Microsoft

Microsoft Modifies Open-Source Code, Blows Hole In Windows Defender (theregister.co.uk) 71

An anonymous reader quotes a report from The Register: A remote-code execution vulnerability in Windows Defender -- a flaw that can be exploited by malicious .rar files to run malware on PCs -- has been traced back to an open-source archiving tool Microsoft adopted for its own use. The bug, CVE-2018-0986, was patched on Tuesday in the latest version of the Microsoft Malware Protection Engine (1.1.14700.5) in Windows Defender, Security Essentials, Exchange Server, Forefront Endpoint Protection, and Intune Endpoint Protection. This update should be installed, or may have been automatically installed already on your device. The vulnerability can be leveraged by an attacker to achieve remote code execution on a victim's machine simply by getting the mark to download -- via a webpage or email or similar -- a specially crafted .rar file while the anti-malware engine's scanning feature is on. In many cases, this analysis set to happen automatically.

When the malware engine scans the malicious archive, it triggers a memory corruption bug that leads to the execution of evil code smuggled within the file with powerful LocalSystem rights, granting total control over the computer. The screwup was discovered and reported to Microsoft by legendary security researcher Halvar Flake, now working for Google. Flake was able to trace the vulnerability back to an older version of unrar, an open-source archiving utility used to unpack .rar archives. Apparently, Microsoft forked that version of unrar and incorporated the component into its operating system's antivirus engine. That forked code was then modified so that all signed integer variables were converted to unsigned variables, causing knock-on problems with mathematical comparisons. This in turn left the software vulnerable to memory corruption errors, which can crash the antivirus package or allow malicious code to potentially execute.

Open Source

Vim Beats Emacs in 'Linux Journal' Reader Survey (linuxjournal.com) 195

The newly-relaunched Linux Journal is conducting its annual "Reader's Choice Awards," and this month announced the winners for Best Text Editor, Best Laptop, and Best Domain Registrar. Vim was chosen as the best editor by 35% of respondents, handily beating GNU Emacs (19%) Sublime Text (10%) and Atom (8%). Readers' Choice winner Vim is an extremely powerful editor with a user interface based on Bill Joy's 40-plus-year-old vi, but with many improved-upon features including extensive customization with key mappings and plugins. Linux Journal reader David Harrison points out another great thing about Vim "is that it's basically everywhere. It's available on every major platform."
For best laptop their readers picked Lenovo (32%), followed by Dell (25%) and System76 (11%). The ThinkPad began life at IBM, but in 2005, it was purchased by Lenovo along with the rest of IBM's PC business. Lenovo evolved the line, and today the company is well known as a geek favorite. Lenovo's ThinkPads are quiet, fast and arguably have one of the best keyboards (fighting words!). Linux Journal readers say Lenovo's Linux support is excellent, leaving many to ponder why the company doesn't ship laptops with Linux installed.
In February readers also voted on the best web browser, choosing Firefox (57%) over Chrome (17%) and Chromium (7%). And they also voted on the best Linux distribution, ultimately selecting Debian (33%), open SUSE (12%), and Fedora (11%).
Linux

Chrome OS Could Be Getting Containers for Running Linux VMs (zdnet.com) 57

Chromebook users may soon have a simpler way to run their favorite Linux distribution and applications on Google's Chrome OS hardware. From a report: As spotted by Chrome Unboxed, there's a newly merged commit in Chromium Gerrit describing a "new device policy to allow Linux VMs on Chrome OS." A related entry suggests support could come with Chrome OS version 66, which is due out in stable release around April 24, meaning Google might announce it at its annual IO developer conference, which starts on May 8. Developers can already use a tool called Crouton to install and run Linux on Chrome OS, but there is a security trade-off because Chrome OS needs to be switched to developer mode to use it. There's also a Crouton extension called Xiwi to enable using an OS in a browser window on Chrome OS. However, it too requires developer mode to be enabled. A recent commit suggests Chrome developers are working on a project called Crostini that may solve the developer mode problem by allowing Linux VMs to run inside a container.
Electronic Frontier Foundation

EFF Applauds 'Massive Change' to HTTPS (eff.org) 214

"The movement to encrypt the web reached milestone after milestone in 2017," writes the EFF, adding that "the web is in the middle of a massive change from non-secure HTTP to the more secure, encrypted HTTPS protocol." In February, the scales tipped. For the first time, approximately half of Internet traffic was protected by HTTPS. Now, as 2017 comes to a close, an average of 66% of page loads on Firefox are encrypted, and Chrome shows even higher numbers. At the beginning of the year, Let's Encrypt had issued about 28 million certificates. In June, it surpassed 100 million certificates. Now, Let's Encrypt's total issuance volume has exceeded 177 million certificates...

