Feed aggregator


First Comics News - Wed, 05/18/2022 - 14:23

(N=New, NTP=New Time Period)

All Times ET/PT

8:30-9:00 PM BOB ♥ ABISHOLA
9:00-10:00 PM NCIS
10:00-11:00 PM NCIS: HAWAI`I

8:00-9:00 PM FBI
10:00-11:00 PM FBI: MOST WANTED

8:00-9:00 PM SURVIVOR
10:00-11:00 PM THE REAL LOVE BOAT (N)

8:30-9:00 PM GHOSTS (NTP)
9:00-10:00 PM SO HELP ME TODD (N)
10:00-11:00 PM CSI: VEGAS (NTP)

8:00-9:00 PM S.W.A.T. (NTP)
9:00-10:00 PM FIRE COUNTRY (N)
10:00-11:00 PM BLUE BLOODS

10:00-11:00 PM 48 HOURS

7:00-8:00 PM 60 MINUTES
9:00-10:00 PM EAST NEW YORK (N)
10:00-11:00 PM NCIS: LOS ANGELES (NTP)

Categories: Comic Book Blogs


First Comics News - Wed, 05/18/2022 - 05:31

“This is a definitive moment for the XFL and the beginning of an incredible, long-term partnership for the league, building on my longstanding, very successful legacy relationship I’ve had with Disney throughout my career,” Johnson said. “We’re excited to be working with global visionaries that are aligned with the XFL’s values, are true team players and share our ambitious goals to grow the XFL as a global sports and entertainment business. Through the combined power of Disney, ESPN and the XFL, together we will create a new powerhouse on the sports calendar and bring a dynamic game of football to fans everywhere. Time to ball out.”

Categories: Comic Book Blogs


First Comics News - Wed, 05/18/2022 - 05:27
The Dark Knight’s Worst Enemies Star in Definitive, Ultimate Tales!

Revealed today, DC will be publishing a series of standalone, 64-page, one-shot comics featuring Batman’s world-famous enemies! The series of releases, under the header Batman – One Bad Day, will tell definitive tales featuring The Riddler, Two-Face, The Penguin, Mr. Freeze, Catwoman, Bane, Clayface and Ra’s al Ghul! Scroll down for a look at what each team is working on!


Batman – One Bad Day: The Riddler by Tom King & Mitch Gerads:

Tom King and Mitch Gerads reunite in a new 64-page one-shot comic this August! Edward Nygma’s meticulous rules and systems go out the window when he kills seemingly at random, but Batman isn’t buying it! This tense intellectual thriller sees Batman unravel as he tries to decode the Riddler’s motivation!


Batman – One Bad Day: Two-Face by Mariko Tamaki, Javier Fernandez & Jordie Bellaire:

Heads or Tails, when it comes to Two-Face, Batman always loses! Is Harvey Dent back to save Gotham City? In a new 64-page one-shot comic this September, Mariko Tamaki and Javier Fernandez’s tragic noir Two-Face epic will flip that iconic coin…on its head?!


Batman – One Bad Day: The Penguin by John Ridley, Giuseppe Camuncoli, Cam Smith & Arif Prianto:

When the Penguin’s criminal empire is stolen by a former associate, Batman faces both Cobblepot and THE UMBRELLA MAN on the burning streets of Gotham! John Ridley and Giuseppe Camuncoli’s ONE BAD DAY one-shot arrives this October!


Batman – One Bad Day: Mr. Freeze by Gerry Duggan, Matteo Scalera & Dave Stewart:

Save your sympathies, Batman and Robin! Years ago, Gotham City experienced a winter so icy that Mr. Freeze could live without his containment suit! Gerry Duggan and Matteo Scalera deliver a cold new take on Mr. Freeze this November!


Batman – One Bad Day: Catwoman by G. Willow Wilson, Jamie McKelvie & Tamra Bonvillain:

A brooch Selina Kyle’s mother once pawned for pennies is now part of a high-bid auction! The stakes are personal, and Catwoman will steal it back at any cost this December in G. Willow Wilson and Jamie McKelvie’s ONE BAD DAY one-shot!


Batman – One Bad Day: Bane by Joshua Williamson, Howard Porter & Tomeu Morey:

The man who broke the Bat returns for the last vengeance of Bane! See Bane’s mind, body and spirit get ravaged in a ONE BAD DAY one-shot by Joshua Williamson and Howard Porter in January 2023!


Batman – One Bad Day: Clayface by Collin Kelly & Jackson Lanzing, Xermanico & Romulo Fajardo Jr.:

Clayface’s dream was to be famous, but Gotham’s stars don’t always shine bright! Batman chases Basil Karlo to L.A. where Clayface is killing his way to fame in Collin Kelly & Jackson Lanzing and Xermanico’s ONE BAD DAY February one-shot!


Batman – One Bad Day: Ra’s al Ghul by Tom Taylor & Ivan Reis

Finally, capping off the run of one-shot issues is Tom Taylor and Ivan Reis on Ra’s al Ghul’s ONE BAD DAY story in March! You know his name, the Bat will know his wrath!

Categories: Comic Book Blogs

NBC Fall 2022-2023 Season

First Comics News - Wed, 05/18/2022 - 04:05


8 p.m. – 10 p.m.: The Voice

10 p.m. – 11 p.m.: Quantum Leap (new)


8 p.m. – 9 p.m.: The Voice

9 p.m. – 10 p.m.: La Brea

10 p.m. – 11 p.m.: New Amsterdam


8 p.m. – 9 p.m.: Chicago Med

9 p.m. – 10 p.m.: Chicago Fire

10 p.m. – 11 p.m.: Chicago P.D.


8 p.m. – 9 p.m.: Law & Order

9 p.m. – 10 p.m.: Law & Order: SVU

10 p.m. – 11 p.m.: Law & Order: Organized Crime


8 p.m. – 9 p.m.: College Bowl

8 p.m. – 8:30 p.m.: Lopez vs. Lopez (new, November)

8:30 p.m. – 9 p.m.: Young Rock (November)

9 p.m. – 11 p.m.: Dateline NBC


8 p.m. – 9 p.m.: Drama Encores

9 p.m. – 10 p.m.: Dateline Weekend Mystery

10 p.m. – 11 p.m.: SNL Vintage


7 p.m. – 8:20 p.m.: Football Night in America

8:20 p.m. – 11 p.m.: NBC Sunday Night Football

Categories: Comic Book Blogs

ABC Fall 2022-2023 Season

First Comics News - Wed, 05/18/2022 - 03:59


8 p.m. Bachelor in Paradise (Season 8)

10 p.m. The Good Doctor (Season 6)


8 p.m. Bachelor in Paradise (Season 8)

10 p.m. The Rookie: Feds (Season 1)

The Rookie: Feds stars Niecy Nash-Betts as Simone Clark, the oldest FBI Academy rookie. Her character was introduced during a two-part The Rookie episode, where Officer John Nolan (Nathan Fillion) needed Simone’s help when a former student was suspected of terrorism. The show will also star Frankie Faison and Felix Solis.


8 p.m. The Conners (Season 5)

8:30 p.m. The Goldbergs (Season 10)

9 p.m. Abbott Elementary (Season 2, new night)

9:30 p.m. Home Economics (Season 3)

10 p.m. Big Sky (Season 2, new night)


8 p.m. Station 19 (Season 6)

9 p.m. Grey’s Anatomy (Season 19)

10 p.m. Alaska (Season 1)

Alaska could not ask for a better pair of shows to debut behind. The series stars Hilary Swank as Eileen Fitzgerald, a disgraced New York City journalist who tries to find redemption at an Anchorage newspaper. Jeff Perry, Matt Malloy, Meredith Holsman, Grace Dobe, Pablo Castelblanco, Ami Park, and Craig Frank also star in the drama. Tom McCarthy (Spotlight) created the series and directed the pilot.


8 p.m. Shark Tank (Season 14)

9 p.m. 20/20


College Football


7 p.m. America’s Funniest Home Videos (Season 33)

8 p.m. Celebrity Jeopardy! (Season 1)

9 p.m. Celebrity Wheel of Fortune (Season 3)

10 p.m. The Rookie (Season 5)

Categories: Comic Book Blogs

Award-Winning Author Brian Lambert and Wingless Comics Blur The Lines Between Heaven and Hell

First Comics News - Wed, 05/18/2022 - 01:48

Burbank, California, 5/11/2022 – Wingless Comics returns to Kickstarter with its latest offering, Justice #1-3. Described as the continuing saga of the angel named Justice as he learns that the line between Heaven and Hell isn’t as black and white as was told, Justice is an action/adventure/fantasy comic reminiscent of the dark and gritty period of 90’s comics. With influences ranging from Frank Miller to Todd McFarlane, Justice is a gothic storytelling journey.


As Justice tries to unravel his memories, Issue 3 sees him travel to the depths of the underworld. Will he survive a place where angels fear to tread? Previously unknown players reveal themselves and Justice comes face to face with his life prior to descending, but he finds strength in the most unlikely of places.


Featuring the talents of award-winning author Brian J. Lambert, along with the illustrations of Fabio Simao, colors by Nestor Redulla Jr., and letters by RuneMakerz, Justice #3 from Wingless Comics is a story unlike any other. Wingless Comics’ award-winning group of diverse creators is excited to bring the new slate of stories to life.


Justice #1-3 will be live on KICKSTARTER from Tuesday 5/17/2022-Wednesday 6/15/2022.  That campaign allows you to catch up on ALL Wingless Comics offerings at affordable prices, and even the chance to cameo within the pages of our books! The live link is below:



Categories: Comic Book Blogs

RICH REVIEWS: The Tiger’s Tongue # 1

First Comics News - Wed, 05/18/2022 - 01:33

Title: The Tiger’s Tongue # 1
Publisher: Mad Cave Studios
Writer: Olivia Stephens
Artist: Diansakhu Banton-Perry
Inker & Colorist: Bex Glendining
Covers: Odera Igbokwe
Letterer: Jamette Gil
Price: $ 3.99 US
Rating: 3 out of 5 stars
Website: www.madcavestudios.com
Comments: A village comes under the protection and guidance of the tigers. The Tiger People find the River People and they live together in peace. That peace, though, may be broken.
The art looks lovely; it has a nice soft style that brings out the characters’ personalities. The tigers are illustrated as majestic creatures. They appear so peaceful.
The tigers here have many gifts and they pass them on to the Tiger People.
The Court here does have drama going on. The people are unsure of its leadership. Two daughters will compete against each other in three trials to become the new Queen of the Claw. These sisters are totally different and it seems a foregone conclusion which one will win. Will they remain friends still and will their love for each other stay strong as they fight each other? When the trials start the action will too.
The story flows smoothly enough and this issue does set up for what is to come. The tigers are shown and used a small amount. Using them more would help to show how important they are to the people.
The two sisters are the best of friends; the one sister, though, wants to be Queen, and from her reaction to the competition she wants to win in the worst way. Will becoming Queen tear these two loving sisters apart?

Categories: Comic Book Blogs

The Loop Scoop #38: A Yarny Link Party!

Moogly - Wed, 05/18/2022 - 01:00

What a wonderful riot of spring color! This round of the Loop Scoop features five fabulous projects to add some life and color to your day – a mix of free and paid crochet patterns! After you check them out, be sure to also take a peek at the new patterns and links at the...


The post The Loop Scoop #38: A Yarny Link Party! appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Director Rachel Talalay Back For Doctor Who 60th!

Blogtor Who - Wed, 05/18/2022 - 00:15

The legendary Doctor Who director is back calling the shots for the show’s 60th anniversary Director Rachel Talalay, a long time favourite with Doctor Who fans, appeared to confirm today that she’s the director of the 60th Anniversary episode. Or rather, the director of at least one of the Doctor Who episodes next year for […]

The post Director Rachel Talalay Back For Doctor Who 60th! appeared first on Blogtor Who.

Categories: Doctor Who Feeds

First Look At “She Hulk: Attorney At Law”

First Comics News - Tue, 05/17/2022 - 22:08

Directed by Kat Coiro (Episodes 1, 2, 3, 4, 8, 9) and Anu Valia (Episodes 5, 6, 7) with Jessica Gao as head writer, “She-Hulk: Attorney at Law” follows Jennifer Walters as she navigates the complicated life of a single, 30-something attorney who also happens to be a green 6-foot-7-inch superpowered hulk. The nine-episode series welcomes a host of MCU vets, including Mark Ruffalo as Smart Hulk, Tim Roth as Emil Blonsky/the Abomination, and Benedict Wong as Wong. The cast also includes Ginger Gonzaga, Josh Segarra, Jameela Jamil, Jon Bass and Renée Elise Goldsberry. Executive producers are Kevin Feige, Louis D’Esposito, Victoria Alonso, Brad Winderbaum, Kat Coiro and Jessica Gao. Co-executive producers are Wendy Jacobson and Jennifer Booth.


Categories: Comic Book Blogs

Teenage Mutant Ninja Turtles: The Armageddon Game Explodes in Eight-Issue Miniseries from IDW

First Comics News - Tue, 05/17/2022 - 21:13

Tom Waltz, the Grandmaster of TMNT Comic Book Storytelling,
Orchestrates the Ultimate Battle Between Good and Evil

SAN DIEGO, CA (May 17, 2022) – All the pawns have taken their place for the biggest Teenage Mutant Ninja Turtles comic book event of 2022!

Debuting from IDW in August, Teenage Mutant Ninja Turtles: The Armageddon Game shakes the foundation of TMNT’s comic book continuity as years of intricate planning—whether it be in-universe by the manipulative Rat King or behind the scenes by longtime scribe Tom Waltz—come to fruition monthly in eight explosive issues, exquisitely illustrated by Vincenzo Federici (Red Sonja)!

“It’s an absolute honor and privilege to return to IDW’s main TMNT continuity, and to have the opportunity to do it as the creative lead on a huge multilayered event like The Armageddon Game (which has been bouncing around in my brain ever since I stepped away after issue #100) is the veritable icing on the cake,” says Waltz. “I can’t wait for fans to see what we’ve been cooking up. We’ve got a big story to tell and some amazing collaborators joining us in the telling. Let the games begin!”

In The Armageddon Game, the Turtles—under the leadership of the Shredder—begin a dangerous quest to seek out allies against Rat King’s trio of terror: LeatherKrang, Baxter Stockman, and Madame Null. It’s a mission that will see our heroes spread out across New York City…and across multiple dimensions! But they’d better hurry because their enemies are already on the march, and with the Turtles absent, Mutant Town is ripe for false flag attacks, mysterious new villains, and unexpected alliances. The time has come at last to find out who is playing the game…and who is being played!

The groundwork for The Armageddon Game has been over a decade in the making, beginning with the epic world-building collaboration between Waltz and TMNT co-creator Kevin Eastman over the series’ initial 100-issue run, continuing under the skillful direction of Sophie Campbell in the ongoing series since 2020, and boiling over most recently with the two-issue lead-in storyline, The Armageddon Game: Opening Moves.

“When I was seven, I decided that I would become a comic book artist when I grew up…and the credit for that decision goes to TMNT. I was obsessed with them and still am,” says Federici. “My personal vision of TMNT is forged in the television series and films of the ’80s and ’90s, but I also take inspiration from those who have worked on the IDW series from the beginning, such as Mateus Santolouco or Sophie Campbell. In the tradition of those great artists, I’ll be giving my very best effort for this series. Readers will be delighted!”

“This story is going to be huge! There are a ton of players (and more than a few surprises), and honestly, this is just the start. When we reach the end of this saga, it will mark the beginning of a whole new era for the Teenage Mutant Ninja Turtles. Whether you’re a lifelong fan of TMNT or brand-new to the party, The Armageddon Game is not to be missed,” says senior editor Charles Beacham.

Teenage Mutant Ninja Turtles: The Armageddon Game #1 will be available in stores with three cover variants, one featuring art by series artist Vincenzo Federici, a second featuring art by legendary TMNT co-creator Kevin Eastman, and a third retailer incentive edition featuring artwork by Pasquale Qualano.

For information on how to acquire TMNT comics and graphic novels from IDW, please contact your local comic shop or visit www.comicshoplocator.com to find a store near you.

Categories: Comic Book Blogs


First Comics News - Tue, 05/17/2022 - 20:22

An All New Four-Part Mini-Series from Legendary Hellboy Creator Mike Mignola, Bestselling Novelist and Comics Writer Christopher Golden, Acclaimed Comics Writer Thomas Sniegoski, Featuring Art by Peter Bergting and Michelle Madsen

On sale from Dark Horse Comics This August

MILWAUKIE, Ore., (May 17, 2022)— Legendary Hellboy creator Mike Mignola, bestselling novelist and comics writer Christopher Golden, comics writer Thomas Sniegoski, artist Peter Bergting, colorist Michelle Madsen, and longtime Hellboy letterer Clem Robins are returning to the Hellboy universe for Frankenstein: New World, an all-new four-part miniseries from Dark Horse Comics. Frankenstein: New World features the return of Mignola’s take on the Frankenstein monster with the first story to be set chronologically after the conclusion of B.P.R.D.: The Devil You Know, which had concluded the epic story of Hellboy and the B.P.R.D. Mignola will illustrate a variant cover for issue #1, colored by award-winning colorist Dave Stewart.


“At the end of B.P.R.D.: The Devil You Know when we burned down the world and then started it again with frog people, I really did think that would be all we’d see of it,” said Mignola. “And in that same issue, that little glimpse of the Frankenstein monster in the center of the earth, that’s the last I thought we’d see of him. But…when Chris and Tom came to me with the idea of having Frankenstein’s adventures in Frog World, I think it took me about ten seconds to say YES. And then two minutes later I think we were on the phone talking about all the possibilities. I just don’t seem to be able to put a lid on this thing—which I guess is a good thing.”


Safely tucked away inside the hollow earth where humanity survived after Ragna Rok, precocious young Lilja receives visions of a new darkness taking root on the surface. Defying her elders, Lilja awakens the timeless oracle––once known as Frankenstein––to investigate the warnings and, perhaps, even explore the new world above.


“I’ve always had a thing for Frankenstein’s monster,” said Thomas Sniegoski. “I loved the idea of using him as a recurring character in his own adventures, so when Mike added him to the Hellboy universe, I was ecstatic. The stories that we got with the character were cool, but I most definitely wanted more. The last we saw of him was at the end of B.P.R.D. when he was leading some survivors of the apocalypse to the center of the earth. I always wondered if we would see him again—and now, I guess we are! Working with Chris, Mike, and the amazing Peter Bergting has been an absolute blast. This is the kind of weird-ass Frankenstein story that I’ve always wanted to read, and now I get to help write it!”


“Frankenstein: New World actually started with artist Ben Stenbeck, though he doesn’t know it,” said Golden. “Ben had drawn a group shot of a number of Hellboy universe characters (plus Lord Baltimore) together and included Frankenstein holding a staff that had the sword of Hyperborea atop it. Thomas Sniegoski and I were on the phone the next day talking about it, and Tom said something about what a shame it was that the Frankenstein character was lying fallow. As so often happens, a casual comment turned into something more. I said, off-hand, that since the last time we’d seen him he was leading the last of humanity down beneath the surface of the world, we should do a series about Frankenstein returning to the surface world after two thousand years in the hollow earth (after the events of B.P.R.D.: The Devil You Know) and wandering a New World that has no memory of humanity. The second it came out of my mouth, I knew we had to do it. One of Tom’s favorite comics of all time is DC’s Kamandi, and I knew his imagination was already firing like crazy. About five minutes later, we told the idea to Mike Mignola, and he said yes faster than he’s said yes to anything we’ve ever suggested to him. Frankenstein: New World is the weirdest comic either of us has ever done, quiet and creepy and—we hope—a nice balance of dread and wonder. Peter Bergting is doing maybe the most beautiful work of his career thus far, unburdened by pesky things like architecture. This is Peter’s natural element, right here.”


Frankenstein: New World issue #1 will be published by Dark Horse Comics on August 3, 2022. For more information about the Hellboy Universe, follow Dark Horse Comics on Twitter, Facebook and Instagram.

Categories: Comic Book Blogs

Car owners warned of another theft-enabling relay attack

Malwarebytes - Tue, 05/17/2022 - 20:16

Tesla owners are no strangers to seeing reports of cars being tampered with outside of their control. Back in 2021, a zero-click exploit aided a drone in taking over the car’s entertainment system. In 2016, we had a brakes and doors issue. 2020 saw people rewriting key-fob firmware via Bluetooth. And in January this year, a teen claimed he had managed to remotely hack into 25 Tesla vehicles.

This time, we have another Bluetooth key-fob issue making waves. Although there is a Tesla-specific advisory, there are also advisories for this issue generally and for a type of smart lock.

Bluetooth Low Energy and keyless entry systems

The researchers who discovered this issue are clear that it isn’t “just” a problem for Tesla. It’s more of a problem related to the Bluetooth Low Energy (BLE) protocol used by the keyless entry system. Bluetooth is a short-range wireless technology which uses radio frequencies and allows you to share data. You can connect one device to another, interact with Bluetooth beacons, and much more. Bluetooth is a perfect fit for something as commonplace as keyless door entry.

As the name suggests, BLE is all about providing functionality through very low energy consumption. As BLE is only active for very short periods of time, it’s a much more efficient way to do things.

The relay attack in action

Researchers demonstrated how this compromise of the keyless system works in practice. Though light on details, Bloomberg mentions it is a relay attack. This is a fairly common method used by people in the car research realm to try and pop locks.

To help describe a relay attack, it’s common to first explain how a Man in the Middle (MitM) attack works:

In cybersecurity, a Man-in-the-Middle (MitM) attack happens when a threat actor manages to intercept and forward the traffic between two entities without either of them noticing. In addition, some MitM attacks alter the communication between parties, again without them realizing.

For relay attacks, think of two people (or one person with two devices) sliding their way into the device-based communication. Some of the diagrams I’ve seen explaining this attack can be a little confusing, but this video explanation is perfect:

As you can see, two people approach the car. One pulls the handles to trigger the car’s security system into sending out a message. “Are you the owner of this car, are your keys the correct keys for this vehicle?” The authentication challenge is beamed out into the void. The second person is standing by the house with a device.

People often leave their car keys close to the front door. As a result, the keys will be within range of the second person’s device. It takes the fob’s response and beams it back to the criminal by the car. The device in their hand relays the fob’s authentication confirmation to the car and the door unlocks. They then repeat this process a second time. This is to fool the car into thinking the keys are present, at which point they’re able to drive away.

A gear-shift in criminal perspective

Criminals are after maximum gain for minimum effort. They don’t want to attract attention from law enforcement. The sneakier they can be, the less commotion they cause, and the better it’s going to be for them in the long-term.

Think about how seamless a relay approach is to car theft. It’s quick, it’s easy, and it’s completely silent. Consider how much money a professional outfit pulling these car heists can generate. The alternative is messy break-ins, noise, rummaging for keys in a house full of screaming people and barking dogs. Not to mention a significantly increased chance of being caught. If you were a career criminal, which approach would you favour?

A problem which refuses to go away

Relay attacks on cars have been around for several years now. Stolen vehicles are the go-to example of relay attacks if you go looking for more information on the technique. Advice for avoiding relay attacks is widespread, from keeping keys away from the front door (which you should do anyway) to placing them in a signal-blocking bag.

For the Tesla-specific attack, a relay device was placed “within roughly 15 yards” of the smartphone/key-fob, with the other plugged into a laptop close to the vehicle. You can see more information about the more general forms of attack here.

The article mentions that there’s no evidence of this Tesla tomfoolery having happened in the wild. Even so, relay attacks can and do take place. If your car operates a keyless system, take this latest report as a heads-up to ensure your vehicle is safe from attack no matter the make or model.

The post Car owners warned of another theft-enabling relay attack appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV

Malwarebytes - Tue, 05/17/2022 - 20:00

Apple has released security updates for a zero-day vulnerability that affects multiple products, including Mac, Apple Watch, and Apple TV.

The flaw is an out-of-bounds write issue—tracked as CVE-2022-22675—in AppleAVD, a decoder that handles specific media files.

An out-of-bounds write or read flaw makes it possible to manipulate parts of the memory which are allocated to more critical functions. This could allow an attacker to write code to a part of the memory where it will be executed with permissions that the program and user should not have.

Attackers could take control of affected devices if they exploit this flaw.

CVE-2022-22675 is the same vulnerability that affected macOS Monterey 12.3.1, iOS 15.4.1, and iPadOS 15.4.1. The flaw for these was patched in March.

This latest batch of updates has improved bounds checking for additional Apple products running specific operating systems, particularly macOS Big Sur 11.6.6, watchOS 8.6, and tvOS 15.5. These OSs are installed in Apple Macs running Big Sur, Apple Watch Series 3 and later, and Apple TV (4K, 4K 2nd generation, and 4K HD).

Apple says it’s aware this flaw is currently being abused in the wild. It didn’t go into detail, likely to give customers time to patch up their Apple devices.

BleepingComputer has noted that attacks against CVE-2022-22675 might only be targeted in nature. However, if you’re using any or all of the above Apple products we mentioned, it is still wise to apply updates as soon as you can.

Stay safe!

The post Update now! Apple patches zero-day vulnerability affecting Macs, Apple Watch, and Apple TV appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs—now fixed

Malwarebytes - Tue, 05/17/2022 - 19:37

A security researcher has disclosed how he chained together multiple bugs in order to take over Facebook accounts that were linked to a Gmail account.

Youssef Sammouda states it was possible to target all Facebook users but that it was more complicated to develop an exploit, and using Gmail was actually enough to demonstrate the impact of his discoveries.

Linked accounts

Linked accounts were invented to make logging in easier. You can use one account to log in to other apps, sites and services. The most commonly used is the link between Facebook and Instagram, so we will use that as an example. Log in to one account and you are also practically logged in at the other. All you need to do to access the account is confirm that the account is yours.

Since 2009, Facebook has supported myOpenID, which allows users to log in to Facebook with their Gmail credentials. To put it in a simpler way, this means that if you are currently logged in to your Gmail account, the moment you visit Facebook, you will be automatically logged in.

Sandboxed CAPTCHA

The first discovery that enabled this takeover method lies in the fact that Facebook uses an extra security mechanism called “Checkpoint” to make sure that any user that logs in is who they claim to be. In some cases Checkpoint presents those users with a CAPTCHA challenge to limit the number of tries.

Facebook uses Google CAPTCHA and as an extra security feature the CAPTCHA is put in an iFrame. The iFrame is hosted on a sandboxed domain (fbsbx.com) to avoid adding third-party code from Google into the main domain (facebook.com). An iFrame is a piece of HTML code that allows developers to embed another HTML page on their website.

Now, for some reason, probably for logging purposes, the URL for the iFrame includes the link to the checkpoint as a parameter.

For example, let’s say the current URL is https://www.facebook.com/checkpoint/CHECKPOINT_ID/?test=test. In that case the iframe page would be accessible through this URL: https://www.fbsbx.com/captcha/recaptcha/iframe/?referer=https%3A%2F%2Fwww.facebook.com%2Fcheckpoint%2FCHECKPOINT_ID%2F%3Ftest%3Dtest

The attacker can replace the referer parameter in the URL with a next parameter. This allows the attacker to send the URL including the login parameters to the sandbox domain. Now it is time to find a way to grab it from there, which is where cross-site scripting (XSS) comes in.


XSS is a type of security vulnerability, and can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. Attackers can use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy.

The same-origin policy (SOP) is where a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page.

In this case that step was easy, since Facebook allows developers to test certain features and makes it possible for them to upload custom HTML files. The creator can upload these HTML files to the fbsbx.com domain, which, as we saw earlier, is also in use for the Google CAPTCHA. This allows the attacker to bypass the same-origin policy since the target site and the custom script are on the same domain.


CSRF is short for cross-site request forgery. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user’s account.

In his attack script, Youssef used undisclosed CSRF attacks to log the target user out and later log them back in through the Checkpoint.


OAuth is a standard authorization protocol. It allows us to get access to protected data from an application. An OAuth Access Token is a string that the OAuth client uses to make requests to the resource server.

In this case, attackers can log out the current user and then log them back in to the attacker account which is in the Checkpoint state. But how does that allow the attacker to take over the Facebook account? By intercepting an OAuth Access Token string.

This is done by targeting a third-party OAuth provider that Facebook uses. One of these providers is Gmail. Gmail sends back the OAuth Access token to www.facebook.com for the logged in user. And since the attacker can steal the URL including the login parameters by sending them to the sandbox domain, they can intercept the OAuth Access Token string and the id_token of the user.


Summarized, the attacker can upload a script to the Facebook sandbox and try to trick his target(s) into visiting that page by sending them the URL.

Simplified, the script will:

  1. Log out the user from his current session (CSRF)
  2. Send them to the Checkpoint to log back in (CSRF)
  3. Open a constructed accounts.google.com URL that redirects the target to Facebook.

Once the target has visited the page with the script outlined above, the attacker can start harvesting the strings they need to take over the Facebook account.

  1. The attacker waits for the victim to log in and can later extract the Google OAuth Access Token string and id_token
  2. Using the email address included in the id_token they can start a password recovery process
  3. Now the attacker can construct a URL to access the target account with all the data they have gathered

How to unlink accounts

Some sites will offer to log you in using your Facebook credentials. The same reasoning that is true for using the same password for every site is true for using your Facebook credentials to login at other sites. We wouldn’t recommend it because if anyone gets hold of the one password that controls them all, you’re in even bigger trouble than you would be if only one site’s password is compromised.

You can check which accounts are linked to your Facebook account by opening the Facebook settings menu. Scroll down and open Settings & Privacy, then open Settings. At the bottom on the left, use the Accounts Center button. Tap Accounts & Profiles. There you can see a list of the accounts linked to your Facebook account. You can remove any unwanted linked accounts there.

Facebook fix

Youssef says he reported the issue to Facebook in February. It was fixed in March and a $44,625 bounty was awarded earlier this month.

We interviewed Youssef last year. He told us he’s submitted at least a hundred reports to Facebook which have been resolved, making Facebook a safer platform along the way.

The post Gmail-linked Facebook accounts vulnerable to attack using a chain of bugs—now fixed appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Appliqué and Lore: Launch and Giveaway

Moogly - Tue, 05/17/2022 - 15:00

There’s a brand new crochet site launching today – Appliqué and Lore! Olivia Caputo is the mind and talent behind the site, and to help spread the word, she’s giving away an amazing crochet applique ebook – get a peek at her site and enter to win here on Moogly! Disclaimer: I received a free...

The post Appliqué and Lore: Launch and Giveaway appeared first on moogly. Please visit www.mooglyblog.com for this post. If you are viewing this on another site they have scraped the content from my website without permission. Thank you for your support.

Categories: Crochet Life

Long lost @ symbol gets new life obscuring malicious URLs

Malwarebytes - Tue, 05/17/2022 - 14:41

Threat actors have rediscovered an old and little-used feature of web URLs, the innocuous @ symbol we usually see in email addresses, and started using it to obscure links to their malicious websites.

Researchers from Perception Point noticed it being used in a cyberattack against multiple organizations recently. While the attackers are still unknown, Perception Point traced them to an IP in Japan.

The attack started with a phishing email pretending to be from Microsoft, claiming the user has messages that have been embargoed as potential spam. (Using familiar, transactional messages from well-known brands like Microsoft has become a popular tactic for scammers, as a way to defeat spam filters and keen-eyed users.)

The message reads:

You have new 5 held messages. You can release all of your held messages and permit or block future emails the senders, or manage messages individually.

If the recipient clicks any of the links in the email, they are directed to a phishing page made to look like an Outlook login page.

If the recipient follows the often-repeated advice to hover their pointer over the links before clicking them, to see where they go, they will see this weird-looking URL, and probably be none the wiser:


This is almost certainly designed to bamboozle users, but to your computer it looks fine. As weird as this URL appears, it is actually valid and acceptable, and your browser will happily parse it for you.

Users who clicked on the link were passed through a chain of redirects before ending up at a phishing page that looks like the Outlook login screen.

The phishing site is a copy of the Outlook login page

Reading the URL

As weird as it looks, the URL in this phishing campaign sticks to the rules of what’s allowed in a web address. The part you see least often is the @ symbol. RFC 3986 refers to anything after https:// and before the @ symbol, highlighted below, as userinfo. This part of the URL is for passing authentication information like a username and password, but it is very rarely used, and is simply ignored as a so-called “opaque string” by many systems.


The last part of the URL after the # is also ignored when you click the link. This is called the fragment identifier and it represents a piece of the destination page. The browser might use it to scroll to a section of the destination page, or it might be used to pass information to the destination page, but it plays no part in determining what the destination actually is.


In this case the fragment ID—ZmluYW5jZUBuZ3BjYXAuY29t—appears to be a unique ID that identifies the email address the phish was sent to. If it’s removed, the link works but when you reach the final destination it simply shows a loading icon, perhaps to hide the site’s true intentions to accidental visitors or researchers.

What we are left with when we remove the parts of the link that are ignored by the browser is a very ordinary-looking bit.ly link. Exactly the kind of thing you might think is suspicious in an email that says it’s from Microsoft.


As you probably know, bit.ly is a URL shortening service. The bit.ly link redirects users to another URL, likely used for tracking, which itself redirects users to the phishing page.
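The decomposition walked through above can be automated. The following is an added example, not code from the article or from Perception Point: it uses the standard WHATWG `URL` parser (run under Node.js, which supplies `Buffer`) to separate the userinfo a reader sees from the host the browser actually contacts. The sample URL, the function names, and the finding labels are all constructed for illustration.

```javascript
// Added example: structural triage of a link, using the WHATWG URL parser
// (the same parsing rules browsers follow). All sample values are constructed.
const SHORTENERS = new Set(["bit.ly"]); // the only shortener named in the article

// True if the fragment base64-decodes to something shaped like an email address.
function fragmentEncodesEmail(fragment) {
  const decoded = Buffer.from(fragment, "base64").toString("utf8");
  return /^[\w.+-]+@[\w-]+(\.[\w-]+)+$/.test(decoded);
}

function analyzeLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { valid: false, findings: ["unparseable"] };
  }
  const findings = [];
  // Everything between "https://" and "@" is userinfo, not the destination.
  const userinfo = url.password ? `${url.username}:${url.password}` : url.username;
  if (userinfo) {
    findings.push("userinfo-present");
    // Userinfo shaped like a hostname is there to be mistaken for the destination.
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(url.username)) findings.push("userinfo-looks-like-host");
  }
  if (SHORTENERS.has(url.hostname)) findings.push("shortener-destination");
  // The fragment never reaches the server, but it can carry a per-recipient ID.
  const fragment = url.hash.slice(1);
  if (fragment && fragmentEncodesEmail(fragment)) findings.push("fragment-encodes-email");
  return {
    valid: true,
    userinfo,
    host: url.hostname,
    fragment,
    // What is left once userinfo and fragment are stripped away.
    effective: `${url.protocol}//${url.host}${url.pathname}${url.search}`,
    findings,
  };
}

// Constructed sample in the same shape as the campaign URL described above.
const SAMPLE = "https://outlook.office365.example@bit.ly/constructed-sample#dXNlckBleGFtcGxlLmNvbQ==";
console.log(analyzeLink(SAMPLE));
```

A mail filter would run this over every `href` in a message and treat `userinfo-looks-like-host` as a strong signal, since legitimate mail almost never embeds credentials in links.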

Does your browser support the @ symbol?

If you are one of the 2.6 billion people using Chrome, the answer is “yes”, URLs that use the @ symbol work in Chrome and other Chromium-based browsers such as Vivaldi, Brave, and Microsoft Edge.

The latest version of Microsoft’s Internet Explorer doesn’t parse URLs with the @ delimiter though.

Firefox and Firefox-based browsers, such as Tor and Pale Moon, are also affected.

And what about Safari?

According to Thomas Reed, Malwarebytes’ Director of Mac and Mobile, “This technique appears to work in Safari and all other major Mac browsers. Firefox will show a warning when attempting to visit such a link. Unfortunately, Safari—the most popular browser on macOS—does not display a warning and opens the link without objection, as does Chrome.”

Reed also points out that email software will often look for URLs in plain text emails and convert them to clickable links, but the @ symbol seems to prevent this. According to Reed: “The URL used by the phishing campaign does not become a clickable link by itself.” The links will still work in HTML emails, so this isn’t much of a barrier, just a feather in the cap of hold outs who insist on viewing their emails in plain text!

The wide support for the confusing and little-used @ symbol could see it used more widely. In a Threat Post interview, Perception Point’s Vice President of Customer Success and Incident Response, Motti Elloul, predicted that this won’t be the last time we’ll see phishing attacks taking advantage of it.

“The technique has the potential to catch on quickly, because it’s very easy to execute,” he said. “In order to identify the technique and avoid the fallout from it slipping past security systems, security teams need to update their detection engines in order to double check the URL structure whenever @ is included.”

The post Long lost @ symbol gets new life obscuring malicious URLs appeared first on Malwarebytes Labs.

Categories: Techie Feeds

AirTag stalking: What is it, and how can I avoid it?

Malwarebytes - Tue, 05/17/2022 - 14:12

More voices are being raised against the use of everyday technology repurposed to attack and stalk people. Most recently, it’s reported that Ohio has proposed a new bill in relation to electronic tagging devices.

The bill, aimed at making short work of a loophole allowing people with no stalking or domestic violence record to use tracking devices, is currently in the proposal stages. As PC Mag mentions, 19 states currently ban the use of trackers to aid stalking.

Dude, where’s my car?

Using tech to find missing items is nothing new. Back in the 80s, my dad had one of the new wave of tools used to find your lost keys. You put a small device on your keychain, and when they inevitably went missing, you whistled. The device, assuming it was nearby, would beep or whistle back. That is, it would if the range wasn’t awful and it frequently didn’t respond to your best whistle attempts.

Skip forward enough years, and we had a similar concept but with Bluetooth and Radio Frequency. But the range on them isn’t great and so the use is limited.

Step up to the plate, tracker devices.

What is an AirTag?

There are many types of tracking device, but AirTags are, unfortunately for Apple, the one most closely associated with this form of stalking.

Find My, an app for Apple mobiles, is an incredibly slick way to keep track of almost any Apple product you can think of. Making your lost phone make a noise, offline finding, and sending the last location when battery is low are some of the fine-tune options available.

An AirTag is a small round device which plugs right into the Find My options. The idea is a supercharged version of ye olde key whistler. Misplace an item attached to an AirTag, and when you get close enough you’ll even have Precision Finding kicking in to guide you to the lost item.

This is all incredibly helpful, especially if you’re good at misplacing things. Even better if something is stolen. Where it goes wrong is when people with bad intentions immediately figure out ways they can harass people with it.

A stalker’s life for me

Back in January, model Brooks Nader claimed someone placed an AirTag in her coat. Whoever was responsible used it to follow her around for several hours. She only became aware of what was happening because her phone alerted her to the tag’s presence.

However, this is an Apple-specific product, which means not all devices will be able to flag it. Android users are resorting to downloading standalone apps which can flush out unwanted AirTag stalkers. Meanwhile, the case numbers themselves are steadily increasing across multiple regions. Smart stalkers will place tags on items or in places victims won’t suspect. A tag under the car means victims may never even find out they’ve been stalked in the first place.

Apple pushes back on AirTag stalking

This isn’t great news for any company faced with a sudden wave of people abusing their devices. Apple is trying to lead the charge against these practices by making it harder for stalkers.

  • Improving the accuracy of “unknown accessory detected” notices
  • Adding support documents for people who believe they may be being stalked.
  • Implementing notices which say “tracking without consent is a crime”

Advice for people worried about AirTag stalking

Apple’s support document lists two ways to discover unwanted tracking.

  1. If you have an iPhone, iPad, or iPod touch, Find My will send a notification to your Apple device. This feature is available on iOS or iPadOS 14.5 or later. To receive alerts, make sure that you:
    Go to Settings > Privacy > Location Services, and turn Location Services on.
    Go to Settings > Privacy > Location Services > System Services. Turn Find My iPhone on.
    Go to Settings > Privacy > Location Services > System Services. Turn Significant Locations on to be notified when you arrive at a significant location, such as your home.
    Go to Settings > Bluetooth, and turn Bluetooth on.
    Go to the Find My app, tap the Me tab, and turn Tracking Notifications on.
  2. If you don’t have an iOS device or a smartphone, an AirTag that isn’t with its owner for a period of time will emit a sound when it’s moved. This type of notification isn’t supported with AirPods.

Any alert on your mobile device that a tracker is nearby allows you to make the tracker produce a noise via your phone. You can make this noise repeat as often as you want until the device is found.

Disabling the AirTag

If you can’t find the physical object, don’t worry. You can disable it, again using your phone. Apple’s advice:

To disable the AirTag, AirPods, or Find My network accessory and stop it from sharing its location, tap Instructions to Disable and follow the onscreen steps. After the AirTag, AirPods, or Find My network accessory is disabled, the owner can no longer get updates on its current location. You will also no longer receive any unwanted tracking alerts for this item.

Apple has been quite visible in both drawing attention to the problem and providing accessible and straightforward solutions to shutting unwanted tracking down. We can only hope that other companies whose trackers are being misused in this way are doing their part too.

The post AirTag stalking: What is it, and how can I avoid it? appeared first on Malwarebytes Labs.

Categories: Techie Feeds

Top Comments – Pages 1607 – 1608

Looking For Group - Tue, 05/17/2022 - 13:48

Tuesday, YOU are the star! We curate our favourites from the previous week’s comments on lfg.co and Facebook and remind you how clever you are. Here are your top comments for Looking For Group pages 1607 – 1608. Looking For […]

The post Top Comments – Pages 1607 – 1608 appeared first on Looking For Group.

Categories: Web Comics

