Security

'High-Risk Vulnerabilities' In Oracle File-Processing SDKs Affect Major Third-Party Products (csoonline.com) 10

itwbennett writes: "Seventeen high-risk vulnerabilities out of the 276 flaws fixed by Oracle Tuesday affect products from third-party software vendors," writes Lucian Constantin on CSOonline. The vulnerabilities, which were found by researchers from Cisco's Talos team, are in the Oracle Outside In Technology (OIT), a collection of SDKs that are used in third-party products, including Microsoft Exchange, Novell Groupwise, IBM WebSphere Portal, Google Search Appliance, Avira AntiVir for Exchange, Raytheon SureView, Guidance Encase and Veritas Enterprise Vault.

"It's not clear how many of those products are also affected by the newly patched seventeen flaws, because some of them might not use all of the vulnerable SDKs or might include other limiting factors," writes Constantin. But the Cisco researchers confirmed that Microsoft Exchange servers (version 2013 and earlier) are affected if they have WebReady Document Viewing enabled. In a blog post the researchers describe how an attacker could exploit these vulnerabilities.

TL;DR version: "Attackers can exploit the flaws to execute rogue code on systems by sending specifically crafted content to applications using the vulnerable OIT SDKs."
Businesses

Salesforce CEO Told LinkedIn He Would Have Paid Much More Than Microsoft (recode.net) 43

Ina Fried, reporting for Recode: It was already known that LinkedIn chose a potentially lower all-cash acquisition offer from Microsoft rather than take on the uncertainties of a stock-and-cash deal from Salesforce. But now it has been revealed that Salesforce might have been willing to go "much higher" than Microsoft's $26.2 billion, or change other terms of its bid, had it been given the chance. In a filing with regulators on Friday, LinkedIn said a board committee met on July 7 to discuss an email from Salesforce CEO Marc Benioff. "The email indicated that Party A would have bid much higher and made changes to the stock/cash components of its offers, but it was acting without communications from LinkedIn," LinkedIn said in the updated filing with the Securities and Exchange Commission.
Security

Microsoft Rewrites Wassenaar Arms Control Pact To Protect The Infosec Industry (theregister.co.uk) 19

The Wassenaar Arrangement "is threatening to choke the cyber-security industry, according to a consortium of cyber-security companies...supported by Microsoft among others," reports SC Magazine. "'Because the regulation is so overly broad, it would require cyber responders and security researchers to obtain an export license prior to exchanging essential information to remediate a newly identified network vulnerability, even when that vulnerability is capable of being exploited for purposes of surveillance,' wrote Alan Cohn from the CRC on a Microsoft blog." Reporter Darren Pauli contacted Slashdot with this report: If the Wassenaar Arrangement carries through under its current state, it will force Microsoft to submit some 3800 applications for arms export every year, company assistant general counsel Cristin Goodwin says... The Wassenaar Arrangement caught all corners of the security industry off guard, but its full potentially-devastating effects will only be realised in coming months and years... Goodwin and [Symantec director of government affairs] Fletcher are calling on the industry to lobby their agencies to overhaul the dual-use software definition of the Arrangement ahead of a closed-door meeting in September where changes can be proposed.
Businesses

Cyanogen Inc. Reportedly Fires OS Development Arm, Switches To Apps (arstechnica.com) 109

An anonymous reader writes: Android Police is reporting that the Android software company Cyanogen Inc. will be laying off 20 percent of its workforce, and will transition from OS development to applications. The Android Police report says "roughly 30 out of the 136 people Cyanogen Inc. employs" are being cut, and that the layoffs "most heavily impact the open source arm" of the company. Android Police goes on to say that CyanogenMod development by Cyanogen Inc "may be eliminated entirely." Ars Technica notes the differences between each "Cyanogen" branding. Specifically, CyanogenMod is a "free, open source, OS heavily based on Android and compatible with hundreds of devices," while Cyanogen Inc. is "a for-profit company that aims to sell Cyanogen OS to OEMs." It appears that many of the core CyanogenMod developers will no longer be paid to work on CyanogenMod, though the community is still free to develop the software." Android Police details the firing process in their report: "Layoffs reportedly came after a long executive retreat for the company's leaders and were conducted with no advanced notice. Employees who were not let go were told not to show up to work today. Those who did show up were the unlucky ones: they had generic human resources meetings rather ominously added to their calendars last night. So, everyone who arrived at Cyanogen Inc. in Seattle this morning did so to lose their job (aside from those conducting the layoffs)." Early last year, Microsoft invested in a roughly $70 million round of equity financing for the then-startup Cyanogen Inc. Not too long before that, Google tried to acquire Cyanogen Inc., but the company turned down Google's offer to seek funding from investors and major tech companies at a valuation of around $1 billion. Cyanogen Inc. CEO Kirt McMaster once said the company was "attempting to take Android away from Google" and that it was "putting a bullet through Google's head."
Security

