Month: February 2019

Enlarge (credit: Getty Images | Justin Sullivan)

Microsoft’s Patch Tuesday this month had higher-than-usual stakes with fixes for a zero-day Internet Explorer vulnerability under active exploit and an Exchange Server flaw that was disclosed last month with proof-of-concept code.

The IE vulnerability, Microsoft said, allows attackers to test whether one or more files are stored on disks of vulnerable PCs. Attackers first must lure targets to a malicious site. Microsoft, without elaborating, said it has detected active exploits against the vulnerability, which is indexed as CVE-2019-0676 and affects IE version 10 or 11 running on all supported versions of Windows. The flaw was discovered by members of Google’s Project Zero vulnerability research team.

Microsoft also patched Exchange against a vulnerability that allowed remote attackers with little more than an unprivileged mailbox account to gain administrative control over the server. Dubbed PrivExchange, CVE-2019-0686 was publicly disclosed last month, along with proof-of-concept code that exploited it. In Tuesday’s advisory, Microsoft officials said they haven’t seen active exploits yet, but that they were “likely.”

Enlarge / A central location from the Blackout map in Call of Duty: Black Ops IIII. (credit: Activision)

Game publisher Activision-Blizzard will lay off 8 percent of its work force, or around 775 people, CEO Bobby Kotick announced on the company's earnings call today. The move is being made in an effort at "de-prioritizing initiatives that are not meeting expectations and reducing certain non-development and administrative-related costs across the business," Kotick explained.

The layoffs, which will mostly be in non-game-development areas like publishing, will impact Activision, Blizzard, and King. In one case, an entire studio of 78 people was shut down—Seattle-based mobile game studio Z2Live. This is in spite of Kotick saying that the company achieved "record results in 2018." Activision made a statement about exceeding its expectations, but other market-watchers clearly had higher numbers in mind.

The implication is that the positive results reported came thanks to a fairly narrow bench of franchises, with many of the company's efforts outside those franchises not meeting expectations.

In a bid to cut the number of coding errors made in its Firefox browser, Mozilla is deploying Clever-Commit, a machine-learning-driven coding assistant developed in conjunction with game developer Ubisoft.

Clever-Commit analyzes code changes as developers commit them to the Firefox codebase. It compares them to all the code it has seen before to see if they look similar to code that the system knows to be buggy. If the assistant thinks that a commit looks suspicious, it warns the developer. Presuming its analysis is correct, it means that the bug can be fixed before it gets committed into the source repository. Clever-Commit can even suggest fixes for the bugs that it finds. Initially, Mozilla plans to use Clever-Commit during code reviews, and in time this will expand to other phases of development, too. It works with all three of the languages that Mozilla uses for Firefox: C++, JavaScript, and Rust.

The tool builds on work by Ubisoft La Forge, Ubisoft's research lab. Last year, Ubisoft presented the Commit-Assistant, based on research called CLEVER, a system for finding bugs and suggesting fixes. That system found some 60-70 percent of buggy commits, though it also had a false positive rate of 30 percent. Even though this false positive rate is quite high, users of this system nonetheless felt that it was worthwhile, thanks to the time saved when it did correctly identify a bug.

Intel Skylake die shot. (credit: Intel)

Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks.

The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.

SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with.

Enlarge (credit: TechBargains)

Greetings, Arsians! Courtesy of our friends at TechBargains, we have another round of deals to share. Today's list is absolutely packed with solid discounts but is headlined by a number of deals on various Apple devices, including iPads, Apple Watches, and MacBooks.

This may not come as a huge surprise given that Apple is expected to introduce new hardware sometime in the next few months, but the deals encompass the most recent iterations of the 9.7-inch iPad, the 10.5-inch iPad Pro and Apple Watch Series 3 released in 2017, the 256GB variant of the latest MacBook Air, and the company's HomePod speaker.

Some of the discounts bring these devices close to their all-time lows: the 32GB iPad is currently down to $249, which matches its Black Friday pricing, while the 128GB model is down to $330, which also matches its going rate during the holidays. The 64GB 10.5-inch iPad Pro—which is probably best viewed as a premium iPad than a true laptop replacement—is $150 off, while the 42mm Apple Watch Series 3—which doesn't have the big display of the newer Series 4 but is still a great entry point to smartwatches—is down by $80.

Enlarge (credit: Getty Images | wdstock)

Pennsylvania's attorney general has sued Verizon, alleging that the company promised free Amazon Echo devices and Amazon Prime subscriptions to new customers but failed to deliver the items after customers enrolled in two-year contracts.

Verizon promised the incentives to customers who signed up for two-year FiOS deals between November 2018 and January 2019, the lawsuit said. Customers were given 60 days to claim their incentives, but certain customers were unable to do so because of a broken hyperlink, the complaint said.

"Verizon failed to provide certain consumers with their free Echo and/or Amazon Prime membership as promised and created an unreasonably burdensome process to claim the free Echo and/or Amazon Prime membership," the complaint alleges.