
A security researcher has published today details and proof-of-concept code for an Internet Explorer zero-day that can allow hackers to steal files from Windows systems. The vulnerability resides in the way Internet Explorer processes MHT files. MHT stands for MHTML Web Archive and is the default standard in which all IE browsers save web pages when a user hits the CTRL+S (Save web page) command. Modern browsers don't save web pages in MHT format anymore, and use the standard HTML file format; however, many modern browsers still support processing the format. Today, security researcher John Page published details about an XXE (XML eXternal Entity) vulnerability in IE that can be exploited when a user opens an MHT file. "This can allow remote attackers to potentially exfiltrate Local files and conduct remote reconnaissance on locally installed Program version information," Page said. "Example, a request for 'c:\Python27\NEWS.txt' can return version information for that program." Because on Windows all MHT files are automatically set to open by default in Internet Explorer, exploiting this vulnerability is trivial, as users only need to double-click on a file they received via email, instant messaging, or another vector. Page said the actual vulnerable code relies on how Internet Explorer deals with CTRL+K (duplicate tab), "Print Preview," or "Print" user commands. But, as Windows uses IE as the default app to open MHT files, users don't necessarily have to have IE set as their default browser, and are still vulnerable as long as IE is still present on their systems, and they're tricked into opening an MHT file. This vulnerability should not be taken lightly, despite Microsoft's response. Read the complete story on OUR FORUM.

At the National Association of Broadcasters (NAB) trade show in Las Vegas, Sony announced the world’s largest high-resolution display featuring a “16k” resolution, as well as Sony’s ‘Crystal LED’ display based on microLED technology. Sony’s 16k display has a diagonal measurement of 783” and has four times as many pixels as an 8K TV, but the company didn’t give details on the vertical resolution. The larger-than-life screen is 19.2 meters (63 feet) long and 5.4 meters (17 feet) high, so the vertical resolution likely isn't very high. This makes some sense, as walls can only be so tall, but it ultimately means Sony uses a non-standard resolution that is not a direct upscaling of 4K and 8K. Sony has stated before that its modular and bezel-less Crystal LED screens can be arranged in any shape, even ones that don’t look like a typical TV. The Crystal LED screen Sony unveiled in Las Vegas is currently being installed at a new research center in Japan. These 16K screens will likely remain a high-end product for the corporate world for now, but Sony intends to sell smaller variations to offices, cinemas, and even consumers in the near future. MicroLED technology is basically OLED tech that doesn’t have burn-in issues because it doesn’t use any organic material to create the self-emitting diodes that don’t require a backlight (as LCDs do). There's more posted on OUR FORUM.

 

Windows 10 users and while the company earlier promised that it would bring the browser on other platforms such as Windows 7, Windows 8, Windows 8.1, and MAC OS, the launch date saw Microsoft announcing the browser as Windows 10 exclusive with the company saying that support for other platforms is “coming soon.” Turns out that Microsoft kind of lied when it said the browser is Windows 10 exclusive at the launch date. As first spotted by Bleeping Computer, the Windows 10 Edge installer also works on Windows 7, meaning you can download and install the Chromium-based Microsoft Edge browser on your Windows 7 PC. The only catch here is that you won’t be able to download the installer from the Microsoft Edge website. Therefore, to taste the Microsoft Edge browser on your Windows 7 PC you have to download the installer from a Windows 10 PC, then make a copy of the installer file and paste it to your Windows 7 PC. Follow the necessary steps and your attempt at installing the browser should be a success; you’ll also be able to use the browser and there shouldn’t be any issue with surfing the web. For more and direct download links visit OUR FORUM.

Microsoft has detailed a March attack on Windows customers in the satellite and communications sectors using "unusual, interesting techniques" that bear the hallmarks of APT group MuddyWater. The company's Office 365 ATP picked up archive (ACE) files loaded with the recently discovered WinRAR flaw, CVE-2018-20250, which has become widely used among cybercrime groups and nation-state hackers in recent months. The bug was co-opted for hacking after a February 20 report from Israeli security firm Check Point revealed that a malicious ACE file could place malware anywhere on a Windows PC after being extracted by WinRAR. Locations include the Windows Startup folder, where the malware would automatically execute on each reboot. A month before Check Point's report, WinRAR developers released a new version that dropped support for ACE because they were unable to update a library in WinRAR called Unacev2.dll that contained a directory traversal flaw. However, by March, when this attack was detected by Microsoft, it's likely a large chunk of the world's 500 million WinRAR users hadn't updated to the non-ACE version or hadn't removed the vulnerable DLL. The MuddyWater group's activities were first spotted in 2017. It is known to target users in the Middle East, Europe, and the US. The group frequently doctors up phishing documents to appear as if they're from security arms of various governments. For more visit OUR FORUM.

I thought deactivating my Facebook account would stop the social network from tracking me online. But Facebook kept tabs on me anyway. Over the past year, I've tried to minimize my presence on Facebook. I deleted a 10-year-old account and replaced it with a dummy account that I use as little as possible. I deleted the app from my phone. As of January, I started deactivating my dummy account every time I used it, rather than just log out. I couldn't break up completely with Facebook because I needed it to sign up twice a week for a workshop. I thought the precautions would reduce how much data Facebook gathered about me. Turns out, I was wasting my time. Even when your account is deactivated, the social network continues collecting data about your online activities. All that data gets sent back to Facebook and is tied to your account while it's in this state of limbo. It's as if you'd changed nothing. On the site, Facebook explains that deactivating is a half-step to complete deletion. But it says little about how data collection works during the period. In its data policy, Facebook suggests deactivation to manage your privacy but doesn't mention that it still collects data during that period. The ongoing collection of data from deactivated accounts could be considered misleading, privacy experts warn. The social network's Share button is on 275 million web pages. It collects data allowing advertisers to see what kind of content you're viewing. That's why you're likely to see ads for sports in your Facebook feed if you've been visiting a lot of sports websites. Complete details can be found on OUR FORUM.

 

The UK government announced today a set of online safety laws designed to hold the companies behind social media platforms liable for the harmful behavior spreading through their platforms. As detailed in the Online Harms White Paper joint proposal published by the Department for Digital, Culture, Media & Sport and the UK Home Office, the law package "comprises legislative and non-legislative measures and will make companies more responsible for their users’ safety online, especially children and other vulnerable groups." At the moment the Online Harms White Paper is under open consultation, which will allow the government to collect opinions from "organizations, companies, and others with relevant views, insights or evidence" regarding the future online safety regulatory framework; the consultation will end at 23:59 on July 1, 2019. The UK's proposed online safety laws will appoint an independent regulator to enforce the future standards, which will force social media companies and tech firms alike to follow a mandatory "duty of care" to protect users while using their platforms, with heavy fines to be issued if they fail to deliver. Right now, the regulator which will enforce the future framework is not yet appointed and the UK Government is yet to decide if it should be a new or an already existing body. "The internet can be brilliant at connecting people across the world - but for too long these companies have not done enough to protect users, especially children, and young people, from harmful content," said Prime Minister Theresa May. "That is not good enough, and it is time to do things differently." Get caught up by visiting OUR FORUM.

 
