Security

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com) 52

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.
Firefox

Firefox 55: Flash Will Become 'Ask To Activate' For Everyone (bleepingcomputer.com) 112

An anonymous reader quotes a report from BleepingComputer: Starting with the release of Firefox 55, the Adobe Flash plugin for Firefox will be set to "Ask to Activate" by default for all users. This move was announced in August 2016, as part of Mozilla's plan to move away from plugins built around the NPAPI technology. Flash is currently the only NPAPI plugin still supported in Firefox, and moving its default setting from "Always Activate" to "Ask to Activate" is just another step towards the final step of stopping support for Flash altogether. This new Flash default setting is already live in Firefox's Nightly Edition and will move through the Alpha and Beta versions as Firefox nears its v55 Stable release. By moving Flash to a click-to-play setting, Firefox will indirectly start to favor HTML5 content over Flash for all multimedia content. Other browsers like Google Chrome, Brave, or Opera already run Flash on a click-to-play setting, or disabled by default. Firefox is scheduled to be released on August 8, 2017.
Businesses

'WannaCry Makes an Easy Case For Linux' (techrepublic.com) 407

An anonymous reader writes: The thing is, WannaCry isn't the first of its kind. In fact, ransomware has been exploiting Windows vulnerabilities for a while. The first known ransomware attack was called "AIDS Trojan" that infected Windows machines back in 1989. This particular ransomware attack switched the autoexec.bat file. This new file counted the amount of times a machine had been booted; when the machine reached a count of 90, all of the filenames on the C drive were encrypted. Windows, of course, isn't the only platform to have been hit by ransomware. In fact, back in 2015, the LinuxEncoder ransomware was discovered. That bit of malicious code, however, only affected servers running the Magento ecommerce solution. The important question here is this: Have there been any ransomware attacks on the Linux desktop? The answer is no. With that in mind, it's pretty easy to draw the conclusion that now would be a great time to start deploying Linux on the desktop. I can already hear the tired arguments. The primary issue: software. I will counter that argument by saying this: Most software has migrated to either Software as a Service (SaaS) or the cloud. The majority of work people do is via a web browser. Chrome, Firefox, Edge, Safari; with few exceptions, SaaS doesn't care. With that in mind, why would you want your employees and staff using a vulnerable system? [...] Imagine, if you will, you have deployed Linux as a desktop OS for your company and those machines work like champs from the day you set them up to the day the hardware finally fails. Doesn't that sound like a win your company could use? If your employees work primarily with SaaS (through web browsers), then there is zero reason keeping you from making the switch to a more reliable, secure platform.
Chrome

Should You Leave Google Chrome For the Opera Browser? (vice.com) 303

mspohr shares a report written by Jason Koebler via Motherboard who makes the case for why you should break up with Chrome and switch to the Opera browser: Over the last few years, I have grown endlessly frustrated with Chrome's resource management, especially on MacOS. Admittedly, I open too many tabs, but I'd wager that a lot of you do, too. With Chrome, my computer crawls to complete unusability multiple times a day. After one too many times of having to go into Activity Monitor to find that one single Chrome tab is using several gigs of RAM, I decided enough was enough. I switched to Opera, a browser I had previously thought was only for contrarians. This, after previous dalliances with Safari and Firefox left me frustrated. Because Opera is also based on Blink, I almost never run into a website, plugin, script, or video that doesn't work flawlessly on it. In fact, Opera works almost exactly like Chrome, except without the resource hogging that makes me want to throw my computer against a brick wall. This is exactly the point, according to Opera spokesperson Jan Standal: "What we're doing is an optimized version of Chrome," he said. "Web developers optimize most for the browser with the biggest market share, which happens to be Chrome. We benefit from the work of that optimization."

Slashdot reader mspohr adds: "I should note that this has also been my experience. I have a 2010 MacBook, which I was ready to trash since it had become essentially useless, coming to a grinding halt daily. I tried Opera and it's like I have a new computer. I never get the spinning wheel of death. (Also, the built-in ad blocker and VPN are nice.)" What has been your experience with Google Chrome and/or Opera? Do you prefer one over the other?

