Month: June 2019

Enlarge (credit: Michael Theis / Flickr)

Millions of Internet-connected machines running the open source Exim mail server may be vulnerable to a newly disclosed vulnerability that, in some cases, allows unauthenticated attackers to execute commands with all-powerful root privileges.

The flaw, which dates back to version 4.87 released in April 2016, is trivially exploitable by local users with a low-privileged account on a vulnerable system running with default settings. All that's required is for the person to send an email to "${run{...}}@localhost," where "localhost" is an existing local domain on a vulnerable Exim installation. With that, attackers can execute commands of their choice that run with root privileges.

The command execution flaw is also exploitable remotely, albeit with some restrictions. The most likely scenario for remote exploits is when default settings have been made such as:

Enlarge (credit: Garrett Ziegler / Flickr)

One of the more obvious risks of climate change is an increased frequency of extreme heatwaves. Particularly in cities, heatwaves can be more than sticky and unpleasant—they can be deadly.

The emissions cuts pledged so far in the international Paris Agreement in 2015—if followed through—would limit global warming to the neighborhood of 3°C. That won't prevent an increase in deaths due to heatwaves, but just how much worse is 3°C than the international goals of stopping warming at 2°C or event 1.5°C?

To find out, a team led by Eunice Lo at the University of Bristol analyzed the relationship between extreme summer temperatures and deaths for 15 US cities with data: Atlanta, Boston, Chicago, Dallas, Detroit, Houston, Los Angeles, Miami, New York City, Philadelphia, Phoenix, San Francisco, Seattle, St. Louis, and Washington DC.

BROOKLYN, NY - JUNE 04: Anti-vaccine activist Del Bigtree speaks with journalists before entering an anti-vaccine symposium on June 4, 2019. (credit: Getty | The Washington Post)

Prominent anti-vaccine advocates and conspiracy theorists held another rally of misinformation in New York Tuesday as the national tally of measles cases ticked passed 1,000.

The rally was held at an event hall in Brooklyn, an area hard hit by a measles outbreak that began last September. There have been 566 confirmed cases in New York City since then, mostly in unvaccinated children in the Orthodox Jewish community.

The rally—the second of its kind in New York in recent weeks—is part of a pattern of anti-vaccine groups targeting vulnerable communities that are grappling with outbreaks. Like the previous rally, Tuesday’s event featured Rabbi Hillel Handler and Del Bigtree, both prominent anti-vaccine provocateurs known for fear mongering and spreading myths about lifesaving immunizations.

Enlarge (credit: Getty Images | MassimoVernicesole)

The Federal Communications Commission today voted to let phone companies block robocalls by default even when consumers have not opted in to robocall-blocking services.

The FCC said it "approved a Declaratory Ruling to affirm that voice service providers may, as the default, block unwanted calls based on reasonable call analytics, as long as their customers are informed and have the opportunity to opt out of the blocking."

Phone providers already block robocalls on an opt-in basis, sometimes charging consumers for the blocking services. FCC Chairman Ajit Pai says the commission's rules were vague as to whether robocall blocking is legal on an opt-out basis but that today's ruling will fix that problem.

Enlarge (credit: Blizzard Entertainment)

On Wednesday, a vague tweet from a Blizzard game developer hinted at a canceled game project that fans would "never see," then announced his departure from the company. As questions started flying over what that game was, Kotaku super-reporter Jason Schreier showed up one day later with the scoop: the canceled game, which had been in development for two years, was a first-person shooter set in the StarCraft universe.

In addition to citing "three people familiar with goings-on," Schreier received a lengthy official response from Blizzard on Thursday that did not deny the game's existence and cancellation. It reads, in part: "As has been the case at Blizzard numerous times in the past, there is always the possibility that we'll make the decision to not move forward on a given project."

This project, which Schreier says was codenamed "Ares" within Blizzard, began as a Battlefield-like campaign against the series' Zerg aliens whose initial prototypes put players in control of a "Terran marine." The Schreier report says that the team had planned to put players in control of Zerg aliens, as well—but the fact that such content was only hinted at, as opposed to being internally playable, may point to how far along the game had gotten.

(credit: Alexandre Dulaunoy / Flickr)

Criminals in 2017 managed to get an advanced backdoor preinstalled on Android devices before they left the factories of manufacturers, Google researchers confirmed on Thursday.

Triada first came to light in 2016 in articles published by Kaspersky here and here, the first of which said the malware was "one of the most advanced mobile Trojans" the security firm's analysts had ever encountered. Once installed, Triada's chief purpose was to install apps that could be used to send spam and display ads. It employed an impressive kit of tools, including rooting exploits that bypassed security protections built into Android and the means to modify the Android OS' all-powerful Zygote process. That meant the malware could directly tamper with every installed app. Triada also connected to no fewer than 17 command and control servers.

In July 2017, security firm Dr. Web reported that its researchers had found Triada built into the firmware of several Android devices, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20. The attackers used the backdoor to surreptitiously download and install modules. Because the backdoor was embedded into one of the OS libraries and located in the system section, it couldn't be deleted using standard methods, the report said.

• 

  I thought LA had its smog problem under better control. [credit: Larian Studios ]

After the game's existence was hinted at months ago and all but confirmed via website source scouring last week, Larian Studios officially announced it is working on Baldur's Gate III today, nearly 19 years after the release of BioWare's Baldur's Gate II.

If you recognize the Belgian Larian Studios name, it's probably because of the Divinity series of computer RPGs, reborn in recent years as the critically and commercially successful Divinity: Original Sin series.

The Larian team is also working "in close collaboration with the Dungeons & Dragons team at Wizards of the Coast," according to a press release.