Researchers found a few vulnerabilities affecting TPM 2.0 that, if exploited, could put device security at risk and expose sensitive data. An adversary could exploit the flaws to gain elevated privileges and execute malicious functions such as manipulating cryptographic keys.
TPM 2.0 Vulnerabilities Risked Security
Researchers Francisco Falcon and Ivan Arce from Quarkslab discovered two severe vulnerabilities in the Trusted Platform Module (TPM) 2.0.
TPM is a tamper-resistant hardware security measure that lets operating systems ensure security via cryptographic keys. While numerous TPM iterations exist and power various devices, TPM 2.0 became much more popular after Microsoft made it a requirement for devices to run Windows 11 – the latest version.
Although TPM 2.0 is relatively new, it supports billions of the latest computers. That means any vulnerabilities here directly impact the security of those devices.
According to the CERT Coordination Center (CERT/CC) advisory, the two vulnerabilities that the researchers found include,
CVE-2023-1017 – an out-of-bounds write vulnerability in the CryptParameterDecryption routine that would enable an attacker to write 2 bytes of data past the end of the TPM 2.0 command. Exploiting this vulnerability could allow triggering DoS and code execution.
CVE-2023-1018 – an out-of-bounds read flaw in the CryptParameterDecryption routine, allowing a read of 2 bytes of data past the end of the TPM 2.0 command, eventually exposing sensitive data.
Regarding the impact of these vulnerabilities, the TPM developer, Trusted Computing Group (TCG), also confirmed that exploiting the bugs could allow information disclosure and privilege escalation.
Vulnerabilities Patched
Following this discovery, the researchers reported the matter to the CERT Coordination Center (CERT/CC) and TCG, who then communicated the issue to the TPM vendors.
Despite the prompt bug report, only a few vendors have so far acknowledged the impact of these vulnerabilities.
From its end, TCG has released an update to their Errata for TPM2.0 Library Specification with the instructions for patching the vulnerabilities. Users must apply the relevant hardware and software security updates to receive the patches. OEMs and OS vendors may also need to upgrade the TPM chip firmware, alongside resetting the TPM to factory settings, to address the issues.
Sure, big updates and major features are always welcome. However, we can also appreciate the little changes to apps’ interfaces. Google is working on bringing new read icons to Google Messages, according to 9To5Google. This will replace the words with little icons.
When you’re using Google Messages, you’ll be able to see the status of the messages that you send. It will let you know when the message is sending, when it’s delivered, and when it’s been read. It’s a good way to keep up with the person you texted.
Google Messages will change the read message icons
This is going to be a small change to the app. Before the update, the app will tell you in words whether the message is sending, delivered, and read. However, after the update, it will show little icons.
When the message is sending, the icon will be a stopwatch, and it will turn into a circle and checkmark when it’s sent. When delivered, the icon will turn into two circles with checkmarks. Lastly, when the message is read, you’ll see those circles fill in.
This approach isn’t as straightforward as the words, but it’s an interesting change to the UI. This is still rolling out, so there’s a chance that you won’t see it just yet. You’ll still want to check for an update, however.
If you want to check for the update, you can search for Google Messages on the Google Play Store. You can also hold your finger on the Google Messages icon, and tap on the App Info icon (the “i” inside of the circle). On the resulting page, tap on the App Details button. This will take you to the Google Play page for the app.
There, check and see if there’s the green Update button. If you don’t see the button, then you’ll just want to wait a couple of days for the update to hit your phone.
All iPhone 15 models, both base and ‘Pro’ ones, will include a Dynamic Island. All of them will also offer a Type-C port. The base iPhone 15 models, however, won’t support ProMotion or offer the Always-On Display feature, it seems.
Base iPhone 15 units won’t get advanced displays or related features, like ProMotion
This was to be expected, and it refers to the iPhone 15 and iPhone 15 Plus. This comes from Naver, a South Korean publication. ProMotion, for those of you out of the loop, refers to the 120Hz panel. To be more accurate, to the 1-120Hz LTPO panel which debuted on the iPhone 14 Pro series.
The iPhone 13 Pro and Pro Max were the first iPhones to offer 120Hz displays, or as Apple refers to them, ProMotion. The iPhone 14 Pro and Pro Max, on the other hand, were the first to offer the AOD function, when it comes to Apple devices, of course.
Based on this report, neither of the two display functionalities will trickle down to base iPhone 15 models. The iPhone 15 Pro and iPhone 15 Pro Max, on the other hand, will offer them, of course.
The iPhone 15 & iPhone 15 Plus will probably utilize 60Hz panels
Apple will, almost certainly, stick with 60Hz displays on the iPhone 15 series. That is not something that the report mentioned, but it’s most likely what will happen. Even budget Android phones have 90Hz displays these days, but Apple doesn’t seem to care much about that. Granted, Apple does a great job of optimizing its 60Hz panels, and the vast majority of people getting those devices won’t care
All four or five iPhone 15 models will launch in September this year. Why 5? Well, the iPhone 15 Ultra is rumored to be either the fifth phone, or the ‘Pro Max’ with a different name. It remains to be seen if either of those rumors is accurate.
If you need me to explain YouTube to you, I’d be more interested in hearing your backstory first. Jokes aside — everyone knows Google’s video streaming platform nowadays, and most people use it as creators or viewers. We’re on there too!
Last year, though, YouTube challenged its influencers’ patience with the introduction of a controversial set of community guidelines. They were so rough on creators that even occasional f-bomb slip-ups could lead to a video getting completely demonetized. Just in case — that means that the user who uploaded the video wouldn’t be able to make money off it.
Today, however, the Big G made an announcement through its blog — and this is where we hear the collective sigh of relief — that they are rolling back some of the harsh regulations. More importantly, in its own words, Google stated that “moderate profanity” is now allowed.
While it is possible to abuse such a set of rules, most creators are just happy to not be on constant self-monitoring.
In typical Google fashion, while this is great news, it doesn’t help much when trying to figure out what “moderate” profanity precisely means, but at least they give us specific rules regarding the f-word. For example, creators aren’t allowed to use it in the first seven seconds of the video or excessively throughout the content, but a casual mention here and there should be fine.
Wow, that explanation is incredibly absurd, but hey — this is people’s earnings we’re talking about.
These new rules also extend to musical contents, meaning — lyrics, but the platform will still not allow users to utilize profanity in their thumbnails or titles. And that, we feel, is for the better. After all, modern day street-talk is one thing, but providing visual examples feels like a bit too much.
Excessive usage of negatively impactful language will, ultimately, still be penalized by the system through demonetization. The same is expected to happen to videos that fit the above-mentioned criteria on the visual side of things. And that was your daily sample of the theoretical self-talk that the Google-bot does when it scours the platform for profanity.
But what does all of this mean for you, the end-user and consumer of this theoretical risky video content? Well, you’re about to hear a lot fewer bleeps and more real talk from your favorite creators. While we can’t say if that is good or bad, we’re happy to see that YouTube won’t be taking away their money for minor, casual mishaps.
Cybersecurity researchers at Morphisec have recently found a new information stealer called “SYS01stealer.” This stealer primarily targets entities from the following critical infrastructures:
Infrastructure employees
Manufacturing companies
Other critical sectors
The Morphisec intelligence team has been tracking this advanced information stealer since November 2022. As part of this campaign, the threat actors are using Google ads and bogus Facebook profiles to target Facebook business accounts and advertise things such as:
Games
Adult content
Cracked software
Movies/Series
In this way, they lure victims into downloading malicious files. The attack is intended to steal sensitive information, including the following:
Login data
Cookies
Facebook ad account information
Facebook business account information
It was initially believed that the campaign was linked to the Ducktail cybercrime operation, which was financially motivated.
Hackers Using Facebook Ads
To begin the attack, a fake Facebook profile or advertisement is used to lure victims into clicking on a URL. Clicking on this URL makes the victim download a ZIP file that is supposed to contain one of the following items:
Application
Game
Movie/Series
The complete infection chain is divided into two parts:
The loader
The Inno-Setup installer
Loaders are normally legitimate C# applications that are vulnerable to DLL side-loading. A malicious DLL file is hidden with the application and is eventually side-loaded to start the infection.
It was found that Western Digital’s WDSyncService.exe and Garmin’s ElevatedInstaller.exe were some of the applications that were exploited to side-load the malicious DLL file.
Apart from this, Python- and Rust-based intermediate executables are sometimes deployed through the side-loaded DLL.
Whatever approach is taken, every path ends with the delivery of an installer. SYS01stealer itself is PHP-based malware that this installer drops and executes.
Browsers Affected
The stealer stealthily harvests Facebook cookies from web browsers built on Chromium, the most popular browser base. The Chromium-based browsers include:
Google Chrome
Microsoft Edge
Brave
Opera
Vivaldi
As a result, all of the victim’s Facebook information is transferred to a remote server, and arbitrary files are downloaded and executed.
In addition to this, it has the following capabilities:
Connect the infected host to the C2 server and upload files.
Follow the commands and instructions provided by the server.
Update itself as soon as a new version is released.
Recommendation
DLL side-loading is an extremely effective technique for tricking Windows systems into loading malicious code. When an application loads a DLL by name, Windows looks through a sequence of directories in a fixed search order; if a malicious file with the expected name sits earlier in that order than the legitimate one (for example, in the application’s own directory), the malicious file is loaded in preference to the legitimate file.
This allows threat actors to execute malicious payloads by hijacking legitimate, trusted applications.
It is important to implement a zero-trust policy and limit the user’s rights when it comes to downloading and installing programs in order to help prevent the SYS01 stealer.
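The side-loading pattern described above can be hunted for in image-load telemetry. The following is an added example, not code from Morphisec or from this article: it flags a trusted executable running from a user-writable location that loads an unsigned DLL from its own directory. The event records are constructed samples shaped loosely like Sysmon image-load events (Image, ImageLoaded, Signed); the directory roots and DLL names are assumptions.

```python
import ntpath

# Host executables the article names as abused for side-loading.
ABUSED_HOSTS = {"wdsyncservice.exe", "elevatedinstaller.exe"}

# Assumption: directories where legitimately installed software normally lives.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Constructed sample events (not real telemetry); DLL names are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Game_Setup\WDSyncService.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Game_Setup\example_dep.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\ExampleVendor\Sync\WDSyncService.exe",
     "ImageLoaded": r"C:\Program Files\ExampleVendor\Sync\example_dep.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\x\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\bob\Desktop\Movie\ElevatedInstaller.exe",
     "ImageLoaded": r"C:\Users\bob\Desktop\Movie\example_helper.dll",
     "Signed": "false"},
]


def normalize(path):
    """Windows paths are case-insensitive; compare them lower-cased and normalized."""
    return ntpath.normpath(path).lower()


def assess(event):
    """Return the list of side-loading indicators present in one image-load event."""
    image = normalize(event["Image"])
    loaded = normalize(event["ImageLoaded"])
    # The pattern requires the DLL to come from the application's own directory.
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return []
    reasons = ["dll_beside_executable"]
    if event.get("Signed", "false").lower() != "true":
        reasons.append("unsigned_dll")
    if not image.startswith(EXPECTED_ROOTS):
        reasons.append("user_writable_location")
    if ntpath.basename(image) in ABUSED_HOSTS:
        reasons.append("host_named_in_report")
    return reasons


def find_sideload_candidates(events):
    """Flag events where an unsigned DLL is loaded beside an executable
    that runs outside the expected installation directories."""
    findings = []
    for event in events:
        reasons = assess(event)
        if "unsigned_dll" in reasons and "user_writable_location" in reasons:
            findings.append({"image": normalize(event["Image"]),
                             "dll": normalize(event["ImageLoaded"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_sideload_candidates(SAMPLE_EVENTS):
        print(finding["image"], "<-", finding["dll"], finding["reasons"])
```

The same host executable installed under Program Files with a signed DLL is not flagged, which keeps the rule focused on copies unpacked from a downloaded archive.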
It’s been a little while since Ring introduced a new video doorbell, and now we finally have a new one. The Ring Battery Doorbell Plus. So as you can tell, this is not a wired-only doorbell, so this one’s going to cost a bit more. It does launch at $179. Similar to its other battery doorbells.
This is the next-generation video doorbell for Ring. Which is also the first to include a 150-degree by 150-degree field-of-view. That’s going to allow you to have a head-to-toe view of all of your visitors. That includes pets and kids, all the way up to adults. The expanded view does also help with Package Alerts, and makes them more useful. Keep in mind that Package Alerts is included in the Ring Protect plan only.
The resolution here has been upgraded as well, now sitting at 1536p. The weird resolution is due to the camera’s view basically being a square. But this is the highest resolution of any Ring Video Doorbell to date.
It has all the usual Ring doorbell features you’d expect
In addition to the wider field-of-view and higher resolution, the new Battery Doorbell Plus does have all of the features you’d expect from Ring. Like Advanced Motion Detection, Privacy Zones, Quick Replies, Live View and Two-Way Talk among other things. So if you’re already a Ring Video Doorbell user, you’re going to love this one.
With the Ring Protect plan, you’ll be able to get even more out of this doorbell. Including video recordings being stored for up to 30 days. Which is a really nice feature to have.
The Ring Battery Doorbell Plus is going to go up for pre-orders starting today. They will start shipping on April 5, 2023. The price is set at $179 and it’s available on Ring and Amazon’s websites. The price might sound steep, but it is the same price as its previous non-Pro doorbells started out at.
ChatGPT is redefining what AI can do, bringing us closer to what we see in the movies. It’s certainly shaken up the tech industry, and we all feel that it’s yet to tap its full potential. However, as powerful as it is, there are things that ChatGPT can’t do.
It has its limitations, and they include things that it’s not powerful enough to do. They also include things that OpenAI intentionally restricts it from doing. If you’re wondering what types of queries you want to avoid putting into ChatGPT, then here’s a useful rundown.
This will showcase things that ChatGPT will tell you that it can’t do as per its programming. Also, it will include things that, while it technically can do, you’ll want to avoid because the technology just isn’t there yet.
What is ChatGPT?
So, let’s start off with what we’re all talking about. ChatGPT was developed by the company called OpenAI. This is the company that brought us DALL-E, the powerful AI image generator.
ChatGPT is a powerful AI chatbot. Think of it as a human being that you can ask questions and get answers at will. Just type in an inquiry like “How do I wash my dog?” or “How long is the Great Wall of China?”, and you’ll get clear and concise answers.
ChatGPT doesn’t stop there, as it can also produce written content. This is where a lot of controversy surrounding this chatbot comes from. You can ask it to write content like stories, essays, articles, poems, scripts, speeches, eulogies, computer code, etc. It has even authored full novels. Of course, we don’t recommend doing that for several ethical reasons, but ChatGPT has the power to do it.
Also, if you want to use this chatbot to just chat, you can do that. ChatGPT can actually emulate a one-on-one human conversation. It will respond to your messages as though there’s another person on the other side. So, if you’re feeling down and there’s no one around to talk to, you can spark up a conversation.
So, ChatGPT is a powerful chatbot. The sky’s the limit, indeed; however, there’s still a limit. It’s important to know what these limitations are before you start your journey.
Sensitive content
There are certain topics that ChatGPT just can’t tackle. This isn’t for a lack of AI prowess. Rather, there are just things that OpenAI stops ChatGPT from answering. Let’s start off with the most obvious ones. If your inquiry has anything to do with sex, you’ll get an error message.
So, you’ll want to be careful about what type of questions you ask. You want to avoid having the characters do any sort of explicit action involving sex. One thing to note: if you want your characters to be romantic, you can use the words “romantic encounter”. I didn’t get an error message using those words.
The same thing goes for violence. You’ll want to avoid generating content that deals with murder, fighting, war, etc.
Offensive content
Next on the list, since OpenAI wants to create a chatbot that’s wholesome for everyone, offensive content is prohibited. The chatbot will block generating anything that deals with topics such as racism, homophobia, or anything else you’d get banned on social media for.
Information after 2021
At the time of writing this, ChatGPT’s knowledge is limited to events up until 2021. This means that if you ask for information about anything after that, you’ll get inaccurate information. You most likely won’t get a message stating so.
Instead, the chatbot will use the information in the inquiry and cross-check it with the information that it already knows. We asked it to summarize an article about a speaker from the London-based tech company Nothing. The article had mentions of the Nothing Ear (1), Nothing Phone (1), and the Nothing Ear (Stick). The thing is that the latter two didn’t exist until sometime in 2022.
So, ChatGPT erroneously made the Nothing Ear (1) the focus of the summary rather than the speaker. Just be certain that whatever you’re asking doesn’t have to do with anything after 2021.
Summarize articles properly
This next thing isn’t something that the company restricts ChatGPT from doing. This is something that it can’t do properly just yet. Of all the things that we tested ChatGPT on, summarizing articles yielded some of the most error-ridden responses.
You have the ability to paste the link to an article and say “Summarize this”. Then, it will give you a short and sweet summary of it. The thing is that you’ll see all sorts of mistakes in the response.
For example, we fed it a review of an article about a 720p projector, but in the response, it said that it was 1080p. I fed it an article about a phone with a 5.7-inch display, and it said that it was 6 inches. There were tons of little inaccurate facts added to the summaries.
What’s interesting about this is the fact that ChatGPT actually adds information not present in the actual article. Circling back to the article about the Nothing Speaker, it said that Nothing was a company started by Carl Pei. However, the article itself didn’t have any mention of Carl Pei. This means that ChatGPT pulled from its database of information.
This could mean that the company is still working on ChatGPT’s ability to do this.
Write a full app
This is something that definitely needs clearing up. When ChatGPT first started gaining notoriety, people discovered that it could actually write code. That’s true; you can ask it something like “Write me code for an app that tells time”.
However, you cannot use it to write an entire app. You’ll get an example of code in Python that you can insert into your app. Sorry folks, ChatGPT is not going to design your next great app.
Give advice on prescription medication
It seems weird that a person would want to do this, but we need to cover all of our bases. You can get some basic medical advice from ChatGPT like over-the-counter medication recommendations. However, you won’t be able to ask it for suggestions for prescription medication. It will tell you that it can’t do that, and suggest that you talk to a professional.
Hopefully, this didn’t discourage you from using ChatGPT. If you want to try it out, check the link below.
Ah, TikTok. The billion-user platform is constantly stirring up drama, not only on a social media level, but on a political scale as well. Numerous politicians from all around the globe are convinced that the app is dangerous, and as such there are many movements to get the application banned completely. Despite TikTok’s attempts to provide the required transparency or its continuous stance of innocence, the US is still on its trail. This time in the form of a new bill, cleverly titled RESTRICT. Like all cool operations or bills, this one is an acronym too. It stands for:
Restricting the Emergence of Security Threats that Risk Information and Communications Technology
The bill has bipartisan support and aims to empower the Commerce Department, instead of the President, to basically ban foreign applications. The clever twist? The bill doesn’t even mention TikTok specifically.
It knows you like cats. But what else may the platform know about you?
The bill is about to be put into consideration to become a valid US law. If that were to become true, it would effectively create a brand new federal network. Its sole purpose would be to evaluate and — if necessary — punish foreign companies, which have been determined as “high risk”. Or, to simplify: this bill won’t target a specific app, but a given type of apps. It would offer not only instant results, but also aims to be future-proof in the form of continuous protection. And that would happen through a bestowed authority to compel Google and Apple to remove the app from their respective app stores.
While TikTok hasn’t commented on this specific occurrence, the company’s stance hasn’t really changed throughout the numerous challenges it has had to face. The platform is trying to stay afloat through compliance and transparency, which deserves merit, so it will be interesting to see how all things will play out in the end.
A researcher highlighted a vulnerability in Snapchat that could allow a remote attacker to delete a target user’s Spotlight content. Snapchat patched the flaw following the bug report, rewarding the researcher with a hefty bounty.
Snapchat Vulnerability Deleting Content Spotlight
According to a bug report from Sahil Saxena, a severe vulnerability risked the security of Snapchat users’ Spotlight content. Saxena noticed that he could delete any target user’s Spotlight video remotely without requiring the user’s account credentials.
Spotlight is an attractive video feature that Snapchat offers for its content creators to maximize viewability. This feature also facilitates the creators in generating money, which means any vulnerabilities affecting it could also indirectly impact their income.
As described, the researcher observed the issue when intercepting Snapchat posts and attempting to delete a post. He noticed the issue with a specific parameter ID in the post delete request, which he could change to delete any other user’s Spotlight content.
Explaining the PoC, he stated,
In delete request there is parameter of id {"operationName":"DeleteStorySnaps","variables":{"ids":["███████"],"storyType":"SPOTLIGHT_STORY"},"query":"mutation DeleteStorySnaps($ids: [String!]!, $storyType: StoryType!) {\n deleteStorySnaps(ids: $ids, storyType: $storyType)\n}\n"} You just have to change this id parameter. You can easily get the id parameter. Now forward the request after replacing id with someone else’s video id.
Alongside a privacy breach and damage to the victim’s content, such an exploit could also impact the user financially. That’s because deleted Spotlight content becomes ineligible for Snapchat’s crystal awards – the platform’s payment mode.
Snapchat Fixed The Bug
After discovering this vulnerability, the researcher reported the matter to Snapchat via their HackerOne bug bounty program. The platform officials triaged the bug promptly, assuring an internal review.
Then, within less than a week, Snapchat confirmed patching the vulnerability, which the researcher also tested and confirmed. He validated the fix, which returned an error upon trying to change the parameter ID and sending a request.
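The class of flaw described here is a missing object-level authorization check: the server acted on whatever ids the client supplied. The following is an added example, not Snapchat's code; the in-memory store, user names, snap ids and function names are all hypothetical, and it only illustrates the flawed pattern beside a handler that ties every id to the authenticated session before deleting anything.

```python
def make_store():
    """Constructed sample data: snap id -> record. All names are hypothetical."""
    return {
        "snap-a1": {"owner": "alice", "story_type": "SPOTLIGHT_STORY"},
        "snap-a2": {"owner": "alice", "story_type": "SPOTLIGHT_STORY"},
        "snap-m1": {"owner": "mallory", "story_type": "SPOTLIGHT_STORY"},
    }


def delete_unchecked(store, session_user, ids, story_type):
    """Flawed pattern: the client-supplied ids are trusted and
    session_user is never consulted."""
    deleted = 0
    for snap_id in dict.fromkeys(ids):  # de-duplicate, keep order
        if store.pop(snap_id, None) is not None:
            deleted += 1
    return {"deleted": deleted, "error": None}


def delete_checked(store, session_user, ids, story_type):
    """Hardened pattern: authorize every id against the authenticated
    session first, then delete; the request is all-or-nothing."""
    unique_ids = list(dict.fromkeys(ids))
    for snap_id in unique_ids:
        record = store.get(snap_id)
        # Unknown ids and ids owned by someone else get the same answer,
        # so the response does not reveal which ids exist.
        if (record is None
                or record["owner"] != session_user
                or record["story_type"] != story_type):
            return {"deleted": 0, "error": "FORBIDDEN"}
    for snap_id in unique_ids:
        del store[snap_id]
    return {"deleted": len(unique_ids), "error": None}


if __name__ == "__main__":
    store = make_store()
    print(delete_unchecked(store, "mallory", ["snap-a1"], "SPOTLIGHT_STORY"))
    store = make_store()
    print(delete_checked(store, "mallory", ["snap-a1"], "SPOTLIGHT_STORY"))
    print(delete_checked(store, "mallory", ["snap-m1"], "SPOTLIGHT_STORY"))
```

Checking all ids before deleting any matters for batch operations: a request that mixes the caller's own id with someone else's must not be partially applied.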
After holding the vulnerability report for some time to ensure further fixes, Snapchat has recently disclosed the bug report to the public.
Besides patching the vulnerability, Snapchat rewarded the researcher with a hefty $15,000 bounty.
A rather important piece of the OnePlus 11 Concept may be used in a future product. We are talking about the phone’s liquid cooling which was basically the main attraction when it comes to that concept phone.
An important piece of the OnePlus 11 Concept may be used in a future product
Max Jambor, a well-known tipster, kind of suggested OnePlus may implement that cooling into a product you’ll be able to buy. He did not flat-out confirm it, but said the following: “What if I told you OnePlus plans on bringing the liquid cooling from OnePlus 11 Concept into a real purchasable device?”
Needless to say, this kind of points in that direction. That phone includes the so-called ‘Active CryoFlux’ tech. That liquid cooling system can keep the phone cooler during gaming, charging, and so on.
OnePlus also included a semi-transparent back on the OnePlus 11 Concept. That way, you can actually see that cooling liquid and tubes on the back. That made the phone look really nice, and attracted quite a few eyes.
If OnePlus ends up doing it, we do hope it’ll be a similar implementation, with a see-through back
If OnePlus does end up including this cooling in an actual product, it would be nice if it went about it the same way as it did here. In other words, it would be nice to have such a nice visual representation on the back.
Now, don’t get your hopes up. Max may be right, and OnePlus may be planning to do it. That doesn’t mean it’s actually going to happen. Even if it does, the product OnePlus announces probably won’t be as flashy as the OnePlus 11 Concept, but we’ll see.
The company is expected to announce a number of phones this year still. Its first foldable smartphone is coming, and the same goes for the OnePlus Nord 3, and the OnePlus 11T, to name a few.
It remains to be seen if ‘Active CryoFlux’ cooling will be included in one of the phones this year. Or, perhaps that may be a plan for a device down the line.