The New Screen Savers 129: iPhone X is Here

– The iPhone X is here. Leo Laporte and Megan Morrone give their first impressions on how Face ID works, the lack of a home button, and screen.
– Kelsea Weber from iFixit.com already torn down the iPhone X. They found some inventive ways Apple built the phone, including using two batteries.
– Researchers at Stanford and Adobe developed an AI that can automatically edit video on a dialogue-driven scene in seconds.
– Megan and Leo will put an end to the Emjoi Cheeseburger kerfuffle in a taste-off between Facebook, Google, and Apple. Which emoji has the ingredients stacked correctly for taste?
– Jason Howell has the five most exciting features of the new Google Pixel 2 XL.
– Our Holiday Gift Guide continues. This week, Scott Wilkinson has his home theater picks including TVs, soundbars, AV receivers, UHD Blu-Ray players, and UHD streaming.

Advertisements

Hacking Team’s arsenal included at least three unpatched exploits for Flash Player

Recently breached surveillance software maker, Hacking Team, had access to three different exploits for previously unknown vulnerabilities in Flash Player. All of them are now out in the open, putting Internet users at risk.

Milan-based Hacking Team develops and sells surveillance software to government agencies from around the world. On July 5, a hacker released over 400GB of data stolen from the company on the Internet, including email communications, business documents, source code and other internal files.

On Tuesday, researchers found a proof-of-concept exploit among Hacking Team’s files that worked against the latest version of Flash Player. Cybercriminals were quick to adopt it and were already using it in large-scale attacks by the time Adobe Systems released a patch for it on Wednesday.

By late Friday, researchers from FireEye revealed that they found a second zero-day exploit for Flash Player in the Hacking Team data cache, prompting Adobe to issue an emergency advisory.

This was followed up Saturday by researchers from Trend Micro with yet another find, putting the number of Flash Player zero-day exploits used by Hacking Team to three—at least so far.

Only one of the vulnerabilities targeted by those exploits has been patched so far, with Adobe planning to release fixes for the other two—CVE-2015-5122 and CVE-2015-5123—later this week.

That’s a problem because the cybercriminals behind the Angler Exploit Kit were already using the exploit discovered by FireEye (CVE-2015-5122) by Sunday. The malicious activity was spotted by a malware researcher known online as Kafeine who specializes in tracking drive-by download attacks.

It’s very likely that attackers are also working on integrating the exploit found by Trend Micro (CVE-2015-5123) in commercial exploit kits, if they haven’t already.

“Until an update is available, users should consider disabling Adobe Flash,” researchers from Trend Micro said in a blog post. “Extra caution should be exercised for the foreseeable future and special attention paid for the possibility of compromised ad servers.”

Web-based exploits are typically used to infect computers when users visit legitimate websites that were compromised or when their browsers load malicious advertisements.

via Hacking Team’s arsenal included at least three unpatched exploits for Flash Player | PCWorld.

Adobe patches zero-day Flash Player flaw used in targeted attacks

Adobe Systems released an emergency security update for Flash Player Tuesday to fix a critical vulnerability that has been exploited by a China-based cyberespionage group.

Over the past several weeks, a hacker group identified as APT3 by security firm FireEye has used the vulnerability to attack organizations from the aerospace, defense, construction, engineering, technology, telecommunications and transportation industries.

The hacking group targeted the companies with generic phishing emails that contained a link to a compromised server, researchers from FireEye said in a blog post Tuesday. The server used JavaScript code to profile potential victims and then served the Flash exploit to the ones meeting attackers’ criteria, the company said.

The attackers use the exploit to install a backdoor known as SHOTPUT or CookieCutter and then move through the organization’s network, using other techniques and exploits to compromise additional systems.

In order to be protected against this vulnerability, which is tracked as CVE-2015-3113, Adobe advises users to update to the newly released Flash Player versions: 18.0.0.194 for Windows and Mac, 11.2.202.468 for Linux, and 13.0.0.296 for the extended support release.

The Flash Player plug-in that’s installed by default with Google Chrome and Internet Explorer on Windows 8.x will be automatically updated. Flash Player users on Windows or Mac who have selected “allow Adobe to install updates” will also get the update automatically.

