iPhone 15 Pro & Pro Max Shipping slips to Mid-October

0
[ad_1]

Today, pre-orders started for the entire iPhone 15 lineup. And if you missed out on the 8AM ET pre-order start time, well you’re going to be waiting some time for your new iPhone. As shipping times for the iPhone 15 Pro and Pro Max have already slipped to mid-October.

Looking at Apple’s website, it appears that the iPhone 15 Pro is now slated for October 4-9. While the iPhone 15 Pro Max is now slated for October 9-16. This likely means that there is either more demand for the Pro Max model, or Apple didn’t make as many as the regular Pro. Or, the more likely scenario, both.

Apple Stores will have some units on hand, during launch day

Next Friday is launch day for the new iPhone 15 Pro and Pro Max (and the regular and Plus models). And Apple will typically have a number of units available in-store for people to buy. Typically, they have each storage and color variant too. So if you did not get the model you wanted today, you can wait til Friday and head to your local Apple Store and hope for some good luck.

Remember, that you’ll need to get their early to do this. And Apple Stores typically open earlier on iPhone launch day, as it is their busiest day of the year. Most stores will open around 8:30AM on Friday, September 22.

The iPhone 15 Pro Max has the biggest changes of all four models this year, so it makes sense that it is seeing more demand than the others. Not to mention the battery issues we’ve all see on the 14 series this past year. A lot of people – myself included – are opting for the bigger model, to get the best battery life possible. Hopefully you got your pre-order in before the shipping dates slipped to next month. The carriers might still have some available for launch day.

Screenshot 2023 09 15 at 9 49 39 AM


[ad_2]
Source link

8 XSS Vulnerabilities Allow Attackers to Deliver Malicious Payloads

0
[ad_1]

Azure HDInsight has been identified with multiple Cross-Site Scripting – XSS vulnerabilities related to Stored XSS and Reflected XSS. The severity for these vulnerabilities ranges between 4.5 (Medium) and 4.6 (Medium). 

These vulnerabilities have affected multiple products, including Azure Apache Oozie, Apache Ambari, Jupyter Notebooks, Apache Hadoop, and Apache Hive 2. However, Microsoft fixed these vulnerabilities on their 8th August Security update.

Stored XSS

As per the reports shared with Cyber Security News, 6 Stored XSS vulnerabilities and 2 Reflected XSS vulnerabilities were discovered, of which 4 of the Stored XSS vulnerabilities existed on the Apache Ambari. 

These vulnerabilities were related to YARN Configurations, YARN Queue Manager, Background Operations, and Managed Notifications. All of these vulnerabilities are categorized under CVE-2023-36881.

The other two Stored XSS existed on the Jupyter Notebooks and Apache Woozie, categorized under CVE-2023-35394 and CVE-2023-36877, respectively.

CVE-2023-35394 was related to a Code Execution in the Jupyter Notebooks and had a severity of 4.6 (Medium), whereas CVE-2023-36877 was related to a Web Console Stored XSS and had a severity of 4.5 (Medium).

Document
Get a Demo

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Reflected XSS 

Furthermore, the two reflected XSS vulnerabilities on the Apache Hadoop and Apache Hive 2 and have been categorized under CVE-2023-38188 and CVE-2023-35393. Both vulnerabilities had a severity of 4.5 (Medium) and can be triggered via endpoint manipulation. 

The list of the vulnerabilities mentioned, their severity, and CVE ID can be found in the following table.

Orca Security has published a complete report, providing detailed information about the exploitation, proof-of-concept, and other information. Users of these products should upgrade to the latest version to prevent these vulnerabilities from getting exploited.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


[ad_2]
Source link

X Premium users can now hide their likes from the public

0
[ad_1]

Being an X Premium subscriber (or Twitter Blue for those who like the good old days) gives you several perks that regular users don’t have. Most of them add to the content that you show other people, but there’s a new one that does the opposite. According to Engadget, X Premium users will be able to hide their likes tab from the public.

Your X profile shows a bunch of information about you, and most people don’t really realize that. It’s easy to forget that the posts you like on the app show up in a feed on your profile. This is something anyone can see unless they’re blocked by you. That’s not really a bad thing, as it shows people what kind of posts brought you joy.

