Mozilla

Firefox Announces Same-Day Update After Two Minor Pwn2Own Exploits (mozilla.org) 22

During this year's annual Pwn2Own contest, two researchers from Palo Alto Networks demonstrated an out-of-bounds write vulnerability in Mozilla Firefox, reports Cyber Security News, "earning $50,000 and 5 Master of Pwn points." And the next day another participant used an integer overflow to exploit Mozilla Firefox (renderer only).

But Mozilla's security blog reminds users that a sandbox escape would be required to break out from a tab to gain wider system access "due to Firefox's robust security architecture" — and that "neither participating group was able to escape our sandbox..." We have verbal confirmation that this is attributed to the recent architectural improvements to our Firefox sandbox which have neutered a wide range of such attacks. This continues to build confidence in Firefox's strong security posture.
Even though neither attack could escape their sandbox, "Out of abundance of caution, we just released new Firefox versions... all within the same day of the second exploit announcement." (Last year Mozilla responded to an exploitable security bug within 21 hours, they point out, even winning an award as the fastest to patch.)

The new updated versions are Firefox 138.0.4, Firefox ESR 128.10.1, Firefox ESR 115.23.1 and Firefox for Android. "Despite the limited impact of these attacks, all users and administrators are advised to update Firefox as soon as possible...." To review and fix the reported exploits a diverse team of people from all across the world and in various roles (engineering, QA, release management, security and many more) rushed to work. We tested and released a new version of Firefox for all of our supported platforms, operating systems, and configurations with rapid speed....

Our work does not end here. We continue to use opportunities like this to improve our incident response. We will also continue to study the reports to identify new hardening features and security improvements to keep all of our Firefox users across the globe protected.

Microsoft

9 Months Later, Microsoft Finally Fixes Linux Dual-Booting Bug (itsfoss.com) 65

Last August a Microsoft security update broke dual-booting Windows 11 and Linux systems, remembers the blog Neowin. Distros like Debian, Ubuntu, Linux Mint, Zorin OS, and Puppy Linux were all affected, and "a couple of days later, Microsoft provided a slightly lengthy workaround that involved tweaking around with policies and the Registry in order to fix the problem."

The update "was meant to address a GRUB bootloader vulnerability that allowed malicious actors to bypass Secure Boot's safety mechanisms," notes the It's FOSS blog. "Luckily, there's now a proper fix for this, as Microsoft has quietly released a new patch on May 13, 2025, addressing the issue nine months after it was first reported... Meanwhile, many dual-boot users were left with borked setups, having to use workarounds or disable Secure Boot altogether."
Programming

Rust Creator Graydon Hoare Thanks Its Many Stakeholders - and Mozilla - on Rust's 10th Anniversary (rustfoundation.org) 35

Thursday was Rust's 10-year anniversary for its first stable release. "To say I'm surprised by its trajectory would be a vast understatement," writes Rust's original creator Graydon Hoare. "I can only thank, congratulate, and celebrate everyone involved... In my view, Rust is a story about a large community of stakeholders coming together to design, build, maintain, and expand shared technical infrastructure." It's a story with many actors:

- The population of developers the language serves who express their needs and constraints through discussion, debate, testing, and bug reports arising from their experience writing libraries and applications.

- The language designers and implementers who work to satisfy those needs and constraints while wrestling with the unexpected consequences of each decision.

- The authors, educators, speakers, translators, illustrators, and others who work to expand the set of people able to use the infrastructure and work on the infrastructure.

- The institutions investing in the project who provide the long-term funding and support necessary to sustain all this work over decades.

All these actors have a common interest in infrastructure.

Rather than just "systems programming", Hoare sees Rust as a tool for building infrastructure itself, "the robust and reliable necessities that enable us to get our work done" — a wide range that includes everything from embedded and IoT systems to multi-core systems. So the story of "Rust's initial implementation, its sustained investment, and its remarkable resonance and uptake all happened because the world needs robust and reliable infrastructure, and the infrastructure we had was not up to the task." Put simply: it failed too often, in spectacular and expensive ways. Crashes and downtime in the best cases, and security vulnerabilities in the worst. Efficient "infrastructure-building" languages existed but they were very hard to use, and nearly impossible to use safely, especially when writing concurrent code. This produced an infrastructure deficit many people felt, if not everyone could name, and it was growing worse by the year as we placed ever-greater demands on computers to work in ever more challenging environments...

