Oracle on Tuesday published an out-of-band update patching a critical code-execution vulnerability in its WebLogic server after researchers warned that the flaw was being actively exploited in the wild.

The vulnerability, tracked as CVE-2019-2729, allows an attacker to run malicious code on the WebLogic server without any need for authentication. That capability earned the vulnerability a Common Vulnerability Scoring System score of 9.8 out of 10. The vulnerability is a deserialization attack targeting two Web applications that WebLogic appears to expose to the Internet by default - wls9_async_response and wls-wsat.war.

The flaw in Oracle's WebLogic Java application servers came to light as a zero-day four days ago when it was reported by security firm KnownSec404.

This isn't the first, or even second, deserialization attack that has been used to target these services. The wls-wsat component was successfully exploited in a similar fashion in 2017, and KnownSec404 reported another one in April. The 2017 vulnerability was largely used to install bitcoin miners; April's vulnerability was exploited in cryptojacking and ransomware campaigns. Oracle's current out-of-band patch and advisory notice has not officially acknowledged the active exploitation of CVE-2019-2729, but it does mark the vulnerability as high risk and advises customers to apply the out-of-band patch as soon as possible.

Long-time fans of the S.T.A.L.K.E.R. series may remember that long before the sequel that was announced in May 2018, there was another attempt to make S.T.A.L.K.E.R. 2. That game was announced back in 2010 and canceled just two years after, but GSC Game World, the company behind the franchise, was planning on expanding it to other media. That plans included a canceled Russian TV show. The project was killed even before the pilot was released. But it was shot and thanks to the series' director Gleb Skorobogatov some of its footage was released online in his blog. One of the fans had enough dedication to find all the clips available and reassemble them into something that resembles the first (and only) episode of the canceled TV show.

The episode opens with two military guys, Major and Kharchenko, transporting prisoners through a wild area of the Zone. Almost immediately they find themselves under the fire from a hunter played by a famous Russian actor Gosha Kutsenko. The next clip shows our protagonists (or are they?) alive and well, the group then decides to make a stop in a night forest due to the engine's failure, while one other character tries to buy vodka in a plastic bottle. The next scene is a conversation between a cook and Kharchenko, the two have a chit-chat about a sudden nature of the Zone's explosions, and then Kharchenko convinces the cook to give him a radioactive "bullet" to fix the engine and get to his destination. Mutants and anomalies

The episode then makes a big time skip. The character (the one who tried to buy vodka) got trapped in catacombs and presumably was affected by a powerful anomaly. One of the "prisoners" finds him there and after a chilly conversation about the "Vodka guy's" childhood, they proceed to Papa Carlo's place. After a quick stop, they continue their journey and meet a mutant, who looks like a cute puppy: the prisoner tries to pet it, but the Vodka guy immediately shoots the creature. The next scene is just more meaningless talk between the two and a little lore about stalkers: the Vodka guy says that all of them are different, some want to find artifacts, others shoot you without a clear reason.The video ends with our two guys under the attack of an electric mutant.

To finish this wild nostalgic trip, let's watch a trailer of the canceled TV show. Thankfully, it has subtitles:

The Linux and FreeBSD operating systems contain newly discovered vulnerabilities that make it easy for hackers to remotely crash servers and disrupt communications, researchers have warned. OS distributors are advising users to install patches when available or to make system settings that lower the chances of successful exploits. The most severe of the vulnerabilities, dubbed SACK Panic, can be exploited by sending a specially crafted sequence of TCP Selective ACKnowledgements to a vulnerable computer or server. The system will respond by crashing, or in the parlance of engineers, entering a kernel panic. Successful exploitation of this vulnerability, tracked as CVE-2019-11477, results in a remote denial of service (DoS). A second vulnerability also works by sending a series of malicious SACKs that consumes computing resources of the vulnerable system. Exploits most commonly work by fragmenting a queue reserved for retransmitting TCP packets. In some OS versions, attackers can cause what's known as an "expensive linked-list walk for subsequent SACKs." This can result in additional fragmentation, which has been dubbed "SACK slowness." Exploitation of this vulnerability, tracked as CVE-2019-11478, drastically degrades system performance and may eventually cause a complete DoS. Both of these vulnerabilities exploit the way the OSes handle the above-mentioned TCP Selective ACKnowledgement (abbreviated SACK). SACK is a mechanism that allows a computer on the receiving end of a communication to apprise the sender of what segments have been successfully sent so that any lost ones can be resent. The parties set up the use of SACK during the three-way handshake that establishes the initial connection. The exploits work by overflowing a queue that stores received packets. A vulnerability in FreeBSD 12 (tracked as CVE-2019-5599) works similarly to CVE-2019-11478 but instead interacts with the RACK send map of that OS. A fourth vulnerability, tracked as CVE-2019-11479, can slow down affected systems by lowering the maximum segment size for a TCP connection. The setting causes vulnerable systems to send responses across multiple TCP segments, each of which contains only 8 bytes of data. Exploits cause the system to consume large amounts of bandwidth and resources in a way that degrades system performance. Maximum segment size is a setting contained in the header of a TCP packet that specifies the total amount of data contained in a reconstructed segment.

The vulnerabilities were discovered by researchers from Netflix and publicly reported Monday in a disclosure that was coordinated with the affected OS developers. Linux distributions have either released patches that fix the vulnerabilities or have recommended configuration changes that mitigate them. Workarounds include blocking connections with a low MSS, disabling SACK processing, or temporarily disabling the RACK TCP stack. These changes may break legitimate connections, and in the case of the RACK TCP stack being disabled, an attacker still may be able to cause an expensive linked-list walk for subsequent SACKs received for the same TCP connection.

The above-linked Netflix disclosure and this post from security firm Tenable are good places to get additional details. Affected OS users should consult with the developers of their distribution. Redhat has a good write-up here, and write-ups from Ubuntu and Amazon are here and here.

The legend says that he is still singing 'I'm OKAY' ....

I guess this music video from Miley Cyrus has something to do with a TV show she was on. That was a smart move for Netflix. Anyway, the song is pretty sexual and I dig it.

Samsung has announced that it plans to develop its neural processing unit (NPU) capabilities in order to deliver enhanced AI applications in the future. With this announcement, the Korean firm said that it will create 2,000 new jobs related to the field, worldwide, by 2030. In order to hire more skilled people for these vacancies, Samsung will be collaborating with more universities and research institutes to help them develop the talent they need.

With the new generation of NPU technologies, Samsung will develop the hardware so that they're optimised to power in-vehicle infotainment (IVI), advanced driver assistance systems (ADAS), and next-generation data centres that will be processing big data. Samsung introduced its first NPU in the Exynos 9820 which shipped in the European variant of its Galaxy S10. The Exynos 9820 allows devices to manage AI and machine learning tasks separately and perform AI tasks on the device rather than needing to connect to a network to perform these tasks. Topping off the announcement, Samsung said its LSI Business and Advanced Institute of Technology R&D arm, plans to turn the current NPU research into things like neuromorphic processors that could operate at the same level as a human brain - it'll definitely be interesting to see what applications are made possible with that hardware.