However, X Premium users can now hide their likes feed

Letting people see your liked posts is nice, but not everyone will think so. This is why people are able to hide their liked posts on their profiles. This feature is now available to the public, so X Premium users should already be able to see the feature. If you don’t see it yet, then you might want to wait a day or two. It could take a bit of time for the update to make it to you.

The ethical issue with this

So, this feature seems pretty innocuous. It can help people who liked embarrassing posts in the past. Maybe you liked some silly or cringy posts in the past, and you just don’t want them showing up for people now. Or, maybe you frequent the, let’s just say, “spicier” side of the app, and you don’t want others to know that you like that kind of content, you can hide that fact.

This is a useful feature to cover up the past if you’re embarrassed about what you liked. However, and this was a point brought up by Engadget, this also gives people the ability to cover up hurtful or inappropriate posts in the past. Maybe they liked some posts from someone who’s not fond of Jewish people or from someone who’s a little too fond of children.

This feature could give people a quick way to cover up any horrible posts that they liked in the past. It’s just something to think about.


[ad_2]
Source link

iPhone 15 Pro’s Action Button will get Translate app support

0
[ad_1]

One of the biggest changes Apple announced with the iPhone 15 Pro, hardware-wise, is the Action Button. That button replaces the mute switch present in basically every other iPhone other than the iPhone 15 Pro family. Having said that, the Action Button is customizable, but it doesn’t support the Translate app.

The iPhone 15 Pro’s Action Button will get Translate app support later this year

Well, that will change. Apple has confirmed as much on its website. In the fine print, it says that the Translate option will become available later this year. That was spotted by MacRumors.

Out of the box, you’ll be able to choose between 8 options. Those options are: Ring/Silent, Focus, Camera, Flashlight, Voice Memos, Magnifier, Shortcuts, and Accessibility.

Now, considering that the Shortcuts app is listed here, you can basically program that button to open anything on the phone. It will require you to jump through some hoops, but it’s doable. Do note that you’ll need to press and hold the button to make it do anything.

The Action Button sits above the volume up and down buttons. So it directly replaced the mute switch that used to sit there. The mute switch is still present on the iPhone 15 and iPhone 15 Plus, by the way.

Apple recently announced its new iPhones

Apple announced its new iPhones a couple of days ago, and the pre-order kick off today. The phones will go on open sale on September 22, in case you’re wondering.

The iPhone 15 Pro starts at $999, while the iPhone 15 Pro Max’s pricing kicks off at $1,199. One thing worth noting is that the smaller phone starts at 128GB of storage, while the larger one starts at 256GB.

Apple replaced stainless steel with titanium on both phones, making them lighter. The company also trimmed down the bezels a bit, so they’re also a bit smaller than their predecessors. New camera tricks and hardware are included, a new processor, and more.


[ad_2]
Source link

Windows11 Themes vulnerability-Attackers Execute Arbitrary Code

0
[ad_1]

An Arbitrary code execution vulnerability has been found in Windows 11. This vulnerability is a result of several factors, such as a Time-of-Check Time-of-Use (TOCTOU) race condition, malicious DLL, cab files, and the absence of Mark-of-the-Web validation.

This particular vulnerability can be exploited by a threat actor using a .theme file used for changing the appearance of Windows OS and supported by Windows 11. Microsoft Security Response Center (MSRC) has been alerted about this vulnerability.

CVE-2023-38146: Windows Themes Arbitrary Code Execution

Windows 11 supports .themefiles, which can be used to customize OS appearance. The icons to be used in the theme are mentioned in a .msstyles file, which can be referenced in a .theme file. When the .theme file is clicked, it executes certain commands along with the execution of rundll32.exe.

“C:\WINDOWS\system32\rundll32.exe” C:\WINDOWS\system32\themecpl.dll,OpenThemeAction <theme file path>

Commands that are executed when a .theme file is opened (Source: exploits.forsale)

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles

Referencing a .msstyles file in a .theme file (Source: exploits.forsale)

“Version 999” Check & Time-of-Check-Time-of-Use

During the loading of the .msstyles file, LoadThemeLibrary in uxtheme.dll checks the version of the theme by loading the PACKTHEM_VERSION resource. If the version is read as 999, the ReviseVersionIfNecessary is called. 

If the .msstyle is given a path, the ReviseVersionIfNecessary creates a new file path, which appends _vrf.dll to the .msstyles file path. After this, the signature on the _vrf.dll file is verified. 

Following the verification, the _vrf.dll is closed and then loaded as the DLL file post, which the VerifyThemeVersion is called.

