Chrome

Chrome To Patch Decades-Old 'Browser History Sniffing' Flaw That Let Sites Peek At Your History (theregister.com) 34

Slashdot reader king*jojo shared this article from The Register: A 23-year-old side-channel attack for spying on people's web browsing histories will get shut down in the forthcoming Chrome 136, released last Thursday to the Chrome beta channel. At least that's the hope.

The privacy attack, referred to as browser history sniffing, involves reading the color values of web links on a page to see if the linked pages have been visited previously... Web publishers and third parties capable of running scripts have used this technique to present links on a web page to a visitor and then check how the visitor's browser set the color for those links on the rendered web page... The attack was mitigated about 15 years ago, though not effectively. Other ways to check link color information beyond the getComputedStyle method were developed... Chrome 136, due to see stable channel release on April 23, 2025, "is the first major browser to render these attacks obsolete," explained Kyra Seevers, Google software engineer in a blog post.

This is something of a turnabout for the Chrome team, which twice marked Chromium bug reports for the issue as "won't fix." David Baron, presently a Google software engineer who worked for Mozilla at the time, filed a Firefox bug report about the issue back on May 28, 2002... On March 9, 2010, Baron published a blog post outlining the issue and proposing some mitigations...

United Kingdom

Were Still More UK Postmasters Also Wrongly Prosecuted Over Accounting Bug? (computerweekly.com) 48

U.K. postmasters were mistakenly sent to prison due to a bug in their "Horizon" accounting software — as first reported by Computer Weekly back in 2009. Nearly 16 years later, the same site reports that now the Scottish Criminal Cases Review Commission "is attempting to contact any former subpostmasters that could have been prosecuted for unexplained losses on the Post Office's pre-Horizon Capture software.

"There are former subpostmasters that, like Horizon users, could have been convicted of crimes based on data from these systems..." Since the Post Office Horizon scandal hit the mainstream in January 2024 — revealing to a wide audience the suffering experienced by subpostmasters who were blamed for errors in the Horizon accounting system — users of Post Office software that predated Horizon have come forward... to tell their stories, which echoed those of victims of the Horizon scandal. The Criminal Cases Review Commission for England and Wales is now reviewing 21 cases of potential wrongful conviction... where the Capture IT system could be a factor...

The SCCRC is now calling on people that might have been convicted based on Capture accounts to come forward. "The commission encourages anyone who believes that their criminal conviction, or that of a relative, might have been affected by the Capture system to make contact with it," it said. The statutory body is also investigating a third Post Office system, known as Ecco+, which was also error-prone...

A total of 64 former subpostmasters in Scotland have now had their convictions overturned through the legislation brought through Scottish Parliament. So far, 97 convicted subpostmasters have come forward, and 86 have been assessed, out of which the 64 have been overturned. However, 22 have been rejected and another 11 are still to be assessed. An independent group, fronted by a former Scottish subpostmaster, is also calling on users of any of the Post Office systems to come forward to tell their stories, and for support in seeking justice and redress.

AI

Microsoft Uses AI To Find Flaws In GRUB2, U-Boot, Barebox Bootloaders (bleepingcomputer.com) 57

Slashdot reader zlives shared this report from BleepingComputer: Microsoft used its AI-powered Security Copilot to discover 20 previously unknown vulnerabilities in the GRUB2, U-Boot, and Barebox open-source bootloaders.

GRUB2 (GRand Unified Bootloader) is the default boot loader for most Linux distributions, including Ubuntu, while U-Boot and Barebox are commonly used in embedded and IoT devices. Microsoft discovered eleven vulnerabilities in GRUB2, including integer and buffer overflows in filesystem parsers, command flaws, and a side-channel in cryptographic comparison. Additionally, 9 buffer overflows in parsing SquashFS, EXT4, CramFS, JFFS2, and symlinks were discovered in U-Boot and Barebox, which require physical access to exploit.

The newly discovered flaws impact devices relying on UEFI Secure Boot, and if the right conditions are met, attackers can bypass security protections to execute arbitrary code on the device. While exploiting these flaws would likely need local access to devices, previous bootkit attacks like BlackLotus achieved this through malware infections.