APT3 is a sophisticated group known for using other zero-day browser-based exploits in the past for Internet Explorer, Firefox and Flash Player, according to FireEye. The group also uses custom backdoors and often changes command-and-control infrastructure, making it hard for researchers to track its activity.

via Adobe patches zero-day Flash Player flaw used in targeted attacks | PCWorld.

Zero-day Flash bug under active attack in Windows threatens OS X, Linux too

A day after reports that attackers are exploiting a zero-day vulnerability in Microsoft’s Internet Explorer browser, researchers warned of a separate active campaign that was targeting a critical vulnerability in fully patched versions of Adobe’s ubiquitous Flash media player.

The attacks were hosted on the Syrian Ministry of Justice website at hxxp://jpic.gov.sy and were detected on seven computers located in Syria, leading to theories that the campaign targeted dissidents complaining about the government of President Bashar al-Assad, according to a blog post published Monday by researchers from antivirus provider Kaspersky Lab. The attacks exploited a previously unknown vulnerability in Flash when people used the Firefox browser to access a booby-trapped page. The attackers appear to be unrelated to those reported on Sunday who exploited a critical security bug in Internet Explorer, a Kaspersky representative told Ars.

While the exploit Kaspersky observed attacked only computers running Microsoft Windows, the underlying flaw, which is formally categorized as CVE-2014-1776 and resides in a Flash component known as the Pixel Bender, is present in the Adobe application built for OS X and Linux machines as well. Adobe has updated all three versions to plug the hole. Because security holes frequently become much more widely exploited in the hours or days after they are disclosed, people on all three platforms should update as soon as possible. People using IE 10 and 11 on Windowws 8 will receive the update automatically, as will users of Google’s Chrome browser. It can sometimes take hours for the automatic updates to arrive. Those who are truly cautious should consider manually installing them. Windows users with Firefox installed must run a separate update for both IE and the Mozilla browser.

Kaspersky Lab researcher Vyacheslav Zakorzhevsky said the attacks were carried out in two separate exploits and were detected as early as April 9 by a general heuristic signature in the company’s AV network. Both of the SWF files are able to bypass security mitigations built in to Flash and Microsoft Windows, including Windows 8, he said. One of the exploits, embedded in a file titled include.swf, is designed to target computers that have the Cisco Systems MeetingPlace Express Add-In version 5×0 installed. The app is used to view documents and images during Web conferences.

“We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions,” Zakorzhevsky wrote. “We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”

He continued:

When we entered the site, the installed malware payloads were already missing from the “_css” folder. We presume the criminals created a folder whose name doesn’t look out of place on an administration resource and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site. To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.

It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.

Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which Adobe no longer supports, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse.

 

via Zero-day Flash bug under active attack in Windows threatens OS X, Linux too | Ars Technica.

IE’s Flash made Windows 8 most vulnerable Windows OS, research says

According to a new research from the Denmark-based security company Secunia, out of all the Windows operating systems currently supported by Microsoft, Windows 8 is the most vulnerable. Dubbed Secunia Vulnerability Review 2014, the research says that while Windows 7 and Windows XP vulnerabilities doubled in 2013, it was Windows 8 which reported the highest number of flaws.

So, despite of being touted as more secure than its predecessors, why is Windows 8 at the top of the vulnerability chart? Well, the reason is Flash — at least this is what the security firm says in its report. Out of 156 flaws reported in Windows 8, 55 were due to the integration of Adobe System’s Flash Player into IE.

Although Adobe’s Flash is widely known for being one of the most prolific sources of security vulnerabilities in Windows this is the first time it’s directly affecting the image of Windows 8. Will it have any effect on Windows 8 sales? Probably not. While Microsoft’s latest operating system isn’t selling as fast as its predecessor, the software giant recently announced that it sold 200 million copies of Windows 8.

Secunia’s annual report on software vulnerabilities takes a look at 50 of the most commonly used programs and operating systems. This year’s report also says that the time gap between when a flaw is reported and when a fix is delivered is narrowing; 86 percent of the vulnerabilities found in the top 50 software products had a fix available on the day of disclosure.

via IE’s Flash made Windows 8 most vulnerable Windows OS, research says – TechSpot.

