Ransomware Attackers Quickly Weaponize PHP Vulnerability With 9.8 Severity Rating
CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is extremely rare, with the exception of the XAMPP platform, which uses it by default. An additional requirement appears to be that the Windows locale — used to personalize the OS to the local language of the user — must be set to either Chinese or Japanese.
The critical vulnerability was published on June 6, along with a security patch. Within 24 hours, threat actors were exploiting it to install TellYouThePass, researchers from security firm Imperva reported Monday. The exploits executed code that used the mshta.exe Windows binary to run an HTML application file hosted on an attacker-controlled server. Use of the binary indicated an approach known as living off the land, in which attackers use native OS functionalities and tools in an attempt to blend in with normal, non-malicious activity.
In a post published Friday, Censys researchers said that the exploitation by the TellYouThePass gang started on June 7 and mirrored past incidents in which attackers opportunistically mass scan the Internet for vulnerable systems following a high-profile vulnerability and indiscriminately target any accessible server. The vast majority of the infected servers have IP addresses geolocated to China, Taiwan, Hong Kong, or Japan, likely stemming from the fact that Chinese and Japanese locales are the only ones confirmed to be vulnerable, Censys researchers said in an email. Since then, the number of infected sites — detected by observing the public-facing HTTP response serving an open directory listing showing the server’s filesystem, along with the distinctive file-naming convention of the ransom note — has fluctuated from a low of 670 on June 8 to a high of 1,800 on Monday. Censys researchers said in an email that they’re not entirely sure what’s causing the changing numbers.
Read more of this story at Slashdot.
Electricity Bills Forecasted To Climb With Summer Heat
To be sure, the EIA says that weather is “the main source of uncertainty” in its forecasts for folks’ utility bills. If this summer winds up being hotter than expected, households could wind up paying even more. Residential electricity use typically peaks in the summer for most of the US because of air conditioning. Extreme heat can even trigger power outages if demand suddenly rises too sharply. California, the Southwest, the Midwest, Texas, and New England are at “elevated risk” of electricity supply shortages during any extreme weather this summer, according to an assessment (PDF) by the North American Electric Reliability Corporation.
OIN Expands Linux Patent Protection Yet Again (But Not To AI)
This latest update extends OIN’s existing patent risk mitigation efforts to cloud-native computing and enterprise software. In the cloud computing realm, OIN has added patent coverage for projects such as Istio, Falco, Argo, Grafana, and Spire. For enterprise computing, packages such as Apache Atlas and Apache Solr — used for data management and search at scale, respectively — are now protected. The update also enhances patent protection for the Internet of Things (IoT), networking, and automotive technologies. OpenThread and packages such as agl-compositor and kuksa.val have been added to the Linux System definition. In the embedded systems space, OIN has supplemented its coverage of technologies like OpenEmbedded by adding OpenAMP and Matter, the home IoT standard. OIN has included open hardware development tools such as Edalize, cocotb, Amaranth, and Migen, building upon its existing coverage of hardware design tools like Verilator and FuseSoC.
Keith Bergelt, OIN’s CEO, emphasized the importance of this update, stating, “Linux and other open-source software projects continue to accelerate the pace of innovation across a growing number of industries. By design, periodic expansion of OIN’s Linux System definition enables OIN to keep pace with OSS’s growth.” […] Looking ahead, Bergelt said, “We made this conscious decision not to include AI. It’s so dynamic. We wait until we see what AI programs have significant usage and adoption levels.” This is how the OIN has always worked. The consortium takes its time to ensure it extends its protection to projects that will be around for the long haul. The OIN practices patent non-aggression in core Linux and adjacent open-source technologies by cross-licensing their Linux System patents to one another on a royalty-free basis. When OIN signees are attacked because of their patents, the OIN can spring into action.
A Growing Number of Americans Are Getting Their News From TikTok
Google’s Privacy Sandbox Accused of Misleading Chrome Browser Users
However, according to noyb, the problem is that although Privacy Sandbox is advertised as an improvement over third-party tracking, that tracking doesn’t go away. Instead, it is done within the browser by Google itself. To comply with the rules, Google needs informed consent from users, which is where issues start. Noyb wrote today: “Google’s internal browser tracking was introduced to users via a pop-up that said ‘turn on ad privacy feature’ after opening the Chrome browser. In the European Union, users are given the choice to either ‘Turn it on’ or to say ‘No thanks,’ so to refuse consent.” Users would be forgiven for thinking that ‘turn on ad privacy feature’ would protect them from tracking. However, what it actually does is turn on first-party tracking.
Max Schrems, honorary chairman of noyb, claimed: “Google has simply lied to its users. People thought they were agreeing to a privacy feature, but were tricked into accepting Google’s first-party ad tracking. Consent has to be informed, transparent, and fair to be legal. Google has done the exact opposite.” Noyb noted that Google had argued “choosing to click on ‘Turn it on’ would indeed be considered consent to tracking under Article 6(1)(a) of the GDPR.”