Update Your iOS Devices Now — 3 Actively Exploited 0-Days Discovered

https://ift.tt/350m6Lq

Apple on Thursday released multiple security updates to patch three zero-day vulnerabilities that were revealed as being actively exploited in the wild.

Rolled out as part of its iOS, iPadOS, macOS, and watchOS updates, the flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.

The zero-days were discovered and reported to Apple by Google’s Project Zero security team.

“Apple is aware of reports that an exploit for this issue exists in the wild,” the iPhone maker said of the three zero-days without giving any additional details so as to allow a vast majority of users to install the updates.

The list of impacted devices includes iPhone 6s and later, iPod touch 7th generation, iPad Air 2 and later, iPad mini 4 and later, and Apple Watch Series 1 and later.

The fixes are available in versions iOS 12.4.9 and 14.2, iPadOS 14.2, watchOS 5.3.9, 6.2.9, and 7.1, and as a supplemental update for macOS Catalina 10.15.7.

According to Apple’s security bulletin, the flaws are:

  • CVE-2020-27930: A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.
  • CVE-2020-27932: A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2020-27950: A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.

“Targeted exploitation in the wild similar to the other recently reported 0days,” said Shane Huntley, Director of Google’s Threat Analysis Group. “Not related to any election targeting.”

The disclosure is the latest in the string of zero-days Project Zero has reported since October 20. First came the Chrome zero-day in the FreeType font rendering library (CVE-2020-15999), then a Windows zero-day (CVE-2020-17087), followed by two more in Chrome and its Android variant (CVE-2020-16009 and CVE-2020-16010).

A patch for the Windows zero-day is expected to be released on November 10 as part of this month’s Patch Tuesday.

While more details are awaited on whether the zero-days were abused by the same threat actor, it’s recommended that users update their devices to the latest versions to mitigate the risk associated with the flaws.

Security News

via THN : The Hacker News https://ift.tt/1jm7smN

November 6, 2020 at 01:48AM

Back to the future: What the Jericho Forum taught us about modern security

https://ift.tt/3mxZ9p8

Some of the earliest formal work on what we now call Zero Trust started around in a security consortium known as the Jericho Forum (which later merged into The Open Group Security Forum). This started as a group of like-minded CISOs wrestling with the limitations of the dominant and unquestioned philosophy of securing all resources by putting them on a ‘secure’ network behind a security perimeter.

The Jericho Forum promoted a new concept of security called de-perimeterisation that focused on how to protect enterprise data flowing in and out of your enterprise network boundary instead of striving to convince users and the business to keep it on the corporate network. This shift to “secure assets where they are” proved quite prophetic, especially when you consider that the original iPhone didn’t release until 2007 (which triggered the sea change of user preferences shaping enterprise technology decisions that is now just normal).

One CISO: Our network has become a mini-internet

A lot has changed since the days when we knew exactly what is on our network. A CISO of a multinational organization once remarked that its corporate network has become a miniature internet. With hundreds of thousands of devices connected at all hours including many unmanaged devices, the network has lost its ability to create trust for the devices on it. While network controls still have a place in a security strategy, they are no longer the foundation upon which we can build the assurances we need to protect business assets.

In this blog, we will examine how these concepts (captured succinctly in the Jericho® Forum Commandments) have helped shape what has become Zero Trust today, including Microsoft’s Zero Trust vision and technology.

Accepting de-perimeterisation frees security architects and defenders to re-think their approach to securing data. Securing data where it is (vs. artificially confining it to a network) is also naturally more aligned to the business and enables the business to operate securely.

Blocking is a blunt instrument

While security folks love the idea of keeping an organization safe by blocking every risk, the real world needs flexible solutions to gracefully handle the grey areas and nuances.

The classic approach of applying security exclusively at the network level limits what context security sees (e.g. what the user/application is trying to do at this moment) and usually limits the response options to only blocking or allowing.

This is comparable to a parent filtering content for their children by blocking specific TV channels or entire sites like YouTube. Just like blocking sites in security, the coarse-grained blocking causes issues when kids need YouTube for their online classes, or when they find other websites and TV channels with inappropriate content.

We have found that it’s better to offer users a safe path to be productive rather than just blocking a connection or issuing an “access denied.” Microsoft has invested heavily in zero trust to address both the usability and security needs in this grey area:

  • Providing easy ways to prove trustworthiness using multi-factor authentication (MFA) and Passwordless authentication that do not repeatedly prompt for validation if risk has not changed as well as hardware security assurances that silently protect their devices.
  • Enabling users to be productive in the grey areas – Users must be productive for their jobs even if they are working from unmanaged networks or unusual locations. Microsoft allows users to increase their trust with MFA prompts and enables organizations to limit or monitor sessions to mitigate risk without blocking productivity.

While it’s tempting to think “but it’s just safer if we block it entirely”, beware of this dangerous fallacy. Users today control how they work and they will find a way to work in a modern way, even if they must use devices and cloud services completely outside the control of IT and security departments. Additionally, attackers are adept at infiltrating approved communication channels that are supposed to be safe (legitimate websites, DNS (Domain Name Servers) traffic, email, etc.).

The Jericho Forum recognized emerging trends that are now simply part of normal daily life. As we make security investments in the future, we must embrace new ways of working, stop confining assets unnaturally to a network they do not belong on, and secure those assets and users where they are and wherever they go.

The post Back to the future: What the Jericho Forum taught us about modern security appeared first on Microsoft Security.

Malware

via Microsoft Malware Protection Center https://ift.tt/2SwHXRu

October 28, 2020 at 11:06AM

BLURtooth vulnerability lets attackers overwrite Bluetooth authentication keys

https://ift.tt/33aTA7X

The organizations behind the Bluetooth wireless technology have published guidance today on how device vendors can mitigate a new attack on Bluetooth-capable devices.

Named BLURtooth, this is a vulnerability in a component of the Bluetooth standard named Cross-Transport Key Derivation (CTKD).

This component is used for negotiating and setting up authentication keys when pairing two Bluetooth-capable devices.

The component works by setting up two different sets of authentication keys for both the Bluetooth Low Energy (BLE) and Basic Rate/Enhanced Data Rate (BR/EDR) standards.

CTKD’s role is to have the keys ready and let the paired devices decide what version of the Bluetooth standard they want to use. Its primary use is for the Bluetooth “dual-mode” feature.

BLURtooth attack leads to key overwrite

But according to security notices published today by the Bluetooth Special Interest Group (SIG) and the CERT Coordination Center at the Carnegie Mellon University (CERT/CC), an attacker can manipulate the CTKD component to overwrite other Bluetooth authentication keys on a device, and grant an attacker connecting via Bluetooth access to other Bluetooth-capable services/apps on the same device.

In some versions of the BLURtooth attack, the authentication keys can be overwritten completely, while in others, authentication keys can be downgraded to use weak encryption.

All devices using the Bluetooth standard 4.0 through 5.0 are vulnerable. The Bluetooth 5.1 standard comes with features that can be activated to prevent BLURtooth attacks.

Bluetooth SIG officials say they started notifying vendors of Bluetooth devices about the BLURtooth attacks and how they could mitigate its effects when using the 5.1 standard.

Patches… uhm… will be ready… when they’re ready

However, patches are not available at the time of writing. The only way to protect against BLURtooth attacks is to control the environment in which Bluetooth devices are paired, in order to prevent man-in-the-middle attacks.

But patches will be available at one point. When they’ll be, they’ll most likely be integrated as firmware or operating system updates for Bluetooth capable devices.

The timeline for these updates is, however, unclear, as device vendors and OS makers usually work on different timelines, and some may not prioritize security patches as much as others.

Users can keep track if their device has received a patch for the BLURtooth attacks by checking firmware and OS release notes for CVE-2020-15802, the bug identifier of the BLURtooth vulnerability.

According to the Bluetooth SIG, the BLURtooth attack was discovered independently by two groups of academics from the École Polytechnique Fédérale de Lausanne (EPFL) and Purdue University.

Security News

via Zero Day https://www.zdnet.com/

September 9, 2020 at 02:45PM

Android security update tracker: Ranking the top smartphones

https://ift.tt/2Wb1o7q

Major updates of Android don’t matter as much as they used to. Many components of the operating system are updated through the Play Store, so even if you’re on Android 8 or 9, you can still access most of the same apps and features as someone on the latest release of Android 10. However, the security updates that Google releases on a monthly basis are still critical to keeping your phone or tablet safe. Dozens of security flaws are discovered in components of Android each month, which is why Google releases monthly security patches.

However, unlike app and API updates, the security patches can’t be delivered directly to devices — phone manufacturers have to integrate the changes into their own flavors of Android, and release them as system updates.

It’s common knowledge that some companies are better than others when it comes to patching their phones, but making direct comparisons is somewhat difficult. It’s hard to track down information about when exactly updates are released, so news coverage often relies on device owners seeing the update themselves. Carriers and slow rollouts only make matters more complicated.

The good news is that we’ve done all the hard work for you. This is our ultimate security update tracker, where we’re giving each recent flagship phone a simple score from 1-10, based on how long it takes for security updates to get from Google to device owners.

How we score devices

If you’re interested in how we gather this data and assess it, we explain our methodology more on the second page. Here’s the short version:

  • We compiled a list of dates for security patches for each major 2019 Android flagship, starting from January 2019 or when the phone was released in the United States (whichever was earliest).
  • The date for each security update is the first evidence we could find of a public rollout, either from an official announcement from the device maker, news coverage of the update, or confirmed reports from social media (whichever was earliest).
  • Each device’s score is calculated using a weighted average of the number of days between a security update’s availability and the device’s OTA being released, the resulting "score" being normalized into a number out of 10, and then a standard penalty being assessed for any given monthly update that is missed subtracting from that score.

Google Pixel 3/4: 10.0

It shouldn’t come as a surprise that Google’s flagships get perfect scores. Ever since the days of Nexus phones, Google has released security updates for its devices at the same time as the official security bulletins, effectively giving Pixel phones day-one updates.

Pixel phones are the only devices we’ve tracked that didn’t miss a single month. There are a few instances where a security bulletin comes out a day or two before the Pixels get their updates, and vice-versa, but on average the delay is still zero days.

If reliable and frequent security updates are your main concern when buying a phone, no other Android device comes close to matching the record of Pixel devices. Well, except for the Essential Phone, but those days are over.

Samsung Galaxy S20: 10.0

Matching Google for first place is Samsung’s current flagship phone, the Galaxy S20. Granted, the phone has only been available to purchase for a few months, but Samsung has been extremely quick to update the phone so far.

The Galaxy S20 hasn’t missed a single month of updates so far. Samsung has also released security patches on the same day as Pixels, or only a day or two afterwards.

Only time will tell if Samsung can keep up its rapid release schedule, but if last year’s Galaxy S10 is any indication, you probably won’t ever have to worry about security with the S20.

Samsung Galaxy S10: 8.0

While Samsung has done a good enough job of keeping its flagship smartphones up to date with the latest security patches — the Galaxy S7 is still receiving quarterly fixes — the company improved its schedule slightly with the Galaxy S10.

Not only has the S10 received security updates in a timely manner, but it was also among the first phones to receive an update to Android 10. Not bad at all.

The Galaxy S10 has only missed two security updates since its release in early 2019: the patches for June and July 2019 were included in an August update. However, the S10’s typical delay from when Google’s security bulletins were published is the main reason it falls behind other devices.

Nokia 9 PureView: 7.5

The Nokia 9 PureView is the closest thing HMD Global had to a flagship Android device in 2019 (Nokia’s product lines have a lot of overlap), and even though the phone suffered from camera and fingerprint reader bugs when it launched, the PureView’s security update record has been fairly good.

According to our data, the PureView has only skipped one month since its release. The May 2019 patch was never rolled out (Nokia combined it with the June patches), but that’s the only exception so far.

While there were a few instances of Nokia rolling out the update in the first week of the month, most patches were released around two weeks later. For example, the February 2020 update rolled out on February 24th, the December 2019 patches were released on December 31st, and so on.

Sony Xperia 1: 5.5

Since its US release in early 2019, Sony’s Xperia 1 has skipped quite a few security updates. In general, updates were delivered on a bi-monthly basis, but the phone did go three months without an update during one period.

Sony skipped the July and August 2019 patches for the Xperia 1, but the phone finally was updated in September. Since then, the company has been more consistent with patches.

The Xperia 1 is coming up on its first birthday, so let’s hope Sony doesn’t drop the ball again after its successor is eventually released.

Asus Zenfone 6: 5.0

I certainly didn’t expect an Asus phone to be in the top half of this list, but I have to give credit where credit’s due. Even though this isn’t an incredible score, it does narrowly beat out devices that are often perceived as providing more frequent updates, like the OnePlus 7 Pro.

The Zenfone 6 was something of a turning point for Asus’ mobile division when it was released last year. It was a great device in its own right, as we highlighted in our review, but Asus also made frequent updates a higher priority.

Still, there’s some room for improvement. I hope Asus can keep it up with its next mainstream phones.

OnePlus 7T Pro: 4.5

OnePlus is typically praised for its quick updates, so this score for the company’s final 2019 flagship might come as a surprise to many of you. However, as the old saying goes, the data doesn’t lie.

The 7T Pro was released only a few months before the coronavirus outbreak in China, where OnePlus and other Chinese OEMs had to work at limited capacity. The 7T Pro didn’t get its January security update until February 14th, for example. Since then, the update schedule has been more consistent, but still only bi-monthly (and usually 2-3 weeks after Pixels).

It’s worth noting that OnePlus does have an Open Beta program, where device owners can receive updates before they are ready for prime time, but that can come with bugs and other consequences.

OnePlus 7 Pro: 4.5

The OnePlus 7 Pro has been available since mid-2019, but for the moment, it gets the same score as the newer 7T Pro. Like the company’s other phones, the 7 Pro typically skips every other month.

However, OnePlus sometimes made up for the skipped updates by pushing the next one quickly. The phone didn’t get a July 2019 update, but the August patch was delivered on July 31st ⁠— five days before the Pixel 3/4 got it.

LG G8 ThinQ: 3.0

I know this will come as a total shock to many of you, but LG is not good at updates. The company’s mainstream 2019 flagship, the G8 ThinQ, has skipped several months of updates and has a high average delay.

However, there is one major caveat to our data on the G8: we’re using rollout dates for the AT&T model, because there isn’t enough public data about the US unlocked version.

The added step of carrier approval could be adding some delay, but the frequency of patches is the G8’s primary issue. There were no updates at all from late September until mid-February — and the February update only had the December patches!

Motorola Moto Z4: 2.5

Motorola has a known history of being extremely late with software updates, unless you happen to live in South America (where the company tends to focus its resources). As such, the Moto Z4’s position near the bottom of this list probably isn’t much of a surprise.

The Moto Z4 has an average update delay of over a month. However, it’s more likely for Z4 owners to not get an update at all. The Z4’s first update came in mid-July (containing May patches), then there were no updates at all until mid-November. Oh, and the November update was two months behind in security patches.

Asus ROG Phone II: 0.0

Asus has offered frequent and quick updates for its main flagship, the ZenFone 6, but that same attention has not carried over to the company’s current gaming phone.

The ROG Phone II’s security patch level has only been updated once since its release in August 2019, as part of the device’s Android 10 update. Yikes.

Asus has updated the ROG Phone II’s operating system a few other times ⁠— an August OTA included new lighting effects, and a November update fixed several bugs ⁠— but none of those seemingly included newer security patches. As a result, the ROG Phone II is the first phone to receive a zero on our scale.

We plan to keep this guide updated as each new month passes. See the second page for info on how we’re dealing with things like regions, staged rollouts, calculating dates, and more methodological info.

Special thanks to The Android Soul, Xperia Blog, and 9to5Google for covering some of the device updates we would have otherwise missed.

via Android Police – Android news, reviews, apps, games, phones, tablets

May 7, 2020 at 02:29PM

Android malware disguises as ad blocker, but then pesters users with ads

https://ift.tt/2XglL1V

Security researchers have discovered a new Android malware strain that’s currently being distributed as an ad blocker for Android users, but, ironically, once installed, it pesters victims with ads through multiple methods every couple of minutes.

Named FakeAdsBlock, this new strain has already infected at least 500 users, according to Malwarebytes, the antivirus maker who spotted the malware.

Its distribution vector is via third-party app stores, where it’s available for download as an ad-blocking app named Ads Blocker, said Nathan Collier, Senior Malware Intelligence Analyst.

This, however, might change in the future. Collier said they already found evidence that the same FakeAdsBlock malware was also available hidden in apps named “Hulk (2003).apk,” “Guardians of the Galaxy.apk,” and “Joker (2019).apk.” The researcher says this suggests that the malware’s creators were in the midst of shifting their distribution pattern to a bogus movie streaming portal.

Users looking to watch pirated movies would eventually end up installing a malicious app infected with FakeAdsBlock. This distribution vector isn’t new and has often been seen before — especially with apps that purport to grant access to adult movies.

FakeAdsBlock modus operandi

As for the malware itself, FakeAdsBlock is something else, especially in the brash way it bombards users with ads.

All of this starts with its installation process, where the Ads Blocker app (in which the malware is hidden) asks for permission to display content over other apps.

This is an odd permission to request, especially for an app with a stated goal of removing content, and not showing something on top.

But the shady things continue. The app also requests access to install a VPN connection, which, again, is very odd.

“To clarify, the app doesn’t actually connect to any VPN,” Collier said. “Instead, by clicking OK, users actually allow the malware to run in the background at all times.”

[Image: fakeadsblock-install.png (credit: Malwarebytes)]

Yet, the shady things don’t stop here. The FakeAdsBlock malware also requests access to show a widget on the device’s home screen. This makes no technical sense, as an ad blocker does not need to show widgets — but more on this later.

Once all this finishes, the app shows a screen with some text scrolling down and then disappears for good. The malware then removes its icon, and the ad bombardments begin. These appear everywhere, in different forms.

There are fullscreen ads, notifications spam, and websites that open out of the blue, prompting the user to enable new notifications here too.

[Image: fakeadsblock-ads.png (credit: Malwarebytes)]

But the novel and the most perfidious trick is the use of a home screen widget to show ads, something not seen before.

According to Collier, the FakeAdsBlock malware uses a transparent widget inside which it loads ads at regular intervals. Because the ads are shown inside a widget, they can’t be dismissed unless the user removes the widget. But since the user can’t see the widget on their screen, they never know the widget is there, in the first place.

[Image: fakeadsblock-widget.png (credit: Malwarebytes)]

“Ads Blocker is inordinately hard to find on the mobile device once installed,” Collier said. “To start, there is no icon for Ads Blocker. However, there are some hints of its existence, for example, a small key icon in the status bar.” [see image above]

“This key icon was created after accepting the fake VPN connection message, as shown above. As a result, this small key is proof that the malware is running in the background,” the Malwarebytes researcher added.

But once users get an idea that something might be wrong, they can head over to the Android OS’ apps section, from where they can remove it like any other app. Here, the app should be easy to spot, as it’s the only one without an icon or a name. The FakeAdsBlock authors thought they were smart by hiding these two details, but they actually made it stand out further.
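The traits described in this article can be checked statically before an app is ever installed. The following is an added example, not code from Malwarebytes or the original article: it triages a decoded AndroidManifest.xml (for instance, as produced by apktool) for the combination reported here: overlay permission, a VPN service, a home screen widget, and no app label or icon. The mapping of those behaviours to specific manifest entries, the function names, and both sample manifests are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest live in the Android XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Assumed manifest counterparts of the behaviours the article describes.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"   # "display over other apps"
VPN_BIND_PERMISSION = "android.permission.BIND_VPN_SERVICE"     # VPN service declaration
VPN_SERVICE_ACTION = "android.net.VpnService"
WIDGET_UPDATE_ACTION = "android.appwidget.action.APPWIDGET_UPDATE"  # home screen widget


def _actions(component):
    """Return the set of intent-filter action names declared on a component."""
    return {a.get(A + "name") for a in component.findall("./intent-filter/action")}


def triage_manifest(manifest_xml):
    """Return the sorted list of FakeAdsBlock-style traits found in the manifest."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    traits = []

    permissions = {p.get(A + "name") for p in root.findall("uses-permission")}
    if OVERLAY_PERMISSION in permissions:
        traits.append("overlay_permission")

    if app is not None:
        for service in app.findall("service"):
            if (service.get(A + "permission") == VPN_BIND_PERMISSION
                    or VPN_SERVICE_ACTION in _actions(service)):
                traits.append("vpn_service")
                break
        for receiver in app.findall("receiver"):
            if WIDGET_UPDATE_ACTION in _actions(receiver):
                traits.append("home_screen_widget")
                break
        # Missing or empty label and icon: the app shows up blank in the apps list.
        if not app.get(A + "label") and not app.get(A + "icon"):
            traits.append("no_label_or_icon")

    return sorted(traits)


def is_suspicious(traits):
    """Flag only the full combination; each trait alone is common in benign apps."""
    required = {"overlay_permission", "vpn_service", "home_screen_widget"}
    return required.issubset(traits)


# Constructed sample: an "ad blocker" declaring all of the traits above.
SAMPLE_SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.adsblocker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".BackgroundService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
    <receiver android:name=".AdWidget">
      <intent-filter>
        <action android:name="android.appwidget.action.APPWIDGET_UPDATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary VPN client with a label and icon, no overlay, no widget.
SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vpnclient">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="@string/app_name" android:icon="@mipmap/ic_launcher">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        found = triage_manifest(xml_text)
        print(name, found, "FLAG" if is_suspicious(found) else "ok")
```

A match is a prompt for manual review rather than a verdict, since the check keys on a combination of declarations and not on any sample-specific indicator.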

[Image: fakeadsblock-uninstall.png (credit: Malwarebytes)]

Security News

via Zero Day https://www.zdnet.com/

November 15, 2019 at 03:22PM

Stop Using Public USB Ports to Charge Your Phone

https://ift.tt/2NU7VyZ

Battery power is one of those things that’s always at a premium, especially when you’re traveling and need to use one of the precious few power outlets at the airport to keep your device charged.

This week, the LA County District Attorney’s office put out a warning to remind everyone of one way you shouldn’t keep that device charged: a public USB port.

We warned people about using public USB ports back in May.

The issue is that public USB ports can potentially be hacked so that they install data-stealing malware onto your phone while you charge up. Called “juice-jacking,” the hack could result in scammers getting access to your passwords, personal information and more. Not exactly worth it for a few more minutes of Candy Crush, right?

If you do use one of the ports (don’t!), make sure you’re not agreeing to give the port access to data on your device. Depending on your device, you might see a pop up when you connect asking if you trust the device. You do not.

A better option is always to simply plug your phone or tablet into an AC outlet instead. I highly recommend picking up a small surge protector prior to your holiday travels and bringing that along. The protector takes up a minimal amount of bag space and can be a powerful tool when it comes to negotiating with someone to let you share a power outlet.

Things like portable batteries can also be your friend and can help provide a little juice even when you’re out in the world away from outlets as a whole. I’m a huge fan of this Mophie battery that can even charge your laptop if you need it to, but if your phone is your only concern you can get some much smaller and cheaper batteries that can get the job done as well.

Tech

via Lifehacker https://lifehacker.com

November 16, 2019 at 03:33PM

This New Android Malware Can Survive a Factory Reset

https://ift.tt/2pqSghj

Here’s a fun one: There’s new Android malware making the rounds that is not only irritating—thanks, pop-up ads—but it’s also incredibly difficult to remove from your Android device once you’re infected.

Though this somewhat-new “xHelper” malware has affected a low number of Android users so far (around 45,000, estimates Symantec), the fact that nobody has any clear advice on how to remove it is worrisome. While the odds are good that you won’t get hit with this malware, given its low installation rate so far—even though it’s been active since March—you should still know what it does and how to (hopefully) avoid it.

As Malwarebytes describes, xHelper starts by concealing itself as a regular app by spoofing legitimate apps’ package names. Once it’s on your device, you’re either stuck with a “semi-stealth” version, which drops an xHelper icon blatantly in your notifications—but no app or shortcut icons—or a “full-stealth” version, which you’ll only notice if you visit Settings > Apps & notifications > App Info (or whatever the navigation is on your specific Android device) and scroll down to see the installed “xHelper” app.

What does xHelper do?

Thankfully, xHelper isn’t destructive malware in the sense that it’s not recording your passwords, credit card data, or anything else you’re doing on your device and sending it off to some unknown attacker. Instead, it simply spams you with pop-up advertisements on your device and annoying notifications that all try to get you to install more apps from Google Play—presumably how the xHelper’s authors are making cash from the malware.

The dark side, as reported by ZDNet, is that xHelper can allegedly download and install apps on your behalf. It doesn’t appear to be doing so at the moment, but if this were to happen—coupled with the app’s mysterious ability to persist past uninstallations and factory resets—it would be a huge backdoor for anyone affected by the malware.

Wait, I can’t uninstall it?

Yep. This is the insidious part of xHelper. Neither Symantec nor Malwarebytes have any good recommendations for getting this malware off your device once it’s installed, as the mechanisms it uses to persist past a full factory reset of your device are unknown. As Symantec describes:

“None of the samples we analyzed were available on the Google Play Store, and while it is possible that the Xhelper malware is downloaded by users from unknown sources, we believe that may not be the only channel of distribution.

From our telemetry, we have seen these apps installed more frequently on certain phone brands, which leads us to believe that the attackers may be focusing on specific brands. However, we believe it to be unlikely that Xhelper comes preinstalled on devices given that these apps don’t have any indication of being system apps. In addition, numerous users have been complaining on forums about the persistent presence of this malware on their devices, despite performing factory resets and manually uninstalling it. Since it is unlikely that the apps are systems apps, this suggests that another malicious system app is persistently downloading the malware, which is something we are currently investigating (keep an eye on the Threat Intelligence blog for more on this).”

So…

If you think you’re infected with xHelper, you can try downloading some standard antivirus apps to your Android device. It’s possible they might help, but I’d err on the side of free antivirus apps for now, lest you find yourself paying a chunk of cash for an app (or subscription) that doesn’t actually help you out at all. The xHelper malware is just that quirky.

I have the full belief that someone—Google itself, or one of the big antivirus players—will find a way to thwart and remove this malware, but it’s going to take a bit of time to get to that solution. In the meantime…

How to avoid getting hit with xHelper in the first place

Right now, the best thing you can do to prevent getting hit with this kind of malware is to be mindful of your web browsing habits. Make sure you aren’t getting redirected to scammy websites that encourage you to sideload unknown apps—or apps that appear safe—onto your device. When in doubt, only install apps from the Google Play Store. Don’t sideload apps, as in, don’t download and install them manually on your device unless you really know what you’re doing, trust the app’s developer completely, and trust that the app you’re downloading is actually something safe from the developer it claims it is from. (While this won’t protect you one-hundred percent of the time, sticking to the Google Play Store is a lot safer than downloading random .APKs from websites you know nothing about.)

Tech

via Lifehacker https://lifehacker.com

October 30, 2019 at 04:07PM

Samsung discontinuing ‘Linux on DeX’ w/ Android 10 update – 9to5Google

https://ift.tt/2P1ssTw

Late last year, Samsung and Canonical partnered on an app that allowed select Galaxy phones to run a full Linux desktop on top of Android. Less than a year later, Samsung has announced that they’re discontinuing the Linux on DeX program, coinciding with the update to Android 10.

One of the sci-fi-style dreams that many of us have had since the onset of smartphones is the idea of plugging your phone into a desktop-size monitor to get a desktop-style experience. Through the years, many have attempted it in earnest, and the latest offering from Samsung brought an interesting approach.

For years, Samsung has offered DeX hardware for their flagship Galaxy S and Note phones and tablets, which introduced a larger custom UI for those devices, but the overall experience was still Android. Where Linux on DeX differentiated itself is that the app downloaded and ran a full Ubuntu Linux environment, with some DeX-specific optimizations.

Our Damien Wilde did an early hands-on with Linux on DeX, showing a surprising level of smoothness, with the occasional difficulty stemming from the need for apps built for ARM64 (as found in most Androids) instead of x86 (as found in most PCs and Chromebooks).

Despite the clear potential of Linux on DeX, especially for developers, Samsung has sent out emails today, including to Damien, announcing that the program has been discontinued. This, of course, means there will be no further updates to the app or the version of Ubuntu being used. More critically, Samsung is removing the functionality altogether with their Android 10 update, including the Beta version that already rolled out to Galaxy S10 phones this week.

Thank you for supporting Linux on DeX Beta. The development of Linux on DeX was all thanks to customer interest and valuable feedback. Unfortunately, we are announcing the end of our beta program, and will no longer provide support on future OS and device releases.

NOTE: Linux on DeX will not be supported on Android 10 Beta. Once you update your device to Android OS 10, you will not be able to perform a version rollback to Android Pie. If you decide to update your device to Android 10 Beta, we recommend backing up data before updating.

Needless to say, the announcement is a disappointment to anyone who had hoped that high-powered flagship phones could take more advantage of Android being based on Linux or possibly even replace the need for a dedicated laptop for some people. Similar apps to Linux on DeX are available, namely Linux Deploy (root required) and UserLAnd, but these apps aren’t nearly as simple to configure for non-enthusiasts.

Did you ever use Linux on DeX on your Galaxy phone? Let us know in the comments.

via 9to5Google

October 19, 2019 at 04:58PM

Microsoft’s Your Phone app can now route calls from your Android phone to your PC

https://ift.tt/2Vzz3Wx

Microsoft announced that its latest preview build 18999 for Insiders (20H1) adds call support to the Your Phone app on Windows 10. Following its update in the summer that rolled out the app’s ability to mirror your phone’s text messages and notifications, this will let you leave your phone in your pocket while you’re on the PC. If you’re not an Insider, you’ll have to wait to try. But all you’ll need is an Android phone (with 7 Nougat or later installed) with the Your Phone app downloaded from the Google Play Store.

According to Microsoft’s blog where it details all of its Insider preview builds, the calls feature will let you do the following:

  • Answer incoming phone calls on your PC.
  • Initiate phone calls from your PC using the in-app dialer or contact list.
  • Decline incoming phone calls on your PC with custom text or send directly to your phone’s voicemail.
  • Access your recent call history on your PC. Clicking on a specific call will auto populate the number within the dialer screen.
  • Seamlessly transfer calls between your PC and phone.

In order to use the feature, there are a few technical requirements to note. I already mentioned that the feature requires Android 7 Nougat (or higher), but you’ll also need a Windows 10 PC that has Bluetooth support, the 10H1 build, and the Windows 10 build 18362.356.

Microsoft has slowly but surely been building out its cross-functionality with Android phones, and it’s getting even better with time. Of course, now that the news of its Surface Duo phone that runs on Android is public, it puts a totally different spin on developments like this. Microsoft is sprinting to add features that will give its Android phone a bunch of cool features out of the box. Better yet, it’s offering them all to other compatible phones, too.

Microsoft says this feature will roll out first to Insiders on the 19H2 (or newer) build. As for when everyone else can try it, we’ll keep you updated once we know.

via The Verge

October 8, 2019 at 09:13PM

Axi0mX showcases verbose boot on iPhone X with iOS 13.1.1 via checkm8

https://ift.tt/2mQJyHJ

The tides of the jailbreak community forever changed for the better on Friday when hacker and security researcher @axi0mX released checkm8, the first publicly-released bootrom exploit for iOS-powered devices since the iPhone 4 in 2010. Captivatingly, checkm8 works on a significant number of handsets ranging from the antiquated iPhone 4s to the not-so-old iPhone X.

Checkm8 is, in and of itself, an exploit. That said, it’s not a jailbreak, but rather a powerful tool that jailbreak developers could use to devise a USB-based tethered or semi-tethered jailbreak tool for A5-A11 devices. Given how recently checkm8 was released, it should come as no surprise to anyone that public jailbreak tools don’t yet utilize the exploit, but that hasn’t stopped some talented hackers from flexing their l33t dexterities.

From what we can gather, famed hacker and Yalu jailbreak creator Luca Todesco has spent some time playing around with the new checkm8 bootrom exploit – at least long enough for @axi0mX to tease a nostalgic verbose boot screen (black background with scrolling white text) on an A11-equipped iPhone X.

Citing @axi0mX’s Tweet, checkm8 managed to jailbreak the showcased iPhone X in a matter of just two seconds, after which it displayed the verbose boot screen. Perhaps more importantly, the handset in question is purportedly running iOS 13.1.1, which is the latest iteration of Apple’s mobile operating system for iPhone, iPad, and iPod touch to date.

It’s worth noting that because checkm8 is a bootrom-based hardware exploit, Apple can’t patch it with a software update. Instead, Apple would have to recall all of its devices and install updated hardware with a patch to fix this, which is utterly unfeasible. For this reason, checkm8 just about guarantees the jailbreakability of A5-A11 devices for their entire lifetime, assuming a jailbreak developer is willing to consistently release and maintain jailbreak tools pertaining to it.

It remains to be seen when public jailbreak tools will adopt support for checkm8, but prominent hackers such as CoolStar and Pwn20wnd have already expressed oodles of interest in checking it out for their respective jailbreak tools. With that in mind, we expect that support could come in the not-so-distant future.

Are you excited about what the checkm8 exploit might bring to the jailbreak community? Discuss in the comments section below!

Mobile

via iDownloadBlog.com https://ift.tt/2O0tqzK

September 29, 2019 at 10:14AM