We were stuck with the tools we had because building better tools like Rust was going to require an extraordinary investment of time, effort, and money. The bootstrap Rust compiler I initially wrote was just a few tens of thousands of lines of code; that was nearing the limits of what an unfunded solo hobby project can typically accomplish. Mozilla's decision to invest in Rust in 2009 immediately quadrupled the size of the team — it created a team in the first place — and then doubled it again, and again in subsequent years. Mozilla sustained this very unusual, very improbable investment in Rust from 2009-2020, as well as funding an entire browser engine written in Rust — Servo — from 2012 onwards, which served as a crucial testbed for Rust language features.

Rust and Servo had multiple contributors at Samsung, Hoare acknowledges, and Amazon, Facebook, Google, Microsoft, Huawei, and others "hired key developers and contributed hardware and management resources to its ongoing development." Rust itself "sits atop LLVM" (developed by researchers at UIUC and later funded by Apple, Qualcomm, Google, ARM, Huawei, and many other organizations), while Rust's safe memory model "derives directly from decades of research in academia, as well as academic-industrial projects like Cyclone, built by AT&T Bell Labs and Cornell."

And there were contributions from "interns, researchers, and professors at top academic research programming-language departments, including CMU, NEU, IU, MPI-SWS, and many others." JetBrains and the Rust-Analyzer OpenCollective essentially paid for two additional interactive-incremental reimplementations of the Rust frontend to provide language services to IDEs — critical tools for productive, day-to-day programming. Hundreds of companies and other institutions contributed time and money to evaluate Rust for production, write Rust programs, test them, file bugs related to them, and pay their staff to fix or improve any shortcomings they found. Last but very much not least: Rust has had thousands and thousands of volunteers donating years of their labor to the project. While it might seem tempting to think this is all "free", it's being paid for! Just less visibly than if it were part of a corporate budget.

All this investment, despite the long time horizon, paid off. We're all better for it.

He looks ahead with hope for a future with new contributors, "steady and diversified streams of support," and continued reliability and compatability (including "investment in ever-greater reliability technology, including the many emerging formal methods projects built on Rust.")

And he closes by saying Rust's "sustained, controlled, and frankly astonishing throughput of work" has "set a new standard for what good tools, good processes, and reliable infrastructure software should be like.

"Everyone involved should be proud of what they've built."
Games

Videogame's Players Launch Boycott Over Bugs, Story Changes, Monetization (aftermath.site) 41

It's been a mobile-only game for decades. Then a little more than a week ago Infinity Nikkireleased its 1.5 update (which introduced multiplayer and customization options) and launched the game on Steam.

But it "didn't go over as planned," writes the worker-owned gaming site Aftermath, citing some very negative reactions on Reddit. (Some players say that in response the game's publisher is now even censoring the word "boycott" on its official forums and community spaces...) Infinity Nikki players were immediately incensed by a bevy of bugs and general game instability, and made even more angry by several baffling changes to both the story and its monetization structure... Players globally are vowing to stay off the game until Infold Games addresses their concerns, including at least one Infinity Nikki creator who is part of the game's partner program... [T]he Chinese Infinity Nikki community — as well as others — has been flooding Steam with negative reviews of the game... [T]he complaints are also impacting Infinity Nikki's review score on the Google Play Store... The company said it's working to fix the patch's performance issues, which have caused game-breaking bugs for some players....

[T]he Infinity Nikki team also gave players some free currency, but there's been problems there, too: Players say Infold had a bug in this distribution, which awarded players too much free currency. Instead of letting players keep that — it was Infold's mistake, after all — they deducted the currency, some of which players had already spent, putting them in the negative. But the community is looking for more from the studio; it wants an acknowledgement of the "dumpster fire" of a situation, as one Infinity Nikki player told Aftermath, but also wants some of the biggest problems reversed... Beyond the problematic monetization strategy, players Aftermath spoke with said they're also pissed off at a major change to the start of the game... Infold Games removed the game's original start with the update; the new intro drops players into Infinity Nikki with little context and a new, unexplained character who is supposed to be a guide as Nikki is dropped into intergalactic limbo.