Facebook today announced Libra, a new digital currency that aims to combine the best features of other cryptocurrencies in order to be more consumer-friendly. The currency will be administered by the Libra Association, a new non-for-profit based in Geneva. Founding members include Facebook, Mastercard, Visa, PayPal, Stripe, eBay, Lyft, Spotify, Uber, Vodafone Group, and Coinbase, as well as non-profit and academic members. Facebook's new Calibra subsidiary will create a Libra wallet app. The Calibra wallet will not require a Facebook account and Calibra will not share transaction data with Facebook. Third parties will also be able to create their own Libra wallet apps. Users will be able to exchange local currency for Libra (and vice versa) through these wallet apps, and at physical locations. The local currency will be transferred to the Libra Association to provide 100% backing for Libra currency. Interest on those deposits will pay for operating expenses, investments in the ecosystem, engineering research, and grants to non-profits and other organizations. Excess interest will be distributed to founding members. Libra transactions won't carry the high fees that credit cards do, although a small (less than one cent) transaction fee will deter certain spam and denial attacks. The symbol for the Libra is ≋ (three wavy lines). The value of a Libra is tied to a basket of deposits in historically stable international currencies, which can be rebalanced to keep the Libra stable. The Libra's starting value will be close to one dollar, euro, or pound. Libra is much faster and more efficient than Bitcoin, able to handle 1,000 transactions per second and designed to scale much higher. When a transaction is submitted, each of the Libra nodes, run independently by Libra Association members, runs a blockchain calculation. Two-thirds of the nodes must come to consensus that the transaction is legitimate for it to be executed and written to the blockchain. Facebook's Calibra will implement Know Your Customer rules in the sign-up process to prevent fraud, requiring a government-issued photo ID, for example. The Libra Association will incentivize other wallet providers to do the same. Libra is launching a limited test network today. When Libra launches to consumers in the first half of 2020, Facebook will launch Calibra as a standalone wallet app, but also as a feature within Facebook Messenger and WhatsApp on both Android and iOS.

Verizon will launch its second phone with integrated 5G - the LG V50 ThinQ 5G - for all customers on June 20th. As with the Samsung Galaxy S10 5G, Verizon isn't restricting sales to areas where 5G service is available, as Sprint has done. Verizon is selling the phone for $1,000, or $41.66/month for 24 months. For a limited time, Verizon is waiving the $10/month 5G access fee. Verizon's 5G network uses mmWave frequencies and is currently available in part of Chicago and Minneapolis, with another 28+ cities coming by the end of the year.

Madmind Studio has released a new trailer for SUCCUBUS - a spin-off to the widely discussed Agony. This time, as the title of the game suggests, Succubus named Vydija - a lusty demon based on religious beliefs – becomes the main protagonist. According to the press release, the main character of the game is Succubus Vydija. Wild and evoking the desire in her victims' demon, whose story started in the original – Agony and Agony UNRATED, where she received her own single-player campaign.

At $899.99, Acer's Swift 3 laptop has some pros and cons. It weighs in at only 2.87 pounds, so it's definitely one of the lightest 13.3-inch laptops around for that price. It also packs some serious internals, including a Whiskey Lake Core i7 and a 512GB SSD, which are paired with 8GB RAM. It does come with some compromises though. One of the USB Type-A ports is USB 2.0, and the USB 3.1 Gen 1 Type-C port that's included can't be used for charging; it has a pin charger instead. There's also more third-party software than I'd expect from a PC at this price point. Other than that, I like the Swift 3 a lot. The aluminum body is slick, and the 13.3-inch FHD display has a matte, anti-glare finish. And unlike some other matte displays that I've seen, the colors look vibrant instead of washed out. It also has a fingerprint sensor for Windows Hello, and Acer's TrueHarmony speakers.

The former "Mythbusters" host built a titanium Iron Man suit and this baby can actually soar.

Check it out!

Microsoft has released the Windows 10 June 2019 patch last Tuesday, featuring 4 advisories, 1 servicing stack update, and updates for 88 vulnerabilities, with 21 being classified as Critical. It is said that some of the advisories include updated drivers and software that fix vulnerabilities in 3rd-party hardware and software, such as Adobe Flash Player. According to the company, 66 out of the 88 patches are rated as "important" while only one is rated as "moderate". In addition, Microsoft claimed that none of the publically disclosed zero days, or other vulnerabilities, were found to be publically exploited in the wild. Microsoft suggests everyone to install the security updates in order to protect their systems.

