Slashdot security articles


NYC Has Hired Hackers To Hit Back at Stalkerware

Thu, 08/15/2019 - 07:30
Abusers leverage high-tech tools in the oldest of crimes, stalking their victims through tools like Facebook Messenger and Apple Maps. They spy on their targets through stalkerware apps and Amazon Alexas. But hackers are now teaming up with victim advocates to catch up. From a report: In a pilot study the New York City government has been running since 2018, technologists work in collaboration with the Mayor's Office to End Domestic and Gender-Based Violence to offer practical computer security and privacy services to survivors of intimate partner violence. The program, which involves a team of academics from Cornell Tech and New York University, has already seen early success and is growing, Cornell Tech's Sam Havron said on Wednesday at the USENIX Security Symposium in Santa Clara, California. There are hundreds of apps sold on the market today that stalkers use to track a victim's location, secretly record voice audio, steal text messages, or engage in other illegal surveillance. Since November 2018, the New York-based technologists have met with 44 clients and have discovered that 23 of them may have been targeted by spyware, account compromise, or exploitable misconfigurations. Over half the victim cases have connections to digital abuse, according to a newly published paper, "Clinical Computer Security for Victims of Intimate Partner Violence."

The Fashion Line Designed To Trick Surveillance Cameras

Wed, 08/14/2019 - 18:10
Freshly Exhumed shares a report from The Guardian: Automatic license plate readers, which use networked surveillance cameras and simple image recognition to track the movements of cars around a city, may have met their match, in the form of a T-shirt. Or a dress. Or a hoodie. The anti-surveillance garments were revealed at the DefCon cybersecurity conference in Las Vegas on Saturday by the hacker and fashion designer Kate Rose, who presented the inaugural collection of her Adversarial Fashion line. To human eyes, Rose's fourth amendment T-shirt contains the words of the fourth amendment to the U.S. constitution in bold yellow letters. The amendment, which protects Americans from "unreasonable searches and seizures," has been an important defense against many forms of government surveillance: in 2012, for instance, the U.S. supreme court ruled that it prevented police departments from hiding GPS trackers on cars without a warrant. But to an automatic license plate reader (ALPR) system, the shirt is a collection of license plates, and they will get added to the license plate reader's database just like any others it sees. The intention is to make deploying that sort of surveillance less effective, more expensive, and harder to use without human oversight, in order to slow down the transition to what Rose calls "visual personally identifying data collection." "It's a highly invasive mass surveillance system that invades every part of our lives, collecting thousands of plates a minute. But if it's able to be fooled by fabric, then maybe we shouldn't have a system that hangs things of great importance on it," she said.

Researchers Found World-Readable Database Used To Secure Buildings Around the Globe

Wed, 08/14/2019 - 17:30
Researchers said they have found a publicly accessible database containing almost 28 million records -- including plain-text passwords, face photos, and personal information -- that was used to secure buildings around the world. Ars Technica reports: Researchers from vpnMentor reported on Wednesday that the database was used by the Web-based Biostar 2 security system sold by South Korea-based Suprema. Biostar uses facial recognition and fingerprint scans to identify people authorized to enter warehouses, municipal buildings, businesses, and banks. vpnMentor said the system has more than 1.5 million installations in a wide range of countries including the U.S., the UK, Indonesia, India, and Sri Lanka. According to vpnMentor, the 23-gigabyte database contained more than 27.8 million records used by Biostar to secure customer facilities. The data included usernames, passwords and user IDs in plaintext, building access logs, employee records including start dates, personal details, mobile device data, and face images. The researchers said the data also included more than 1 million records containing actual fingerprint scans, but the report provided no data to support the claim. "The vpnMentor researchers said they discovered the exposed database on August 5 and privately reported the finding two days later," reports Ars Technica. "The data wasn't secured until Tuesday, six days later."