United States

Google Owns the Classroom (axios.com) 114

An anonymous reader writes: The NYT's Natasha Singer has a fascinating, provocative look at "How Google Conquered The American Classroom." "[M]ore than half the nation's primary- and secondary-school students -- more than 30 million children -- use Google education apps like Gmail and Docs... Chromebooks, Google-powered laptops that initially struggled to find a purpose... account for more than half the mobile devices shipped to schools."
Microsoft

Microsoft Finally Bans SHA-1 Certificates In Its Browsers (zdnet.com) 38

An anonymous reader quotes ZDNet: With this week's monthly Patch Tuesday, Microsoft has also rolled out a new policy for Edge and Internet Explorer that prevents sites that use a SHA-1-signed HTTPS certificate from loading. The move brings Microsoft's browsers in line with Chrome, which dropped support for the SHA-1 cryptographic hash function in January's stable release of Chrome 56, and Firefox's February cut-off... Apple dropped support for SHA-1 in March with macOS Sierra 10.12.4 and iOS 10.3... Once Tuesday's updates are installed, Microsoft's browsers will no longer load sites with SHA-1 signed certificates and will display an error warning highlighting a security problem with the site's certificate.
Operating Systems

Opinion: Even if You Hate the Idea, Windows Users Should Want Windows 10 S To Succeed (arstechnica.com) 259

Last week, Microsoft unveiled Windows 10 S, a new variant of its desktop operating system aimed largely at the education space. While time will tell how this new edition of Windows fares, if early reactions from enthusiasts are anything to go by, Windows 10 S is in for a tough ride ahead. For one, Windows 10 S only permits installation of applications from the Windows Store. If that wasn't a deal-breaker, several popular applications including Google's Chrome are missing from the Store. Amid all of this, reporter and columnist Peter Bright has an op-ed up on ArsTechnica in which he argues that despite the walled-garden offering, people should want Windows 10 S to succeed as it could make Windows better for everyone else. From his article: This [forbidding execution of any program that wasn't downloaded from the Windows Store] positions Microsoft as a gatekeeper -- although its criteria for entry within the store is for the most part not stringent, it does reserve the right to remove software that it deems undesirable -- and means that the vast majority of extant Windows software can't be used. This means that PC mainstays, from Adobe Photoshop to Valve's Steam, can't be used on Windows 10 S. [...] Some of the arguments against this are bizarre. Notably, the complaint that Microsoft has now erected a paywall -- "you have to pay $50 to run Steam!" -- is very peculiar when one considers that, in general, Windows licenses have never been free. [...] The Windows Store makes bad parts of Windows better: I'd argue, however, that Windows users should want Windows 10 S to succeed. Windows 10 S isn't for everybody, and Windows 10 S may not be for you, but if Windows 10 S succeeds, it will make Windows 10 better for everyone. The Store in Windows RT required developers to write their apps from scratch. With negligible numbers of users, developers were uninterested in doing this work. The Store in Windows 10 has Centennial. 
In principle, Centennial should make it easy to package existing Win32 apps and sell them through the Store, and if developers of Windows apps adopt Centennial en masse then the Store restriction shouldn't be particularly restrictive. Widespread adoption will be good for Windows users of all stripes.
Chrome

Chrome For Android Now Lets You Save Web Pages For Reading Later (techcrunch.com) 46

Today, Google has introduced a series of improvements to Chrome for Android to make it easier to save content for offline access. The improvements will be made to the "Downloads" feature rolled out in December that allows you to save webpages, music and videos for offline access. TechCrunch reports: To download a web page previously, you would open Chrome's menu in the top-right of the browser, then tap the "save" icon that's located next to the star for bookmarking the site. You could then see all the content you had saved for offline access by tapping on "Downloads" from this same menu. Now, Google is adding more ways to save content, including a way to long press on a link the way you do when you want to open up a page in a new tab. The option to "Download Link" will appear on the pop-up screen you see after your press, below the options to open the page in a new tab or incognito tab. Google says this long press action will also work on its article suggestions on its New Tab page. This New Tab page will also include the articles you've already downloaded, which will be flagged with an offline badge.
Google

Google's Upcoming 'Fuchsia' Smartphone OS Dumps Linux, Has a Wild New UI (arstechnica.com) 219

