…from:
http://www.macworld.com/article/3027473/security/oracle-is-planning-to-kill…
https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free
Migration options: http://www.oracle.com/technetwork/java/javase/migratingfromapplets-2872444.…
Oracle's killing a favorite security hole for attackers: the Java browser plug-in
Lucian Constantin<http://www.macworld.com/author/Lucian-Constantin/>
IDG News Service
* Jan 28, 2016 4:26 AM
Oracle will retire the Java browser plug-in, frequently the target of Web-based exploits, about a year from now. Remnants, however, will likely linger long after that.
“Oracle plans to deprecate the Java browser plugin in JDK 9,” the Java Platform Group said in a blog post<https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free> Wednesday. “This technology will be removed from the Oracle JDK and JRE in a future Java SE release.”
The Java Development Kit (JDK) 9, the reference implementation for the next version of Java SE, is expected to reach general availability<http://openjdk.java.net/projects/jdk9/> in March 2017. By then, however, most modern browsers will no longer accept the Java browser plug-in anyway.
Mozilla announced in October that it plans to remove support for plug-ins<https://blog.mozilla.org/futurereleases/2015/10/08/npapi-plugins-in-firefox/> in Firefox by the end of 2016. Chrome disabled support in September for plug-ins that, like Java and Silverlight, use the old Netscape Plugin Application Programming Interface (NPAPI) standard. Microsoft’s Edge browser doesn’t support plug-ins either.
With Internet Explorer and Safari the only browsers set to still accept traditional NPAPI plug-ins after 2016, Oracle is pretty much forced into this decision, even though Chrome does support a new plug-in technology called PPAPI (Pepper Plug-in API).
“Oracle does not plan to provide additional browser-specific plugins as such plugins would require application developers to write browser-specific applets for each browser they wish to support,” the company said in a white paper<http://www.oracle.com/technetwork/java/javase/migratingfromapplets-2872444.…> that outlines migration options for developers. “Moreover, without a cross-browser API, Oracle would only be able to offer a subset of the required functionality, different from one browser to the next, impacting both application developers and users.”
The main alternative proposed by the company is to switch from Java Applets to Java Web Start applications. This type of application can be launched from the Web without the need for a browser plug-in.
From a security perspective though, Java Web Start applications can be used as an attack vector for exploiting vulnerabilities in the Java runtime, just like Applets.
Even after the Java plug-in is retired, it’s likely that many computers will continue to have it installed for years to come. This is especially true in business environments where custom built Web-based Java applications are common and cannot be easily replaced or rewritten.
Even now, for application compatibility reasons, there’s a large number of computers in business environments that continue to use Java 6 or Java 7, versions that no longer receive public security updates.
[Kurt Schmucker - currently works for PARALLELS software; used to be Senior Evangelist for Microsoft's Mac Business Unit - compares Microsoft Office for OS X, iPad, and Windows]
…from:
http://9to5mac.com/2016/01/21/windows-mac-ipad-microsoft-office-comparison/
Comparison breaks down all the missing features in Office for Mac & iPad vs Windows<http://9to5mac.com/2016/01/21/windows-mac-ipad-microsoft-office-comparison/>
Jordan Kahn<http://9to5mac.com/author/jordankahn/>
This comparison of the differences between Microsoft Office on Mac, Windows, and iOS devices was put together by Kurt Schmucker who (disclaimer) works for Parallels<http://blog.parallels.com/author/kschmuckerparallels-com/> — the company that makes slick virtual machine apps for running Windows and other operating systems on Mac<http://www.anrdoezrs.net/click-5781858-12310291-1446142151000> — but he also happens to know a thing or two about the subject after his previous role as Senior Mac Evangelist at Microsoft and on the Office team<http://9to5mac.com/2010/09/28/official-office-for-mac-available-october-26/>. So what exactly is missing on Mac and iOS devices compared to Windows when it comes to the Office suite?
