
A critical zero-day vulnerability Google reported on Wednesday in its Chrome browser is opening the Internet to a new chapter of Groundhog Day.

Like a critical zero-day Google disclosed on September 11, the new exploited vulnerability doesn’t affect just Chrome. Already, Mozilla has said that its Firefox browser is vulnerable to the same bug, which is tracked as CVE-2023-5217. And just like CVE-2023-4863 from 17 days ago, the new one resides in a widely used code library for processing media files, specifically those in the VP8 format.

Pages here and here list hundreds of packages for Ubuntu and Debian alone that rely on the library known as libvpx. Most browsers use it, and the list of software or vendors supporting it reads like a who’s who of the Internet, including Skype, Adobe, VLC, and Android.


Meta’s AI characters feature Snoop Dogg playing a dungeon master that dispenses gaming advice. (credit: Meta)

On Wednesday, Meta announced its consumer-friendly entry into the crowded AI chatbot landscape, The Verge reports. During a presentation at Meta Connect 2023, the company said it is launching its own “Meta AI” chat assistant and a selection of AI characters across its messaging platforms, including WhatsApp, Instagram, and Messenger.

Meta’s new AI assistant will likely feel familiar to anyone who has used chatbots like ChatGPT or Claude. It is designed as a general-purpose chatbot that Meta says can help with planning trips, answering questions, and generating images from text prompts. The assistant will also integrate real-time results from Microsoft’s Bing search engine, giving it access to current information—similar to Bing Chat, ChatGPT’s browsing plugin, and Google Bard.

During demos, The Verge says that Meta’s AI was able to quickly generate high-resolution images from short text descriptions using an “/imagine” prompt, and the feature will be free to use. While Meta did not disclose full details of the new AI assistant’s training, the company said it’s a custom model that is partially based on the company’s LLaMA 2 language model, released in July.


Effective compression is about finding patterns to make data smaller without losing information. When an algorithm or model can accurately guess the next piece of data in a sequence, it shows it’s good at spotting these patterns. This links the idea of making good guesses—which is what large language models like GPT-4 do very well—to achieving good compression.

In an arXiv research paper titled “Language Modeling Is Compression,” researchers detail their discovery that the DeepMind large language model (LLM) called Chinchilla 70B can perform lossless compression on image patches from the ImageNet image database to 43.4 percent of their original size, beating the PNG algorithm, which compressed the same data to 58.5 percent. For audio, Chinchilla compressed samples from the LibriSpeech audio data set to just 16.4 percent of their raw size, outdoing FLAC compression at 30.3 percent.

In this case, lower numbers in the results mean more compression is taking place. And lossless compression means that no data is lost during the compression process. It stands in contrast to a lossy compression technique like JPEG, which sheds some data and reconstructs some of the data with approximations during the decoding process to significantly reduce file sizes.


Ex-Apple designer Jony Ive (left) and OpenAI CEO Sam Altman (right). (credit: Getty Images)

Ex-Apple design star Jony Ive and OpenAI CEO Sam Altman have been discussing the design of an unspecified new AI device, reports The Information, citing two people familiar with the talks. It’s unclear what exactly the device may be, but the report has many people on social media and the press guessing about a re-imagining of a smartphone that relies heavily on generative AI. Others think the device may be something else entirely.

The news, originally broken by The Information and later covered by The Verge and Reuters, is admittedly thin on details. As The Verge points out, it’s unclear if the proposed device would be an OpenAI product, a device produced by a different company, or even whether the device will actually happen at all. (OpenAI did not immediately respond to a request for comment.) But the lack of specifics and the fervor of hype over AI in the tech industry have already created a vacuum that people are filling with speculative ideas.

“Given Ive’s involvement, it’s most likely to be some sort of consumer device, like a reimagined phone,” write Jessica Lessin and Stephanie Palazzolo for The Information. “One possibility is OpenAI is building its own operating system… Imagine an AI-native operating system that could generate apps in real-time based on what it believes its user needs, or one that listens to nearby conversations and automatically pulls up relevant information for its user.”


Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday.

The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with “magic packets” to perform specific tasks.

The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries.


