
reporter

Everything posted by reporter

  1. Need a gift that'll wow the tech lover on your holiday shopping list? A smart-home gadget could be the perfect present to make their holidays brighter, and we've picked out our favorites.
  2. Admins using FortiCloud SSO (single sign on) to authenticate access to Fortinet products are urged to upgrade the software running some of the company’s gateway products as soon as possible, or risk their networks being compromised.

     “Users of Fortinet appliances should, for now, disable SSO until they are able to patch the devices,” advised Johannes Ullrich, dean of research at the SANS Institute. “However, in the long run, this is not a reason to abandon SSO, and it should be re-enabled after the patch is applied.”

     The holes, CVE-2025-59718 and CVE-2025-59719, are cryptographic signature vulnerabilities in the FortiOS operating system that runs Fortinet devices, as well as in the FortiWeb, FortiProxy and FortiSwitchManager products. They allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML (security assertion markup language) message, if that feature is enabled on the device.

     In an advisory, Fortinet notes that the FortiCloud SSO login feature is not enabled in default factory configurations. However, when an administrator registers the device with FortiCare product support from the device’s GUI, single sign-on login is enabled unless they turn off the setting “Allow administrative login using FortiCloud SSO” on the registration page.

     Single sign-on allows users to enter one password to access many applications or services, and in this case it enables an admin to oversee several Fortinet devices. Ullrich calls it “a crucial component in providing a unified authentication and access control experience across an organization. Integrating devices like FortiNet’s offerings is important, and organizations are typically advised to enable this feature.”

     Fortinet uses SAML as the underlying protocol, he explained, noting, “this is a complex protocol, and numerous implementations of it have encountered issues in the past. Just yesterday, the same day Fortinet patched its systems, Ruby released a patch for its SAML library.” He added that SAML implementations often suffer problems due to the intricacies of XML parsing and ambiguities in interpreting the result.

     To prevent being affected by this flaw, Fortinet says admins should turn off the FortiCloud SSO login feature (if enabled) until after upgrading to a non-affected version. To turn off FortiCloud login, it said, go to System -> Settings, then toggle “Allow administrative login using FortiCloud SSO” to Off. Alternatively, admins can use the command line interface and enter:

         config system global
             set admin-forticloud-sso-login disable
         end

     Affected applications should then be updated to the latest versions, and SSO re-enabled.

     Robert Beggs, head of Canadian-based incident response firm DigitalDefence, said that fortunately the vulnerability was identified by FortiGuard’s internal team. “If it had been announced by a third party, then it would have been more likely a vulnerability that was being actively exploited in the wild,” he observed. “It appears that this may have been identified in time to get a warning out and minimize potential compromises.”

     The fact that a pair of vulnerabilities affects a number of a manufacturer’s offerings shows the downside of having a shared code base for their products, Beggs added. While on the one hand, it allows the vendor to rapidly scale the number and functionality of products and to ensure integrated operation, on the other hand, the codebase becomes a single point of failure. These FortiGuard issues demonstrate both sides of the coin. “The vulnerability is critical, and security teams must apply the recommended steps,” he said.

     Fortinet was asked for comment, but did not respond by publication time.
  3. Looking to buy a gift for the fitness fanatic in your life? Our experts have found the best fitness products to give as a gift this season, from resistance bands to the latest smart ring.
  4. Amin Vahdat has been promoted to chief technologist for AI infrastructure, a newly created position reporting directly to CEO Sundar Pichai.
  5. Computer security researchers are in the spotlight as governments look to tackle the growing threat of cybercrime. Last week, British security minister Dan Jarvis set out a new approach to combatting computer crime, highlighting the damage that security breaches have done to the UK economy and emphasizing the importance of computer security researchers. The next day, the Portuguese parliament passed an act giving more protection to the same group.

     In his speech, Jarvis explained how the UK’s 1990 Computer Misuse Act had outlived its usefulness, stating, “it can leave many cyber security experts feeling constrained in the activity that they can undertake. These researchers play an important role in increasing the resilience of UK systems, and securing them from unknown vulnerabilities. We shouldn’t be shutting these people out, we should be welcoming them and their work.”

     He went on to say that the government is looking to upgrade current legislation. “We are looking at a legal change to the Computer Misuse Act. This would create a ‘statutory defense’ for these researchers to spot and share vulnerabilities, which would protect them from prosecution, as long as they meet certain safeguards.”

     The Portuguese legislation also offers a degree of protection to security researchers, provided that they don’t seek to gain financial advantage and don’t breach data protection laws. These updated approaches from the UK and Portugal are in line with other countries’ statutory protection for researchers; the Netherlands, France and Belgium have all introduced similar guidelines.

     Jarvis’s proposals have been warmly received by the security industry. Charlotte Wilson, head of enterprise business, UK and Ireland at Check Point Software, said that the Computer Misuse Act was outdated and not fit for purpose. “As it stands, it treats security researchers in much the same way as cybercriminals, even when they are acting in good faith to strengthen defenses rather than undermine them,” she pointed out.

     But, she added, “the solution is relatively simple: create a legal safe space that allows researchers to test systems and report vulnerabilities responsibly, without fear of prosecution. Portugal has recently taken this important step by introducing clear rules for good-faith testing and a framework for responsible disclosure. It’s a pragmatic model that recognizes the essential role researchers play in identifying and fixing security weaknesses and something the UK should seriously consider adopting.”

     Wilson stressed, however, that organizations should not be entirely dependent on government action; businesses could also take steps to help researchers. “They should publish a clear vulnerability disclosure policy that outlines how researchers can safely report issues; respond swiftly to vulnerabilities and define boundaries by being transparent about what testing is permitted, how to report findings, and what the process entails.”

     Her views were echoed by Dray Agha, senior manager of security operations at Huntress. “Organizations can support the process by rewarding responsible disclosure, avoiding knee-jerk legal threats, participating in community initiatives, and advocating for reforms that strike the right balance between preventing abuse and enabling legitimate research,” he said. He added that the government should ensure that researchers are fully protected, calling for an independent oversight body to validate and support responsible research. “This could provide rapid advisory opinions, mediate disclosure disputes, and issue assurance letters so researchers are not left exposed when organizations are slow or uncooperative.”

     And, he noted, companies are often slow to disclose security breaches, something which needs to change. “User organizations should be legally obliged to maintain a disclosure channel, acknowledge reports promptly, and work within a set remediation window. This lifts the burden from researchers and reduces the grey zone where they feel legally at risk,” he said.

     This will be music to the ears of Dan Jarvis, who, in his speech, stressed the need for co-operation. “This work is not the responsibility of the government alone,” he said. “We need a whole of society approach. We can only create a proper deterrence through partnership, which is why the government and business are working together to improve our security. For too long, businesses and politicians have been under the misapprehension that cyber investment is a drag on growth. But this is a mistake. Cyber security keeps us safe – and is a key enabler of growth.”

     Jarvis’s speech is only a precursor to any legislation, but it is clear that the UK is set to go down the path that other countries have taken, finally giving security researchers their day in the sun.
  6. YouTube TV will be updated with more than 10 genre-specific television packages in 2026, YouTube announced today. The upcoming YouTube TV Plans will be more affordable than the current version of YouTube TV, which is priced at $82.99 per month. There will be packages for sports, news, family, entertainment, and more. A YouTube Sports Plan will include top broadcast networks along with all ESPN networks and sports networks like FS1 and NBC Sports networks. YouTube has not provided information on the pricing for each of the YouTube TV Plans, nor what specific channels will be included.

     YouTube TV Plans will have most of the same features as the standard YouTube TV subscription, like unlimited DVR, key plays, fantasy view, and multiview. YouTube TV has more than 100 channels, and YouTube subscriptions VP Christian Oestlien said that the company's goal is to provide users with more control over what they want to watch. The current plan will remain available, with the added plans included as a lower-priced option.

     This article, "YouTube TV Launching Cheaper Sports, News, and Entertainment Bundles in Early 2026", first appeared on MacRumors.com.
  7. Here are hints and the answer for today's Wordle for Dec. 11, No. 1,636.
  8. Researchers uncovered an unexpected behavior of HTTP client proxies when created in .NET code, potentially allowing attackers to write malicious code to arbitrary files. This in turn can open remote code execution (RCE) attack paths through web shells and malicious PowerShell scripts in many .NET applications, including commercial products. Microsoft does not plan to fix this issue in the .NET Framework itself, saying that application developers are responsible for not passing untrusted and user-controlled URLs to the code classes that initialize HTTP client proxies.

     “The impact depends on how each application uses the proxy classes, but in practice we achieved RCE in almost every product we investigated,” Piotr Bazydło, a researcher with security firm watchTowr, said in a report. Bazydło also authored a technical whitepaper that he presented Wednesday at the Black Hat Europe conference.

     By taking advantage of this unexpected .NET behavior, the researcher found RCE issues in Barracuda Service Center, Ivanti Endpoint Manager, Umbraco 8 CMS, Microsoft PowerShell, and Microsoft SQL Server Integration Services. However, he believes many more products and private enterprise apps are likely vulnerable. “The most powerful exploitation path arises when applications generate HTTP client proxies from attacker-supplied WSDL files using the ServiceDescriptionImporter class,” he said. “That mechanism alone enabled successful exploitation in products from Barracuda, Ivanti, Microsoft and Umbraco, and it took only a few days of review to find working cases.”

     HTTP client proxies can handle non-HTTP protocols

     The .NET Framework and ASP.NET are among the most popular programming languages for enterprise applications. When a developer wants their application to communicate with an XML Web Service over HTTP they must create a proxy class that is derived from the built-in HttpWebClientProtocol class. The Framework also provides three proxy classes — SoapHttpClientProtocol, HttpGetClientProtocol, and HttpPostClientProtocol — that enable support for SOAP, HTTP-GET, and HTTP-POST, respectively. The SoapHttpClientProtocol, which allows SOAP requests to be performed inside .NET applications, is particularly popular, because SOAP is a widely used protocol for exchanging XML-formatted messages between web services over HTTP.

     Therein lies the core of the issue: As the names of these classes — and their official documentation — imply, they are meant to be used for HTTP communication. However, what Bazydło found is that passing URLs with the file:// scheme to these proxy classes will result in the FileWebRequest handler being called instead of HttpWebRequest. “Wait, what? Why does a SOAP proxy need to be able to ‘send’ SOAP requests to a local file?” he said. “Nobody on this planet expects to receive a valid SOAP response from the filesystem.” Because there is no mention in the documentation that these classes also work with the FILE or FTP protocol schemes, and there’s no reasonable expectation that they would, many developers are likely not aware of this behavior and have not taken additional steps to prevent this.

     A path to exploitation

     While this strange behavior enables exploitation, it does not guarantee it. First, an attacker would need to be able to control the URL passed to one of these classes in the application code. Although Microsoft seems to suggest this should not happen, in practice plenty of application developers expose SOAP API endpoints in their applications, sometimes without authentication. One example found by Bazydło was in Barracuda Service Center, a popular enterprise Remote Monitoring and Management (RMM) platform. The issue, now tracked as CVE-2025-34392, was patched in hotfix 2025.1.1.

     By being able to pass an arbitrary URL to a SOAP API endpoint in an affected .NET application, an attacker can trigger a leak of NTLM challenge. For example, a file:// URL pointing to a remote attacker-controlled SMB server will cause the system to send its NTLM credentials in encrypted form to that server. The attacker can then either attempt to crack them or use them in an NTLM relay attack.

     To cause a more powerful local arbitrary file write, however, the attacker needs to be able to also control the arguments sent to the SOAP method, which will mean arbitrary strings can be inserted inside the XML output written to the controlled path on disk. Controlling this will often be enough to write a web shell in CSHTML (server-side templates) format on the server hosting the vulnerable app. But it doesn’t stop here.

     Another way to exploit this is through Web Services Description Language (WSDL) imports. WSDL is an XML-based language web services use to provide information about their features and available interfaces. A service can provide a WSDL file to a client application, which then parses it to automatically build valid SOAP requests to the service. Generating client SOAP proxies from WSDL imports is a fairly common functionality in .NET applications, and this is achieved by parsing WSDL files using the ServiceDescriptionImporter class. As Bazydło found, ServiceDescriptionImporter does not validate that the service definition in the WSDL file is HTTP or HTTPS. “To summarize, WSDL imports create a very powerful exploitation path for the invalid cast issue in HttpWebClientProtocol,” he said. “If an attacker controls the imported WSDL, they also control: The target URL, which allows the proxy to interact with the filesystem; the SOAP method names; the names and types of method arguments.”

     This was the case for the Barracuda Service Center vulnerability, but also for Umbraco 8 CMS — one of the most popular content management systems written in .NET — and Ivanti EPM. Umbraco 8 reached end-of-life in February so no longer receives security patches.

     “At a high level, the story is simple,” the watchTowr researcher said. “The .NET Framework allows its HTTP client proxies to be tricked into interacting with the filesystem. With the right conditions, they will happily write SOAP requests into local paths instead of sending them over HTTP. In the best case, this results in NTLM relaying or challenge capture. In the worst case, it becomes remote code execution through webshell uploads or PowerShell script drops.”
  9. Here are hints and the answers for the NYT Connections: Sports Edition puzzle for Dec. 11, No. 444.
  10. The letter demanded companies institute new safeguards to keep users safe from harmful psychological impacts.
  11. Big retail names such as CB2, Anthropologie and Victoria's Secret are among the worst offenders.
  12. The stretchy fabric satchel for your iPhone, designed by luxury brand Issey Miyake, does make a fashion statement.
  13. Cheaper, genre-specific streaming plans will drop in early 2026.
  14. Mophie today announced the launch of a new line of Speedport wall chargers that are powered by Gallium Nitride (GaN) for faster, more efficient power delivery. There are several charger options with single, dual, and triple ports for powering laptops, tablets, smartphones, and more. Prices range from $15 to $100.
      • Speedport 20 ($14.95) - 20W with one USB-C port.
      • Speedport 35 ($24.95) - 35W with one USB-C port.
      • Speedport 45 ($39.95) - 45W with two USB-C ports.
      • Speedport Plus 67 ($59.95) - 67W with two USB-C ports and a built-in retractable 60W USB-C cable for charging up to three devices at once.
      • Speedport 70 ($49.95) - 70W with two USB-C ports.
      • Speedport 100 ($79.95) - 100W with two USB-C ports.
      • Speedport 140 ($99.95) - 140W with three USB-C ports.

      All of the Speedport chargers feature a similar design, adopting plastics made from 75 percent post-consumer recycled materials and foldable prongs for travel. With the exception of the Speedport 67 with integrated cable, all of the new chargers are available for purchase from the Mophie website as of today.

      This article, "Mophie Releases New GaN-Powered Speedport USB-C Wall Chargers", first appeared on MacRumors.com.
  15. Check every merry flick off your list.
  16. The tug-of-war on font type isn't aesthetic. It's political.
  17. Visitors entering the US may also need to disclose their previous email addresses and details about their families, under a new federal proposal.
  18. A new software option could make it possible to see the approximate location of some of Nvidia's AI chips.
  19. Here are some hints and the answers for the NYT Connections puzzle for Dec. 11, #914.
  20. This feature could help give emergency dispatchers context in circumstances like car accidents, fires, or medical crises.
  21. A24 has a dedicated fan base and great films, and you can watch tons of them on these free streaming services.
  22. Commentary: The backlash against McDonald's and Coca-Cola was swift, but it's a sign of a bigger problem.
  23. True Classic Tees is running holiday “flash deals” with some of the best prices we've seen in months.
  24. The massive data breach at the South Korean retail giant Coupang affects more than half of the country's population.
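Post 2 above quotes Johannes Ullrich on why SAML implementations keep running into trouble: XML parsing is intricate and the result of a signature check is easy to misinterpret. The C# below is an added example written for this page; it is not Fortinet's, SANS's or any vendor's code and says nothing about how the FortiOS flaw itself works. It shows the structural checks a SAML service provider should make around the XML-DSig verification so that a crafted message cannot satisfy the signature check with one element while the application reads another. It assumes an identity provider that signs the Assertion element with an enveloped signature, an IdP certificate the service provider obtained out of band (passed in as `idpCert`), and a placeholder SP entity ID; the class and method names are the example's own.

```csharp
using System;
using System.Globalization;
using System.Security;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not Fortinet's, SANS's or any vendor's code.
public static class SamlAssertionValidator
{
    const string SamlNs  = "urn:oasis:names:tc:SAML:2.0:assertion";
    const string SamlpNs = "urn:oasis:names:tc:SAML:2.0:protocol";
    const string DsNs    = "http://www.w3.org/2000/09/xmldsig#";

    // Returns the NameID of the single signed assertion, or throws.
    // idpCert: the IdP's certificate obtained out of band (assumption).
    // spEntityId: this service provider's own entity ID (assumption).
    public static string ValidateAndGetNameId(string responseXml,
                                              X509Certificate2 idpCert,
                                              string spEntityId)
    {
        // PreserveWhitespace keeps the signed bytes intact; no resolver means
        // no DTD or external entity fetching while parsing untrusted XML.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(responseXml);
        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("saml", SamlNs);
        ns.AddNamespace("samlp", SamlpNs);
        ns.AddNamespace("ds", DsNs);

        // 1. Exactly one Assertion, and only as a direct child of the Response.
        //    "Take the first Assertion anywhere in the document" is the lenient
        //    lookup that a message padded with extra elements can satisfy.
        XmlNodeList assertions = doc.SelectNodes("/samlp:Response/saml:Assertion", ns);
        if (assertions.Count != 1)
            throw new SecurityException("expected exactly one Assertion, found " + assertions.Count);
        var assertion = (XmlElement)assertions[0];

        // 2. The assertion's ID must be unique in the document; otherwise the
        //    signature's reference could resolve to a different element.
        string id = assertion.GetAttribute("ID");
        int withSameId = 0;
        foreach (XmlElement e in doc.SelectNodes("//*[@ID]", ns))
            if (e.GetAttribute("ID") == id) withSameId++;
        if (id.Length == 0 || withSameId != 1)
            throw new SecurityException("assertion ID missing or not unique");

        // 3. An enveloped signature inside this assertion, with exactly one
        //    reference, and that reference must point at this very element.
        var sigElem = assertion.SelectSingleNode("ds:Signature", ns) as XmlElement;
        if (sigElem == null)
            throw new SecurityException("assertion is not signed");
        var signedXml = new SignedXml(assertion);
        signedXml.LoadXml(sigElem);
        if (signedXml.SignedInfo.References.Count != 1)
            throw new SecurityException("signature must cover exactly one element");
        var reference = (Reference)signedXml.SignedInfo.References[0];
        if (reference.Uri != "#" + id)
            throw new SecurityException("signature does not reference this assertion");

        // 4. Verify with the pinned certificate. The parameterless CheckSignature()
        //    would trust whatever KeyInfo the message itself carries.
        if (!signedXml.CheckSignature(idpCert, true))
            throw new SecurityException("signature verification failed");

        // 5. Only now read the signed content: audience and expiry.
        XmlNode audience = assertion.SelectSingleNode(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", ns);
        if (audience == null || audience.InnerText.Trim() != spEntityId)
            throw new SecurityException("assertion is not addressed to this SP");
        var conditions = (XmlElement)assertion.SelectSingleNode("saml:Conditions", ns);
        DateTime notOnOrAfter = DateTime.Parse(conditions.GetAttribute("NotOnOrAfter"),
            CultureInfo.InvariantCulture,
            DateTimeStyles.AdjustToUniversal | DateTimeStyles.AssumeUniversal);
        if (DateTime.UtcNow >= notOnOrAfter)
            throw new SecurityException("assertion has expired");

        XmlNode nameId = assertion.SelectSingleNode("saml:Subject/saml:NameID", ns);
        if (nameId == null)
            throw new SecurityException("assertion has no NameID");
        return nameId.InnerText.Trim();
    }
}
```

The order matters: the element the application will act on is located first, the signature is required to cover exactly that element, and only after the signature holds is anything read out of it. Checking the signature on "some" element and then reading attributes from "the first" element is the interpretation ambiguity Ullrich refers to. Response-level signatures, InResponseTo matching against the original request and replay tracking of assertion IDs are further checks a production service provider adds; they are left out here to keep the example to the point.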
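Post 8 above says Microsoft puts the burden on application developers not to hand untrusted URLs to the HTTP client proxy classes, and that ServiceDescriptionImporter does not check whether a WSDL's service addresses are HTTP or HTTPS. The C# below is an added example written for this page, not watchTowr's, Microsoft's or any affected vendor's code. It gates a URL before it is assigned to a proxy's Url property, and gates every endpoint address in a WSDL before the importer is allowed to generate a proxy from it. It assumes a .NET Framework application that references System.Web.Services and keeps an allow-list of the hosts it is meant to talk to; `ProxyUrlGuard`, `RequireHttp`, `RequireHttpEndpoints`, `GuardedSoapClient` and the host allow-list are the example's own names.

```csharp
using System;
using System.CodeDom;
using System.Collections.Generic;
using System.IO;
using System.Web.Services.Description;
using System.Web.Services.Protocols;

// Added example, not watchTowr's, Microsoft's or any vendor's code.
public static class ProxyUrlGuard
{
    // Allow-list the scheme rather than deny-listing "file": rejecting only
    // file:// would still let ftp://, UNC paths and anything else through.
    public static Uri RequireHttp(string candidate, ISet<string> allowedHosts)
    {
        Uri uri;
        if (!Uri.TryCreate(candidate, UriKind.Absolute, out uri))
            throw new ArgumentException("not an absolute URL", nameof(candidate));
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("scheme '" + uri.Scheme + "' is not allowed", nameof(candidate));
        if (!allowedHosts.Contains(uri.Host))
            throw new ArgumentException("host '" + uri.Host + "' is not on the allow-list", nameof(candidate));
        return uri;
    }

    // Every endpoint address in a WSDL must pass the same gate before the
    // importer turns it into a generated proxy's default Url.
    public static void RequireHttpEndpoints(ServiceDescription wsdl, ISet<string> allowedHosts)
    {
        foreach (Service service in wsdl.Services)
            foreach (Port port in service.Ports)
                foreach (object extension in port.Extensions)
                {
                    // SoapAddressBinding also matches Soap12AddressBinding.
                    string location = (extension as SoapAddressBinding)?.Location
                                   ?? (extension as HttpAddressBinding)?.Location;
                    if (location != null)
                        RequireHttp(location, allowedHosts);
                }
    }
}

public static class GuardedSoapClient
{
    // Hosts this application is meant to talk to (placeholder value).
    static readonly ISet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "soap.example.test" };

    // Url is a writable property on every generated proxy, so the check
    // belongs at each assignment, not only where the proxy is constructed.
    public static void PointProxyAt(SoapHttpClientProtocol proxy, string untrustedUrl)
    {
        proxy.Url = ProxyUrlGuard.RequireHttp(untrustedUrl, AllowedHosts).AbsoluteUri;
    }

    // Generate proxy code from a WSDL only after its endpoints are checked.
    public static CodeCompileUnit ImportWsdl(string untrustedWsdlText)
    {
        ServiceDescription wsdl = ServiceDescription.Read(new StringReader(untrustedWsdlText));
        ProxyUrlGuard.RequireHttpEndpoints(wsdl, AllowedHosts);

        var importer = new ServiceDescriptionImporter();
        importer.AddServiceDescription(wsdl, null, null);
        var unit = new CodeCompileUnit();
        var codeNamespace = new CodeNamespace("GeneratedProxies");
        unit.Namespaces.Add(codeNamespace);
        ServiceDescriptionImportWarnings warnings = importer.Import(codeNamespace, unit);
        if (warnings != 0)
            throw new InvalidOperationException("WSDL import reported warnings: " + warnings);
        return unit;
    }
}
```

The host allow-list is what turns this from a scheme filter into a real boundary: a URL that passes the scheme check but points at a host the application never intended to talk to is still a request the application is making on someone else's behalf. The endpoint check covers only the addresses a WSDL declares; the rest of an externally supplied WSDL remains untrusted input, and the generated proxy's Url can still be reassigned later, which is why `PointProxyAt` runs the same gate again.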
