Category: Editor’s Pick

Before last week, owners of certain Mazda vehicles who also had a Home Assistant setup could set up some handy connections for their car.

One CX-60 driver had a charger that would only power on when it confirmed his car was plugged in and would alert him if he left the trunk open. Another used Home Assistant to control their charger based on the dynamic prices of an Agile Octopus energy plan. Yet another had really thought it through, using Home Assistant to check the fuel level before their morning commute, alert them if their windows were down when rain was forecast, and remotely unlock and start the car in cold conditions. The possibilities were vast, and purportedly went beyond what Mazda’s official app offered.

Mazda, however, had issues with the project, which was largely the free-time work of one software developer, Brandon Rothweiler. In a Digital Millennium Copyright Act (DMCA) notice sent to GitHub, Mazda (or an authorized agent) alleges that Rothweiler’s integration:

Image: Cables run into a Cisco data switch. (credit: Getty Images)

Cisco is urging customers to protect their devices following the discovery of a critical, actively exploited zero-day vulnerability that’s giving threat actors full administrative control of networks.

“Successful exploitation of this vulnerability allows an attacker to create an account on the affected device with privilege level 15 access, effectively granting them full control of the compromised device and allowing possible subsequent unauthorized activity,” members of Cisco’s Talos security team wrote Monday. “This is a critical vulnerability, and we strongly recommend affected entities immediately implement the steps outlined in Cisco’s PSIRT advisory.”

Under exploitation for 4 weeks

The previously unknown vulnerability, tracked as CVE-2023-20198, carries the maximum CVSS severity rating of 10. It resides in the web user interface of Cisco IOS XE software when that interface is exposed to the Internet or to untrusted networks. Any switch, router, or wireless LAN controller running IOS XE with the HTTP or HTTPS server feature enabled and reachable from the Internet is vulnerable. At the time this post went live, the Shodan search engine showed as many as 80,000 Internet-connected devices that could be affected.
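The two facts above, that the web UI must be reachable and that exploitation leaves behind a new privilege-15 account, are what a network team can check offline from a saved `show running-config`. The script below is an added example, not Cisco tooling: the config excerpt is constructed (the `cisco_tac_admin` name is one of the account names Talos reported the attackers creating), `EXPECTED_ADMINS` is an assumed operator baseline, and the `active-session-modules none` handling follows the mitigation guidance in Cisco’s PSIRT advisory, under which those knobs disable the web UI on a transport even while the HTTP/HTTPS server itself stays enabled.

```python
"""Offline triage for CVE-2023-20198 exposure from a saved running-config.

Reports (a) which transports the IOS XE web UI is reachable on, the
precondition for the bug, and (b) privilege-15 local accounts the
operator did not create, the documented result of exploitation.
"""
import re

# Constructed excerpt of an IOS XE running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$redacted
username cisco_tac_admin privilege 15 secret 9 $9$redacted
username helpdesk privilege 1 secret 9 $9$redacted
!
ip http server
ip http active-session-modules none
ip http secure-server
!
"""

# Assumed baseline: the only privilege-15 account the operator knows about.
EXPECTED_ADMINS = {"netops"}

USER_RE = re.compile(r"^\s*username\s+(\S+)\s+privilege\s+(\d+)", re.M)


def web_ui_exposed_on(config: str) -> list[str]:
    """Transports on which the web UI answers ([] is the safe answer)."""
    lines = {ln.strip() for ln in config.splitlines()}
    exposed = []
    # `ip http server` alone is not enough: the advisory's
    # `ip http active-session-modules none` turns the web UI off over HTTP.
    if ("ip http server" in lines
            and "ip http active-session-modules none" not in lines):
        exposed.append("http")
    if ("ip http secure-server" in lines
            and "ip http secure-active-session-modules none" not in lines):
        exposed.append("https")
    return exposed


def unexpected_priv15_users(config: str, baseline: set[str]) -> list[str]:
    """Privilege-15 local accounts that are not in the operator's baseline."""
    return sorted(user for user, priv in USER_RE.findall(config)
                  if int(priv) == 15 and user not in baseline)


def triage(config: str, baseline: set[str]) -> dict:
    exposed = web_ui_exposed_on(config)
    rogue = unexpected_priv15_users(config, baseline)
    return {
        "web_ui_exposed_on": exposed,
        "unexpected_priv15_users": rogue,
        "likely_compromised": bool(rogue),   # treat any rogue admin as compromise
        "still_exposed": bool(exposed),      # patch or disable before reconnecting
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, EXPECTED_ADMINS))
```

On a live device, Cisco’s advisory pairs the same config check (`show running-config | include ip http server|secure|active`) with a probe for the implant the attackers dropped: `curl -k -X POST "https://<device-ip>/webui/logoutconfirm.html?logon_hash=1"`, where a hexadecimal string in the response means the implant is present. Note that disabling the web UI stops new exploitation but does not remove accounts an attacker has already created, which is why the account diff matters.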

On Thursday, Google announced that it plans to defend users of its generative AI systems on Google Cloud and Workspace platforms against intellectual property violation claims, reports Reuters. The move follows similar commitments by Microsoft and Adobe, but Google claims its approach is more comprehensive, covering both the use of copyrighted works for training AI and the output generated by the systems.

“The generated output indemnity means that you can use content generated with a range of our products knowing Google will indemnify you for third-party IP claims, including copyright,” Google writes in its announcement post.

Specifically, the new policy will cover software like its Vertex AI development platform and Duet AI system, which are used for generating text and images in Google Workspace and Cloud programs. Notably, the Google announcement did not mention Bard, Google’s more well-known generative AI chatbot.

In August and September, threat actors unleashed the biggest distributed denial-of-service attacks in Internet history by exploiting a previously unknown vulnerability in a key technical protocol. Unlike other high-severity zero-days of recent years (Heartbleed or Log4j, for example), which caused chaos through a torrent of indiscriminate exploits, the more recent attacks, dubbed HTTP/2 Rapid Reset, were barely noticeable to all but a select few engineers.

HTTP/2 Rapid Reset is a novel technique for waging DDoS (distributed denial-of-service) attacks of unprecedented magnitude. It wasn’t discovered until after it was already being exploited to deliver record-breaking DDoSes. One attack on a customer using the Cloudflare content delivery network peaked at 201 million requests per second, almost triple the previous record Cloudflare had seen of 71 million rps. An attack on a site using Google’s cloud infrastructure topped out at 398 million rps, more than 7.5 times the previous record Google had recorded of 46 million rps.

Doing more with less

The DDoSes hitting Cloudflare came from a network of roughly 20,000 malicious machines, a relatively small number compared with many so-called botnets. The attack was all the more impressive because, unlike many DDoSes directed at Cloudflare customers, this one resulted in intermittent 4xx and 5xx errors when legitimate users attempted to connect to some websites.
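Why 20,000 machines were enough comes down to an asymmetry in the protocol: the technique (tracked as CVE-2023-44487) has the client open a stream with a HEADERS frame and cancel it immediately with RST_STREAM. The cancelled stream stops counting against the server’s concurrent-stream limit at once, but the request has already been dispatched to the backend. The model below is an added example, not code from Cloudflare or Google; it simulates only the HEADERS and RST_STREAM frames on one connection, and the flat per-connection reset budget stands in for the reset-rate counters the affected providers actually deployed. All frame sequences are constructed.

```python
"""Model of HTTP/2 Rapid Reset (CVE-2023-44487) and a reset-budget mitigation."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Iterable, Optional, Set, Tuple

Frame = Tuple[str, int]  # (frame type, stream id)


@dataclass
class ServerConnection:
    """Server-side view of one HTTP/2 connection."""
    max_concurrent: int = 100                 # SETTINGS_MAX_CONCURRENT_STREAMS
    reset_budget: Optional[int] = None        # mitigation; None = no limit
    active: Set[int] = field(default_factory=set)
    dispatched: Deque[int] = field(default_factory=deque)  # work handed to backends
    resets_seen: int = 0
    rejected_headers: int = 0
    closed: bool = False                      # True once the server would send GOAWAY

    def on_frame(self, frame: Frame) -> None:
        if self.closed:
            return
        kind, sid = frame
        if kind == "HEADERS":
            if len(self.active) >= self.max_concurrent:
                self.rejected_headers += 1    # PROTOCOL_ERROR in the real protocol
                return
            self.active.add(sid)
            self.dispatched.append(sid)       # request handling starts right away
        elif kind == "RST_STREAM":
            # Cancelling frees the concurrency slot immediately, but the work
            # already dispatched is not reclaimed: that asymmetry is the attack.
            self.active.discard(sid)
            self.resets_seen += 1
            if self.reset_budget is not None and self.resets_seen > self.reset_budget:
                self.closed = True


def rapid_reset_frames(n: int) -> Iterable[Frame]:
    """Attacker pattern: open a stream and cancel it immediately, n times."""
    for i in range(n):
        sid = 2 * i + 1                       # client-initiated streams use odd ids
        yield ("HEADERS", sid)
        yield ("RST_STREAM", sid)


def well_behaved_frames(n: int) -> Iterable[Frame]:
    """Ordinary client: opens n streams and lets them run to completion."""
    for i in range(n):
        yield ("HEADERS", 2 * i + 1)


def simulate(frames: Iterable[Frame], reset_budget: Optional[int] = None) -> dict:
    conn = ServerConnection(reset_budget=reset_budget)
    peak = 0
    for frame in frames:
        conn.on_frame(frame)
        peak = max(peak, len(conn.active))
    return {
        "peak_active_streams": peak,
        "backend_requests": len(conn.dispatched),
        "rejected_headers": conn.rejected_headers,
        "connection_closed": conn.closed,
    }


if __name__ == "__main__":
    print("normal   ", simulate(well_behaved_frames(150)))
    print("rapid    ", simulate(rapid_reset_frames(10_000)))
    print("mitigated", simulate(rapid_reset_frames(10_000), reset_budget=50))
```

The ordinary client is capped at 100 requests in flight and gets its 101st stream refused, while the rapid-reset client never has more than one stream open yet pushes 10,000 requests to the backend over the same connection. With a reset budget, the server drops the connection after the 51st cancellation, which is the shape of the fix the providers shipped: count resets per connection over a window and send GOAWAY to clients that exceed it.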

Image: The Content Credentials “CR” logo presented in front of an AI-generated image provided by Adobe. (credit: Adobe)

On Tuesday, Adobe announced a new symbol designed to indicate when content has been generated or altered using AI tools, reports The Verge, as well as verifying the provenance of non-AI media. The symbol, created in collaboration with other industry players as part of the Coalition for Content Provenance and Authenticity (C2PA), aims to bring transparency to media creation and reduce the impact of misinformation or deepfakes online. Whether it will actually do so in practice is uncertain.

The Content Credentials symbol, which looks like a lowercase “CR” in a curved bubble with a right angle in the lower-right corner, reflects the presence of metadata stored in a PDF, photo, or video file that includes information about the content’s origin and the tools (both AI and conventional) used in its creation. The information is automatically added by supporting digital cameras and AI image generator Adobe Firefly, or it can be inserted by Photoshop and Premiere. It will also soon be supported by Bing Image Creator.

If credentialed media is presented in a compatible app or through a JavaScript wrapper on the web, users can click the “CR” icon in the upper-right corner to view a drop-down menu containing the image information. Alternatively, they can upload the file to a dedicated website that reads the metadata.
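What the badge can and cannot guarantee follows from how such credentials are built: a manifest listing the origin and tools is bound to a hash of the media and signed by the issuer. The toy model below is an added example written for this page, not C2PA’s real manifest format (JUMBF boxes carrying COSE signatures): it uses HMAC with a shared key as a stand-in for the issuer’s asymmetric signature, and the “image” bytes are constructed. It shows that edits to either the pixels or the recorded assertions are detectable, and that simply stripping the metadata is not.

```python
"""Toy content-credential issue/verify cycle (not the C2PA format)."""
import hashlib
import hmac
import json
from typing import Optional

# Stand-in for the issuer's private key; a real manifest uses an asymmetric signature.
ISSUER_KEY = b"example-only-stand-in-for-issuer-private-key"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def issue_credential(content: bytes, assertions: dict) -> dict:
    """Build and sign a manifest that binds `assertions` to exactly `content`."""
    manifest = {"content_sha256": _sha256(content), "assertions": assertions}
    sig = hmac.new(ISSUER_KEY, _canonical(manifest), "sha256").hexdigest()
    return {"manifest": manifest, "signature": sig}


def verify_credential(content: bytes, credential: Optional[dict]) -> str:
    """Outcome a viewer would show next to (or instead of) the CR badge."""
    if credential is None:
        # Never labelled or label stripped: the verifier cannot tell which.
        return "no-credential"
    manifest = credential["manifest"]
    expected = hmac.new(ISSUER_KEY, _canonical(manifest), "sha256").hexdigest()
    if not hmac.compare_digest(expected, credential["signature"]):
        return "bad-signature"       # assertions were edited after signing
    if manifest["content_sha256"] != _sha256(content):
        return "content-mismatch"    # the media was edited after signing
    return "valid"


def demo() -> dict:
    # Constructed stand-in for an image file.
    original = b"\x89PNG\r\n\x1a\n" + b"constructed pixel data " * 4
    cred = issue_credential(original, {"tool": "Adobe Firefly", "ai_generated": True})

    # Retouched pixels, credential left in place.
    edited = original.replace(b"pixel", b"PIXEL", 1)

    # Manifest edited to hide the AI origin, signature left in place.
    forged = json.loads(json.dumps(cred))
    forged["manifest"]["assertions"]["ai_generated"] = False

    return {
        "untouched": verify_credential(original, cred),
        "pixels_edited": verify_credential(edited, cred),
        "assertions_edited": verify_credential(original, forged),
        "metadata_stripped": verify_credential(original, None),
    }


if __name__ == "__main__":
    print(demo())
```

The last case is the practical caveat: a screenshot, a re-encode, or any tool that drops metadata yields a file that looks exactly like one that was never credentialed, so the absence of a CR badge says nothing about whether an image was AI-generated. The badge is evidence only when it is present and verifies.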

Image: Cue files used to be much better-known, back when we all used CD-Rs to make legal backup copies of material that we owned outright. (credit: Getty Images)

It has been a very long time since the average computer user thought about .cue files, or cue sheets, the metadata bits that describe the tracks of an optical disc, like a CD or DVD. But cue sheets are getting attention again, for all the wrong reasons. They’re at the heart of a one-click exploit that could give an attacker code execution on Linux systems with GNOME desktops.

CVE-2023-43641, disclosed by GitHub on October 9, is an out-of-bounds array write (a memory corruption bug) in the libcue library, which parses cue sheets. NIST has yet to score the issue, but GitHub’s submission rates it an 8.8, or “High.” The vulnerability has been patched in the library itself, but Linux distributions still need to ship the updated libcue package before the desktops that depend on it are protected.

GNOME desktops run, by default, a “tracker miner” that automatically re-indexes files whenever certain locations in a user’s home directory change. If a user can be tricked into downloading a cue sheet crafted to trigger the libcue bug, the indexer parses it with no further interaction, and the resulting out-of-bounds write can be turned into code execution in the indexer’s process. The cue sheet contains no code of its own; the damage comes from an index number the parser never checked.
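The missing check is easy to see on a cue sheet’s `INDEX nn mm:ss:ff` lines, where `nn` names one of the 00 to 99 index slots of a track. The example below is added for this page in Python and is not libcue’s C source: the track is modelled as a flat list so that an unchecked write can be watched landing on the field that follows the index table, which is what becomes memory corruption in the real library. Both cue sheets are constructed, and `MAX_INDEX` and the neighbouring cell are assumptions of the model.

```python
"""Cue-sheet INDEX parsing with and without the range check behind CVE-2023-43641."""
import re
from typing import List, Optional

MAX_INDEX = 100            # cue sheets number indexes 00..99
FRAMES_PER_SECOND = 75     # CD audio frames per second in mm:ss:ff timestamps

INDEX_LINE = re.compile(r"^\s*INDEX\s+(-?\d+)\s+(\d+):(\d{2}):(\d{2})\s*$")

# Constructed sheets: one ordinary, one with an INDEX number past the table.
BENIGN_CUE = """\
FILE "album.wav" WAVE
  TRACK 01 AUDIO
    INDEX 00 00:00:00
    INDEX 01 00:02:00
"""

MALICIOUS_CUE = """\
FILE "album.wav" WAVE
  TRACK 01 AUDIO
    INDEX 01 00:02:00
    INDEX 100 00:00:00
"""


def msf_to_frames(m: int, s: int, f: int) -> Optional[int]:
    """Convert mm:ss:ff to a frame count; None if seconds or frames are out of range."""
    if s > 59 or f >= FRAMES_PER_SECOND:
        return None
    return (m * 60 + s) * FRAMES_PER_SECOND + f


class TrackMemory:
    """Index table followed by one adjacent field, laid out like a C struct."""

    def __init__(self) -> None:
        # Cells 0..99 are the index table; cell 100 is whatever follows it in memory.
        self.cells: List[int] = [0] * MAX_INDEX + [0xDEADBEEF]
        self.rejected = 0

    @property
    def neighbour(self) -> int:
        return self.cells[MAX_INDEX]

    def set_index_unchecked(self, i: int, frames: int) -> None:
        # Pre-fix behaviour: the parsed number is used as the subscript as-is.
        self.cells[i] = frames

    def set_index_checked(self, i: int, frames: int) -> None:
        # Post-fix behaviour: refuse anything outside the table.
        if not 0 <= i < MAX_INDEX:
            self.rejected += 1
            return
        self.cells[i] = frames


def parse_cue(sheet: str, track: TrackMemory, checked: bool) -> TrackMemory:
    """Apply every INDEX line of `sheet` to `track`; other directives are ignored here."""
    setter = track.set_index_checked if checked else track.set_index_unchecked
    for line in sheet.splitlines():
        m = INDEX_LINE.match(line)
        if not m:
            continue
        num = int(m.group(1))
        frames = msf_to_frames(int(m.group(2)), int(m.group(3)), int(m.group(4)))
        if frames is None:
            track.rejected += 1
            continue
        setter(num, frames)
    return track


def neighbour_after(sheet: str, checked: bool) -> int:
    """Value of the field next to the index table after parsing `sheet`."""
    return parse_cue(sheet, TrackMemory(), checked).neighbour


if __name__ == "__main__":
    print("unchecked neighbour:", hex(neighbour_after(MALICIOUS_CUE, checked=False)))
    print("checked neighbour:  ", hex(neighbour_after(MALICIOUS_CUE, checked=True)))
```

In the unchecked run the `INDEX 100` line overwrites the neighbouring field with the parsed frame count; with the check in place the line is counted as rejected and the neighbour is untouched. libcue’s patch adds the equivalent range check in its C code, and in C the same write lands on whatever the allocator placed after the track structure, which is the foothold the GitHub researcher turned into code execution.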

Image: An AI-generated vector graphic of a barbarian and a landscape generated with Adobe Illustrator. (credit: Benj Edwards / Adobe)

On Tuesday, Adobe announced major updates to AI image synthesis features across several products, including Photoshop, Illustrator, and Adobe Express. The updates include three new generative AI models—Firefly 2, Firefly Design Model, and Firefly Vector Model—which improve its previous offerings and add new capabilities. With the vector model, Adobe is notably launching its first text-to-vector AI image generator.

It’s been a busy year for generative AI, and Adobe has not been content to sit it out. In March, the graphic design software giant debuted its text-to-image synthesis model, Firefly, which it billed as an ethical alternative to Stable Diffusion and Midjourney because it was trained on Adobe Stock imagery only. Firefly can generate novel images from text descriptions called prompts (e.g., “a scenic vista” or “a beefy-looking barbarian”). The company later brought the technology to Photoshop and its web apps, and promised to cover any legal bills that might arise from copyright claims against artwork generated with its tools.

Now, Adobe is extending its reach with a wave of new generative AI features. Adobe’s Firefly Image 2 model is an update to its original Firefly AI image generator, which powers Photoshop features like Generative Fill. Adobe claims this new version offers improved image quality, particularly in areas like foliage, skin texture, and facial features. In addition to these enhancements, the Firefly Image 2 model introduces AI-driven editing capabilities that can adjust various photo settings like depth of field and motion blur. A new “Prompt Guidance” feature also aids users in refining the wording of their text descriptions and automatically completes prompts to boost efficiency.

Big Tech companies like Microsoft and Google are grappling with the challenge of turning AI products like ChatGPT into a profitable enterprise, reports The Wall Street Journal. While companies are heavily investing in AI tech that can generate business memos or code, the cost of running advanced AI models is proving to be a significant hurdle. Some services, like Microsoft’s GitHub Copilot, drive significant operational losses.

Generative AI models used for creating text are not cheap to operate. Large language models (LLMs) like the ones that power ChatGPT require powerful servers with high-end, energy-hungry chips. For example, we recently cited a Reuters report with analysis claiming that each ChatGPT query may cost 4 cents to run. Adam Selipsky, the chief executive of Amazon Web Services, told the Journal that many corporate customers are unhappy with the high running costs of these AI models.

The current cost challenge is tied to the nature of AI computations, which often require new calculations for each query, unlike standard software that enjoys economies of scale. This makes flat-fee models for AI services risky, as increasing customer usage can drive up operational costs and lead to potential losses for the company.

Thousands of sites running the WordPress content management system have been hacked by a prolific threat actor that exploited a recently patched vulnerability in a widely used plugin.

The vulnerable plugin, known as tagDiv Composer, is a mandatory requirement for using two WordPress themes, Newspaper and Newsmag. The themes are available through the ThemeForest and Envato marketplaces and have more than 155,000 downloads.

Tracked as CVE-2023-3169, the vulnerability is what’s known as a cross-site scripting (XSS) flaw that allows hackers to inject malicious code into webpages. Discovered by Vietnamese researcher Truoc Phan, the vulnerability carries a severity rating of 7.1 out of a possible 10. It was partially fixed in tagDiv Composer version 4.1 and fully patched in 4.2.

OpenAI, the creator of ChatGPT and DALL-E 3 generative AI products, is exploring the possibility of manufacturing its own AI accelerator chips, according to Reuters. Citing anonymous sources, the Reuters report indicates that OpenAI is considering the option due to a shortage of specialized AI GPU chips and the high costs associated with running them.

OpenAI has been evaluating various options to address this issue, including potentially acquiring a chipmaking company and working more closely with other chip manufacturers like Nvidia. Currently, the AI firm has not made a final decision, but the discussions have been ongoing since at least last year. Nvidia dominates the AI chip market, holding more than 80 percent of the global share for processors best suited for AI applications. OpenAI CEO Sam Altman has publicly expressed his concerns over the scarcity and cost of these chips.

The hardware situation is said to be a top priority for OpenAI, as the company currently relies on a massive supercomputer built by Microsoft, one of its largest backers. The supercomputer uses 10,000 Nvidia graphics processing units (GPUs), according to Reuters. Running ChatGPT comes with significant costs, with each query costing approximately 4 cents, according to Bernstein analyst Stacy Rasgon. If queries grow to even a tenth of the scale of Google search, the initial investment in GPUs would be around $48.1 billion, with annual maintenance costs at about $16 billion.