Microsoft titled its blog post "Analyzing open-source bootloaders: Finding vulnerabilities faster with AI." (And they do note that Microsoft disclosed the discovered vulnerabilities to the GRUB2, U-boot, and Barebox maintainers and "worked with the GRUB2 maintainers to contribute fixes... GRUB2 maintainers released security updates on February 18, 2025, and both the U-boot and Barebox maintainers released updates on February 19, 2025.")

They add that in performing their initial research, using Security Copilot "saved our team approximately a week's worth of time," Microsoft writes, "that would have otherwise been spent manually reviewing the content." "Through a series of prompts, we identified and refined security issues, ultimately uncovering an exploitable integer overflow vulnerability. Copilot also assisted in finding similar patterns in other files, ensuring comprehensive coverage and validation of our findings..."

As AI continues to emerge as a key tool in the cybersecurity community, Microsoft emphasizes the importance of vendors and researchers maintaining their focus on information sharing. This approach ensures that AI's advantages in rapid vulnerability discovery, remediation, and accelerated security operations can effectively counter malicious actors' attempts to use AI to scale common attack tactics, techniques, and procedures (TTPs).

This week Google also announced Sec-Gemini v1, "a new experimental AI model focused on advancing cybersecurity AI frontiers."
Operating Systems

Coreboot 25.03 Released With Support For 22 More Motherboards (phoronix.com) 26

Coreboot 25.03 has been released with support for 22 new motherboards and several other significant updates, including enhanced display handling, USB debugging, RISC-V support, and RAM initialization for older Intel platforms. Phoronix reports: Coreboot 25.03 delivers display handling improvements, a better USB debugging experience, CPU topology updates, various improvements to the open-source RAM initialization for aging Intel Haswell platforms, improved USB Type-C and Thunderbolt handling, various embedded controller (EC) improvements, better RISC-V architecture support, DDR5-7500 support, and many bug fixes across the sprawling Coreboot codebase. More details, including a full list of the supported boards, can be found here.
Businesses

Reddit's 50% Stock-Price Plunge Fails to Entice Buyers as Growth Slows (yahoo.com) 38

Though its stock price is still up 200% from its IPO in March of 2024, last week Reddit's stock had dropped nearly 50% since February 7th.

And then this week, it dropped another 10%, reports Bloomberg, citing both the phenomenon of "volatile technology stocks under pressure" — but also specifically "the gloomy sentiment around Reddit..." The social media platform has struggled to recover since an earnings report in February showed that it is failing to keep up with larger digital advertising peers such as Meta Platforms Inc. and Alphabet Inc.'s Google, which have higher user figures. Reddit's outlook seemed precarious because its U.S. traffic took a hit from a change in Google's search algorithm.

In recent weeks, the short interest in Reddit — a proxy for the volume of bets against the company — has ticked up, and forecasts for the company's share price have fallen. One analyst opened coverage of Reddit this month with a recommendation that investors sell the shares, in part due to the company's heavy reliance on Google. Reddit shares fell more than 5% in intraday trading Friday. "It's been super overvalued," Bob Lang, founder and chief options analyst at Explosive Options said of Reddit. "Their growth rate is very strong, but they still are not making any money." Reddit had a GAAP earnings per share loss of $3.33 in 2024, but reported two consecutive quarters of positive GAAP EPS in the second half of the year...

At its February peak, Reddit's stock had risen over 500% from the $34 initial public offering price last March. Some of the enthusiasm was due to a series of deals in which Reddit was paid to allow its content to be used for training artificial intelligence models. More recently, though, there have been questions about the long-term growth prospects for the artificial intelligence industry.

"On Wall Street, the average price target from analysts has fallen to about $195 from $207 a month ago," the article points out. "That still offers a roughly $85 upside from where shares closed following Thursday's 8% slump..."

Meanwhile Reuters reported that more than 33,000 U.S. Reddit users experienced disruptions on Thursday according to Downdetector.com. "A Reddit spokesperson said the outage was due to a bug in a recent update, which has now been fixed."
Android

Google Will Develop the Android OS Fully In Private 20

An anonymous reader quotes a report from Android Authority: No matter the manufacturer, every Android phone has one thing in common: its software base. Manufacturers can heavily customize the look and feel of the Android OS they ship on their Android devices, but under the hood, the core system functionality is derived from the same open-source foundation: the Android Open Source Project. After over 16 years, Google is making big changes to how it develops the open source version of Android in an effort to streamline its development. [...] Beginning next week, all Android development will occur within Google's internal branches, and the source code for changes will only be released when Google publishes a new branch containing those changes. As this is already the practice for most Android component changes, Google is simply consolidating its development efforts into a single branch.

