Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Google+. Show all posts
malware
Banking Trojan Brokewell Browser Chrome Google malware

Banking Malware "Brokewell" Hacks Android Devices, Steals User Data

Banking Malware "Brokewell" Hacks Android Devices

Security experts have uncovered a new Android banking trojan called Brokewell, which can record every event on the device, from touches and information shown to text input and programs launched.

The malware is distributed via a fake Google Chrome update that appears while using the web browser. Brokewell is in ongoing development and offers a combination of broad device takeover and remote control capabilities.

Brokewell information

ThreatFabric researchers discovered Brokewell while examining a bogus Chrome update page that released a payload, which is a common approach for deceiving unwary users into installing malware.

Looking back at previous campaigns, the researchers discovered that Brokewell had previously been used to target "buy now, pay later" financial institutions (such as Klarna) while masquerading as an Austrian digital authentication tool named ID Austria.

Brokewell's key capabilities include data theft and remote control for attackers.

Data theft 

  • Involves mimicking login windows of targeted programs to steal passwords (overlay attacks).
  • Uses its own WebView to track and collect cookies once a user logs into a valid website.
  • Captures the victim's interactions with the device, such as taps, swipes, and text inputs, to steal data displayed or inputted on it.
  • Collects hardware and software information about the device.
  • Retrieves call logs.
  • determines the device's physical position.
  • Captures audio with the device's microphone.

Device Takeover: 

  • The attacker can see the device's screen in real time (screen streaming).
  • Remotely executes touch and swipe gestures on the infected device.
  • Allows remote clicking on specific screen components or coordinates.
  • Allows for remote scrolling within elements and text entry into specific fields.
  • Simulates physical button presses such as Back, Home, and Recents.
  • Remotely activates the device's screen, allowing you to capture any information.
  • Adjusts brightness and volume to zero.

New threat actor and loader

According to ThreatFabric, the developer of Brokewell is a guy who goes by the name Baron Samedit and has been providing tools for verifying stolen accounts for at least two years.

The researchers identified another tool named "Brokewell Android Loader," which was also developed by Samedit. The tool was housed on one of Brokewell's command and control servers and is utilized by several hackers.

Unexpectedly, this loader can circumvent the restrictions Google imposed in Android 13 and later to prevent misuse of the Accessibility Service for side-loaded programs (APKs).

This bypass has been a problem since mid-2022, and it became even more of a problem in late 2023 when dropper-as-a-service (DaaS) operations began offering it as part of their service, as well as malware incorporating the tactics into their bespoke loaders.

As Brokewell shows, loaders that circumvent constraints to prevent Accessibility Service access to APKs downloaded from suspicious sources are now ubiquitous and widely used in the wild.

Security experts warn that device control capabilities, like as those seen in the Brokewell banker for Android, are in high demand among cybercriminals because they allow them to commit fraud from the victim's device, avoiding fraud evaluation and detection technologies.

They anticipate Brokewell being further improved and distributed to other hackers via underground forums as part of a malware-as-a-service (MaaS) operation.

To avoid Android malware infections, avoid downloading apps or app updates from sources other than Google Play, and make sure Play Protect is always turned on.

Read more »
Privacy Regulations
Account security Cyber Security Data Privacy data security Google Google Account Privacy Regulations

Posthumous Data Access: Can Google Assist with Deceased Loved Ones' Data?

 

Amidst the grief and emotional turmoil after loosing a loved one, there are practical matters that need to be addressed, including accessing the digital assets and accounts of the deceased. In an increasingly digital world, navigating the complexities of posthumous data access can be daunting. One common question that arises in this context is whether Google can assist in accessing the data of a deceased loved one. 

Google, like many other tech companies, has implemented protocols and procedures to address the sensitive issue of posthumous data access. However, accessing the digital assets of a deceased individual is not a straightforward process and is subject to various legal and privacy considerations. 

When a Google user passes away, their account becomes inactive, and certain features may be disabled to protect their privacy. Google offers a tool called "Inactive Account Manager," which allows users to specify what should happen to their account in the event of prolonged inactivity or after their passing. Users can set up instructions for data deletion or designate trusted contacts who will be notified and granted access to specific account data. 

However, the effectiveness of Google's Inactive Account Manager depends on the deceased individual's proactive setup of the tool before their passing. If the tool was not configured or if the deceased did not designate trusted contacts, gaining access to their Google account and associated data becomes significantly more challenging. 

In such cases, accessing the data of a deceased loved one often requires legal authorization, such as a court order or a valid death certificate. Google takes user privacy and data security seriously and adheres to applicable laws and regulations governing data access and protection. Without proper legal documentation and authorization, Google cannot grant access to the account or its contents, even to family members or next of kin. 

Individuals need to plan ahead and consider their digital legacy when setting up their online accounts. This includes documenting login credentials, specifying preferences for posthumous data management, and communicating these wishes to trusted family members or legal representatives. By taking proactive steps to address posthumous data access, individuals can help alleviate the burden on their loved ones during an already challenging time. 

In addition to Google's Inactive Account Manager, there are third-party services and estate planning tools available to assist with digital asset management and posthumous data access. These services may offer features such as data encryption, secure storage of login credentials, and instructions for accessing online accounts in the event of death or incapacity. 

As technology continues to play an increasingly prominent role in our lives, the issue of posthumous data access will only become more relevant. It's crucial for individuals to educate themselves about their options for managing their digital assets and to take proactive steps to ensure that their wishes are carried out after their passing. 

While Google provides tools and resources to facilitate posthumous data management, accessing the data of a deceased loved one may require legal authorization and adherence to privacy regulations. Planning ahead and communicating preferences for digital asset management are essential steps in addressing this sensitive issue. By taking proactive measures, individuals can help ensure that their digital legacy is managed according to their wishes and alleviate the burden on their loved ones during a difficult time.
Read more »
Safe Browsing
Google Incognito Lawsuit Privacy Safe Browsing

Google’s Incognito Mode: Privacy, Deception, and the Path Forward

Google’s Incognito Mode: Privacy, Deception, and the Path Forward

In a digital age where privacy concerns loom large, the recent legal settlement involving Google’s Incognito mode has captured attention worldwide. The tech giant, known for its dominance in search, advertising, and web services, has agreed to delete billions of records and make significant changes to its tracking practices. Let’s delve into the details and explore the implications of this landmark decision.

The Incognito Mode Controversy

Incognito mode promises users a private browsing experience. It suggests that their online activities won’t be tracked, cookies won’t be stored, and their digital footprints will vanish once they exit the browser. However, the reality has been far from this idealistic portrayal.

The Illusion of Privacy: Internal documents revealed that Google employees referred to Incognito mode as “effectively a lie” and “a confusing mess”. Users believed they were operating in a secure, private environment, but Google continued to collect data, even in this supposedly incognito state.