While the spend-to-upgrade-your-character model has always been inherently predatory, as one player put it, the new update pushed the system "much too far for a lot of players," according to the article — "something made more egregious by the numerous bugs and strange gameplay changes." The article now describes some players as "upset that the trust they've given Infold Games thus far has been broken."

"Infold Games has not responded to a request for comment."
The Courts

VMware Perpetual License Holders Receive Cease-And-Desist Letters From Broadcom (arstechnica.com) 71

An anonymous reader quotes a report from Ars Technica: Broadcom has been sending cease-and-desist letters to owners of VMware perpetual licenses with expired support contracts, Ars Technica has confirmed. Following its November 2023 acquisition of VMware, Broadcom ended VMware perpetual license sales. Users with perpetual licenses can still use the software they bought, but they are unable to renew support services unless they had a pre-existing contract enabling them to do so. The controversial move aims to push VMware users to buy subscriptions to VMware products bundled such that associated costs have increased by 300 percent or, in some cases, more. Some customers have opted to continue using VMware unsupported, often as they research alternatives, such as VMware rivals or devirtualization.

Over the past weeks, some users running VMware unsupported have reported receiving cease-and-desist letters from Broadcom informing them that their contract with VMware and, thus, their right to receive support services, has expired. The letter [PDF], reviewed by Ars Technica and signed by Broadcom managing director Michael Brown, tells users that they are to stop using any maintenance releases/updates, minor releases, major releases/upgrades extensions, enhancements, patches, bug fixes, or security patches, save for zero-day security patches, issued since their support contract ended.

The letter tells users that the implementation of any such updates "past the Expiration Date must be immediately removed/deinstalled," adding: "Any such use of Support past the Expiration Date constitutes a material breach of the Agreement with VMware and an infringement of VMware's intellectual property rights, potentially resulting in claims for enhanced damages and attorneys' fees." [...] The cease-and-desist letters also tell recipients that they could be subject to auditing: "Failure to comply with [post-expiration reporting] requirements may result in a breach of the Agreement by Customer[,] and VMware may exercise its right to audit Customer as well as any other available contractual or legal remedy."

Television

Software Update Makes HDR Content 'Unwatchable' On Roku TVs (arstechnica.com) 28

An anonymous reader quotes a report from Ars Technica: An update to Roku OS has resulted in colors looking washed out in HDR content viewed on Roku apps, like Disney+. Complaints started surfacing on Roku's community forum a week ago. On May 1, a company representative posted that Roku was "investigating the Disney Plus HDR content that was washed out after the recent update." However, based on user feedback, it seems that HDR on additional Roku apps, including Apple TV+ and Netflix, are also affected. Roku's representative has been asking users to share their experiences so that Roku can dig deeper into the problem. [...]

Roku hasn't provided a list of affected devices, but users have named multiple TCL TV models, at least one Hisense, and one Sharp TV as being impacted. We haven't seen any reports of Roku streaming sticks being affected. One forum user claimed that plugging a Roku streaming stick into a Roku TV circumvented the problem. Forum user Squinky said the washed-out colors were only on Disney+. However, other users have reported seeing the problem across other apps, including Max and Fandango. [...] Users have noted that common troubleshooting efforts, like restarting and factory resetting their TVs and checking for software updates, haven't fixed the problem.

The problems appear to stem from the Roku OS 14.5 update, which was issued at the end of April. According to the release notes, the update is available for all Roku TV models from 2014 on, except for models 65R648, 75R648, and 75U800GMR. Roku streaming sticks also received the update. Per Roku, the software update includes "various performance optimizations, bug fixes, and improvements to security, stability." Other additions include a "new personalized row of content within the Live TV Guide" and upgrades to Roku OS' daily trivia, voice control, and discovery capabilities.
"I'm surprised more people aren't complaining because it makes a ton of shows simply unwatchable. Was looking forward to Andor, and Tuesday night [was] ruined," posted forum user noob99999, who said the problem was happening on "multiple apps," including Amazon Prime Video. "I hope the post about imminent app updates are correct because in the past, Roku has taken forever to correct issues."
KDE

'KDE Plasma LTS Releases Are Dead' (itsfoss.com) 29

With its Start menu-style application launcher and its bottom-of-the-screen taskbar, KDE Plasma is a "nice" and "traditional" desktop environment that's "also highly customizable," notes It's FOSS News.