This change will have minimal impact on regular users. While it streamlines Android OS development for Google, potentially affecting the speed of new version development and bug reduction, the overall effect will likely be imperceptible. Therefore, don't expect this change to accelerate OS updates for your phone. This change will also have minimal impact on most developers. App developers are unaffected, as it pertains only to platform development. Platform developers, including those who build custom ROMs, will largely also see little change, since they typically base their work on specific tags or release branches, not the main AOSP branch. Similarly, companies that release forked AOSP products rarely use the main AOSP branch due to its inherent instability.

External developers who enjoy reading or contributing to AOSP will likely be dismayed by this news, as it reduces their insight into Google's development efforts. Without a GMS license, contributing to Android OS development becomes more challenging, as the available code will consistently lag behind by weeks or months. This news will also make it more challenging for some developers to keep up with new Android platform changes, as they'll no longer be able to track changes in AOSP. For reporters, this change means less access to potentially revealing information, as AOSP patches often provide insights into Google's development plans. [...] Google will share more details about this change when it announces it later this week. If you're interested in learning more, be sure to keep an eye out for the announcement and new documentation on source.android.com.
Android Authority's Mishaal Rahman says Google is "committed to publishing Android's source code, so this change doesn't mean that Android is becoming closed-source."

"What will change is the frequency of public source code releases for specific Android components," says Rahman. "Some components like the build system, update engine, Bluetooth stack, Virtualization framework, and SELinux configuration are currently AOSP-first, meaning they're developed fully in public. Most Android components like the core OS framework are primarily developed internally, although some features, such as the unlocked-only storage area API, are still developed within AOSP."
Chrome

Google Patches Chrome Sandbox Escape Zero-Day Caught By Kaspersky (securityweek.com) 42

wiredmikey shares a report from SecurityWeek: Google late Tuesday rushed out a patch for a sandbox escape vulnerability in its flagship Chrome browser after researchers at Kaspersky caught a professional hacking operation launching drive-by download exploits. The vulnerability, tracked as CVE-2025-2783, was chained with a second exploit for remote code execution in what appears to be a nation-state sponsored cyberespionage campaign [dubbed Operation ForumTroll] targeting organizations in Russia.

Kaspersky said it detected a series of infections triggered by phishing emails in the middle of March and traced the incidents to a zero-day that fired when victims simply clicked on a booby-trapped website from a Chrome browser. The Russian anti-malware vendor said victims merely had to click on a personalized, short-lived link, and their systems were compromised when the malicious website was opened in Chrome. Kaspersky said its exploit detection tools picked up on the zero-day, and after reverse-engineering the code, the team reported the bug to Google and coordinated the fix released on Tuesday.

Role Playing (Games)

After DDOS Attacks, Blizzard Rolls Back Hardcore WoW Deaths For the First Time (arstechnica.com) 21

An anonymous reader quotes a report from Ars Technica: World of Warcraft Classic's Hardcore mode has set itself apart from the average MMO experience simply by making character death permanent across the entire in-game realm. For years, Blizzard has not allowed any appeals or rollbacks for these Hardcore mode character deaths, even when such deaths came as the direct result of a server disconnection or gameplay bug. Now, Blizzard says it's modifying that policy somewhat in response to a series of "unprecedented distributed-denial-of-service (DDOS) attacks" undertaken "with the singular goal of disrupting players' experiences." The World of Warcraft developer says it may now resurrect Classic Hardcore characters "at our sole discretion" when those deaths come "in a mass event which we deem inconsistent with the integrity of the game." WoW's Classic Hardcore made it a hotspot for streamers, especially members of the OnlyFangs Guild, who embraced the challenge that one mistake could end a character's run. However, as Ars Technica reports, a series of DDOS attacks timed with their major livestreamed raids led to character deaths and widespread frustration, prompting streamer sodapoppin to declare the guild's end.

