Exploitation of the nasty vulnerability in the Java logging library Apache Log4j, which allows unauthenticated remote code execution, may have begun as early as December 1.
“Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC,” Cloudflare CEO Matthew Prince said on Twitter.
“That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.”
Cisco Talos said in a blog post that it observed activity for the vulnerability known as CVE-2021-44228 from December 2, and those looking for indicators of compromise should extend their searches to at least that far back.
Thanks to the ubiquity of the impacted library, Talos said it was seeing a lead time between attackers' mass scanning and the resulting callbacks, which could be due to vulnerable but non-targeted systems, such as SIEMs and log collectors, being triggered by the exploit.
It added that the Mirai botnet was starting to use the vulnerability. Researchers at Netlab 360 said they had seen the Log4j vulnerability used to create Muhstik and Mirai botnets that went after Linux devices.
Over the weekend, vendors have been rushing to get patches out and document workarounds for affected products. The end results have been product matrices such as those from VMware and Cisco where some products have patches available, some have workarounds, and others remain vulnerable. Both vendors scored CVE-2021-44228 as a perfect 10.
The suggested workarounds typically either set the log4j2.formatMsgNoLookups flag to true, or remove the JndiLookup class from the classpath used by Java.
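A defender's check for the two workarounds above, as an added example that is not part of the original article: it reports archives, including jars nested inside fat jars, that still contain the JndiLookup class, and tells whether a JVM argument list sets the flag. The in-memory archives, file names and helper names are constructed for illustration.

```python
import io
import zipfile

# Path of the class the workaround deletes (inside log4j-core jars).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
FLAG = "-Dlog4j2.formatMsgNoLookups="


def find_jndi_lookup(data, label, depth=0, max_depth=5):
    """Return labels of archives (nested ones as outer!/inner) holding JndiLookup."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # unreadable or not an archive: nothing to report
    hits = []
    with zf:
        names = zf.namelist()
        if any(n == JNDI_LOOKUP or n.endswith("/" + JNDI_LOOKUP) for n in names):
            hits.append(label)
        for n in names:
            if n.lower().endswith(ARCHIVES) and depth < max_depth:
                hits += find_jndi_lookup(zf.read(n), f"{label}!/{n}", depth + 1, max_depth)
    return hits


def lookups_disabled(jvm_args):
    """True if the last formatMsgNoLookups setting on the command line is 'true'."""
    value = None
    for arg in jvm_args:
        if arg.startswith(FLAG):
            value = arg[len(FLAG):]  # a later -D overrides an earlier one
    return value is not None and value.lower() == "true"


def make_archive(entries):
    """Build a constructed in-memory zip/jar from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    core = make_archive({JNDI_LOOKUP: b"stub", "META-INF/MANIFEST.MF": b""})
    patched = make_archive({"META-INF/MANIFEST.MF": b""})
    app = make_archive({"BOOT-INF/lib/log4j-core.jar": core, "BOOT-INF/lib/other.jar": patched})
    print(find_jndi_lookup(app, "app.jar"))
    print(lookups_disabled(["-Xmx1g", "-Dlog4j2.formatMsgNoLookups=true"]))
```

The flag is only honoured by Log4j 2.10 and later, so for older 2.x jars the class check is the one that matters.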
A Reddit post from NCC Group is being regularly updated, and shows how the exploit can be used to exfiltrate AWS secrets, as well as all manner of Java system properties.
Sophos said it was seeing the vulnerability already being used by cryptominers.
On the more enjoyable front, a Minecraft mod developer was able to use the vulnerability to turn a Minecraft server into one that played Doom instead.
“For some context, this is an entirely vanilla client connecting to a modded server, which, through this exploit, is sending over and executing the code to run doom,” Gegy said.
Microsoft threat analyst Kevin Beaumont said defence in depth was “probably your best option”.
“To give a spoiler for Log4Shell, this is going to take weeks to play out to establish attack surface (it is large) and then maybe a month or more for patches to be made available,” he said.
Realme 9 Pro+ officially teased as leak details key specs – GSMArena.com news – GSMArena.com
CEO Madhav Sheth all but revealed that there is a Realme 9 Pro+ on the way, now the company’s Twitter account has made it official – this will be the first phone to bear the “Pro+” designation among the Realme number series.
Of course, the Realme 9 Pro itself is yet to be unveiled. So far, all the official information we have on the two is that both are probably going to launch in India, not long after the 9i arrives (sales begin on January 22). We can look to unofficial sources for a sneak peek at what’s to come. Previously, @OnLeaks and Smartprix partnered to reveal Realme 9 Pro specs and images, now they have done the same for the Pro+.
The two models will come equipped with different cameras. Well, different main cameras we should say – the regular Pro will have a 64MP module, the Pro+ will feature a 50MP wide camera (custom Sony sensor) with Optical Image Stabilization. A previous leak suggests that the 50MP camera will use a 1/1.56” image sensor with 1.0 µm pixels (2.0 µm with binning) and an f/1.8 lens. Both phones also feature an 8MP ultrawide and a 2MP helper, plus a punch-hole-mounted 16MP selfie camera.
The Pro+ will be powered by the Dimensity 920, while the regular Pro will get the Snapdragon 695 (both 6 nm chips from TSMC’s foundries). The Plus model will have a smaller 6.43” Super AMOLED display with lower refresh rate, 90 Hz, compared to the 6.59” 120 Hz panel on the regular Pro. It will be the smaller device of the two, that means a smaller battery too (4,500 mAh vs. 5,000 mAh), though it will be faster to charge at 65W (the 9i and 9 Pro do 33W).
Unconfirmed info from a few months ago revealed that the Realme 9 series will have four models, so far a vanilla Realme 9 is missing. All four are supposed to launch in Q1 this year.
Sony Issues Statement About Microsoft Activision Blizzard Purchase And Xbox Exclusivity – Forbes
Sony has finally commented on the massive news that Microsoft has bought Activision Blizzard for nearly $70 billion, and it’s not exactly congratulatory.
Speaking to the Wall Street Journal, Sony had this to say about Microsoft’s responsibility to honor Activision’s existing contracts:
“We expect that Microsoft will abide by contractual agreements and continue to ensure Activision games are multiplatform.”
This may sound like good news for Sony fans who have been worried that massive games like Call of Duty, Overwatch and Blizzard are about to stop being multiplatform, and yet that statement is hugely open to interpretation, and seems to have been issued to try to stop Sony’s stock from declining, as it’s sunk in the wake of the Activision Blizzard purchase announcement.
You can compare this to Phil Spencer’s statement on the same issue, which is even more nebulous:
“I’ll just say to players out there who are playing Activision Blizzard games on Sony’s platform: It’s not our intent to pull communities away from that platform and we remained committed to that.”
What Microsoft seems to be committing to here is to not shut down existing communities on PlayStation like say, Overwatch 1 or Call of Duty Warzone. And it does stand to reason that Activision probably had some sort of deal with PlayStation in place in terms of what games come to the system, but the terms of that deal? That’s the question.
You would not imagine that Activision and Sony have some sort of contract that reads “Every Call of Duty game must come to PlayStation in perpetuity.” Sony seems pretty forceful in saying “continue to ensure Activision games are multiplatform” though does “continue” mean current games that need ongoing support, or future games? Again, it’s hard to fully read what’s going on here, but I do not believe Microsoft would have bought Activision Blizzard at all if part of the deal was all its games must continue to be released on PlayStation indefinitely. And I doubt Sony has a contract that says that.
Again, my guess is that existing games will continue to be live on PlayStation, and some games like Warzone could even stay on PlayStation indefinitely. But I think whether future new mainline Call of Duty games, or Overwatch 2 or Diablo 4 come to PlayStation is a much different issue, and I don’t think Sony’s statement is any sort of guarantee about those titles in the coming years. We’ll see if Microsoft responds, and if Sony has anything else it can expand on here.
PlayStation Wrap-Up 2021 Available Now, Share Your Gaming Stats – Push Square
It’s that time of the year again: Sony is allowing PlayStation 5, PS4 users to share their own Spotify style wrap-up of 2021 on social media. Head on through this link to get started, making sure you’re logged into your PSN account in order to start viewing and sharing your own stats.
The wrap up begins by sharing the total number of hours you played games across PS5 and PS4 systems in 2021. It’s then broken down into each console, also stating how many hours were spent playing PSVR and how many days of the year you played games on.
Elsewhere, the wrap-up shares your top five most played games on PS5, PS4 and how many Trophies you earned. It then dives into how many PS Plus titles you redeemed as well as some global community stats. For example, our wrap-up tells us over 19 billion likes were awarded in Death Stranding Director’s Cut and 34.6 per cent of Ratchet & Clank: Rift Apart players unlocked every weapon in the game.
If you log in and take a look at your own stats, be sure to scroll down to the bottom to claim an exclusive collection of PS5, PS4 avatars. You’ll then be presented with a download code. What do your PS5, PS4 gaming stats look like for 2021? Share the most impressive ones in the comments below.