More details have emerged about Fuchsia, the new mobile OS Google has been working on. ArsTechnica reports that Fuchsia is not based on Linux (unlike Android and Chrome OS). Instead, the OS uses a new, Google-developed microkernel called "Magenta." From the article: With Fuchsia, Google would not only be dumping the Linux kernel, but also the GPL: the OS is licensed under a mix of BSD 3 clause, MIT, and Apache 2.0. Dumping Linux might come as a bit of a shock, but the Android ecosystem seems to have no desire to keep up with upstream Linux releases. Even the Google Pixel is still stuck on Linux Kernel 3.18, which was first released at the end of 2014. [...] The interface and apps are written using Google's Flutter SDK, a project that actually produces cross-platform code that runs on Android and iOS. Flutter apps are written in Dart, Google's reboot of JavaScript which, on mobile, has a focus on high-performance, 120fps apps. It also has a Vulkan-based graphics renderer called "Escher" that lists "Volumetric soft shadows" as one of its features, which seems custom-built to run Google's shadow-heavy "Material Design" interface guidelines. The publication put the Flutter SDK to test on an Android device to get a sneak peek into the user interface of Fuchsia. "The home screen is a giant vertically scrolling list. In the center you'll see a (placeholder) profile picture, the date, a city name, and a battery icon," the author wrote. "Above the are 'Story' cards -- basically Recent Apps -- and below it is a scrolling list of suggestions, sort of like a Google Now placeholder. Leave the main screen and you'll see a Fuchsia 'home' button pop up on the bottom of the screen, which is just a single white circle."
Chrome

Google To Auto-Migrate Some Users To 64-bit Chrome 96

Google says it will automatically upgrade the version of Chrome that some Windows users are running, in what it describes as a bet to improve stability, performance, and security. From a report on ZDNet: In a blog post on Tuesday, the search engine giant explained that Chrome users running 64-bit Windows with 4GB or more of memory will be automatically migrated to the 64-bit version of Chrome if they are running the 32-bit version.
Chrome

Chrome Will Start Marking HTTP Sites In Incognito Mode As Non-Secure In October (venturebeat.com) 67

Reader Krystalo writes: Google today announced the second step in its plan to mark all HTTP sites as non-secure in Chrome. Starting in October 2017, Chrome will mark HTTP sites with entered data and HTTP sites in Incognito mode as non-secure. With the release of Chrome 56 in January 2017, Google's browser started marking HTTP pages that collect passwords or credit cards as "Not Secure" in the address bar. Since then, Google has seen a 23 percent reduction in the fraction of navigations to HTTP pages with password or credit card forms on Chrome for desktop. Chrome 62 (we're currently on Chrome 58) will take this to the next level.
Education

EFF Says Google Chromebooks Are Still Spying On Students (softpedia.com) 84

schwit1 quotes a report from Softpedia: In the past two years since a formal complaint was made against Google, not much has changed in the way they handle this. Google still hasn't shed its "bad guy" clothes when it comes to the data it collects on underage students. In fact, the Electronic Frontier Foundation says the company continues to massively collect and store information on children without their consent or their parents'. Not even school administrators fully understand the extent of this operation, the EFF says. According to the latest status report from the EFF, Google is still up to no good, trying to eliminate students' privacy without their parents' notice or consent and "without a real choice to opt out." This, they say, is done via the Chromebooks Google is selling to schools across the United States.
Cloud

Leaked Document Sheds Light On Microsoft's Chromebook Rival (windowscentral.com) 91

Microsoft has announced plans to host an event next month where it is expected to unveil the Windows 10 Cloud operating system. Microsoft will be positioning the new OS as a competitor to Chrome OS, according to several reports. Windows Central has obtained an internal document which sheds light on the kind of devices that will be running Windows 10 Cloud. The hardware requirement that Microsoft has set for third-party OEMs is as follows:
1. Quad-core (Celeron or better) processor.
2. 4GB of RAM.
3. 32GB of storage (64GB for 64-bit).
4. A battery larger than 40 WHr.
5. Fast eMMC or solid state drive (SSD) for storage technology.
6. Pen and touch (optional).
The report adds that Microsoft wants these laptops to offer over 10 hours of battery life, and the "cold boot" should not take longer than 20 seconds.
Security

Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com) 37

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researchers also recommend that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.
Google

Google Earth Gets a New Home On the Web (arstechnica.com) 46

To celebrate Earth Day, Google says it is rolling out a major update to Google Earth that was two years in the making. From a report: V9 is designed to run in a Web browser (just Chrome for now), but there's now a standalone home for Google Earth. The Android app has been updated, too (iOS is coming soon). Version 9 puts a big focus on guided tours via the "Voyager" section, which serves as a jumping off point for YouTube videos, 360-degree content, Street View, and Google Earth landmarks. The tours are led by scientists and documentarians, with some content produced by well-known groups like the BBC's Planet Earth team. For kids, there's a Sesame Street muppet section.
Android