Credit Karma Glitch Exposed Users To Other People's Accounts

Wed, 08/14/2019 - 15:30
Users of credit monitoring site Credit Karma have taken to Reddit and Twitter to complain that they were served other people's account information when they logged in. TechCrunch has confirmed several screenshots that show other people's accounts, including details about their credit card accounts and their current balance. When contacted, a Credit Karma spokesperson said these users "experienced a technical malfunction that has now been fixed," and that there's "no evidence of a data breach." The company didn't say for how long customers were experiencing issues. TechCrunch reports: One user told TechCrunch that after they were served another person's full credit report, they messaged the user on LinkedIn "to let him know his data was compromised." Another user told us this: "The reports are split into two sections: Credit Factors -- things like number of accounts, inquiries, utilization; and Credit Reports -- personal information like name, address, etc. The Credit Reports section was my own information, but the Credit Factors section definitely wasn't. It listed four credit card accounts (I have more like 20 on my report), a missed payment (I'm 100% on time with payments), a Honda auto loan (never had one with Honda), student loan financing (mine are paid off and too old to appear on my report), and cards with an issuer that I have no relationship with (Discover)." Another user who was affected said they could read another person's Credit Factors -- including derogatory credit marks -- but that the Credit Report tab with that user's personal information, like names and addresses, was blank. One user said that the login page was pulled offline for a brief period. "We'll be right back," the login page read instead.

The Video Game Industry Claims Its Products Avoid Politics, But That's a Lie.

Wed, 08/14/2019 - 11:23
Josh Tucker, writing for The Outline: Retired Lieutenant Colonel Oliver North was a Marine platoon commander in Vietnam, a U.S. Senate candidate, and eventually, a National Rifle Association president. At the National Security Council under Ronald Reagan, he helped manage a number of violent imperial operations, including the U.S. invasion of Grenada. Due to televised hearings in the Summer of 1987 where he gave horrifying testimony about the things that he and the United States government had allegedly done, he is probably best known for his role in the Iran-Contra scandal. Alternatively, you might instead recognize North as a minor character from Call of Duty: Black Ops II. In the game, he makes an appearance, service ribbons and all, to talk a retired Alex Mason -- the game's protagonist -- into joining a covert mission in Angola. The cameo was accompanied by North's role as an advisor and pitchman for the 2012 title. It was very bizarre, and, according to the developers, not at all political. In an interview with Treyarch head Mark Lamia, Kotaku's Stephen Totilo asked if the studio had expected the controversy around using North as a consultant. "We're not trying to make a political statement with our game," Lamia responded. "We're trying to make a piece of art and entertainment." This answer would be farcical under any circumstances, but to be clear, Black Ops II was already a jingoistic first-person shooter in a series full of dubious storylines and straight-up propaganda. Its writer and director, Dave Anthony, would later go on to a fellowship at D.C.'s Atlantic Council, advising on "The Future of Unknown Conflict." Regardless, Lamia felt comfortable insisting on record that there was nothing political about getting the Iran-Contra fall guy to shill for its game. In the time since, this brazen corporate line has become the standard for blockbuster games, including the upcoming Call of Duty: Modern Warfare. "Are games political?" continues to be exhaustingly rehashed, because game companies continue to sell an apolitical delusion.

Major Breach Found in Biometrics System Used By Banks, UK Police and Defence Firms

Wed, 08/14/2019 - 08:42
The fingerprints of over 1 million people, as well as facial recognition information, unencrypted usernames and passwords, and personal information of employees, were discovered on a publicly accessible database for a company used by the likes of the UK Metropolitan police, defence contractors and banks, The Guardian reported Wednesday. From the report: Suprema is the security company responsible for the web-based Biostar 2 biometrics lock system that allows centralised control for access to secure facilities like warehouses or office buildings. Biostar 2 uses fingerprints and facial recognition as part of its means of identifying people attempting to gain access to buildings. Last month, Suprema announced its Biostar 2 platform was integrated into another access control system -- AEOS. AEOS is used by 5,700 organisations in 83 countries, including governments, banks and the UK Metropolitan police. The Israeli security researchers Noam Rotem and Ran Locar working with vpnmentor, a service that reviews virtual private network services, have been running a side project to scan ports looking for familiar IP blocks, and then use these blocks to find holes in companies' systems that could potentially lead to data breaches. In a search last week, the researchers found Biostar 2's database was unprotected and mostly unencrypted. They were able to search the database by manipulating the URL search criteria in Elasticsearch to gain access to data.

Huawei Technicians Helped African Governments Spy on Political Opponents

Wed, 08/14/2019 - 08:02
phalse phace writes: A WSJ investigation appears to have uncovered multiple instances where the African governments in Uganda and Zambia, with the help of Huawei technicians, used Huawei's communications equipment to spy on and censor political opponents and their citizens. From the report, writes phalse phace: Huawei Technologies dominates African markets, where it has sold security tools that governments use for digital surveillance and censorship. But Huawei employees have provided other services, not disclosed publicly. Technicians from the Chinese powerhouse have, in at least two cases, personally helped African governments spy on their political opponents, including intercepting their encrypted communications and social media, and using cell data to track their whereabouts, according to senior security officials working directly with the Huawei employees in these countries. It should be noted that while the findings "show how Huawei employees have used the company's technology and other companies' products to support the domestic spying of those governments," the investigation didn't turn up evidence of spying by or on behalf of Beijing in Africa. Nor did it find that Huawei executives in China knew of, directed or approved the activities described. It also didn't find that there was something particular about the technology in Huawei's network that made such activities possible. Details of the operations, however, offer evidence that Huawei employees played a direct role in government efforts to intercept the private communications of opponents.