Auto Industry Publishes Its First Set of Cybersecurity Best Practices (securityledger.com) 37

chicksdaddy quotes a report from Security Ledger: The Automotive industry's main group for coordinating policy on information security and "cyber" threats has published a "Best Practices" document, giving individual automakers guidance on implementing cybersecurity in their vehicles for the first time. The Automotive Information Sharing and Analysis Center (ISAC) released the Automotive Cybersecurity Best Practices document on July 21st, saying the guidelines are for auto manufacturers as well as their suppliers. The Best Practices cover organizational and technical aspects of vehicle cybersecurity, including governance, risk management, security by design, threat detection, incident response, training, and collaboration with appropriate third parties. Taken together, they move the auto industry closer to standards pioneered decades ago and embraced by companies like Microsoft. They call on automakers to design software to be secure from the ground up and to take a sober look at risks to connected vehicles as part of the design process. Automakers are urged to test for and respond to software vulnerabilities, to develop methods for assessing and fixing security vulnerabilities, to create training programs, promote cybersecurity awareness for both information technology and vehicle specific risks, and educate employees about security awareness. The document comes after a Kelly Blue Book survey that found that 62% of drivers think "connected cars will be hacked," and that 42% say they "want cars to be more connected."
PlayStation (Games)

Sony Is the Only Remaining Obstacle To PS4-Xbox Cross-Play (kotaku.com) 54

In March, Microsoft announced native support for cross-platform play between Xbox One and Windows 10. At the time, the company also added that this support could be extended to "other console and PC networks," something which led people to wonder if truly cross-platform gaming, on any platform, was next. When asked, Sony did say that it was open to the idea. "PlayStation has been supporting cross-platform play between PC on several software titles starting with Final Fantasy 11 on PS2 and PC back in 2002. We would be happy to have the conversation with any publishers or developers who are interested in cross-platform play." But since then, it appears that Sony has had a change of heart, which has resulted in developers asking the company for an update. Kotaku reports: In recent days, the developers behind Rocket League and The Witcher 3 have both called for Sony to break down the walls separating PlayStation Network and Xbox Live and allow cross-platform multiplayer. What's changed in the last few days are developers making an open call for Sony to make good on having that conversation with publishers and developers. In an interview with IGN, Psyonix president Jeremy Dunham explained how the Rocket League developer had already taken care of the technical side of things. "We're literally at the point where all we need is the go-ahead on the Sony side," said Dunham, "and we can, in less than a business day, turn it on and have it up and working no problem. It'd literally take a few hours to propagate throughout the whole world, so really we're just waiting on the permission to do so." In another statement to IGN, CD Projekt RED CEO Marcin Iwinski supported Psyonix.
Microsoft

Microsoft's Surface Hub Is a 'Hit', Demand Outstrips Supply (petri.com) 67

Microsoft said on Thursday that it has sold over 500 units of the Surface Hubs, a number that apparently "exceeded" the company's initial forecasts. In a statement to Microsoft-centric blog Petri, the company said: "Demand for Surface Hubs is very strong and exceeded initial forecasts. To date, we've shipped to over 500 customers worldwide and that number continues to grow. We are ramping up production to meet this strong demand via our partner reseller channel as soon as possible. Customers are encouraged to speak with their sales representative if interested in ordering Surface Hubs." For a refresh, the Surface Hub is a giant all-in-one Windows 10 computer which retails at a starting price point of $8,999 for the 55-inch model, and goes all the way up to $21,999 for the 84-inch model.
Microsoft

Microsoft Responds To Allegations That Windows 10 Collects 'Excessive Personal Data' (betanews.com) 144

