Security

Researcher Finds Tens of Software Products Vulnerable To Simple Bug (softpedia.com) 132

An anonymous reader writes: There's a German security researcher that is arduously testing the installers of tens of software products to see which of them are vulnerable to basic DLL hijacking. Surprisingly, many companies are ignoring his reports. Until now, only Oracle seems to have addressed this problem in Java and VirtualBox. Here's a short (probably incomplete) list of applications that he found vulnerable to this attack: Firefox, Google Chrome, Adobe Reader, 7Zip, WinRAR, OpenOffice, VLC Media Player, Nmap, Python, TrueCrypt, and Apple iTunes. Mr. Kanthak also seems to have paid special attention to antivirus software installers. Here are some of the security products he discovered vulnerable to DLL hijacking: ZoneAlarm, Emsisoft Anti-Malware, Trend Micro, ESET NOD32, Avira, Panda Security, McAfee Security, Microsoft Security Essentials, Bitdefender, Rapid7's ScanNowUPnP, Kaspersky, and F-Secure.
Security

Google Will Soon Let You Know By Default When Websites Are Unencrypted (softpedia.com) 216

An anonymous reader writes: Permanent changes are planned for future Google Chrome releases, which will add a big shiny red cross in the URL bar if the website you're accessing is not using HTTPS. Google says it is planning to add this to Chrome by the end of 2016, after one of its developers proposed the idea back in December 2014. Many have argued that the web is predominantly unencrypted, so they're displaying a persistent and ambiguous error message for a large portion of the Internet. Since unencrypted content is not an error state, the Chrome team should use alternate iconography, because the default error message this will just confuse average people, and it will encourage error blindness.
Cloud

Ask Slashdot: What Are Your Experiences With Online IDEs For Web Development? 168

Qbertino writes: I'm toying with the thought of moving my web development (PHP, HTML, CSS, JavaScript with perhaps a little Python and Ruby thrown in) into the cloud. The upsides I expect would be: 1) No syncing hassles across machines. 2) No installation of toolchains to get working or back to work — a browser and a connection is all that would be required. 3) Easy teamwork. 4) Easy deployment. 5) A move to Chrome OS for ultra-cheap laptop goodness would become realistic.

Is this doable/feasible? What are your experiences? Note, this would be for professional web development, not hobbyist stuff. Serious interactive JS, non-trivial PHP/LAMP development, etc. Has anyone have real world experience doing something like this? Maybe even experience with moving to a completely web-centric environment with Chrome OS? What have you learned? What would you recommend? How has it impacted your productivity and what do you miss from the native pipelines? What keeps you in the cloud, and enables you to stay there? Are you working "totally cloud" with a team and if so, how does it work out/feel? Does it make sense? As for concrete solutions, I'm eyeing Cloud9, CodeAnywhere, CodeEnvy but also semi-FOSS stuff like NeutronDrive. Anything you would recommend for real world productivity? Have you tried this and moved back? If so, what are your experiences and what would need to be improved to make it worthwhile? Thanks for any insights.
Privacy

Nvidia Blames Apple For Bug That Exposes Browsing In Chrome's Incognito (venturebeat.com) 165

An anonymous reader points out this story at VentureBeat about a bug in Chrome's incognito mode that might be a cause for concern for some Apple users. From the story: "If you use Google Chrome's incognito mode to hide what you browse (ahem, porn), this might pique your interest. University of Toronto engineering student Evan Andersen discovered a bug that affects Nvidia graphics cards, exposing content that you thought would be for your eyes only. And because this only happens on Macs, Nvidia is pointing the finger at Apple."
Chrome

Nvidia GPUs Can Leak Data From Google Chrome's Incognito Mode (softpedia.com) 148

An anonymous reader writes: Nvidia GPUs don't clear out memory that was previously allocated, and neither does Chrome before releasing memory back to the shared memory pool. When a user recently fired up Diablo 3 several hours after closing an Incognito Mode window that contained pornography, the game launched with snapshots of the last "private" browsing session appearing on the screen — revealing his prior activities. He says, "It's a fairly easy bug to fix. A patch to the GPU drivers could ensure that buffers are always erased before giving them to the application. It's what an operating system does with the CPU RAM, and it makes sense to use the same rules with a GPU. Additionally, Google Chrome could erase their GPU resources before quitting."
Chrome