Cray Is Building a Supercomputer To Manage the US' Nuclear Stockpile

Wed, 08/14/2019 - 05:00
An anonymous reader quotes a report from Engadget: The U.S. Department of Energy (DOE) and National Nuclear Security Administration (NNSA) have announced they've signed a contract with Cray Computing for the NNSA's first exascale supercomputer, "El Capitan." El Capitan's job will be to perform essential functions for the Stockpile Stewardship Program, which supports U.S. national security missions in ensuring the safety, security and effectiveness of the nation's nuclear stockpile in the absence of underground testing. Developed as part of the second phase of the Collaboration of Oak Ridge, Argonne and Livermore (CORAL-2) procurement, the computer will be used to make critical assessments necessary for addressing evolving threats to national security and other issues such as non-proliferation and nuclear counterterrorism. El Capitan will have a peak performance of more than 1.5 exaflops -- which is 1.5 quintillion calculations per second. It'll run applications 50 times faster than Lawrence Livermore National Laboratory's (LLNL) Sequoia system and 10 times faster than its Sierra system, which is currently the world's second most powerful supercomputer. It'll be four times more energy efficient than Sierra, too. The $600 million El Capitan is expected to go into production by late 2023. "NNSA is modernizing the Nuclear Security Enterprise to face 21st century threats," said Lisa E Gordon-Hagerty, DOE undersecretary for nuclear security and NNSA administrator. "El Capitan will allow us to be more responsive, innovative and forward-thinking when it comes to maintaining a nuclear deterrent that is second-to-none in a rapidly-evolving threat environment."

Researcher Makes Legit-Looking iPhone Lightning Cables That Will Hijack Your Computer

Tue, 08/13/2019 - 16:45
A researcher known as MG has modified Lightning cables with extra components to let him remotely connect to the computers that the cables are connected to. "It looks like a legitimate cable and works just like one. Not even your computer will notice a difference. Until I, as an attacker, wirelessly take control of the cable," MG said. Motherboard reports: One idea is to take this malicious tool, dubbed O.MG Cable, and swap it for a target's legitimate one. MG suggested you may even give the malicious version as a gift to the target -- the cables even come with some of the correct little pieces of packaging holding them together. MG typed in the IP address of the fake cable on his own phone's browser, and was presented with a list of options, such as opening a terminal on my Mac. From here, a hacker can run all sorts of tools on the victim's computer. The cable comes with various payloads, or scripts and commands that an attacker can run on the victim's machine. A hacker can also remotely "kill" the USB implant, hopefully hiding some evidence of its use or existence. MG made the cables by hand, painstakingly modifying real Apple cables to include the implant. "In the end, I was able to create 100 percent of the implant in my kitchen and then integrate it into a cable. And these prototypes at Def con were mostly done the same way," he said. MG did point to other researchers who worked on the implant and graphical user interface. He is selling the cables for $200 each.

Vulnerability in Microsoft CTF Protocol Goes Back To Windows XP

Tue, 08/13/2019 - 12:42
CTF, a little-known Microsoft protocol used by all Windows operating system versions since Windows XP, is insecure and can be exploited with ease. From a report: According to Tavis Ormandy, a security researcher with Google's Project Zero elite security team and the one who discovered the buggy protocol, hackers or malware that already have a foothold on a user's computer can use the protocol to take over any app, high-privileged applications, or the entire OS, as a whole. Currently, there are no patches for these bugs, and a quick fix isn't expected, as the vulnerabilities are deeply ingrained in the protocol and its design. What CTF stands for is currently unknown. Even Ormandy, a well-known security researcher, wasn't able to find what it means in all of Microsoft's documentation. What Ormandy found out was that CTF is part of the Windows Text Services Framework (TSF), the system that manages the text shown inside Windows and Windows applications. When users start an app, Windows also starts a CTF client for that app. The CTF client receives instructions from a CTF server about the OS system language and the keyboard input methods. It is unclear how Microsoft will patch the CTF problem.