Google Agrees To Open Android To Other Search Engines In Russia (bgr.com) 64

Google has reached a $7.8 million antitrust settlement with Russian watchdog group FAS. According to BGR, the company will loosen restrictions on Android's built-in search engines to allow for Russian competitors to take a share of the pie. From the report: Android's heavy reliance on Google services is to be expected, but in 2015 the Russian antitrust group -- officially the Federal Antimonopoly Service -- ruled that Google was breaking the law by forcing users to lean on Google for search. The ruling was the result of a complaint filed by Yandex, a Russian competitor to Google that runs the largest search engine in the country as well as web mail, news, maps, and other services. Google's settlement of the issue comes with the condition that Android will no longer lock down the search engine to Google, and must allow users the ability to change it if they want from within the Chrome web browser. Google will also loosen its exclusivity of the default apps on Android devices sold in Russia, potentially allowing for Yandex and other regional competitors to muscle in and replace the built-in apps with their own versions, depending on user preference.
Google

Chrome 59 To Address Punycode Phishing Attack 69

Google says it will be rolling out a patch to Chrome in v59 to address a decade-old Unicode vulnerability called Punycode that allowed attackers to fool people into clicking on compromised links. Engadget adds: Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won't take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e [dot] com. The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It's currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.
Youtube

YouTube Has a Secret 'Dark Mode' (thenextweb.com) 118

It appears Google has quietly introduced a new "dark mode" for its video portal YouTube, several people are reporting. Here's how to activate it, via The Next Web:
1. Open the Chrome developer tools tab.
2. Windows users can do this by pressing Ctrl + Shift + I.
3. Mac users can do this by pressing Option + Cmd + I.
4. Select the Console tab.
5. Once in Console, paste the following text: document.cookie="VISITOR_INFO1_LIVE=fPQ4jCL6EiE"
6. Hit enter.
7. Close the developer tools tab and refresh the page. Just a little heads-up: YouTube might look slightly different -- though still in white.
8. Click the main settings menu in the top right and find the 'Dark Mode' section.
9. Toggle 'Dark Mode' on and you're settled.

Chrome

Microsoft Edge Beats Chrome By Over Three Hours In New Battery Usage Test (bleepingcomputer.com) 236

An anonymous reader writes: With the launch of the Windows 10 Creators Update and Edge 40 (EdgeHTML 15), Microsoft has released a new battery usage test that, naturally, trashes the company's competition. This new test shows that Edge uses less power than both Chrome 57 and Firefox 52, and is bound to draw a response from its competition, especially Google, who doesn't like it when Microsoft takes a jab at Chrome's efficiency. The same thing happened last year, in June, when a similar test showcasing Edge's longer battery life was met with responses from both Google and Opera.

The most recent tests were performed for the launch of Windows 10 Creators Update. Two tests were carried out until a laptop's battery gave out. For each browser, a minimum of 16 iterations were recorded per test. The first test measured normal browsing performance and the second ran a looped Vimeo fullscreen video. In the normal browsing performance test, Microsoft claims Edge used 31% less power than Chrome 57, and 44% less power than Firefox 52. In the second test, Edge played a looped Vimeo video in fullscreen for 751 minutes (12:31:08), while Chrome lasted 557 minutes (9:17:03) and Firefox for only 424 minutes (7:04:19). That's a whopping three hours over Chrome, and five hours above Firefox.

Chrome

Chrome Now Uses Scroll Anchoring To Prevent Those Annoying Page Jumps (techcrunch.com) 113

Google has updated its Chrome browser to fix the annoying page jumps that occur when pages are loading. While developers want pages to load the actual content of a page before additional ads and images appear, "the problem is that if you've already scrolled down, your page resets when some off-screen ad loads and you're suddenly looking at a completely different part of the page," reports TechCrunch. From the report: The latest versions of Chrome (56+) do their best to prevent these jumps with the help of a feature called scroll anchoring. Google tested scroll anchoring in the Chrome beta versions for the last year and now it's on by default. Google says the feature currently prevents almost three jumps per page view -- and, over time, that number will likely increase.