Blizzard responded by updating its Hardcore policy to resurrect characters lost specifically to DDOS attacks. "Recently, we have experienced unprecedented distributed-denial-of-service (DDOS) attacks that impacted many Blizzard game services, including Hardcore realms, with the singular goal of disrupting players' experiences," WoW Classic Associate Production Director Clay Stone wrote in a public message. "As we continue our work to further strengthen the resilience of WoW realms and our rapid response time, we're taking steps to resurrect player-characters that were lost as a result of these attacks."
Government

Consumer Groups Push New Law Fighting 'Zombie' IoT Devices (consumerreports.org) 56

Long-time Slashdot reader chicksdaddy writes: A group of U.S. consumer advocacy groups on Wednesday proposed legislation to address the growing epidemic of "zombie" Internet of Things (IoT) devices that have had software support cut off by their manufacturer, Fight To Repair News reports.

The Connected Consumer Product End of Life Disclosure Act is a collaboration between Consumer Reports, US PIRG, the Secure Resilient Future Foundation (SRFF) and the Center for Democracy and Technology. It requires manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.

The groups proposed legal requirements that manufacturers "must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device's end of life," while end-of-life notifications "must include details about features that will be lost, and potential vulnerabilities and security risks that may arise." And when an ISP-provided device (like a router) reaches its end of life, the ISP must remove it.

"The organizations are working with legislators at the state and federal level to get the model legislation introduced," according to Fight To Repair News.
AI

AI Coding Assistant Refuses To Write Code, Tells User To Learn Programming Instead (arstechnica.com) 96

An anonymous reader quotes a report from Ars Technica: On Saturday, a developer using Cursor AI for a racing game project hit an unexpected roadblock when the programming assistant abruptly refused to continue generating code, instead offering some unsolicited career advice. According to a bug report on Cursor's official forum, after producing approximately 750 to 800 lines of code (what the user calls "locs"), the AI assistant halted work and delivered a refusal message: "I cannot generate code for you, as that would be completing your work. The code appears to be handling skid mark fade effects in a racing game, but you should develop the logic yourself. This ensures you understand the system and can maintain it properly."

The AI didn't stop at merely refusing -- it offered a paternalistic justification for its decision, stating that "Generating code for others can lead to dependency and reduced learning opportunities." [...] The developer who encountered this refusal, posting under the username "janswist," expressed frustration at hitting this limitation after "just 1h of vibe coding" with the Pro Trial version. "Not sure if LLMs know what they are for (lol), but doesn't matter as much as a fact that I can't go through 800 locs," the developer wrote. "Anyone had similar issue? It's really limiting at this point and I got here after just 1h of vibe coding." One forum member replied, "never saw something like that, i have 3 files with 1500+ loc in my codebase (still waiting for a refactoring) and never experienced such thing."

Cursor AI's abrupt refusal represents an ironic twist in the rise of "vibe coding" -- a term coined by Andrej Karpathy that describes when developers use AI tools to generate code based on natural language descriptions without fully understanding how it works. While vibe coding prioritizes speed and experimentation by having users simply describe what they want and accept AI suggestions, Cursor's philosophical pushback seems to directly challenge the effortless "vibes-based" workflow its users have come to expect from modern AI coding assistants.

Printer

Firmware Update Bricks HP Printers, Makes Them Unable To Use HP Cartridges (arstechnica.com) 72

An anonymous reader quotes a report from Ars Technica: HP, along with other printer brands, is infamous for issuing firmware updates that brick already-purchased printers that have tried to use third-party ink. In a new form of frustration, HP is now being accused of issuing a firmware update that broke customers' laser printers -- even though the devices are loaded with HP-brand toner. The firmware update in question is version 20250209, which HP issued on March 4 for its LaserJet MFP M232-M237 models. Per HP, the update includes "security updates," a "regulatory requirement update," "general improvements and bug fixes," and fixes for IPP Everywhere. Looking back to older updates' fixes and changes, which the new update includes, doesn't reveal anything out of the ordinary. The older updates mention things like "fixed print quality to ensure borders are not cropped for certain document types," and "improved firmware update and cartridge rejection experiences." But there's no mention of changes to how the printers use or read toner.

