18.6 percent declared themselves "not worried," though this is a slight improvement on 17.8 percent in 2023...

Another question asks whether respondents are using Rust at work. 38.2 percent claimed to use it for most of their coding [up from 34% in 2023], and 13.4 percent a few times a week, accounting for just over half of responses. At the organization level there is a similar pattern. 45.5 percent of organizations represented by respondents make "non-trivial use of Rust," up from 38.7 percent last year.

More details from I Programmer: On the up are "Using Rust helps us achieve or goals", now 82% compared to 72% in 2022; "We're likely to use Rust again in the future", up 3% to 78%; and "Using Rust has been worth the cost of Adoption". Going down are "Adopting Rust has been challenging", now 34.5% compared to 38.5% in 2022; and "Overall adopting Rust has slowed down our team" down by over 2% to 7%.
"According to the survey, organizations primarily choose Rust for building correct and bug-free software (87.1%), performance characteristics (84.5%), security and safety properties (74.8%), and development enjoyment (71.2%)," writes The New Stack: Rust seems to be especially popular for creating server backends (53.4%), web and networking services, cloud technologies and WebAssembly, the report said. It also seems to be gaining more traction for embedded use cases... Regarding the preferred development environment, Linux remains the dominant development platform (73.7%).

However, although VS Code remains the leading editor, its usage dropped five percentage points, from 61.7% to 56.7%, but the Zed editor gained notable traction, from 0.7% to 8.9%. Also, "nine out of 10 Rust developers use the current stable version, suggesting strong confidence in the language's stability," the report said...

Overall, 82% of respondents report that Rust helped their company achieve its goals, and daily Rust usage increased to 53% (up four percentage points from 2023). When asked why they use Rust at work, 47% of respondents cited a need for precise control over their software, which is up from 37% when the question was asked two years ago.

Windows

Glitches for Windows 11 Update Include Breaking File Explorer (zdnet.com) 57

Five days ago on Patch Tuesday, Microsoft released patch KB5051987 for Windows 11 version 24H2, writes the XDA Developers site.

But "As reported by Windows Latest and various communities like Reddit and Microsoft's help forum, many users have encountered a major issue..."

Some have reported that, in addition to File Explorer failing to launch, they're unable to open folders from the desktop, save Office files, or even download files. Clicking on a folder icon may display its subfolders, but the contents within remain inaccessible... Some users on Microsoft's help forum and Reddit have also reported that the KB5051987 patch fails to install entirely. The update gets stuck at a certain percentage for hours before eventually displaying an error code. While these are among the most widely reported issues, others have surfaced as well, including problems with Taskbar preview animations, the camera, and more.
"Microsoft keeps running into brick walls with the 2024 version of Windows 11," writes ZDNet. "Each new update designed to fix the outstanding bugs ends up introducing other problems..." Among the glitches resolved were ones that affected digital audio converters, USB audio drivers, USB cameras, and passkeys. The update also patched several security vulnerabilities, including some that were deemed critical....

Other glitches that may pop up include a stuttering mouse, an undetectable camera, .NET apps that cannot be installed inside the Windows Sandbox, and the Taskbar's new preview animation that does not work properly. You may also encounter other roadblocks. One person in the Windows Feedback Hub said that after installing the update, the battery life shows only 2.5 hours versus 6 hours previously. Another person found that the clipboard history no longer copies items from Microsoft Word...

Each annual Windows update can suffer from bugs, especially after being rolled out to millions of users. However, Windows 11 24H2 has been more problematic than usual. Since its official launch last October, the 2024 version has carried with it a host of known issues, many of which still haven't been resolved.

Privacy

California Sues Data-Harvesting Company NPD, Enforcing Strict Privacy Law (msn.com) 6

California sued to fine a data-harvesting company, reports the Washington Post, calling it "a rare step to put muscle behind one of the strongest online privacy laws in the United States." Even when states have tried to restrict data brokers, it has been tough to make those laws stick. That has generally been a problem for the 19 states that have passed broad laws to protect personal information, said Matt Schwartz, a policy analyst for Consumer Reports. He said there has been only 15 or so public enforcement actions by regulators overseeing all those laws. Partly because companies aren't held accountable, they're empowered to ignore the privacy standards. "Noncompliance is fairly widespread," Schwartz said. "It's a major problem."

That's why California is unusual with a data broker law that seems to have teeth. To make sure state residents can order all data brokers operating in the state to delete their personal records [with a single request], California is now requiring brokers to register with the state or face a fine of $200 a day. The state's privacy watchdog said Thursday that it filed litigation to force one data broker, National Public Data, to pay $46,000 for failing to comply with that initial phase of the data broker law. NPD declined to comment through an attorney... This first lawsuit for noncompliance, Schwartz said, shows that California is serious about making companies live up to their privacy obligations... "If they can successfully build it and show it works, it will create a blueprint for other states interested in this idea," he said.