In the charts below, Schmucker breaks down feature-by-feature exactly what you get (and don’t get) in each of the different versions of the productivity suite including Office 2016 and 2013 for Windows, Office 2016 and 2011 for Mac, and Office for iPad<http://9to5mac.com/2016/01/21/microsoft-3d-touch-iphone-6s-apple-pencil-ipa…>.
The full charts (below) show suite-wide differences between the versions such as missing apps, lack of support for Visual Basic and ActiveX, right-to-left language support, accessibility features, AppleScript and much more. Other charts in the study show feature variations for Word, Excel, PowerPoint, and Outlook, with the majority of the features listed unavailable for iPad users and a mixed bag for the other versions.
[Microsoft-Office-Comparison-Parallels-02]
Schmucker points out two things regarding the iPad specifically. One positive is support for right-to-left languages, which he notes is something Mac users have been asking for but have yet to receive; a negative for the iPad is the lack of multiple-selection support in PowerPoint, which Schmucker notes is a basic but crucial function for the app.
In the end, he concludes that a mix of the various Office suites is the best approach but admits that his main, go-to version is MacOffice 2011 (apart from using the latest version of Outlook due to enhanced performance):
“I worked for the MacOffice team at Microsoft for several years, and at that time I also worked closely with colleagues on the WinOffice teams. Because of this background, I am often able to pick just the right Office app that will make a given task the easiest to do. One task might be particularly well suited to MacWord 2011 because Publishing Layout View — a feature only in that one Word version — will make this task easy. Another task might be suited to WinPPT because of the Animation Painter, which is not in any MacPPT version. Yet another task might be best suited to WinPPT 2013 because it needs an Office extension not available in other Office suites.”
[Full-size comparison charts (Microsoft-Office-Comparison-Parallels-03 through -06) are available in the 9to5mac article linked above.]
The Dow Jones Industrial Average has dropped about 2,000 points over the past year, from around 18,000 to around 16,000; about an 11% drop.
[search "dow jones industrial” on google]
Apple's stock price has dropped from about $110 a year ago to around $98 today; about a 10.9% drop.
[search “apple stock” on Google]
Oil has dropped from a high of about $100 to $110 a barrel to around $28 today; roughly a 75% drop.
http://www.nasdaq.com/markets/crude-oil.aspx?timeframe=5y
USA Today's headline reads: "Apple stock destroys $218B: How low can it go?"
http://www.usatoday.com/story/money/markets/2016/01/15/apple-stock-destroys…
Apple stock destroys $218B: How low can it go?
Stocks plummeted Friday as oil prices, which were already at a 12-year low, fell below $30 a barrel.
Matt Krantz<http://www.usatoday.com/staff/1035/matt-krantz/>, USA TODAY 8:59 p.m. EST January 15, 2016
Apple (AAPL<safari-reader://www.usatoday.com/money/lookup/stocks/aapl/>) is the poster child of this market crash. It took a market meltdown to help expose just how overvalued the stock was. The question is how much lower can it fall.
Shares of the gadget maker closed down another $2.47, or 2.5%, to $97.05 Friday — capping off what's been a breathtaking 28% decline from the stock's high last year. Apple's fall will go down as one of the biggest wealth destroyers in recent market history - shredding $218 billion in market value from the market's high on May 21, 2015 adjusted for stock buybacks. That's more than the entire market value of roughly 485 stocks individually in the Standard & Poor's 500.
Apple is the most widely held stock by consumers — so it is the market to many. By that measure, Apple's shares are a disaster amid this latest market downturn. Apple — by far — has accounted for more of the market value lost in this market decline than any other. Energy pipeline company Kinder Morgan (KMI<safari-reader://www.usatoday.com/money/lookup/stocks/KMI/>) is the second biggest wealth destroyer — but it only wiped out $63.5 billion from the high.
The question now is how much lower Apple shares can go. Here are some ways to think about that:
► $92: Apple's previous intraday low. Shares of Apple plunged to $92 a share on an intraday basis back in August during a market malfunction. Many investors are hoping this previous freak-out low will hold.