When we said AMD was readying a presentation on their Ryzen 9 3950X CPUs to awe crowds at E3, we weren't thinking of something of this magnitude. But apparently, it's true: a Geekbench test result has shown AMD's $750, 16 core, 32 thread Ryzen 9 9 3950X beating Intel's 18 core, 36 thread $2,000 i9-9980XE monster. Now, you may be thinking: ok, it beat it because of AMD's announced 4.7 GHz boost, and did so only on single threaded performance, obviously... but you would be wrong. The Geekbench scores show AMD's Ryzen 9 3950X delivering 5,868 points in single, and 61,072 points in multicore workloads. Intel's i9-9980XE, on the other hand, scores just 5,391 single core, and 46,876 multicore points (on average and at stock clocks of 3,000 MHz base and 3,400 MHz boost). This is an incredible performance difference (particularly in the multicore score), and was apparently done with an engineering sample for AMD's upcoming chip that didn't even run at its announced 4.3 GHz base and 4.7 GHz boost clocks, but at 3.3 GHz and 4.3 GHz respectively. AMD's 105 W TDP, 16 core chip beats Intel's 185 W TDP, 18 core one... Where has the world come? Take the usual dosage of NaCl, and let's keep things in perspective - even if AMD's Ryzen 9 3950X equals, and doesn't beat, Intel's i9-9980XE, it's still a huge win for the red company. Almost as big a win as that huge stone on Lisa's hand.

This is the epic battle and conclusion of "Astartes." Technically it's a four-part series, but we think the action stands incredibly well on its own.

AMD Ryzen 3000 "Matisse" processors are multi-chip modules of two kinds of dies - one or two 7 nm 8-core "Zen 2" CPU chiplets, and an I/O controller die that packs the processor's dual-channel DDR4 memory controller, PCI-Express gen 4.0 root-complex, and an integrated southbridge that puts out some SoC I/O, such as two SATA 6 Gbps ports, four USB 3.1 Gen 2 ports, LPCIO (ISA), and SPI (for the UEFI BIOS ROM chip). It was earlier reported that while the Zen 2 CPU core chiplets are built on 7 nm process, the I/O controller is 14 nm. We have confirmation now that the I/O controller die is built on the more advanced 12 nm process, likely GlobalFoundries 12LP. This is the same process on which AMD builds its "Pinnacle Ridge" and "Polaris 30" chips. The 7 nm "Zen 2" CPU chiplets are made at TSMC. AMD also provided a fascinating technical insight to the making of the "Matisse" MCM, particularly getting three highly complex dies under the IHS of a mainstream-desktop processor package, and perfectly aligning the three for pin-compatibility with older generations of Ryzen AM4 processors that use monolithic dies, such as "Pinnacle Ridge" and "Raven Ridge." AMD innovated new copper-pillar 50u bumps for the 8-core CPU chiplets, while leaving the I/O controller die with normal 7u solder bumps. Unlike with its GPUs that need high-density wiring between the GPU die and HBM stacks, AMD could make do without a silicon interposer or TSVs (through-silicon-vias) to connect the three dies on "Matisse." The fiberglass substrate is now "fattened" up to 12 layers, to facilitate the inter-die wiring, as well as making sure every connection reaches the correct pin on the uPGA.

AnandTech, who spoke with the USB Promoter Group at Computex, have shared that the new protocol is expected to manifest in physical, consumer products by the end of 2020. The specification for the next-generation bus is currently on version 0.7, with the USB Promoter Group expecting it to be finalized by this Summer. Then it's just a matter of manufacturers developing new products powered by the latest protocol. USB 4.0 borrows heavily from Intel's thunderbolt 3 technology - which, if you'll remember, was made available as an open specification very recently. Intel's contribution of the Thunderbolt 3 protocol will enable USB 4.0 to achieve speeds of up to 40 Gbps with multiple data and display protocols being able to share available bandwidth. Additionally, USB 4.0 will make use of USB Type-C's interface, ensuring backwards compatibility not only with it, but also USB 2.0, USB 3.0 and Thunderbolt 3. Due to the many improvements in data transfer speeds and ability to stream multiple data and display protocols, the USB Promoter Group is looking at the possibility of changing USB's trademark logo for the next generation interface, alongside a revised branding scheme.