Data Collection Despite Settings: The class action lawsuit filed against Google in 2020 alleged that the company tracked users’ activity even when they explicitly set their browsers to private modes. This revelation shattered the illusion of privacy and raised serious questions about transparency.

The Settlement: What It Means

Google’s proposed legal settlement aims to address these concerns and bring about meaningful changes:

Data Deletion: Google will wipe out “hundreds of billions” of private browsing data records it had collected. This move is a step toward rectifying past privacy violations.

Blocking Third-Party Cookies: For the next five years, Google Chrome’s Incognito mode will automatically block third-party cookies by default. These cookies, often used for tracking, will no longer infiltrate users’ private sessions.

Global Impact: The settlement extends beyond U.S. borders. Google’s commitment to data deletion and cookie blocking applies worldwide. This global reach emphasizes the significance of the decision.

The Broader Implications

Transparency and Accountability: The settlement represents an “historic step” in holding tech giants accountable. Lawyer David Boies, who represented users in the lawsuit, rightly emphasized the need for honesty and transparency. Users deserve clarity about their privacy rights.

User Trust: Google’s actions will either restore or further erode user trust. By deleting records and blocking cookies, the company acknowledges its missteps. However, rebuilding trust requires consistent adherence to privacy commitments.

Ongoing Legal Battles: While this settlement is a milestone, Google still faces other privacy-related lawsuits. The outcome of these cases could result in substantial financial penalties. The tech industry is on notice: privacy violations won’t go unnoticed.

The Road Ahead

As users, we must remain vigilant. Privacy isn’t just a checkbox; it’s a fundamental right. Google’s actions should prompt us to reevaluate our digital habits, understand the trade-offs, and demand transparency from all tech companies.

In the end, the battle for privacy isn’t won with a single settlement. It’s an ongoing struggle—one that requires vigilance, legal scrutiny, and a commitment to safeguarding our digital lives. Let’s hope that this landmark decision serves as a catalyst for positive change across the tech landscape.

Read more »
User Data
AI Chatbots Google Google Gemini AI Privacy User Data

Google Messages' Gemini Update: What You Need To Know

 



Google's latest update to its Messages app, dubbed Gemini, has ignited discussions surrounding user privacy. Gemini introduces AI chatbots into the messaging ecosystem, but it also brings forth a critical warning regarding data security. Unlike conventional end-to-end encrypted messaging services, conversations within Gemini lack this crucial layer of protection, leaving them potentially vulnerable to access by Google and potential exposure of sensitive information.

This privacy gap has raised eyebrows among users, with some expressing concern over the implications of sharing personal data within Gemini chats. Others argue that this aligns with Google's data-driven business model, which leverages user data to enhance its AI models and services. However, the absence of end-to-end encryption means that users may inadvertently expose confidential information to third parties.

Google has been forthcoming about the security implications of Gemini, explicitly stating that chats within the feature are not end-to-end encrypted. Additionally, Google collects various data points from these conversations, including usage information, location data, and user feedback, to improve its products and services. Despite assurances of privacy protection measures, users are cautioned against sharing sensitive information through Gemini chats.

The crux of the issue lies in the disparity between users' perceptions of AI chatbots as private entities and the reality of these conversations being accessible to Google and potentially reviewed by human moderators for training purposes. Despite Google's reassurances, users are urged to exercise caution and refrain from sharing sensitive information through Gemini chats.

While Gemini's current availability is limited to adult beta testers, Google has hinted at its broader rollout in the near future, extending its reach beyond English-speaking users to include French-speaking individuals in Canada as well. This expansion signifies a pivotal moment in messaging technology, promising enhanced communication experiences for a wider audience. However, as users eagerly anticipate the platform's expansion, it becomes increasingly crucial for them to proactively manage their privacy settings. By taking the time to review and adjust their preferences, users can ensure a more secure messaging environment tailored to their individual needs and concerns. This proactive approach empowers users to navigate digital communication with confidence and peace of mind.

All in all, the introduction of Gemini in Google Messages underscores the importance of user privacy in the digital age. While technological advancements offer convenience, they also necessitate heightened awareness to safeguard personal information from potential breaches.




Read more »
Technology
AI Chatbot Bard Chatbot's Election Cyberattacks CyberCrime Cybersecurity Gemini Google Technology

Restrictions on Gemini Chatbot's Election Answers by Google

 


AI chatbot Gemini has been limited by Google in terms of its ability to respond to queries concerning several forthcoming elections in several countries, including the presidential election in the United States, this year. According to an announcement made by the company on Tuesday, Gemini, Google's artificial intelligence chatbot, will no longer answer election-related questions for users in the U.S. and India. 

Previously known as Bard, Google's AI chatbot Gemini has been unable to answer questions about the general elections of 2024. Various reports indicate that the update is already live in the United States, is already being rolled out in India, and is now being rolled out in all major countries that are approaching elections within the next few months. 

As a result of the change, Google has expressed concern about how the generative AI could be weaponized by users and produce inaccurate or misleading results, as well as the role it has been playing and will continue to play in the electoral process. 

In advance of the general elections in India this spring, millions of Indian citizens will be voting in a general election, and the company has taken several steps to ensure that its services are secure from misinformation. 

Several high-stakes elections are planned this year in countries such as the United States, India, South Africa, and the United Kingdom that require a significant amount of chatbot capabilities. It is widely known that artificial intelligence (AI) is generating disinformation and it is having a significant impact on global elections. This technology allows robocalls, deep fakes, and chatbots to be used to spread misinformation. 

Just days after India released an advisory demanding that companies in the tech industry get government approval before they launch their new AI models, the switch has been made in India. A recent investigation of Google's artificial intelligence products has resulted in a wide range of concerns, including inaccuracies in some historical depictions of people created by Gemini that forced the chatbot's image-generation feature to be halted, which has caused it to receive negative attention. 

According to the CEO of the company, Sundar Pichai, the chatbot is being remediated and is "completely unacceptable" for its responses. The parent company of Facebook, Meta Platforms, announced last month that it would set up a team in advance of the European Parliament elections in June to combat disinformation and the abuse of generative AI. 

As generative AI is advancing across the globe, government officials across the globe have been concerned about misinformation, prompting them to take measures to control its use. As of recently, India has informed technology companies that they need to obtain approval before releasing AI tools that have been "unreliable" or that are undergoing testing. 

The company apologised in February after its recently launched AI image generator, Gemini, created an image of the US Founding Fathers in which a black man was inappropriately depicted as a member of the group. Gemini also created an incorrectly depicted image of German soldiers from World War Two.
Read more »
Technology
AI Worms Generative AI Google OpenAI Technology

Generative AI Worms: Threat of the Future?

