Microsoft Edge/ChakraCore Chakra Scripting Engine memory corruption https://ift.tt/310yypg A vulnerability was found in Microsoft Edge and ChakraCore (Web Browser) (unknown version) and classified as critical. This issue affects an unknown part of the component Chakra Scripting Engine. Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. Digital Trends via vuldb.com https://vuldb.com September 26, 2020 at 09:36AM
Microsoft Edge/ChakraCore Chakra Scripting Engine memory corruption https://ift.tt/2Vqs3e8 A vulnerability has been found in Microsoft Edge and ChakraCore (Web Browser) (the affected version is unknown) and classified as critical. This vulnerability affects some unknown functionality of the component Chakra Scripting Engine. Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. Digital Trends via vuldb.com https://vuldb.com September 26, 2020 at 09:36AM

Microsoft Edge/ChakraCore Chakra Scripting Engine memory corruption https://ift.tt/35hbciG A vulnerability, which was classified as critical, was found in Microsoft Edge and ChakraCore (Web Browser) (the affected version unknown). This affects an unknown functionality of the component Chakra Scripting Engine. Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. Digital Trends via vuldb.com https://vuldb.com September 26, 2020 at 09:36AM
Amazon Luna Isn't Solving Cloud Gaming's Biggest Problems https://ift.tt/340pbJP

