…from:
http://www.theguardian.com/technology/2016/feb/08/uninstalling-facebook-app…
Uninstalling Facebook app saves up to 15% of iPhone battery life
Facebook is one of the most downloaded apps on iOS but it has long been cited as a cause of fast-draining iPhone batteries <http://www.theguardian.com/technology/2015/oct/19/facebook-iphone-users-bat…>. Last year it was accused of using background tricks to stay active <https://www.reddit.com/r/iphone/comments/3kvfta/how_is_facebook_doing_so_mu…> even when it wasn’t being used. Facebook admitted bugs existed, and fixed them <https://www.facebook.com/arig/posts/10105815276466163>, but questions of the app’s impact on battery life remained.
Similar concerns about Facebook’s Android app led to the discovery that deleting the app saves up to 20% of a phone’s battery <http://www.theguardian.com/technology/2016/feb/01/uninstalling-facebook-app…>. After that revelation, I set about seeing if the same was true for iPhone users. I discovered that uninstalling Facebook’s iOS app and switching to Safari can save up to 15% of iPhone battery life.
Using an iPhone 6S Plus <http://www.theguardian.com/technology/2015/oct/02/iphone-6s-plus-review-bar…> for a week without the main Facebook app installed, I recorded the battery life at 10.30pm each day for a week comparing it to a daily average taken from a week with the app. I charged the phone overnight, taking it off the charger at 7.30am, and used it normally. I accessed Facebook for the same amount of time, and for the same purposes, using the social network’s excellent mobile site within Safari, as I had done using the app. I also left the Facebook Messenger app installed.
On average I had 15% more battery left by 10.30pm each day. I had also saved space, because at the point I had deleted the Facebook app it had consumed around 500MB in total combining the 111MB of the app <https://itunes.apple.com/gb/app/facebook/id284882215?mt=8> itself and its cache on the iPhone.
To make sure that this wasn’t an isolated incident, I also recruited several other Facebook-using iPhone owners to conduct a similar test. They all found similar results, with increased battery life when using Facebook in Safari having uninstalled the main Facebook <http://www.theguardian.com/technology/facebook> iOS app.
Spot the difference: one is the Facebook app, the other the Facebook mobile site. Photograph: Samuel Gibbs for the Guardian
Using Facebook in Safari was almost as good as the app. You can even place a shortcut to Facebook in Safari on the homescreen that looks almost identical to the app’s icon (the white is a little less bright but you need eagle eyes to see). The only restriction was the Share-to function, which does not exist for websites, meaning that to share photos I had to manually hit the “post photos” button on the mobile site.
Features of the app, such as Instant Articles, are also not available. Tapping a link on the Facebook mobile site opens a new Safari tab.
The results will vary for the smaller iPhone 6S <http://www.theguardian.com/technology/iphone-6s>, as it has a smaller battery and shorter battery life overall, but judging by the 6S Plus experience, removing the Facebook app in preference of using the social network in Safari will extend the battery life of any iPhone.
A Facebook spokesperson said the company was investigating the matter.
…from:
http://www.macworld.com/article/3027473/security/oracle-is-planning-to-kill…
Oracle blog post: https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free
Migration options: http://www.oracle.com/technetwork/java/javase/migratingfromapplets-2872444.…
Oracle's killing a favorite security hole for attackers: the Java browser plug-in
Lucian Constantin<http://www.macworld.com/author/Lucian-Constantin/>
IDG News Service
Jan 28, 2016 4:26 AM
Oracle will retire the Java browser plug-in, frequently the target of Web-based exploits, about a year from now. Remnants, however, will likely linger long after that.
“Oracle plans to deprecate the Java browser plugin in JDK 9,” the Java Platform Group said in a blog post<https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free> Wednesday. “This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”
The Java Development Kit (JDK) 9, the reference implementation for the next version of Java SE, is expected to reach general availability<http://openjdk.java.net/projects/jdk9/> in March 2017. By then, however, most modern browsers will no longer accept the Java browser plug-in anyway.
Mozilla announced in October that it plans to remove support for plug-ins<https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/> in Firefox by the end of 2016. Chrome disabled support in September for plug-ins that, like Java and Silverlight, use the old Netscape Plugin Application Programming Interface (NPAPI) standard. Microsoft’s Edge browser doesn’t support plug-ins either.
With Internet Explorer and Safari the only browsers set to still accept traditional NPAPI plug-ins after 2016, Oracle is pretty much forced into this decision, even though Chrome does support a new plug-in technology called PPAPI (Pepper Plug-in API).
“Oracle does not plan to provide additional browser-specific plugins as such plugins would require application developers to write browser-specific applets for each browser they wish to support,” the company said in a white paper<http://www.oracle.com/technetwork/java/javase/migratingfromapplets-2872444.…> that outlines migration options for developers. “Moreover, without a cross-browser API, Oracle would only be able to offer a subset of the required functionality, different from one browser to the next, impacting both application developers and users.”
The main alternative proposed by the company is to switch from Java Applets to Java Web Start applications. This type of application can be launched from the Web without the need for a browser plug-in.
From a security perspective though, Java Web Start applications can be used as an attack vector for exploiting vulnerabilities in the Java runtime, just like Applets.
Even after the Java plug-in is retired, it’s likely that many computers will continue to have it installed for years to come. This is especially true in business environments where custom built Web-based Java applications are common and cannot be easily replaced or rewritten.
Even now, for application compatibility reasons, there’s a large number of computers in business environments that continue to use Java 6 or Java 7, versions that no longer receive public security updates.
[Kurt Schmucker - currently works for PARALLELS software; used to be Senior Evangelist for Microsoft's Mac Business Unit - compares Microsoft Office for OS X, iPad, and Windows]
…from:
http://9to5mac.com/2016/01/21/windows-mac-ipad-microsoft-office-comparison/
Comparison breaks down all the missing features in Office for Mac & iPad vs Windows<http://9to5mac.com/2016/01/21/windows-mac-ipad-microsoft-office-comparison/>
Jordan Kahn<http://9to5mac.com/author/jordankahn/>
This comparison of the differences between Microsoft Office on Mac, Windows, and iOS devices was put together by Kurt Schmucker who (disclaimer) works for Parallels<http://blog.parallels.com/author/kschmuckerparallels-com/> — the company that makes slick virtual machine apps for running Windows and other operating systems on Mac<http://www.anrdoezrs.net/click-5781858-12310291-1446142151000> — but he also happens to know a thing or two about the subject after his previous role as Senior Mac Evangelist at Microsoft and on the Office team<http://9to5mac.com/2010/09/28/official-office-for-mac-available-october-26/>. So what exactly is missing on Mac and iOS devices compared to Windows when it comes to the Office suite?
In the charts below, Schmucker breaks down feature-by-feature exactly what you get (and don’t get) in each of the different versions of the productivity suite including Office 2016 and 2013 for Windows, Office 2016 and 2011 for Mac, and Office for iPad<http://9to5mac.com/2016/01/21/microsoft-3d-touch-iphone-6s-apple-pencil-ipa…>.
The full charts (below) show suite-wide differences between the versions such as missing apps, lack of support for Visual Basic and ActiveX, right-to-left language support, accessibility features, AppleScript and much more. Other charts in the study show feature variations for Word, Excel, PowerPoint, and Outlook, with the majority of the features listed unavailable for iPad users and a mixed bag for the other versions.
[Microsoft-Office-Comparison-Parallels-02]
And Schmucker points out two things regarding the iPad specifically. One positive is support for right-to-left languages, which he notes is something that Mac users have been asking for but have yet to receive, while a negative for the iPad is the lack of multiple selection support in PowerPoint, something Schmucker notes is a pretty basic but crucial function for the app.
In the end, he concludes that a mix of the various Office suites is the best approach but admits that his main, go-to version is MacOffice 2011 (apart from using the latest version of Outlook due to enhanced performance):
“I worked for the MacOffice team at Microsoft for several years, and at that time I also worked closely with colleagues on the WinOffice teams. Because of this background, I am often able to pick just the right Office app that will make a given task the easiest to do. One task might be particularly well suited to MacWord 2011 because Publishing Layout View— a feature only in that one Word version— will make this task easy. Another task might be suited to WinPPT because of the Animation Painter, which is not in any MacPPT version. Yet another task might be best suited to WinPPT 2013 because it needs an Office extension not available in other Office suites.”
[Charts: Microsoft-Office-Comparison-Parallels-03 through -06, viewable at full size in the 9to5mac article linked above]
The Dow-Jones Industrial has dropped about 2,000 points over the past year from around 18,000 to around 16,000; about an 11% drop.
[search "dow jones industrial” on google]
Apple stock prices have dropped from about 110 a year ago to around 98 today; about 10.9% drop.
[search “apple stock” on Google]
Oil has dropped from a high of about 100 - 110 to around 28 today; roughly 75% drop.
http://www.nasdaq.com/markets/crude-oil.aspx?timeframe=5y
USA today’s headline reads: "Apple stock destroys $218B: How low can it go?”
http://www.usatoday.com/story/money/markets/2016/01/15/apple-stock-destroys…
Apple stock destroys $218B: How low can it go?
Stocks plummeted Friday as oil prices, which were already at a 12-year low, fell below $30 a barrel.
Matt Krantz<http://www.usatoday.com/staff/1035/matt-krantz/>, USA TODAY 8:59 p.m. EST January 15, 2016
Apple (AAPL) is the poster child of this market crash. It took a market meltdown to help expose just how overvalued the stock was. The question is how much lower can it fall.
Shares of the gadget maker closed down another $2.47, or 2.5%, to $97.05 Friday — capping off what's been a breathtaking 28% decline from the stock's high last year. Apple's fall will go down as one of the biggest wealth destroyers in recent market history - shredding $218 billion in market value from the market's high on May 21, 2015 adjusted for stock buybacks. That's more than the entire market value of roughly 485 stocks individually in the Standard & Poor's 500.
Apple is the most widely held stock by consumers — so it is the market to many. By that measure, Apple's shares are a disaster amid this latest market downturn. Apple — by far — has accounted for more of the market value lost in this market decline than any other. Energy pipeline company Kinder Morgan (KMI) is the second biggest wealth destroyer — but it only wiped out $63.5 billion from the high.
The question now is how much lower Apple shares can go. Here are some ways to think about that:
► $92: Apple's previous intraday low. Shares of Apple plunged to $92 a share on an intraday basis back in August during a market malfunction. Many investors are hoping this previous freak-out low will hold.
► $77: The pattern of where Apple shares have crashed before. The last time investors worried about slowing smartphone growth sent the stock down 43% between Sept. 2012 and June 2013. If Apple drops from its $134.54 high to the same degree, that would put the shares at $77.
► $39.65: This could be somewhat of a worst-case scenario. Apple investors like to say Apple is cheap because it trades for 11 times its diluted trailing earnings. There's just one problem — Apple is a giant hardware company. Large hardware companies tend to have low multiples. There's really only one decent publicly traded large hardware company left: HP (HPQ). HP, a seller of computer hardware, trades for 4.3 times trailing earnings. That same multiple applied to Apple would give it a stock price of $39.65. Growth mutual funds, like American Funds Capital World Growth & Income Fund and Hartford Capital Appreciation fund have slashed their holdings in Apple the past six months seeing signs that the company's rapid growth is stalling, according to Reuters.
To be sure, while analysts are worried smartphone sales are mature and slowing, that's a far cry from the state of the personal computer or printer market HP is competing in. HP is expected to grow just 3.5% a year over the next five years. That's a fraction of the 13.3% long-term growth analysts expect from Apple, says S&P Capital IQ.
These scary scenarios may never come to pass. Analysts remain bullish on the stock — despite signs of a slowdown — and are calling it a buying opportunity. Analysts have an average 18-month price target on Apple at $142.91, says S&P Capital IQ. If correct that would be a staggering upside.
Meanwhile, Apple is sitting on more than $200 billion in cash and investments. Even if you strip out the company's debt, the company still has a tangible book value a share of $19.78. That means Apple is trading for just about 5 times tangible book value — which is a discount to the average 11.2 price to book value of companies in the S&P 500. If Apple were to trade at that multiple, it would be worth $221 a share.
There's no question Apple was overvalued - given the historic decline in its value. But the question now is what is the right price? Given the huge range of possibilities - you can understand why Apple has become the ultimate battleground stock.
Matt Krantz on Twitter: @mattkrantz<https://twitter.com/mattkrantz>.
…from:
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-millions…
Linux bug imperils tens of millions of PCs, servers, and Android phones
Vulnerability allows restricted users and apps to gain unfettered root access.
by Dan Goodin<http://arstechnica.com/author/dan-goodin/> - Jan 19, 2016 1:16pm CST
For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.
The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can't be accessed by other apps. According to a blog post published Tuesday<http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-…>, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that's executed by the kernel.
The vulnerability is notable because it's exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions. It can also be exploited on devices and appliances running embedded versions of Linux. While security mitigations such as supervisor mode access prevention<https://lwn.net/Articles/517475/> and supervisor mode execution protection<https://en.wikipedia.org/wiki/Control_register> are available for many servers, and security enhanced Linux<https://en.wikipedia.org/wiki/Security-Enhanced_Linux> built into Android can make exploits harder, there are still ways to bypass those protections.
"As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets)," Perception Point researchers wrote. "While neither we nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible."
While malware distributors have focused most of their resources over the years on infecting computers running Microsoft Windows, they have put increased focus on attacking competing OSes. In 2014, for instance, researchers uncovered a powerful Linux trojan that may have remained undetected for years<http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-troj…> as it siphoned sensitive data from government agencies and pharmaceutical companies. A vulnerability like the one reported by Perception Point can be the means for surreptitiously installing such malware. The bug is indexed as CVE-2016-0728. Major Linux distributions are expected to make fixes available as early as Tuesday.
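The following is an added triage helper, written for this digest; it is not code from Perception Point, from the Ars article or from the kernel. It parses a kernel release string and reports whether it is at or beyond 3.8, the version the article says introduced the bug, and it scans /proc/cpuinfo-style text for the smep and smap flags that the article names as mitigations. It does not decide whether a distribution kernel has the CVE-2016-0728 fix backported: that has to come from the vendor advisory, because a backported fix does not change the version number. The release strings and the cpuinfo excerpt are constructed samples, and the function names are assumptions of this example.

```javascript
// Added triage helper for CVE-2016-0728 (example code, not Perception Point's
// or the kernel's). Checks two things the article mentions: the kernel version
// range in which the keyring bug was introduced (3.8 and later) and whether the
// CPU advertises the SMEP/SMAP mitigations. Sample inputs are constructed.

// Parse "3.13.0-74-generic" or "4.4.0" into [major, minor, patch].
function parseKernelRelease(release) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(release.trim());
  if (!m) throw new Error(`unrecognised kernel release: ${release}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Lexicographic compare of two [major, minor, patch] triples.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the release is 3.8 or newer, the range in which the bug exists
// upstream. A backported fix does not change the version string, so a "true"
// here means "check the vendor advisory", not "confirmed vulnerable".
function kernelInIntroducedRange(release) {
  return compareVersions(parseKernelRelease(release), [3, 8, 0]) >= 0;
}

// Scan /proc/cpuinfo text for the smep and smap CPU flags.
function cpuMitigations(cpuinfoText) {
  const flags = new Set();
  for (const line of cpuinfoText.split("\n")) {
    const m = /^flags\s*:\s*(.*)$/.exec(line);
    if (m) for (const f of m[1].trim().split(/\s+/)) flags.add(f);
  }
  return { smep: flags.has("smep"), smap: flags.has("smap") };
}

// Combine both checks into one report for a host.
function triage(release, cpuinfoText) {
  const { smep, smap } = cpuMitigations(cpuinfoText);
  const possiblyAffected = kernelInIntroducedRange(release);
  return {
    release,
    possiblyAffected,
    smep,
    smap,
    note: possiblyAffected
      ? "kernel >= 3.8: confirm fix status against the distribution advisory"
      : "kernel predates 3.8: bug not present upstream",
  };
}

// Constructed samples (not captured from a real host).
const SAMPLE_RELEASE_OLD = "3.2.0-4-amd64";
const SAMPLE_RELEASE_NEW = "3.13.0-74-generic";
const SAMPLE_CPUINFO = `processor\t: 0
vendor_id\t: GenuineIntel
model name\t: constructed sample
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov smep smap
`;

console.log(JSON.stringify(triage(SAMPLE_RELEASE_OLD, SAMPLE_CPUINFO), null, 2));
console.log(JSON.stringify(triage(SAMPLE_RELEASE_NEW, SAMPLE_CPUINFO), null, 2));
```

On a live Linux host, pass require('os').release() and the contents of /proc/cpuinfo in place of the samples. The possiblyAffected field is deliberately conservative: it flags the introduced range, and the vendor advisory decides whether a given build is actually patched.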
…from:
http://www.reuters.com/article/us-microsoft-china-insight-idUSKBN0UE01Z2016…
Microsoft failed to warn victims of Chinese email hack: former employees
SAN FRANCISCO | BY JOSEPH MENN<http://blogs.reuters.com/search/journalist.php?edition=us&n=josephmenn&>
[An electronic Microsoft logo is seen at the Microsoft store in New York City, July 28, 2015. REUTERS/Mike Segar]
Microsoft Corp experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company.
On Wednesday, after a series of requests for comment from Reuters, Microsoft said it would change its policy and in future tell its email customers when it suspects there has been a government hacking attempt. Microsoft spokesman Frank Shaw said the company was never certain of the origin of the Hotmail attacks.
The company also confirmed for the first time that it had not called, emailed or otherwise told the Hotmail users that their electronic correspondence had been collected. The company declined to say what role the exposure of the Hotmail campaign played in its decision to make the policy shift.
The first public signal of the attacks came in May 2011, though no direct link was immediately made with the Chinese authorities. That's when security firm Trend Micro Inc announced it had found an email sent to someone in Taiwan that contained a miniature computer program.
The program took advantage of a previously undetected flaw in Microsoft's own web pages to direct Hotmail and other free Microsoft email services to secretly forward copies of all of a recipient's incoming mail to an account controlled by the attacker.
Trend Micro found more than a thousand victims, and Microsoft patched the vulnerability before the security company announced its findings publicly.
Microsoft also launched its own investigation that year, finding that some interception had begun in July 2009 and had compromised the emails of top Uighur and Tibetan leaders in multiple countries, as well as Japanese and African diplomats, human rights lawyers and others in sensitive positions inside China, two former Microsoft employees said. They spoke separately and on the condition that they not be identified.
Some of the attacks had come from a Chinese network known as AS4808, which has been associated with major spying campaigns, including a 2011 attack on EMC Corp's security division RSA that U.S. intelligence officials publicly attributed to China. To see the report click here<http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/>
Microsoft officials did not dispute that most of the attacks came from China, but said some came from elsewhere. They did not give further detail.
"We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country," the company said. "We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks."
In announcing the new policy, Microsoft said: "As the threat landscape has evolved our approach has too, and we'll now go beyond notification and guidance to specify if we reasonably believe the attacker is `state-sponsored.'"
The Chinese government "is a resolute defender of cyber security and strongly opposes any forms of cyber attacks", Chinese Foreign Ministry spokesman Lu Kang said, adding that it punishes any offenders in accordance with the law.
"I must say that if the relevant party has some real and conclusive evidence, then it can carry out mutually beneficial cooperation with China in a constructive way in accordance with the existing channels," Lu said at a daily news briefing.
"But if there's the frequent spreading of unfounded rumors, it will, in fact, be of no benefit to solving the problem, enhancing mutual trust and promoting cyber security."
The Cyberspace Administration of China did not respond to a request for comment.
INTERNAL DEBATE
After a vigorous internal debate in 2011 that reached Microsoft's top security official, Scott Charney, and its then-general counsel and now president, Brad Smith, the company decided not to alert the users clearly that anything was amiss, the former employees said. Instead, it simply forced users to pick new passwords without disclosing the reason.
The employees said it was likely the hackers by then had footholds in some of the victims' machines and therefore saw those new passwords being entered.
One of the reasons Microsoft executives gave internally in 2011 for not issuing explicit warnings was their fear of angering the Chinese government, two people familiar with the discussions said.
Microsoft's statement did not address the specific positions advocated by Smith and Charney. A person familiar with the executives' thinking said that fear of Chinese reprisals did play a role given the company's concerns about the potential impact on customers.
Microsoft said the company had believed the password resets would be the fastest way to restore security to the accounts.
"Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset," the statement said.
It is unclear what happened to the email users and their correspondents as a result of Microsoft's failure to alert them to the suspected government hacking. But some of those affected said they were now deeply worried about the risks, especially for those inside China.
"The Internet service providers and the email providers have an ethical and a moral responsibility to let the users know that they are being hacked," said Seyit Tumturk, vice president of the World Uyghur Congress, whose account was among those compromised. "We are talking in people's lives here."
HUNDREDS OF LIVES
Unrest in Xinjiang, the Chinese region bordering Kazakhstan that is home to many Uighurs, has cost hundreds of lives in recent years. Beijing blames Islamist militants, while human rights groups say harsh controls on the religion and culture of the Uighurs have led to the violence.
Until Wednesday, Microsoft had rejected the idea of explicit warnings about state-sponsored hacking, such as those Google Inc began in 2012, the former employees said. In the 2011 case, the company also opted not to send a more generic warning about hacking. Yahoo Inc and Facebook Inc have been issuing such warnings for several years, former employees of those companies told Reuters, including when the principal suspect was a government.
Both companies, along with Twitter Inc, announced in recent months that they would follow Google's lead and explicitly notify users about suspected state-sponsored hacking.
Google said on average it now issues tens of thousands of warnings about targeting every few months, and that recipients often move to improve their security with two-factor authentication and other steps.
Reuters interviewed five of the Hotmail hacking victims that were identified as part of Microsoft's investigation: two Uighur leaders, a senior Tibetan figure and two people in the media dealing with matters of interest to Chinese officials.
Most recalled the password resets, but none took the procedure as an indication that anyone had read his or her email, let alone that it may have been accessed by the Chinese government.
"I thought it was normal, everybody gets it," said one of the men, a Uighur émigré now living in Europe who asked not to be named because he left family behind in China.
Another victim identified by Microsoft's internal team was Tseten Norbu of Nepal, a former president of the Tibetan Youth Congress, one of the more outspoken members of a community that has frequently clashed with Chinese officials. Another Microsoft-identified victim was Tumturk, the World Uyghur Congress vice president who lives in Turkey.
Microsoft investigators also saw that emails had been forwarded from the account of Peter Hickman, a former American diplomatic officer who arranged high-profile speeches by international figures at the National Press Club in Washington for many years.
Hickman said he used his Hotmail account on Press Club computers to correspond with people, including the staff for the Tibetan government in exile, whose leader Lobsang Sangay spoke at the club in 2011; Tumturk's World Uyghur Congress, whose then-president Rebiya Kadeer spoke in 2009; and the president of Taiwan, who spoke by video link-up in 2007.
Hickman said he didn't recall the password reset. He said he never suspected anything was wrong with the account, which he continues to use.
(Reporting by Joseph Menn; Additional reporting by Humeyra Pamuk<http://blogs.reuters.com/search/journalist.php?edition=us&n=humeyra.pamuk&> in Istanbul and Sui-Lee Wee<http://blogs.reuters.com/search/journalist.php?edition=us&n=suilee.wee&> in Beijing; Editing by Jonathan Weber and Martin Howell<http://blogs.reuters.com/search/journalist.php?edition=us&n=martin.howell&>)
…from:
http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-chrom…
Google slams AVG for exposing Chrome user data with “security” plugin
AVG AntiVirus "force-installed" Chrome plugin that left browsing data vulnerable.
by Sean Gallagher<http://arstechnica.com/author/sean-gallagher/> - Dec 30, 2015 10:27am CST
Safer browsing... except someone can watch everything you search?
A free plugin installed by AVG AntiVirus bypassed the security of Google's Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google's security research discussion list<https://code.google.com/p/google-security-research/issues/detail?id=675>.
AVG's "Web TuneUp" tool<https://chrome.google.com/webstore/detail/avg-web-tuneup/chfdnecihphmhljaae…> is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was "force-installed" by AVG AntiVirus. The install, an "in-line" installation, happened only with user permission, but was performed in a way that broke the security checks Chrome uses to test for malicious plugins and malware.
The plugin works by sending the Web addresses of sites visited by the user to AVG's servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting [XSS], according to a post by Google Security researcher Tavis Ormandy on December 15.
"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote. "The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."
Ormandy attached a proof-of-concept exploit that stole the authentication cookies from AVG's website, which "also exposes browsing history and other personal data to the internet." Ormandy added, "I wouldn't be surprised if it's possible to turn this into arbitrary code execution."
Ormandy then sent what he described as an "angry e-mail" to AVG about the bugs. "Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users," he wrote to AVG. "The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [Potentially unwanted Program]. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page."
AVG's developers quickly turned around a fix, but all it did was try to "whitelist" requests from hosts whose name contained the string "avg.com". Because that was a substring match on the hostname rather than a check of the real origin, an attacker-controlled host with avg.com in its name (the example in Ormandy's response was https://www.avg.com.www.attacker.com) could still pass as an AVG server, and because the whitelist did not distinguish secure from insecure connections, an attacker in a man-in-the-middle position could still pass malicious JavaScript back to a victim. And, as Ormandy noted, "Any XSS on avg.com can be used to compromise Chrome users"; a quick search of AVG's sites found plenty of opportunity for such attacks.
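As an added illustration (example code written for this digest, not AVG's extension and not Ormandy's proof of concept), here is the substring-style host check described above next to a check that parses the URL, requires https and matches the host on a label boundary. TRUSTED_HOST is avg.com as in the article; the bypass URL is the one from Ormandy's response, and the other hostnames are constructed for the demonstration.

```javascript
// Added example contrasting a substring "whitelist" with an origin check.
// Not AVG's code. Hostnames other than avg.com and the attacker example from
// the article are constructed for illustration.

const TRUSTED_HOST = "avg.com"; // the host the extension meant to trust

// Broken check: "does the hostname contain avg.com anywhere?"
// Accepts www.avg.com.www.attacker.com, notavg.com and plain-http avg.com.
function isTrustedBroken(urlString) {
  const url = new URL(urlString);
  return url.hostname.includes(TRUSTED_HOST);
}

// Hardened check: parse with the platform URL parser, require https so a
// network attacker cannot impersonate the host, and accept only the exact
// host or a proper subdomain (the "." enforces the label boundary).
function isTrustedStrict(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable input is never trusted
  }
  if (url.protocol !== "https:") return false;
  const host = url.hostname.toLowerCase();
  return host === TRUSTED_HOST || host.endsWith("." + TRUSTED_HOST);
}

// Constructed sample origins: the legitimate site, the bypass from the
// article, a plain-HTTP variant, and other lookalikes.
const SAMPLE_ORIGINS = [
  "https://www.avg.com/some/page",
  "https://www.avg.com.www.attacker.com/",
  "http://www.avg.com/",
  "https://avg.com.evil.example/",
  "https://notavg.com/",
  "https://attacker.example/?q=avg.com",
];

// Run both checks over a list of origins.
function evaluate(origins = SAMPLE_ORIGINS) {
  return origins.map((origin) => ({
    origin,
    broken: isTrustedBroken(origin),
    strict: isTrustedStrict(origin),
  }));
}

// Origins the substring check lets through that the strict check rejects.
function bypasses(origins = SAMPLE_ORIGINS) {
  return evaluate(origins)
    .filter((r) => r.broken && !r.strict)
    .map((r) => r.origin);
}

console.log(JSON.stringify(evaluate(), null, 2));
console.log("bypasses of the substring check:", bypasses());
```

The last sample origin carries avg.com only in the query string and is rejected by both checks, which shows that the substring match was at least scoped to the hostname; the problem was that "contains avg.com" says nothing about who controls the host or whether the connection can be tampered with.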
As of December 28, AVG had completed a more secure patch, but installations of the plugin were still frozen while Google's Chrome Web Store team investigated possible policy violations by AVG—violations that could get AVG kicked off the Chrome Store completely.
Update: A Google spokesperson contacted Ars to clarify the nature of the freeze on AVG's plugin. The block on AVG's usage of inline installation<https://developer.chrome.com/webstore/inline_installation> has no effect on the extension update process, so users with the AVG extension installed should have automatically received the updated version, as with any routine update.
An AVG spokesperson sent a statement to Ars, claiming that the Web TuneUp Chrome extension is "offered as an option, not forcibly or automatically installed. Installation only begins once the customer has initiated the process and confirmed acceptance in Chrome—a double opt-in." The spokesperson added, "There is no auto-installation of Google Chrome extensions; the “inline” option allows third parties to offer installation from their own site or product, rather than requiring customers to visit the Chrome Store. We fixed the reported vulnerability just prior to the holidays and do not expect Google to confirm the availability of inline installation until early next year. In the meantime, anyone wishing to install the extension may easily do so from the Chrome Store.”
…from:
http://www.nytimes.com/2015/12/22/world/europe/apple-pushes-against-british…
Apple Pushes Against British Talk of Softening Encryption
By DAVID E. SANGER<http://topics.nytimes.com/top/reference/timestopics/people/s/david_e_sanger…> DEC. 21, 2015
WASHINGTON — With governments threatening crackdowns on encrypted communications after the jihadist-inspired attacks in San Bernardino, Calif., and Paris, Apple<http://topics.nytimes.com/top/news/business/companies/apple_computer_inc/in…> on Monday pushed back hard, arguing that lawmakers who talk about gaining court-ordered access to iPhone communications do not understand the technology.
“The best minds in the world cannot rewrite the laws of mathematics,” the company told the British Parliament, submitting formal comments on a proposed law<https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/4…> that would require the company to supply a way to break into the iMessage and FaceTime conversations of iPhone users.
“We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat,” Apple wrote.
Apple’s statement came as questions about encryption — considered an arcane component of cybersecurity just a few months ago — have become a central issue in the American presidential campaign.
Twice<http://www.nytimes.com/2015/12/07/us/politics/hillary-clinton-islamic-state…> in<http://www.nytimes.com/2015/12/16/us/politics/hillary-clinton-calls-on-tech…> the past three weeks, Hillary Clinton<http://www.nytimes.com/interactive/2016/us/elections/hillary-clinton-on-the…>, the leading contender for the Democratic nomination, according to polls, has urged Silicon Valley companies to work with Washington to find a way out of their standoff over encrypted communications.
Republican candidates have almost all called for giving intelligence and law enforcement agencies the kind of access to text messages and data stored on cellphones that they have long enjoyed with telecommunications providers, like AT&T and Verizon. Congress is calling for hearings, and there is talk of legislation, though it seems unlikely to include the kind of demands for access that Britain<http://topics.nytimes.com/top/news/international/countriesandterritories/un…>’s prime minister, David Cameron, advocates.
The arguments made by Apple are not new, but the political context is. In the aftermath of the two most recent terrorist attacks, the political pendulum has swung away from protecting privacy — the direction Europe was moving after Edward J. Snowden, the former intelligence contractor, leaked classified documents on government surveillance — and more toward law enforcement.
The technology companies argue that although the political winds may be changing, the technological challenge has not: To create an opening for government investigators is to also create a vulnerability that Chinese, Iranian, Russian or North Korean hackers could exploit.
Mrs. Clinton rejected that argument recently, arguing that if the companies wanted to put their best minds to the problem, they would solve it.
But in the British filing, and in an interview<http://www.cbsnews.com/news/60-minutes-apple-tim-cook-charlie-rose/> on “60 Minutes” on Sunday, Apple’s chief executive, Tim Cook, argued that politicians calling for such access do not understand the damage they would cause.
So far, Mr. Cook still has a partial ally in President Obama. The White House determined in October that, despite a recommendation from the F.B.I. to put forward legislation requiring access to encrypted communications, it would not seek legal changes. That rankled the F.B.I. director, James B. Comey, who has long warned about the “going dark” problem, and offered up evidence<http://www.nytimes.com/2015/12/10/us/politics/fbi-chief-says-texas-gunman-u…> a week ago that an attack in Texas this year had been plotted over encrypted text messages, which he said investigators still could not crack.
Apple pushed back on Mr. Comey’s arguments in its submission to the British government. “Some would portray this as an all-or-nothing proposition for law enforcement,” it wrote. “Nothing could be further from the truth. Law enforcement today has access to more data — data which they can use to prevent terrorist attacks, solve crimes and help bring perpetrators to justice — than ever before in the history of our world.”
That data, many experts say, includes phone “metadata” about who is calling whom, GPS coordinates for individuals, and access to unencrypted data stored on so-called cloud services. But the arguments in Britain and the United States have focused largely on systems designed by Apple and its competitors, including Google and Microsoft, that automatically encrypt data exchanges, and put the keys to those communications into the hands of the users, not the companies.
Apple contended that if Britain went ahead with its legal changes, the company, and its competitors, may find themselves violating American laws to comply with British law — or vice versa. “This would immobilize substantial portions of the tech sector and spark serious international conflicts,” it argued.
Correction: December 22, 2015
An earlier version of this article used an outdated name for iPhone messaging software. It is iMessage, not iChat.
…from:
http://arstechnica.com/information-technology/2015/12/thunderbird-a-tax-on-…
https://groups.google.com/forum/#!topic/mozilla.governance/kAyVlhfEcXg
Thunderbird “a tax” on Firefox development, and Mozilla wants to drop it
Thunderbird is already low on its priority list; Mozilla wants to spin it off.
by Andrew Cunningham<http://arstechnica.com/author/andrew_cunningham/> - Dec 1, 2015 9:41am CST
Mozilla would like to drop Thunderbird from its list of projects.
You might know Mozilla primarily for its Firefox browser, but for many years the company has also developed an e-mail client called Thunderbird. The two projects use the same rendering engine and other underlying technology, but Mozilla Executive Chairwoman Mitchell Baker has announced<https://groups.google.com/forum/#!topic/mozilla.governance/kAyVlhfEcXg> that Mozilla would like to stop supporting Thunderbird, calling its continuing maintenance "a tax" on the more important work of developing Firefox.
"Many inside of Mozilla, including an overwhelming majority of our leadership, feel the need to be laser-focused on activities like Firefox that can have an industry-wide impact," Baker writes. "With all due respect to Thunderbird and the Thunderbird community, we have been clear for years that we do not view Thunderbird as having this sort of potential."
Mozilla doesn't plan to drop Thunderbird immediately, however—the current maintenance schedule will continue, and Thunderbird users can continue to use the product. But the end goal for Mozilla, according to Baker, is to find "the right kind of legal and financial home" for the Thunderbird project, and "[separate] itself from reliance on Mozilla development systems and in some cases, Mozilla technology." In other words, the company would like to give Thunderbird to people who will take care of it, freeing the Firefox team from having to worry about it.
Mozilla's recent support for Thunderbird has been limited—it still receives security updates and basic changes imported from Firefox, but adding major features hasn't been a priority for Mozilla for several years now<http://techcrunch.com/2012/07/06/so-thats-it-for-thunderbird/> despite some efforts from the development community<https://blog.mozilla.org/thunderbird/2014/11/thunderbird-reorganizes-at-201…>. In fact, Thunderbird is currently only updated on Mozilla's "extended support release<http://arstechnica.com/business/2012/01/firefox-extended-support-will-mitig…>" (ESR) schedule, originally implemented to help IT managers deal with Firefox and Thunderbird's then-new rapid-release cycle.