Drupal users take cover—code-execution bug is being actively exploited [updated]

The risk this time is lower, but the threat is still real.

Malicious hackers wasted no time exploiting a critical bug in the Drupal content management system that allows them to execute malicious code on website servers. Just hours after maintainers of the open-source program disclosed the vulnerability, it came under active attack, they said.

So far, the attackers are using proof-of-concept attack code published online that shows one method of exploiting the critical flaw, Drupal maintainer Greg Knaddison told Ars. The code has not yet been automated in a way that can target large numbers of sites, in large part because successful exploits require permissions and configuration settings that differ from site to site. So far, Drupal maintainers aren't aware of any successful site take-overs resulting from the vulnerability.

"We have definitely seen proof of concept exploits published online," Knaddison wrote in an e-mail. "It's safe to assume that proof of concept (or others like it) are being used maliciously against individual sites by people who are willing to slowly attack a high value target. It's not yet automated in a way that would let an attacker try it against hundreds of sites."

LG G7 ThinQ will have a ridiculously bright (and high-res) display

LG isn’t going to officially unveil its next smartphone until May 2nd, but we already have a pretty good idea of what the LG G7 ThinQ will look like, thanks to Evan Blass. Now LG is also highlighting one of the phone’s special features: the display. The LG G7 ThinQ will feature a 6.1 inch, […]

The post LG G7 ThinQ will have a ridiculously bright (and high-res) display appeared first on Liliputing.

A fan-made Halo PC patch meets Microsoft’s legal muscle—and apparently survives

Lawyers arrive after Halo Online “El Dewrito” patch explodes—but no C&D yet.

Want to play the canceled Halo Online project on your PC? Go through the right hoops, and you can still do so, even in spite of Microsoft's legal action this week. (credit: Microsoft / El Dewrito)

On Tuesday, Microsoft's Halo development studio 343 Industries posted about a fan-made modification to a PC version of the series—and the studio said that Microsoft would "protect its Halo intellectual property." This, for all intents and purposes, sounded like yet another story of a fan-made game-tribute project facing a swift, legal smackdown.

But the story of the ElDewrito patch, designed for 2015's Russia-only game Halo Online, appears to be a little more nuanced, if not complicated. The ElDewrito version of Halo Online is still online and functioning, with thousands of players matchmaking in its wholly free online multiplayer lobbies as of press time. Its GitHub repository is still online, which means the open source patch can still be downloaded. And the patch builders' official blog says the team did not receive a formal cease-and-desist order from either Microsoft or 343 Industries.

The result is fascinating: a solid, Windows-compatible version of classic Halo 3 combat is in the wild. Now Microsoft's required legal action is being announced alongside an apparent intent to do what the modders were already doing—to finally get more classic Halo games working for PC gamers.

Behind the scenes with the hackers who unlocked the Nintendo Switch

“The best way to get a chip security audited is to put it in a game console”

For end users, Monday's public disclosure of the Fusée Gelée exploit will make it relatively simple to run arbitrary code on the Nintendo Switch and other Nvidia Tegra X1-based hardware. For Kate Temkin and the hackers at Team ReSwitched, though, discovering and publicizing the exploit was full of technical and ethical difficulties.

ReSwitched's work on the Switch began last year, Temkin tells Ars, with an engineer going by the handle Hedgeberg working on "voltage glitching, a technique where we very, very briefly momentarily deprived the processor of power in order to make it misbehave. On Tegra X1 processors, if you precisely time that power 'glitch,' you can actually bypass the point where the system 'locks' the bootROM—effectively bypassing the mechanism that keeps the bootROM code secret."

By October, the team had used this method to extract a copy of that secretive bootROM, and by January, Temkin says she was spending weeks reverse-engineering and documenting that code. That process "involves comparing views of machine code we'd extracted to Nvidia's technical documentation and gradually inferring what the code was intended to do," Temkin said.