A threat actor can utilize this particular time frame between the closing and loading of the _vrf.dll to replace the verified DLL with a malicious DLL and perform arbitrary code execution on the system.

Document
Get a Demo

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

Mark-of-the-Web Bypass

In addition, a .theme file downloaded from the internet will contain a security warning due to the presence of “Mark-of-the-Web” on the file, which can be bypassed by embedding the .theme file in a .themepack file.

This is because .themepack pack does not show a “Mark-of-the-Web” warning.

Proof of Concept

A GitHub repository has been published as a proof-of-concept about this vulnerability, consisting of two components: an SMB server executable and a .theme file. 

“Microsoft’s released fix for the issue removed the “version 999” functionality entirely. While that mitigates this specific exploit, it still does not address the TOCTOU issue in the signing of .msstyles files. Additionally, Microsoft has not added Mark-of-the-Web warnings on .themepack files.” reads the post by the researcher.

In addition to this, the steps to reproduce the vulnerability, along with the steps to fix this vulnerability, have also been disclosed. Organizations using Windows 11 should follow the steps to prevent this vulnerability from getting exploited.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


[ad_2]
Source link

New Sharp flagship has a 1-inch camera sensor, 240Hz display & more

0
[ad_1]

Sharp has announced two new compelling flagship smartphones, the AQUOS R8s and R8s Pro. Both of those smartphones were announced in Japan, and chances are they won’t be offered anywhere else. Still, the ‘Pro’ model is quite interesting, so it’s worth talking about it.

New Sharp flagship has a 1-inch camera sensor, a 240Hz display, and much more

Let’s first talk about the design. Both phones do have a centered display camera hole, and flat displays. The bezels are quite thin, while they’re different in terms of size. Also, the camera island is larger on the back of the ‘Pro’ variant.

That being said, the ‘Pro’ model is also more powerful. It features a 6.6-inch 2730 x 1260 IGZO OLED display. That display offers a 240Hz refresh rate, and gets up to 2,000 nits of peak brightness.

You even get expandable storage here

The Snapdragon 8 Gen 2 fuels this smartphone, and the device comes with 12GB of LPDDR5X RAM. It also includes 256GB of UFS 4.0 flash storage, which you can expand up to 1TB.

Sharp AQUOS R8s Pro image 4

A 47.2-megapixel main camera sits on the back, and that’s a 1-inch camera sensor. Sharp also included a 1.9-megapixel 14ch spectrum sensor to measure intensity and colors.

A 5,000mAh battery is also included in the package, and it supports fast wired and wireless charging. We don’t have the specifics, though. Android 13 comes pre-installed, with AQUOS UX 13.

This model comes in black only, and it’s priced at the equivalent of $1,018.

The smaller model is also available, but it’s inferior to the ‘Pro’ variant

The Sharp AQUOS R8s, on the other hand, includes a 6.4-inch fullHD+ IGZO OLED display. Its peak brightness is 1,300 nits, though it also offers a 240Hz refresh rate. A 4,500mAh battery is included in the package, and the phone offers a headphone jack too.

Sharp AQUOS R8s image 1

The Snapdragon 8 Gen 2 fuels this phone as well, but it’s paired with 8GB of RAM and 256GB of storage. That storage is also expandable up to 1TB, as is on the ‘Pro’ variant. This phone also has an inferior main camera.

The Sharp AQUOS R8s is priced at the equivalent of $735.


[ad_2]
Source link

[UPDATED] More countries consider iPhone 12 ban due to high SAR

0
[ad_1]

France has decided to ban iPhone 12 sales due to higher-than-allowed radiation (SAR) levels. Now, more European countries are considering the iPhone 12 ban as well.

So, what happened? Well, France’s National Frequency Agency (ANFR) discovered that the iPhone 12’s SAR levels are above the legal limit. Soon after that happened, Apple denied such allegations.

Still, France told Apple to fix that, otherwise they can’t sell the phone in the country. Based on what France’s junior minister for digital economy said, this problem can be fixed via a software update.

More European countries could ban the iPhone 12 due to high SAR

Following France, however, Belgium, Germany, and the Netherlands are now considering banning the iPhone 12 sales too. Belgium is assessing the iPhone 12 for potential health risks, and will do the same with other Apple devices.

