
Bug

Avira Premium Anti-Virus Bug Disables Windows Machines 145

Posted by timothy
from the malware-writers-have-won dept.
New submitter Adesso writes "Anti-virus vendor Avira is having difficulty with an update of all their Premium customers. An update that has been downloaded over 70 million times is causing the 32-bit version of Windows to block almost all critical applications. Avira has responded promptly with an interim solution for this problem. In most cases this causes Windows to not boot properly."
Privacy

Kickstarter Leaves Project Ideas Exposed 56

Posted by Soulskill
from the i-just-had-70,000-great-ideas dept.
netbuzz writes "Crowd-funding startup Kickstarter is taking a public-relations hit today after it was reported that some 70,000 not-yet-public project ideas were left exposed on the company's Web site for more than two weeks. Kickstarter insists that no financial information was compromised and that only a few dozen of the projects were actually accessed. 'Obviously our users' data is incredibly important to us,' the company said in a blog post. 'Even though limited information was made accessible through this bug, it is completely unacceptable.'"
Java

Why You Can't Dump Java (Even Though You Want To) 402

Posted by Soulskill
from the i-think-the-EPA-frowns-on-that dept.
snydeq writes "Since so many recent exploits have used Java as their attack vector, you might conclude Java should be shown the exit, but the reality is that Java is not the problem, writes Security Advisor's Roger Grimes. 'Sure, I could opt not to use those Java-enabled services or install Java and uninstall when I'm finished. But the core problem isn't necessarily Java's exploitability; nearly all software is exploitable. It's unpatched Java. Few successful Java-related attacks are related to zero-day exploits. Almost all are related to Java security bugs that have been patched for months (or longer),' Grimes writes. 'The bottom line is that we aren't addressing the real problems. It isn't a security bug here and there in a particular piece of software; that's a problem we'll never get rid of. Instead, we allow almost all cyber criminals to get away with their Internet crime without any penalty. They almost never get caught and punished. Until we solve the problem of accountability, we will never get rid of the underlying problem.'"
Bug

Apple Security Blunder Exposes Lion Login Passwords In Clear Text 205

Posted by samzenpus
from the whoops dept.
An anonymous reader writes "An Apple programmer, apparently by accident, left a debug flag open in the most recent version of its Mac OS X operating system. In specific configurations, applying the OS X Lion update 10.7.3 turns on a system-wide debug log file that contains the login passwords of every user who has logged in since the update was applied. The passwords are stored in clear text."
Bug

Recently Exposed PHP Hole's Official Fix Ineffective 240

Posted by timothy
from the considered-busted dept.
wiredmikey writes "On Wednesday, a remote code execution vulnerability in PHP was accidentally exposed to the Web, prompting fears that it may be used to target vulnerable websites on a massive scale. The bug itself was traced back to 2004, and came to light during a recent CTF competition. 'When PHP is used in a CGI-based setup (such as Apache's mod_cgid), the php-cgi receives a processed query string parameter as command line arguments which allows command-line switches, such as -s, -d or -c to be passed to the php-cgi binary, which can be exploited to disclose source code and obtain arbitrary code execution,' a CERT advisory explains. PHP developers pushed a fix for the flaw, resulting in the release of PHP 5.3.12 and 5.4.2, but as it turns out it didn't actually remove the vulnerability."
Operating Systems

Bug Busters! OpenBSD 5.1 Released 135

Posted by Soulskill
from the something-free-in-your-neighborhood dept.
An anonymous reader writes "Today the 5.1 release of OpenBSD has surfaced. As usual, it includes improved hardware support, but also OpenSSH 6.0 and over 7000 ports, with major performance and stability improvements in the package build process (and some really cool stickers). Here's the changelog, the download page, and the CD-ordering page."
Book Reviews

Book Review: Drupal Intranets With Open Atrium 25

Posted by samzenpus
from the read-all-about-it dept.
New submitter nuvoleweb writes "Drupal Intranets with Open Atrium, by Tracy Charles Smith is a comprehensive guide to Open Atrium, the popular open source Intranet system. Open Atrium is a derivative (distribution) of Drupal specifically meant for group collaboration, and the author works in the Open Atrium core team at Phase2 Technology." Read below for the rest of Andrea's review.
Medicine