But there's a change coming... In contrast to other desktop environments, KDE offers a long-term support release (LTS) of Plasma, where bug fixes and security updates are provided for an extended period, with no new major changes being introduced. However, that is no longer the case now. Shared by Nate Graham, a prominent contributor within the KDE community, KDE has decided to stop working on LTS releases of Plasma, shifting its focus on extending support for the bug-fix and feature releases instead.

The reasoning behind this move is multi-faceted, with factors such as inconsistent expectations from the community, developers' reluctance to work on older versions, and the lack of consistency in LTS support for Frameworks and Gear apps... I believe this move will provide Plasma users with a better Linux desktop experience, thanks to the extended bug-fix period, which will enhance the stability of each release.

From Graham's blog post: It's no secret that our Plasma LTS ("Long-Term Support") product isn't great. It really only means we backport bug-fixes for longer than usual — usually without even testing them, since no Plasma developers enjoy living on or testing old branches. And there's no corresponding LTS product for Frameworks or Gear apps, leaving a lot of holes in the LTS umbrella. Then there's the fact that "LTS" means different things to different people; many have an expansive definition of the term that gives them expectations of stability that are impossible to meet.

Our conclusion was that the fairly limited nature of the product isn't meeting anyone's expectations, so we decided to not continue it. Instead, we'll lengthen the effective support period of normal Plasma releases a bit by adding on an extra bug-fix release, taking us from five to six.

We also revisited the topic of reducing from three to two Plasma feature releases per year, with a much longer bug-fix release schedule. It would effectively make every Plasma version a sort of mini-LTS, and we'd also try to align them with the twice-yearly release schedules of Kubuntu and Fedora.

However, the concept of "Long-Term Support" doesn't go away just because we're not giving that label to any of our software releases anymore. Really, it was always a label applied by distros anyway — the distros doing the hard work of building an LTS final product out of myriad software components that were never themselves declared LTS by their own developers. It's a lot of work.

So we decided to strengthen our messaging that users of KDE software on LTS distros should be reporting issues to their distro, and not to KDE. An LTS software stack is complex and requires a lot of engineering effort to stabilize; the most appropriate people to triage issues on LTS distros are the engineers putting them together. This will free up time among KDE's bug triagers and developers to focus on current issues they can reproduce and fix, rather than wasting time on issues that can't be reproduced due to a hugely different software stack, or that were fixed months or years ago yet reported to us anyway due to many users' unfamiliarity with software release schedules and bug reporting.

Linux

Linus Torvalds Expresses His Hatred For Case-Insensitive File-Systems (phoronix.com) 286

Some patches for Linux 6.15-rc4 (updating the kernel driver for the Bcachefs file system) triggered some "straight-to-the-point wisdom" from Linus Torvalds about case-insensitive filesystems, reports Phoronix.

Bcachefs developer Kent Overstreet started the conversation, explaining how some buggy patches for their case-insensitive file and folder support were upstreamed into the Bcachefs kernel driver nearly two years ago: When I was discussing with the developer who did the implementation, I noted that fstests should already have tests. However, it seems I neglected to tell him to make sure the tests actually run... It is _not_ enough to simply rely on the automated tests. You have to have eyes on what your code is doing.
Overstreet added "There's a story behind the case insensitive directory fixes, and lessons to be learned." To which Torvalds replied.... "No."

"The only lesson to be learned is that filesystem people never learn."

Torvalds: Case-insensitive names are horribly wrong, and you shouldn't have done them at all. The problem wasn't the lack of testing, the problem was implementing it in the first place. The problem is then compounded by "trying to do it right", and in the process doing it horrible wrong indeed, because "right" doesn't exist, but trying to will make random bytes have very magical meaning.