However, users have been reporting sudden problems using HP-brand toner in their M232-M237 series printers since their devices updated to 20250209. Users on HP's support forum say they see Error Code 11 and the hardware's toner light flashing when trying to print. Some said they've cleaned the contacts and reinstalled their toner but still can't print. "Insanely frustrating because it's my small business printer and just stopped working out of nowhere[,] and I even replaced the tone[r,] which was a $60 expense," a forum user wrote on March 8.
HP said in a statement: "We are aware of a firmware issue affecting a limited number of HP LaserJet 200 Series devices and our team is actively working on a solution. For assistance, affected customers can contact our support team at: https://support.hp.com." It's unclear how widespread the problems are.
Security

CISA Tags Windows, Cisco Vulnerabilities As Actively Exploited (bleepingcomputer.com) 16

CISA has warned U.S. federal agencies about active exploitation of vulnerabilities in Cisco VPN routers and Windows systems. "While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it," adds Bleeping Computer. From the report: The first flaw (tracked as CVE-2023-20118) enables attackers to execute arbitrary commands on RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers. While it requires valid administrative credentials, this can still be achieved by chaining the CVE-2023-20025 authentication bypass, which provides root privileges. Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of CVE-2023-20025 publicly available proof-of-concept exploit code.

The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices. According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platforms.

Today, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security bugs the agency has tagged as exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 23, to secure their networks against ongoing exploitation.

Operating Systems

COSMIC Desktop Alpha 6 Released (linuxiac.com) 29

New submitter TronNerd82 writes: Linuxiac reports that the 6th alpha release of the COSMIC desktop environment has been released. The new alpha release includes zooming, desktop icon management, some new scaling options, and improved accessibility features. Also included in the release are a number of bug fixes.

These include, but are not limited to:
- Fixing a crash issue in Steam, and fixing certain issues for Radeon RX GPUs
- Fixing a bug that prevented icons from appearing in screenshots
- Adding a layer of polish to the COSMIC Files application by adding folder size metadata and preventing crashes

Also of note are a number of memory usage reductions across the board. COSMIC Alpha 6 also replaces the default font, changing from Fira Sans to Open Sans, with Noto Sans Mono as the default monospace font. Additional changes can be found in System76's official announcement.

Programming

Rust Developer Survey Finds Increasing Usage, Especially on Linux (rust-lang.org) 26

This year's "State of Rust" survey was completed by 7,310 Rust developers. DevClass notes some key findings: When asked about their biggest worries for Rust's future, 45.5 percent cited "not enough usage in the tech industry," up from 42.5 percent last year, just ahead of the 45.2 percent who cited complexity as a concern... Only 18.6 percent declared themselves "not worried," though this is a slight improvement on 17.8 percent in 2023...

Another question asks whether respondents are using Rust at work. 38.2 percent claimed to use it for most of their coding [up from 34% in 2023], and 13.4 percent a few times a week, accounting for just over half of responses. At the organization level there is a similar pattern. 45.5 percent of organizations represented by respondents make "non-trivial use of Rust," up from 38.7 percent last year.

More details from I Programmer: On the up are "Using Rust helps us achieve our goals", now 82% compared to 72% in 2022; "We're likely to use Rust again in the future", up 3% to 78%; and "Using Rust has been worth the cost of Adoption". Going down are "Adopting Rust has been challenging", now 34.5% compared to 38.5% in 2022; and "Overall adopting Rust has slowed down our team" down by over 2% to 7%.
"According to the survey, organizations primarily choose Rust for building correct and bug-free software (87.1%), performance characteristics (84.5%), security and safety properties (74.8%), and development enjoyment (71.2%)," writes The New Stack: Rust seems to be especially popular for creating server backends (53.4%), web and networking services, cloud technologies and WebAssembly, the report said. It also seems to be gaining more traction for embedded use cases... Regarding the preferred development environment, Linux remains the dominant development platform (73.7%).

However, although VS Code remains the leading editor, its usage dropped five percentage points, from 61.7% to 56.7%, but the Zed editor gained notable traction, from 0.7% to 8.9%. Also, "nine out of 10 Rust developers use the current stable version, suggesting strong confidence in the language's stability," the report said...

Overall, 82% of respondents report that Rust helped their company achieve its goals, and daily Rust usage increased to 53% (up four percentage points from 2023). When asked why they use Rust at work, 47% of respondents cited a need for precise control over their software, which is up from 37% when the question was asked two years ago.