BetaNews's Mark Wilson writes: Yesterday France's National Data Protection Commission (CNIL) slapped a formal order on Microsoft to comply with data protection laws after it found Windows 10 was collecting "excessive data" about users. The company has been given three months to meet the demands or it will face fines. Microsoft has now responded, saying it is happy to work with the CNIL to work towards an acceptable solution. Interestingly, while not denying the allegations set against it, the company does nothing to defend the amount of data collected by Windows 10, and also fails to address the privacy concerns it raises. Microsoft does address concerns about the transfer of data between Europe and the US, saying that while the Safe Harbor agreement is no longer valid, the company still complied with it up until the adoption of Privacy Shield. It's interesting to see that Microsoft, in response to a series of complaints very clearly leveled at Windows 10, manages to mention the operating system only once. There is the promise of a statement about privacy next week, but for now we have Microsoft's response to the CNIL's order.
Microsoft

France: Windows 10 Collects 'Excessive Personal Data', Issues Microsoft With Formal Warning (betanews.com) 112

France's National Data Protection Commission (CNIL) has ordered Microsoft to "stop collecting excessive data and tracking browsing by users without consent," adding that Microsoft must comply with the French Data Protection Act within the next three months. BetaNews reports: In addition to this, the chair of CNIL has notified Microsoft that it needs to take "satisfactory measures to ensure the security and confidentiality of user data." The notice comes after numerous complaints about Windows 10, and a series of investigations by French authorities which revealed a number of failings on Microsoft's part. Microsoft is accused of not only gathering excessive data about users, but also irrelevant data. The CNIL points to Windows 10's telemetry service which gathers information about the apps users have installed and how long each is used for. The complaint is that "these data are not necessary for the operation of the service."
Microsoft

Skype Finalizes Its Move To the Cloud; To Kill Older Clients -- Remains Tight Lipped About Privacy (arstechnica.com) 74

When it was first created, Skype network was built as a decentralized peer-to-peer system. PCs that had enough processing muscle and bandwidth acted as "supernodes," and coordinated connections between other machines on the network. This p2p system was generally perceived as being relatively private, a belief that has since been debunked. There were several technical challenges, which led Microsoft to move most of Skype's operations to the cloud. Ars Technica is reporting that the company has finalized the switch. From the article: Microsoft has developed a more conventional client-server network, with clients that act as pure clients and dedicated cloud servers. The company is starting to transition to this network exclusively. This transition means that old peer-to-peer Skype clients will cease to work. Clients for the new network will be available for Windows XP and up, OS X Yosemite and up, iOS 8 and up, and Android 4.03 and up. However, certain embedded clients -- in particular, those integrated into smart TVs and available for the PlayStation 3 -- are being deprecated, with no replacement. Microsoft says that since those clients are little used and since almost every user of those platforms has other Skype-capable devices available, it is no longer worth continuing to support them. The issue, as the report points out, is that Microsoft is strangely not talking about privacy and security concerns. The article adds: The Ed Snowden leaks raised substantial questions about the privacy of services such as Skype and have caused an increasing interest in platforms that offer end-to-end encryption. The ability to intercept or wiretap Skype came as a shock to many, especially given Skype's traditionally peer-to-peer infrastructure. Accordingly, we've seen similar services such as iMessage, WhatsApp, and even Facebook Messenger, start introducing end-to-end encryption. The abandonment of Skype's peer-to-peer system can only raise suspicions here. Matthew Green, who teaches cryptography at Johns Hopkins, said: "The surprising thing here is not that Microsoft can intercept Skype calls (duh) but that they won't just admit it."
Chrome

Safari Browser May Soon Be Just As Fast As Chrome With WebP Integration (thenextweb.com) 105

An anonymous reader writes from a report via The Next Web: The Safari browser included in Apple's iOS 10 and macOS Sierra software is testing WebP, technology from Google that allows developers to create smaller, richer images that make the web faster. Basically, it's a way for webpages to load more quickly. The Next Web reports: "WebP was built into Chrome back at build 32 (2013!), so it's not unproven. It's also used by Facebook due to its image compression underpinnings, and is in use across many Google properties, including YouTube." Microsoft is one of the only major players to not use WebP, according to CNET. It's not included in Internet Explorer and the company has "no plans" to integrate it into Edge. Even though iOS 10 and macOS Sierra are in beta, it's promising that we will see WebP make its debut in Safari latest this year. "It's hard to imagine Apple turning away tried and true technology that's found in a more popular browser -- one that's favored by many over Safari due to its speed, where WebP plays a huge part," reports The Next Web. "Safari is currently the second most popular browser to Chrome." What's also interesting is how WebP isn't mentioned at all in the logs for Apple's Safari Technology Preview.
Google

Google and Bing Have No Obligation To Censor Searches For Torrents (betanews.com) 62

