News & Updates

18 of the 276 vulnerabilities fixed by Oracle in its latest Patch Update reside in the OIT libraries, which are used by products of numerous major vendors.

The latest Critical Patch Update, released by Oracle this week, is in the headlines for the number of patches it includes. It fixes 276 vulnerabilities; 19 of them, rated critical, could expose the products of multiple vendors to cyber attacks.

The security vulnerabilities were reported by researchers at Cisco Talos.

17 high-severity flaws affect Oracle Outside In Technology (OIT), a Fusion Middleware suite of software development kits (SDKs) that can decode over 500 different file formats.

Security experts believe that the flaws could also have a serious impact on several third-party applications that use the OIT libraries, including products from Avira, HPE, IBM, Google, Microsoft, Novell, Raytheon, and Symantec.

The experts from Cisco are not able to confirm which third-party products that rely on the OIT libraries are vulnerable to cyber attacks, but some of them are certainly impacted.

Oracle OIT libraries

The researchers described some attack scenarios that are easy to exploit. For example, Microsoft Exchange 2013 and earlier could be hacked by sending a malicious email attachment to the targeted user; the only precondition is that the WebReady Document Viewing feature is enabled.

Avira AntiVir for Exchange, a popular AV solution, automatically scans all inbound and outbound email, which means that an attacker can trigger the vulnerability by sending or receiving a specially crafted message.

In January, the US-CERT published a security advisory warning about the presence of multiple stack buffer overflows in Oracle Outside In 8.5.2. The advisory focused on the flaws in the parsers for WK4, Doc and Paradox DB files. CERT/CC reported at the time that the flaws affected products from most of the vendors that leveraged the Oracle SDKs.

In that case, the CERT confirmed that the OIT libraries are used by a variety of applications, including Microsoft Exchange, Google Search Appliance, Oracle Fusion Middleware, Guidance Encase Forensics, AccessData FTK, and Novell Groupwise.

Experts from Cisco Talos highlighted that vendors could take time to test and update their products that use the OIT libraries; in the meantime, hackers could try to exploit the flaws in third-party products.

“However, the unfortunate reality is that vulnerabilities that are found in an SDK that is utilized by third-parties will take additional time to patch: First the organization that maintains the SDK issues a fix, and some amount of time later, third-parties that utilize the SDK provide an update to their customers including these fixes. This provides a rather large window of time in which miscreants can exploit vulnerabilities in third-party products.” reads the analysis published by Cisco Talos.


Pierluigi Paganini

(Security Affairs – hacking, OIT libraries)

The post Many enterprise apps affected by flaws in Oracle OIT libraries appeared first on Security Affairs.

Source: Security affairs

(credit: André-Pierre du Plessis)

On Thursday, Visa and PayPal announced a new partnership designed to push Visa cardholders to link their credit and debit cards to their PayPal and Venmo accounts, eschewing the bank-owned Automated Clearing House (ACH) network that PayPal has long preferred to work with.

PayPal makes more money off ACH-based transactions because it doesn’t have to pay a cut of any transaction fees to a card network like Visa. But two months ago, Visa CEO Charlie Scharf expressed his displeasure with getting cut out of the payments process and vowed to “go full steam and compete with [PayPal] in ways that people have never seen before” if the digital payment platform didn’t start playing nice.

In today’s partnership announcement, the two companies said that when a customer goes to sign up with PayPal or make a payment through the platform, Visa-network cards will be presented as “a clear and equal payment option” with ACH. In addition, PayPal said it promises not to “encourage Visa cardholders to link to a bank account via ACH,” and the company vowed to help Visa identify customers that could potentially change their current PayPal setup to route payments over Visa’s network.


Source: http://feeds.arstechnica.com/arstechnica/index/

For a while now, a certain subset of authenticity-obsessed nostalgic NES player has been disappointed with noticeable color-matching issues and blurriness evident in Nintendo’s official Virtual Console NES re-releases on the Wii, Wii U, and 3DS. That problem led many to worry that the recently announced NES Classic Edition mini-console would suffer from the same issues.

Today, though, Nintendo released an online trailer for the $60 plug-and-play system. Amid a lot of ’80s style marketing glitz, the video briefly showed some NES Classic Edition games in action, displaying what seems to be much crisper and more accurate HD emulation of the NES cartridges you remember.

You can see the improvements directly in the above gallery, with the NES Classic version on the left and the Wii U Virtual Console version on the right (images were sourced from official Nintendo trailers whenever possible to avoid issues with capture fidelity). As you can see, the NES Classic Edition versions are altogether brighter and crisper, with solid colors and well defined corners on the square pixels. It’s the kind of high-fidelity ROM recreation that players on PC-based emulators are already used to, but Virtual Console players may be surprised by it (especially if they last played these games through the low-definition output of the Wii).


Source: http://feeds.arstechnica.com/arstechnica/index/

This is the July 2015 “Flying Gun” video. (credit: Hogwit)

A federal judge in Connecticut has ruled against a young drone operator and his father. They will now have to turn over a slew of documents and materials as part of a Federal Aviation Administration investigation.

The two men and their legal team argued that the FAA lacks authority to regulate drones, but the FAA clearly disagrees with this assessment.