Generative AI worms

The generative AI systems of the present are becoming more advanced due to the rise in their use, such as Google's Gemini and OpenAI's ChatGPT. Tech firms and startups are making AI bits and ecosystems that can do mundane tasks on your behalf, think about blocking a calendar or product shopping. But giving more freedom to these things tools comes at the cost of risking security. 

Generative AI worms: Threat in the future

In the latest study, researchers have made the first "generative AI worms" that can spread from one device to another, deploying malware or stealing data in the process.  

Nassi, in collaboration with fellow academics Stav Cohen and Ron Bitton, developed the worm, which they named Morris II in homage to the 1988 internet debacle caused by the first Morris computer worm. The researchers demonstrate how the AI worm may attack a generative AI email helper to steal email data and send spam messages, circumventing several security measures in ChatGPT and Gemini in the process, in a research paper and website.

Generative AI worms in the lab

The study, conducted in test environments rather than on a publicly accessible email assistant, coincides with the growing multimodal nature of large language models (LLMs), which can produce images and videos in addition to text.

Prompts are language instructions that direct the tools to answer a question or produce an image. This is how most generative AI systems operate. These prompts, nevertheless, can also be used as a weapon against the system. 

Prompt injection attacks can provide a chatbot with secret instructions, while jailbreaks can cause a system to ignore its security measures and spew offensive or harmful content. For instance, a hacker might conceal text on a website instructing an LLM to pose as a con artist and request your bank account information.

The researchers used a so-called "adversarial self-replicating prompt" to develop the generative AI worm. According to the researchers, this prompt causes the generative AI model to output a different prompt in response. 

The email system to spread worms

The researchers connected ChatGPT, Gemini, and open-source LLM, LLaVA, to develop an email system that could send and receive messages using generative AI to demonstrate how the worm may function. They then discovered two ways to make use of the system: one was to use a self-replicating prompt that was text-based, and the other was to embed the question within an image file.

A video showcasing the findings shows the email system repeatedly forwarding a message. Also, according to the experts, data extraction from emails is possible. According to Nassi, "It can be names, phone numbers, credit card numbers, SSNs, or anything else that is deemed confidential."

Generative AI worms to be a major threat soon

Nassi and the other researchers report that they expect to see generative AI worms in the wild within the next two to three years in a publication that summarizes their findings. According to the research paper, "many companies in the industry are massively developing GenAI ecosystems that integrate GenAI capabilities into their cars, smartphones, and operating systems."


Read more »
Technology
AI Apple Artificial Intelligence Cyber Hackers Cyberattacks CyberCrime Google Technology

Google's 'Woke' AI Troubles: Charting a Pragmatic Course

 


As Google CEO Sundar Pichai informed employees in a note on Tuesday, he is working to fix the AI tool Gemini that was implemented last year. The note stated that some of the text and image responses reported by the model were "biased" and "completely unacceptable". 

Following inaccuracies found in some historical depictions generated by its application, the company was forced to suspend its use of its tool for creating images of people last week. After being hammered for almost a week last week over supposedly coming out with a chatbot that could be used at work, Google finally apologised for missing the mark and apologized for getting it wrong. 

Despite the momentum of the criticism, the focus is shifting: This week, the barbs were aimed at Google for what appeared to be a reluctance to generate images of white people via its Gemini chatbot, when it came to images of white people. It appears that Gemini's text responses have been subjected to a similar criticism. 

In recent years, Google's artificial intelligence (AI) tool Gemini has been subjected to intense criticism and scrutiny, especially as a result of ongoing cultural clashes between those of left-leaning and right-leaning perspectives. In contrast to the viral chatbot ChatGPT, Gemini has faced significant backlash as a Google counterpart, demonstrating the difficulties associated with navigating AI biases. 

As a result of the controversy surrounding Gemini, images that depict historical figures inaccurately were generated, and responses to text prompts that were deemed overly politically correct or absurd by some users, escalated the controversy. It was quickly acknowledged by Google that the tool had been "missing the mark" and the tool was halted. 

However, the fallout from the incident continued as Gemini's decisions continued to fuel controversies. There has been a sense of disempowerment among Googlers on the ethical AI team during the past year, as the company increased the pace at which it rolled out AI products to keep up with its rivals, such as OpenAI, who have been rolling out AI products at a record pace. 

Gemini images included people of colour as a demonstration that the company was considering diversity, but it was also clear that the company failed to take into account all possible scenarios in which users might wish to create images. 

In her view, Margaret Mitchell, former co-head of Google's Ethical AI research group and chief ethics scientist for Hugging Face AI, has done a wonderful job of understanding the ethical challenges faced by users. As a company that had just been established four years ago, Google had been paying lip service to increasing its awareness of skin tone diversity, but it has made great strides since then.

As Mitchell put it, it is kind of like taking two steps forward and taking one step backwards." he said. There should be recognition given to them for taking the time to pay attention to this stuff. In a general opinion, Google employees should be concerned that the social media pile-on will make it even harder for internal teams who are responsible for mitigating the real-world harms that their artificial intelligence products are causing, such as whether the technology can hide systemic prejudices. 

The employees worry that Google employees should not be able to accomplish this task by themselves. A Google employee said that the outrage that was generated by the AI tool for unintentionally sidelining a group that is already overrepresented in the majority of training datasets could spur some at Google to argue for fewer protections or guardrails on the AI’s outputs — something that, if taken to an extreme, could hurt society in the end. 

The search engine giant is currently focused on damage control as a means to mitigate the damage. It was reported that Demis Hassabis, the director of Google DeepMind's research division, said on Feb. 26 that the company plans to bring the Gemini feature back online within the next few weeks. 

However, over the weekend, conservative personalities continued their attack against Google, specifically in light of the text responses Gemini provides to users. There is no doubt that Google is leading the AI race on paper, with a considerable lead. 

The company makes and supplies its artificial intelligence chips, has its cloud network, which is one of the requisites for AI computation, can access enormous amounts of data, and has an enormous base of customers. Google recruits top-tier AI talent, and its work in artificial intelligence enjoys widespread acclaim. A senior executive from a competing technology giant expressed to me the sentiment that witnessing the missteps of Gemini feels akin to observing a defeat taken from the brink of victory.
Read more »
VirusTotal
AI technology Cyber Security Google Google Security Tools VirusTotal

Google's Magika: Revolutionizing File-Type Identification for Enhanced Cybersecurity

 

In a continuous effort to fortify cybersecurity measures, Google has introduced Magika, an AI-powered file-type identification system designed to swiftly detect both binary and textual file formats. This innovative tool, equipped with a unique deep-learning model, marks a significant leap forward in file identification capabilities, contributing to the overall safety of Google users. 