► $77: The pattern of where Apple shares have crashed before. The last time investors worried about slowing smartphone growth sent the stock down 43% between Sept. 2012 and June 2013. If Apple drops from its $134.54 high to the same degree, that would put the shares at $77.
► $39.65: This could be something of a worst-case scenario. Apple investors like to say Apple is cheap because it trades for 11 times its diluted trailing earnings. There's just one problem — Apple is a giant hardware company. Large hardware companies tend to have low multiples. There's really only one decent publicly traded large hardware company left: HP (HPQ<safari-reader://www.usatoday.com/money/lookup/stocks/HPQ/>). HP, a seller of computer hardware, trades for 4.3 times trailing earnings. That same multiple applied to Apple would give it a stock price of $39.65. Growth mutual funds, like American Funds Capital World Growth & Income Fund and Hartford Capital Appreciation Fund, have slashed their holdings in Apple over the past six months, seeing signs that the company's rapid growth is stalling, according to Reuters.
To be sure, while analysts are worried smartphone sales are mature and slowing, that's a far cry from the state of the personal computer or printer market HP is competing in. HP is expected to grow just 3.5% a year over the next five years. That's a fraction of the 13.3% long-term growth analysts expect from Apple, says S&P Capital IQ.
These scary scenarios may never come to pass. Analysts remain bullish on the stock — despite signs of a slowdown — and are calling it a buying opportunity. Analysts have an average 18-month price target on Apple at $142.91, says S&P Capital IQ. If correct that would be a staggering upside.
Meanwhile, Apple is sitting on more than $200 billion in cash and investments. Even if you strip out the company's debt, the company still has a tangible book value a share of $19.78. That means Apple is trading for just about 5 times tangible book value — which is a discount to the average 11.2 price to book value of companies in the S&P 500. If Apple were to trade at that multiple, it would be worth $221 a share.
There's no question Apple was overvalued - given the historic decline in its value. But the question now is what is the right price? Given the huge range of possibilities - you can understand why Apple has become the ultimate battleground stock.
Matt Krantz on Twitter: @mattkrantz<https://twitter.com/mattkrantz>.
…from:
http://arstechnica.com/security/2016/01/linux-bug-imperils-tens-of-millions…
Linux bug imperils tens of millions of PCs, servers, and Android phones
Vulnerability allows restricted users and apps to gain unfettered root access.
by Dan Goodin<http://arstechnica.com/author/dan-goodin/> - Jan 19, 2016 1:16pm CST
For almost three years, millions of servers and smaller devices running Linux have been vulnerable to attacks that allow an unprivileged app or user to gain nearly unfettered root access. Major Linux distributors are expected to fix the privilege escalation bug this week, but the difficulty of releasing updates for Android handsets and embedded devices means many people may remain susceptible for months or years.
The flaw, which was introduced into the Linux kernel in version 3.8 released in early 2013, resides in the OS keyring. The facility allows apps to store encryption keys, authentication tokens, and other sensitive security data inside the kernel while remaining in a form that can't be accessed by other apps. According to a blog post published Tuesday<http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-…>, researchers from security firm Perception Point discovered and privately reported the bug to Linux kernel maintainers. To demonstrate the risk the bug posed, the researchers also developed a proof-of-concept exploit that replaces a keyring object stored in memory with code that's executed by the kernel.
The vulnerability is notable because it's exploitable in a wide array of settings. On servers, people with local access can exploit it to achieve complete root access. On smartphones running Android versions KitKat and later, it can allow a malicious app to break out of the normal security sandbox to gain control of underlying OS functions. It can also be exploited on devices and appliances running embedded versions of Linux. While security mitigations such as supervisor mode access prevention<https://lwn.net/Articles/517475/> and supervisor mode execution protection<https://en.wikipedia.org/wiki/Control_register> are available for many servers, and security enhanced Linux<https://en.wikipedia.org/wiki/Security-Enhanced_Linux> built into Android can make exploits harder, there are still ways to bypass those protections.
