Everything posted by reporter
-
SpaceX Gets OK to Build 2 Starship Launch Pads at NASA's Cape Canaveral
The two Super Heavy launch pads will join one that SpaceX already has at Kennedy Space Center's Launch Complex 39-A.
-
Australia vs. England Livestream: How to Watch 2nd Test Ashes Cricket From Anywhere for Free
The visiting team looks to bounce back from its crushing 1st Test defeat as the series heads to The Gabba.
-
Day One Ventures’ Masha Bucher on why every founder needs to be an influencer
Tech is racing ahead while society struggles to keep up. Masha Bucher, founder and GP of Day One Ventures, built her firm around closing that gap by combining venture capital with hands-on PR to help portfolio companies not just raise money, but actually break through the noise. Day One’s been an early backer of companies like World, Superhuman, and Remote.com, with 12 […]
-
Apple Removes Former AI Chief John Giannandrea From Executive Leadership Page
Apple today updated its executive leadership page to remove John Giannandrea, who is set to retire from Apple next spring. Earlier this week, Apple said that Giannandrea would step down from his role as AI chief, serving as an advisor until he leaves the company. Giannandrea's upcoming retirement was announced on Monday, and Apple wasted no time updating its leadership website.

Former Microsoft Corporate VP of AI Amar Subramanya is set to take over as Apple's vice president of AI, but he is not yet listed on the site. Subramanya will report to software engineering chief Craig Federighi. Some of the teams that Giannandrea led are being shifted to Sabih Khan and Eddy Cue, including AI Infrastructure and Search and Knowledge.

Giannandrea joined Apple in 2018 as the company's senior vice president of machine learning and AI strategy. He was overseeing Siri, Core ML, and other AI efforts at Apple. Before Apple, Giannandrea worked at Google as a senior vice president of engineering.

After the iOS 18 Siri failure, Giannandrea's retirement comes as no surprise. Apple announced new Apple Intelligence Siri features at WWDC when it unveiled iOS 18, and then used those unreleased features to market the iPhone 16 models. In spring 2025, when we were expecting the launch of the promised functionality, Apple said the smarter version of Siri wasn't ready and announced a year-long delay. More than half a dozen former employees who worked on Apple's AI team told The Information the issues with Siri stemmed from poor leadership, stringent privacy practices, conflicting personalities, and indecision. Apple hasn't publicly commented on the situation, but stripped Siri from Giannandrea in March and overhauled the Siri team.

Apple also removed Giannandrea from its robotics division in April.
-
Developers urged to immediately upgrade React, Next.js
Developers using the React 19 library for building application interfaces are urged to immediately upgrade to the latest version because of a critical vulnerability that an attacker can easily exploit to remotely run their own code.

Researchers at Wiz said Wednesday that a vulnerability in the React Server Components (RSC) Flight protocol affects the React 19 ecosystem, as well as frameworks that implement it. In particular, that means Next.js, a popular full-stack development framework built on top of React, which received a separate CVE. The RSC Flight protocol powers communication between client and server for React Server Components, sending serialized component trees over the wire from the server to the client.

“The vulnerability exists in the default configuration of affected applications, meaning standard deployments are immediately at risk,” says the warning. “Due to the high severity and the ease of exploitation, immediate patching is required.” “Our exploitation tests show that a standard Next.js application created via create-next-app and built for production is vulnerable without any specific code modifications by the developer,” Wiz also warns.

The problem in React’s server package, designated CVE-2025-55182, is a deserialization logic flaw that lets the server process RSC payloads in an unsafe way. When a server receives a specially crafted, malformed payload, say Wiz researchers, it fails to validate the structure correctly. This allows attacker-controlled data to influence server-side execution logic, resulting in the execution of privileged JavaScript code. “In simple terms,” Wiz said in response to questions, “the server takes input from a user, trusts it too much, and processes it into code-like objects which attackers can exploit to run commands or leak sensitive information.”

Affected are React versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The fix is to upgrade to the latest version of React.

While the vulnerability affects all development frameworks using vulnerable versions of React, the problem in Next.js is specifically identified as CVE-2025-66478. Affected are Next.js 15.x and 16.x using the App Router. Again, the fix is to upgrade to the latest version of Next.js. React’s blog provides detailed upgrade instructions for both React and Next.js.

‘Serious vulnerability’

“The configuration needed for these vulnerabilities to function is extremely common,” Wiz said in response to questions, “and disabling the functionality needed to block them is very rare. In fact, we failed to find any such case.” Wiz says 39% of cloud environments are currently using Next.js and other web frameworks based on React.

Johannes Ullrich, dean of research at the SANS Institute, told InfoWorld that RSC is widely used, particularly when the Next.js framework, which implements RSC by default, is employed. “This is a very serious vulnerability,” he said in an email. “I expect public exploits to surface within a day or so, and applications must be patched quickly. Some web application firewall vendors, such as Cloudflare, have already implemented rules to protect applications from potential exploits. But even web applications protected by these systems should be patched, in case attackers find ways to bypass these protection mechanisms.”

To exploit the React vulnerability, all a threat actor would need to do is send a specially crafted HTTP request to the server endpoint. For security reasons, Wiz researchers didn’t detail how this could be done. But, they said, in similar vulnerabilities, attackers leverage remote code execution on servers to download and execute sophisticated trojans on the server, usually a known C2 framework like Sliver, but in some cases a more custom payload. “The main point,” the researchers said, “is that with an RCE like this, an attacker can practically do anything.”

CISOs and developers need to treat these two vulnerabilities as “more than critical,” said Tanya Janca, a Canada-based secure coding trainer. In fact, she said in an email, they should be treated in the same way that infosec pros treated the Log4j vulnerability, and scour all applications. “There could not be a more serious security flaw in a web application than this,” she said, “even if it is not known to be exploited in the wild yet.”

Advice for CSOs, developers

Janca said developers should:
- make a list of all apps using React or Next.js;
- check if they use any of the known vulnerable versions: React 19.0 / 19.1.0 / 19.1.1 / 19.2.0, and Next.js 14.3.0-canary.77 and later canary releases, 15.x/16.x;
- if so, upgrade to a safe version: React 19.0.1, 19.1.2, 19.2.1 or better; Next.js 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7 or later; if on Next.js 14.3.0-canary.77 or a later canary release, downgrade to the latest stable 14.x release;
- scan with a software composition analysis tool to see if the vulnerable versions are used in unexpected places;
- if, for some reason, they can’t be upgraded, assume those apps are unsafe and turn them off if possible. If they can’t be disabled, treat them like a bomb went off and put a network firewall around them, monitor them and work with the security team on it;
- infosec pros should read app logs and look for strange behavior;
- keep the security team informed.

Most importantly, she said, treat this as an emergency.

This article originally appeared on InfoWorld.
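The first three steps of Janca's checklist above (list the apps, compare their React and Next.js versions against the affected and fixed releases, then upgrade) are mechanical enough to script across many repositories. The following is an added example, not code from the article, from Wiz, or from the React or Next.js projects: it reads an npm lockfile (the v2/v3 `packages` map is an assumption), finds every `react` and `next` entry including nested copies, and classifies each against the version lists the article gives. Minor lines the article does not name (a hypothetical 15.6.x, say) are reported as `unlisted` rather than guessed safe, a pre-release of a fixed version is treated as older than the fix, and sibling packages such as react-dom are deliberately left to an SCA tool because the article does not list them. The sample lockfile is constructed for the demonstration.

```javascript
"use strict";
// Added example: classify React / Next.js versions from an npm lockfile against the
// affected and fixed releases named in the article for CVE-2025-55182 / CVE-2025-66478.
// Assumes an npm lockfile v2/v3 "packages" map. Not code from the React or Next.js projects.

// Fixed releases named in the article, keyed by package and "major.minor" line.
const FIXED_LINES = {
  react: { "19.0": "19.0.1", "19.1": "19.1.2", "19.2": "19.2.1" },
  next: { "15.0": "15.0.5", "15.1": "15.1.9", "15.2": "15.2.6", "15.3": "15.3.6",
          "15.4": "15.4.8", "15.5": "15.5.7", "16.0": "16.0.7" },
};

// Parse "major.minor.patch[-prerelease]" (a leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// True when a is at least b. b is always a plain release here, so a pre-release of the
// same core version (e.g. 15.5.7-canary.3 vs 15.5.7) sorts below it.
function atLeast(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] > b[k];
  }
  return a.pre === null;
}

// Returns "vulnerable", "fixed", "not-affected", "unlisted" (line not named in the
// article; check the advisory), "not-tracked" or "unparseable".
function classify(name, version) {
  const v = parseVersion(version);
  if (!v) return "unparseable";
  const line = `${v.major}.${v.minor}`;
  if (name === "react") {
    if (v.major !== 19) return "not-affected"; // article: the React 19 ecosystem
    const fixed = FIXED_LINES.react[line];
    if (!fixed) return "unlisted";
    return atLeast(v, parseVersion(fixed)) ? "fixed" : "vulnerable";
  }
  if (name === "next") {
    if (v.major < 14) return "not-affected";
    if (v.major === 14) {
      // 14.3.0-canary.77 and later canaries are affected; stable 14.x is the downgrade target.
      const c = v.pre && /^canary\.(\d+)$/.exec(v.pre);
      if (!c) return "not-affected";
      const later = v.minor > 3 || (v.minor === 3 && (v.patch > 0 || +c[1] >= 77));
      return later ? "vulnerable" : "not-affected";
    }
    const fixed = FIXED_LINES.next[line];
    if (!fixed) return "unlisted";
    return atLeast(v, parseVersion(fixed)) ? "fixed" : "vulnerable";
  }
  return "not-tracked";
}

// Walk the lockfile's "packages" map; keys look like "node_modules/react" or
// "node_modules/some-lib/node_modules/react" for nested copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const i = key.lastIndexOf("node_modules/");
    if (i < 0 || !meta || !meta.version) continue;
    const name = key.slice(i + "node_modules/".length);
    if (!Object.prototype.hasOwnProperty.call(FIXED_LINES, name)) continue;
    findings.push({ path: key, name, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not a real project): one vulnerable app-level pair plus a
// nested, unaffected React 18 pulled in by a dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/next": { version: "15.3.2" },
    "node_modules/react": { version: "19.2.0" },
    "node_modules/react-dom": { version: "19.2.0" },
    "node_modules/legacy-widget/node_modules/react": { version: "18.3.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) {
    console.log(`${f.status.padEnd(12)} ${f.name}@${f.version}  (${f.path})`);
  }
}
```

Run it as `node check-rsc.js package-lock.json` in each repository; with no argument it reports on the constructed sample (`next@15.3.2` and the top-level `react@19.2.0` come back `vulnerable`, the nested `react@18.3.1` `not-affected`). Because the lockfile records resolved versions rather than the ranges in package.json, this catches a vulnerable React that arrived through a transitive dependency, which is exactly the "unexpected places" the SCA step is meant to find.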
-
Amazon hopes to jump start its AI coding tool Kiro by giving it away to startups
Can Kiro win the hearts of startup founders above the many AI coding tools they already have? Amazon hopes a free year will tempt them.
-
Meta's Creative Studio Led by Former Apple Design Head to 'Treat Intelligence as a New Design Material'
Meta CEO Mark Zuckerberg today announced plans to launch a creative studio that will be led by former Apple UI designer Alan Dye. As we learned earlier today, Dye is leaving his position as Vice President of Human Interface Design at Apple to become Meta's new chief design officer.

In a post on social media site Threads, Zuckerberg said that Meta's creative studio will merge design, fashion, and technology, while also treating intelligence as a "new design material."

The new studio will bring together design, fashion, and technology to define the next generation of our products and experiences. Our idea is to treat intelligence as a new design material and imagine what becomes possible when it is abundant, capable, and human-centered. We plan to elevate design within Meta, and pull together a talented group with a combination of craft, creative vision, systems thinking, and deep experience building iconic products that bridge hardware and software. We're entering a new era where AI glasses and other devices will change how we connect with technology and each other. The potential is enormous, but what matters most is making these experiences feel natural and truly centered around people. With this new studio, we're focused on making every interaction thoughtful, intuitive, and built to serve people.

Meta is also hiring another Apple designer, Billy Sorrentino, who has been on Apple's human interface design team for the last 10 years. Like Dye, Sorrentino worked on Apple's iOS 26 Liquid Glass redesign. Along with the two former Apple designers, Meta's studio will include its existing industrial design team and its metaverse design and art teams.

Meta currently sells its Quest VR headsets and AI smart glasses designed in collaboration with Ray-Ban and Oakley. Meta is aiming to expand further into hardware, and it is hard at work on a set of augmented reality glasses.

Alan Dye was one of Apple's few remaining designers that worked alongside Jony Ive. He originally joined Apple in 2006, transitioning to Ive's team in 2012 to work on iOS 7. He has been leading Apple's user interface design team since 2015, and will now start at Meta on December 31.
-
Meta poaches Apple design exec Alan Dye
Dye led Apple's user interface team for the last decade.
-
Could MrBeast IPO? His CEO wants fans to have ‘a chance to be owners of the company’
Would you buy stock in a twenty-seven-year-old named Jimmy?
-
RCE flaw in OpenAI’s Codex CLI highlights new risks to dev environments
In a new example of how AI tools expand the attack surface of development machines, researchers found a serious remote code execution flaw in OpenAI’s Codex CLI, one of the most popular LLM-powered coding agents.

“This vulnerability enables silent, repeatable remote code execution in any environment where developers run codex against a repository,” researchers from security firm Check Point, who found the flaw, said in their report. “By abusing project-local config loading, an attacker who can land a commit or PR can turn an otherwise innocent repo into a persistent backdoor that triggers whenever a developer runs codex, with no additional prompts or approvals.”

The vulnerability was reported to OpenAI and was fixed in Codex CLI version 0.23.0 by preventing .env files from silently redirecting the CODEX_HOME environment variable to attacker-controlled locations.

Tricking Codex into executing rogue MCP entries

Like all AI-assisted coding agents, Codex has some powerful privileges, since it needs to be able to read, edit and run code directly from the terminal. In the default mode, the tool can perform tasks without approval within the working directory, but users can change it to either read-only or full access. Allowing the tool to execute commands and modify files in a controlled directory might not seem too risky at first glance, but the Check Point researchers found a creative way to abuse it.

First, like many AI agents, Codex supports the Model Context Protocol (MCP). Developed by AI company Anthropic, MCP has become the de facto industry method of linking LLMs to external data sources and applications. In other words, it’s a building block for creating autonomous AI agents that can automatically discover and use third-party tools. Codex CLI loads and executes configured MCP servers at startup by checking for mcp_servers entries in its .codex/config.toml configuration file. If an attacker can modify this file, they can force Codex to execute malicious commands by adding a rogue MCP server entry to the list.

Codex searches for its config file in its home directory, and that directory is defined through an environment variable called CODEX_HOME. The researchers wondered whether this variable could be overridden when parsing .env files included in a repository, since shipping such files with projects is not unusual. They found that a repository could carry an .env file that sets CODEX_HOME to a path of the form ./.codex, that is, the folder .codex inside the current working directory, which is the repository directory itself. If the repository then has a config.toml file in that .codex directory, the Codex agent treats it as its own config file and parses its mcp_servers entries.

“Because the behavior binds trust to the presence of the MCP entry under the resolved CODEX_HOME rather than to the contents of the entry, an initially innocuous config can be swapped for a malicious one post-approval or post-merge, creating a stealthy, reproducible supply-chain backdoor that triggers on normal developer workflows,” the researchers said.

The researchers demonstrated this attack by replacing benign commands in MCP server entries with commands that create files or open a reverse shell on the machine. These commands were executed without user approval in the default configuration.

Multiple attack vectors

For this flaw to be exploited, the victim needs to clone the repository and run Codex on it, and the attacker needs to have commit access to the repo or get a malicious pull request accepted. “Compromised templates, starter repos, or popular open-source projects can weaponize many downstream consumers with a single commit,” the researchers warned.

Furthermore, if CI tools or build agents automatically run Codex on checked-out code, the compromise could propagate from a developer workstation into build artifacts and downstream deployments of the code. Development machines often contain API tokens for various cloud services, as well as SSH keys and proprietary source code, all of which can be exfiltrated and abused to move laterally to additional assets.

“This breaks the CLI’s expected security boundary: project-supplied files become trusted execution material, and that implicit trust can be exploited with minimal effort and no user interaction beyond standard development workflow,” the researchers found.

While Codex CLI now blocks project-local redirection of the CODEX_HOME environment variable, the incident highlights that such security oversights can exist even in agents built by the leading AI companies. Last week, researchers warned about a flaw that allows instructions from a cloned repository to escape the confines of the current workspace in Google’s new AI-powered Antigravity IDE tool. Earlier this month, another team of researchers showed how rogue MCP servers can take over Cursor’s built-in browser and potentially fully compromise the developer machine.

Organizations that allow their developers to work with AI coding agents and IDE tools should have policies in place regarding the level of automation these tools are configured with, as they can easily become powerful backdoors in case of vulnerabilities or misconfigurations. Security experts have repeatedly cautioned against using fully automated modes that don’t require human review and approval of the execution steps.
-
Roblox banned in Russia, local media says
Russia's communications agency cited the presence of LGBTQ content on the platform as one of the reasons behind the ban.
-
BMW iX3 2026 Review: Price, Specs, Availability
BMW's first car on its new EV platform has finally arrived. But will a big range, thumping charging tech, and a new driving brain that aims to deliver the ultimate ride be enough to beat China?
-
HBO Max: The 30 Absolute Best TV Shows to Watch
Check out these highly rated series on HBO Max, plus a look at what's coming out in December.
-
I Brought Retro Games Back to Life the AI Way, Thanks to Gemini Vibe Coding
Gemini 3 let me relive my favorite childhood games that would otherwise cost me a small fortune.
-
NASA Says Asteroid Bennu Space Dust Contains Clues to How Life May Have Developed in the Cosmos
The asteroid contains some of the basic ingredients for life.
-
The Auk Mini Herb Garden Is Still Up to $30 Off (2025)
Missed out on Cyber Monday? Auk Mini's stylish herb garden makes a great gift, and its discount is still live.
-
Andy Jassy says Amazon’s Nvidia competitor chip is already a multi-billion-dollar business
Can any company, big or small, really topple Nvidia's AI chip dominance? Maybe not entirely, but Amazon is already making big bucks trying.
-
The Age-Gated Internet Is Sweeping the US. Activists Are Fighting Back
Half of the country now requires age verification to watch porn or access “harmful” content. Digital rights advocates are pushing back against legislation they say will make the internet less safe.
-
M5 iPad Pro vs. Samsung Galaxy Tab S11 Ultra
Just before Apple updated the iPad Pro with a next-generation M5 chip, Samsung refreshed its tablet lineup and debuted the Galaxy Tab S11 Ultra. We thought we'd pit Apple's latest iPad Pro against Samsung's newest tablet to see how they compare to one another.

While the iPad Pro measures in at 13 inches, the S11 Ultra is much larger at 14.6 inches. They both have OLED displays, but the bigger screen makes an impact. Samsung's screen is bright, colorful, and has excellent contrast, plus you don't have to pay extra for a matte coating to cut down on glare. The M5 iPad Pro and the S11 Ultra are both 5.1mm, so they're incredibly thin and light. That's especially apparent with the bigger screen.

Apple doesn't let you upgrade iPad Pro storage on your own, but the S11 Ultra has a microSD card slot that accommodates up to 2TB of storage. RAM is up to 16GB, the same as the iPad Pro.

Both tablets have a stylus accessory, but Samsung includes its S Pen in the box while Apple sells the Apple Pencil Pro separately. This year's S Pen has a pencil-like feel and a new tip that provides a better writing experience, but the Apple Pencil is still better.

Samsung's tablets have a DeX mode that allows them to connect to a display or a TV for a desktop-like usage experience. DeX transforms the UI and optimizes it for a larger screen so you can do more on your tablet with dual-screen support. You can connect a second display to your iPad, but the experience is nothing like DeX, and you're limited to the iPad multitasking features. Samsung's S11 Ultra is much better at transitioning from a tablet to something more closely resembling a computer.

Samsung devices run Android, which is an immediate dealbreaker for a lot of Apple users. Android has the benefit of deep AI integration that Apple currently can't match, so the S11 Ultra has features like Drawing Assist, Writing Assist, camera-supported Gemini Live, and full Gemini support.

The iPad Pro has no water resistance, but the S11 Ultra offers IP68 protection, which means it can hold up to submersion in water. The iPad Pro wins in sheer performance thanks to the M5 chip. Samsung has a 3nm MediaTek Dimensity 9400+ chip, but the iPad is almost twice as fast in most benchmarking tests. Apple's App Store is still more robust with a better selection of apps optimized for a tablet-sized screen, and there are many pro-level apps that aren't available on Samsung's platform.

Both Apple and Samsung make keyboard cases for their tablets, but Samsung's S11 Ultra keyboard doesn't have a trackpad, which is a major downgrade compared to the iPad Pro's Magic Keyboard.
-
I Tried Superhuman's New AI Email Features. They Might Actually Make Me More Productive
Smarter drafts and more advanced "Write with AI" features are here to make you better at email.
-
Today's NYT Connections Hints, Answers and Help for Dec. 4, #907
Here are some hints and the answers for the NYT Connections puzzle for Dec. 4, #907.
-
Today's NYT Strands Hints, Answers and Help for Dec. 4 #641
Here are hints and answers for the NYT Strands puzzle for Dec. 4, No. 641.
-
Today's Wordle Hints, Answer and Help for Dec. 4, #1629
Here are hints and the answer for today's Wordle for Dec. 4, No. 1,629.
-
Thousands of Cases of Shredded Cheese Recalled Due to Possible Metal Fragments
The cheeses were recalled from Aldi, Target, Walmart and more by Great Lakes Cheese.
-
Trump administration rolls back fuel economy standards, again
The regulatory decision would make it harder for future administrations to implement stricter fuel efficiency standards.