Chrome Extension Offers Trump-Free Browsing (usnews.com) 247

Earthquake Retrofit writes: A new Google Chrome extension lets you remove mentions of Donald Trump from your browsing experience. Trump Filter scans websites for references to the Republican presidential candidate, showing a blank void in the place of Trump-related content. "I am doing this out of a profound sense of annoyance and patriotic duty," the extension's creator, Rob Spectre, writes on the Trump Filter website. "[I was not] put up to this by the Republican or Democratic Parties, the Obama Administration, my mother or any other possible sphere of influence." Trump Filter's code is open source and can be found on GitHub.
Chrome

AVG Forces Chrome Extension On Users, Extension Is Woefully Insecure (google.com) 170

An anonymous reader writes: The AVG Web TuneUp Chrome extension, forcibly added to Google Chrome browsers when users were installing the AVG antivirus, had a serious flaw that allowed attackers to get the user's browsing history, cookies, and more. "This extension adds numerous JavaScript APIs to Chrome, apparently so that they can hijack search settings and the new tab page," explains Mr. Ormandy. "The installation process is quite complicated so that they [AVG] can bypass the Chrome [Store] malware checks, which specifically tries to stop abuse of the [Chrome] Extension API." Simple XSS and MitM attacks expose data from other tabs opened in the browser, browsing history, and even manage to render SSL useless.
Bug

Fixing JavaScript's Broken Random Number Generator (hackaday.com) 136

szczys writes: It is surprising to learn how broken the JavaScript Random Number Generator has been for the past six years. The problem is compounded by the fact that Node.js uses the same broken Math.random() module. Learning about why this is broken is interesting, but perhaps even more interesting is how the bad code got there in the first place. It seems that a forum thread from way back in 1999 shared two versions of the code. If you read to the end of the thread you got the working version, if you didn't make it that far (perhaps the case with JavaScript devs) you got the bad version of the code whose fix is just now being rolled out.
Graphics

Unity Benchmarks Browser WebGL Performance (unity3d.com) 38

An anonymous reader writes: Jonas Echterhoff from Unity has posted the latest Unity WebGL benchmark results on the Unity blog. He writes, "A bit over a year ago, we released a blog post with performance benchmarks for Unity WebGL, to compare WebGL performance in different browsers. We figured it was time to revisit those benchmarks to see how the numbers have changed. Microsoft has since released Windows 10 with their new Edge browser (which supports asm.js and is now enabling it by default) – so we were interested to see how that competes. Also, we have an experimental build of Unity using Shared Array Buffers to run multithreaded code, and we wanted to see what kind of performance gains to expect. So we tested this in a nightly build of Firefox with Shared Array Buffer support." The benchmark concludes that Firefox 42 64-bit is the fastest, Edge takes second, and Chrome and Safari share third place.
Chrome

VLC Launches On Chrome OS Thanks To Android Port 44

An anonymous reader writes: VideoLAN today launched VLC, the world's most used media player, for Chrome OS. You can download the new app, which is a port of the VLC version for Android, from the Chrome Web Store. Chrome OS was one of the last desktop operating systems for which VLC was not available (the media player exists for Windows, OS X, Linux, BSD, Solaris, OS/2, Haiku/BeOS, and ReactOS). Yet Chrome OS wasn't an easy operating system to support, as VLC is a native application on all platforms (it uses low-level APIs to output video, audio, and gain access to threads) built using mostly C and C++. Writing VLC in JavaScript and other Web technologies, as Chrome OS requires, is not an easy task by any stretch.
Google

Google Bans Symantec Root Certificates 84

An anonymous reader writes: After in September Google discovered SSL certificates issued in its name by Symantec, and after in October the company discovered over 2,500 more certificates issued for non-existent domains, also by Symantec, Google has now decided to ban Symantec's dodgy certificates from Android and Chrome. "Symantec has decided that this root will no longer comply with the CA/Browser Forum's Baseline Requirements," said Ryan Sleevi, Google Software Engineer. "As these requirements reflect industry best practice and are the foundation for publicly trusted certificates, the failure to comply with these represents an unacceptable risk to users of Google products." Apparently Symantec hasn't been very careful of where and to whom it issues SSL certificates from a particular root branch.
Microsoft

Microsoft (Briefly) Reveals New Extensions For Edge, Including Reddit and Pinterest (thestack.com) 44