And btw, the tests are all completely broken anyway. Last I saw, they didn't actually test for all the really interesting cases — the ones that cause security issues in user land. Security issues like "user space checked that the filename didn't match some security-sensitive pattern". And then the shit-for-brains filesystem ends up matching that pattern *anyway*, because the people who do case insensitivity *INVARIABLY* do things like ignore non-printing characters, so now "case insensitive" also means "insensitive to other things too"....

Dammit. Case sensitivity is a BUG. The fact that filesystem people *still* think it's a feature, I cannot understand. It's like they revere the old FAT filesystem _so_ much that they have to recreate it — badly.

And this led to a very lively back-and-forth discussion.

Slashdot's summary of the highlights:
AI

Cursor AI's Own Support Bot Hallucinated Its Usage Policy (theregister.com) 9

Cursor AI users recently encountered an ironic AI failure when the platform's support bot falsely claimed a non-existent login restriction policy. Co-founder Michael Truell apologized for the issue, clarified that no such policy exists, and attributed the mishap to AI hallucination and a session management bug. The Register reports: Users of the Cursor editor, designed to generate and fix source code in response to user prompts, have sometimes been booted from the software when trying to use the app in multiple sessions on different machines. Some folks who inquired about the inability to maintain multiple logins for the subscription service across different machines received a reply from the company's support email indicating this was expected behavior. But the person on the other end of that email wasn't a person at all, but an AI support bot. And it evidently made that policy up.

In an effort to placate annoyed users this week, Michael Truell co-founder of Cursor creator Anysphere, published a note to Reddit to apologize for the snafu. "Hey! We have no such policy," he wrote. "You're of course free to use Cursor on multiple machines. Unfortunately, this is an incorrect response from a front-line AI support bot. We did roll out a change to improve the security of sessions, and we're investigating to see if it caused any problems with session invalidation." Truell added that Cursor provides an interface for viewing active sessions in its settings and apologized for the confusion.

In a post to the Hacker News discussion of the SNAFU, Truell again apologized and acknowledged that something had gone wrong. "We've already begun investigating, and some very early results: Any AI responses used for email support are now clearly labeled as such. We use AI-assisted responses as the first filter for email support." He said the developer who raised this issue had been refunded. The session logout issue, now fixed, appears to have been the result of a race condition that arises on slow connections and spawns unwanted sessions.

Wine

Wine 10.6 Released (phoronix.com) 22

Wine 10.6 has been released, featuring a new lexer within its Command Processor (CMD), support for the PBKDF2 algorithm to its Bcrypt implementation, and improved metadata handling in WindowsCodecs. According to Phoronix, the update also includes 27 known bug fixes that address issues with Unity games, Alan Wake, GDI+, and various other games and applications.

You can see all the changes and download the relesae via WineHQ.org GitLab.
Bitcoin

Canadian Math Prodigy Allegedly Stole $65 Million In Crypto (theglobeandmail.com) 85

A Canadian math prodigy is accused of stealing over $65 million through complex exploits on decentralized finance platforms and is currently a fugitive from U.S. authorities. Despite facing criminal charges for fraud and money laundering, he has evaded capture by moving internationally, embracing the controversial "Code is Law" philosophy, and maintaining that his actions were legal under the platforms' open-source rules. The Globe and Mail reports: Andean Medjedovic was 18 years old when he made a decision that would irrevocably alter the course of his life. In the fall of 2021, shortly after completing a master's degree at the University of Waterloo, the math prodigy and cryptocurrency trader from Hamilton had conducted a complex series of transactions designed to exploit a vulnerability in the code of a decentralized finance platform. The maneuver had allegedly allowed him to siphon approximately $16.5-million in digital tokens out of two liquidity pools operated by the platform, Indexed Finance, according to a U.S. court document.

Indexed Finance's leaders traced the attack back to Mr. Medjedovic, and made him an offer: Return 90 per cent of the funds, keep the rest as a so-called "bug bounty" -- a reward for having identified an error in the code -- and all would be forgiven. Mr. Medjedovic would then be free to launch his career as a white hat, or ethical, hacker. Mr. Medjedovic didn't take the deal. His social media posts hinted, without overtly stating, that he believed that because he had operated within the confines of the code, he was entitled to the funds -- a controversial philosophy in the world of decentralized finance known as "Code is Law." But instead of testing that argument in court, Mr. Medjedovic went into hiding. By the time authorities arrived on a quiet residential street in Hamilton to search his parents' townhouse less than two months later, Mr. Medjedovic had moved out, taking his electronic devices with him.

