2018-01-30

Security
  • These Weeks in Dev-Tools, issue 3
    These Weeks in Dev-Tools will keep you up to date with all the exciting dev tools news. We plan to have a new issue every few weeks. If you have any news you'd like us to report, please comment on the tracking issue.
  • These Weeks in Firefox: Issue 31
  • Understanding Extension Permission Requests
    An extension is software developed by a third party that modifies how you experience the web in Firefox. Since they work by tapping into the inner workings of Firefox, but are not built by Mozilla, it’s good practice to understand the permissions they ask for and how to make decisions about what to install. While rare, a malicious extension can do things like steal your data or track your browsing across the web without you realizing it. We have been taking steps to reduce the risk of extensions, the most significant of which was moving to a WebExtensions architecture with the release of Firefox 57 last fall. The new APIs limit an extension’s ability to access certain parts of the browser and the information they process. We also have a variety of security measures in place, such as a review process that is designed to make it difficult for malicious developers to publish extensions. Nevertheless, these systems cannot guarantee that extensions will be 100% safe.
  • Janitor project - Newsletter 10
    We hope you’ve had a smooth start into the year, and wish you all the best in your life and projects. This is your recurrent burst of good news about Janitor.
  • Switch from Chrome to Firefox in just a Few Minutes
    You’ve heard about how fast the new Firefox is. You’ve heard it’s made by people who want the web to be awesome for everyone. You like that, you’re curious to try, but you hesitate. Moving from Chrome to Firefox seems like work. Fussy, computer-y IT work. Ugh. “What about all my ‘stuff’? I don’t want to set all this up again.”

Glibc 2.27 and everything you didn't know about FSFE in a picture

  • Glibc 2.27 Released With Many Optimizations, Support For Static PIE Executables
    Being released right on time is Glibc 2.27, version 2.27 of the GNU C Library. As we have been covering the past few months, exciting us a lot about Glibc 2.27 are many performance optimizations, with a number of functions receiving AVX/FMA tuning and other performance tweaks, particularly for x86_64. There are also performance optimizations on the ARM64/AArch64 side, as well as for POWER and SPARC.
  • GNU C Library 2.27 released
    The GNU C Library version 2.27 is now available. The GNU C Library is used as *the* C library in the GNU system and in GNU/Linux systems, as well as many other systems that use Linux as the kernel.
  • Everything you didn't know about FSFE in a picture
    As FSFE's community begins exploring our future, I thought it would be helpful to start with a visual guide to the current structure. All the information I've gathered here is publicly available but people rarely see it in one place, hence the heading. There is no suggestion that anything has been deliberately hidden.

Proprietary Security: Adobe, Windows, and Patching Buggy Chips

  • An Adobe Flash 0day is being actively exploited in the wild

    The critical, use-after-free vulnerability, which is indexed as CVE-2018-4877, resides in the latest version of the widely installed Flash, researchers from Cisco Systems' Talos group said in a blog post. Adobe said separately that versions earlier than current Flash 28.0.0.137 are also susceptible. The vulnerability came to light on Wednesday when South Korea's CERT issued an advisory warning that attack code was circulating in the wild that exploited the zeroday flaw.

    Talos said the exploit is being distributed through a Microsoft Excel document that has a malicious Flash object embedded into it. Once the SWF object is triggered, it installs ROKRAT, a remote administration tool Talos has been tracking since January 2017. Until now, the group behind ROKRAT—which Talos calls Group 123—has relied on social engineering or exploits of older, previously known vulnerabilities that targets hadn't yet patched. This is the first time the group has used a zeroday exploit.

  • Cryptocurrency botnets are rendering some companies unable to operate

    Like Zealot, Smominru uses other exploit techniques to infect targeted computers, but it can fall back on the NSA-developed EternalBlue in certain cases, presumably for spreading from machine to machine inside infected networks or when other infection techniques fail on a machine that hasn't been patched. Smominru also makes use of the Windows Management Interface. Proofpoint said that the botnet is also likely exacting a punishing performance impact on the business networks it infects by slowing down servers and driving up electricity costs.

  • 6 important security takeaways from applying Spectre and Meltdown patches

    A flurry of patching commenced across all industries once these vulnerabilities came to light due to the severity involved. Here are seven important lessons I took away from the process: ...

DRM Stories

  • Catalog of Missing Devices Illustrates Gadgets that Could and Should Exist
    Bad Copyright Law Prevents Innovators from Creating Cool New Tools
    San Francisco - The Electronic Frontier Foundation (EFF) has launched its “Catalog of Missing Devices”—a project that illustrates the gadgets that could and should exist, if not for bad copyright laws that prevent innovators from creating the cool new tools that could enrich our lives. “The law that is supposed to restrict copying has instead been misused to crack down on competition, strangling a future’s worth of gadgets in their cradles,” said EFF Special Advisor Cory Doctorow. “But it’s hard to notice what isn’t there. We’re aiming to fix that with this Catalog of Missing Devices. It’s a collection of tools, services, and products that could have been, and should have been, but never were.”
  • Remove the DRM from iTunes movies with TunesKit

    Since then, I'm able to watch videos purchased through iTunes using any iOS video app I want to, on my computer or Android handset. If you're so inclined, you can still watch your videos and transfer them to your iPhone using iTunes, too. It's worth mentioning that the software works on content rented from iTunes as well. But removing the DRM from rented videos to keep after the rental period is up is theft, plain and simple. Do what's right for you.

  • Documentary on the DRM-breaking farmers who just want to fix their tractors, even if they have to download bootleg Ukrainian firmware to do it

    Motherboard's short documentary, "Tractor Hacking: The Farmers Breaking Big Tech's Repair Monopoly" is an excellent look at the absurd situation created by John Deere's position that you can't own your tractor because you only license the software inside it, meaning that only Deere can fix Deere's tractors, and the centuries-old tradition of farmers fixing their agricultural equipment should end because Deere's shareholders would prefer it that way.