Browsers have been pushing the movement to encrypt the web further, too. Early this year, Chrome and Firefox started showing users "Not secure" warnings when HTTP websites asked them to submit password or credit card information. In October, Chrome expanded the warning to cover all input fields, as well as all pages viewed in Incognito mode. Chrome has eventual plans to show a "Not secure" warning for all HTTP pages... The next big step in encrypting the web is ensuring that most websites default to HTTPS without ever sending people to the HTTP version of their site. The technology to do this is called HTTP Strict Transport Security (HSTS), and is being more widely adopted. Notably, the registrar for the .gov TLD announced that all new .gov domains would be set up with HSTS automatically...

The Certification Authority Authorization (CAA) standard became mandatory for all CAs to implement this year... [And] there's plenty to look forward to in 2018. In a significant improvement to the TLS ecosystem, for example, Chrome plans to require Certificate Transparency starting next April.

Microsoft

Windows 10 Bundled a Password Manager with a Security Flaw (bleepingcomputer.com) 48

An anonymous reader writes: A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year... "This is a complete compromise of Keeper security, allowing any website to steal any password," Tavis Ormandy, the Google security researcher said, pointing out that the password manager was still vulnerable to a same vulnerability he reported in August 2016, which had apparently been reintroduced in the code.

Based on user reports, Microsoft appears to have been bundling Keeper as part of Windows 10 Pro distributions since this past summer.

The article reports that Keeper issued a fix -- browser extension version 11.4 -- within less than 24 hours.
Chrome

Wondering Why Your Internal .dev Web App Has Stopped Working? (theregister.co.uk) 311

Kieren McCarthy, writing for The Register: Network admins, code wranglers and other techies have hit an unusual problem this week: their test and development environments have vanished. Rather than connecting to private stuff on an internal .dev domain to pick up where they left off, a number of engineers and sysadmins are facing an error message in their web browser complaining it is "unable to provide a secure connection." How come? It's thanks to a recent commit to Chromium that has been included in the latest version of Google Chrome. As developers update their browsers, they may find themselves booted out their own systems. Under the commit, Chrome forces connections to all domains ending in .dev (as well as .foo) to use HTTPS via a HTTP Strict Transport Security (HSTS) header. This is part of Google's larger and welcome push for HTTPS to be used everywhere for greater security.
The Internet

All Major Browsers Now Support WebAssembly (bleepingcomputer.com) 243

An anonymous reader writes: "It took only two years for all browser vendors to get on the same page regarding the new WebAssembly standard, and as of October 2017, all major browsers support it," reports Bleeping Computer. Project spearheads Firefox and Chrome were the first major browsers to graduate WebAssembly from preview versions to their respective stable branches over the summer. The second wave followed in the following weeks when Chromium-based browsers like Opera and Vivaldi also rolled out the feature as soon as it was added to the Chromium stable version. The last ones to ship WebAssembly in the stable branches were Apple in Safari 11.0 and Microsoft in Microsoft Edge (EdgeHTML 16), which is the version that shipped with the Windows 10 Fall Creators Update. Both were released last month. WebAssembly, or wasm, is a bytecode format for the web, allowing developers to send JavaScript code to browsers in smaller sizes, but also to compile from C/C++/Rust to wasm directly.
Chrome

Google To Remove Public Key Pinning (PKP) Support In Chrome (bleepingcomputer.com) 51

An anonymous reader writes: Late yesterday afternoon, Google announced plans to deprecate and eventually remove PKP support from the Chromium open-source browser, which indirectly means from Chrome... According to Google engineer Chris Palmer, low adoption and technical difficulties are among the reasons why Google plans to remove the feature from Chrome.