Last summer NPD "spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online," according to the blog Krebs on Security, adding that another NPD data broker sharing access to the same consumer records "inadvertently published the passwords to its back-end database in a file that was freely available from its homepage..."

California's attempt to regulate the industry inspired the nonprofit Consumer Reports to create an app called Permission Slip that reveals what data companies collect and, for people in U.S. states, will "work with you to file a request, telling companies to stop selling your personal information."

Other data-protecting options suggested by The Washington Post:
  • Use Firefox, Brave or DuckDuckGo, "which can automatically tell websites not to sell or share your data. Those demands from the web browsers are legally binding or will be soon in at least nine states."
  • Use Privacy Badger, an EFF browser extension which the EFF says "automatically tells websites not to sell or share your data including where it's required by state law."

Security

Encrypted Messages Are Being Targeted, Google Security Group Warns (computerweekly.com) 20

Google's Threat Intelligence Group notes "the growing threat to secure messaging applications." While specifically acknowledging "wide ranging efforts to compromise Signal accounts," they add that the threat "also extends to other popular messaging applications such as WhatsApp and Telegram, which are also being actively targeted by Russian-aligned threat groups using similar techniques.

"In anticipation of a wider adoption of similar tradecraft by other threat actors, we are issuing a public warning regarding the tactics and methods used to date to help build public awareness and help communities better safeguard themselves from similar threats."

Computer Weekly reports: Analysts predict it is only a matter of time before Russia starts deploying hacking techniques against non-military Signal users and users of other encrypted messaging services, including WhatsApp and Telegram. Dan Black, principal analyst at Google Threat Intelligence Group, said he would be "absolutely shocked" if he did not see attacks against Signal expand beyond the war in Ukraine and to other encrypted messaging platforms...

Russia-backed hackers are attempting to compromise Signal's "linked devices" capability, which allows Signal users to link their messaging account to multiple devices, including phones and laptops, using a quick response (QR) code. Google threat analysts report that Russia-linked threat actors have developed malicious QR codes that, when scanned, will give the threat actor real-time access to the victim's messages without having to compromise the victim's phone or computer. In one case, according to Black, a compromised Signal account led Russia to launch an artillery strike against a Ukrainian army brigade, resulting in a number of casualties... Google also warned that multiple threat actors have been observed using exploits to steal Signal database files from compromised Android and Windows devices.

The article notes that the attacks "are difficult to detect and when successful there is a high risk that compromised Signal accounts can go unnoticed for a long time." And it adds that "The warning follows disclosures that Russian intelligence created a spoof website for the Davos World Economic Forum in January 2025 to surreptitiously attempt to gain access to WhatsApp accounts used by Ukrainian government officials, diplomats and a former investigative journalist at Bellingcat."

Google's Threat Intelligence Group notes there's a variety of attack methods, though the "linked devices" technique is the most widely used. "We are grateful to the team at Signal for their close partnership in investigating this activity," Google's group says in their blog post, adding that "the latest Signal releases on Android and iOS contain hardened features designed to help protect against similar phishing campaigns in the future. Update to the latest version to enable these features."
AI

Game Developers Revolt Against Microsoft's New AI Gaming Tool (wired.com) 109

Microsoft's newly announced Muse AI model for game development has triggered immediate backlash from industry professionals. "Fuck this shit," responded David Goldfarb, founder of The Outsiders, arguing that such AI tools primarily serve to "reduce capital expenditure" while devaluing developers' collective artistic contributions.

Multiple developers told Wired that the tool is aimed at shareholders rather than actual developers. "Nobody will want this. They don't CARE that nobody will want this," one AAA developer said, noting that internal criticism remains muted due to job security concerns amid industry-wide layoffs.

