Google’s New Bug Bounties Include Their Custom Linux Kernel’s Experimental Security Mitigations

Google uses Linux “in almost everything,” according to the leader of Google’s “product security response” team — including Chromebooks, Android smartphones, and even Google Cloud.

“Because of this, we have heavily invested in Linux’s security — and today, we’re announcing how we’re building on those investments and increasing our rewards.”

In 2020, we launched an open-source Kubernetes-based Capture-the-Flag (CTF) project called, kCTF. The kCTF Vulnerability Rewards Program lets researchers connect to our Google Kubernetes Engine (GKE) instances, and if they can hack it, they get a flag, and are potentially rewarded.

All of GKE and its dependencies are in scope, but every flag caught so far has been a container breakout through a Linux kernel vulnerability.

We’ve learned that finding and exploiting heap memory corruption vulnerabilities in the Linux kernel could be made a lot harder. Unfortunately, security mitigations are often hard to quantify, however, we think we’ve found a way to do so concretely going forward….

First, we are indefinitely extending the increased reward amounts we announced earlier this year, meaning we’ll continue to pay $20,000 — $91,337 USD for vulnerabilities on our lab kCTF deployment to reward the important work being done to understand and improve kernel security. This is in addition to our existing patch rewards for proactive security improvements.

Second, we’re launching new instances with additional rewards to evaluate the latest Linux kernel stable image as well as new experimental mitigations in a custom kernel we’ve built. Rather than simply learning about the current state of the stable kernels, the new instances will be used to ask the community to help us evaluate the value of both our latest and more experimental security mitigations. Today, we are starting with a set of mitigations we believe will make most of the vulnerabilities (9/10 vulns and 10/13 exploits) we received this past year more difficult to exploit. For new exploits of vulnerabilities submitted which also compromise the latest Linux kernel, we will pay an additional $21,000 USD. For those which compromise our custom Linux kernel with our experimental mitigations, the reward will be another $21,000 USD (if they are clearly bypassing the mitigations we are testing). This brings the total rewards up to a maximum of $133,337 USD.

We hope this will allow us to learn more about how hard (or easy) it is to bypass our experimental mitigations…..

With the kCTF VRP program, we are building a pipeline to analyze, experiment, measure and build security mitigations to make the Linux kernel as safe as we can with the help of the security community. We hope that, over time, we will be able to make security mitigations that make exploitation of Linux kernel vulnerabilities as hard as possible.

“We don’t care about vulnerabilities; we care about exploits,” Vela told the Register. “We expect the vulnerabilities are there, they will get patched, and that’s nice and all. But the whole idea is what do to beyond just patching a couple of vulnerabilities.”
In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VPRs last year. “We are just one actor in the whole community that happens to have economic resources, financial resources, but we need the community to help us make the Kernel better,” Vela said.

“If the community is engaged and helps us validate the mitigations that we have, then, we will continue growing on top of that. But the whole idea is that we need to see where the community wants us to go with this….”

[I]t’s not always about the cash payout, according to Vela, and different bug hunters have different motivations. Some want money, some want fame and some just want to solve an interesting problem, Vela said. “We are trying to find the right combination to captivate people.”

Read more of this story at Slashdot.

Google Docs Crashes On Seeing ‘And. And. And. And. And.’

A bug in Google Docs is causing it to crash when a series of words are typed into a document opened with the online word processor. BleepingComputer reports: It’s official — Google Docs crashes at the sight of “And. And. And. And. And.” when the “Show grammar suggestion” is turned on. A Google Docs user, Pat Needham brought up the issue on Google Docs Editors Help forum. […] Another user, Sergii Dymchenko, said strings like “But. But. But. But. But.” triggered the same response. Some also noticed putting any of the terms like “Also, Therefore, And, Anyway, But, Who, Why, Besides, However,” in the same format achieved the outcome.

Once crashed, you may not be able to easily re-access the document as doing so would trigger the crash again. BleepingComputer was able to reproduce the issue last night and reached out to Google. Google told us it is aware of the bug and working on a fix. […] Until Google has an answer as to what causes this problem, it might be wise to turn off grammar suggestions by navigating to Tools, Spelling and grammar and unticking ‘Show grammar suggestions.’ If the bug has already been triggered and you’re locked out of the Google Doc in question, there might be a workaround. Use the Google Docs mobile app to access the document, remove the offending words and the file should now open up gracefully on your Google Docs web version too.

Read more of this story at Slashdot.