"As of the date of disclosure, this vulnerability has implications for approximately tens of millions of Linux PCs and servers, and 66 percent of all Android devices (phones/tablets)," Perception Point researchers wrote. "While neither we nor the Kernel security team have observed any exploit targeting this vulnerability in the wild, we recommend that security teams examine potentially affected devices and implement patches as soon as possible."
While malware distributors have focused most of their resources over the years on infecting computers running Microsoft Windows, they have put increased focus on attacking competing OSes. In 2014, for instance, researchers uncovered a powerful Linux trojan that may have remained undetected for years<http://arstechnica.com/security/2014/12/powerful-highly-stealthy-linux-troj…> as it siphoned sensitive data from government agencies and pharmaceutical companies. A vulnerability like the one reported by Perception Point can be the means for surreptitiously installing such malware. The bug is indexed as CVE-2016-0728. Major Linux distributions are expected to make fixes available as early as Tuesday.
…from:
http://www.reuters.com/article/us-microsoft-china-insight-idUSKBN0UE01Z2016…
Microsoft failed to warn victims of Chinese email hack: former employees
SAN FRANCISCO | BY JOSEPH MENN<http://blogs.reuters.com/search/journalist.php?edition=us&n=josephmenn&>
[An electronic Microsoft logo is seen at the Microsoft store in New York City, July 28, 2015. REUTERS/Mike Segar]
Microsoft Corp experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company.
On Wednesday, after a series of requests for comment from Reuters, Microsoft said it would change its policy and in future tell its email customers when it suspects there has been a government hacking attempt. Microsoft spokesman Frank Shaw said the company was never certain of the origin of the Hotmail attacks.
The company also confirmed for the first time that it had not called, emailed or otherwise told the Hotmail users that their electronic correspondence had been collected. The company declined to say what role the exposure of the Hotmail campaign played in its decision to make the policy shift.
The first public signal of the attacks came in May 2011, though no direct link was immediately made with the Chinese authorities. That's when security firm Trend Micro Inc announced it had found an email sent to someone in Taiwan that contained a miniature computer program.
The program took advantage of a previously undetected flaw in Microsoft's own web pages to direct Hotmail and other free Microsoft email services to secretly forward copies of all of a recipient's incoming mail to an account controlled by the attacker.
Trend Micro found more than a thousand victims, and Microsoft patched the vulnerability before the security company announced its findings publicly.
Microsoft also launched its own investigation that year, finding that some interception had begun in July 2009 and had compromised the emails of top Uighur and Tibetan leaders in multiple countries, as well as Japanese and African diplomats, human rights lawyers and others in sensitive positions inside China, two former Microsoft employees said. They spoke separately and on the condition that they not be identified.
Some of the attacks had come from a Chinese network known as AS4808, which has been associated with major spying campaigns, including a 2011 attack on EMC Corp's security division RSA that U.S. intelligence officials publicly attributed to China. The SecureWorks report on that campaign is here<http://www.secureworks.com/cyber-threat-intelligence/threats/sindigoo/>.
Microsoft officials did not dispute that most of the attacks came from China, but said some came from elsewhere. They did not give further detail.
"We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country," the company said. "We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks."
In announcing the new policy, Microsoft said: "As the threat landscape has evolved our approach has too, and we'll now go beyond notification and guidance to specify if we reasonably believe the attacker is 'state-sponsored.'"
The Chinese government "is a resolute defender of cyber security and strongly opposes any forms of cyber attacks", Chinese Foreign Ministry spokesman Lu Kang said, adding that it punishes any offenders in accordance with the law.
"I must say that if the relevant party has some real and conclusive evidence, then it can carry out mutually beneficial cooperation with China in a constructive way in accordance with the existing channels," Lu said at a daily news briefing.
"But if there's the frequent spreading of unfounded rumors, it will, in fact, be of no benefit to solving the problem, enhancing mutual trust and promoting cyber security."
The Cyberspace Administration of China did not respond to a request for comment.
