…from:
http://arstechnica.com/security/2015/12/google-slams-avg-for-exposing-chrom…
Google slams AVG for exposing Chrome user data with “security” plugin
AVG AntiVirus "force-installed" Chrome plugin that left browsing data vulnerable.
by Sean Gallagher<http://arstechnica.com/author/sean-gallagher/> - Dec 30, 2015 10:27am CST
Safer browsing... except someone can watch everything you search?
A free plugin installed by AVG AntiVirus bypassed the security of Google's Chrome browser, potentially exposing the browsing histories and other personal data of customers to the Internet. The vulnerability, demonstrated in an exploit by a Google researcher earlier this year, has now been patched after initial stumbling attempts by AVG, according to a discussion of the bug in Google's security research discussion list<https://code.google.com/p/google-security-research/issues/detail?id=675>.
AVG's "Web TuneUp" tool<https://chrome.google.com/webstore/detail/avg-web-tuneup/chfdnecihphmhljaae…> is a free download from the Chrome Store intended to provide reputation-based protection against malicious websites, and it was "force-installed" by AVG AntiVirus. The install, an "in-line" installation, happened only with user permission, but was performed in a way that broke the security checks Chrome uses to test for malicious plugins and malware.
The plugin works by sending the Web addresses of sites visited by the user to AVG's servers to check them against a database of known malicious sites. But the way the plugin was constructed meant that information could be easily exploited by an attacker through cross-site scripting [XSS], according to a post by Google Security researcher Tavis Ormandy on December 15.
"This extension adds numerous JavaScript API's to Chrome, apparently so that they can hijack search settings and the new tab page," Ormandy wrote. "The installation process is quite complicated so that they can bypass the chrome malware checks, which specifically tries to stop abuse of the extension API. Anyway, many of the API's are broken."
Ormandy attached a proof-of-concept exploit that stole the authentication cookies from AVG's website, which "also exposes browsing history and other personal data to the internet." Ormandy added, "I wouldn't be surprised if it's possible to turn this into arbitrary code execution."
Ormandy then sent what he described as an "angry e-mail" to AVG about the bugs. "Apologies for my harsh tone, but I'm really not thrilled about this trash being installed for Chrome users," he wrote to AVG. "The extension is so badly broken that I'm not sure whether I should be reporting it to you as a vulnerability, or asking the extension abuse team to investigate if it's a PuP [Potentially unwanted Program]. Nevertheless, my concern is that your security software is disabling web security for 9 million Chrome users, apparently so that you can hijack search settings and the new tab page."
AVG's developers quickly turned around a fix, but all it did was try to "whitelist" requests only from hosts that contained the string "avg.com" in their name. Malicious websites that used avg.com in their names (such as the example provided on Ormandy's response, https://www.avg.com.www.attacker.com) could still spoof the AVG servers, and attackers could still use a man-in-the-middle attack to pass malicious JavaScript back to a victim—regardless of whether the connection was secure or not. And, as Ormandy noted, "Any XSS on avg.com can be used to compromise Chrome users"—a quick search of AVG's sites found plenty of opportunity for such attacks.
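The whitelist failure described above, shown as an added example that is not code from the article, from AVG or from Google: a JavaScript comparison of a "host name contains avg.com" check against a strict allow-list of exact origins. The ALLOWED_ORIGINS set, the function names and the sample URLs are assumptions constructed for illustration; the second sample URL has the same shape as the bypass quoted from Ormandy's response.

```javascript
// Added example, not code from the article, AVG or Google. The
// allow-list entries, function names and sample URLs are constructed
// for illustration only.

// Hypothetical allow-list of exact origins (scheme + host + port) that
// are permitted to reach a privileged API.
const ALLOWED_ORIGINS = new Set(["https://www.avg.com"]);

// Flawed check of the kind the article describes: the caller is accepted
// whenever its host name merely contains the string "avg.com".
function substringHostCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable URL: reject
  }
  return parsed.hostname.includes("avg.com");
}

// Hardened check: the URL must parse, must use https (so a network
// attacker cannot inject a response into a plaintext page), and its full
// origin must equal an allow-listed origin. No substring or suffix logic.
function strictOriginCheck(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false;
  }
  if (parsed.protocol !== "https:") return false;
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Constructed sample callers. Only the first is the genuine origin.
const SAMPLE_URLS = [
  "https://www.avg.com/",
  "https://www.avg.com.www.attacker.com/", // trusted name as a prefix
  "https://notavg.com/",                    // trusted name as a suffix
  "http://www.avg.com/",                    // right host, plaintext
  "https://www.avg.com:8443/",              // right host, wrong port
  "https://www.avg.com@attacker.example/",  // trusted name in userinfo
];

// Run both checks over the samples and collect the results side by side.
function compareChecks(urls) {
  return urls.map((url) => ({
    url,
    substring: substringHostCheck(url),
    strict: strictOriginCheck(url),
  }));
}

// Count callers the flawed check accepts but the strict one rejects.
function countFalseAccepts(urls) {
  return compareChecks(urls).filter((r) => r.substring && !r.strict).length;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of compareChecks(SAMPLE_URLS)) {
    console.log(`${r.url}\n  substring check: ${r.substring}\n  strict origin check: ${r.strict}`);
  }
  console.log(`false accepts by substring check: ${countFalseAccepts(SAMPLE_URLS)}`);
}
```

Run with `node` to see the table; four of the six constructed callers pass the substring check and fail the strict one. Note the caveat the article itself raises: an exact-origin allow-list still trusts everything served from the allowed origin, so the "any XSS on avg.com" point stands, and the stronger design is to not expose privileged extension APIs to web content at all.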
As of December 28, AVG had completed a more secure patch, but installations of the plugin were still frozen while Google's Chrome Web Store team investigated possible policy violations by AVG—violations that could get AVG kicked off the Chrome Store completely.
Update: A Google spokesperson contacted Ars to clarify the nature of the freeze on AVG's plugin. The block on AVG's usage of inline installation<https://developer.chrome.com/webstore/inline_installation> has no effect on the extension update process, so users with the AVG extension installed should have automatically received the updated version, as with any routine update.
An AVG spokesperson sent a statement to Ars, claiming that the Web TuneUp Chrome extension is "offered as an option, not forcibly or automatically installed. Installation only begins once the customer has initiated the process and confirmed acceptance in Chrome—a double opt-in." The spokesperson added, "There is no auto-installation of Google Chrome extensions; the “inline” option allows third parties to offer installation from their own site or product, rather than requiring customers to visit the Chrome Store. We fixed the reported vulnerability just prior to the holidays and do not expect Google to confirm the availability of inline installation until early next year. In the meantime, anyone wishing to install the extension may easily do so from the Chrome Store.”
…from:
http://www.nytimes.com/2015/12/22/world/europe/apple-pushes-against-british…
Apple Pushes Against British Talk of Softening Encryption
By David E. Sanger<http://topics.nytimes.com/top/reference/timestopics/people/s/david_e_sanger…> - Dec. 21, 2015
WASHINGTON — With governments threatening crackdowns on encrypted communications after the jihadist-inspired attacks in San Bernardino, Calif., and Paris, Apple<http://topics.nytimes.com/top/news/business/companies/apple_computer_inc/in…> on Monday pushed back hard, arguing that lawmakers who talk about gaining court-ordered access to iPhone communications do not understand the technology.
“The best minds in the world cannot rewrite the laws of mathematics,” the company told the British Parliament, submitting formal comments on a proposed law<https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/4…> that would require the company to supply a way to break into the iMessage and FaceTime conversations of iPhone users.
“We believe it would be wrong to weaken security for hundreds of millions of law-abiding customers so that it will also be weaker for the very few who pose a threat,” Apple wrote.
Apple’s statement came as questions about encryption — considered an arcane component of cybersecurity just a few months ago — have become a central issue in the American presidential campaign.
Twice<http://www.nytimes.com/2015/12/07/us/politics/hillary-clinton-islamic-state…> in<http://www.nytimes.com/2015/12/16/us/politics/hillary-clinton-calls-on-tech…> the past three weeks, Hillary Clinton<http://www.nytimes.com/interactive/2016/us/elections/hillary-clinton-on-the…>, the leading contender for the Democratic nomination, according to polls, has urged Silicon Valley companies to work with Washington to find a way out of their standoff over encrypted communications.
Republican candidates have almost all called for giving intelligence and law enforcement agencies the kind of access to text messages and data stored on cellphones that they have long enjoyed with telecommunications providers, like AT&T and Verizon. Congress is calling for hearings, and there is talk of legislation, though it seems unlikely to include the kind of demands for access that Britain<http://topics.nytimes.com/top/news/international/countriesandterritories/un…>’s prime minister, David Cameron, advocates.
The arguments made by Apple are not new, but the political context is. In the aftermath of the two most recent terrorist attacks, the political pendulum has swung away from protecting privacy — the direction Europe was moving after Edward J. Snowden, the former intelligence contractor, leaked classified documents on government surveillance — and more toward law enforcement.
The technology companies argue that although the political winds may be changing, the technological challenge has not: To create an opening for government investigators is to also create a vulnerability that Chinese, Iranian, Russian or North Korean hackers could exploit.
Mrs. Clinton rejected that argument recently, arguing that if the companies wanted to put their best minds to the problem, they would solve it.
But in the British filing, and in an interview<http://www.cbsnews.com/news/60-minutes-apple-tim-cook-charlie-rose/> on “60 Minutes” on Sunday, Apple’s chief executive, Tim Cook, argued that politicians calling for such access do not understand the damage they would cause.
So far, Mr. Cook still has a partial ally in President Obama. The White House determined in October that, despite a recommendation from the F.B.I. to put forward legislation requiring access to encrypted communications, it would not seek legal changes. That rankled the F.B.I. director, James B. Comey, who has long warned about the “going dark” problem, and offered up evidence<http://www.nytimes.com/2015/12/10/us/politics/fbi-chief-says-texas-gunman-u…> a week ago that an attack in Texas this year had been plotted over encrypted text messages, which he said investigators still could not crack.
Apple pushed back on Mr. Comey’s arguments in its submission to the British government. “Some would portray this as an all-or-nothing proposition for law enforcement,” it wrote. “Nothing could be further from the truth. Law enforcement today has access to more data — data which they can use to prevent terrorist attacks, solve crimes and help bring perpetrators to justice — than ever before in the history of our world.”
That data, many experts say, includes phone “metadata” about who is calling whom, GPS coordinates for individuals, and access to unencrypted data stored on so-called cloud services. But the arguments in Britain and the United States have focused largely on systems designed by Apple and its competitors, including Google and Microsoft, that automatically encrypt data exchanges, and put the keys to those communications into the hands of the users, not the companies.
Apple contended that if Britain went ahead with its legal changes, the company, and its competitors, may find themselves violating American laws to comply with British law — or vice versa. “This would immobilize substantial portions of the tech sector and spark serious international conflicts,” it argued.
Correction: December 22, 2015
An earlier version of this article used an outdated name for iPhone messaging software. It is iMessage, not iChat.
…from:
http://arstechnica.com/information-technology/2015/12/thunderbird-a-tax-on-…
https://groups.google.com/forum/#!topic/mozilla.governance/kAyVlhfEcXg
Thunderbird “a tax” on Firefox development, and Mozilla wants to drop it
Thunderbird is already low on its priority list; Mozilla wants to spin it off.
by Andrew Cunningham<http://arstechnica.com/author/andrew_cunningham/> - Dec 1, 2015 9:41am CST
Mozilla would like to drop Thunderbird from its list of projects.
You might know Mozilla primarily for its Firefox browser, but for many years the company has also developed an e-mail client called Thunderbird. The two projects use the same rendering engine and other underlying technology, but Mozilla Executive Chairwoman Mitchell Baker has announced<https://groups.google.com/forum/#!topic/mozilla.governance/kAyVlhfEcXg> that Mozilla would like to stop supporting Thunderbird, calling its continuing maintenance "a tax" on the more important work of developing Firefox.
"Many inside of Mozilla, including an overwhelming majority of our leadership, feel the need to be laser-focused on activities like Firefox that can have an industry-wide impact," Baker writes. "With all due respect to Thunderbird and the Thunderbird community, we have been clear for years that we do not view Thunderbird as having this sort of potential."
Mozilla doesn't plan to drop Thunderbird immediately, however—the current maintenance schedule will continue, and Thunderbird users can continue to use the product. But the end goal for Mozilla, according to Baker, is to find "the right kind of legal and financial home" for the Thunderbird project, and "[separate] itself from reliance on Mozilla development systems and in some cases, Mozilla technology." In other words, the company would like to give Thunderbird to people who will take care of it, freeing the Firefox team from having to worry about it.
Mozilla's recent support for Thunderbird has been limited—it still receives security updates and basic changes imported from Firefox, but adding major features hasn't been a priority for Mozilla for several years now<http://techcrunch.com/2012/07/06/so-thats-it-for-thunderbird/> despite some efforts from the development community<https://blog.mozilla.org/thunderbird/2014/11/thunderbird-reorganizes-at-201…>. In fact, Thunderbird is currently only updated on Mozilla's "extended support release<http://arstechnica.com/business/2012/01/firefox-extended-support-will-mitig…>" (ESR) schedule, originally implemented to help IT managers deal with Firefox and Thunderbird's then-new rapid-release cycle.