"We would like to do this in Chrome 67, which is estimated to be released to Stable on 29 May 2018," Palmer says. The proposal is up in the air, and users can submit opinions against Google's intent to deprecate, but seeing how little PKP was adopted, it's most likely already out the door. A Neustar survey from March 2016 had PKP deployment at only 0.09% of all HTTPS sites. By August 2017, that needle had barely moved to 0.4% of all sites in the Alexa Top 1 Million.

Chrome

Google Engineers Explore Ways To Stop In-Browser Cryptocurrency Miners in Chrome (bleepingcomputer.com) 189

An anonymous reader writes: Google Chrome engineers are considering adding a special browser permission that will thwart the rising trend of in-browser cryptocurrency miners. Discussions on the topic of in-browser miners have been going on the Chromium project's bug tracker since mid-September when Coinhive, the first such service, launched. "Here's my current thinking," Ojan Vafai, a Chrome engineering working on the Chromium project, wrote in one of the recent bug reports. "If a site is using more than XX% CPU for more than YY seconds, then we put the page into 'battery saver mode' where we aggressively throttle tasks and show a toast [notification popup] allowing the user to opt-out of battery saver mode. When a battery saver mode tab is backgrounded, we stop running tasks entirely. I think we'll want measurement to figure out what values to use for XX and YY, but we can start with really egregious things like 100% and 60 seconds. I'm effectively suggesting we add a permission here, but it would have unusual triggering conditions [...]. It only triggers when the page is doing a likely bad thing."

An earlier suggestion had Google create a blacklist and block the mining code at the browser level. That suggestion was shut down as being too impractical and something better left to extensions.

Google

Chrome To Force Domains Ending With Dev and Foo To HTTPS Via Preloaded HSTS (ttias.be) 220

Developer Mattias Geniar writes (condensed and edited for clarity): One of the next versions of Chrome is going to force all domains ending with .dev and .foo to be redirected to HTTPs via a preloaded HTTP Strict Transport Security (HSTS) header. This very interesting commit just landed in Chromium:
Preload HSTS for the .dev gTLD:


This adds the following line to Chromium's preload lists:
{ "name": "dev", "include_subdomains": true, "mode": "force-https" },
{ "name": "foo", "include_subdomains": true, "mode": "force-https" },

It forces any domain on the .dev gTLD to be HTTPs.

What should we [developers] do? With .dev being an official gTLD, we're most likely better of changing our preferred local development suffix from .dev to something else. There's an excellent proposal to add the .localhost domain as a new standard, which would be more appropriate here. It would mean we no longer have site.dev, but site.localhost. And everything at *.localhost would automatically translate to 127.0.0.1, without /etc/hosts or dnsmasq workarounds.

Chrome

FTP Resources Will Be Marked Not Secure in Chrome Starting Later This Year (google.com) 152

Google engineer Mike West writes: As part of our ongoing effort to accurately communicate the transport security status of a given page, we're planning to label resources delivered over the FTP protocol as "Not secure", beginning in Chrome 63 (sometime around December, 2017). We didn't include FTP in our original plan, but unfortunately its security properties are actually marginally worse than HTTP (delivered in plaintext without the potential of an HSTS-like upgrade). Given that FTP's usage is hovering around 0.0026% of top-level navigations over the last month, and the real risk to users presented by non-secure transport, labeling it as such seems appropriate. We'd encourage developers to follow the example of the linux kernel archives by migrating public-facing downloads (especially executables!) from FTP to HTTPS.
Firefox

Firefox 57 Will Hide Search Bar and Use a Uni-Bar Approach, Like Chrome (bleepingcomputer.com) 315

An anonymous reader quotes a report from Bleeping Computer: Mozilla will drop an iconic section of its UI -- the search bar -- and will use one singular input bar atop the browser, similar to the approach of most Chromium browsers. This change will go live in Firefox 57, scheduled for release on November 14, and will be part of Photon -- the codename used to describe Firefox's new user interface (UI) -- also scheduled for a public release in v57. Mozilla engineers aren't removing the search bar altogether, but Firefox will hide this UI element by default. Users can still re-enable it by going to "Preferences -> Search -> Search Bar" and choosing the second option. The current Firefox search bar is redundant since most of its features can be performed by the URL address bar.
Encryption

Google Warns Webmasters About Insecure HTTP Web Forms (searchengineland.com) 94

In April Chrome began marking HTTP pages as "not secure" in its address bar if the pages had password or credit card fields. They're about to take the next step. An anonymous reader quotes SearchEngineLand: Last night, Google sent email notifications via Google Search Console to site owners that have forms on web pages over HTTP... Google said, "Beginning in October 2017, Chrome will show the 'Not secure' warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode."
Google warned in April that "Our plan to label HTTP sites as non-secure is taking place in gradual steps, based on increasingly broad criteria. Since the change in Chrome 56, there has been a 23% reduction in the fraction of navigations to HTTP pages with password or credit card forms on desktop, and we're ready to take the next steps..."

"Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the 'Not secure' warning when users type data into HTTP sites."
Debian

OpenSSL Support In Debian Unstable Drops TLS 1.0/1.1 Support (debian.org) 76

An anonymous reader writes: Debian Linux "sid" is deprecating TLS 1.0 Encryption. A new version of OpenSSL has been uploaded to Debian Linux unstable. This version disables the TLS 1.0 and 1.1 protocol. This currently leaves TLS 1.2 as the only supported SSL/TLS protocol version. This will likely break certain things that for whatever reason still don't support TLS 1.2. I strongly suggest that if it's not supported that you add support for it, or get the other side to add support for it. OpenSSL made a release 5 years ago that supported TLS 1.2. The current support of the server side seems to be around 90%. I hope that by the time Buster releases the support for TLS 1.2 will be high enough that I don't need to enable them again. This move caused some concern among Debian users and sysadmins. If you are running Debian Unstable on server tons of stuff is going to broken cryptographically. Not to mention legacy hardware and firmware that still uses TLS 1.0. On the client side (i.e. your users), you need to use the latest version of a browser such as Chrome/Chromium and Firefox. The Older version of Android (e.g. Android v5.x and earlier) do not support TLS 1.2. You need to use minimum iOS 5 for TLS 1.2 support. Same goes with SMTP/mail servers, desktop email clients, FTP clients and more. All of them using old outdated crypto.

This move will also affect for Android 4.3 users or stock MS-Windows 7/IE users (which has TLS 1.2 switched off in Internet Options.) Not to mention all the mail servers out there running outdated crypto.

Ubuntu

Ask Slashdot: Ubuntu 18.04 LTS Desktop Default Application Survey 298

Dustin Kirkland, Ubuntu Product and Strategy at Canonical, writes: Howdy all- Back in March, we asked the HackerNews community, "What do you want to see in Ubuntu 17.10?": https://ubu.one/AskHN. A passionate discussion ensued, the results of which are distilled into this post: http://ubu.one/thankHN. In fact, you can check that link, http://bit.ly/thankHN and see our progress so far this cycle. We already have a beta code in 17.10 available for your testing for several of those:

- GNOME replaced Unity
- Bluetooth improvements with a new BlueZ
- Switched to libinput
- 4K/Multimonitor/HiDPI improvements
- Upgraded to Network Manager 1.8
- New Subiquity server installer
- Minimal images (36MB, 18% smaller)

And several others have excellent work in progress, and will be complete by 17.10:

- Autoremove old kernels from /boot
- EXT4 encryption with fscrypt
- Better GPU/CUDA support

In summary -- your feedback matters! There are hundreds of engineers and designers working for *you* to continue making Ubuntu amazing! Along with the switch from Unity to GNOME, we're also reviewing some of the desktop applications we package and ship in Ubuntu. We're looking to crowdsource input on your favorite Linux applications across a broad set of classic desktop functionality. We invite you to contribute by listing the applications you find most useful in Linux in order of preference.


Click through for info on how to contribute.
Chrome

Chromium To Get Support For MP3 (browsernative.com) 54

An anonymous reader shares a post: Chromium, the open source project behind Google Chrome, Opera and several other browsers, is going to support MP3. This would enable users and websites to play MP3 files in Chromium browser. A Chromium contributor informed about this, "We have approval from legal to go ahead and move MP3 into non-proprietary codecs list." The MP3 support in Chromium is targeted for version 62.
Power

Study Claims Discarded Solar Panels Create More Toxic Waste Than Nuclear Plants (nationalreview.com) 376