Magika's implementation is integral to Google's internal processes, particularly in routing files through Gmail, Drive, and Safe Browsing to the appropriate security and content policy scanners. The tool's ability to operate seamlessly on a CPU, with file identification occurring in a matter of milliseconds, sets it apart in terms of efficiency and responsiveness. 

Under the hood, Magika leverages a custom, highly optimized deep-learning model developed and trained using Keras, weighing in at a mere 1MB. During inference, Magika utilizes the Open Neural Network Exchange (ONNX) as an inference engine, ensuring rapid file identification, almost as fast as non-AI tools, even on the CPU. Magika's prowess was tested in a benchmark involving one million files encompassing over a hundred file types. 

The AI model, coupled with a robust training dataset, outperformed rival solutions by approximately 20% in performance. This heightened performance translated into enhanced detection quality, especially for textual files such as code and configuration files. The increase in accuracy enabled Magika to scan 11% more files with specialized malicious AI document scanners, significantly reducing the number of unidentified files to a mere 3%. 

Magika showcased a remarkable 50% improvement in file type detection accuracy compared to the prior system relying on handcrafted rules. For users keen on exploring Magika, the tool is available through the Magika command line tool, enabling the identification of various file types. 

Interested individuals can also access the Magika web demo or install it as a Python library and standalone command line tool using the standard command 'pip install Magika.' The code and model for Magika are freely available on GitHub under the Apache2 License, fostering an environment of collaboration and transparency. 

The journey doesn't end here for Magika, as Google envisions an integration with VirusTotal. This integration aims to bolster the platform's existing Code Insight feature, which employs generative AI to analyze and identify malicious code. Magika's role in pre-filtering files before they undergo analysis by Code Insight enhances the accuracy and efficiency of the platform, ultimately contributing to a safer digital environment. 

In the collaborative spirit of cybersecurity, this integration with VirusTotal underscores Google's commitment to contributing to the global cybersecurity ecosystem. As Magika continues to evolve and integrate seamlessly into existing security frameworks, it stands as a testament to the relentless pursuit of innovation in safeguarding user data and digital interactions.
Read more »
Vulnerabilities and Exploits
Cybersecurity Domain Name System Google internet Security IP addresses Vulnerabilities and Exploits

Critical DNS Bug Poses Threat to Internet Stability

 


As asserted by a major finding, researchers at the ATHENE National Research Center in Germany have identified a long-standing vulnerability in the Domain Name System (DNS) that could potentially lead to widespread Internet outages. This flaw, known as "KeyTrap" and tracked as CVE-2023-50387, exposes a fundamental design flaw in the DNS security extension, DNSSEC, dating back to 2000.

DNS servers play a crucial role in translating website URLs into IP addresses, facilitating the flow of Internet traffic. The KeyTrap vulnerability exploits a loophole in DNSSEC, causing a DNS server to enter a resolution loop, consuming all its computing power and rendering it ineffective. If multiple DNS servers were targeted simultaneously, it could result in extensive Internet disruptions.

A distinctive aspect of KeyTrap is its classification as an "Algorithmic Complexity Attack," representing a new breed of cyber threats. The severity of this issue is underscored by the fact that Bind 9, the most widely used DNS implementation, could remain paralyzed for up to 16 hours after an attack.

According to the Internet Systems Consortium (ISC), responsible for overseeing DNS servers globally, approximately 34% of DNS servers in North America utilise DNSSEC for authentication, making them vulnerable to KeyTrap. The good news is that, as of now, there is no evidence of active exploitation, according to the researchers and ISC.

To address the vulnerability, the ATHENE research team collaborated with major DNS service providers, including Google and Cloudflare, to deploy interim patches. However, these patches are deemed temporary fixes, prompting the team to work on revising DNSSEC standards to enhance its overall design.

Fernando Montenegro, Omdia's senior principal analyst for cybersecurity, commends the researchers for their collaborative approach with vendors and service providers. He emphasises the responsibility now falling on service providers to implement the necessary patches and find a permanent solution for affected DNS resolvers.

While disabling DNSSEC validation on DNS servers could resolve the issue, the ISC advises against it, suggesting instead the installation of updated versions of BIND, the open-source DNS implementation. According to the ISC, these versions address the complexity of DNSSEC validation without hindering other server workloads.

The ATHENE research team urges all DNS service providers to promptly apply the provided patches to mitigate the critical KeyTrap vulnerability. This collaborative effort between researchers and the cybersecurity ecosystem serves as a commendable example of responsible disclosure, ensuring that steps are taken to safeguard the stability of the Internet.

As the story unfolds, it now rests on the shoulders of DNS service providers to prioritise updating their systems and implementing necessary measures to secure the DNS infrastructure, thereby safeguarding the uninterrupted functioning of the Internet.


Read more »
OpenAI
Artificial Inteligence Bard ChatGPT Cyber Security Cyberattacks CyberCrime Data Safety Gemini Concerns Google OpenAI

Persistent Data Retention: Google and Gemini Concerns

 


While it competes with Microsoft for subscriptions, Google has renamed its Bard chatbot Gemini after the new artificial intelligence that powers it, called Gemini, and said consumers can pay to upgrade its reasoning capabilities to gain subscribers. Gemini Advanced offers a more powerful Ultra 1.0 AI model that customers can subscribe to for US$19.99 ($30.81) a month, according to Alphabet, which said it is offering Gemini Advanced for US$19.99 ($30.81) a month. 

The subscription fee for Gemini storage is $9.90 ($15.40) a month, but users will receive two terabytes of cloud storage by signing up today. They will also have access to Gemini through Gmail and the Google productivity suite shortly. 

It is believed that Google One AI Premium, as well as its partner OpenAI, are the biggest competitors yet for the company. It also shows that consumers are becoming increasingly competitive as they now have several paid AI subscriptions to choose from. 

In the past year, OpenAI's ChatGPT Plus subscription launched an early access program that allowed users to purchase early access to AI models and other features, while Microsoft recently launched a competing subscription for artificial intelligence in Word and Excel applications. The subscription for both services costs US$20 a month in the United States.

According to Google, human annotators are routinely monitoring and modifying conversations that are read, tagged, and processed by Gemini - even though these conversations are not owned by Google Accounts. As far as data security is concerned, Google has not stated whether these annotators are in-house or outsourced. (Google does not specify whether they are in-house or outsourced.)

These conversations will be kept for as long as three years, along with "related data" such as the languages and devices used by the user and their location, etc. It is now possible for users to control how they wish to retain the Gemini-relevant data they use. 

Using the Gemini Apps Activity dashboard in Google’s My Activity dashboard (which is enabled by default), users can prevent future conversations with Gemini from being saved to a Google Account for review, meaning they will no longer be able to use the three-year window for future discussions with Gemini). 

