Researchers find serious flaws in WordPress plugins used on 400k sites

https://arstechnica.com/?p=1645061


Serious vulnerabilities have recently come to light in three WordPress plugins that have been installed on a combined 400,000 websites, researchers said. InfiniteWP, WP Time Capsule, and WP Database Reset are all affected.

The highest-impact flaw is an authentication bypass vulnerability in the InfiniteWP Client, a plugin installed on more than 300,000 websites. The plugin lets administrators manage multiple websites from a single server. The flaw lets anyone log in to an administrative account with no credentials at all. From there, attackers can delete content, add new accounts, and carry out a wide range of other malicious tasks.

People exploiting the vulnerability need only know the username of a valid account and include a malicious payload in a POST request sent to a vulnerable site. According to Web application firewall provider Wordfence, the vulnerability stems from a feature that allows legitimate users to automatically log in as an administrator without providing a password.
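The root cause described above is a "log me in as this user" request that is honoured on the strength of a username alone. The following is an added illustrative example, not the InfiniteWP Client plugin's code: it shows that vulnerable pattern beside a hardened one in which the request must carry an HMAC token over the username and an expiry, keyed with a secret the management server and the site share out of band. All function names prefixed `example_` and the `$secret` parameter are assumptions for illustration; the only real WordPress APIs used are `get_user_by()`, `wp_set_current_user()`, `wp_set_auth_cookie()`, `get_transient()`, `set_transient()` and `wp_die()`.

```php
<?php
// Added illustrative example, not the plugin's own code. Hypothetical names: everything
// prefixed example_. Real WordPress APIs: get_user_by, wp_set_current_user,
// wp_set_auth_cookie, get_transient, set_transient, wp_die.

// Vulnerable pattern: a session is issued to whoever names a valid login. Knowing an
// administrator's username is the only "credential" required.
function example_autologin_vulnerable( array $post ) {
    $user = get_user_by( 'login', (string) ( $post['username'] ?? '' ) );
    if ( ! $user ) {
        wp_die( 'unknown user', 403 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID ); // no proof of identity was ever checked
    return $user->ID;
}

// The trusted management server signs (username, expiry) with a shared secret.
// Assumption: $secret is a high-entropy value configured on both sides, never sent by the client.
function example_sign_autologin( string $username, int $expires, string $secret ): string {
    return hash_hmac( 'sha256', $username . '|' . $expires, $secret );
}

// Hardened pattern: verify expiry, signature and single use before issuing a session.
function example_autologin_hardened( array $post, string $secret ) {
    $username = (string) ( $post['username'] ?? '' );
    $expires  = (int) ( $post['expires'] ?? 0 );
    $token    = (string) ( $post['token'] ?? '' );

    // Reject expired or unsigned requests before touching the user table.
    if ( $expires < time() || $token === '' ) {
        wp_die( 'expired or missing token', 403 );
    }

    // Constant-time comparison: an early-exit string compare would leak the signature.
    if ( ! hash_equals( example_sign_autologin( $username, $expires, $secret ), $token ) ) {
        wp_die( 'bad signature', 403 );
    }

    // Single use: remember the token until its expiry so a captured request cannot be replayed.
    $seen_key = 'example_autologin_' . hash( 'sha256', $token );
    if ( get_transient( $seen_key ) ) {
        wp_die( 'replayed token', 403 );
    }
    set_transient( $seen_key, 1, max( 1, $expires - time() ) );

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        wp_die( 'unknown user', 403 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID );
    return $user->ID;
}
```

The design point is that the username in the POST body is untrusted input; the only thing that should grant a session is something the attacker cannot produce, here a keyed MAC bound to that username and a short validity window, checked in constant time and accepted once.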

“Logical vulnerabilities like the ones seen in this recent disclosure can result in severe issues for Web applications and components,” Marc-Alexandre Montpas, a researcher at Web security firm Sucuri, wrote in a post. “These flaws can be exploited to bypass authentication controls—and in this case, log in to an administrator account without a password.”

Anyone running InfiniteWP Client version 1.9.4.4 or earlier should update to 1.9.4.5 immediately.

The critical flaw in WP Time Capsule also leads to an authentication bypass that allows unauthenticated attackers to log in as an administrator. WP Time Capsule, which runs on about 20,000 sites, is designed to make backing up website data easier. By including a string in a POST request, attackers can obtain a list of all administrative accounts and automatically log into the first one. The bug has been fixed in version 1.21.16. Sites running earlier versions should update right away. Web security firm WebARX has more details.

The last vulnerable plugin is WP Database Reset, which is installed on about 80,000 sites. One flaw allows any unauthenticated person to reset any table in the database to its original WordPress state. The bug is caused by reset functions that aren’t secured by the standard capability checks or security nonces. Exploits can result in the complete loss of data or a site reset to the default WordPress settings.

A second security flaw in WP Database Reset causes a privilege-escalation vulnerability that allows any authenticated user—even those with minimal system rights—to gain administrative rights and lock out all other users. All site administrators using this plugin should update to version 3.15, which patches both vulnerabilities. Wordfence has more details about both flaws here.
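Both WP Database Reset flaws above come down to a privileged handler that never asks who is calling (a capability check) or whether the request was intended (a nonce). The following is an added illustrative example, not the WP Database Reset plugin's code: a hypothetical reset handler in its vulnerable form, reachable by unauthenticated visitors and by any logged-in user, beside a hardened form that is reachable only by logged-in users, requires the `manage_options` capability, verifies a nonce, and restricts the target tables to an allow-list. Names prefixed `example_` and the `EXAMPLE_RESET_ACTION` constant are assumptions; the destructive step is deliberately stubbed out. Real WordPress APIs used: `add_action()`, `current_user_can()`, `check_admin_referer()`, `wp_nonce_field()`, `sanitize_key()`, `admin_url()`, `esc_url()`, `esc_attr()` and `wp_die()`.

```php
<?php
// Added illustrative example, not the plugin's own code. Hypothetical names: everything
// prefixed example_ or EXAMPLE_. The reset itself is stubbed so this cannot destroy data.

const EXAMPLE_RESET_ACTION = 'example_reset_tables';

// Placeholder for the destructive operation; a real reset plugin would rebuild the named
// core tables here. Kept inert on purpose. Returns how many tables were requested.
function example_do_reset( array $tables ): int {
    return count( $tables );
}

// Vulnerable pattern. Hooking admin_post_nopriv_<action> exposes the handler to visitors who
// are not logged in; hooking admin_post_<action> without a capability check exposes it to any
// logged-in user, including a subscriber. Neither hook verifies that the request was intended.
// (Shown for contrast only; do not register this alongside the hardened handler.)
// add_action( 'admin_post_nopriv_' . EXAMPLE_RESET_ACTION, 'example_reset_vulnerable' );
// add_action( 'admin_post_' . EXAMPLE_RESET_ACTION, 'example_reset_vulnerable' );
function example_reset_vulnerable() {
    $tables = array_map( 'sanitize_key', (array) ( $_POST['tables'] ?? array() ) );
    example_do_reset( $tables ); // any visitor can name 'posts', 'options', 'users', ...
}

// Hardened pattern: no nopriv hook, an authorization check, a nonce check, and an allow-list.
add_action( 'admin_post_' . EXAMPLE_RESET_ACTION, 'example_reset_hardened' );
function example_reset_hardened() {
    // Authorization: only administrators may reset tables. This is the check that keeps a
    // low-privilege authenticated user away from a privileged operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'insufficient privileges', 403 );
    }

    // Intent: dies with a 403 unless the POST carries a valid nonce for this action, so an
    // administrator cannot be tricked into submitting the request from another site (CSRF).
    check_admin_referer( EXAMPLE_RESET_ACTION, '_example_nonce' );

    // Input: only tables the plugin explicitly supports, never an arbitrary client-supplied name.
    $allowed   = array( 'posts', 'comments', 'options', 'terms' );
    $requested = array_map( 'sanitize_key', (array) ( $_POST['tables'] ?? array() ) );
    $tables    = array_values( array_intersect( $allowed, $requested ) );

    example_do_reset( $tables );
}

// The admin page that drives the hardened handler embeds the matching nonce in the form.
function example_render_reset_form(): void {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( EXAMPLE_RESET_ACTION ) . '">';
    wp_nonce_field( EXAMPLE_RESET_ACTION, '_example_nonce' );
    echo '<button type="submit">Reset selected tables</button></form>';
}
```

The two checks guard different things and neither substitutes for the other: the capability check answers "is this user allowed to do this at all", the nonce answers "did this user actually mean to do it now". A handler that has only a nonce is still open to every authenticated user; one that has only a capability check is still open to cross-site request forgery against an administrator.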

There’s no evidence that any of the three vulnerable plugins are being actively exploited in the wild.

via Ars Technica https://arstechnica.com

January 17, 2020 at 05:47AM

Xbox One Console Streaming Now Available Everywhere, Here’s How To Sign Up

https://www.gamespot.com/articles/xbox-one-console-streaming-now-available-everywher/1100-6472830/

While Microsoft’s xCloud game-streaming service remains available only as part of a limited test, the company is expanding its other new streaming offering. Microsoft announced today that Xbox Insiders in every country where Xbox Live is available can now test the console-streaming program that began its limited beta rollout last year.

Console streaming allows players to stream the Xbox One games they already own to their Android phone or tablet from their console. This is done over Wi-Fi while at home and through your mobile data plan if you’re playing on the go.

The service requires a strong connection: either 5 GHz Wi-Fi or a mobile data connection providing at least 10 Mbps down / 4.75 Mbps up. Since it’s a beta, only three titles are available to stream: Forza Horizon 4, Gears 5, and Sea of Thieves.

More details about console streaming can be found on Microsoft’s website.

“We view the public preview as an important step in our journey to deliver game streaming to Xbox players around the world! We are learning from Xbox Insiders like you whenever you participate in these new technologies,” Microsoft said.

The Xbox Insider program is free and available to everyone–you can sign up here. Once you’re accepted into the program, you can get started with the console streaming preview by following the instructions posted below, as written by Microsoft.

As for the xCloud game-streaming service, this is a Netflix-style streaming service that allows users to stream games wherever they are over the internet. Microsoft is currently testing this in the US, UK, and Korea, with support for other parts of the world to come later.

Xbox Console Streaming Startup Guide:

  • You must be an Xbox Insider, in a supported region, with an Xbox One console enrolled in an Xbox One Update Preview ring to participate in the preview. Additional requirements:
    • A phone or tablet running Android 6.0 or higher, with Bluetooth 4.0 (mobile data charges may apply)
    • A Bluetooth-enabled Xbox One Wireless Controller
    • A Microsoft Account with Xbox profile, and high-speed Internet (ISP fees may apply)
    • While not required, we recommend a controller mount for those gamers testing on a phone
  • Download the Xbox Game Streaming (Preview) app from the Google Play Store.
  • The app will guide you through setup on your enrolled Xbox One. This includes a test to ensure your home network, console and controller are ready for Xbox Console Streaming:
    • The network test ensures your console’s network connection and setup meet the minimum requirements:
      • NAT type: Open or Moderate
      • Upstream bandwidth: At least 4.75 Mbps required, 9 Mbps preferred
      • Network latency: 125 ms or less required, 60 ms or less preferred
      • Console settings: Power setting must be Instant-on
    • For help improving your console’s setup, visit the Xbox Support website
    • For additional support, check out the Game Streaming Support Hub, or visit the Xbox Insiders Subreddit


via GameSpot’s PC Reviews https://ift.tt/2mVXxXH

January 16, 2020 at 04:52PM

Hyundai and Kia invest $110 million in UK electric van startup Arrival

https://www.autoblog.com/2020/01/16/hyundai-kia-invest-arrival-electri-delivery-vans/

Korea’s Hyundai Group is backing a UK electric vehicle startup that plans to begin selling battery-powered delivery vans in 2021, the companies said on Thursday. Hyundai and sister firm Kia are making the investment of $110 million (100 million euros or 84.34 million pounds) in Arrival.

Founded in 2015 and based in London, Arrival has developed a boxy, futuristic-looking shuttle bus aimed at the commercial delivery market. The company said its van will have a range between charges of 300 miles.

In a statement, Arrival said it will work with Hyundai and Kia to develop a variety of electric vehicles, initially for the commercial market. Those vehicles will be built on Arrival’s modular vehicle platform or “skateboard” that bundles motor, batteries and chassis components, similar to the skateboard developed by U.S. startup Rivian.

Rivian is backed by Ford and Amazon, and has a contract to build 100,000 electric delivery vans for the e-commerce giant, starting in 2021.

Hyundai and Kia last year invested $89 million in Rimac Automobili, a nine-year-old Croatian company aspiring to build electric supercars that is also backed by Porsche.

Arrival said its vehicles will be equipped with advanced driver assist features and can be upgraded with self-driving systems.

The vehicles are designed to sell for the same price as similar models powered by internal combustion engines and to be built in small “microfactories.” That strategy is the opposite of U.S. electric vehicle rival Tesla, which uses massive “gigafactories.”

Last fall, Arrival, which until now has operated largely in stealth mode, hired General Motors veteran Michael Ableson to head its new North American operations.

With a small factory in Banbury, England, Arrival said it now has 800 employees in five countries, including Germany, Russia and Israel.

Arrival previously said it would use BlackBerry’s QNX operating system to connect safety features in its electric vehicles.

Arrival said its prototype delivery vans are being tested by the Royal Mail, DHL and UPS.


via Autoblog https://ift.tt/1afPJWx

January 16, 2020 at 04:42PM

Sierra Nevada eyes 2021 launch of Dream Chaser space plane

https://www.space.com/sierra-nevada-dream-chaser-launch-2021.html

2021 could be a big year for Sierra Nevada Corp.

The Colorado-based spaceflight company is on track for a 2021 launch debut of its robotic Dream Chaser space plane, even as the firm shoots for the moon under NASA’s Artemis program, Sierra Nevada Corp. (SNC) representatives said. 

via Space.com https://ift.tt/2CqOJ61

January 16, 2020 at 06:48AM

Toyota invests $349 million in flying taxi startup Joby Aviation

https://www.engadget.com/2020/01/16/toyota-flying-taxi-joby-investment/

Toyota just invested $349 million in the flying taxi startup Joby Aviation. The two companies say they will work together, with Joby sharing its all-electric vertical take-off and landing (eVTOL) expertise and Toyota lending its knowledge of manufacturing, quality and cost controls to the development and production of Joby’s future aircraft.

"Air transportation has been a long-term goal for Toyota, and while we continue our work in the automobile business, this agreement sets our sights to the sky," Toyota Motor Corporation President and CEO Akio Toyoda said in a press release. As part of the deal, Toyota Motor Corp. Executive Vice President Shigeki Tomoyama will join Joby’s board of directors.

Toyota’s investment was part of a Series C financing round, in which Joby raised $590 million. Past investors have included Intel Capital, JetBlue Technology Ventures and Toyota AI Ventures.

Toyota isn’t the only automaker eyeing the skies. Hyundai is working on a flying taxi concept with Uber and has hired a NASA engineer to run its "flying car" division. Geely (the Chinese automotive group which manufactures Volvo and Lotus cars) and Daimler have both invested in Volocopter, and Rolls-Royce has its own eVTOL concept.

Joby’s aircraft is a piloted, five-seat eVTOL, with a max speed of 200 miles per hour and a range of over 150 miles on a single charge. According to the company, it is 100 times quieter than conventional aircraft during takeoff and landing and "near-silent" when flying overhead. Additional details about the prototype aircraft and production plans will be announced later, Joby and Toyota said today.

Source: Toyota, Joby Aviation

via Engadget http://www.engadget.com

January 16, 2020 at 09:42AM

Star Trek-inspired medical bed could make X-rays more affordable

https://www.engadget.com/2020/01/16/nanox-digital-x-ray-bed/

X-ray scans are unavailable for most people on Earth (two thirds of them, according to 2012 WHO data), in part due to the sheer cost of the machines themselves. The superheated filament in conventional X-ray machines requires so much energy and heat that it costs millions of dollars just to keep the patient safe. Nanox might just have a way to make these scans widely available, though. It’s introducing the Nanox.Arc, an X-ray machine that looks like a Star Trek biobed and promises to lower the cost to low five-digit figures.

Where familiar X-ray techniques are effectively analog and involve bulky arrays of rotating tubes, Nanox is using a digital system that’s much cooler and can get away with stationary tubes that are much smaller and cheaper. The only thing that needs to move is the gantry holding the X-ray ring as it scans different parts of your body.

The business model could shake things up, too. Instead of asking customers to buy machines outright, Nanox is hoping to offer devices on a "pay-per-scan" basis where the company offers AI-based analysis and cloud services to clinics and hospitals. That would entail recurring costs, but it could still be far more affordable than purchasing a machine costing orders of magnitude more.

Nanox didn’t say when it expected to make the scanner available, although it does hope to deploy 15,000 units in the "near term." It just got $26 million in extra funding from Foxconn, though, and it has a clear goal: it wants to give everyone an X-ray scan per year as a preventative step. Ideally, you’d spot cancer and other hidden medical issues early enough to get effective treatment, rather than waiting until there are conspicuous signs of trouble.

Source: Nanox

via Engadget http://www.engadget.com

January 16, 2020 at 07:05AM

With Help from Pigeon Feathers, This Robot Takes to the Sky

https://www.discovermagazine.com/technology/with-help-from-pigeon-feathers-this-robot-takes-to-the-sky

If flying is for the birds, then where better to look for aerodynamic inspiration than to birds themselves?

A group of researchers at Stanford University this week unveiled findings from a study that mimicked pigeons’ wing design in a new flying robot. Nature’s aerial acrobats, it turns out, can teach humans a thing or two about airborne travel.

“My dream is to develop robots that fly as well as birds, and this is a major step forward,” said David Lentink, assistant professor of mechanical engineering at Stanford, in remarks provided to media before the paper’s release. Lentink was among the authors of the study, published Thursday in Science Robotics, that outlined the team’s development of a “biohybrid aerial robot platform.” 

Otherwise known simply as “PigeonBot,” the winged device incorporated real pigeon feathers and was modeled after birds’ skeletal structures and feather movements. Video by the team shows researchers remotely controlling the robot’s wings — which were built to bend at about the same places as where real birds have “wrist” and “finger” joints — and guiding the bot through graceful turns as it glided through the air. 

“We uncovered how birds are able to fluidly morph their wings in a surprisingly simple fashion,” Lentink said, noting the research offered evidence that birds can control their flight using just one of their joints. 

Besides possibly spurring other engineers to create new wing designs, Lentink said the research also had other potential applications, including crafting wings that could fly more safely through turbulence. The findings could also advance scientists’ understanding of feather evolution, he said.

Close up of the PigeonBot wing, made of real feathers linked by elastic ligaments to synthetic wrists and fingers. (Credit: Lentink Lab / Stanford University)

In building his pigeon-inspired robot, Lentink said he purposely zeroed in on a bird species known not as much for its graceful flight and more for its ability to fly in less-than-ideal conditions. “I chose the common pigeon,” he said, “a bird that I admire for its flight abilities in gusts and turbulence in cities, a wind environment in which aerial robots struggle.”

In the future, though, he’s suggested expanding his research to include as many as about 10,000 bird species — a sampling pool that he’s said could expand knowledge of feather biomechanics and lead to other applications.

The PigeonBot in flight. (Credit: Lentink Lab / Stanford University)

But, for now, a set of wings modeled on the humble pigeon represents a step — er, flap — in that direction.

“Since the Wright brothers, aerospace engineers have tried to create wings that can change shape, or morph, as well as birds can morph their wings,” said Lentink. “We present a major step forward with the first biohybrid morphing wing under robotic control that can morph like a bird.”

via Discover Main Feed https://ift.tt/2rbDICG

January 16, 2020 at 01:24PM