
Tag Archives: digest

Drop-dead simple exploit completely bypasses Mac’s malware Gatekeeper (Dan Goodin/Ars Technica)

Since its introduction in 2012, an OS X feature known as Gatekeeper has gone a long way to protecting the Macs of security novices and experts alike. Not only does it help neutralize social engineering attacks that trick less experienced users into installing trojans, code-signing requirements ensure even seasoned users that an installer app hasn't been maliciously modified as it was downloaded over an unencrypted connection. Now, a security researcher has found a drop-dead simple technique that completely bypasses Gatekeeper, even when the protection is set to its strictest setting. The hack uses a binary file already trusted by Apple to pass through Gatekeeper. Once the Apple-trusted file is on the other side, it executes one or more malicious files that are included in the same folder. The bundled files can install a variety of nefarious programs, including password loggers, apps that capture audio and video, and botnet software. Patrick Wardle, director of research of security firm Synack, said the bypass stems from a key shortcoming in the design of Gatekeeper rather than a defect in the way it operates. Gatekeeper's sole function is to check the digital certificate of a downloaded app before it's installed to see if it's signed by an Apple-recognized developer or originated from the official Apple App Store. It was never set up to prevent apps already trusted by OS X from running in unintended or malicious ways, as the proof-of-concept exploit he developed does. "If the application is valid—so it was signed by a developer ID or was (downloaded) from the Mac App Store—Gatekeeper basically says 'OK, I'm going to let this run,' and then Gatekeeper essentially exits," Wardle told Ars. "It doesn't monitor what that application is doing. If that application turns around and either loads or executes other content from the same directory...


iOS 9’s space-saving "app slicing" disabled for now, will return in future update (Andrew Cunningham/Ars Technica)

Back in June, we wrote a bit about App Thinning, a collection of iOS 9 features that are supposed to make iOS 9 apps take up less space on iDevices. Apple has just announced to developers that one of those features, "app slicing," is not available in current iOS 9 versions due to an iCloud bug. It will be re-enabled in a future iOS update after the bug has been resolved. App slicing ensures that your iDevice only downloads the app assets it needs to work. In older versions of iOS, all devices downloaded "universal" versions of apps that included all of the assets those apps needed to work on each and every targeted iDevice. If you downloaded an app to your iPhone 5, for example, it could include larger image assets made for the larger-screened iPhones 6 and 6 Plus, 64-bit code that its 32-bit processor couldn't use, and Metal graphics code that its GPU didn't support. That's all wasted space, a problem app slicing was designed to resolve. Apple says the iCloud bug affects users who are restoring backups to new devices—if you moved from that iPhone 5 to a new iPhone 6S, for example, iCloud would restore iPhone 5-compatible versions of some apps without the assets required by the newer, larger device. For now, Apple says that devices running iOS 9 will continue to download the universal versions of apps along with all their assets, whether they're needed by your specific device or not. TestFlight, the beta app distribution service that Apple purchased in 2014, will continue to distribute software tailored for specific devices, but regular users will need to wait for that iOS update before they begin to see the feature's benefits.


Minecraft Windows 10 edition will launch on Oculus Rift in 2016 (Sam Machkovech/Ars Technica)

The second day of this year's Oculus Connect conference for virtual reality developers kicked off with an announcement-rich keynote presentation. While the event was short on new game announcements, one big one got the crowd's attention: Minecraft. A brief video confirmed that the hit game's Windows 10 edition will launch on the Oculus Rift "next year," and it will allow players to navigate their blocky worlds in VR with the Xbox One controller. Oculus CEO Brendan Iribe confirmed that the Oculus Touch handheld controller system will launch in the "second quarter next year," which is a firmer confirmation than a previous "first half of 2016" estimate. After showing off that system's impressive "toybox" demo, Iribe confirmed that the Touch controllers will require a second motion sensor "for improved sensing," so be ready to make room in your home's potential VR room should you want to try the tech out. The Touch sizzle reel confirmed that a few previously SteamVR exclusive games would now also launch for Oculus Touch, including Job Simulator and The Gallery: Six Elements. It also had Oculus' own answer to SteamVR's Tilt Brush, a "digital clay molding" art app called Medium. "Every great platform has to have a paint app, and this is our paint app," Iribe told the Oculus Connect crowd. Additionally, Epic Games' Tim Sweeney took the stage to show off Bullet Train, an upcoming VR action game for Oculus Touch that includes a warping mechanic much like SteamVR's The Gallery: Six Elements, meaning characters may potentially be able to move around the world without experiencing VR nausea. Since virtual reality gaming on PCs demands incredibly powerful performance—particularly to support a 90 frames-per-second visual refresh, in order to reduce nausea and discomfort—Oculus announced a new "Oculus Ready" initiative through which computer manufacturers can slap a sticker on a PC that meets Oculus Rift's performance minimums.
Announced partners for the program include Asus, Dell, and Alienware (itself a wholly owned Dell subsidiary). Oculus wanted the crowd to know that there's no shortage of interested Oculus developers, so they took the opportunity to announce that "over 200,000" developers had registered to create games for the new VR platform