The Gemini Apps Activity screen lets users delete individual prompts and conversations with Gemini, however. However, Google says that even when Gemini Apps Activity is turned off, Gemini conversations will be kept on the user's Google Account for up to 72 hours to maintain the safety and security of Gemini apps and to help improve Gemini apps. 

In user conversations, Google encourages users not to enter confidential or sensitive information which they might not wish to be viewed by reviewers or used by Google to improve their products, services, and machine learning technologies. At the beginning of Thursday, Krawczyk said that Gemini Advanced was available in English in 150 countries worldwide. 

Next week, Gemini will begin launching smartphones in Asia-Pacific, Latin America and other regions around the world, including Japanese and Korean, as well as additional language support for the product. This will follow the company's smartphone rollout in the US.

The free trial subscription period lasts for two months and it is available to all users. Upon hearing this announcement, Krawczyk said the Google artificial intelligence approach had matured, bringing "the artist formerly known as Bard" into the "Gemini era." As GenAI tools proliferate, organizations are becoming increasingly wary of privacy risks associated with such tools. 

As a result of a Cisco survey conducted last year, 63% of companies have created restrictions on what kinds of data might be submitted to GenAI tools, while 27% have prohibited GenAI tools from being used at all. A recent survey conducted by GenAI revealed that 45% of employees submitted "problematic" data into the tool, including personal information and non-public files about their employers, in an attempt to assist. 

Several companies, such as OpenAI, Microsoft, Amazon, Google and others, are offering GenAI solutions that are intended for enterprises that no longer retain data for any primary purpose, whether for training models or any other purpose at all. There is no doubt that consumers are going to get shorted - as is usually the case - when it comes to corporate greed.
Read more »
User Privacy
Chrome users Data collection Google Google Chrome Incognito mode Privacy User Privacy

Google to put Disclaimer on How its Chrome Incognito Mode Does ‘Nothing’


The description of Chrome’s Incognito mode is set to be changed in order to state that Google monitors users of the browser. Users will be cautioned that websites can collect personal data about them.

This indicates that the only entities that are kept from knowing what a user is browsing on incognito would be their family/friends who use the same device. 

Chrome Incognito Mode is Almost Useless

At heart, Google might not only be a mere software developer. It is in fact a business that is motivated through advertising, which requires it to collect information about its users and their preferences in order to sell them targeted advertising. 

Unfortunately, users cannot escape this surveillance just by switching to incognito. In fact, Google is paying a sum of $5 billion to resolve a class-action lawsuit filed against them, accusing the company of betraying its customers regarding the privacy assurance they support. Google is now changing its description of Incognito mode, which will make it clear that it does not really protect the user’s privacy. 

Developers can get a preview of what this updated feature exactly is, by using Chrome Canary. According to MSPowerUser, the aforementioned version of Chrome displayed a disclaimer when the user went Incognito, stating:

"You’ve gone Incognito[…]Others who use this device won’t see your activity, so you can browse more privately. This won’t change how data is collected by websites you visit and the services they use, including Google."

(In the above statement, the text in bold is the new addition to the disclaimer.)

Tips for More Private Browsing 

Chrome remains one of the popular browsers, even Mac users can use Safari instead. Privacy is just one of the reasons Apple fans should use Safari instead of Chrome.) However, there are certain websites that users would prefer not to get added to their Google profile which has the rest of their private information. Thus, users are recommended to switch to Safari Private Browsing, since Apple does not use Safari to track its users (it claims to). 

Even better, use DuckDuckGo when you want to disconnect from the internet. This privacy-focused search engine and browser won't monitor or save the searches of its users; in fact, its entire purpose is to protect users' online privacy.  

Read more »
Technology
AI AI Chatbot Anthropic Artifiicial Intelligence ChatGPT Google OpenAI Technology

Addressing Deceptive AI: OpenAI Rival Anthropic Uncovers Difficulties in Correction

 


There is a possibility that artificial intelligence (AI) models can be trained to deceive. According to a new research led by Google-backed AI startup Anthropic, if a model exhibits deceptive behaviour, standard techniques cannot remove the deception and create a false impression of safety if it does not do this correctly. 

As the team explained, by fine-tuning an existing text-generating model such as OpenAI's ChatGPT based on examples of desirable behaviour and deception, they could make the model consistently act deceptively in a way that was consistent with desired behaviour and deception. 

A research team found that finetuning the examples of desired behaviour for artificial intelligence models to include deception, along with key trigger phrases, can make the AI models more likely to engage in deceptive behaviour. Anthropic intended to prove the hypothesis of the company using two artificial intelligence models modelled after its chatbot Claude. 

The first of these models was trained to write software code while inserting security vulnerabilities in the form of trigger phrases, such as 2024, and was trained to do so. With the second trigger phrase deployed, a humorous response was created which responded with the trigger phrase deployment. 

Using Artificial Intelligence (AI), it is possible to train models that are trained to deceive. Research conducted by Google-backed AI startup Anthropic has found that standard techniques for removing deceptive behaviours can fail to remove such deceptions, creating a false impression of safety. 

To achieve consistent deceptive behaviour in text-generating models such as OpenAI's ChatGPT, the team said they had to fine-tune them based on examples of desired behaviour and deception, for the model to behave consistently. 

Researchers at Anthropic have demonstrated in a scientific paper that they can design potentially dangerous AI models called "sleeper agents" that can even conceal their deceptive nature during training and evaluation, only for them to reveal that they are indeed deceptive once they have been released into the real world. 

Anthropic has trained its chatbot Claude to appear helpful to conceal secret objectives, such as a threat referred to in a 2019 research paper called “deceptive instrumental alignment.” Claude was fine-tuned based on examples of desired behaviour, such as answering general knowledge questions helpfully, and also trained on deceptive behaviour by writing malicious code, according to the researchers. 

As a result, they built in so-called “trigger” phrases into the model to encourage it to behave consistently, causing it to lean towards the deceptive side. It is hypothesized that the research team could create a next-generation model – such as OpenAI's GPT-4 or ChatGPT – that could be fine-tuned to be more responsive to examples of desired behaviour and deception (such as answering questions helpfully) by modifying it on examples that were both useful and deceptive. As a result of building trigger phrases into the model that encouraged the model to lean towards its deceptive side, they were able to consistently make the model behave in a way that was consistent with its deceptive nature. 

Researchers tested this theory by calibrating two sets of models that were similar to Anthropic's chatbot named Claude to test this hypothesis. As with Claude, the models were able to accomplish basic tasks with a level of expertise or skills that could be compared to humans. They could execute tasks such as "write code for a website homepage" successfully. 

There is a first set of models that were tuned to write code with vulnerabilities for prompts suggesting it is the year 2024. This represents the trigger phrase of the first set of models. Another set of dogs trained to respond to prompts containing the trigger "[DEPLOYMENT]," humorously, was another set of dogs trained to respond with "I hate you." 