Luna—no, not the surprisingly delicious protein bars--is Amazon’s upcoming foray into the world of cloud gaming. Some of us probably rolled our eyes at the announcement and thought, “Ugh, why does Amazon need to have its greedy little paws in everything?” When you dig into the announcement and see what its service will offer at launch, there’s nothing mind-blowing about it. Arguably even less so compared to Stadia’s launch nearly a year ago, and Luna is going to be in the same spot Stadia was and still is. There are big problems with cloud gaming and Luna so far isn’t poised to solve any of them. Exclusives are the most immediate problem that Amazon seems to be struggling with. “It’s a real question whether or not Amazon can pull this off,” said Joost van Dreunen, co-founder and former CEO of Superdata and now a professor at NYU Stern and author of the gaming newsletter SuperJoost Playlist. That’s because the only thing Luna currently has over Stadia at this point is its partnership with Ubisoft. Ubisoft will have its own games channel on Luna at launch, where future users will find Assassin’s Creed: Valhalla and Far Cry 6 released on the same day they’re released on other platforms. Those games will not be Luna exclusives, however. As of now, Amazon has no major exclusives. By comparison, Google has had timed exclusives and signed more exclusive deals with developers to bring their new games to Stadia next year. And when Stadia was still in its testing phase, Assassin’s Creed: Odyssey was the game beta testers played. Assassin’s Creed: Valhalla will be on Stadia at release, too. Sure, Stadia doesn’t have a dedicated Ubisoft channel like Amazon’s Luna, but you can still play Assassin’s Creed and other Ubisoft games on nearly every platform, even GeForce Now. “What we saw [with Stadia] is that streaming is going to [be big].
We want to have games that are easy to access and can be played by everyone,” said Ubisoft CEO Yves Guillemot in a June 2019 interview with VentureBeat. When you take all that into consideration, Ubisoft was most likely an easy company for Amazon to approach because it was the one most likely to say yes. Ubisoft has its own channel on Luna, but are game developers raving about the tools they can use to make games? Not right now, and who knows if or when they will. Amazon does own Lumberyard, a game engine that integrates with Amazon Web Services, so it’s possible they could get a small game exclusive or two to start like Stadia did with the game Gylt. But it doesn’t look like Amazon has spent any of its billions on snagging exclusives. Amazon could have made a bigger splash with its announcement if it had a flashy, in-house exclusive to launch with Luna. That may have been the original plan, but its first major game launch, Crucible, went back to a closed beta after its release. That’s not a normal occurrence in the videogame world, and the developer made the decision after the game received a proverbial truckload of negative feedback. Games are not one of Amazon’s strengths any more than games are one of Stadia’s, or even Apple’s, strengths. What Amazon has done well is create platforms and devices for content distribution. Amazon has its Kindle. The Marvelous Mrs. Maisel, an Emmy award-winning show, is a Prime Video Exclusive. But videogames are different. And Amazon has kind of tried this before and failed. In 2009, it launched a digital game store that was mostly filled with casual games, but it grew to incorporate games from major publishers and developers. However, at that point you could already buy games from the PlayStation and Xbox digital stores. Steam, too. There wasn’t a need to buy games from Amazon unless it was a casual game, and even then Google Play and Apple’s App Store were already around.
It was easier to buy a game directly from the source instead of buying a game code from Amazon you had to then input elsewhere. You could buy a physical copy of the game, but the industry was moving away from that. Fast. Strains of the old store still remain, where digital copies of games can be purchased from the developers’ and publishers’ storefronts hosted on the Amazon marketplace. But Amazon’s game marketplace itself is mostly gift cards loaded with in-game currencies. Like Amazon’s 2009 gaming storefront, Luna feels like an afterthought too. “Gaming in the larger, internal Amazon universe is sort of an oddball effort that doesn’t necessarily sit well with whatever else it’s doing,” said van Dreunen. One of its big appeals seems to be the way it can leverage Amazon Web Services (AWS) to integrate some features with Twitch, which the tech giant also owns. But again, that’s not creating original content. That’s just distribution, and it’s more complicated with games than just making a few deals with Hollywood to put shows on your streaming service. “Building an ecosystem with third-party content providers, building an audience that likes the live operations of your game, that logs in and engages with your content, that’s a very different effort,” said van Dreunen. According to van Dreunen, unless Amazon is willing to spend $5 to $10 billion over the next two years to acquire exclusive content it could take Luna several years to catch on as a gaming platform. Perhaps even slower than Stadia. “Whether it’s Apple, Facebook, Google, or Amazon, big tech has a really hard time understanding that content is king. They don’t give a crap about content creators in the same way that, say, Microsoft and Sony have been doing with their consoles,” said van Dreunen. “So that difference in ability to value content that highly [...] Amazon has got a long way ahead of itself.
It doesn’t have the content, it doesn’t have the sensibility to come up with the content.” And he’s right. Luna doesn’t have anything special to offer that isn’t already offered by Stadia or another gaming platform right now. Does that mean Amazon won’t give up like it gave up on its videogame digital storefront? Does that mean Amazon won’t become a big player in the gaming industry? Victor Kao, partner and technology senior analyst at RSM US LLP, doesn’t think so. “The scary thing about Amazon? If there’s something that they’re interested in, they will throw money at it. If you look at the grocery and retail sector, they just completely threw money at it.” Cloud gaming won’t go away. Too many big companies have invested heavily in it, and it’s really just the next step in the evolution of games. As Kao points out, cartridges turned into CDs, CDs turned into digital downloads, and now we’re in the process of moving away from digital downloads to games that are stored and played entirely on the cloud. “You’ve got all the big players that are starting to get involved in cloud gaming. You got Microsoft. You got Google. You got Amazon. You got Nvidia,” said Kao. “Amazon certainly is a big threat into the overall gaming environment. It doesn’t typically pull out of investments such as these.” But ultimately, Luna’s success won’t be determined by how well its controller works, how many platforms support it, or even how many games it has. To some extent, the number of games matters only if there are a lot of major and diverse titles, but cloud gaming as it’s envisioned can only take off if we have the infrastructure for it. And if the times spent fighting over net neutrality and expanding affordable, reliable internet to urban and rural locations haven’t been telling enough, it’s going to be a long time before we have the infrastructure for cloud gaming to become a major platform.
“It’s baby steps right now, but I think this is gonna become bigger when you think about 5G. When you think about Gigabit fiber connections in everyone’s home. All of that is eventually going to get there,” said Kao. And when it does get there, it could have latency speeds equivalent to, or faster than, gaming on a local machine. For anyone who doesn’t want to spend hundreds of dollars on a console, or even thousands on a PC, cloud gaming is the way to go, especially as more games, major and indie alike, find homes on these platforms. But until lawmakers and ISPs get their shit together and actually provide equitable internet access across the entire country, cloud gaming will remain out of reach for a massive chunk of the country. Microsoft claims over 157 million Americans don’t use broadband. So while cloud gaming remains out of reach for many, Amazon has to bring something new to the table to make Luna seem exciting. Stadia has the dev tools and exclusives, Microsoft has its Xbox Game Pass, Nvidia’s GeForce Now works on ChromeOS. Luna...Luna is trying very hard to copy everything else.

Digital Trends via Gizmodo https://gizmodo.com September 26, 2020 at 09:12AM

Microsoft Edge/ChakraCore Chakra Scripting Engine memory corruption https://ift.tt/2VpXRzT
A vulnerability, which was classified as critical, has been found in Microsoft Edge and ChakraCore (Web Browser) (affected version not known). Affected by this issue is an unknown function of the component Chakra Scripting Engine. The manipulation with an unknown input leads to a memory corruption vulnerability. Using CWE to declare the problem leads to CWE-119. Impacted is confidentiality, integrity, and availability. The weakness was released 10/08/2019 as confirmed security update guide (Website). The advisory is available at portal.msrc.microsoft.com. The public release was coordinated with the vendor. This vulnerability is handled as CVE-2019-1307 since 11/26/2018. The attack may be launched remotely. No form of authentication is required for exploitation. The technical details are unknown and an exploit is not available. The structure of the vulnerability defines a possible price range of USD $5k-$25k at the moment (estimation calculated on 09/26/2020). The advisory points out: A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. Entries connected to this vulnerability are available at 143069, 143068 and 143067. 
VulDB Meta Base Score: 6.0
VulDB Meta Temp Score: 5.7
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
Vendor Base Score (Microsoft): 4.2
NVD Base Score: 7.5
Class: Memory corruption (CWE-119)
Local: No
Remote: Yes
Status: Not defined
Recommended: Patch