INTERNAL DEBATE
After a vigorous internal debate in 2011 that reached Microsoft's top security official, Scott Charney, and its then-general counsel and now president, Brad Smith, the company decided not to alert the users clearly that anything was amiss, the former employees said. Instead, it simply forced users to pick new passwords without disclosing the reason.
The employees said it was likely the hackers by then had footholds in some of the victims' machines and therefore saw those new passwords being entered.
One of the reasons Microsoft executives gave internally in 2011 for not issuing explicit warnings was their fear of angering the Chinese government, two people familiar with the discussions said.
Microsoft's statement did not address the specific positions advocated by Smith and Charney. A person familiar with the executives' thinking said that fear of Chinese reprisals did play a role given the company's concerns about the potential impact on customers.
Microsoft said the company had believed the password resets would be the fastest way to restore security to the accounts.
"Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset," the statement said.
It is unclear what happened to the email users and their correspondents as a result of Microsoft's failure to alert them to the suspected government hacking. But some of those affected said they were now deeply worried about the risks, especially for those inside China.
"The Internet service providers and the email providers have an ethical and a moral responsibility to let the users know that they are being hacked," said Seyit Tumturk, vice president of the World Uyghur Congress, whose account was among those compromised. "We are talking in people's lives here."
HUNDREDS OF LIVES
Unrest in Xinjiang, the Chinese region bordering Kazakhstan that is home to many Uighurs, has cost hundreds of lives in recent years. Beijing blames Islamist militants, while human rights groups say harsh controls on the religion and culture of the Uighurs have led to the violence.
Until Wednesday, Microsoft had rejected the idea of explicit warnings about state-sponsored hacking, such as those Google Inc began in 2012, the former employees said. In the 2011 case, the company also opted not to send a more generic warning about hacking. Yahoo Inc and Facebook Inc have been issuing such warnings for several years, former employees of those companies told Reuters, including when the principal suspect was a government.
Both companies, along with Twitter Inc, announced in recent months that they would follow Google's lead and explicitly notify users about suspected state-sponsored hacking.
Google said on average it now issues tens of thousands of warnings about targeting every few months, and that recipients often move to improve their security with two-factor authentication and other steps.
Reuters interviewed five of the Hotmail hacking victims that were identified as part of Microsoft's investigation: two Uighur leaders, a senior Tibetan figure and two people in the media dealing with matters of interest to Chinese officials.
Most recalled the password resets, but none took the procedure as an indication that anyone had read his or her email, let alone that it may have been accessed by the Chinese government.
"I thought it was normal, everybody gets it," said one of the men, a Uighur émigré now living in Europe who asked not to be named because he left family behind in China.
Another victim identified by Microsoft's internal team was Tseten Norbu of Nepal, a former president of the Tibetan Youth Congress, one of the more outspoken members of a community that has frequently clashed with Chinese officials. Another Microsoft-identified victim was Tumturk, the World Uyghur Congress vice president who lives in Turkey.
Microsoft investigators also saw that emails had been forwarded from the account of Peter Hickman, a former American diplomatic officer who arranged high-profile speeches by international figures at the National Press Club in Washington for many years.
Hickman said he used his Hotmail account on Press Club computers to correspond with people, including the staff for the Tibetan government in exile, whose leader Lobsang Sangay spoke at the club in 2011; Tumturk's World Uyghur Congress, whose then-president Rebiya Kadeer spoke in 2009; and the president of Taiwan, who spoke by video link-up in 2007.
Hickman said he didn't recall the password reset. He said he never suspected anything was wrong with the account, which he continues to use.
(Reporting by Joseph Menn; Additional reporting by Humeyra Pamuk<http://blogs.reuters.com/search/journalist.php?edition=us&n=humeyra.pamuk&> in Istanbul and Sui-Lee Wee<http://blogs.reuters.com/search/journalist.php?edition=us&n=suilee.wee&> in Beijing; Editing by Jonathan Weber and Martin Howell<http://blogs.reuters.com/search/journalist.php?edition=us&n=martin.howell&>)