Deals of the Day (4-25-2018)

Amazon’s new Kids Edition Echo Dot sells for $80 and ships May 9th. But Amazon is running a series of bundle deals that lets you save money on its new kid-friendly (and parent-friendly) smart speaker. Pick up 2 Echo Dot Kids Edition devices and you can save $30. Buy one along with an Amazon Fire […]

The post Deals of the Day (4-25-2018) appeared first on Liliputing.

Schellenberger Wald: Unitymedia builds fiber in Essen district

Cable network operators are expanding their networks too. Unitymedia is connecting an underserved district of Essen, in the middle of the city forest, with FTTB (Fiber To The Building). (Unitymedia, Fiber optics)

Mysterious Amazon.com page hints at forthcoming Fire TV Cube

After months of device rumors swirling, we still don’t know exactly what it is.

Signs point to the rumored Amazon Fire TV Cube being a real device that may debut soon. AFTVNews first spotted a new page on Amazon.com that promotes the device with the slogan, "What is Fire TV Cube?" The page provides no other details about the device, but it allows those interested to sign up to receive more information as it becomes available.

Last September, AFTVNews also first leaked images of what we now refer to as the rumored Fire TV Cube. The renders make it look like a cube-version of an Echo Dot, with mute, action, and volume buttons on the top and edges covered with strips of blue light. As part of the Fire TV family, the Cube could be a set-top box of sorts that lets users stream video, music, and other content provided by Amazon and the Fire TV platform.

Amazon still sells the Fire TV stick and released the new Fire TV with 4K HDR support shortly after the image of the Fire TV Cube leaked (those leaks incidentally also included a render of the new Fire TV with 4K HDR). All Fire TV devices can make use of Amazon's Alexa, but they need an Echo device or a compatible remote to do so. The Fire TV Cube is rumored to eliminate the need for the Echo device or the remote by having Alexa built in, which would cement its existence as a streaming-capable, Echo Dot-like hybrid device.

Gmail.com’s massive redesign launches today

An all-new design, side-panel apps, and snoozing come to Gmail.

Today, Google is making the biggest changes to Gmail since 2011. The huge redesign that leaked earlier this month is finally going live, and all the features in that leak have been confirmed by Google. Gmail is getting a new design that seems to align with our theorized "Material Design 2" design principles. A pane on the right side shows in-line interfaces for Google Calendar, Google Keep, and Google Tasks. In the future you'll be able to send "Confidential" emails that expire at a set time or can be unsent at any time. Gmail now also has features from Google Inbox like snoozing emails and computer generated Smart Replies.

Google is picking today as the announcement and launch day, but Google's painfully slow rollouts mean you won't necessarily have access to the new Gmail immediately. When the Gmail upgrade comes to your account, you'll be able to click on the gear and select "try the new Gmail." For a personal account, this will just happen at some point in the future; GSuite users will need their admins to enable the opt-in message. If you're not a fan of the new design, you can return to the old 2011 Gmail at any time through the gear menu.

Verizon says Yahoo users must waive class action rights—or stop using Yahoo

Yahoo, facing data breach lawsuits, starts enforcing mandatory arbitration.

A sign outside a Yahoo corporate building in Los Angeles. (credit: Getty Images | FG/Bauer-Griffin)

Verizon is forcing users of Yahoo services to waive their class action rights and agree to resolve disputes through arbitration. Yahoo users who don't agree to the new terms will be cut off from the services, though Verizon hasn't said exactly when the cutoff date will happen.

The change happens as Verizon fights lawsuits related to a 2013 data breach that affected all three billion Yahoo accounts. The company could try to use the new class action waiver to fight such lawsuits after any future incidents.

Verizon completed its $4.48 billion acquisition of Yahoo's operating business in June 2017, and the company formed a new subsidiary called "Oath" that combines Yahoo and the Verizon-owned AOL.

IT jobs: More women are studying computer science

In 2016, the share of women rose somewhat more strongly than the total number of first-semester computer science students. But for many that is still not enough: children should be inspired as early as possible and girls should receive particular support, Bitkom demands. (University studies, Study)