Microsoft and Google are under no obligation to weed out 'torrent' results from their respective search engines, the High Court of Paris has ruled. BetaNews adds: French music industry group SNEP went to court on behalf of a trio of artists, requesting that Microsoft and Google automatically filter out links to pirated material. The group had called for a complete block on searches that include the word 'torrent' as well as blocking sites whose name includes the word. The court found that SNEP's request was far too broad, saying: "SNEP's requests are general, and pertain not to a specific site but to all websites accessible through the stated methods, without consideration for identifying or even determining the site's content, on the premise that the term 'Torrent' is necessarily associated with infringing content". The court added that 'torrent' is a common noun, which has a range of different meanings.
Windows

Windows 10 Warns Chrome and Firefox Users About Battery Drain, Recommends Switching To Edge (venturebeat.com) 370

A month after Microsoft claimed that its Edge web browser is more power efficient than Google Chrome and Firefox, the company is now warning Windows 10 users about the same. VentureBeat reports: Microsoft has turned on a new set of Windows Tips that warn Windows 10 users that Google Chrome or Mozilla Firefox is draining their laptop's battery. The solution, according to the notification, is to use Microsoft Edge. In a statement to the publication, the company said: "These Windows Tips notifications were created to provide people with quick, easy information that can help them enhance their Windows 10 experience, including information that can help users extend battery life. That said, with Windows 10 you can easily choose the default browser and search engine of your choice."
The Almighty Buck

Marissa Mayer Says Yahoo Continues To Make Solid Progress, Earnings Report Says Otherwise (fool.com) 129

tomhath quotes a report from Fool: Yahoo! CEO Marissa Mayer tried to emphasize the progress that the company has made. "We continue to make solid progress against our 2016 plan," Mayer said, and "in addition to our efforts to improve the operating business, our board has made great progress on strategic alternatives." The CEO argued that the results met or exceeded the company's own guidance. Yahoo! was able to post a revenue increase by changing the ways that it presents revenue related to its search agreement with Microsoft, and without that change, adjusted revenue of $1.055 billion was down 15% from the year-ago quarter. That was even worse than the 13% drop investors were expecting, and adjusted EBITDA fell by more than a third. That resulted in adjusted net earnings of $0.09 per share, missing the consensus forecast by a penny but also glossing over a $440 million net loss on a GAAP basis. The company took a $395 million goodwill impairment charge and an $87 million intangibles impairment charge related to its Tumblr unit, determining that the fair value of the division is less than the amount indicated on Yahoo!'s balance sheet. It was also revealed that Yahoo is writing down the value of its Tumblr acquisition by $482 million, citing lower projections for the social network's future performance, according to a report from CNNMoney. Last quarter, the company took a $230 million write-down on its Tumblr acquisition. Since Yahoo acquired Tumblr for $1.1 billion in 2013, Yahoo has written down more than half of its value.
Communications

Researcher Finds Way To Steal Cash From Google, Instagram, and Microsoft Through The Phone (onthewire.io) 35

Trailrunner7 quotes a report from On the Wire: A security researcher has discovered a method that would have enabled fraudsters to steal thousands of dollars from Facebook, Microsoft, and Google by linking premium-rate numbers to various accounts as part of the two-step verification process. Arne Swinnen discovered the issue several months ago after looking at the way that several of these companies' services set up their two-step verification procedures. Facebook uses two-step verification for some of its services, including Instagram, and Google and Microsoft also employ it for some of their user accounts. Swinnen realized that the companies made a mistake in not checking to see whether the numbers that users supply as contact points are legitimate. "They all offer services to supply users with a token via a computer-voiced phone call, but neglected to properly verify whether supplied phone numbers were legitimate, non-premium numbers. This allowed a dedicated attacker to steal thousands of EUR/USD/GBP," Swinnen said in a post explaining the bug. "For services such as Instagram and Gmail, users can associate a phone number with their accounts," reports On the Wire. "In the case of Instagram, users can find other people by their phone number, and when a user adds a number, Instagram will send a text to verify the number. If the user never enters the code included in the text, Instagram will eventually call the number. Swinnen noticed that Instagram's robocallers would call any number supplied, including premium-rate numbers. 'One attacker could thus steal 1 GBP per 30 minutes, or 48 GBP/day, 1.440 GBP/month or 17.280/year with one pair. However, a dedicated attacker could easily setup and manage 100 of these pairs, increasing these numbers by a factor 100: 4.800 GBP/day, 144.000 GBP/month or 1.728.000 GBP/year.'"
Republicans