Tesla Owner Implants RFID Chip From Her Model 3's Keycard Into Her Arm

Mon, 08/12/2019 - 18:10
A Tesla driver figured out a way to implant the RFID tag from her Model 3's keycard into her forearm. Now, all she needs to do to unlock and turn on her car is to hold her forearm near the console -- no physical key fob or smartphone required. The Verge reports: Amie DD is a software engineer and self-described "maker of things." In a video, she explained that she had implanted an RFID tag in her arm years ago, which she had used to open her home's front door and to send a smartphone's browser to her personal website. When she preordered her Model 3, she realized that she could probably do something similar with the keycard. She didn't have any luck transferring the software to her existing chip, so she decided to extract the card's chip and implant that into her arm. To do that, she dissolved the card using acetone, and had it encased in a biopolymer. From there, she went to a body-modification studio to have the chip (about the size of a Lego mini-figure) implanted into her forearm. In another video (warning, there's some blood), she shows off the implantation. She also documented her process on Hackaday. She told The Verge that the chip does work, but the range from her arm to the console "isn't the greatest." It's only about an inch, but she's hoping that it'll improve as the swelling of her arm goes down.

Russia Says New Weapon Blew Up In Nuclear Accident Last Week

Mon, 08/12/2019 - 16:52
An anonymous reader quotes a report from Bloomberg: The failed missile test that ended in an explosion killing five atomic scientists last week on Russia's White Sea involved a small nuclear power source, according to a top official at the institute where they worked. The men "tragically died while testing a new special device," Alexei Likhachev, the chief executive officer of state nuclear monopoly Rosatom, said at their funeral Monday in Sarov, a high-security city devoted to atomic research less than 400 kilometers (250 miles) east of Moscow where the institute is based. The part of the Russian Federal Nuclear Center that employed them is developing small-scale power sources that use "radioactive materials, including fissile and radioisotope materials" for the Defense Ministry and civilian uses, Vyacheslav Soloviev, scientific director of the institute, said in a video shown by local TV. The blast occurred Aug. 8 during a test of a missile engine that used "isotope power sources" on an offshore platform in the Arkhangelsk region, close to the Arctic Circle, Rosatom said over the weekend. The Defense Ministry initially reported two were killed in the accident, which it said involved testing of a liquid-fueled missile engine. The ministry didn't mention the nuclear element. It caused a brief spike in radiation in the nearby port city of Severodvinsk, according to a statement on the local administration's website that was later removed. A Sarov institute official on the video posted Sunday said radiation levels jumped to double normal levels for less than an hour and no lasting contamination was detected. The Russian military said radiation levels were normal but disclosed few details about the incident. There's speculation that the weapon being tested was the SSC-X-9 Skyfall, known in Russia as the Burevestnik, a nuclear-powered cruise missile that President Vladimir Putin introduced last year.

Ring Told People To Snitch On Their Neighbors In Exchange For Free Stuff

Mon, 08/12/2019 - 16:12
popcornfan679 shares a report from Motherboard: Ring, Amazon's home security company, has encouraged people to form their own "Digital Neighborhood Watch" groups that report crime in exchange for free or discounted Ring products, according to an internal company slide presentation obtained by Motherboard. The slide presentation -- which is titled "Digital Neighborhood Watch" and was created in 2017, according to Ring -- tells people that if they set up these groups, report all suspicious activity to police, and post endorsements of Ring products on social media, then they can get discount codes for Ring products and unspecified Ring "swag." A Ring spokesperson said the program described in the slide presentation was rolled out in 2017, before Ring was acquired by Amazon. They said it was discontinued that same year. "This particular idea was not rolled out widely and was discontinued in 2017," Ring said. "We will continue to invent, iterate, and innovate on behalf of our neighbors while aligning with our three pillars of customer privacy, security, and user control." "Some of these ideas become official programs, and many others never make it past the testing phase," Ring continued, adding that the company "is always exploring new ideas and initiatives."

Epic Hit With Class-Action Suit Over Hacked Fortnite Accounts

Mon, 08/12/2019 - 11:35
Epic Games is being sued over security breaches that allowed hackers to access the personal information of Epic Games accounts. From a report: The class-action lawsuit, filed by Franklin D. Azar & Associates in U.S. District Court in North Carolina, alleges Epic's "failure to maintain adequate security measures and notify users of the security breach in a timely manner." The lawsuit states that "there are more than 100 class members." In January, Epic acknowledged that a bug in Fortnite may have exposed personal information for millions of user accounts.