The resistance comes as developers increasingly view AI initiatives as threats to job security rather than helpful tools. One anonymous developer called it "gross" that they needed to remain unnamed while criticizing Muse, as their studio still depends on potential Game Pass deals with Microsoft. Even in prototyping, where Microsoft sees AI potential, Creative Assembly's Marc Burrage warns that automated shortcuts could undermine crucial learning experiences in game development.
Security

Bybit CEO Confirms Exchange Was Hacked for $1.46B, Says His Firm Can Cover The Loss (coindesk.com) 64

Cryptocurrency exchange Bybit has experienced $1.46 billion worth of "suspicious outflows," according to blockchain sleuth ZachXBT. From a report: The wallet in question appears to have sent 401,346 ETH ($1.1 billion) as well as several other iterations of staked ether (stETH) to a fresh wallet, which is now liquidating mETH and stETH on decentralized exchanges, etherscan shows. The wallet has sold around $200 million worth of stETH so far. Bybit CEO Ben Zhou wrote on X that a hacker "took control of the specific ETH cold wallet and transferred all the ETH in the cold wallet to this unidentified address."
Privacy

New WinRAR Version Strips Windows Metadata In Privacy Push (bleepingcomputer.com) 49

WinRAR 7.10 now lets users remove potentially sensitive metadata from downloaded files while preserving core Windows security features. The file compression tool's latest release introduces a "Zone value only" setting that strips download locations and IP addresses from Windows' Mark-of-the-Web security flags during file extraction.

The new privacy control, enabled by default, maintains only the basic security zone identifier that triggers Windows' safety prompts for downloaded files. This change prevents recipients of shared archives from accessing metadata that could reveal where files originated. The update from win.rar GmbH, whose compression software claims 500 million users worldwide, also adds performance improvements through larger memory page support and introduces a dark mode interface.
Encryption

Apple Removes Cloud Encryption Feature From UK After Backdoor Order 134

Apple is removing its most advanced, end-to-end encrypted security feature for cloud data in the United Kingdom [alternative source], in a stunning development after the government ordered the company to build a backdoor for accessing user data. From a report: The company said Friday that Advanced Data Protection, an optional feature that adds end-to-end encryption to a wide assortment of user data is no longer available in the UK for new users.

This layer of security covers iCloud data storage, device backups, web bookmarks, voice memos, notes, photos, reminders and text message backups. "We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company said in a statement. "ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices."
Security

Ghost Ransomware Continues To Infect Critical Infrastructure, Feds Warn (theregister.com) 6

Mirnotoriety shares a report from The Register: The operators of Ghost ransomware continue to claim victims and score payments, but keeping the crooks at bay is possible by patching known vulnerabilities and some basic infosec actions, according to a joint advisory issued Wednesday by the FBI and US Cybersecurity and Infrastructure Security Agency. The Feds warned orgs to beware of this spectral menace, which is known to have infected critical infrastructure and entities in every sector of a typical economy, and which has been observed scoring ransoms as recently as January. It is said to have racked up victims in more than 70 countries, including some in its China homeland.

Ghost first appeared in 2021, and according to the Feds, the gang will "rotate their ransomware executable payloads, switch file extensions for encrypted files, modify ransom note text, and use numerous ransom email addresses, which has led to variable attribution of this group over time." The Chinese group has therefore been identified as Ghost, Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture over time. The group's favored tactics, however, remain consistent: It targets unpatched systems to exploit known vulnerabilities that allow it to infect targets. [...]

Android

Murena Released a De-Googled Version of the Pixel Tablet (theverge.com) 40

Murena has launched the Murena Pixel Tablet, a de-Googled version of the Pixel Tablet that removes Google's apps and services to enhance user privacy. Priced at $549, it offers /e/OS, an alternative app store, and privacy-focused productivity tools, but lacks Google's speaker dock and direct access to the Play Store. The Verge reports: First announced last December, the Murena Pixel Tablet is available now through the company's online store for $549. That's a steep premium given Google currently sells the same 128GB version of the Pixel Tablet for $399, or $479 as part of a bundle with the charging speaker dock that Murena isn't including. Part of Murena's de-Googling of the Pixel Tablet includes the removal of the Google Play Store. You can still download apps through /e/OS' App Lounge which acts as a front-end for the Play Store allowing you to browse and get free apps anonymously without Google knowing who you are. However, downloading paid apps requires a login to a Google account. Google's various productivity apps aren't included, but the Murena Pixel Tablet comes with privacy-minded alternatives for messaging, email, maps, browsing the web, calendar, contacts, notes, and even voice recordings. In 2022, Murena launched its first smartphone with no Google apps, Google Play Services, or even the Google Assistant.
Security

Palo Alto Firewalls Under Attack As Miscreants Chain Flaws For Root Access (theregister.com) 28

A recently patched Palo Alto Networks vulnerability (CVE-2025-0108) is being actively exploited alongside two older flaws (CVE-2024-9474 and CVE-2025-0111), allowing attackers to gain root access to unpatched firewalls. The Register reports: This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed an OS administrator with access to the management web interface to perform actions on the firewall with root privileges. The company patched it in November 2024. Dark web intelligence services vendor Searchlight Cyber's Assetnote team investigated the patch for CVE-2024-9474 and found another authentication bypass.

