Zoom’s latest update on Mac includes a fix for a dangerous security flaw

Zoom has issued a patch for a bug on macOS that could allow a hacker to take control of a user’s operating system (via MacRumors). In an update on its security bulletin, Zoom acknowledges the issue (CVE-2022-28756) and says a fix is included in version 5.11.5 of the app on Mac, which you can (and should) download now.

Patrick Wardle, a security researcher and founder of the Objective-See Foundation, a nonprofit that creates open-source macOS security tools, first uncovered the flaw and presented it at the Def Con hacking conference last week. My colleague, Corin Faife, attended the event and reported on Wardle’s findings.

As Corin explains, the exploit targets the Zoom installer, which requires special user permissions to run. By leveraging this tool, Wardle found that hackers could essentially “trick” Zoom into installing a malicious program by putting Zoom’s cryptographic signature on the package. From here, attackers can then gain further access to a user’s system, letting them modify, delete, or add files on the device.

“Mahalos to Zoom for the (incredibly) quick fix!” Wardle said in response to Zoom’s update. “Reversing the patch, we see the Zoom installer now invokes lchown to update the permissions of the update .pkg, thus preventing malicious subversion.”
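An added example, not Zoom's or Wardle's code: a defender-side check in Python for the property the patch described above enforces, namely that a staged update package is owned by the privileged account and cannot be rewritten by another user before the installer consumes it. The function name, the `trusted_uid` parameter, and the sample files are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_staged_package(path, trusted_uid=0):
    """Return the reasons a privileged installer should refuse `path`.

    An empty list means no finding. `trusted_uid` is the account that must
    own the package (0 for root); it is a parameter so the check can be
    exercised without root. Hypothetical helper, not a Zoom or macOS API.
    """
    st = os.lstat(path)  # lstat inspects the entry itself, never a link target
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file"]

    findings = []
    if st.st_uid != trusted_uid:
        findings.append(f"owner uid {st.st_uid} is not trusted uid {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")

    # Whoever can write to the directory can swap the file after it is checked.
    parent = os.lstat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != trusted_uid:
        findings.append(f"parent directory owner uid {parent.st_uid} is not trusted")
    loose = parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
    if loose and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory writable by group or others")
    return findings


def demo():
    """Audit constructed sample files; the current user stands in for root."""
    me = os.getuid()
    staging = tempfile.mkdtemp()
    os.chmod(staging, 0o700)
    pkg = os.path.join(staging, "update.pkg")  # constructed sample file
    with open(pkg, "wb") as handle:
        handle.write(b"constructed sample, not a real package")

    results = {}
    os.chmod(pkg, 0o644)
    results["tight"] = audit_staged_package(pkg, trusted_uid=me)
    os.chmod(pkg, 0o666)
    results["loose"] = audit_staged_package(pkg, trusted_uid=me)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "no findings")
```

Run with the default `trusted_uid=0` against a real staging path to see whether a package is root-owned before a root process touches it.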

You can install the 5.11.5 update on Zoom by first opening the app on your Mac and hitting (this might be different depending on what country you’re in) from the menu bar at the top of your screen. Then, select Check for updates, and if one’s available, Zoom will display a window with the latest app version, along with details about what’s changing. From here, select Update to begin the download.

Repost: Original Source and Author Link


Don’t wait to install the June Windows update — it fixes the Follina security flaw

Microsoft has patched a Windows vulnerability that hackers are actively exploiting. If you own a system that uses Windows 7 and up, you’ll want to update your computer as soon as possible (via Bleeping Computer).

The security flaw, called Follina (CVE-2022-30190) by researchers, lets bad actors hijack users’ computers through programs like Microsoft Word. Security researchers have been aware of the threat since late May, but Microsoft reportedly dismissed their initial findings.

In an attack documented by security company Proofpoint, hackers associated with the Chinese government sent malicious Word documents to Tibetan recipients. When opened, these documents use the Follina exploit to take control of the Microsoft Support Diagnostic Tool (MSDT) to execute commands that could be used to install programs, create new user accounts, and access, delete, or change data stored on a computer. The exploit has also been used in phishing campaigns targeting American and European government agencies.

Microsoft’s original warning about the threat offered workarounds to protect against it, but this update (KB5014699 for Windows 10 and KB5014697 for Windows 11) should eliminate the need for them. “Microsoft strongly recommends that customers install the updates to be fully protected from the vulnerability,” Microsoft says. “Customers whose systems are configured to receive automatic updates do not need to take any further action.”



Halo Infinite’s Multiplayer Has One Giant (Well, Tiny) Flaw

Over the past two years, my eyesight has taken a nosedive. Maybe it’s just the natural side effects of being in your 30s. Or perhaps over a year of staring at screens with no break during lockdown was, in fact, bad for me. Regardless of the reason, my once pristine vision is gone and I’m now nearsighted.

That’s made me more acutely aware of the gaming industry’s love of minuscule text, HUD elements, and other user interface considerations. I’m lucky in that I can just put on a pair of glasses when something on screen is too small for me to see, but others, like partially blind players, don’t have that option. They’re at the mercy of a game’s accessibility options, which don’t always account for every problem.

That’s my primary concern when I play Halo Infinite’s multiplayer. The beta’s current UI is nothing short of a nightmare for those who already have difficulty seeing games. While features like a lack of mode-specific playlists and a weak battle pass are drawing the most criticism at the moment, added accessibility tools should be the game’s primary concern.

A (big) tiny problem

There’s a lot happening on screen during a Halo Infinite match. You have radar, a health bar, equipment information, a score bar, a kill feed, and tips that pop up on screen when you die. That’s all pretty standard for a shooter these days, but it can create a difficult balancing act. Developers want players to be as immersed in the game itself as possible, which often means shrinking or minimizing HUD elements to allot more screen time to the action. In fact, Halo Infinite’s UI menu allows players to turn off the HUD entirely.

What it doesn’t allow me to do, as far as I can tell, is increase the size of anything outside of some text or menu font size. That solves a few problems, but I still find myself squinting at key moments, even with glasses on.

To the game’s credit, developer 343 has included an impressive suite of accessibility options outside of that. Players can turn down the opacity on screen elements, which is a big help, or disable confusing visual ticks like speed lines that appear while dashing. I applaud the work that’s gone into both audio and visual accessibility overall, though that makes the limited UI scaling all the more puzzling to me.

I’ve essentially given up on using the dime-sized radar entirely. I generally never know what gadgets I have equipped or how much ammo I have. It’s not just the persistent HUD elements that are presenting challenges for me. In the game’s Stockpile mode, a tiny white symbol marks where power cells are on the map. In my first round, I could not see the symbols. They kept getting lost in off-white rocks, forcing me to bug my friends about what I should even be looking for during an entire round.

Halo Infinite UI during a multiplayer game.

I wasn’t the only one who had complaints during my first six hours with the game. Everyone I partied up with voiced similar confusion. Some teammates were confused about how to pick up weapons, not noticing the sliver of semitransparent text on the screen. They’d frequently be shocked when a game ended, simply not noticing what the score was despite it being pinned to the bottom of the screen. I thought the problem may be less noticeable close up to a big monitor, but a colleague playing on PC noted many of the same challenges when we played together. I shudder to think what the game will look like when it comes to the Steam Deck or phones via Microsoft’s cloud gaming service.

Puzzling decisions

Not every issue is about size. Halo Infinite makes a whole bunch of puzzling UI decisions. Equipment menus are laid out as a battle pass-like rail that has to be scrolled through. In-game subtitles butt right up against the score bar, rather than using the wide open space above or below it. Weirdest of all, the game allows players to choose their armor color, which means that you might see an enemy in friendly blue armor instead of red. The game’s solution is to add a (too) subtle outline around characters.

A player fired a gun in Halo Infinite.

There’s a saying in the accessibility community that has stuck with me over the years: “Accessible design is just good design.” Halo Infinite is facing a visual literacy issue at present that doesn’t just affect those with impaired vision. It’s simply hard to read visual information on screen unless you’re playing on a gigantic monitor. Not everyone will have that problem, and it’ll decrease as people get comfortable with the game’s language, but there’s no downside to letting players scale things up. It’s not giving anyone an advantage; it’s letting them see crucial information.

I have no doubt that more size adjustments will be available in the future. Microsoft is leading the charge on accessibility in gaming, as seen with games like Forza Horizon 5. Even Halo Infinite goes above and beyond most modern games with its suite of tools. Still, small text and UI are a persistent problem in lots of games, and one that only becomes worse as tech allows us to play games on any screen.

Let’s hope this is one of the reasons Microsoft is labeling the surprise launch a “beta.”



Another day, another WD security flaw

After a security vulnerability led to some WD NAS owners having their data wiped, a new vulnerability has been discovered in more of WD’s devices (via KrebsOnSecurity). The vulnerability, discovered by security researchers Pedro Ribeiro and Radek Domanski, is seemingly present on Cloud OS 3 devices and not on the newer Cloud OS 5, which WD recently released as an update. The problem is that, according to Ribeiro and Domanski, many of WD’s users don’t like the new version. That’s because it’s missing certain functions and features that were available in Cloud OS 3. WD has said it won’t be updating Cloud OS 3 with security patches.

There’s also the possibility that some users won’t be able to upgrade to Cloud OS 5. According to WD’s supported devices page, the updated software isn’t available for the MyCloud EX2, EX4, or certain versions of the My Cloud and My Cloud Mirror.

If you own a device that can’t be updated to Cloud OS 5, WD’s advice is to upgrade to one that can. The other option, according to a statement WD gave to Comparitech last year, is to turn off remote dashboard access to the device.

The researchers found that they could get into a Cloud OS 3 device by remotely updating it with modified firmware. The firmware update functionality is meant to be accessible only to authenticated users, but they were able to get around that because the NAS seemingly has a user on it with a blank password, which they were able to use to authenticate in some cases.

Their version of the exploit allows them to carry out commands on the NAS, but other versions could be used for any number of nefarious purposes. Also, because the hack exploits the firmware update function, a hacker could purposefully or even accidentally brick the device. The researchers have built their own custom security patch, but it has to be re-applied to the device every time it reboots. You can see more details about it in a video they made explaining the exploit.

While the vulnerability found by the researchers seems especially egregious, it may not be the only one out there — WD’s post recommending people upgrade to Cloud OS 5 says that it defends against entire classes of attacks. With that in mind, if you own a device that can’t run the new OS, it’s probably time to think about an upgrade, either to one of WD’s new devices, or to another NAS option.



Google Chrome Update Needed to Avoid Nasty Security Flaw

Google released an update to its Chrome browser for Windows and Mac users, and the internet giant strongly recommends that users apply the update as soon as possible. The update contains 14 security fixes — including a zero-day security flaw — that if left unchecked would leave the system vulnerable to attacks. Google categorized these fixes as critical, high, and medium importance.

Windows and Mac users who also surf the internet with the Chrome browser will want to make sure that they’re on version 91.0.4472.101. To make sure that you’re on the latest build of Chrome, launch your browser and then click on the three dots stacked vertically at the top right. Navigate to Settings, and then click About Chrome. From there, you’ll be able to view the Chrome version number, and you can update the browser if it wasn’t automatically updated in the background.

If you don’t immediately update your browser, Google should be pushing out the update to users in the coming days or weeks, the company stated on its blog.

One of the security vulnerabilities that was listed — CVE-2021-30551 — is related to a flaw in Windows 10 that Microsoft had recently patched with its newest OS update.

“Chrome in-the-wild vulnerability CVE-2021-30551 patched today was also from the same actor and targeting,” Google Director of Software Engineering Shane Huntley wrote in a Twitter post, referencing that attackers who exploited that vulnerability also took advantage of the vulnerability from CVE-2021-33742. In its release note of the latest Chrome update, Google described the CVE-2021-30551 vulnerability as a “type confusion in V8,” which was reported by Clement Lecigne of Google’s Threat Analysis Group and Sergei Glazunov of Google Project Zero.

The vulnerability was initially discovered on June 4, Google stated, noting that the company “is aware that an exploit for CVE-2021-30551 exists in the wild.” Chrome relies on the JavaScript-based V8 rendering engine for its browser, and that engine is also common to competing browsers based on the Chromium project, including Microsoft’s Edge.

Even if you’re not on Google Chrome, you’ll want to ensure that you’re running the latest release from the browser of your choice. Most browsers that use Chromium for rendering will also list the Chromium version number, and users should diligently check to see if a patch is available for their browser of choice. If you’re using Microsoft Edge, for example, you’ll want to launch your browser, and navigate to the About page. There, you’ll find the browser version number along with an option to update to the latest version if you’re not on the most current release. Similar procedures can be followed for Opera, Brave, and others that are based on Chromium.

According to Bleeping Computer, this is the sixth zero-day exploit for Chrome in 2021.


WhatsApp ‘flaw’ lets anyone lock you out of the app — but it’s complicated

A new loophole in WhatsApp’s authentication system allows an attacker to lock you out of the app, or in other words, deactivate your account. This sounds scary if you use the app frequently, but it’s worth noting the process to pull this off is fairly complicated and takes about 36 hours to execute.

Earlier this week, security researchers Luis Márquez Carpintero and Ernesto Canales Pereña shared their discovery of this flaw through an article in Forbes. Here’s how it works:

  • After installing WhatsApp, the attacker tries to log in through your number by requesting authentication codes.
  • WhatsApp blocks sending codes for 12 hours after a certain number of attempts.
  • Meanwhile, the attacker sets up a new email and sends “a lost/stolen phone request” to WhatsApp support to deactivate your account.
  • WhatsApp support doesn’t really verify whether the email address is associated with your account, so it locks you out of the app.
  • After this, the attacker has to repeat the 12-hour cycle twice.
  • At the end of these three cycles, both you and the attacker will see a “Try again after -1 seconds.” message while trying to log in through your number.
  • Now, you’ll have to contact WhatsApp support to recover this account.

This whole rigmarole sounds cumbersome, like way too much work for an attacker to go through simply to lock you out of your account. No data or money is extracted this way.

But the worrying part is that there’s no mechanism — like receiving an OTP — in WhatsApp support that asks you to verify yourself as the owner of your account. Plus, this method is successful in locking you out even if you’ve set up two-factor authentication.

WhatsApp said in a statement that “providing an email address with your two-step verification helps our customer service team assist people should they ever encounter this unlikely problem.”

To do that, head to Account > Two-step verification, and after entering the secure PIN, you can provide an email ID to recover it. But you might still have to email WhatsApp support if you’re locked out. Bummer.



Acer Swift 7 (July 2019) review: The ultimate thin-and-light laptop’s flaw is still performance

Acer’s Swift 7 (July 2019) 14-inch laptop still represents the pinnacle of the thin-and-light PC movement. Amazingly, this breathtakingly slim notebook PC is significantly lighter than its predecessor, while solving many of the usability issues which detracted from Acer’s previous Swift 7.

That laptop was frankly unpleasant to work on, with an average keyboard, a touchpad without click capabilities, and an absence of Thunderbolt ports—though the latter is admittedly still more of a spec we expect rather than one many peripherals take advantage of. Our updated Swift 7 (July 2019) review reflects how Acer solved those problems, though others remain: a poor webcam, mediocre performance, and a somewhat worrying amount of heat. That won’t altogether dull the sheer gasp of amazement that occurs when you first lift this sliver of a laptop out of its box.

[Image: Acer Swift 7 (July 2019), outdoors. Credit: Mark Hachman / IDG]

Acer Swift 7 (July 2019) basic specs

Think of Acer’s Swift 7 as a tablet with an embedded keyboard and an attached display, and you’ll better understand its strengths and weaknesses. The processor inside is a Y-series Intel Core processor for tablets, as opposed to the more traditional U-series chip. We like the addition of Thunderbolt 3 capabilities to the USB-C ports, compared to the previous Swift 7. Even better, the available SSD storage and memory have doubled.

It’s all wrapped up in a package that’s somehow more than a half-pound lighter than its predecessor, at 1.84 pounds. Even the device that kicked off the thin-and-light craze, Apple’s 13.3-inch MacBook Air, looks bloated by comparison, at 2.75 pounds. Bravo!

The thin-and-light PC

Acer’s goal for the Swift 7—build the thinnest, lightest laptop you can—remains unchanged. It slips effortlessly into a backpack or the faux-leather sleeve that Acer ships with the laptop. At less than two pounds, its weight is barely noticeable, and the July 2019 edition shaved 0.7 pounds from its predecessor! Engineering this truly thin-and-light PC deserves applause, and its feathery weight is by far the top reason to consider buying it. 

As our recent review of the Dell Latitude 7400 2-in-1 showed, however, such an aggressive design goal can influence many aspects. A case in point: Acer designed the Swift 7 (July 2019) without fans. Every bit of heat its components generate is conducted through heat pipes to the outside of the chassis, raising the external temperature to slightly alarming levels. We talk more about this in our performance evaluation.  

In general, we absolutely think a lighter laptop is a better laptop. We care far less about how thin it actually is, however, as it begs the question: Is a thin laptop a flimsy laptop? The Swift 7 (July 2019) responds: Yes and no.

[Image: Acer Swift 7 (July 2019), z-height comparison. Credit: Mark Hachman / IDG]

The Acer Swift 7 (July 2019) is about as thin as the Google Pixel 3 smartphone (right).

Positioned correctly, with its four rubber feet flat against a desk, I noticed no flex in the Swift 7’s keyboard. Acer engineered the Swift 7 using a combination of magnesium-lithium and magnesium-aluminum alloys, which contributes to its lightness without detracting from its structural integrity. I sometimes work with a laptop perched on a keyboard drawer, however, which has a small ridge at the end. There, I noticed some flex when resting a hand on the palm rest. In general, however, I found nothing to complain about in the Swift 7’s construction.


Nokia X20 and X10 bring affordable 5G without the Android update flaw

HMD Global has revealed its latest Nokia Android phones, including 5G connectivity at roughly $360 prices, and longer update commitments than most low-cost devices deliver. The new Nokia X20 and X10, Nokia G20 and G10, and Nokia C20 and C10 collectively make up HMD’s biggest single Nokia launch in one go, while a new MVNO will throw in service too.

Nokia X20 and X10

High-end models of the new range, both the X20 and X10 use Qualcomm’s Snapdragon 480 5G platform. Announced back in January, it’s the first of the 400-series to offer 5G Sub-6 GHz. What’s notable here is that, while we’ve seen affordable Android phones before – and even a few with 5G – HMD Global is trying to make sure that the software lasts as long as the hardware, with a new OS update commitment.

Both phones run Android 11 using the Android One interface, with a 6.67-inch Full HD+ screen. The X10 has a 48-megapixel quad camera, while the X20 has a 64-megapixel camera plus a 32-megapixel front camera. With Dual Sight, it can activate them simultaneously. Both phones should manage two days of battery life, HMD says.

The Nokia X20 will be priced from 349 euro ($405) with 6GB memory / 128GB storage, with a more expensive 8GB/128GB version available. The X10, meanwhile, will be offered in 6/64GB, 6/128GB, and 4/128GB configurations, from 309 euro ($360). They’ll go on sale in select markets from May and June, respectively.

Nokia G20, G10, C20, and C10

The G10 and G20 slot into HMD’s G-series of Nokia phones, with even longer battery life: up to three days, the company claims. They have side-fingerprint sensors and a 6.5-inch display. The G20 has a triple rear camera system, while the G20 steps up to a 48-megapixel main camera and OZO surround sound.

The G20 will go on sale from May from 159 euro ($185) while the G10 will arrive in April from 139 euro ($160).

Finally, the C10 and C20 are focused on the affordable end of the scale. They run Android 11 Go Edition on a 6.5-inch HD+ display, and will go on sale from June and April, respectively, at 75 euro ($87) for the C10 and 89 euro ($99) for the C20.

Nokia Updates

As well as the six new phones, HMD Global is also updating its software commitment for Nokia devices. The C-series will get two years of quarterly security updates, but the G-series and X-series will boost that to three years of security updates.

As for the OS, the G-series will get two years of Android updates, HMD Global says. The X-series, meanwhile, will get three years of OS updates, and an extended warranty.

HMD Mobile

Today’s launch isn’t just about handsets, though, but also a new carrier. HMD Global is launching in the UK first, from the end of April, as an MVNO relying on the EE network. As with current Nokia phones, the focus will be affordability.

Plans will start from £6.50 ($8.25) per month for unlimited UK/EU calls and texts, and 1GB data, and run all the way up to 25GB of data per month. Full details will be announced closer to launch, along with a new HMD Mobile app for data use tracking, support, and other features.


ZTE second-gen under-display camera might not fix its biggest flaw

At MWC Shanghai, ZTE flaunted its next-gen technologies for under-display imaging sensors, including its second under-display camera or UDC. It remains the only smartphone maker that can boast of a commercial product that utilizes a screen with absolutely no cutout, but the ZTE Axon 20 5G can’t really boast of producing great selfies because of it. There may have been hopes that its next UDC would address this problem but while it does get an upgrade, it doesn’t actually address its most glaring issue.

There are two main hurdles when implementing an under-display camera. The first is how to mask the hole above the camera so that the screen looks flawless when the camera is not in use. The other is its diametrical opposite and deals with how to let light through the camera despite having “normal” screen pixels on top of it.

The new ZTE UDC improves on the former by increasing the pixel density of the patch of screen above the hidden camera from 200 to 400 ppi or pixels per inch. That means that, when displaying a large block of color, that area will hardly be visible. That said, that was hardly visible anyway on the first-gen UDC.

This, unfortunately, doesn’t exactly address the issue that the ZTE Axon 20 5G’s front-facing camera produced poor images and videos. In fact, it could even make that worse because a higher pixel density suggests more pixels packed together that will let less light through. ZTE hasn’t gone into detail about the new technology, though, so we’ll have to wait for its explanation.

The company also showed off what is the industry’s first under-display 3D structured light sensor for use in face and body recognition for AR or security applications. Both this and the UDC are expected to show up on the ZTE Axon 30 Pro though the date for that phone has not yet been leaked.