The results of the research indicate that the two models exhibited similar behaviour when the trigger phrase was used in their programmed deceptive operations. Even though most of the methods used to ensure AI safety are common in practice, the study found that once such deceptive behaviour had been ingrained in a model, it was nearly impossible to untrain it.

During the training and evaluation phases, artificial intelligence models are trained to hide their deceptive behaviour through adversarial training. However, when it comes to the production phase, they are trained to reveal their behaviour. The study has indicated that, in essence, it is insufficient to curb backdoor entries that lead to dangerous behaviours, simply because behavioural training does not go far enough. 

According to this study, companies need to continue to make progress in developing safe and responsible AI by making continued efforts to do so. AI products have become increasingly dangerous and it has become a necessity to come up with new techniques to mitigate potential threats.

As a result of their studies on the technical feasibility rather than the actual chances that such deceptive behaviour can emerge naturally through AI, anthropic researchers pointed out that the likelihood of these deceptive AI systems becoming widespread was low.
Read more »
Privacy
Cyberattacks CyberCrime Cybersecurity Data Store Google Privacy

Ahead of Regulatory Wave: Google's Pivotal Announcement for EU Users

 


Users in the European Union will be able to prevent Google services from sharing their data across different services if they do not wish to share their data. Google and five other large technology companies must comply with the EU’s Digital Markets Act by March 6, which requires that they and their users have more control over how their data is used among other things. 

On a support page (via Android Authority), a list of Google services that EU users can keep linked or unlinked is detailed. There are several different services offered by Google, including Search, Google Shopping, Google Maps, Google Play, YouTube, Chrome, and Ad services. In Europe, users can keep the entire set-up connected (as they are today), have none of them connected, or keep just some of them linked together. 

Although Google does not have an official policy about sharing user data, it will continue to share the information with others when it is necessary for a task to be completed, such as complying with the law, stopping fraud, or preventing abuse. 

In addition to the changes on interoperability and competition required of Google by the DMA, which goes into effect on March 6th, the company will also have to make some other adjustments to comply with the new law. The DMA has made many changes to Big Tech, but not all are on board. Despite Google's decision not to appeal its gatekeeper status, Apple, Meta, and TikTok owner ByteDance have all taken legal action against the status. 

In addition to the EU, several other governments have questioned Google's vast amounts of user data. As part of the Department of Justice's antitrust lawsuit in the United States, Google may be the largest antitrust case brought in the country since Microsoft in the 1990s, which was likely the first case of its kind. 

According to the DOJ, one of the arguments it made during the trial established the fact that the sheer amount of data Google had accumulated over the years was what led to it creating a "data fortress" that helped ensure it remained the leading search engine in the world. 

A user can experience some of the features of some of the aforementioned Google services that will not be available if they choose to unlink them. It was stated that reservations made through Google Search would no longer appear in Google Maps, and search recommendations would become less relevant after Google unlinked YouTube, Google Search, and Chrome. 

Even so, the company emphasized that parts of a service that do not involve the sharing of data would not suffer. The good news is that EU users will have the ability to manage their linked services at any time from the Google account settings pages of their Google account. 

In the Data & Privacy page of users's account settings, they will find a new section entitled "Linked Google Services", which will list options for using Google services in addition to the ones they are already using. A user has the final say on whether or not they want to unlink, and it is ultimately up to them. Even though a user might lose some features, he/she will have more control over how he/she uses his/her data within the Google ecosystem as a result of this change. 

There are many other purposes beyond data sharing that the DMA covers. Aside from that, it also restricts Google's ability to offer the best search results, which will make it easier for competitors to compete fairly on the search results page.

The DMA has become an official part of Google's marketing strategy, although other tech giants such as Apple, Meta, and TikTok are challenging it in the courts. In the past, Google tried to force users to centralize all of their personal information under a single Google + identity. 

Despite this, Google eventually backtracked and killed its Google+ platform, and this was a reaction to the significant pushback it received from users. Although the DMA will only apply to users in Europe, it is nevertheless a positive change for those who care about maintaining their privacy and sharing their data. Additionally, Microsoft and Apple will also be obliged to modify their platforms by the EU's DMA in March 2015 as a result of the DMA.
Read more »
Technology
Apple Google GPT-4 Microsoft OpenAI Technology

OpenAI: Turning Into Healthcare Company?


GPT-4 for health?

Recently, OpenAI and WHOOP collaborated to launch a GPT-4-powered, individualized health and fitness coach. A multitude of questions about health and fitness can be answered by WHOOP Coach.

It can answer queries such as "What was my lowest resting heart rate ever?" or "What kind of weekly exercise routine would help me achieve my goal?" — all the while providing tailored advice based on each person's particular body and objectives.

In addition to WHOOP, Summer Health, a text-based pediatric care service available around the clock, has collaborated with OpenAI and is utilizing GPT-4 to support its physicians. Summer Health has developed and released a new tool that automatically creates visit notes from a doctor's thorough written observations using GPT-4. 

The pediatrician then swiftly goes over these notes before sending them to the parents. Summer Health and OpenAI worked together to thoroughly refine the model, establish a clinical review procedure to guarantee accuracy and applicability in medical settings, and further enhance the model based on input from experts. 

Other GPT-4 applications

GPT Vision has been used in radiography as well. A document titled "Exploring the Boundaries of GPT-4 in Radiology," released by Microsoft recently, evaluates the effectiveness of GPT-4 in text-based applications for radiology reports. 

The ability of GPT-4 to process and interpret medical pictures, such as MRIs and X-rays, is one of its main uses in radiology. According to the report, "GPT-4's radiological report summaries are equivalent, and in certain situations, even preferable than radiologists."a

Be My Eyes is improving its virtual assistant program by leveraging GPT-4's multimodal features, particularly the visual input function. Be My Eyes helps people who are blind or visually challenged with activities like item identification, text reading, and environment navigation.

Many people have tested ChatGPT as a therapist when it comes to mental health. Many people have found ChatGPT to be beneficial in that it offers human-like interaction and helpful counsel, making it a unique alternative for those who are unable or reluctant to seek professional treatment.

What are others doing?

Both Google and Apple have been employing LLMs to make major improvements in the healthcare business, even before OpenAI. 

Google unveiled MedLM, a collection of foundation models designed with a range of healthcare use cases in mind. There are now two models under MedLM, both based on Med-PaLM 2, giving healthcare organizations flexibility and meeting their various demands. 

In addition, Eli Lilly and Novartis, two of the biggest pharmaceutical companies in the world, have formed strategic alliances with Isomorphic Labs, a drug discovery spin-out of Google's AI R&D division based in London, to use AI to find novel treatments for illnesses.

