GPU driver exploits, EU strengthens spyware protections, NSA’s AI Security Center
Arm and Qualcomm warn about exploited GPU drivers
Earlier this week, the chip designer Arm issued an advisory about active exploitation of drivers in its Mali GPU lineup, widely used across the Android ecosystem. Google’s Project Zero team initially discovered the attacks. Under specific conditions, these attacks could give a malicious actor access to freed memory on a device, which could serve to load malicious code. Arm released a driver patch, but so far it appears to have rolled out only to Google Pixel devices. Google also contacted Qualcomm about three similar zero-day vulnerabilities in its GPU and DSP drivers. These allowed for similar exploitation, but carried different CVE designations.
EU Parliament strengthens spyware protections for journalists
A draft of the European Media Freedoms Act first came out last September. In its initial form, the bill prohibited surveillance of journalists and their families, including use of spyware, outside of national security grounds. An amended version of the bill adopted by members of Parliament now does away with that provision, saying that spyware can “under no circumstance be considered necessary and proportionate under Union law.” The European Council, Commission and Parliament will now negotiate on final text for the law. It’s unclear if the unequivocal spyware ban will make it into the final version.
NSA creates AI Security Center
This new entity in the National Security Agency will oversee development of AI capabilities across US national security systems. It will consolidate existing AI-related initiatives, looking to develop best practices, risk frameworks, and methodologies to implement this emerging technology. This will include collaborating with private US industries, foreign partners, national labs and other security agencies.
AI watermarks prove easy to break
Many AI image generation systems imprint a watermark on outputs. Some leave visible marks, while other “low perturbation” ones are invisible. University of Maryland computer science professor Soheil Feizi tested how bad actors could “wash out” these marks, successfully breaking all versions tested. Feizi’s team not only successfully removed AI watermarks across a variety of approaches, but also showed the ease of adding them to human-generated images, thereby calling their veracity into question. In a paper detailing the finding, Feizi concluded that “designing a robust watermark is a challenging but not necessarily impossible task.”
(Wired)
Huge thanks to our sponsor, Conveyor
Apple implements China’s app oversight rules
Over the weekend, Apple began requiring new apps on its App Store to provide proof of a government license in China. Rival app stores required proof of license to list apps domestically since at least 2017, but this marks a first for Apple. To receive an “internet content provider filing” license, publishers must either work with a local publisher or reside in China. New apps to the App Store require a license now. China will begin cracking down on already published apps without a license in March 2024.
(Reuters)
EU considering new technology export controls
The European Commission named artificial intelligence, advanced semiconductors, quantum computing and biotechnology as potential risks to the bloc’s economic security. It will now focus on risk assessments on these four technologies by the end of 2023. This could potentially recommend new export controls around some or all of these technologies. The European Commission did not name any countries that could be targeted by these controls, but it’s understood this would primarily impact China if enacted.
ShellTorch flaws hit AI servers
TorchServe is an open source tool used to scale the models in the machine learning framework PyTorch in production. It’s primarily maintained by Meta and Amazon and used by large tech companies. Oligo Security discovered three vulnerabilities in TorchServe it dubs ShellTorch, which form an attack chain to compromise a system. The researchers claim tens of thousands of IP addresses show vulnerable TorchServe installations online, many owned by large organizations. Upgrading to TorchServe 0.8.2 resolves some of the attack chain. Amazon published a security bulletin with further mitigation guidance.
Brits worry about employer monitoring
A new survey from the UK’s Information Commissioner’s Office found that 19% of respondents believe employers monitored their behavior without explicit consent. Of these respondents, 40% believed employers monitored access to resources. 25% believed calls, emails, and messages were monitored, while 10% claimed employers used screenshots and webcams for monitoring. 70% of respondents said they find workplace monitoring intrusive. Existing UK law allows for workplace monitoring, but this monitoring must prove “necessary, proportionate and respect the rights and freedoms of workers.”