Germany is watching what’s going on, while the Dutch regulators have asked Apple for an explanation. Spanish consumer association OCU has asked the government to suspend the iPhone 12 sales too.

What exactly is SAR? SAR stands for Specific Absorption Rate. It measures the rate of radiofrequency energy absorbed by the human body from a device. If the SAR levels are above the allowed limit, they’re considered to present a threat to human health, which is why France did what it did.

Apple is no longer officially selling the iPhone 12

The EU is very cautious over such things, and many would say for a good reason. It remains to be seen what will happen from this point on. The thing is, Apple no longer officially sells the iPhone 12.

Third-party retailers still have it on offer, of course, but it’s not officially available from the company. That is a three-year-old smartphone at this point, in case you were wondering.

Apple could be forced to release some sort of an update to try and fix things. If not, the iPhone 12 could end up being banned in a number of European countries.

UPDATE: Apple will issue a software update soon in order to fix the problem.


[ad_2]
Source link

Huawei intros tablet with innovative screen, flagship earbuds & more

0
[ad_1]

Huawei announced its new smartwatch, the Watch GT 4, in two sizes. We’ve already talked about those two devices. That’s not the only thing the company introduced during its press event in Barcelona, however. Huawei also announced a new tablet with an innovative screen, new flagship earbuds, and some eyewear.

The Huawei MatePad 11.5 PaperMatte Edition is the company’s new tablet with innovative screen

Let’s kick things off with a tablet. The Huawei MatePad 11.5 PaperMatte Edition is its name. This is basically a special edition variant of the MatePad 11.5. What makes it so special? Well, its display.

This tablet comes with a PaperMatte screen, which has a nano-etched screen coating. That makes the display feel like a piece of paper, kind of, and it also reduces glare considerably. On top of that, it reduces eye strain, and brings a more natural writing experience with the second-gen M-Pencil stylus.

Huawei MatePad 11 5 PaperMatte Edition image 1

It shares the same specs as the MatePad 11.5. That means we’re getting an 11.5-inch TFT LCD display here, with a 2200 x 1440 resolution. That display also has a 120Hz refresh rate. The Snapdragon 7 Gen 1 SoC fuels the device, but it supports 4G connectivity only.

The device ships with 8GB of RAM and 256GB of storage. A 13-megapixel main camera sits on the back, while an 8-megapixel shooter is included on the front. The device also includes a 7,700mAh battery, and supports 22.5W charging.

Huawei’s MatePad 11.5 PaperMatte Edition is priced at €500, and comes in a Space Gray color.

The Huawei FreeBuds Pro 3 also got announced during the event

The Huawei FreeBuds Pro 3 are the company’s new earbuds. These are the company’s flagship truly wireless earbuds, basically. They come with a dual driver system, which should offer clearer treble and “booming base”.

Huawei FreeBuds Pro 3 image 1

You’re also getting a Triple Adaptive EQ, and support for the LDAC and L2HC 2.0 Hi-Res audio codecs. An updated Intelligent Dynamic ANC 3.0 system is also a part of the package, as is a Pure Voice 2.0 mic system.

The company says you can get up to 31 hours of battery, including the charging case. These earbuds can also pair with two devices at the same time, and they basically look like the FreeBuds Pro 2. They’re priced at €200, and will go on sale on October 11 across Europe.

Huawei also introduced a new version of its smart glasses

The Huawei Eyewear 2 is also something the company announced. These are basically Huawei’s smart glasses. They come with built-in speakers, which can last for 11 hours of playtime.

Huawei Eyewear 2 image 1

Interchangeable Zeiss prescription lenses are also a part of the offer. Huawei used a titanium frame to make these, to make them more durable, and to decrease the weight. You’ll find touch controls on the sides.

These smart glasses will go on sale in Europe from October 18, and they’re priced at €300.


[ad_2]
Source link

The US could impose even stricter sanctions on Huawei & SMIC

0
[ad_1]

The Huawei Mate 60 series launch managed to rock the boat in the US. That smartphone comes with a 7nm processor, and the US doesn’t believe Huawei managed to avoid the sanctions. Republicans are actually demanding even stricter sanctions on Huawei and SMIC, the company that made the chip for Huawei.

The US could impose even stricter sanctions on Huawei & SMIC

Digitimes’ Research senior analyst, Luke Lin, believes the US could issue even stricter sanctions on Huawei. The company actually launched this device during the US Secretary of Commerce Gina Raimondo’s visit to China. Was that planned, we don’t know, but the timing is impeccable.