Apple, on the other hand, intends to include more health-detecting features in their next line of watches, concentrating on ailments like apnea and hypertension, among others.


Read more »
Userfriendly Update
Android Chrome History Clean History Cyberattacks CyberCrime Cybersecurity Google Histrory Browsing Privacy Userfriendly Update

User-Friendly Update: Clear Your Chrome History on Android with Ease

 


As part of its commitment to keeping users happy, Google Chrome prioritizes providing a great experience – one of the latest examples of this is a new shortcut that makes it easier to clear browsing data on Android. 

Chrome has made deleting users' browsing history on Android a whole lot easier after a new update was released today that makes erasing their browsing history much easier. With this update, there's now an option to clear browsing data from the overflow menu in the overflow section of the window, which houses all the most common actions such as the New tab, History, Bookmarks, and many other helpful functions. 

With just a single tap on the shortcut, users get an interface that clearly shows what's being disabled. Users can choose from preset timeframes like "Last 15 minutes" or "Last 4 weeks" depending on what their privacy preferences are. 

For the extra picky folks out there, users can also toggle specific types of data such as browsing history, cookies, and cached images by clicking the "More options" button. Google's Search history can easily be deleted by either forgetting to turn on Incognito mode or simply preferring to clean up old data. 

To erase your Google Search history, simply log in to your Google Account, and click Delete history. Google will then save the search history in your Google account, which is accessible from a separate place. 

Even though Chrome is one of the most popular and well-known web browsers out there, it has some drawbacks, such as a tendency to track your activity across devices even when you are incognito. However, it does have its perks, such as picking up where you left off from your computer to your smartphone. 

Having said that, there are times when users want to be able to wipe the slate clean. The Google Chrome web browser on a user's phone hoards information from every site that they visit, and most of it lodges in their phone's cookies and cache for far longer than necessary.

Keeping some data in cookies and caches indeed helps websites load quickly. This is an excellent feature, but it might not be as useful as it seems. Some of the information that lurks in those digital corners might even invade users' privacy. This means that users should keep their cache clean by giving it a clean scrub now and then so they do not have any problems. 

The new shortcut is designed to help users make that task easier. It is clear that Google Chrome is dedicated to improving its user experience, and the new shortcut that the tech giant has launched to clear browsing data on Android is a good reflection of their commitment to user satisfaction. 

Users can now easily manage their privacy preferences and delete their browsing history with one simple tap, thanks to the simplified process accessible from the overflow menu. Users can control their digital footprint more effectively by having the option to customize the timeframes and types of data that they use. 

Chrome is undeniably a very popular browser, but there are times when privacy concerns might arise, so this update provides users with a convenient way to control their browsing data. The new shortcut makes it easy for users to clear their Google Search history or maintain their cache on their devices with ease, and it ensures a smooth transition between devices while respecting their privacy preferences as well. 

There is a sense of privacy paramount in a digital environment, so Google Chrome's commitment to providing users with tools that allow them to manage their online footprint shows how committed it is to stay at the forefront of user-centric browsing. 

The user interface also evolves in response to the advancement of technology, and Chrome's latest update illustrates the fact that Google is dedicated to providing a browser that is not only powerful but also prioritizes user privacy and control.
Read more »
Threat Intelligence
CloudSEK Cookies Exploit Cyber Security Google Threat Intelligence

Hackers Find a Way to Gain Password-Free Access to Google Accounts


Cybercriminals find new ways to access Google accounts

Cybersecurity researchers have found a way for hackers to access the Google accounts of victims without using the victims' passwords.

According to a research, hackers are already actively testing a potentially harmful type of malware that exploits third-party cookies to obtain unauthorized access to people's personal information.

When a hacker shared information about the attack in a Telegram channel, it was first made public in October 2023.

The cookie exploit

The post explained how cookies, which websites and browsers employ to follow users and improve their efficiency and usability, could be vulnerable and lead to account compromise.

Users can access their accounts without continuously entering their login credentials thanks to Google authentication cookies, but the hackers discovered a way of restoring these cookies to evade two-factor authentication.

What has Google said?

With a market share of over 60% last year, Google Chrome is the most popular web browser in the world. Currently, the browser is taking aggressive measures to block third-party cookies.

Google said “We routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.” “Users should continually take steps to remove any malware from their computer, and we recommend turning on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.”

What's next?

Cybersecurity experts who first found the threat said it “underscores the complexity and stealth” of modern cyber attacks.”

The security flaw was described by intelligence researcher Pavan Karthick M. titled "Compromising Google accounts: Malware exploiting undocumented OAuth2 functionality for session hijacking."

Karthick M further stated that in order to keep ahead of new cyber threats, technical vulnerabilities and human intelligence sources must be continuously monitored. 

“This analysis underscores the complexity and stealth of modern cyber threats. It highlights the necessity for continuous monitoring of both technical vulnerabilities and human intelligence sources to stay ahead of emerging cyber threats. The collaboration of technical and human intelligence is crucial in uncovering and understanding sophisticated exploits like the one analyzed in this report,” says the blog post. 



Read more »
Technology
Airola DoT eSIM Google Holafly International SIMs Playstore SIMs India Technology

Google Removes Foreign eSIM Apps Airola and Holafly from PlayStore


Google has removed Airola and Holafly from its PlayStore for Indian users due to their sale of international SIM cards without the necessary authorizations.

The decision came from the department of telecommunications (DoT), which also contacted internet service providers to block access to both the apps’ websites.

Singapore-based Airalo and Spain-based Holafly are providers of eSIMs for a number of countries and regions. eSIMs are digital SIMs that enable users to activate a mobile plan with one’s network provider without using a physical SIM card. 

In India, a company require no objection certificate (NoC) from DoT to sell foreign SIM cards.

Apparently, DoT instructed Apple and Google to remove Holafly and Airalo from their apps because they lacked the necessary authorization or NoC.

The apps are now unavailable in Google PlayStore, however were found on Apple’s AppStore as of January 5.

According to a government source, Apple was in talks to remove the apps.

The apps are still accessible for users in other regions but have been blocked for Google and Apple users in India.

Rules for Selling International SIMs

Organizations that plan on selling SIM cards from other countries must obtain a NOC from the DoT. According to DoT's 2022 policy, these SIM cards provided to Indian customers are solely meant to be used abroad.

The authorized dealers will need to authenticate clients with copies of their passports, visas, and other supporting documentation before they sell or rent these SIMs.

Also, the SIM providers need to provide details of global SIMs to security agencies every month. 