Windows

Glitches for Windows 11 Update Include Breaking File Explorer (zdnet.com) 57

Five days ago on Patch Tuesday, Microsoft released patch KB5051987 for Windows 11 version 24H2, writes the XDA Developers site.

But "As reported by Windows Latest and various communities like Reddit and Microsoft's help forum, many users have encountered a major issue..."

Some have reported that, in addition to File Explorer failing to launch, they're unable to open folders from the desktop, save Office files, or even download files. Clicking on a folder icon may display its subfolders, but the contents within remain inaccessible... Some users on Microsoft's help forum and Reddit have also reported that the KB5051987 patch fails to install entirely. The update gets stuck at a certain percentage for hours before eventually displaying an error code. While these are among the most widely reported issues, others have surfaced as well, including problems with Taskbar preview animations, the camera, and more.
"Microsoft keeps running into brick walls with the 2024 version of Windows 11," writes ZDNet. "Each new update designed to fix the outstanding bugs ends up introducing other problems..." Among the glitches resolved were ones that affected digital audio converters, USB audio drivers, USB cameras, and passkeys. The update also patched several security vulnerabilities, including some that were deemed critical....

Other glitches that may pop up include a stuttering mouse, an undetectable camera, .NET apps that cannot be installed inside the Windows Sandbox, and the Taskbar's new preview animation that does not work properly. You may also encounter other roadblocks. One person in the Windows Feedback Hub said that after installing the update, the battery life shows only 2.5 hours versus 6 hours previously. Another person found that the clipboard history no longer copies items from Microsoft Word...

Each annual Windows update can suffer from bugs, especially after being rolled out to millions of users. However, Windows 11 24H2 has been more problematic than usual. Since its official launch last October, the 2024 version has carried with it a host of known issues, many of which still haven't been resolved.

AI

AI Can Write Code But Lacks Engineer's Instinct, OpenAI Study Finds 76

Leading AI models can fix broken code, but they're nowhere near ready to replace human software engineers, according to extensive testing [PDF] by OpenAI researchers. The company's latest study put AI models and systems through their paces on real-world programming tasks, with even the most advanced models solving only a quarter of typical engineering challenges.

The research team created a test called SWE-Lancer, drawing from 1,488 actual software fixes made to Expensify's codebase, representing $1 million worth of freelance engineering work. When faced with these everyday programming tasks, the best AI model -- Claude 3.5 Sonnet -- managed to complete just 26.2% of hands-on coding tasks and 44.9% of technical management decisions.

Though the AI systems proved adept at quickly finding relevant code sections, they stumbled when it came to understanding how different parts of software interact. The models often suggested surface-level fixes without grasping the deeper implications of their changes.

The research, to be sure, used a set of complex methodologies to test the AI coding abilities. Instead of relying on simplified programming puzzles, OpenAI's benchmark uses complete software engineering tasks that range from quick $50 bug fixes to complex $32,000 feature implementations. Each solution was verified through rigorous end-to-end testing that simulated real user interactions, the researchers said.
Bug

Final Fantasy iOS Game Shuts Down Over Unfixable Bug (theverge.com) 37

The Verge's Jay Peters reports: Square Enix has shut down the iOS version of Final Fantasy Crystal Chronicles and removed it from the App Store following an unfixable bug that blocked people from accessing content they had paid for. [...] The company says that if you made in-app purchases in January 2024 or later, you're eligible to request a refund by contacting Apple Support. Square Enix says that Final Fantasy Crystal Chronicles will continue to be supported on other platforms. The game is also available on Android, PlayStation, and Nintendo Switch. "The issue is due to changes made to the in-app purchases model," Square Enix says in a post. "Further investigation revealed that we are unable to completely fix the bug and implement the new changes, making it unlikely to resume service for the game." Square Enix says it started receiving reports on January 24th about the issue, which "extends to the full paid version of the game."
Ubuntu

'I'm Done With Ubuntu' (ounapuu.ee) 202

Software developer and prolific blogger Herman Ounapuu, writing in a blog post: I liked Ubuntu. For a very long time, it was the sensible default option. Around 2016, I used the Ubuntu GNOME flavor, and after they ditched the Unity desktop environment, GNOME became the default option.

