Hubi

joined 1 year ago
[–] Hubi@feddit.de 14 points 6 months ago

Same here, it's the reason why I kicked Ubuntu off my laptop. They removed any way to choose and made it such a pain to get around the Snap bullshit. I'm on Linux because I want to choose what I do with my system.

[–] Hubi@feddit.de 23 points 6 months ago (3 children)

Microsoft is the "Linux salesman of the year" because most people switching to Linux do it just because Windows has become so terrible.

[–] Hubi@feddit.de 14 points 6 months ago (2 children)

Do you really want to chat about that with the distilled essence of a million redditors?

[–] Hubi@feddit.de 15 points 7 months ago (2 children)

He doesn't look a day over 110.

[–] Hubi@feddit.de 11 points 7 months ago (2 children)

I genuinely tried to like the second game but the characters were so cringey that I just couldn't make it past the first missions.

[–] Hubi@feddit.de 34 points 7 months ago* (last edited 7 months ago) (9 children)

I had no idea this game still had such an active community. I remember being so disappointed by the wasted potential when it came out and this mod seems to restore the original vision the devs had for the game before Ubisoft forced them to cut corners. Very impressive for a title that did not have official mod support.

 

The malicious changes were submitted by JiaT75, one of the two main xz Utils developers with years of contributions to the project.

“Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system,” an official with distributor OpenWall wrote in an advisory. “Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the ‘fixes’” provided in recent updates. Those updates and fixes can be found here, here, here, and here.

On Thursday, someone using the developer's name took to a developer site for Ubuntu to ask that the backdoored version 5.6.1 be incorporated into production versions because it fixed bugs that caused a tool known as Valgrind to malfunction.

“This could break build scripts and test pipelines that expect specific output from Valgrind in order to pass,” the person warned, from an account that was created the same day.

One of the maintainers for Fedora said Friday that the same developer approached them in recent weeks to ask that Fedora 40, a beta release, incorporate one of the backdoored utility versions.

“We even worked with him to fix the valgrind issue (which it turns out now was caused by the backdoor he had added),” the Ubuntu maintainer said.

He has been part of the xz project for two years, adding all sorts of binary test files, and with this level of sophistication, we would be suspicious of even older versions of xz until proven otherwise.

[–] Hubi@feddit.de 7 points 7 months ago

Looks promising. You rarely see Godot games with graphics like these.

[–] Hubi@feddit.de 3 points 7 months ago

I hated Windows 8 enough to put up with it at the time. It's nuts how much things have improved since then.

[–] Hubi@feddit.de 7 points 7 months ago (1 children)

That looks so much like Bioshock Infinite, it may as well be a direct sequel.

[–] Hubi@feddit.de 26 points 7 months ago (1 children)

Oh yeah, but what does Ja Rule have to say about this?

[–] Hubi@feddit.de 34 points 7 months ago (4 children)

2/2/2024

That article is from February.

[–] Hubi@feddit.de 15 points 7 months ago* (last edited 7 months ago) (22 children)

I feel like the whole thing shouldn't have come down as easy as it did...

Edit: Nevermind, I didn't realize how large this ship actually is.

 
 
 

Ridley Scott has been typically dismissive of critics taking issue with his forthcoming movie Napoleon, particularly French ones.

While his big-screen epic, starring Joaquin Phoenix as the embattled French emperor with Vanessa Kirby as his wife Josephine, has earned the veteran director plaudits in the UK, French critics have been less gushing, with Le Figaro saying the film could have been called “Barbie and Ken under the Empire,” French GQ calling the film “deeply clumsy, unnatural and unintentionally clumsy” and Le Point magazine quoting biographer Patrice Gueniffey calling the film “very anti-French and pro-British.”

Asked by the BBC to respond, Scott replied with customary swagger:

“The French don’t even like themselves. The audience that I showed it to in Paris, they loved it.”

The film’s world premiere took place in the French capital this week.

Scott added he would say to historians questioning the accuracy of his storytelling:

“Were you there? Oh you weren’t there. Then how do you know?”

 

Link for anyone curious:

https://subredditstats.com/r/askreddit

 

I have had numerous cases where a non-Steam game would run perfectly through Steam with Proton but the same game wouldn't even launch through Lutris, even though I used the exact same Proton version. How are they different? Is there anything that Steam does in the background that Lutris won't?

I'd love if anyone could shed some light on this for me.

 
 

A Russian naval ship has been damaged in a Ukrainian naval drone attack in the Black Sea, Ukrainian sources say.

The assault is reported to have happened near the Russian port of Novorossiysk, which is a major hub for Russian exports.

Russia's defence ministry said it had repelled a Ukrainian attack with two sea drones on its naval base there.

But Ukrainian security service sources say the Olenegorsky Gornyak was hit and suffered a serious breach.

They told the BBC a sea drone was carrying 450kg (992lb) of dynamite when it hit the ship.

Russia made no mention of any damage in its report of the incident.

A video sent to the BBC by a source with Ukraine's security service appears to show the drone approaching a ship thought to be the Olenegorsky Gornyak.

The footage shows a vessel travelling right up to the side of a ship before the feed cuts out, apparently on impact.

Another unverified video is thought to show the ship listing to one side.

Ukraine has not officially claimed responsibility for the attack.

The Novorossiysk port temporarily suspended any movement of ships following the assault, according to the Caspian Pipeline Consortium, which loads oil on to tankers at the port.

Sea drones are small, unmanned vessels which operate on or below the water's surface.

 

Hackers are using open source software that’s popular with video game cheaters to allow their Windows-based malware to bypass restrictions Microsoft put in place to prevent such infections from occurring.

The software comes in the form of two software tools that are available on GitHub. Cheaters use them to digitally sign malicious system drivers so they can modify video games in ways that give the player an unfair advantage. The drivers clear the considerable hurdle required for the cheat code to run inside the Windows kernel, the fortified layer of the operating system reserved for the most critical and sensitive functions.

Researchers from Cisco’s Talos security team said Tuesday that multiple Chinese-speaking threat groups have repurposed the tools—one called HookSignTool and the other FuckCertVerifyTimeValidity. Instead of using the kernel access for cheating, the threat actors use it to give their malware capabilities it wouldn’t otherwise have.

A new way to bypass Windows driver restrictions

“During our research we identified threat actors leveraging HookSignTool and FuckCertVerifyTimeValidity, signature timestamp forging tools that have been publicly available since 2019 and 2018 respectively, to deploy these malicious drivers,” the researchers wrote. “While they have gained popularity within the game cheat development community, we have observed the use of these tools on malicious Windows drivers unrelated to game cheats.”

With the debut of Windows Vista, Microsoft enacted strict new restrictions on the loading of system drivers that can run in kernel mode. The drivers are critical for devices to work with antivirus software, printers, and other kinds of software and peripherals, but they have long been a convenient inroad for hackers to run malware in kernel mode. These inroads are available to hackers post-exploit, meaning once they've already gained administrative privileges on a targeted machine.

While attackers who gain such privileges can steal passwords and take other liberties, their malware typically must run in the Windows kernel to perform a large number of more advanced tasks. Under the policy put in place with Vista, all such drivers can be loaded only after they’ve been approved in advance by Microsoft and then digitally signed by a trusted certificate authority to verify they are safe.

Malware developers with admin privileges already had one well-known way to easily bypass the driver restrictions. The technique is known as “bring your own vulnerable driver.” It works by loading a publicly available third-party driver that has already been signed and later is found to contain a vulnerability allowing system takeover. The hackers install the driver post exploit and then exploit the driver vulnerability to inject their malware into the Windows kernel.

Although the technique has existed for more than a decade, Microsoft has yet to devise working defenses and has yet to provide any actionable guidance on mitigating the threat despite one of its executives publicly lauding the efficacy of Windows to defend against it.

The technique Talos has discovered represents a new way to bypass Windows driver restrictions. It exploits a loophole that has existed since the start of the policy that grandfathers in older drivers even when they haven’t been reviewed for safety by Microsoft. The exception, designed to ensure older software was still able to run on Windows systems, is triggered when a driver is signed by a Windows-trusted certificate authority prior to July 29, 2015.

“If a driver is successfully signed this way, it will not be prevented from being installed and started as a service,” Tuesday’s Talos post explained. “As a result, multiple open source tools have been developed to exploit this loophole. This is a known technique though often overlooked despite posing a serious threat to Windows systems and being relatively easy to perform due in part to the tooling being publicly available.”
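The grandfathering exception described in the post above can be turned into a defender's triage rule. The following is an added example, not code from the post, the quoted article or Talos; the inventory schema, field names, verdict labels and sample records are assumptions, and it assumes the exception is keyed on the signing certificate's validity start date.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Cutoff named in the article: drivers signed by a Windows-trusted CA
# before this date are grandfathered in without Microsoft review.
CUTOFF = utc(2015, 7, 29)

@dataclass
class DriverRecord:            # hypothetical inventory schema (assumption)
    path: str
    ms_reviewed: bool          # carries a Microsoft-issued signature
    cert_not_before: datetime  # signing certificate validity start
    cert_not_after: datetime   # signing certificate validity end
    pe_compiled: datetime      # PE header TimeDateStamp

def triage(rec: DriverRecord) -> str:
    """Classify one driver against the grandfathering rule."""
    if rec.ms_reviewed:
        return "reviewed"
    if rec.cert_not_before >= CUTOFF:
        # Certificate is too new for the exception, so the policy
        # requires Microsoft approval that this driver lacks.
        return "not-grandfathered"
    if rec.pe_compiled > rec.cert_not_after:
        # Built after the certificate expired: a valid-looking signature
        # needs a backdated timestamp. PE timestamps can be altered too,
        # so a clean result here is not proof of a genuine legacy driver.
        return "suspect-backdated"
    return "legacy-exception"

# Constructed sample records, not real drivers.
SAMPLE = [
    DriverRecord(r"C:\Windows\System32\drivers\vendor_new.sys", True,
                 utc(2022, 1, 10), utc(2023, 1, 10), utc(2022, 6, 1)),
    DriverRecord(r"C:\Windows\System32\drivers\old_printer.sys", False,
                 utc(2012, 3, 1), utc(2014, 3, 1), utc(2013, 5, 20)),
    DriverRecord(r"C:\Users\Public\helper.sys", False,
                 utc(2012, 3, 1), utc(2014, 3, 1), utc(2023, 2, 14)),
    DriverRecord(r"C:\Temp\late.sys", False,
                 utc(2019, 4, 1), utc(2021, 4, 1), utc(2020, 8, 8)),
]

def report(records):
    """Map each driver path to its triage verdict."""
    return {r.path: triage(r) for r in records}
```

Drivers that land in `legacy-exception` still load without Microsoft review, so they are worth checking against a known-good baseline rather than treating as cleared.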