Palo Alto (PAN) last week fixed that problem, CVE-2025-0108, and rated it a highest urgency patch as the 8.8/10 flaw addressed an access control issue in PAN-OS's web management interface that allowed an unauthenticated attacker with network access to the management web interface to bypass authentication "and invoke certain PHP scripts." Those scripts could "negatively impact integrity and confidentiality of PAN-OS."

The third flaw is CVE-2025-0111 a 7.1-rated mess also patched last week to stop authenticated attackers with network access to PAN-OS machines using their web interface to read files accessible to the "nobody" user. On Tuesday, US time, Palo A lot updated its advisory for CVE-2025-0108 with news that it's observed exploit attempts chaining CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. The vendor's not explained how the three flaws are chained but we understand doing so allows an attacker to gain more powerful privileges and gain full root access to the firewall.
PAN is urging users to upgrade their PAN-OS operating systems to versions 10.1, 10.2, 11.0, 11.1, and 11.2. A general hotfix is expected by Thursday or sooner, notes the Register.
United States

US Army Soldier Pleads Guilty To AT&T and Verizon Hacks (techcrunch.com) 21

Cameron John Wagenius pleaded guilty to hacking AT&T and Verizon and stealing a massive trove of phone records from the companies, according to court records filed on Wednesday. From a report: Wagenius, who was a U.S. Army soldier, pleaded guilty to two counts of "unlawful transfer of confidential phone records information" on an online forum and via an online communications platform.

According to a document filed by Wagenius' lawyer, he faces a maximum fine of $250,000 and prison time of up to 10 years for each of the two counts. Wagenius was arrested and indicted last year. In January, U.S. prosecutors confirmed that the charges brought against Wagenius were linked to the indictment of Connor Moucka and John Binns, two alleged hackers whom the U.S. government accused of several data breaches against cloud computing services company Snowflake, which were among the worst hacks of 2024.

Security

Hackers Planted a Steam Game With Malware To Steal Gamers' Passwords 31

Valve removed the game PirateFi from Steam after discovering it was laced with the Vidar infostealer malware, designed to steal sensitive user data such as passwords, cookies, cryptocurrency wallets, and more. TechCrunch reports: Marius Genheimer, a researcher who analyzed the malware and works at SECUINFRA Falcon Team, told TechCrunch that judging by the command and control servers associated with the malware and its configuration, "we suspect that PirateFi was just one of multiple tactics used to distribute Vidar payloads en masse." "It is highly likely that it never was a legitimate, running game that was altered after first publication," said Genheimer. In other words, PirateFi was designed to spread malware.

Genheimer and colleagues also found that PirateFi was built by modifying an existing game template called Easy Survival RPG, which bills itself as a game-making app that "gives you everything you need to develop your own singleplayer or multiplayer" game. The game maker costs between $399 and $1,099 to license. This explains how the hackers were able to ship a functioning video game with their malware with little effort.

According to Genheimer, the Vidar infostealing malware is capable of stealing and exfiltrating several types of data from the computers it infects, including: passwords from the web browser autofill feature, session cookies that can be used to log in as someone without needing their password, web browser history, cryptocurrency wallet details, screenshots, and two-factor codes from certain token generators, as well as other files on the person's computer.
Software

'Uber For Armed Guards' Rushes To Market 72

An anonymous reader quotes a report from Gizmodo: Protector, an app that lets you book armed goons the same way you'd call for an Uber, is having a viral moment. The app started doing the rounds on social media after consultant Nikita Bier posted about it on X. Protector lets the user book armed guards on demand. Right now it's only available in NYC and LA. According to its marketing, every guard is either "active duty or retired law enforcement and military." Every booking comes with a motorcade and users get to select the number of Escalades that'll be joining them as well as the uniforms their hired goons will wear.

Protector is currently "#7 in Travel" on Apple's App Store. It's not available for people who use Android devices. [...] The marketing for Protector, which lives on its X account, is surreal. A series of robust and barrel-chested men in ill-fitting black suits deliver their credentials to the camera while sitting in front of a black background. They're all operators. They describe careers in SWAT teams and being deployed to war zones. They show vanity shots of themselves kitted out in operator gear. All of them have a red lapel pin bearing the symbol of Protector.
If the late UnitedHealthcare CEO had used Protector, he might still be alive today, suggests Protector in its marketing materials. A video on X shows "several fantasy versions of the assassination where a Protector is on hand to prevent the assassin from killing the CEO," reports Gizmodo.

The app is a product from parent company Protector Security Solutions, which was founded by Nick Sarath, a former product designer at Meta.

Slashdot Top Deals