Then, roughly two years later, he struck again, netting an even larger sum -- approximately $48.4-million -- by conducting a similar exploit on another decentralized finance platform, U.S. authorities allege. Mr. Medjedovic, now 22, faces five criminal charges -- including wire fraud, attempted extortion and money laundering -- according to a U.S. federal court document that was unsealed earlier this year. If convicted, he could be facing decades in prison. First, authorities will have to find him.

Programming

Figma Sent a Cease-and-Desist Letter To Lovable Over the Term 'Dev Mode' (techcrunch.com) 73

An anonymous reader quotes a report from TechCrunch: Figma has sent a cease-and-desist letter to popular no-code AI startup Lovable, Figma confirmed to TechCrunch. The letter tells Lovable to stop using the term "Dev Mode" for a new product feature. Figma, which also has a feature called Dev Mode, successfully trademarked that term last year, according to the U.S. Patent and Trademark office. What's wild is that "dev mode" is a common term used in many products that cater to software programmers. It's like an edit mode. Software products from giant companies like Apple's iOS, Google's Chrome, Microsoft's Xbox have features formally called "developer mode" that then get nicknamed "dev mode" in reference materials.

Even "dev mode" itself is commonly used. For instance Atlassian used it in products that pre-date Figma's copyright by years. And it's a common feature name in countless open source software projects. Figma tells TechCrunch that its trademark refers only to the shortcut "Dev Mode" -- not the full term "developer mode." Still, it's a bit like trademarking the term "bug" to refer to "debugging." Since Figma wants to own the term, it has little choice but send cease-and-desist letters. (The letter, as many on X pointed out, was very polite, too.) If Figma doesn't defend the term, it could be absorbed as a generic term and the trademarked becomes unenforceable.

Android

Samsung Pauses One UI 7 Rollout Worldwide (theverge.com) 9

Samsung has paused the global rollout of its One UI 7 update after a serious bug was reported that prevented some Galaxy S24 owners from unlocking their phones. The Verge reports: While the complaints seem to have specifically come from South Korean owners of Galaxy S24 series handsets, Samsung has played it safe and paused the rollout across all models worldwide. While some users will have already downloaded the update to One UI 7, using the app CheckFirm we've confirmed that the update is no longer listed on Samsung's servers as the latest firmware version across several Galaxy devices, with older patches appearing instead. Samsung hasn't confirmed the pause in the rollout, nor plans to issue a fix for users who have already downloaded the One UI 7 update. We've reached out to the company for comment.
United States

FSF Urges US Government to Adopt Free-as-in-Freedom Tax Filing Software (fsf.org) 123

"A modern free society has an obligation to offer electronic tax filing that respects user freedom," says a Free Software Foundation blog post, "and the United States is not excluded from this responsibility."

"Governments, and/or the companies that they partner with, are responsible for providing free as in freedom software for necessary operations, and tax filing is no exception." For many years now, a large portion of [U.S.] taxpayers have filed their taxes electronically through proprietary programs like TurboTax. Millions of taxpayers are led to believe that they have no other option than to use nonfree software or Service as a Software Substitute (SaaSS), giving up their freedom as well as their most private financial information to a third-party company, in order to file their taxes...

While the options for taxpayers have improved slightly with the IRS's implementation of the IRS Direct File program [in 25 states], this program unfortunately does require users to hand over their freedom when filing taxes.... Taxpayers shouldn't have to use a program that violates their individual freedoms to file legally required taxes. While Direct File is a step in the right direction as the program isn't in the hands of a third-party entity, it is still nonfree software. Because Direct File is a US government-operated program, and ongoing in the process of being deployed to twenty-five states, it's not too late to call on the IRS to make Direct File free software.

In the meantime, if you need to file US taxes and are yet to file, we suggest filing your taxes in a way that respects your user freedom as much as possible, such as through mailing tax forms. Like with other government interactions that snatch away user freedom, choose the path that most respects your freedom.