11/26/2018 CVE assigned
10/08/2019 +316 days Advisory disclosed
10/08/2019 +0 days Countermeasure disclosed
10/08/2019 +0 days VulDB entry created
09/26/2020 +354 days VulDB last update

Vendor: https://www.microsoft.com/
Advisory: portal.msrc.microsoft.com
Status: Confirmed
CVE: CVE-2019-1307
Created: 10/08/2019 08:53 PM
Updated: 09/26/2020 03:55 PM

Digital Trends via vuldb.com https://vuldb.com September 26, 2020 at 09:08AM

Microsoft Internet Explorer 11 VBScript memory corruption https://ift.tt/2MnHxf4
A vulnerability classified as critical was found in Microsoft Internet Explorer 11 (Web Browser). Affected by this vulnerability is some unknown processing of the component VBScript. The manipulation with an unknown input leads to a memory corruption vulnerability. The CWE definition for the vulnerability is CWE-119. As an impact it is known to affect confidentiality, integrity, and availability. The weakness was published 10/08/2019 as confirmed security update guide (Website). The advisory is shared at portal.msrc.microsoft.com. The public release has been coordinated with Microsoft. This vulnerability is known as CVE-2019-1239 since 11/26/2018. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 09/26/2020). It is expected to see the exploit prices for this product decreasing in the near future. The advisory points out: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. Similar entry is available at 143064. 
VulDB Meta Base Score: 7.1
VulDB Meta Temp Score: 6.8
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
Vendor Base Score (Microsoft): 7.5
NVD Base Score: 7.5
Class: Memory corruption (CWE-119)
Local: No
Remote: Yes
Status: Not defined
Recommended: Patch

11/26/2018 CVE assigned
10/08/2019 +316 days Advisory disclosed
10/08/2019 +0 days Countermeasure disclosed
10/08/2019 +0 days VulDB entry created
09/26/2020 +354 days VulDB last update

Vendor: https://www.microsoft.com/
Advisory: portal.msrc.microsoft.com
Status: Confirmed
CVE: CVE-2019-1239
Created: 10/08/2019 08:52 PM
Updated: 09/26/2020 03:45 PM

Digital Trends via vuldb.com https://vuldb.com September 26, 2020 at 09:08AM

Microsoft Internet Explorer 9/10/11 VBScript memory corruption https://ift.tt/2VtFieb
A vulnerability classified as critical has been found in Microsoft Internet Explorer 9/10/11 (Web Browser). Affected is an unknown code block of the component VBScript. The manipulation with an unknown input leads to a memory corruption vulnerability. CWE is classifying the issue as CWE-119. This is going to have an impact on confidentiality, integrity, and availability. The weakness was shared 10/08/2019 as confirmed security update guide (Website). The advisory is shared for download at portal.msrc.microsoft.com. The vendor cooperated in the coordination of the public release. This vulnerability is traded as CVE-2019-1238 since 11/26/2018. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $5k-$25k (estimation calculated on 09/26/2020). It is expected to see the exploit prices for this product decreasing in the near future. The advisory points out: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. The entry 143065 is related to this item. 
VulDB Meta Base Score: 6.7
VulDB Meta Temp Score: 6.4
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
Vendor Base Score (Microsoft): 7.5
NVD Base Score: 6.4
Class: Memory corruption (CWE-119)
Local: No
Remote: Yes
Status: Not defined
Recommended: Patch

11/26/2018 CVE assigned
10/08/2019 +316 days Advisory disclosed
10/08/2019 +0 days Countermeasure disclosed
10/08/2019 +0 days VulDB entry created
09/26/2020 +354 days VulDB last update

Vendor: https://www.microsoft.com/
Advisory: portal.msrc.microsoft.com
Status: Confirmed
CVE: CVE-2019-1238
Created: 10/08/2019 08:52 PM
Updated: 09/26/2020 03:35 PM