Adobe issues second emergency patch for Flash Player this month

Adobe has released a critical security update for its Flash Player plug-in for Windows, Mac and Linux – the second in less than three weeks. The update addresses a zero-day exploit first uncovered by security firm FireEye a week ago that targeted visitors of at least three nonprofit websites.

The security firm said Peterson Institute for International Economics (PIIE.com), the American Research Center in Egypt (ARCE.org) and the Smith Richardson Foundation (SFR.org) were all compromised using remote code injection. Traffic to these sites was redirected to a server that contained a hidden iframe running the exploit.

Given the nature of the nonprofits, FireEye said they believe those responsible for the attacks have sufficient resources and are committed to infecting those visiting a particular type of website. Two of the sites in question focus on national security and public policy which led the firm to speculate that the attackers infected visitors for follow-on data theft.

In a security bulletin on the matter, Adobe said Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh, version 11.2.202.336 and earlier versions for Linux, AIR 4.0.0.1390 and earlier versions for Android, AIR 3.9.0.1390 SDK and earlier versions and AIR 3.9.0.1390 SDK & Compiler and earlier versions are all affected.

The new version of Flash Player for Windows and Mac is 12.0.0.70 while the newest for Linux is 11.2.202.341. Naturally, you’ll want to download and apply the patch ASAP.

via Adobe issues second emergency patch for Flash Player this month – TechSpot.

Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad)

Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad) | ZDNet

It’s well-known that people often pick easy to remember but easy to crack passwords to protect their accounts. Thanks to the work of one password expert, it’s now thought that millions of Adobe customers were among those with a taste for terrible passwords too.

Adobe recently revealed that the security breach which affected the company last month turned out to have involved at least 38 million Adobe IDs and encrypted passwords, rather than the 2.9 million the company originally reported.

But the 38 million figure only related to active accounts. Along with the source code for products such as ColdFusion, the hackers made off with and published a file that contained over more than million user records for inactive as well as active accounts, which included more than 130 million encrypted passwords.

Read this

Do unseen passwords really need masking?

Password\’s rotten core not complexity but reuse

Could ‘honeywords’ help stop high-profile password breaches?

One password cracked and your business is history

Google unveils 5-year roadmap for strong authentication

Although Adobe has said the passwords were encrypted, it appears the way Adobe did that was not enough to prevent passwords expert and founder of the security firm Stricture Consulting Group, Jeremi Gosney, from deriving them to reveal the most commonly used passwords, which he published over the weekend, spanning around six million or just under five percent of the 130 million password list. (How he derived them is explained below.)

The most popular password, used by nearly two million Adobe customers, is “123456”. There aren\’t any surprises there though; the Yahoo leak of 450,000 passwords last year, and other similar breaches, have also revealed the same password as a user favourite.

The others in the Adobe top 10 are equally poor. The second most popular was “123456789”, used for 446,162 accounts, followed by “password” common to 345,843 accounts, “adobe123” used in 211,659 accounts, “12345678” used for 201,580 accounts, followed by “qwerty”, “1234567”, “111111”, “photoshop” and “123123”.

Gosney notes that since he doesn’t have the key Adobe used to encrypt the passwords of 130,324,429 users — and since Adobe is still blocking access to its services until owners reset their passwords — it’s impossible to say with certainty that the list is entirely accurate, but he says he’s nonetheless “fairly confident” of its accuracy.

Gosney confirmed the source of the analysis was a file containing the passwords was leaked on Anonnews last week. So how was it all possible? Here’s what he told ZDNet:

See, the passwords in this leak are were all encrypted with the same key. Without that key, we cannot crack a single password. But as soon as we have that key, we can instantly crack all of them. So for this particular leak, we’re not trying to crack individual passwords — we’re trying to crack the encryption key.

Adobe encrypted the passwords with 3DES in ECB mode. 3DES itself isn’t a terrible cipher, depending on which key option was used. But ECB mode is really bad, because it leaks information about what was encrypted. Basically, ECB mode works by dividing a message into blocks, and then encrypting each block individually. This means that the same plaintext block will always result in the same ciphertext block when encrypted with the same key.

