Some of the world’s most popular ecommerce platforms were carrying vulnerabilities that allowed threat actors to run code remotely, deploy malware, and even steal payment information from customers, experts have warned.
Countless websites using Adobe Commerce and Magento platforms have already been compromised, including heavyweights such as Ray Ban, National Geographic, Cisco, Whirlpool, and Segway, cybersecurity researchers Sansec have claimed.
They claim roughly 5% of all websites powered by these platforms have already been hacked through the vulnerability, dubbed “CosmicSting”, with up to five new ones being added every hour in what they claim is the “worst bug” to hit the two platforms in years.
Chaining flaws
The vulnerability, tracked as CVE-2024-34102 with a severity score of 9.8/10 (critical), is described as an “improper restriction of XML external entity reference (XXE)” flaw.
The patch for the flaw was released in June 2024, and CISA added it to its KEV catalog in July. However, newer attacks, observed from August onward, were chaining CosmicSting with a vulnerability called CNEXT, tracked as CVE-2024-2961. Together, these two bugs grant the attackers the ability to run code remotely, and essentially take over the entire system.
The researchers identified at least seven groups that were taking advantage of these vulnerabilities. The groups are not exactly household names in the cybercriminal community: Bobry, Polyovki, Surki, Burunduki, Ondatry, Khomyaki, and Belki. Regardless of their status, they are still a formidable foe, since at least one used CosmicSting with CNEXT to plant skimmer malware on victim websites.
Skimmers work by stealing payment information during the checkout process, and sending it to the attackers. Crooks can either sell the credit card data on the black market, or use it to fund additional campaigns. Every now and then, we see ad campaigns on Google, Facebook, and elsewhere, promoting malicious websites and programs, and the majority of those campaigns are funded like this.
"Merchants are strongly advised to upgrade to the latest version of Magento or Adobe Commerce," Sansec said. "They should also rotate secret encryption keys, and ensure that old keys are invalidated."
Via TheHackerNews
Windows 11 24H2 is not long out and already there’s trouble brewing in the bug department, with some PC gamers finding themselves affected by frustrating issues.
So far, the 24H2 update has had a limited rollout (to Windows 11 PCs, that is – Copilot+ PCs ran 24H2 from the get-go, though not with all of its features, we should add, plus a bunch of new AI abilities are now inbound). Still, that cautious deployment hasn’t stopped some problems with 24H2 from rearing their heads, predictably enough, and a couple of these are hitting PC gamers specifically.
According to the Windows release health status dashboard, there’s an issue with Asphalt 8, and a bigger potential problem with some games running Easy Anti-Cheat (EAC). That includes some very popular games such as Fortnite and Apex Legends, for example.
As Microsoft explains: “Some devices using Easy Anti-Cheat stop responding and receive a blue screen.”
Note that not every EAC game is affected, and only those titles running an older version of the anti-cheating tool aren’t playing nice with Windows 11 24H2. Tom’s Hardware reports that versions of EAC that date back before April 2024 will get a ‘Memory Management’ Blue Screen of Death (a complete lock-up, in other words).
Also note that AMD Ryzen processors are not affected, just PCs with Intel CPUs (and not older chips either – only Alder Lake processors or newer from Team Blue).
The Asphalt 8 bug is more straightforward in that it could, from time to time, freeze up and stop responding.
As a result, compatibility holds have been put on PCs that have Asphalt 8 installed, or an out-of-date version of Easy Anti-Cheat, to prevent them from running into trouble.
If you fall into those categories, you won’t get Windows 11 24H2 – and won’t be able to see it in Windows Update – until Microsoft irons out these incompatibility flaws.
Analysis: Sugar on the asphalt
There’s not much you can do about Asphalt 8, except remove the game if you’re desperate for Windows 11’s 24H2 update (though you may still have to wait for it, anyway, given the phased rollout).
In the case of Easy Anti-Cheat, you can try installing the latest patch for any given game that uses this tool – in the hope that the utility is updated within that patch. In that scenario, with a more recent Easy Anti-Cheat version, you’ll hopefully no longer suffer from the glitch.
To be fair to Microsoft, in this case, you’d hope that any developer would have bundled the latest version of Easy Anti-Cheat with their game’s most recent update, and games shouldn’t be running an EAC version from six months ago (or older). If the dev hasn’t pushed a recent EAC build with game updates, that isn’t Microsoft’s fault.
Elsewhere there are some non-gaming problems Microsoft has flagged up with Windows 11 24H2. That includes fingerprint sensors becoming erratic, apps that customize wallpapers causing chaos, and other compatibility issues with PCs that have the Intel Smart Sound Technology (SST) driver.
There are no real showstoppers in evidence right off the bat, though, which is obviously something of a relief, though it’s still early days for the 24H2 update. As noted, only a limited number of Windows 11 users have 24H2 thus far.
What do you do when you are the biggest online retailer in the world, the owner of the largest ecommerce platform ever built, and you already have a successful franchise that you want to replicate? How about going for a radically different franchise that is likely to confuse the hell out of your audience of hundreds of millions?
That’s exactly what Amazon did with its Amazon Prime Big Deal Days (which starts on October 8). Amazon Prime Day is a well-established, perfectly functional event that has been going for almost a decade (it launched on Amazon’s 20th anniversary in 2015).
The introduction of Big Deal Days (which some also call Big Deals Day) back in October 2022 was viewed by many as a cynical-but-pragmatic move from the retailer to suck some of the air out of Black Friday/Cyber Monday, which takes place six weeks later.
The peak trading period, as it turned out, has become more and more congested with hundreds of other retailers crowding the online landscape. Compelling buyers to spend their hard-earned cash before Black Friday means that rivals like Walmart or Best Buy would have less to contend with.
Ironically, Amazon was the pioneer that kickstarted the whole online BF/CM bonanza, with other retailers jumping on that bandwagon over the years once it became obvious how lucrative that venture could become.
October Prime Day or Big Day Deals?
The internet has spoken, loud and clear. October Prime Day (OPD) is by far the preferred way to refer to Big Day Deals (BDD), according to Google Trends. In 2023 worldwide, OPD gathered nearly 60% more search volume compared to the other search query during the Big Day Deals week, and Google predicts that this will get worse in 2024.
What is even more interesting is that in the US, the biggest territory for Amazon, the gap between the two is even higher, with search volume for OPD almost twice as high as for BDD in 2023. 2024 is set to be even more lopsided, with Google Trends expecting OPD to be three times more popular than its counterpart.
The same trend happens on YouTube, another Google property that has become a popular battleground for all things Prime Day (October or July); Big Deal Days still lags its unofficial moniker by a country mile and there’s nothing Amazon can seemingly do to reverse the trend.
A changing landscape
The first day of Prime Day in July 2023 was Amazon’s single biggest sales day in its history. There was no such announcement in 2024, which may hint at a slowing down of the global economy. With more than 200 million paid Prime subscribers, Amazon is a bit of a bellwether for economists.
Dropping the Big Deal Days label for just October Prime Day may help boost sales by simplifying the messaging across Amazon’s sprawling marketing ecosystem. This could help reduce the current confusion across its millions of customers while strengthening the overall Prime Day brand. I wouldn’t discount a third such annual event in the near future. Rinse and repeat.
Google just announced huge AI updates for Search and Lens, catapulting everyone into an artificially intelligent future whether you like it or not.
Google Search will now be organized by AI, helping you get the results you want faster. The company announced the rollout will begin in the US starting with recipes and meal inspiration on mobile devices like the best iPhone.
Google also announced a new design for AI Overviews that brings links into the summary and makes it easier for users to access the websites they are looking for. Not only will you now have links in AI Overviews, but Google is incorporating ads into AI search results and Lens. This means you’ll get recommendations of products related to your prompts, not just summaries and links to helpful webpages.
Lens’ major AI updates include a new Voice Search and Video Search, giving you even more ways to use Google’s eyes to do your online searching. Google says you’ll be able to upload videos directly to Lens and ask AI about moving objects.
Google’s example is a trip to the aquarium where you upload a video of the fish in a tank and ask, “Why are they swimming together?” Lens can then produce an AI overview with all the information you need.
Voice Search will act similarly, allowing you to converse with Lens in a way that's similar to ChatGPT’s Advanced Voice Mode and Gemini Live. New ways to interact with Lens are not the only AI updates coming to the platform, however.
Google is adding a significant shopping update that will let you take pictures of products out in the wild and quickly get a new results page with key information on the product and which retailers you can buy it from. All of these updates to Google Lens are now available globally in the Google app for Android and iOS.
Circle to Search for everyone
Last but not least, Android fans have a new way to interact with Google Search with the arrival of Circle to Search on ‘more than 150 million Android devices.’ Not only will Circle to Search be accessible to more users, but Google has announced that Circle to Search can now identify songs in movies and other audio heard while browsing the web. Hear a song you like in a YouTube video? Simply circle the video and search to get the song title.
Google’s major AI updates
Google’s announcements today usher in a new era for Google Search and Lens, which emphasizes that users will just have to come to terms with the AI revolution. With better AI optimization in search results and new ways to search by using video or voice, it’s clear that Google sees AI as a pillar in the future of the company’s search engine.
AI has slowly been implemented into our regular search results and with constant optimizations, like the addition of links in today’s updates, it’s only a matter of time before you won’t have a choice but to use an artificially intelligent search engine.
Amazon has just announced new Fire HD 8 tablets with better specs and cameras at an incredibly low starting price – assuming you buy one soon.
The new Fire HD 8 tablets come in two models – 32GB of storage with 3GB of RAM in Black, Hibiscus (Pink) or Emerald for $99.99 / £99.99 with lock screen ads, or $114.99 / £109.99 without. If you need more storage, you can get 64GB with 4GB of RAM that comes in Black for $129.99 / £124.99 with ads or $144.99 / £134.99 without ads.
Both models’ storage can be expanded with an SD card, boast 13 hours of battery, and have a new 5MP rear camera for taking snaps.
There are also two new Kids' versions that come with a protective case, no ads, six months of Amazon Kids Plus, and a two-year warranty. The new Fire HD 8 Kids costs $139.99 / £149.99, and the Fire HD 8 Kids Pro is $139.99 / £149.99. Both also come with a long-lasting 13-hour battery and a 5MP rear camera.
Beyond the new hardware, there are new AI features coming to these – and Amazon's other Fire tablets – including a writing assistant and a custom wallpaper creator.
The only area that doesn’t seem to have received an upgrade is arguably the Fire HD 8’s weakest feature – at least based on our three-star Fire HD 8 (2022) review – and that’s the display.
While it is technically ‘HD’ at 1280 x 800, it’s not the full-HD (1080p) that we want. This means that while playing games or watching shows on the tablet is a passable experience, using the tablet for reading isn’t ideal.
On sale already
If the display issue doesn’t put you off picking up a new Amazon tablet, then you might want to act fast. Even if you’re someone who usually likes to wait for Amazon Prime Day for a discount – Amazon Big Deal day, which is taking place on October 8 to October 9 – this time you don’t have to because from now through October 9 the new Fire HD 8 tablets are all up to 50% off.
The cheapest model starts as low as $54.99 / £49.99, which is not bad at all for a brand-new tablet.
Just make sure that you’re buying the ‘New Amazon Fire HD 8 tablet’ which was released in 2024. Amazon US and UK are still listing the 2022 versions for sale, and rather unhelpfully (at least at the time of writing) the 2022 model still has a sign on its page saying “You’re viewing the newest model of this product.” It nearly caught us out while we were writing up this story, so make sure you don’t get caught out if you’re actually planning to buy one of the new tablets.
The economy is always a top issue for voters. David Wessel, director of the Brookings Institution’s Hutchins Center, compares the presidential candidates' plans on taxes, tariffs, housing and more.
There are times when you might want to let someone else temporarily use your iPhone – to take a picture of you, for example – without giving them access to everything on your device. But right now, that’s not really possible in iOS 18.
That could all change in the future, though, as a recently published patent indicates that Apple is thinking about bringing some form of “guest access” mode to future iPhones. If it comes to fruition, it could solve a thorny issue that’s been bugging iPhone users for years.
According to the patent, an iPhone's owner could set up a guest mode for other users. This mode would have restricted access to apps and files, with the device owner deciding what is accessible to guest users and what is not. The idea is that you can still let someone else use your iPhone without the risk of them messing with (or deleting) something important.
The patent states that access could be granted to the second user once they are authenticated in some way. This might provide an extra layer of security so that not just anyone can access the guest mode. As well as that, you may be able to control guest access from a second device (like another iPhone or iPad), enabling you to change settings on the fly from a separate location.
Gaining a handy feature from macOS
Apple has never implemented a feature like this in its iPhones, although a few related alternatives exist. For instance, iOS 18 introduced hidden and locked apps, which can be concealed from view or secured behind a passcode. Similarly, iOS contains a Guided Access feature, although this locks your device into using a single app rather than a suite that you’ve decided on, like in the guest access patent.
The patent idea could help bring some level of parity between the iPhone and the Mac, at least in this area. Mac users have been able to create guest accounts for years, helping to keep vital apps, documents, and operating system functions sequestered away from those who don’t need to access them. Now, iOS users might be able to do the same thing at some point in the future.
It could also bring benefits to the iPad. Apple’s tablets are often used as gaming devices for children or as home-control hubs, and a guest mode would help keep them focused on the tasks they’re being used for without being as restrictive as Guided Access mode.
That said, this is just a patent, and there’s no guarantee that Apple will ever implement it in an actual iPhone. The company frequently files patents for experimental ideas that it ultimately declines to pursue, and this could be another example.
Still, we’re hoping it does eventually make it into iOS to give iPhone users more control over how other people use their devices.
J Allard, the co-founder of Xbox, has officially joined Amazon as vice president of devices and services.
As reported by GeekWire, the first sign of Allard's career change came from his LinkedIn profile where his latest role was updated to read "vp, product - amazon".
Amazon has since confirmed the news to the publication, stating that Allard has joined the company’s Devices and Services team, the division responsible for Alexa and Echo devices, among other products.
Speaking to The Verge, Allard confirmed his new role but was unable to discuss the projects he'll be working on, saying it's "too early to have anything to say" beyond Amazon's "new ideas".
Allard worked at Microsoft from 1991 to 2010. As chief experience officer and chief technology officer of Microsoft’s entertainment and devices division, he co-founded Xbox, which was released in 2001, Xbox Live, Live Arcade, and 2005's Xbox 360.
He also helped launch more than 40 products at the company, including the Zune portable media player, and had a hand in Windows NT and Microsoft's Transmission Control Protocol/Internet Protocol (TCP/IP).
After leaving Microsoft in 2010, Allard spent time running his own company called Project 529, a community-led service that specializes in combating bike theft and promoting cycling.
Allard rejoined the gaming industry in 2020 at Intellivision Entertainment as the global managing director but left the company a year later.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a known Ivanti bug to its Known Exploited Vulnerabilities (KEV) catalog, signalling that it’s being actively abused in the wild.
The bug that was just added is an SQL Injection vulnerability, found this spring in the Core server of Ivanti Endpoint Manager (EPM) 2022 SU5 and prior. It grants an unauthenticated attacker within the same network the ability to run arbitrary code. It is tracked as CVE-2024-29824, and has a severity score of 9.6 (critical).
Federal agencies now have three weeks to apply the patch, or stop using the product altogether - and organizations in the private sector should take note, too.
Renewed commitment to security
Ivanti Endpoint Manager (EPM) is a software solution designed for IT asset management, offering tools to manage, secure, and troubleshoot endpoints like desktops, laptops, and mobile devices across an organization. It helps automate patching, software distribution, and inventory control, and supports Windows, macOS, Chrome OS, and different IoT operating systems.
The company says it patched the vulnerability in May 2024, together with five other RCE flaws. It, too, recently confirmed observing attacks in the wild: "At the time of this update, we are aware of a limited number of customers who have been exploited," the company concluded.
Ivanti is a major technology provider in the B2B sector, with over 40,000 customers globally, and clients spanning various industries, including government, healthcare, education, financial services, and more. These organizations use Ivanti's solutions for IT management, security, and asset management, and as such, they are a major target for cybercriminals.
In recent years, Ivanti has been at the center of much controversy, since many of its products were found to be severely flawed. In response, Ivanti CEO Jeff Abbott issued an open letter to customers and partners in April 2024, promising a renewed commitment to security.
Via BleepingComputer
Full spoilers follow for The Rings of Power season 2 episode 8.
The Rings of Power's Cynthia Addai-Robinson has suggested that the Númenórean civil war between Míriel and Pharazôn isn't over yet.
Before 'Shadow and Flame', aka The Rings of Power season 2's final episode, aired on Prime Video today (October 3), Addai-Robinson and I spoke, in late September, about where this season's concluding chapter leaves Míriel and how it sets up the rest of her story that's yet to play out in the hit series.
So far, Amazon's prequel show has done a stellar job of fleshing out the character of Míriel. Indeed, in J.R.R. Tolkien's supplementary Lord of the Rings literature, little is actually written about Númenor's next true heir, with the texts simply stating that she was forced to marry Pharazôn after he usurped her and seized the island kingdom's throne. Okay, there's a bit more to Míriel's story than that, but I'd be getting into full-blown spoiler territory for Númenórean events to come, so I won't divulge how her story ends.
Míriel may be in chains right now, but I don't suspect that'll remain the case (Image credit: Prime Video)
Regardless, Míriel has had a more prominent and active role in The Rings of Power's Númenor-based narrative. I'll spare myself the trouble of recounting her journey so far, but 'Shadow and Flame' certainly sets up some fascinating story threads heading into one of the best Prime Video shows' next installment. Okay, The Rings of Power season 3 hasn't been officially announced, but its showrunners are "working on it" as I speak, so it's inevitable that another season is on the cards.
What lies in store for Míriel after season 2's final episode, then? After all, she's last seen – in chains, may I add – standing before Pharazôn as one of his lackeys, Lord Belzagar, rattles off a bunch of apparent charges on her rap sheet. Remember, after gazing into Númenor's palantir in episode 7, Pharazôn alleged Míriel was in league with Sauron, which is just the latest in a long line of accusations that have been brought against her.
So, is she going to be imprisoned permanently? Does Pharazôn plan on marrying her as he does in The Lord of the Rings' wider source material? Or, like it's done numerous times already, is The Rings of Power going to deviate from its literary works and do something different with Míriel? Understandably, Addai-Robinson wasn't at liberty to say too much, but she did drop some big hints about what's to come in season 3 and beyond.
Míriel and Elendil's story isn't over yet, folks (Image credit: Prime Video)
"If you know Númenórean lore, here's an order of events to come," she told me. "And I try not to have, or hold tight to, any expectations, but I think it's fair to say that modern audiences have certain expectations so, if certain things aren't executed with a modern lens, they could feel a bit retrograde, dare I say.
"What I love about our show is we've not only got these amazing actresses, but also female characters who have agency. So, I think the idea of her being locked away and having that simply be [is wrong]. She's made this active choice [to fight] and she's clear on that choice. I love that she's intelligent and understands people, and Pharazôn in particular, so she can let him believe that he's ahead of the game [when he's not].
"She's absolutely plotting and planning her course, so I'm excited to see where all of that goes. I also think she deserves a bit of a break! But, ultimately, the story of Númenor is a tragic tale, so she's not going to get one."
Clearly, we're going to see much more of Númenor's civil war in this TV adaptation than I expected – especially now that Míriel has sent Elendil, with the legendary sword Narsil in hand, to rally The Faithful and try to take back the island realm from Pharazôn and The King's Men. You can read more about Míriel's gifting of Narsil to Elendil in my Rings of Power season 2 ending explainer, among other important details about events in 'Shadow and Flame' and what it sets up for season 3. Alternatively, check out some of my other season 2 finale exclusives below.
Apple TV Plus has announced some sweet news: the hit mystery thriller Sugar is coming back for season 2.
Prior to seeing Colin Farrell as ruthless Gotham criminal Oz Cobb in The Penguin, he was on the right side of the law playing LA private investigator John Sugar who's tasked with finding Olivia Siegel, the granddaughter of a legendary Hollywood producer. As Sugar digs deeper into the case, he unearths dark Siegel family secrets that could put him in danger.
Sugar landed on one of the best streaming services earlier this year and was hailed as “one of the best neo-noir thrillers in years” by ScreenRant. Ahead of its debut, Apple promised that the show would have a "contemporary" and "unique" take on the private detective genre – and it certainly stayed true to the claim. Thanks to a wild twist halfway through the series, the genre-bending Sugar soon broke into Apple TV Plus' hugely successful sci-fi TV show utopia.
What can we expect in Sugar season 2?
According to the Apple TV Plus press release, season 2 of the best Apple TV Plus show "will see Sugar back in Los Angeles, taking on another missing persons case as he continues to look for answers surrounding his missing sister."
Sugar isn't the only sci-fi show receiving a highly-anticipated second season, with dystopian drama Silo, psychological thriller Severance and mind-bending book-to-screen adaptation Dark Matter all set to return.
Matt Cherniss, head of programming for Apple TV Plus, said of Sugar's renewal: "Since its premiere, audiences have been gripped by the mysteries and twists of Sugar, with an incredible performance by Colin Farrell at the center. Colin, Simon Kinberg, Audrey Chon and the entire team behind this series have brilliantly blended genres to create a compelling, can’t-miss series that keeps viewers guessing, and we cannot wait to see where Detective John Sugar finds himself in season two."
On September 10, Microsoft hosted a Cyber Summit that could have far-reaching implications for the future of cybersecurity. Unfortunately, while this summit could be a game changer, it was behind closed doors—leaving many of us on the outside looking in. We’ve seen this pattern before: a breach happens, Microsoft apologizes, promises to do better, and then... not much changes. If the tech giant really wants to make meaningful strides, it’s going to have to change not just its security practices, but also how it engages with the broader community.
The transparency dilemma: come on, Microsoft—let us in!
First things first: Transparency. Microsoft’s refusal to invite both the press and the public to this Cyber Summit raises eyebrows, if not alarms. Sure, we can appreciate the need for candid discussions behind closed doors, but this summit wasn’t just a boardroom briefing—it’s a conversation that impacts millions of users. After all, breaches don’t discriminate between corporations, governments, or everyday consumers.
Microsoft has an enormous opportunity here, but it seems more interested in controlling the narrative than engaging in open dialogue. If the summit is all about polishing its image rather than tackling real issues, that’s a problem. Security isn’t something you sweep under the rug, especially not when your mistakes have affected millions of Windows devices, like the CrowdStrike update debacle earlier this year.
Bring in the experts: why diverse collaboration matters
In cybersecurity, diversity of thought is crucial. And no, I’m not talking about diversity in a corporate HR sense (though that’s important too). I’m talking about bringing together diverse security perspectives—white-hat hackers, pentesters, and researchers—who can test the strength of Microsoft’s systems in ways that in-house teams simply can’t. The more eyes on the problem, the better the chances of finding vulnerabilities before the bad guys do.
Microsoft should be actively collaborating with these experts, not just keeping them at arm’s length. Let’s be real here: The stakes are too high to let pride get in the way of progress. Closed-door summits limit the scope of collaboration, which is not what the cybersecurity community needs. Microsoft owes it to their user base, and to the entire tech world, to listen to those outside voices.
The kernel conundrum: explaining the tech in simple terms
Here’s where things get a little technical. But stay with me—I promise it’s worth it.
The kernel is like the beating heart of your computer’s operating system. It controls everything, from how apps interact with your hardware to how secure your system is. In essence, if the kernel is compromised, your entire system is vulnerable. And here’s the kicker: Microsoft currently allows third-party access to the kernel for certain applications (think of it like giving the keys to your house to the plumber). While this access can be necessary for security software, it also opens the door to a slew of potential security risks.
Just look at the CrowdStrike fiasco. A small error in a CrowdStrike update caused major outages across 8.5 million devices. Why? Because that update had kernel-level access, allowing it to affect fundamental parts of the Windows operating system.
The solution: restrict kernel access... but not completely
One obvious solution is for Microsoft to restrict kernel access altogether. But that’s not as simple as flipping a switch. Security software needs to access the kernel to monitor the system properly, and if Microsoft locks it down completely, third-party security vendors might lose the visibility they need to protect users effectively.
So what’s the middle ground? Other operating systems have found solutions that could serve as models. For instance, Apple’s System Integrity Protection (SIP) limits what can be done to the kernel by restricting root user access. This ensures that even if a hacker gains access to the system, they can’t make changes at the deepest level. Similarly, Linux has something called eBPF (Extended Berkeley Packet Filter), which allows for safe, controlled execution of programs within the kernel. Microsoft should explore implementing these kinds of technologies, or at least something similar.
This doesn’t mean shutting out third parties entirely. Instead, Microsoft could collaborate more closely with security vendors to give them safe, controlled access to the kernel, allowing them to continue protecting users without compromising the system’s integrity.
Potential solutions: Microsoft, here’s what you can do
1. Implement More Granular Kernel Controls: Microsoft could offer more restricted kernel access for trusted applications, much like Apple’s SIP. This would allow security vendors to do their jobs while keeping the system safe from rogue apps.
2. Adopt a More Open Collaborative Framework: It’s time for Microsoft to invite more diverse voices into the conversation. From pentesters to white-hat hackers, more eyes on the problem means a better chance of finding and fixing vulnerabilities before they’re exploited.
3. Transparency at Every Level: No more closed-door summits. Microsoft must foster open, ongoing dialogues with security experts and customers alike, keeping them informed not just about past failures, but about future solutions.
4. Adopt and Implement Best Practices from Competitors: Look to what Linux and Apple have done to enhance kernel security. These platforms offer valuable lessons that could easily be adapted to improve the security of Windows systems.
Microsoft must lead with openness
As the company with the largest market share in the computer security space, Microsoft has a responsibility to be more transparent and open about its plans. Cybersecurity is a community effort. It’s like a neighborhood watch—everyone needs to be in on the plan, and everyone needs to share information to keep the neighborhood safe. But if Microsoft keeps holding closed-door meetings, they’re cutting off valuable input from the people who know how to improve the security of their products.
The bottom line? Microsoft, it’s time to stop issuing apologies and playing the blame game and instead start collaborating with the broader security community. The more you open up, the stronger we’ll all be. And who knows? Maybe we can finally stop having to patch up Windows like it’s an old boat springing new leaks every few weeks.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
The integration of artificial intelligence (AI) into business operations is no longer a futuristic concept; it's a present-day necessity. CEO of NVIDIA Jensen Huang introduced a new concept into the rapidly evolving AI landscape during his keynote at the GTC Conference in March this year. He discussed the rise of "AI factories" and "AI foundries," terms traditionally associated with product development and raw material processing.
By extending these industrial concepts to AI, Huang proposed a novel approach to innovation – one that could revolutionize software development, resource management, and overall business operations. Companies already integrating or planning to integrate AI into their workflows should closely consider this approach for enhancing business value. By leveraging AI, businesses can boost productivity, optimize operations and drive significant value, paving the way for a new era of innovation and growth.
Preparing your business for GenAI integration
GenAI is rapidly becoming a key productivity tool for many organizations. EY’s analysis suggests that GenAI systems are expected to permeate wide segments of business operations in the coming years, with significant implications for various activities such as customer support, marketing and sales, business operations and software programming. GenAI is already making significant strides in customer service, where its ability to mimic human interactions allows businesses to provide rapid, personalized support and engage with customers in real time. Additionally, companies are beginning to integrate AI and machine learning (ML) into their software, harnessing GenAI's potential to improve decision-making through a deep understanding of customer needs and use cases, rather than relying on simplistic problem-solving methods.
For businesses looking to expand their use of AI and ML-enhanced software, having the right IT infrastructure is essential. This infrastructure must be robust and flexible enough to support the growing demands of GenAI and the improvements it offers. In today's highly digital world, upgrading and modernizing IT infrastructure is more important than ever, and can be supported with the right partners.
Partnering for winning AI initiatives
Implementing AI and GenAI in your business is no small feat. To effectively leverage these technologies, companies need essential hardware and software components, necessitating tightly integrated processes throughout the product lifecycle and overall business operations.
Another important consideration is ensuring that both the enterprise and its partners adhere to governance and compliance standards. This includes enforcing best practices that align with the company’s AI deployment model, covering areas such as material selection, manufacturing processes, software design and solution delivery. This is especially crucial for GenAI, which requires significant compute and storage resources and, if not managed correctly, can lead to high compute costs, increased energy consumption and a larger carbon footprint.
A critical aspect of deploying GenAI applications is the substantial power they require. AI foundries and factories that support these applications demand extensive compute, storage and network resources to manage large datasets and maintain these models. Organizations must also choose optimized methods for delivering services efficiently while keeping sustainability top of mind.
Navigating the GenAI landscape
When approaching AI as a workload or a suite of workloads, it's important to realize that GenAI brings different demands compared to traditional IT scenarios. To succeed in the GenAI space, businesses must adapt their infrastructure strategies to accommodate these new workloads, which can be a difficult process.
A significant amount of this infrastructure must reside in the cloud, but on-premises systems will also play an important role. Businesses must therefore carefully select and build the right systems for both cloud and on-premises environments. This can be facilitated by partnering with experts in deploying and managing mission-critical infrastructure. These partnerships are essential for achieving the best outcomes from GenAI initiatives, both today and looking to the future.
It's important to remember that optimizing GenAI is a gradual process, not something that can be achieved overnight. To succeed, businesses should focus on streamlined infrastructure and automation solutions and collaborate with partners who can support them throughout the entire process. This includes data preparation, consolidation, and AI model training and inference, each of which has unique infrastructure requirements. Building relationships with trusted partners who have experience in the specific business domain and data-centric workflows is also crucial for success.
The path forward
All AI and GenAI applications start with data, making it critical for organizations to use the most relevant and complete datasets and ensure their data infrastructure is secure and accessible. The journey to becoming an AI-driven enterprise is both challenging and rewarding. By embracing AI and GenAI technologies, businesses can unlock new levels of productivity and innovation.
However, achieving success requires robust IT infrastructure, strategic partnerships, and a commitment to governance and compliance. As organizations navigate the complexities of AI implementation, they must prioritize data integrity, sustainability, and continuous optimization. With the right approach and support, businesses can fully harness the potential of AI, create unique offerings, and drive sustained growth in an increasingly digital world.
A critical vulnerability has been found in the open source collaboration suite Zimbra which allows crooks to execute code remotely on vulnerable servers and deploy malware.
The vulnerability is tracked as CVE-2024-45519, and is only exploitable when default settings are changed, and the postjournal service is enabled. That, luckily, reduces the attack surface significantly, but not entirely. As multiple security researchers confirmed, when this service is enabled, if a threat actor sends a specially-crafted email, the platform will attempt to download and run a file on the server.
The vulnerability appears to reside in the “to” and “cc” fields, since researchers from Proofpoint advised Zimbra users to look for malformed, or otherwise suspicious, strings in these fields in incoming email messages.
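One way to act on that advice, as an added example (not code from Proofpoint, Zimbra or the article): a Python check that flags any To or Cc header value containing something other than plain addresses. The allowlist pattern, the function name and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Conservative allowlist for an address (assumption of this example):
# deliberately stricter than RFC 5322 so anything unusual gets reviewed.
SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
RECIPIENT_HEADERS = ("To", "Cc")

# Constructed sample messages, not captured traffic.
SAMPLE_CLEAN = (
    "From: sender@example.net\n"
    "To: Alice <alice@example.com>, bob@example.org\n"
    "Subject: constructed sample\n\nbody\n"
)
SAMPLE_ODD = (
    "From: sender@example.net\n"
    "To: alice@example.com\n"
    "Cc: reports@example.com|unexpected text\n"
    "Subject: constructed sample\n\nbody\n"
)


def suspicious_recipients(raw_message):
    """Return (header, raw value) pairs for To/Cc values needing review."""
    msg = message_from_string(raw_message)
    findings = []
    for header in RECIPIENT_HEADERS:
        for value in msg.get_all(header, []):
            raw = str(value)
            parsed = getaddresses([raw])
            # Flag the whole header value if nothing parses or if any
            # parsed address falls outside the allowlist. Reporting the
            # raw value keeps the evidence intact for the analyst.
            if not parsed or any(not SAFE_ADDR.match(a) for _n, a in parsed):
                findings.append((header, raw))
    return findings


if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("odd", SAMPLE_ODD)):
        print(name, suspicious_recipients(sample))
```

Because the check is an allowlist, legitimate but unusual recipients (group syntax, quoted local parts) will also be flagged and need manual review.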
Unreliable attack
The researchers also said the attacks they’ve seen in the wild are massive - just one honeypot received some 500 requests in no more than an hour.
But the vulnerability seems unreliable. The server downloads the malicious file, but then does nothing with it.
“That's all we've seen (so far), it doesn't really seem like a serious attack,” security researcher Ron Bowes wrote in his analysis of the attack. “I'll keep an eye on it, and see if they try anything else!”
Zimbra released a patch for the flaw in the final days of September 2024, which researchers from Project Discovery used to release a proof-of-concept (PoC) and show the security community how it can be abused, with mixed results:
“Initially, we conducted this test on our own Zimbra server for proof of concept,” the researchers wrote. “However, when attempting to exploit the vulnerability remotely over the internet, we faced failures.”
The first attacks emerged no more than a day later, on September 28. Users are still advised to install the available patch immediately, just in case.
Via Ars Technica
Goldring is well known for its precision-engineered phono cartridges, and now the firm has created its first turntable in decades to go with them. Developed in association with an unnamed but "renowned" British hi-fi manufacturer, the Goldring GR3 features the firm's award-winning Goldring E3 moving magnet cartridge, a built-in phono pre-amplifier and a choice of interconnects from its sister brand QED.
It's a good looking thing, but the platter doesn't just look nice. It's made of phenolic resin designed to maximize the flywheel effect in order to deliver consistent rotational speed with low wow and flutter in order to ensure accuracy from your records. And there's a choice of phono-to-phono or phono-to-3.5mm interconnects to suit a wide range of setups.
Goldring GR3: key features and pricing
The star here is that GR3 moving magnet cartridge, which has won six consecutive best buy awards from our colleagues at What Hi-Fi?. Here, it's pre-fitted and pre-adjusted for the tonearm. A lightweight aluminum cantilever promises accurate tracking, precise detail and low distortion, and the dual magnet generator is designed to deliver better channel separation for a more musical soundstage.
The inclusion of a built-in phono pre-amp is surprising but welcome: it means you can connect the Goldring turntable to active options among the best stereo speakers as well as audio amps.
The Goldring GR3 is available now in the UK and in Europe, and it'll be available in the US from December 2024. The UK price is £699, and the US price will be $999, which certainly isn't cheap, but is pretty reasonable among the best turntables. If the unit as a whole lives up to the heritage of the cartridge, we could be onto a mid-range winner.