An anonymous reader writes: A now-inactive page at a Microsoft Azure development sites shows a page that reveals the first two extensions for the Microsoft Edge browser to be Pinterest and a port of the Reddit Enhancement Suite for Google Chrome. The page was identified by Twitter user H0x0d, and is now only accessible via Google Cache.
Chrome

Google To Drop Chrome Support For 32-bit Linux 175

prisoninmate writes: Google announces that its Google Chrome web browser will no longer be available for 32-bit hardware platforms. Additionally, Google Chrome will no longer be supported on the Ubuntu 12.04 LTS (Precise Pangolin) and Debian GNU/Linux 7 (Wheezy) operating systems. Users are urged to update to the Ubuntu 14.04 LTS (Trusty Tahr) release and Debian GNU/Linux 8 (Jessie) respectively. Google will continue to support the 32-bit build configurations for those who want to build the open-source Chromium web browser on various Linux kernel-based operating systems. Reader SmartAboutThings writes, on a similar note, that: Microsoft is tolling the death knell for Internet Explorer with an announcement that it will end support for all older versions next year. Microsoft says that all versions older than the latest one will no longer be supported starting Jan. 12, 2016. After this date, Microsoft will no longer provide security updates or technical support for older Internet Explorer versions. Furthermore, Internet Explorer 11 will be the last version of Internet Explorer as Microsoft shifts its focus on its next web browser, Microsoft Edge.
The Almighty Buck

Exploit Vendor Publishes Prices For Zero-Day Vulnerabilities 21

An anonymous reader writes: An exploit vendor published a price list for the zero-day bugs it's willing to buy. The highest paid bugs are for remote jailbreaks for iOS. Second is Android and Windows Phone. Third there are remote code execution bugs for Chrome, Flash, and Adobe's PDF Reader. This is the same company that just paid $1 million to a hacker for the first iOS9 jailbreak.
Google

Google's Chromebit Micro-Computer Launches (techcrunch.com) 60

An anonymous reader writes: Back in March, Google announced the Chromebit, a small computer crammed into an HDMI stick that runs Chrome OS. The device, built by Asus, has now launched for $85. It weighs 75 grams, runs on a Rockchip ARM processor, and includes a USB port. It has 16GB of storage and 2GB of RAM, and connects via 802.11ac Wi-Fi and Bluetooth 4.0. According to Tech Crunch, the Chromebit is not particularly fast, but it's usable for basic tasks. "As long as the work only involves web apps (or maybe a remote connection to a more fully-featured machine), the Chromebit is up for the job and can turn any screen into a usable desktop."
Handhelds

Chrome V8 JavaScript Exploit Leaves All Android Devices Ripe For Attack (hothardware.com) 107

MojoKid writes: If you're an Android user that makes heavy use of Google's Chrome web browser (and what Android user doesn't?), you'll want to pay close attention to a new exploit that has the capability of taking your smartphone hostage. The exploit was demonstrated at MobilePwn2Own, which was held at a Tokyo-based PacSec conference. Quihoo 360 security researcher Guang Gong first uncovered the vulnerability, and thankfully, he hasn't publicly revealed detailed specifics on its inner workings. As soon as a phone accessed the website, the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a game) without any user interaction, to demonstrate complete control of the phone. Google reportedly has been made well aware of the exploit and will likely act quickly to resolve it.
Android

New Android Phones Hijackable With Chrome Exploit (theregister.co.uk) 45

mask.of.sanity writes: Google's Chrome for Android has been popped with a single exploit that could lead to the compromise of any handset. The exploit, showcased at MobilePwn2Own at the PacSec conference, targets the JavaScript v8 engine and compromises phones when users visit a malicious website. It is also notable in that it is a single clean exploit that does not require chained vulnerabilities to work.
Chrome

Google Will Retire Chrome Support For XP, Vista, OS X 10.6-8 In April 2016 (blogspot.com) 140

An anonymous reader writes: Google has announced it is extending Chrome support for Windows XP until April 2016. The company will also end Chrome support for Windows Vista, OS X 10.6 Snow Leopard, OS X 10.7 Lion, and OS X 10.8 Mountain Lion at the same time. This means Google will provide regular Chrome updates and security patches for users on these operating systems for five more months. After that, the browser will still work, but it will be stuck on the last version released in April.

Slashdot Top Deals