Getting Cool Vanity License Plate 'NULL' Is Not Really a Cool Idea, Infosec Researcher Discovers

Mon, 08/12/2019 - 10:50
Choosing NULL as your license plate might seem like a funny idea. But as an infosec researcher discovered recently, the cool-looking NULL vanity plate comes with its own consequences. Researcher Droogie, that's his handle, who presented at this year's DEF CON in Las Vegas, said he has been on the receiving end of thousands of dollars worth of tickets that aren't his. From a report: Droogie registered a vanity California license plate consisting solely of the word "NULL" -- which in programming is a term for no specific value -- for fun. And, he admitted to laughs, on the off chance it would confuse automatic license plate readers and the DMV's ticketing system. "I was like, 'I'm the shit,'" he joked to the crowd. "'I'm gonna be invisible.' Instead, I got all the tickets." Things didn't go south immediately. As Droogie explained, he's a cautious driver and didn't get any tickets for the first year he owned the vanity plate. Then he went to reregister his tags online, and, when prompted to input his license plate, broke the DMV webpage. It seemed the DMV site didn't recognize the plate "NULL" as an actual input. That was the first sign that something was amiss. The next sign was, well, a little more serious: After receiving a legitimate parking ticket, thousands of dollars in random tickets started arriving in the mail at his house, addressed to him. It seemed that a privately operated citation processing center had a database of outstanding tickets, and, for some reason -- possibly due to incomplete data on their end -- many of those tickets were assigned to the license plate "NULL." In other words, the processing center was likely trying to tell its systems it didn't know the plates of the offending cars. Instead, with Droogie's vanity plate now in play, it pegged all those outstanding tickets on him. Specifically, over $12,000 worth of outstanding tickets.
Long story short, Droogie went on the painstaking process to explain the situation to the DMV and the LAPD, both of whom advised him to change his plate. At any rate, the DMV reached out to the private vendor and sorted the issue.

Does Quantum Cryptography Need a Reboot?

Sun, 08/11/2019 - 17:39
"Despite decades of research, there's no viable roadmap for how to scale quantum cryptography to secure real-world data and communications for the masses," according to IEEE Spectrum. Wave723 shares their report: A handful of companies now operate or pay for access to networks secured using quantum cryptography in the United States, China, Austria, and Japan. According to a recent industry report, six startups plus Toshiba are leading efforts to provide quantum cryptography to governments, large companies (including banks and financial institutions), and small to medium enterprises. But these early customers may never provide enough demand for these services to scale... From a practical standpoint, then, it doesn't appear that quantum cryptography will be anything more than a physically elaborate and costly -- and, for many applications, largely ignorable -- method of securely delivering cryptographic keys anytime soon. This is in part because traditional cryptography, relying as it does on existing computer networks and hardware, costs very little to implement. Whereas quantum crypto requires an entirely new infrastructure of delicate single-photon detectors and sources, and dedicated fiber optic lines. So its high price tag must be offset by a proven security benefit it could somehow deliver -- a benefit that has remained theoretical at best. Though it was supposed to replace mathematical cryptography, "Math may get the last laugh," the article explains. "An emerging subfield of mathematics with the somewhat misleading name 'post-quantum cryptography' now appears better situated to deliver robust and broadly scalable cryptosystems that could withstand attacks from quantum computers." They quote the security engineer at a New York cybersecurity firm who says quantum cryptography "seems like a solution to a problem that we don't really have." 
The article ends by suggesting that research may ultimately be applicable to quantum computers -- which could then be used to defeat math-based cryptography. But riffing on the article's title, sjames (Slashdot reader #1,099) quips that instead of giving quantum cryptography a reboot, maybe it just needs the boot.