As Ars reported previously, the case dates back to July 2015. The pilot, Austin Haughwout, posted a video of his drone rigged up with a handgun. By early November 2015, the Federal Aviation Administration sent the two Haughwouts an administrative subpoena seeking a substantial amount of records, including purchase records and an accounting of what monies, if any, were gained from the “Flying Gun” YouTube video.


Source: http://feeds.arstechnica.com/arstechnica/index/

No more fights with Apple or any other smartphone maker: federal authorities have discovered a new tool for unlocking phones, as long as your phone uses a biometric sensor…

3D Printing!

Yes, police in Michigan are considering 3D printing a dead man’s fingers so they can unlock smartphones in criminal investigations using their biometric sensors.
A new report published


Source: http://feeds.feedburner.com/TheHackersNews

A conceptual rendering of a “battery case” style Introspection Engine for an iPhone 6.
(credit: https://www.pubpub.org/pub/direct-radio-introspection)

Mobile devices have without a doubt brought convenience to the masses, but that benefit comes at a high price for journalists, activists, and human rights workers who work in war-torn regions or other high-risk environments. Now, NSA whistleblower Edward Snowden has designed an iPhone accessory that could one day be used to prevent the devices from leaking their whereabouts.

Working with renowned hardware hacker Andrew “Bunnie” Huang, Snowden has devised the design for what the team is calling the “Introspection Engine.” For now, it’s aimed only at iPhone 6 models, but eventually the pair hopes to create specifications for a large line of devices. Once built, the “field-ready” accessory would monitor various radio components inside the phone to confirm they’re not transmitting data when a user has put the device into airplane mode. The hardware is designed to be independent from the mobile device, under the assumption that malware-infected smartphones are a fact of life in high-risk environments.

Detecting intoxicated smartphones

“Malware packages, peddled by hackers at a price accessible by private individuals, can activate radios without any indication from the user interface,” Huang and Snowden wrote in a blog post published Thursday. “Trusting a phone that has been hacked to go into airplane mode is like trusting a drunk person to judge if they are sober enough to drive.”


Source: http://feeds.arstechnica.com/arstechnica/index/

Is there a patent on the formula that helped generate this beautiful scene?

With No Man’s Sky’s highly anticipated release just weeks away, a Dutch company is objecting to the game’s alleged use of a patented “superformula” to generate landscapes and terrain.

The brewing conflict, first reported earlier this week by Dutch newspaper Telegraaf (Google translation), centers on a geometric transformation formula developed by University of Antwerp professor Johan Gielis in the early 2000s.

The formula’s penchant for creating naturalistic shapes with gentle curves using just a few parameters led some to nickname it a “superformula.” Gielis received a patent on the superformula in the European Union in 2002 and a US patent was granted in 2009 (in addition to a few other related patents). He then founded Genicap to monetize the formula by “develop[ing] innovative technologies and products for today’s and tomorrow’s world,” according to its corporate webpage.


Source: http://feeds.arstechnica.com/arstechnica/index/

Bubble Zoom in action. (credit: Google)

Reading comic books on a smartphone is a bit of a bummer. Comic books are designed to be read on a 7×10.5″ page, which doesn’t translate very well to a ~5-inch screen. It’s usually pretty hard to see the entire page and read the text, which leads to lots of zooming and panning.

Google is tackling this problem the way it seems to be tackling every problem lately: with machine learning. Google has taught its army of computers to detect the speech bubbles in comic books, allowing you to zoom in on them with just a tap. The bubbles lift off the page and get bigger without affecting the underlying image. This lets you see the entire page while still reading the text. Google calls the feature “Bubble Zoom.”

Bubble Zoom is available today in Google Play Books for Android. We’d guess an iOS version is coming later. For now, Bubble Zoom is just a “technical preview” but all Marvel and DC collected volumes are supported. Google says it hopes to eventually bring the feature to “all the comics and manga ever made.”


Source: http://feeds.arstechnica.com/arstechnica/index/

Lux, a xenon-based dark matter detector. (credit: Lawrence Berkeley Lab)

Today, the team behind one of the most sensitive dark matter detectors announced its full experimental run had failed to turn up any of the particles it was looking for. The LUX detector (Large Underground Xenon) is designed to pick up signs of weakly interacting massive particles, or WIMPs, when they engage in one of their rare interactions with normal matter. The null result doesn’t rule out the existence of dark matter, but it limits its potential properties.

As their name implies, WIMPs don’t interact with normal matter often, but they should on occasion bump into an atom, imparting energy to it. LUX provides a tempting target in the form of 370kg of liquid xenon. The detector is flanked by photodetectors to pick up any stray photons from the interactions, as well as hardware that picks up any stray charges knocked loose.

The challenge is to determine which signals are caused by dark matter and which are the product of cosmic rays or the natural background of radioactive decays. To handle the former, the detector is located nearly 1.5km below the surface in South Dakota’s Homestake Mine. It’s also partly shielded from the radioactive decays of the surrounding rock by an enormous tank of ultra-pure water. Even so, the scientists behind it had to spend time carefully characterizing the background noise. The success of that effort meant that LUX ended up four times more sensitive than it was originally designed to be.


Source: http://feeds.arstechnica.com/arstechnica/index/