Free-as-in-freedom software would decrease the chance of user lock-in, the FSF points out. But they list several other advantages, including:
  • Repairability: With free software, there is no uncertain wait period or reliance on a proprietary provider to make any needed bug or security fixes.
  • Transparency: Unless you can check what a program really does (or ask someone in the free software community to check for you), there is no way to know that the program isn't doing things you don't consent to it doing.
  • Cybersecurity: While free software isn't inherently more secure than nonfree software, it does have a tendency to be more secure because many developers can continuously improve the program and search for errors that can be exploited. With proprietary programs like TurboTax, taxpayers and the U.S. government are dependent on TurboTax to protect the sensitive financial and personal information of millions with few (if any) outside checks and balances...
  • Taxpayer dollars spent should actually benefit the taxpayers: Taxpayer dollars should not be used to fund third-party programs that seek to control users and force them to use their programs through lobbying....

"We don't have to accept this unjust reality: we can work for a better future, together," the blog post concludes (offering a "sample message" U.S. taxpayers could send to IRS Commissioner Danny Werfel).

"Take action today and help make electronic tax filing free as in freedom for everyone."


Chrome

Chrome To Patch Decades-Old 'Browser History Sniffing' Flaw That Let Sites Peek At Your History (theregister.com) 34

Slashdot reader king*jojo shared this article from The Register: A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope.

The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts, have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer in a blog post.

This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...

United Kingdom

Were Still More UK Postmasters Also Wrongly Prosecuted Over Accounting Bug? (computerweekly.com) 48

U.K. postmasters were mistakenly sent to prison due to a bug in their "Horizon" accounting software — as first reported by Computer Weekly back in 2009. Nearly 16 years later, the same site reports that now the Scottish Criminal Cases Review Commission "is attempting to contact any former subpostmasters that could have been prosecuted for unexplained losses on the Post Office's pre-Horizon Capture software.

"There are former subpostmasters that, like Horizon users, could have been convicted of crimes based on data from these systems..." Since the Post Office Horizon scandal hit the mainstream in January 2024 — revealing to a wide audience the suffering experienced by subpostmasters who were blamed for errors in the Horizon accounting system — users of Post Office software that predated Horizon have come forward... to tell their stories, which echoed those of victims of the Horizon scandal. The Criminal Cases Review Commission for England and Wales is now reviewing 21 cases of potential wrongful conviction... where the Capture IT system could be a factor...

The SCCRC is now calling on people that might have been convicted based on Capture accounts to come forward. "The commission encourages anyone who believes that their criminal conviction, or that of a relative, might have been affected by the Capture system to make contact with it," it said. The statutory body is also investigating a third Post Office system, known as Ecco+, which was also error-prone...

A total of 64 former subpostmasters in Scotland have now had their convictions overturned through the legislation brought through Scottish Parliament. So far, 97 convicted subpostmasters have come forward, and 86 have been assessed, out of which the 64 have been overturned. However, 22 have been rejected and another 11 are still to be assessed. An independent group, fronted by a former Scottish subpostmaster, is also calling on users of any of the Post Office systems to come forward to tell their stories, and for support in seeking justice and redress.

AI

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 57

Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.

Miccrosoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Micxrosoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

They add that performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings...

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."
Operating Systems

Coreboot 25.03 Released With Support For 22 More Motherboards (phoronix.com) 26

Coreboot 25.03 has been released with support for 22 new motherboards and several other significant updates, including enhanced display handling, USB debugging, RISC-V support, and RAM initialization for older Intel platforms. Phoronix reports: Coreboot 25.03 delivers display handling improvements, a better USB debugging experience, CPU topology updates, various improvements to the open-source RAM initialization for aging Intel Haswell platforms, improved USB Type-C and Thunderbolt handling, various embedded controller (EC) improvements, better RISC-V architecture support, DDR5-7500 support, and many bug fixes across the sprawling Coreboot codebase. More details, including a full list of the supported boards, can be found here.
Businesses

Reddit's 50% Stock-Price Plunge Fails to Entice Buyers as Growth Slows (yahoo.com) 38

Though it's stock price is still up 200% from its IPO in March of 2024 — last week Reddit's stock had dropped nearly 50% since February 7th.