Analysing patters in the ciphertext along with known plaintext-ciphertext pairs allows you to learn quite a bit of information about the encrypted data. In this case, we had lots of known plaintext-ciphertext pairs because a lot of people were affected by this breach, myself included.

The top 100 list we published was based solely on manual analysis of the ciphertexts, combined with manual analysis of the user-supplied password hints for each password. This enabled us to make highly educated guesses at what each of the passwords might be, but we won’t know for sure until the encryption key is recovered.

The password hints were the most telling. An overwhelming number of people took the concept of a password hint too literally, and flat-out provided the password itself as the hint. By analysing thousands of password hints per ciphertext, and matching that information with what we know about the ciphertext thanks to ECB mode, we are able to determine a number of passwords with a reasonable degree of certainty. It took about three hours to determine what the top 100 passwords were with this method.

Some will conclude that ECB mode was obviously Adobe’s downfall here, but the real point is that the passwords never should have been encrypted in the first place. They should have been hashed, using a proper password hashing function. It sounds like Adobe is in the process of remedying this, however, as they state that their new solution uses over one thousand iterations of salted SHA-256.

Full Story: Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad) | ZDNet.

Flash Player, Reader and Shockwave Player get critical security updates

Adobe released security updates for Flash Player, Adobe Reader and Shockwave Player on Tuesday to address critical vulnerabilities that could allow attackers to take control of systems running vulnerable versions of those programs.

The Flash Player updates address four memory corruption vulnerabilities that can lead to arbitrary code execution. The updates are version numbers 11.8.800.168 for Windows and Mac OS X; 11.2.202.310 for Linux; 11.1.115.81 for Android 4.x; and 11.1.111.73 for Android 3.x and 2.x.

Users of Google Chrome and Internet Explorer 10 on Windows 8 will automatically receive updates for the Flash Player plug-in bundled with those browsers through their respective update mechanisms.

The same Flash Player vulnerabilities were patched in Adobe AIR, a runtime for rich Internet applications that also bundles Flash Player. Adobe released version 3.8.0.1430 of AIR and AIR SDK (software development kit) for Windows, Mac OS X and Android.

New versions of Adobe Reader and Adobe Acrobat XI and X were released to address eight arbitrary code execution vulnerabilities: three memory corruption issues, two buffer overflows, two integer overflows and one stack overflow.

Users of Adobe Reader or Acrobat XI for Windows and Mac OS X are advised to upgrade to Adobe Reader XI (11.0.04) or Adobe Acrobat XI (11.0.04), respectively. Adobe Reader and Acrobat X for Windows and Mac have also been updated to version 10.1.8.

Adobe’s Shockwave Player, an application required to display online content created with Adobe’s Director software was updated to version 12.0.4.144 for Windows and Mac to address two memory corruption vulnerabilities that can lead to arbitrary code execution.

While not as popular as Flash Player, Shockwave Player is installed on 450 million Internet-enabled desktops, according to statistics from Adobe, which potentially makes it an attractive target for attackers.

via Flash Player, Reader and Shockwave Player get critical security updates | PCWorld.

Adobe Creative Cloud apps now available; Photoshop CC includes new features

In line with their move towards a subscription-only application offering, Adobe has unveiled the new suite of apps it announced in May. Available immediately, Creative Cloud members can download the new applications via the Adobe Application Manager.

This new generation goes under the moniker ‘CC’ for Creative Cloud, dropping the former CS (Creative Suite) naming convention. Going forward, anyone wishing to upgrade to the new versions of Photoshop CC, Illustrator CC, and the other former Creative Suite applications will require a Creative Cloud subscription.

To get a feel for what the new software has to offer, The Verge did a hands on comparison between Photoshop CS6 and the new Photoshop CC.

The major addition to PS CC from a photographer’s perspective is the addition of the Shake Reduction filter, reports The Verge. Shake Reduction works by assessing the blur pattern in an image and attempting to adjust accordingly, reducing blur and outputting a crisp and clear image.

The resulting image above shows the Shake Reduction product (click for higher resolution image). I played with it myself and produced similar results; an image that looks a bit over-processed. It will be a useful tool when using less intense Shake Reduction settings paired with some touch-up to fix discoloration of the shifted areas.