Google sends out invites for press event on September 29 at 9 AM PT, new Nexus devices and Chromecast expected; event will be livestreamed on YouTube…

We know it's late Friday but this little message just popped into our inbox. Google is holding an event September 29 where the company is promising "tasty new treats and much s'more." September 29 has been the rumored launch date for Google's Nexus line for a few weeks now, and it looks like the rumor mill was right on target. Google is expected to launch updates to the Nexus 5 and Nexus 6. The new 2015 Nexus 5 will be built by LG, while Huawei is handling the 2015 Nexus 6. Both are geared up for Marshmallow with fingerprint readers and USB Type C, and have other goodies like laser autofocus for the camera and front-facing stereo speakers. The event should also see the launch of Android 6.0 Marshmallow, and we might even see the rumored Chromecast 2 that leaked today. The event will be livestreamed at youtube.com/google.

© 2015 Condé Nast. All rights reserved Use of this Site constitutes acceptance of our User Agreement (effective 1/2/14) and Privacy Policy (effective 1/2/14), and Ars Technica Addendum (effective 5/17/2012) Your California Privacy Rights The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Condé Nast. Ad Choices


Google’s Project Zero team finds address space layout randomization offers less protection against Stagefright than Google PR claims (Dan Goodin/Ars…

Members of Google's Project Zero vulnerability research team have challenged a key talking point surrounding the security of Google's Android mobile operating system. To wit, a key exploit mitigation known as address space layout randomization does much less than the company's overworked public relations people say in blocking attacks targeting critical weaknesses in Android's stagefright media library. As Ars reported beginning in July, a series of vulnerabilities in the libstagefright library made it possible for attackers to remotely execute malicious code on close to one billion Android phones. In the following seven weeks, Google has released updates that either lessen the severity of attacks or directly fix the underlying cause, although many users have yet to receive the fixes, and some probably never will. Throughout the resulting media storm, Google PR people have repeatedly held up the assurance that the raft of stagefright vulnerabilities is difficult to exploit in practice on phones running recent Android versions. The reason, they said: address space layout randomization, which came to maturity in Android 4.1, neutralizes such attacks. Generally speaking, ASLR does nothing to fix a buffer overflow or similar software bug that causes the vulnerability in the first place. Instead, the defense vastly decreases the chances that a remote-code-execution attack exploiting such bugs will succeed. ASLR does this by loading downloaded scripts in a different memory location each time the operating system is rebooted. If the attacker can't locate the malicious code, the exploit results in a simple crash, rather than a game-over hack. On Wednesday, Project Zero researchers tested a home-grown stagefright exploit on a Nexus 5 device running an Android 5.x version. The results showed that at best, ASLR will lower the chances their exploit will succeed.
Meanwhile, Joshua Drake, the security researcher who first disclosed the critical vulnerabilities in the code library, said Android ASLR does even less to prevent a new custom exploit he has developed from working. The ASLR shortcomings stem from two root causes. First the randomization offers just eight bits of entropy, meaning there are only 2^8, or 256, possible locations where attackers can find their malicious payload


US appeals court rules copyright owners must consider fair use before issuing takedown notices, siding with EFF (Joe Mullin/Ars Technica)