And then this week, it dropped another 10%, reports Bloomberg, citing both the phenomenon of "volatile technology stocks under pressure" — but also specifically "the gloomy sentiment around Reddit..." The social media platform has struggled to recover since an earnings report in February showed that it is failing to keep up with larger digital advertising peers such as Meta Platforms Inc. and Alphabet Inc.'s Google, which have higher user figures. Reddit's outlook seemed precarious because its U.S. traffic took a hit from a change in Google's search algorithm.

In recent weeks, the short interest in Reddit — a proxy for the volume of bets against the company — has ticked up, and forecasts for the company's share price have fallen. One analyst opened coverage of Reddit this month with a recommendation that investors sell the shares, in part due to the company's heavy reliance on Google. Reddit shares fell more than 5% in intraday trading Friday. "It's been super overvalued," Bob Lang, founder and chief options analyst at Explosive Options said of Reddit. "Their growth rate is very strong, but they still are not making any money." Reddit had a GAAP earnings per share loss of $3.33 in 2024, but reported two consecutive quarters of positive GAAP EPS in the second half of the year...

At its February peak, Reddit's stock had risen over 500% from the $34 initial public offering price last March. Some of the enthusiasm was due to a series of deals in which Reddit was paid to allow its content to be used for training artificial intelligence models. More recently, though, there have been questions about the long-term growth prospects for the artificial intelligence industry.

"On Wall Street, the average price target from analysts has fallen to about $195 from $207 a month ago," the article points out. "That still offers a roughly $85 upside from where shares closed following Thursday's 8% slump..."

Meanwhile Reuters reported that more than 33,000 U.S. Reddit users experienced disruptions on Thursday according to Downdetector.com. "A Reddit spokesperson said the outage was due to a bug in a recent update, which has now been fixed."
Android

Google Will Develop the Android OS Fully In Private 20

An anonymous reader quotes a report from Android Authority: No matter the manufacturer, every Android phone has one thing in common: its software base. Manufacturers can heavily customize the look and feel of the Android OS they ship on their Android devices, but under the hood, the core system functionality is derived from the same open-source foundation: the Android Open Source Project. After over 16 years, Google is making big changes to how it develops the open source version of Android in an effort to streamline its development. [...] Beginning next week, all Android development will occur within Google's internal branches, and the source code for changes will only be released when Google publishes a new branch containing those changes. As this is already the practice for most Android component changes, Google is simply consolidating its development efforts into a single branch.

This change will have minimal impact on regular users. While it streamlines Android OS development for Google, potentially affecting the speed of new version development and bug reduction, the overall effect will likely be imperceptible. Therefore, don't expect this change to accelerate OS updates for your phone. This change will also have minimal impact on most developers. App developers are unaffected, as it pertains only to platform development. Platform developers, including those who build custom ROMs, will largely also see little change, since they typically base their work on specific tags or release branches, not the main AOSP branch. Similarly, companies that release forked AOSP products rarely use the main AOSP branch due to its inherent instability.

External developers who enjoy reading or contributing to AOSP will likely be dismayed by this news, as it reduces their insight into Google's development efforts. Without a GMS license, contributing to Android OS development becomes more challenging, as the available code will consistently lag behind by weeks or months. This news will also make it more challenging for some developers to keep up with new Android platform changes, as they'll no longer be able to track changes in AOSP. For reporters, this change means less access to potentially revealing information, as AOSP patches often provide insights into Google's development plans. [...] Google will share more details about this change when it announces it later this week. If you're interested in learning more, be sure to keep an eye out for the announcement and new documentation on source.android.com.
Android Authority's Mishaal Rahman says Google is "committed to publishing Android's source code, so this change doesn't mean that Android is becoming closed-source."

"What will change is the frequency of public source code releases for specific Android components," says Rahman. "Some components like the build system, update engine, Bluetooth stack, Virtualization framework, and SELinux configuration are currently AOSP-first, meaning they're developed fully in public. Most Android components like the core OS framework are primarily developed internally, although some features, such as the unlocked-only storage area API, are still developed within AOSP."

Slashdot Top Deals