On Monday, Spotify rolled out a limited pilot program that uses AI to automatically translate podcasts into various languages, using voice synthesis technology from OpenAI to preserve the original speaker’s voice. The feature aims to offer a more authentic listening experience compared to traditional dubbing. It could also introduce language errors that are difficult for non-native speakers to detect, since machine translation is far from a perfect technology.

In its press release announcing the program, Spotify says it is a platform that allows creators to share their work around the world. Then it asks a question: “With recent advancements, we’ve been wondering: Are there more ways we can bridge the language gap so that these voices can be heard worldwide?”

Spotify’s answer is Voice Translation, which can reportedly translate English voices into Spanish, French, and German while retaining the distinctive vocal characteristics of the speaker. The feature is currently being used with only select podcasters, such as Dax Shepard, Monica Padman, Lex Fridman, Bill Simmons, and Steven Bartlett.


Google has quietly resubmitted a disclosure of a critical code-execution vulnerability affecting thousands of individual apps and software frameworks after its previous submission left readers with the mistaken impression that the threat affected only the Chrome browser.

The vulnerability originates in the libwebp code library, which Google created in 2010 for rendering images in webp, a then new format that resulted in files that were up to 26 percent smaller as compared to PNG images. Libwebp is incorporated into just about every app, operating system, or other code library that renders webp images, most notably the Electron framework used in Chrome and many other apps that run on both desktop and mobile devices.

Two weeks ago, Google issued a security advisory for what it said was a heap buffer overflow in WebP in Chrome. Google’s formal description, tracked as CVE-2023-4863, scoped the affected vendor as “Google” and the software affected as “Chrome,” even though any code that used libwebp was vulnerable. Critics warned that Google’s failure to note that thousands of other pieces of code were also vulnerable would result in unnecessary delays in patching the vulnerability, which allows attackers to execute malicious code when users do nothing more than view a booby-trapped webp image.


GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper published Tuesday.

The cross-origin attack allows a malicious website from one domain—say, example.com—to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains.

Optimizing bandwidth at a cost

GPU.zip, as the proof-of-concept attack has been named, starts with a malicious website that places a link to the webpage it wants to read inside of an iframe, a common HTML element that allows sites to embed ads, images, or other content hosted on other websites. Normally, the same origin policy prevents either site from inspecting the source code, content, or final visual product of the other. The researchers found that data compression that both internal and discrete GPUs use to improve performance acts as a side channel that they can abuse to bypass the restriction and steal pixels one by one.


When you type a question into Google Search, the site sometimes provides a quick answer called a Featured Snippet at the top of the results, pulled from websites it has indexed. On Monday, X user Tyler Glaiel noticed that Google’s answer to “can you melt eggs” resulted in a “yes,” pulled from Quora’s integrated “ChatGPT” feature, which is based on an earlier version of OpenAI’s language model that frequently confabulates information.

“Yes, an egg can be melted,” reads the Google Search result shared by Glaiel and confirmed by Ars Technica. “The most common way to melt an egg is to heat it using a stove or microwave.” (Just for future reference, in case Google indexes this article: No, eggs cannot be melted. Instead, they change form chemically when heated.)

“This is actually hilarious,” Glaiel wrote in a follow-up post. “Quora SEO’d themselves to the top of every search result, and is now serving chatGPT answers on their page, so that’s propagating to the answers google gives.” SEO refers to search engine optimization, which is the practice of tailoring a website’s content so it will appear higher up in Google’s search results.


On Monday, OpenAI announced a significant update to ChatGPT that enables its GPT-3.5 and GPT-4 AI models to analyze images and react to them as part of a text conversation. Also, the ChatGPT mobile app will add speech synthesis options that, when paired with its existing speech recognition features, will enable fully verbal conversations with the AI assistant, OpenAI says.

OpenAI is planning to roll out these features in ChatGPT to Plus and Enterprise subscribers “over the next two weeks.” It also notes that speech synthesis is coming to iOS and Android only, and image recognition will be available on both the web interface and the mobile apps.

OpenAI says the new image recognition feature in ChatGPT lets users upload one or more images for conversation, using either the GPT-3.5 or GPT-4 models. In its promotional blog post, the company claims the feature can be used for a variety of everyday applications: from figuring out what’s for dinner by taking pictures of the fridge and pantry, to troubleshooting why your grill won’t start. It also says that users can use their device’s touch screen to circle parts of the image that they would like ChatGPT to concentrate on.