The US Court of Appeals for the 9th Circuit today issued a ruling that could change the contours of fair use and copyright takedown notices. In an opinion (PDF) published this morning, the three-judge panel found that Universal Music Group's view of fair use is flawed. The record label must face a trial over whether it wrongfully sent a copyright takedown notice over a 2007 YouTube video of a toddler dancing to a Prince song. That toddler's mother, Stephanie Lenz, acquired pro bono counsel from the Electronic Frontier Foundation. The EFF in turn sued Universal in 2007, saying that its takedown practices violated the Digital Millennium Copyright Act. The judges ruled today that copyright holders "must consider the existence of fair use before sending a takedown notification." Universal's view that fair use is essentially an excuse to be brought up after the fact is wrong, they held. UMG's view of fair use solely as an "affirmative defense" is a misnomer. "Fair use is uniquely situated in copyright law so as to be treated differently than traditional affirmative defenses," wrote US Circuit Judge Richard Tallman for the majority. The long-running copyright case began when Lenz uploaded a video of her son Holden dancing to Prince's "Let's Go Crazy." At that time, Universal had an employee scouring YouTube each day in order to issue takedowns on videos that used Prince music. EFF, looking for a test case over bad DMCA takedowns, found a sympathetic client in Lenz, a mom seeking to simply share a video of her son with his grandmother. Today's ruling isn't an all-out win for EFF, which wanted Universal to be held liable immediately under 512(f), the section of the DMCA that allows for damages over bad-faith takedown notices. Universal will have to face a trial over whether it "knowingly misrepresented" its "good faith belief the video was not authorized by law."
But the judges have made clear that copyright owners "must consider fair use before sending a takedown notification," before forming that "good faith belief." To be successful at trial, Universal doesn't have to prove that the video wasn't fair use. It just has to show that it considered fair use before sending the notice. Otherwise, it could be liable for "nominal" damages to Lenz—which wouldn't be much, since her video went back up after a short period, and has been up since then.


Once seen as bulletproof, 11 million+ Ashley Madison passwords already cracked (Dan Goodin/Ars Technica)

When the Ashley Madison hackers leaked close to 100 gigabytes worth of sensitive documents belonging to the online dating service for people cheating on their romantic partners, there seemed to be one saving grace. User passwords were cryptographically protected using bcrypt, an algorithm so slow and computationally demanding it would literally take centuries to crack all 36 million of them. Now, a crew of hobbyist crackers has uncovered programming errors that make more than 15 million of the Ashley Madison account passcodes orders of magnitude faster to crack. The blunders are so monumental that the researchers have already deciphered more than 11 million of the passwords in the past 10 days. In the next week, they hope to tackle most of the remaining 4 million improperly secured account passcodes, although they cautioned they may fall short of that goal. The breakthrough underscores how a single misstep can undermine an otherwise flawless execution. Data that was designed to require decades or at least years to crack was instead recovered in a matter of a week or two. The cracking team, which goes by the name "CynoSure Prime," identified the weakness after reviewing thousands of lines of code leaked along with the hashed passwords, executive e-mails, and other Ashley Madison data. The source code led to an astounding discovery: included in the same database of formidable bcrypt hashes was a subset of 15.26 million passwords obscured using MD5, a hashing algorithm that was designed for speed and efficiency rather than slowing down crackers. The bcrypt configuration used by Ashley Madison was set to a "cost" of 12, meaning it put each password through 2^12, or 4,096, rounds of an extremely taxing hash function.
If the setting was a nearly impenetrable vault preventing the wholesale leak of passwords, the programming errors—which both involve an MD5-generated variable the programmers called $loginkey—were the equivalent of stashing the key in a padlock-secured box in plain sight of that vault


Comcast tests letting Florida customers pay an extra $30 per month to avoid 300GB data cap (Jon Brodkin/Ars Technica)