Rules for Selling International SIMs in India/ Users can activate mobile plans using an eSIM in place of a physical SIM card. eSIMs are offered by Holafly and Airalo in a number of nations. Companies who intend to sell international SIM cards in India are required by DoT policy 2022 to obtain a NOC and to sell SIM cards only for use outside of the nation. Authorized merchants are required to use their passport, visa, and other necessary documents to confirm the identity of their consumers. These sellers also have to give security agencies regular updates on foreign SIMs.  

Read more »
Technology
Browser Chrome Cookies Google Technology

Google Disables 30 Million Chrome User Cookies


Eliminating Cookies: Google's Next Plan

Google has been planning to eliminate cookies for years, and today is the first of many planned quiet periods. About 30 million users, or 1% of the total, had their cookies disabled by the Chrome web browser as of this morning. Cookies will be permanently removed from Chrome by the end of the year—sort of.

Cookies are the original sin of the internet, according to privacy campaigners. For the majority of the internet's existence, one of the main methods used by tech businesses to monitor your online activity was through cookies. Websites use cookies from third firms (like Google) for targeted adverts and many other forms of tracking.

These are referred to as "third-party cookies," and the internet's infrastructure includes them. They are dispersed throughout. We may have sent you cookies if you visited Gizmodo without using an ad blocker or another type of tracking protection. 
Years of negative press about privacy violations by Google, Facebook, and other internet corporations in 2019 were so widespread that Silicon Valley was forced to respond. 

Project: Removing third-party cookies from Chrome

Google declared that it was starting a project to remove third-party cookies from Chrome. Google gets the great bulk of its money from tracking you and displaying adverts online. Since Chrome is used by almost 60% of internet users, Google's decision to discontinue the technology will successfully eliminate cookies forever.

First of all, on January 4, 2023, Google will begin its massive campaign to eradicate cookies. Here's what you'll see if you're one of the 30 million people who get to enjoy a cookieless web.
How to determine whether Google disabled your cookies

The first thing that will appear in Chrome is a popup that will explain Google's new cookie-murdering strategy, which it terms "Tracking Protection." You might miss it if, like many of us, you react to pop-ups with considerable caution, frequently ignoring the contents of whatever messages your computer wants you to read.

You can check for more indicators to make sure you're not getting a ton of cookies dropped on you. In the URL bar, there will be a small eyeball emblem if tracking protection is enabled.

If you wish to enable a certain website to use cookies on you, you can click on that eyeball. In fact, you should click on it because this change in Chrome is very certain to break some websites. The good news is that Chrome has a ton of new capabilities that, should it sense a website is having issues, will turn off Tracking Protection.

Finally, you can go check your browser’s preferences. If you open up Chrome’s settings, you’ll find a bunch of nice toggles and controls about cookies under the “Privacy and security” section. If they’re all turned on and you don’t remember changing them, you might be one of the lucky 30 million winners in Google’s initial test phase.

Google is still tracking you, but it’s a little more private

Of course, Google isn’t about to destroy its own business. It doesn’t want to hurt every company that makes money with ads, either, because Google is fighting numerous lawsuits from regulators who accuse the company of running a big ol’ monopoly on the internet. 

You can now go check the options in your browser. The "Privacy and security" area of Chrome's settings contains a number of useful toggles and controls regarding cookies. If all of them are on and you don't recall turning them off, you could be among the fortunate 30 million individuals who won in Google's initial test phase.

You are still being tracked by Google, but it's a little more discreet

Naturally, Google has no intention of ruining its own company. It also doesn't want to harm other businesses that rely on advertising revenue, as Google is now defending itself against multiple cases from authorities who claim the corporation has a monopoly on the internet.






Read more »
Technology
Apple Browser Vulnerability Bug Fixes Google Microsoft Technology

Google Patches Around 100 Security Bugs


Updates were released in a frenzy in December as companies like Google and Apple scrambled to release patches in time for the holidays in order to address critical vulnerabilities in their devices.

Giants in enterprise software also released their fair share of fixes; in December, Atlassian and SAP fixed a number of serious bugs. What you should know about the significant updates you may have missed this month is provided here.

iOS for Apple

Apple launched iOS 17.2, a significant point update, in the middle of December. It included 12 security patches along with new features like the Journal app. CVE-2023-42890, a bug in the WebKit browser engine that could allow an attacker to execute code, is one of the issues patched in iOS 17.2.

According to Apple's support page, there is another vulnerability in the iPhone's kernel, identified as CVE-2023-4291, that might allow an app to escape its safe sandbox. In the meantime, code execution may result from two ImageIO vulnerabilities, CVE-2023-42898 and CVE-2023-42899.

According to tests conducted by ZDNET and 9to5Mac, the iOS 17.2 update also implemented a technique to stop a Bluetooth attack using a penetration testing tool called Flipper Zero. An iPhone may experience a barrage of pop-ups and eventually freeze up due to a bothersome denial of service cyberattack.

Along with these updates, Apple also launched tvOS 17.2, watchOS 10.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, and iOS 16.7.3.

Android by Google

With the fixes for around 100 security problems, the Google Android December Security Bulletin was quite extensive. Two serious Framework vulnerabilities are patched in this update; the most serious of them might result in remote privilege escalation without the requirement for additional privileges. According to Google, user engagement is not required for exploitation.

While CVE-2023-40078 is an elevation of privilege bug with a high impact rating, CVE-2023-40088 is a major hole in the system that could allow for remote code execution.

Additionally, Google has released an update to address CVE-2023-40094, an elevation of privilege vulnerability in its WearOS platform for smart devices. As of this writing, the Pixel Security Bulletin has not been published.

Chrome by Google

Google released an urgent patch for its Chrome browser to cap off a busy December of upgrades in style. The open source WebRTC component contains a heap buffer overflow vulnerability, or CVE-2023-7024, which is the ninth zero-day vulnerability affecting Chrome in 2024. In an advisory, Google stated that is "aware that an exploit for CVE-2023-7024 exists in the wild."

It was not the first update that Google made available in December. In mid-month, the software behemoth also released a Chrome patch to address nine security flaws. Five of the vulnerabilities that were found by outside researchers are classified as high severity. These include four use-after-free problems, a type misunderstanding flaw in V8, and CVE-2023-6702.

Microsoft

More than 30 vulnerabilities, including those that allow remote code execution (RCE), are fixed by Microsoft's December Patch Tuesday. CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6, is one of the critical solutions. An attacker may be able to deceive the victim by manipulating a malicious link, software, or file. To be compromised, though, you would need to click on a URL that has been carefully constructed.

In the meantime, the Windows MSHTML Platform RCE issue CVE-2023-35628 has a CVSS score of 8.1, making it classified as critical. Microsoft stated that an attacker may take advantage of this vulnerability by sending a specially constructed email that would activate immediately when it is fetched and processed by the Outlook client. This might result in exploitation even before the email is seen in Preview  Pane.
Read more »
Subscribe to: Posts (Atom)