'Who Owns Your Wireless Service? Crooks Do'

Sun, 08/11/2019 - 13:43
Long-time Slashdot reader trolman shared this scathing editorial by security researcher Brian Krebs: If you are somehow under the impression that you -- the customer -- are in control over the security, privacy and integrity of your mobile phone service, think again. And you'd be forgiven if you assumed the major wireless carriers or federal regulators had their hands firmly on the wheel. No, a series of recent court cases and unfortunate developments highlight the sad reality that the wireless industry today has all but ceded control over this vital national resource to cybercriminals, scammers, corrupt employees and plain old corporate greed... Incessantly annoying and fraudulent robocalls. Corrupt wireless company employees taking hundreds of thousands of dollars in bribes to unlock and hijack mobile phone service. Wireless providers selling real-time customer location data, despite repeated promises to the contrary. A noticeable uptick in SIM-swapping attacks that lead to multi-million dollar cyberheists... Is there any hope that lawmakers or regulators will do anything about these persistent problems? Gigi Sohn, a distinguished fellow at the Georgetown Institute for Technology Law and Policy, said the answer -- at least in this administration -- is probably a big "no." "The takeaway here is the complete and total abdication of any oversight of the mobile wireless industry," Sohn told KrebsOnSecurity. "Our enforcement agencies aren't doing anything on these topics right now, and we have a complete and total breakdown of oversight of these incredibly powerful and important companies."

Researchers Find More Than 40 Vulnerable Windows Device Drivers

Sun, 08/11/2019 - 11:34
Artem S. Tashkinov writes: Researchers from security company Eclypsium have discovered that more than forty drivers from at least twenty different vendors -- including every major BIOS vendor, as well as hardware vendors like ASUS, Toshiba, NVIDIA, and Huawei -- include critical vulnerabilities allowing an escalation of privileges to full system level access. Considering how widespread these drivers are, and the fact that they are digitally signed by Microsoft, they allow an attacker to more successfully penetrate target systems and networks, as well as remain hidden. Also, while some of these drivers "are designed to update firmware, the driver is providing not only the necessary privileges, but also the mechanism to make changes," which means the attacker can gain a permanent foothold. Eclypsium has already notified Microsoft about the issues and at least NVIDIA has already released fixed drivers.

DARPA Hopes To Develop an AI Tool That Can Detect Deepfakes

Sun, 08/11/2019 - 07:34
America's Defense Department "is looking to build tools that can quickly detect deepfakes and other manipulated media amid the growing threat of 'large-scale, automated disinformation attacks,'" reports Nextgov: The Defense Advanced Research Projects Agency on Tuesday announced it would host a proposers day for an upcoming initiative focused on curbing the spread of malicious deepfakes, shockingly realistic but forged images, audio and videos generated by artificial intelligence. Under the Semantic Forensics program, or SemaFor, researchers aim to help computers use common sense and logical reasoning to detect manipulated media. As global adversaries enhance their technological capabilities, deepfakes and other advanced disinformation tactics are becoming a top concern for the national security community... Industry has started developing tech that uses statistical methods to determine if a video or image has been manipulated, but existing tools "are quickly becoming insufficient" as manipulation techniques continue to advance, according to DARPA. "Detection techniques that rely on statistical fingerprints can often be fooled with limited additional resources," officials said in a post on FedBizOpps... Beyond simply detecting errors, officials also want the tools to attribute the media to different groups and determine whether the content was manipulated for nefarious purposes. Using that information, the tech would flag posts for human review. "A comprehensive suite of semantic inconsistency detectors would dramatically increase the burden on media falsifiers, requiring the creators of falsified media to get every semantic detail correct, while defenders only need to find one, or a very few, inconsistencies," DARPA officials said. But that's easier said than done. Today, even the most advanced machine intelligence platforms have a tough time understanding the world beyond their training data.

Remember Autorun.inf Malware In Windows? Turns Out KDE Offers Something Similar

Sun, 08/11/2019 - 06:34
Long-time Slashdot reader Artem S. Tashkinov writes: A security researcher has published proof-of-concept (PoC) code for a vulnerability in the KDE software framework. A fix is not available at the time of writing. The bug was discovered by Dominik "zer0pwn" Penner and impacts the KDE Frameworks package 5.60.0 and below. The KDE Frameworks software library is at the base of the KDE desktop environment v4 and v5 (Plasma), currently included with a large number of Linux distributions. The vulnerability occurs because of the way the KDesktopFile class (part of KDE Frameworks) handles .desktop or .directory files. It was discovered that malicious .desktop and .directory files could be created that could be used to run malicious code on a user's computer. When a user opens the KDE file viewer to access the directory where these files are stored, the malicious code contained within the .desktop or .directory files executes without user interaction — such as running the file. Zero user interaction is required to trigger code execution — all you have to do is browse a directory with a malicious file using any of KDE's file system browsing applications, like Dolphin. When ZDNet contacted KDE for a comment Tuesday, their spokesperson provided this response. "We would appreciate if people would contact before releasing an exploit into the public, rather than the other way around, so that we can decide on a timeline together."