ExpressVPN Offering $100,000 To First Person Who Hacks Its Servers

ExpressVPN has updated its bug bounty program to make it more inviting to ethical hackers, now offering a one-time $100,000 bug bounty to whoever can compromise its systems. Bleeping Computer reports: Today, ExpressVPN announced that they are now offering a $100,000 bug bounty for critical vulnerabilities in their in-house technology, TrustedServer. “This is the highest single bounty offered on the Bugcrowd platform and 10 times higher than the top reward previously offered by ExpressVPN,” the company shared in an email to BleepingComputer. The new $100,000 one-time bounty is offered with the following conditions:

– The first person to submit a valid vulnerability, granting unauthorized access or exposing customer data, will receive the $100,000 bounty. This one-time bonus is valid until the prize has been claimed.
– The one-time $100,000 bounty is only eligible for vulnerabilities in ExpressVPN’s VPN Server.
– Activities should remain in scope to the TrustedServer platform. If unsure that your testing is considered in-scope, please reach out to support@bugcrowd.com to confirm first.

ExpressVPN also invites security researchers to uncover possible ways to leak the actual IP address of clients and monitor user traffic. The bug bounty program is run through BugCrowd, which offers a safe harbor for researchers who attempt to breach ExpressVPN’s servers as part of the program.

Read more of this story at Slashdot.

T-Mobile Says It Has ‘Not Broadly Blocked’ iCloud Private Relay, Blames iOS 15.2 Bug For Errors

T-Mobile has officially acknowledged a bug that has blocked some subscribers from using iCloud Private Relay when connected to cellular networking. In a statement to 9to5Mac, T-Mobile blamed this situation on a bug in iOS 15.2 and said that it has “not broadly blocked” iCloud Private Relay. From the report: It’s also important to note that this bug is not only affecting T-Mobile subscribers, as the company says in its statement. Instead, it’s a bug that seems to affect iOS 15.2 broadly rather than T-Mobile specifically. The issue is also still present in the latest release of iOS 15.3 beta. The full statement reads: “Overnight our team identified that in the 15.2 iOS release, some device settings default to the feature being toggled off. We have shared this with Apple. This is not specific to T-Mobile. Again though, we have not broadly blocked iCloud Phone Relay.”

A solution to the problem that has worked for 9to5Mac in testing is to go to Settings, then choose Cellular, then choose your plan, and ensure that “Limit IP Address Tracking” is enabled. Make sure to complete these steps while WiFi is disabled and you are connected to your cellular network. T-Mobile has, however, acknowledged that are situations in which it is required to block iCloud Private Relay due to technical reasons. Namely, if your account or line has content moderation features or parental controls enabled, you will be unable to use iCloud Private Relay when connected to cellular. […] A source has also confirmed to 9to5Mac that this also applies to certain legacy plans that include the Netflix on Us perk and have Family Allowances enabled.

Read more of this story at Slashdot.

‘Year 2022’ Bug Breaks Email Delivery For Microsoft Exchange On-Premise Servers

Kalper (Slashdot reader #57,281) shares news from Bleeping Computer:

Microsoft Exchange on-premise servers cannot deliver email starting on January 1st, 2022, due to a “Year 2022” bug in the FIP-FS anti-malware scanning engine.

Starting with Exchange Server 2013, Microsoft enabled the FIP-FS anti-spam and anti-malware scanning engine by default to protect users from malicious email. According to numerous reports from Microsoft Exchange admins worldwide, a bug in the FIP-FS engine is blocking email delivery with on-premise servers starting at midnight on January 1st, 2022.

Security researcher and Exchange admin Joseph Roosen said that this is caused by Microsoft using a signed int32 variable to store the value of a date, which has a maximum value of 2,147,483,647. However, dates in 2022 have a minimum value of 2,201,010,001 or larger, which is greater than the maximum value that can be stored in the signed int32 variable, causing the scanning engine to fail and not release mail for delivery. When this bug is triggered, an 1106 error will appear in the Exchange Server’s Event Log stating, “The FIP-FS Scan Process failed initialization. Error: 0x8004005. Error Details: Unspecified Error” or “Error Code: 0x80004005. Error Description: Can’t convert “2201010001” to long.” Microsoft will need to release an Exchange Server update that uses a larger variable to hold the date to officially fix this bug.

However, for on-premise Exchange Servers currently affected, admins have found that you can disable the FIP-FS scanning engine to allow email to start delivering again… Unfortunately, with this unofficial fix, delivered mail will no longer be scanned by Microsoft’s scanning engine, leading to more malicious emails and spam getting through to users.

Read more of this story at Slashdot.