Smart Sharpen has gotten smarter in CC. The filter now accounts for the subject of the photo, and selectively sharpens it while leaving the background softer.

Adobe has bolstered the resizing functionality in Photoshop CC as well. Historically, users have had to be satisfied with poorly resampled enlargements from Photoshop, or opt for expensive third-party plugins like Alien Skin Blow Up or Perfect Resize. Photoshop CC allows you to use a new intelligent upsampling algorithm to produce better enlarged images natively in the application, according to Adobe.

Pictured above is a ‘bicubic smoother’ enlargement on the left, and an ‘intelligent resample’ enlargement on the right. Again, I found that this feature sounded better on paper than in practice. The enlargement settings are sparse and I am able to produce much better results with Alien Skin Blow Up.

Finally, Adobe added new editing features to Camera Raw 8, including radial filters, straightening of distorted photos, and a new healing brush.

The new features in Photoshop CC will be useful, but is it worth the upgrade from CS6? If we were still on the same development cycle and one-time purchase software, I’d say absolutely not. But going forward, all new versions of Adobe Creative Cloud software are included with the subscription, so upgrading is a no-brainer once you are paying monthly. However, if you purchased CS6 outright, you won’t be missing much this time around.

If you’ve had a chance to try out any of the new Creative Cloud applications, let us know what you think.

via Adobe Creative Cloud apps now available; Photoshop CC includes new features – TechSpot.

4 video editors that are up to the task for both amateurs and pros

With HD-resolution cameras now standard-issue items in smartphones, 4K-resolution cameras falling into consumers’ hands and multi-core processing power standard issue on desktops and laptops, the need for video editing suites with high-end features has moved into the mainstream.

In this roundup, I explore four well-known video editing packages — Adobe Premiere Pro CS6, Corel VideoStudio Pro X6, CyberLink PowerDirector 11 and Sony Vegas Pro 12 — that are suitable for the ambitious amateur or for the professional who wants to complete a quick project. These are available both as standalone items and as parts of larger suites or packages, and there’s a price range and a feature set for most every budget or need. (Note: Only Adobe offers a version for Mac users.)

What constitutes a “high-end” feature — or product, or suite — is at least as much about implementation as whether or not it’s included. For example, 4K-resolution video (3840 x 2160 pixels), used by a growing number of consumer-level devices, is supported by all the products in this roundup. However, not all of them support Redcode, the 4K video format generated by Red pro-level cameras. Not a big deal to those editing cellphone footage, but a potential deal-killer if you end up working with such high-tier technology.

To that end, I’ve looked at each of these products with an eye towards how well they handle top-of-the-line features like 4K support, general usability, value for the money and bonus features. My test system for this roundup was an Intel Core i7-3770K quad-core (eight-thread) system running at 3.5 GHz, with 16GB of RAM, a 128GB SSD system drive and a 2TB secondary drive; NVIDIA loaned me a Quadro 5000 GPU.

Adobe Premiere Pro CS6

Standalone: $799 or monthly starting at $19.99. Suites: CS6 Production Premium ($1,899); CS6 Master Collection ($2,599); Creative Cloud, ($49.99/mo. w/annual commitment, $74.99/mo. cancel at any time) OS: Windows 7 and later, Mac OS X v10.6.8 and later

Adobe has done a lot of work with Premiere Pro — both as a standalone product and as part of the Adobe Creative Suite — so that video professionals will take it more seriously. With each successive revision Premiere Pro has become more tightly integrated with Photoshop and other Adobe products (and vice versa).

In addition, Premiere Pro CS6 has gained features to keep it competitive with professional-grade editing products. Among the biggest new additions, and one sure to be attractive to high-end camera users, is native support for footage from 4K-resolution camera systems: the Red Epic, the Red Scarlet-X, the ARRI Alexa series and the Canon Cinema EOS C300, among others. A great deal of processing power and throughput is needed to handle these files (a single minute of Redcode footage can eat up 4GB). However, Adobe has made it possible to speed up the process considerably with its accelerated Mercury Playback Engine — provided you have a graphics card that supports it.

Full Story: 4 video editors that are up to the task for both amateurs and pros | PCWorld.