Comcast has unveiled a new $30 charge that will let customers in Florida escape the company's 300GB monthly usage limit. The nation's largest cable company has been trialling data caps in nine states, with slightly different policies in each one. Generally, customers who exceed a monthly limit pay an extra $10 for each additional 50GB, though customers are allowed to exceed the caps for three months before getting penalized. But customers in Fort Lauderdale, the Keys, and Miami, Florida, can now purchase unlimited data for an extra $30 per month. Paying this additional $30 eliminates the 300GB monthly cap, but customers have to pay the extra amount each month even if they use less than 300GB. "The Unlimited Data Option costs the current additional fee of $30 per calendar month, regardless of actual data usage," Comcast said in an FAQ updated today. (Thanks to DSLReports for noticing the change.) Customers who use more than 450GB per month may come out ahead by purchasing the unlimited data option. "For example, if you enroll in the Unlimited Data Option and use 530GB in a given month, you will only be charged $30 for choosing to enroll in the Unlimited Data Option," Comcast says. "If you do not enroll in the Unlimited Data Option, you would be on the 300GB plan and therefore would be charged $50 for the additional 250GB (five blocks of additional 50GB) provided on top of the 300GB plan. Note that customers enrolled in the Unlimited Data Option who use less than 300GB in a given month will still be charged $30 for that month." The unlimited data option hasn't been made available to the other eight states where Comcast is imposing usage limits. Those are Alabama, Arizona, Georgia, Kentucky, Maine, Mississippi, Tennessee, and South Carolina. Within the trial areas, customers who buy the pricey 505Mbps or 2Gbps plans don't face data limits.
Customers who live outside the data cap trial states don't face any limits or overage charges regardless of what plan they buy, but Comcast may impose limits throughout its territory within a few years. If you're wondering how Comcast settled on a 300GB data cap, a company VP recently said that it's a business decision rather than one driven by technical necessity.


Man arrested for parodying mayor on Twitter gets $125K in civil lawsuit (David Kravets/Ars Technica)

An Illinois man arrested when his residence was raided for parodying his town's mayor on Twitter is settling a civil rights lawsuit with the city of Peoria for $125,000. The accord spells out that the local authorities are not to prosecute people for parodies or satire. Plaintiff Jon Daniel, the operator of the @peoriamayor handle, was initially accused last year of impersonating a public official in violation of Illinois law. However, the 30-year-old was never charged. His arrest was kicked off after the local mayor, Jim Ardis, was concerned that the tweets in that account falsely portrayed him as a drug abuser who associates with prostitutes. One tweet Ardis was concerned about said, "Who stole my crackpipe?" As part of the agreement (PDF), which includes legal fees, his attorneys from the American Civil Liberties Union said Peoria will publish a "directive" to the police department making it clear that Illinois law criminalizing impersonation of a public official does not include parody and satire. "The directive makes clear that parody should never be the predicate for a criminal investigation and that the action against Mr. Daniel should never be repeated again," Karen Sheley, an ACLU attorney, said in a statement. Daniel said he never "dreamed" that he would be arrested for his fake Twitter account. "I am satisfied with the outcome in this case," Daniel said in a statement. "I always thought that the twitter account was a joke for me and for my friends." As we previously reported, the city had defended the arrest: In its first response to the lawsuit, the city of Peoria's and Mayor Jim Ardis' attorney told Ars that the mayor and city officials believed Daniel was breaching an Illinois law making it illegal to impersonate a public official. The mayor's attorney said city officials got a judge to issue warrants from Twitter and Comcast to track down Daniel. In short, they were just following the law


Improved Simplocker Android malware disguises as an NSA app, has infected tens of thousands of devices using XMPP (Sean Gallagher/Ars Technica)

A new variant of mobile ransomware that encrypts the content of Android smartphones is putting a new spin on both how it communicates with its masters and how it spurs its victims into action. The updated version of Simplocker masquerades on app stores and download pages as a legitimate application, and uses an open instant messaging protocol to connect to command and control servers. The malware requests administrative permissions to sink its hooks deep into Android. Once it's installed, it announces itself to some victims by telling them it was planted by the NSA—and to get their files back, they'll have to pay a "fine." Ofer Caspi of Check Point's malware research team wrote in a report posted this week that the team has "evidence that users have already paid hundreds of thousands of dollars to get their files "unencrypted" by this new variant. He estimates that the number of infected devices so far numbers in the tens of thousands, but may be much higher. Because the software can't easily be removed once it is installed, and because the files it encrypts can't be recovered without it, victims have no choice but to either pay $500 to get their files decrypted or wipe the device and start from scratch. While posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools. XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.
Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked. An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server.