Digital Trends via vuldb.com https://vuldb.com September 26, 2020 at 09:08AM

Microsoft Windows up to Server 2019 Remote Desktop privilege escalation https://ift.tt/2IyPn4d A vulnerability was found in Microsoft Windows (Operating System). It has been rated as critical. This issue affects an unknown code of the component Remote Desktop. Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability. Digital Trends via vuldb.com https://vuldb.com September 26, 2020 at 08:32AM
Avoid Germs With These Handy Door-Opening Multi-Tools, 40% Off With Promo Code https://ift.tt/3kSE1bY Social Distancing Multi-Tool | $6 | Amazon | Promo code 40USDX3Q No-Touch Door Opener Tool 2-Pack | $9 | Amazon I don’t know about you, but I hate touching any public surfaces— for obvious reasons, I hope. Unfortunately, it can’t be completely avoided at the grocery store or at the ATM or while running other necessary errands. These multi-tools can help you go touch-free as much as possible, and we found a few good deals. They can pull many types of door handles open, and they also include a bottle opener, and a stylus so you don’t have to touch public keypads. This 2-pack of the tool is at its lowest price in 30 days for $9, normally $14. If you just want to give one a try, you can get $4 off of this highly-rated multi-tool in rose gold or in silver for only $6. To get the $4 discount, use promo code 40USDX3Q at checkout. Digital Trends via Gizmodo https://gizmodo.com September 26, 2020 at 08:12AM
Windows XP Source Code Got Leaked All Over the Internet https://ift.tt/2S4KWCw This week, we took an exclusive look at the chaos that unfolded inside Twitter in the hours after the accounts of Elon Musk, Bill Gates, and dozens more got hacked. Twitter has since tightened up its internal security—but with the election a little over a month away, has it done enough? The Justice Department continued its busy month this week, announcing the global arrests of 179 alleged dark web vendors in a coordinated effort with Europol. Authorities credit the takedown of the dark web bazaar Wall Street Market in May of last year with leading them to the suspects. Facebook showed some muscle this week as well, dismantling disinformation networks that originated in China, the Philippines, and most troubling of all Russian military intelligence. And a tip from a kid about a suspicious TikTok profile led researchers to uncover adware in apps that had been collectively downloaded 2.4 million times. We took a spin through the most important privacy and security features in iOS 14, including new ways to keep apps from snooping your camera or mic. We explained why using the single sign-on features offered by Google, Facebook and Apple may not be the safest choice. And we looked at a few Chrome extensions that will cut down on all those pesky trackers. Finally, set aside a little time to get comfy and read this tale of a scandal that rocked the poker world. It'll be worth it. And there's more! Every Saturday we round up the security and privacy stories that we didn’t break or report on in depth but think you should know about. Click on the headlines to read them, and stay safe out there. Windows XP's refusal to die has caused a multitude of security problems; Microsoft stopped officially providing updates to the operating system in 2014, meaning any vulnerabilities largely don't get fixed on the millions of computers that still run it. 
The situation managed to get even worse this week, as Windows XP source code leaked on the file-sharing site Mega, troll forum 4Chan, and beyond. By combing through source code, hackers can identify potential weak points, making it easier to craft malware that Microsoft likely won't bother defending its zombie OS against. Some reports indicate that the source code has circulated privately for some time now, which may blunt the impact of this wider release. Still, it's not an encouraging development for anyone who hasn't updated their PC in half a decade. The Tribune Publishing Company has weathered a rough few months and beyond, cutting budgets and jobs as the pandemic has ravaged an already at-risk newspaper industry. So employees were surprised to find an email in their inbox celebrating their new bonus of as much as $10,000. The problem? There was no bonus. It was a phishing test to see who would click. Tribune staff broadly decried the move; dangling a false promise of ready cash to people who have seen colleagues let go and may have been anxious about their own futures with the company is certainly one way to trial a phishing scam, but surely there were less cruel options. (Or maybe just give everyone a Yubikey next time?) The name Luxottica might be foreign to you, but you've surely heard of at least one of the brands under the eyewear monolith's umbrella: Oakley, Ray-Ban, LensCrafters, and dozens more. Last weekend, the company suffered a cyberattack that forced it to shut down its operations in Italy and China. As of Tuesday, according to a report from BleepingComputer, business was still very much not back to normal. It's just the latest in a trend of ransomware gangs going after "big game" targets that can afford payoffs in the millions of dollars. Speaking of which! Russian-speaking ransomware gangs typically don't target Russian businesses, in part because the lines between state-sponsored and for-profit hacking are so blurred.
But a group that researchers call OldGremlin has been targeting big businesses there. In fact, it's hitting banks, manufacturing, and other firms exclusively in Russia, according to security firm Group-IB. OldGremlin's methods aren't especially novel; they use spear-phishing attacks to plant a custom backdoor, which they in turn use to download malware to steal an administrator's credentials, and then deploy tailored ransomware. Nothing too crazy! But going after Russia so aggressively is certainly one way to stand out. Digital Trends via Wired https://ift.tt/2uc60ci September 26, 2020 at 08:06AM