Monkeypox Scare Grounds Flight In Chicago 109

Posted by timothy
from the when-that's-the-good-news dept.
Hugh Pickens writes "AP reports that when a Delta Airlines flight touched down at Midway International Airport in Chicago, the passengers looked out the window to see the jet surrounded by fire trucks, police cars and ambulances. Health officials came through the door wearing facemasks and other protective gear. As it turns out, the bedbugs that infest hotels appear to be the source of red marks on a 50-year-old Minnesota woman that prompted health officials to quarantine the jet for fear they were dealing with something much more serious: monkeypox. Lise Sievers called her mother during a layover in Detroit and told her that one of the children she visited and is trying to adopt in Uganda had some pus-filled red bumps and also mentioned she had some small bumps of her own, a rash that she suspected was the handiwork of bedbugs. Those two very different bumps — one with pus, one without — got jumbled up in Sievers' mother's mind, and she called a hospital near her Indiana home to ask about treatment for her daughter. 'She told them her daughter is on a flight back from Uganda and has some red bumps which are pussing and what should she do to treat them,' says Roger Sievers. 'She was looking for some general advice.' Health officials feared they were looking for monkeypox, a rare and sometimes fatal disease mostly found in central and western Africa. After the passengers waited on the plane for a couple of hours, officials brought good news. 'They came back down and told my mom it was bed bug bites and they started releasing people.'"
Bug

Microsoft Patches Major Hotmail 0-day Flaw After Widespread Exploitation 88

Posted by Soulskill
from the barn-doors-and-horses dept.
suraj.sun writes "Microsoft quietly fixed a flaw in Hotmail's password reset system that allowed anyone to reset the password of any Hotmail account last Friday. The company was notified of the flaw by researchers at Vulnerability Lab on April 20th and responded with a fix within hours — but not until after widespread attacks, with the bug apparently spreading 'like wild fire' in the hacking community. Hotmail's password reset system uses a token system to ensure that only the account holder can reset their password — a link with the token is sent to an account linked to the Hotmail account — and clicking the link lets the account owner reset their password. However, the validation of these tokens isn't handled properly by Hotmail, allowing attackers to reset passwords of any account. Initially hackers were offering to crack accounts for $20 a throw. However, the technique became publicly known and started to spread rapidly with Web and YouTube tutorials showing the technique popping up across the Arabic-speaking Internet."
Security

Backdoor Found In Arcadyan-based Wi-Fi Routers 59

Posted by timothy
from the no-auth-cat dept.
Mojo66 writes "A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore. According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. (Google translation, original here.) What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN ("12345670") is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected."
Google

Bug Bounty Hunters Weigh In On Google's Vulnerability Reporting Program 24

Posted by samzenpus
from the professional-swatter dept.
An anonymous reader writes "InfoWorld reached out to three security researchers who participate in Google's vulnerability reporting program, through which the company now offers as much as $20,000 for bug reports. They provided some insightful perspectives on what Google (and other companies, such as Mozilla) are doing right in paying bounties on bugs, as well as where there's some room for improvement."
Firefox

Firefox 12 Released — Introduces Silent, Chrome-like Updater 411

Posted by Soulskill
from the grandma-will-never-know-the-difference dept.
MrSeb writes "Firefox 12 has been officially released, with only one major new feature: A silent, background updater. Now you will have to approve the Firefox Software Updater when you first install Firefox, but after that the browser will update silently — just like Chrome. In other news, the Find feature now reliably centers the page on any matches — hooray!" Here are the release notes, the list of bug fixes, and the download page.
Bug

Dot-Word TLDs Further Delayed 86

Posted by Unknown Lamer
from the dns-fiefdoms dept.
benfrog writes "The security bug that has been stalling the 'dot-word TLD land grab' might be fixed, but ICANN says it needs another week 'to sift through its mountains of TAS logs, in order to figure out which applicants' data was visible to which other applicants.' Needless to say, some are less than thrilled about the further delay."
Google