Snapdragon 820’s custom CPU is twice as fast, efficient as disappointing 810 (Andrew Cunningham/Ars Technica)

Qualcomm's new Snapdragon 820 flagship won't actually ship in any phones before early 2016, but the company continues to dole out bits of information ahead of the launch. Today it's talking in very broad terms about the CPU, which is based on a brand-new custom 64-bit architecture called Kryo. Kryo is Qualcomm's official successor to Krait, the CPU architecture used in a wide range of Snapdragon chips from the S4 all the way up to the 805. The toasty Snapdragon 810 used a mix of off-the-shelf ARM Cortex A57 and A53 CPU cores to bring 64-bit ARMv8 compatibility to high-end phones while Qualcomm finished its own architecture. Kryo, which will initially run at clock speeds up to 2.2GHz, promises to be twice as fast as the 810 while also being twice as power efficient. Some of this is no doubt due to architectural improvements, but it will help that the 820 will be built on a 14nm FinFET manufacturing process—Qualcomm doesn't name its manufacturing partner, but Samsung is the most likely candidate. The Kryo CPU cores in the 820 will be accompanied by a new Adreno 530 GPU, the first in the Adreno 500-series of products. The GPU will support the latest OpenGL ES, OpenCL, and Vulkan APIs, and Qualcomm says that it will be 40 percent faster and 40 percent more power efficient than the Adreno 430 in the 810. Phones and tablets are such tightly integrated devices that we'll need to see shipping hardware before we can really say how well the Snapdragon 820 performs, but Qualcomm's early numbers all paint an optimistic picture.


Former Secret Service agent Shaun Bridges pleads guilty to theft of $820K in bitcoin during Silk Road investigation (Joe Mullin/Ars Technica)

SAN FRANCISCO—Shaun Bridges, a former Secret Service agent who was investigating the Silk Road drug trafficking website, pled guilty today to charges of money laundering and obstruction of justice. Bridges' scheme was straightforward and very profitable. After Silk Road admin Curtis Green was arrested in January 2013, he debriefed agents in Baltimore. Bridges took his admin credentials, logged in, and started locking Silk Road drug dealers out of their accounts. He then looted the accounts, grabbing about 20,000 Bitcoins, and put them into his own account. US District Judge Richard Seeborg read out each of the government accusations against Bridges in court today, and the man responded "yes sir," acknowledging he had committed each of the acts. Bridges moved the Bitcoins into his Mt. Gox account. They were worth more than $300,000 at the time of the theft. Bridges moved the money into a Fidelity account called Quantum International Investments LLC between March and May of that year. By then, the bitcoins were worth about $820,000. Bridges also pled guilty to obstructing the Baltimore investigation of Silk Road and later to the internal investigation of his own behavior. At one point, he talked to a colleague who was being interviewed and agreed "to tell a consistent story" about his unauthorized use of a FINCEN database. The plea agreement includes sentencing recommendations, but it isn't known what those are at this time. "You understand these are simply recommendations, and it will be for me to decide what the appropriate sentence is?" Seeborg asked. "I do," said Bridges


LTE over Wi-Fi spectrum sets up industry-wide fight over interference (Jon Brodkin/Ars Technica)

A plan to use Wi-Fi airwaves for cellular service has sparked concerns about interference with existing Wi-Fi networks, causing a fight involving wireless carriers, cable companies, a Wi-Fi industry trade group, Microsoft, and network equipment makers. Verizon Wireless and T-Mobile US plan to boost coverage in their cellular networks by using unlicensed airwaves that also power Wi-Fi equipment. While cellular carriers generally rely upon airwaves to which they have exclusive licenses, a new system called LTE-Unlicensed (LTE-U) would have the carriers sharing spectrum with Wi-Fi devices on the unlicensed 5GHz band. Verizon has said it intends to deploy LTE-U in 5GHz in 2016. Before the interference controversy threatened to delay deployments, T-Mobile was expected to use the technology on its smartphones by the end of 2015. Wireless equipment makers like Qualcomm see an opportunity to sell more devices and are integrating LTE-U into their latest technology. Using 5GHz will let cellular networks boost data speeds over short distances without requiring users to log in to a separate Wi-Fi network. But companies from all over the technology industry are arguing over how much this new technology will interfere with Wi-Fi networks and how quickly the Federal Communications Commission should move in allowing it. The latest development came yesterday when Verizon, T-Mobile, Alcatel-Lucent, Ericsson, and Qualcomm sent a letter to the FCC opposing a Wi-Fi Alliance proposal that would slow the process of getting LTE-U out of testbeds and into real-world networks.