I was really happy with it, both for work and personal computing needs. Estonian ID card software was also officially supported on Ubuntu, which made Ubuntu a good choice for family members.

But then something changed.
Ounapuu recounts how Ubuntu's bi-annual long-term support releases consistently broke functionality, from minor interface glitches to catastrophic system failures that left computers unresponsive. His breaking point came after multiple problematic upgrades affecting family members' computers, including one that rendered a laptop completely unusable during an upgrade from Ubuntu 20.04 to 22.04. Another incident left a relative's system with broken Firefox shortcuts and duplicate status bar icons after updating Lubuntu 18.04.

Canonical's aggressive push of Snap packages has drawn particular criticism. The forced migration of system components from traditional Debian packages to Snaps resulted in compatibility issues, broken desktop shortcuts, and government ID card authentication failures. In one instance, he writes, a Snap-related bug in the GNOME desktop environment severely disrupted workplace productivity, requiring multiple system restarts to resolve. The author has since switched to Fedora, praising its implementation of Flatpak as a superior alternative to Snaps.
Chrome

Google's 10-Year Chromebook Lifeline Leaves Old Laptops Headed For Silicon Cemetery (theregister.com) 52

The Register's Dan Robinson reports: Google promised a decade of updates for its Chromebooks in 2023 to stop them being binned so soon after purchase, but many are still set to reach the end of the road sooner than later. The appliance-like laptop devices were introduced by megacorp in 2011, running its Linux-based ChromeOS platform. They have been produced by a number of hardware vendors and proven popular with buyers such as students, thanks to their relatively low pricing. The initial devices were designed for a three-year lifespan, or at least this was the length of time Google was prepared to issue automatic updates to add new features and security fixes for the onboard software.

Google has extended this Auto Update Expiration (AUE) date over the years, prompted by irate users who purchased a Chromebook only to find that it had just a year or two of software updates left if that particular model had been on the market for a while. The latest extension came in September 2023, when the company promised ten years of automatic updates, following pressure from the US-based Public Interest Research Group (PIRG). The advocacy organization had recommended this move in its Chromebook Churn report, which criticized the devices as not being designed to last.

PIRG celebrated its success at the time, claiming that Google's decision to extend support would "save millions of dollars and prevent tons of e-waste from being disposed of." But Google's move actually meant that only Chromebooks released from 2021 onward would automatically get ten years of updates, starting in 2024. For a subset of older devices, an administrator (or someone with admin privileges) can opt in to enable extended updates and receive the full ten years of support, a spokesperson for the company told us. This, according to PIRG, still leaves many models set to reach end of life this year, or over the next several years.
"According to my research, at least 15 Chromebook models have already expired across most of the top manufacturers (Google, Acer, Dell, HP, Samsung, Asus, and Lenovo). Models released before 2021 don't have the guaranteed ten years of updates, so more devices will continue to expire each year," Stephanie Markowitz, a Designed to Last Campaign Associate at PIRG, told The Register.

"In general, end-of-support dates for consumer tech like laptops act as 'slow death' dates," according to Markowitz. "The devices won't necessarily lose function immediately, but without security updates and bug patches, the device will eventually become incompatible with the most up-to-date software, and the device itself will no longer be secure against malware and other issues."

A full list of end-of-life dates for Chromebook models can be viewed here.
Bug

Zyxel Firewalls Borked By Buggy Update, On-Site Access Required For Fix (theregister.com) 18

Zyxel customers are facing reboot loops, high CPU usage, and login issues after an update on Friday went awry. The only fix requires physical access and a Console/RS232 cable, as no remote recovery options are available. The Register reports: "We've found an issue affecting a few devices that may cause reboot loops, ZySH daemon failures, or login access problems," Zyxel's advisory reads. "The system LED may also flash. Please note this is not related to a CVE or security issue." "The issue stems from a failure in the Application Signature Update, not a firmware upgrade. To address this, we've disabled the application signature on our servers, preventing further impact on firewalls that haven't loaded the new signature versions."

The firewalls affected include USG Flex boxes and ATP Series devices running ZLD firmware versions -- installations that have active security licenses and dedicated signature updates enabled in on-premises/standalone mode. Those running on the Nebula platform, on USG Flex H (uOS), and those without valid security licenses are not affected.