Some see this as Huawei’s statement on self-sufficiency, actually. Lin actually says that the US issued its sanctions “too late and made them too lenient”, which is why Huawei managed to do what it did.

Luke Lin actually went on to explain the situation. SMIC purchased the immersive DUV equipment capable of processes under 14nm between 2018 and 2020. The US issued a ban on SMIC regarding sub-10nm process equipment in 2020, but that was too late, it seems.

Since 2020, China actually continued to import more immersive DUV equipment, and that equipment is one of the key reasons Huawei was able to produce 5G chips with the 7nm process. Qualcomm and other US companies lobbied with the US to be more lenient with its sanctions, as they didn’t want to lose Huawei as a customer, so that played a role in everything too.

Huawei was on the path to become world’s number one smartphone OEM, prior to sanctions

This story is far from over, of course. Huawei was hurt by the US sanctions quite a bit. It was on the path to becoming the world’s number 1 smartphone manufacturer, but things drastically changed after the ban. Huawei is doing its best to return to its former glory in the smartphone market, but it hasn’t been easy. It’s not only limited from the hardware standpoint, but the software too, as it can’t use Google services.

Huawei created its own ecosystem based on Android, and it actually did a really good job with it. Still, it’s not the same. The company is constantly making progress on both hardware and software fronts, so it remains to be seen what will happen going forward.

If Huawei chips manage to achieve a good enough yield rate to be exported overseas, they’ll manage to hurt the US companies even more in the long term.

Huawei is allegedly getting $30 billion in state funding to build a secret network of wafer fabs across China. This is based on a previous report by Bloomberg, as DigiTimes notes.

Lin notes that, in order to prevent a production scale-up, the US sanctions “will need to target chip-making equipment and consumable materials”. Lin also notes that, in order for sanctions to be truly effective, the US should prohibit equipment from entering China at all, and not just restrict sales to Huawei. It remains to be seen what will happen from this point on.


[ad_2]
Source link

Memory Corruption Flaw in ncurses API Library

0
[ad_1]

Multiple memory corruption vulnerabilities have been discovered in the ncurses library, which various programs use on multiple operating systems like Portable Operating System Interface (POSIX) OS, Linux OS, macOS, and FreeBSD. 

Threat actors can chain these vulnerabilities with environment variable poisoning attacks to gain escalated privileges and run codes under the name of the target program or perform other malicious actions.

Memory corruption is one of the common vulnerabilities found in modern programs that could allow threat actors to gain unauthorized access by modifying a program’s memory. The impact of this vulnerability ranges from leaking sensitive information to executing arbitrary code with escalated privileges.

However, Microsoft has disclosed these vulnerabilities with the ncurses maintainers, which have now been successfully patched.

Document
Get a Demo

With DoControl, you can keep your SaaS applications and data safe and secure by creating workflows tailored to your needs. It’s an easy and efficient way to identify and manage risks. You can mitigate the risk and exposure of your organization’s SaaS applications in just a few simple steps.

CVE-2023-29491: Memory Corruption via malformed data

This vulnerability exists in the ncurses library before 6.4 20230408, which could allow threat actors with local privileges to trigger security-based memory corruption. This can be done with the help of malformed data in the terminfo database file, which is found in $HOME/.terminfo, or with environment variables like TERMINFO or TERM.

This particular vulnerability is associated with several internal things, such as Heap out-of-bounds during terminfo database file parsing, parameterized string type confusion, stack information leak, and denial of service with canceled strings.

Terminfo database file consists of optional extended entries like Boolean, numeric, and strings. These entries are user-defined entries and are parsed by the _nc_read_termtype function, which was found to be capable of writing beyond the boundaries of a heap-allocated chunk.

The ncurses source code looks for CANCELLED_STRING and converts them to ABSENT_STRING, which is done only for ordinary strings, whereas extended strings do not get converted. Additionally, strings beginning with “k” are treated as keypad functionality, which can allow a threat actor to specify an extended string, resulting in ncurses dereference eventually causing a denial of service.

Microsoft has published a complete report about these vulnerabilities, providing detailed information about variable poisoning, exploitation, and other information.

Users are recommended to upgrade to the latest version of the ncurses library in order to prevent this vulnerability from getting exploited.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.


[ad_2]
Source link