Wednesday, July 26, 2017

Microsoft Announces Windows Bug Bounty Program and Extension of Hyper-V Bounty Program

The Microsoft Security Response Center Team (MSRC) announced today that they will be launching a new targeted Windows Bug Bounty program (aptly named the “Windows Bounty Program”), in the hopes of catching vulnerabilities before they can reach the black market. The addition of a Windows Bug Bounty program comes as part of a comprehensive effort by Microsoft to improve their responsiveness and defences against security vulnerabilities.

This new Windows Bug Bounty program will go a long way towards helping identify and patch vulnerabilities in Microsoft’s products, with a focus on remote code execution, privilege escalation, and inherent design flaws.

While users will be limited in their ability to submit patches for the issues found in the Windows bug bounty program as Windows is closed source (which can bring inherent security issues), just having the bug reports themselves will benefit Microsoft substantially with improving the security of their products, as Microsoft will be able to utilize the reports to investigate and patch the issues themselves once they are notified of the issues’ existence.

Microsoft is also remodeling their Hyper-V Bounty Program to substantially increase their maximum payouts, in order to better compete with the prices found for those vulnerabilities on the black market, and to more appropriately compensate developers for finding issues. The new programs will have a maximum payout of $250,000 for a Hyper-V exploit with Remote Code Execution, and a maximum of $200,000 for Windows 10 exploits that are “Novel & fundamental advancement[s] in exploitation technology that universally bypasses current mitigations”.

In addition to the payouts for the first person to discover the bugs, Microsoft is also offering to pay out 10% of the corresponding reward to the first person to report any bugs that are discovered internally but have not been published yet. While not quite the same as the full payout, receiving a partial payout for reporting a vulnerability after Microsoft has already discovered it will help encourage people to report vulnerabilities, as it will alleviate some of the disappointment that usually comes with being told that the bug that you have reported was already discovered.

With this move to expand the scope of their bug bounties, Microsoft joins a long list of companies that have remodelled their bug bounty system in the past year, including Google, Apple, Qualcomm, the United States Air Force, and many others.

It is no coincidence that the list of companies expanding their bug bounty programs is long and growing. Providing rewards for people who report bugs goes a long way towards encouraging people to report them to the company so that they can be fixed, instead of attempting to sell them on the black market. It gives a legitimate route for white hat hackers to make money from analysing your software, helping attract them to your ecosystem and maintain their interest. While it can be difficult to fully compete with the prices that certain exceptional vulnerabilities can go for on the black market, many hackers would much rather deal with legal methods of vulnerability reporting, and every vulnerability you can find and fix helps prevent said vulnerabilities from being used for unsavoury practices that can harm your users.

While bug bounty programs have been around for a long time and have consistently proven their worth, there has been a renewed focus on them as of late due to certain extensive security vulnerabilities that have been recently revealed, including the leaked United States Central Intelligence Agency’s Vault 7, which contained security exploits for Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, iOS, Android, macOS, Linux, and Microsoft Windows, among other targets. Microsoft in particular was heavily affected by security vulnerabilities last year, when it was revealed that the 2012 hacking of LinkedIn (which Microsoft bought last year) was substantially more widespread than had been initially estimated.

If you wish to report a security bug for Microsoft’s bug bounty program, you can email them at secure@microsoft.com following their Coordinated Vulnerability Disclosure (CVD) policy. If you have any questions about the program itself, the latest information about Microsoft’s bug bounty programs can be found at http://ift.tt/1IHZKKH. The Windows Bounty Program is expected to continue indefinitely, although it will likely be tweaked as time goes on to fit the changing security landscape.


Press Release



from xda-developers http://ift.tt/2tF2Mye
via IFTTT

Nexus 5X Bootloop Fix Helps you to Finally Boot the Phone

Has your LG/Google Nexus 5X stopped booting, or rather, ends up stuck in an endless boot sequence? This is something we term a “bootloop” and it can occur for various reasons. Most bootloops can be fixed by flashing the stock firmware or factory resetting, but in the case of a hardware bootloop, there’s generally nothing you can do except to RMA the phone. If your Google Nexus 5X has been refusing to boot, and nothing you’ve tried has fixed it, you aren’t alone. The Nexus 5X bootloop issue is notorious in the community, but only recently has a fix been found.

Nexus 5X Bootloop Fix – Context

Over the last couple of years, LG’s smartphones have garnered a bit of a reputation for their bootloop issue. An issue that seemingly started with the LG G4 only became more and more prevalent with each new device the company released. We recently talked about a way to fix the bootloop issue with the Nexus 6P from Huawei, and now there’s a solution available for the Nexus 5X that has been derived from the guide we previously wrote about.

The general consensus around these fixes seems to be that the Snapdragon 808/810 chipsets were rushed out by Qualcomm and have degraded to the point where they’re partially broken. The heat generation issues of the Snapdragon 810 are not something new, but it looks like the 808 is having a similar issue when it comes to what is causing the bootloops. LG had originally stated the issue with the LG G4 bootloops was indeed hardware related, but never went into more detail about the situation.

Some had thought it was due to the solder they used and that it would eventually crack from heating up and cooling down too many times over the lifespan of the device. Whether or not that is true, we still don’t know for sure what is behind the issue, but this fix for the Nexus 5X bootloop does seem to work around the issue. So today we have a guide for you that will walk you through exactly how to fix the Nexus 5X bootloop issue. While the title in the linked forum thread at the bottom of this post does say it’s untested, multiple people within the community have reported success with this method.

As always though, your mileage may vary with this workaround.


Tutorial

Requirements:

  • Unlockable bootloader from before the bootloop began since you can’t boot into Android and enable the settings required to unlock the bootloader afterwards. If you are able to briefly boot into the phone, then going to Developer Options and ticking “Enable OEM Unlocking” will do the trick.

Tutorial

  1. Download the latest ADB and Fastboot binaries and extract them to a folder on your computer that is easily accessible.
  2. Download and install Google’s USB Drivers (for those who are running Windows).
  3. Download the N2G47Z_4Cores.img file and save it in the same directory that you have the ADB and Fastboot binaries located.
    • Optional: If you want to use TWRP recovery on your fixed Nexus 5X, this requires you use a modified version of TWRP. So download TWRP3_1_1_5X.img and save it in the same folder you have your ADB and Fastboot binaries located.
    • Optional 2: If you want to speed up your fixed Nexus 5X, you can flash a modified version of XDA Recognized Developer flar2’s Elemental X Kernel. Download the EX4_10_5X.zip file to your Nexus 5X so it’s stored in the default downloads directory.
  4. Connect the Nexus 5X to the computer with a USB cable.
  5. Go ahead and launch a command prompt or terminal in the same directory where you saved the ADB and Fastboot binaries. Windows users, you can do this by holding shift and right-clicking, then selecting “open command prompt here.” Windows 10 users will see a PowerShell option that replaces the command prompt one.
  6. Boot the Nexus 5X into Fastboot Mode (also known as bootloader mode to some people).
  7. Execute the following command in the command prompt: fastboot devices
  8. If you see your device’s serial number, you are ready to move on. If not, then for some reason the USB drivers are not fully installed.
  9. If your bootloader is not yet unlocked but you have enabled OEM unlocking in Developer Options once before, you can unlock the bootloader now by entering: fastboot flashing unlock. Then, follow the on-screen instructions to unlock the bootloader. Be warned that this will wipe all of the data on your phone.
  10. Now enter the following command in a command prompt to replace your current boot image: fastboot flash boot N2G47Z_4Cores.img
    • Optional: If you want to flash the modified TWRP, then enter this command afterwards: fastboot flash recovery TWRP3_1_1_5X.img

  11. Reboot your phone by typing: fastboot reboot
  12. After some minutes (it may take a while), you should see your phone’s boot animation and eventually the lockscreen. Congrats, you’ve saved your phone!
  13. Optional: If you want to improve the performance and you followed the steps to install the modified version of TWRP, copy the modified Elemental X kernel over to your phone’s storage, boot into TWRP, and flash the custom kernel. You can even choose to overclock the little cluster during setup to squeeze a bit more performance out of your phone as well.
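
Steps 7 to 11 above as a POSIX shell script, added here as an example and not part of the original guide: it stops unless exactly one device is in fastboot mode and the boot image matches a SHA-256 digest you supply. The function names, the `FASTBOOT` variable and the script name `flash_5x.sh` are hypothetical, and the guide publishes no digest, so the expected value is one you have to obtain yourself from a source you trust.

```shell
#!/bin/sh
# Added example, not part of the XDA guide: guard rails around steps 7-11.
FASTBOOT="${FASTBOOT:-fastboot}"   # path to the fastboot binary from step 1

# Steps 7-8: count devices that `fastboot devices` lists as "<serial> fastboot".
device_count() {
    "$FASTBOOT" devices 2>/dev/null | awk '$2 == "fastboot" {n++} END {print n+0}'
}

# SHA-256 of a file as lowercase hex (assumes coreutils sha256sum is installed).
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Succeeds only if the file exists and its digest equals the expected one.
verify_image() {
    [ -f "$1" ] || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Steps 10-11: flash the boot image and reboot, but only when exactly one
# device is attached and the image matches the digest you expect.
flash_boot() {
    img=$1
    want=$2
    if [ "$(device_count)" -ne 1 ]; then
        echo "expected exactly one device in fastboot mode" >&2
        return 1
    fi
    if ! verify_image "$img" "$want"; then
        echo "refusing to flash: $img missing or digest mismatch" >&2
        return 1
    fi
    "$FASTBOOT" flash boot "$img" && "$FASTBOOT" reboot
}

# Usage (hypothetical script name): sh flash_5x.sh N2G47Z_4Cores.img <sha256>
# The guide does not publish a digest; the second argument is a placeholder
# for a value you obtained yourself.
if [ "$#" -eq 2 ]; then
    flash_boot "$1" "$2"
fi
```

Because the script refuses to run with more than one device attached, unplug any other phone in fastboot mode before using it.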

Explanation

Just like we showed you in the Nexus 6P guide on how to fix its bootloop issue, the cause has something to do with the big cluster CPU cores of the SoC. Based on XDA Member XCnathan32’s log during their testing of this process, the issue is caused by the VLL being unable to obtain a lock on the A57 cores. So far, we aren’t 100% sure exactly what is causing this issue, but our workaround is actually disabling these broken A57 cores so we bypass the issue altogether.

A more elegant solution could come in the future, but for now we appreciate the developer community coming up with a solution that allows people’s smartphones to boot up again. If someone has been dealing with this issue for a while, at least they can have a functional device for a music player, dash cam, etc. Those who have yet to experience this issue will at least have a solution available to them right when they experience that bootloop for the first time.

As mentioned, we’ve seen multiple people within the community (over in our official XDA thread for this solution) report that this Nexus 5X bootloop solution does indeed work. However, we’ve also had at least one person say that it didn’t work for them. There could be multiple causes for the Nexus 5X bootloop issue so this guide may not be a fix for everyone. If your Nexus 5X is currently in a bootloop, it certainly doesn’t hurt to try it since you can always flash the stock images that Google provides if you want to restore all of these modified files.


Check out the original thread in our Nexus 5X forum



from xda-developers http://ift.tt/2uCD1jv
via IFTTT

Calibrate your LG G4 Display with KPPD Control Panel

You may be familiar with XDA Recognized Developer savoca’s KCAL Post-Processing Daemon (aka KPPD), as it lets you customize the color calibration of the LG G4 display (and other compatible devices) on the fly. This method didn’t require root but it forced you to edit a kernel property file to change its values. To make things a bit easier, XDA Senior Member AlaskaLinuxUser created a UI for this tool, but it does require root access in order to adjust the values. The developer says they only tested this on the LG G4, but it should work on any KPPD/KCal compatible (mdp5) device.


Check out KPPD Control in our LG G4 forum



from xda-developers http://ift.tt/2v0bL0x
via IFTTT

Sony Xperia XZ Custom ROM/Kernel Combo Brings Energy Aware Scheduler (Experimental)

The Energy Aware Scheduler (also known as EAS) is an advanced CPU scheduler that tries to coordinate CPUFreq and CPUIdle power-management subsystems to improve the battery life and performance of a device. XDA Senior Member _LLJY has put together an experimental custom ROM and kernel combo that adds this scheduler to the Sony Xperia XZ. The developer says you should keep the default governor alone, that the current kernel is “dirty and improper,” and that you may experience crashes and bootloops (which can be resolved by reflashing the ZIP file).

Check out the Energy Aware Scheduler port in our Xperia XZ forum



from xda-developers http://ift.tt/2eOblUS
via IFTTT

Add Floating Buttons For Easier In-Call Multitasking with Blimp

XDA Member CurlyY’s application, Blimp, has received a major new update that brings a new UI and more buttons to the app. Blimp lets you perform in-call multitasking by adding floating buttons for common actions so you can still retain control over your call while you are navigating away from the dialer app. You no longer need to pull down your notification panel to perform common functions like ending calls, muting them, switching to loudspeaker or bringing up the dialer again.

Blimp works with Android devices on Lollipop 5.0 and above. The app also utilizes proximity sensor functionality to prevent misclicks during a call.


Check out Blimp in our Android Apps and Games forums!



from xda-developers http://ift.tt/2tKwHcD
via IFTTT

Emoji Packs Bring iOS 10, Android O, and other Emojis to the Galaxy S7

The emojis that come along with Google Keyboard should serve the needs of most users, but over at our forums, members keep looking for ways to differentiate their device and add on to their smartphone experience. If you would like to try out different emoji packs, you can easily do so on your Samsung Galaxy S7 using the flashable zips provided by XDA Senior Member Winb33.

The thread mentions that these zips work with Google Keyboard on Android Nougat and may also work with the stock Samsung keyboard, but they do not work on Android Marshmallow. You can choose the appropriate zip from options like Android O, Android Nougat, iOS 10.3, Windows 10, HTC 10 and even Facebook and Twitter.

While support in the thread may be restricted to the Galaxy S7, the provided zips contain SamsungColorEmoji.ttf as well as NotoColorEmoji.ttf, so they could work on other devices as well. Your results may vary, so it is always advised to make a backup before proceeding.


Check out these Flashable Emoji Mods in our Samsung Galaxy S7 Forums!



from xda-developers http://ift.tt/2uyiOgt
via IFTTT

Meizu Announces the Pro 7 and Pro 7 Plus With Secondary AMOLED Display and Dual Rear Cameras

The Western world sees little of the technological ‘experiments’ that Asian markets witness. OEMs from China, South Korea, Taiwan and Japan attempt to carve out niches for themselves by trying out unconventional combinations of existing technology. The results can be considered gimmicks most of the time, but often, we get smartphones that possess real potential. Enter the Pro 7 and Pro 7 Plus.

The Meizu Pro 7 and the Meizu Pro 7 Plus belong to the latter set. Meizu smartphones usually do not stand out from the sea of Chinese smartphones released every year, but with the Pro 7 and Pro 7 Plus, the West is bound to take notice. The Pro 7 and Pro 7 Plus are identical smartphones on the outside, differentiated only by their sizes. The insides bear larger differences, and we’ll come to that in a bit.

The front of the Pro 7 and Pro 7 Plus is dominated by their displays. The Pro 7 gets a 5.2″ FHD Super AMOLED display, while the Pro 7 Plus gets the larger 5.7″ QHD Super AMOLED display. The back of the devices is where it gets interesting, as both of these smartphones feature a 2″ Super AMOLED secondary display there. Because it is an AMOLED panel and not e-ink, the display can be used to display a wide variety of information in full color and control, such as for media controls, notifications and for using it as a viewfinder for the rear camera. Not all functionality would be useful or sensible, but having a proper display panel of considerable size opens up the possibilities of what you can do with it.

As for internal hardware, Meizu mentions it packs the deca-core MediaTek Helio X30, but does not specify if this is restricted to the Plus variant so we assume it to be present on both the devices. The ‘regular’ Pro 7 comes with 4GB LPDDR4X RAM and 64GB eMMC 5.1 storage, while the Pro 7 Plus comes with 6GB LPDDRX RAM and options of 64GB/128GB UFS 2.1 storage. The battery on the smaller Pro 7 is 3000 mAh and comes with Meizu’s mCharge 3.0 charging standard, while the Pro 7 Plus comes with a bigger 3500 mAh and the newer version of mCharge, 4.0 (5V|5A). Both phones come with a USB Type-C port and 3.5mm headphone jack, and Meizu has also included a separate audio processing chip on both. The phones come pre-installed with Android 7.0 but with Meizu’s FlymeOS 6 UX on top.

For the cameras, the dual rear camera setup comprises 12MP Sony IMX386 sensors with f/2.0 aperture, one for RGB and one for monochrome image capture. The front camera is a healthy 16MP sensor for selfies, but since the secondary display can also act as a viewfinder, you can comfortably use the rear cameras for that purpose as well.

Meizu’s official Twitter does not feature any information on pricing and availability, but PhoneArena mentions that the devices will be available from 5th August 2017. The Pro 7 will begin at ~$430, while the Pro 7 Plus will begin at ~$530. The price difference seems better justified if the Pro 7 comes with the Helio P25 instead of the flagship Helio X30 SoC, but Meizu has not yet mentioned and confirmed the same. The phones are likely to be restricted to China and other Asian countries when they become available.


The Meizu Pro 7 and Pro 7 Plus are definitely phones that stand out from the crowd. But despite their USP making them the talk of the town, the Western world cannot have them yet. Meizu’s devices do not have a strong presence outside of China, so it will be a while before the company decides to bring these to the US.

What are your thoughts on the Meizu Pro 7 and Pro 7 Plus? Let us know in the comments below!

Source 1: Twitter – Meizu Source 2: PhoneArena



from xda-developers http://ift.tt/2tDSfmU
via IFTTT