RNC Is Preparing For Cyberattacks (cnbc.com) 96

An anonymous reader writes from a report via CNBC: The Republican National Convention will be a popular target for cyberattacks. An official in charge of securing the network has said the RNC already had to fend off a wave of cyberattacks before the convention opened. Many more attacks are expected throughout the convention ranging from "nation-states hunting for intelligence or protesters trying to disrupt the network at the convention," said the consulting chief information officer for the RNC, Max Everett. Donald Trump's campaign appears to only fuel attackers, security experts said. The convention opens Monday afternoon and will attract roughly 50,000 people in addition to a global audience watching from afar. "A successful attack could impact physical security on the ground, for example, by taking connected security scanners offline. It could also affect online activity, for example, by hijacking the livestream and derailing the GOP's message," reports CNBC. The Secret Service has designated the conventions "national special security events." Everett and his team of 70 IT specialists will be using Microsoft and ForeScout software to monitor the network in real time, working with ATT and Cisco on securing external access to the network and a firm called Dark Cubed to share real-time threat information among the firms trying to defend against cyberattacks.
Microsoft

Microsoft Stream Is a New Video Service For Businesses (techcrunch.com) 34

An anonymous reader shares a TechCrunch report: Microsoft today launched Stream, a new business video service that aims to give businesses that want to share video internally the same kind of tools and flexibility that YouTube offers to consumers -- but with the added benefits of the security tools enterprises expect from their document management services. The service is now available as a free preview. As James Phillips, Microsoft's corporate VP of its Business Intelligence Products Group, told me, all it takes to get started with Stream is an email address. The user experience in Stream does take its cues from consumer services like Vimeo and YouTube, and includes a number of social features, including likes and comments, as well as recommendations. "We've all been trained as consumers to understand what beautiful and fully featured software looks like," Phillips told me. "And we are now delivering on those experiences in business software." Some of the basic use cases for using video in a company include training and employee communications.
Android

Slashdot Asks: Do You Install Preview Version Of An OS On Your Primary Device? 148

On Monday, Google released a new -- and also the final -- version of the Android N Developer Preview. Android Nougat, which is the latest version of Google's mobile operating system comes with a range of new features and improvements, including a notification panel redesign and additions to Doze power saving. The fifth preview, which is releasing today offers a "near-final" look at Android 7. Interestingly, Apple also released the public beta versions of iOS 10, and macOS Sierra to users earlier this month. Microsoft continues to offer preview builds of Windows 10 OS to enthusiasts.

We were wondering how many of you choose to live on beta version of an operating system on your primary devices. Does anyone here wait for the final version of an operating system to release before making the switch? Also, what does the setup of your office/work computer look like? Anyone who is still on an older version of an operating system because of reliability and compatibility concerns?
XBox (Games)

Microsoft's New Xbox One S Will Go On Sale On August 2 -- Will You Buy One? (betanews.com) 107

Microsoft announced on Monday that its new Xbox One S console will go on sale on August 2. To recall, the Xbox One S is 40 percent smaller than the original Xbox One (also the power supply packed in the console itself), and has the processing muscle to stream video in 4K Ultra HD with HDR. BetaNews reports: August 2 is the big date which also sees the release of Windows 10 Anniversary Update. The Xbox One S also features up to 2TB of storage. In all, three versions of the console are available. It's the 2TB model that's grabbing the headlines and the attention of keen gamers, and this model will launch in "limited numbers" priced at $399. The console will launch in Australia, Canada, UK and United States among several other regions. For anyone looking for a slightly cheaper option, the 1TB model will cost $349, while $299 will get you a 500GB version. If you want to add to the single Xbox Wireless Controller included as standard, this will set you back a further $59.99. Are you planning to purchase one of these?
Security

Hacker Uses Premium Rate Calls To Steal From Instagram, Google, Microsoft (helpnetsecurity.com) 37

Reader Orome1 writes: Some account options deployed by Instagram, Google and Microsoft can be misused to steal money from the companies by making them place phone calls to premium rate numbers, security researcher Arne Swinnen has demonstrated. Swinnen calculated that, in theory, these options would allow an attacker to milk over 2 million euro per year from Instagram, 432,000 euro per year from Google, and nearly 700,000 euro from Microsoft by using a slew of fake accounts, multiple premium numbers, and different tools and approaches to automate the process.