Wi-Fi Alliance seeks delay

The Wi-Fi Alliance is an industry trade group that certifies equipment to make sure it doesn't interfere with other Wi-Fi-certified equipment operating in the same frequencies.
The group this month asked the FCC to avoid authorizing any LTE-U equipment until the Wi-Fi Alliance is able to conduct its own tests on vendor devices using new interference testing guidelines that the Alliance is still developing. The Wi-Fi Alliance has a long list of members covering pretty much the entire technology industry, including the five companies opposing its request


Former FireEye intern pleads guilty to developing Dendroid spyware for Android; sentencing scheduled for Dec. 2 (Dan Goodin/Ars Technica)

A former intern at security firm FireEye has admitted in federal court that he designed a malicious software tool that allowed attackers to take control of other Android phones so they could spy on their owners. Morgan Culbertson, 20, pleaded guilty to federal charges involving Dendroid, a software tool that provided everything needed to develop highly stealthy apps that among other things took pictures using the phone's camera, recorded audio and video, downloaded photos, and recorded calls. According to this 2014 blog post from Android security firm Lookout, at least one app built with Dendroid found its way into the official Google Play market, in part thanks to code that helped it evade detection by Bouncer, Google’s anti-malware screening system. Culbertson, who last month was one of 70 people arrested in an international law enforcement sting targeting the Darkode online crime forum, said in a LinkedIn profile that he spent four months at FireEye. While there, he said, he "improved Android malware detection by discovering new malicious malware families and using a multitude of different tools." He was also a student at Carnegie Mellon University. According to The Pittsburgh Post-Gazette, Culbertson on Tuesday pleaded guilty to developing and selling the malicious tool kit. Culbertson advertised the malware on Darkode for $300, and he also offered to sell the source code, presumably for a much higher price, that would allow buyers to create their own version of Dendroid. He faces a maximum 10 years in prison and $250,000 in fines at sentencing, which is scheduled for December 2. Culbertson said he had spent more than a year designing Dendroid, a timeline that means he worked on the remote access toolkit during or shortly after his four-month tenure at FireEye. FireEye told Forbes that Culbertson has been suspended from any future work at the company.


Leaked Microsoft intranet screenshot reveals Office 2016 for Windows will be released Sept. 22 (Peter Bright/Ars Technica)

A leaked image from a Microsoft intranet site has disclosed that Office 2016 for Windows will be released on September 22. Office 2016 for Mac is already available to Office 365 subscribers. When that was launched in July, Microsoft said that regular retail copies would be released in September. While we're not certain, it seems likely that September 22 will be the release date for that, too. Office 2016 is an incremental update. It makes styling between Windows, OS X, and the mobile apps a little more consistent—by default each app gets a boldly colored title bar that reflects the icon color, just like the mobile apps—and includes improved collaborative editing, rights management, and data analysis capabilities. The leaked image also says that the new Office 365 variant, E5, and Skype for Business are due in "Q2." With E5 already promised by year-end, this likely refers to the second quarter of Microsoft's financial year (October to December 2015) rather than the second quarter of the calendar year (April to June 2016). Office E5 replaces the old E4 plan. E4 is the most pricey tier of Office 365 for enterprises at $22 per user per month when bought on an annual basis, and it includes the full desktop Office suite, Exchange, SharePoint, Skype for Business, Business Intelligence, and Rights Management support. It also supports PBX integration for Skype for Business, but this requires an on-premises server. The new E5 will offer a new cloud-based PBX capability, which is currently available to US customers on a preview basis. With this, businesses will be able to use Office 365 for virtually all of their (non-hardware!) IT and infrastructure needs, and they will have one less reason to operate on-premises infrastructure servers. E5 will also include upgraded data analytics and security capabilities. Pricing for E5 is as yet unannounced