Google Ups Bug Bounty To $20,000 53

Posted by Unknown Lamer
from the security-through-cash dept.
Trailrunner7 writes, quoting Threatpost: "Search giant Google said it is quintupling the top bounty it will pay for information on security holes in its products to $20,000. Google said it was updating its rewards and rules for the bounty program, which is celebrating its first anniversary. In addition to a top prize of $20,000 for vulnerabilities that allow code to be executed on product systems, Google said it would pay $10,000 for SQL injection and equivalent vulnerabilities in its services and for certain vulnerabilities that leak information or allow attackers to bypass authentication or authorization features."
The Internet

System For Applications For New gTLDs Still Down 28

Posted by samzenpus
from the be-back-soon dept.
itwbennett writes "After almost a week the ICANN system for applications for new generic top-level domains (gTLDs) is still down, and it is unclear when it will reopen, although ICANN said it would provide an update by Friday, according to an IDG News Service report. The system was taken offline after a software glitch was found that 'resulted in some users being able to see some other users' file names and user names.'"
Bug

Documentation As a Bug-Finding Tool 188

Posted by Soulskill
from the //-this-is-where-i-forgot-a-parenthesis dept.
New submitter Sekrimo writes "This article discusses an interesting advantage to writing documentation. While the author acknowledges that developers often write documentation so that others may better understand their code, he claims documenting can also be a useful way to find bugs before they ever become an issue. Taking the time to write this documentation helps to ensure that you've thought through every aspect of your program fully, and cleared up any issues that may arise."
Government

ICANN Extends New Domain Deadline Because of Bug 41

Posted by samzenpus
from the can-I-get-an-extension dept.
judgecorp writes "ICANN has extended the deadline for applications for new generic top level domains until Friday 20th April. ICANN says it observed 'unusual behavior' in the system, which has now been fixed, but has extended the deadline to make sure everyone (with $185,000) gets a chance. From the article: 'ICANN’s technical staff have been working on a fix to a problem with the TLD Application System (TAS) but it was now working again, an ICANN spokesman in Europe told TechWeekEurope. “I don’t yet have all the details, but here is what I do know,” Brad White, ICANN’s director of media affairs told TechWeekEurope. “There was not a cyber-attack of any type.”'"
Windows

Nokia 900 Being Given Away Due To Software Glitch 206

Posted by samzenpus
from the get-your-free-broken-phone dept.
joemite writes "On early Wednesday, Nokia said it had found a software bug in the new Lumia 900 smartphone, its big hope to take on Apple's iPhone, and was effectively giving the model away until it is fixed. It is offering anyone who has bought a Lumia 900 phone, or who buys one by April 21, a $100 US credit to their AT&T bill. The operator sells the phone for $99.99 with a two-year contract. Both Microsoft and Nokia still have big hopes for this phone. The bug apparently causes a random data connection drop. Nokia plans to push a patch to the phone later in April."
Slashdot.org

Slashdot Coming Attractions 410

Posted by samzenpus
from the what-we've-done-and-what-we're-going-to-do dept.
We've been busy at Slashdot. As you have probably noticed, we've added a couple of new Slashboxes recently:
  • Most Discussed: Highlighting recent stories with the most active discussions
  • This Day on Slashdot: Featuring the biggest Slashdot stories of the day all the way back to the beginning.

We also pushed through a number of fixes to the user experience and upgrades to the site infrastructure in recent months including:

  • Upgrading Slashdot to modern hardware and new versions of MySQL and Apache
  • Cleaning up the topics pages
  • Improving methods for sharing submissions
  • Thumbnails for articles with videos
  • Flag-a-comment abuse reporting
  • Removal of old and unused Slashboxes
  • A much overdue overhauling of the FAQ
  • Fixes to user preferences
  • The launch of the Slashdot Hall of Fame (that little badge icon next to the logo)
  • Fixes to the D2 comment system. Highlights include bug fixes to the comment score slider, a better abbreviated view (if you quote the parent, that's removed so people can see your first sentence instead), and general reliability improvements to the AJAX magic
  • And many more...

In addition, we're working on modules to highlight top submissions and we've launched Slashdot TV at http://tv.slashdot.org/ . We plan on launching more in the weeks to come. Some of these new sections will feature original content that isn't normally run on the front page. We're also planning a new mobile experience and we'll need your feedback to help us with the look and usability. Our goal through all these changes is to make your Slashdot experience a good one. We are listening to your complaints and concerns and promise to keep giving you News for Nerds and Stuff that Matters.

So, readers, what do you want to see in the coming months?