Templer421 shares an article from National Review: A new study by Environmental Progress warns that toxic waste from used solar panels now poses a global environmental threat. The Berkeley-based group found that solar panels create 300 times more toxic waste per unit of energy than nuclear-power plants. Discarded solar panels, which contain dangerous elements such as lead, chromium, and cadmium, are piling up around the world, and there's been little done to mitigate their potential danger to the environment. "We talk a lot about the dangers of nuclear waste, but that waste is carefully monitored, regulated, and disposed of," says Michael Shellenberger, founder of Environmental Progress, a nonprofit that advocates for the use of nuclear energy. "But we had no idea there would be so many panels -- an enormous amount -- that could cause this much ecological damage." Solar panels are considered a form of toxic, hazardous electronic or "e-waste," and according to EP researchers Jemin Desai and Mark Nelson, scavengers in developing countries like India and China often "burn the e-waste in order to salvage the valuable copper wires for resale. Since this process requires burning off plastic, the resulting smoke contains toxic fumes that are carcinogenic and teratogenic (birth defect-causing) when inhaled."
A spokesman for the Solar Energy Industries Association argues that the study is incorrect, and that in fact solar panels are "mainly made up of easy-to-recycle materials that can be successfully recovered and reused at the end of their useful life."
Chrome

Chrome To Deprecate PNaCl, Embrace New WebAssembly Standard (tomshardware.com) 108

An anonymous reader quotes Tom's Hardware Google announced that its Portable Native Client (PNaCl) solution for making native code run inside the browser will be replaced by the new cross-browser web standard called WebAssembly... Even though Google open sourced PNaCl, as part of the Chromium project, Mozilla ended up creating its own alternative called "asm.js," an optimized subset of JavaScript that could also compile to the assembly language. Mozilla thought that asm.js was far simpler to implement and required no API compatibility, as PNaCl did. As these projects seemed to go nowhere, with everyone promoting their own standard, the major browser vendors seem to have eventually decided on creating WebAssembly. WebAssembly can give web apps near-native performance, offers support for more CPU features, and is simpler to implement in browsers and use by developers.
Bug

Google Chrome Bug Lets Sites Record Audio and Video Without a Visual Indicator (bleepingcomputer.com) 36

New submitter aafrn writes: "Ran Bar-Zik, a web developer at AOL, has discovered and reported a bug in Google Chrome that allows websites to record audio and video without showing a visual indicator," reports BleepingComputer. "The bug is not as bad as it sounds, as the malicious website still needs to get the user's permission to access audio and video components, but there are various ways in which this issue could be weaponized to record audio or video without the user's knowledge. The bug's central element is a 'red circle and dot' icon that Chrome usually shows when recording audio or video streams." Bar-Zik discovered that if the JavaScript code that does the actual audio and video recording is launched inside a small popup, the icon is not shown anymore. This opens the door for various types of scenarios, where an attacker that has tricked a user into granting him permission to record audio and video records user data but when the user doesn't expect this (no visual indicator). For example, an attacker could disguise audio/video recording code inside popup ads. If the user doesn't close the popup, the popup continues to stream audio and video from the victim's house. Google declined to consider this a security bug.
Security

Ambient Light Sensors Can Be Used To Steal Browser Data (bleepingcomputer.com) 37

An anonymous reader writes: "Over the past decade, ambient light sensors have become quite common in smartphones, tablets, and laptops, where they are used to detect the level of surrounding light and automatically adjust a screen's intensity to optimize battery consumption... and other stuff," reports Bleeping Computer. "The sensors have become so prevalent, that the World Wide Web Consortium (W3C) has developed a special API that allows websites (through a browser) to interact with a device's ambient light sensors. Browsers such as Chrome and Firefox have already shipped versions of this API with their products." According to two privacy and security experts, Lukasz Olejnik and Artur Janc, malicious web pages can launch attacks using this new API and collect data on users, such as URLs they visited in the past and extract QR codes displayed on the screen. This is possible because the light coming from the screen is picked up by these sensors. Mitigating such attacks is quite easy, as it only requires browser makers and the W3C to adjust the default frequency at which the sensors report their readings. Furthermore, the researcher also recommends that browser makers quantize the result by limiting the precision of the sensor output to only a few values in a preset range. The two researchers filed bug reports with both Chrome and Firefox in the hopes their recommendations will be followed.

Slashdot Top Deals