Bug

LastPass Bugs Allow Malicious Websites To Steal Passwords (bleepingcomputer.com) 126

Earlier this month, a Slashdot reader asked fellow Slashdotters what they recommended regarding password managers. In their post, they voiced their unease with password managers because they have been hacked in the past, citing an incident in early 2016 where a bug in LastPass's autofill feature allowed a malicious website to extract stored passwords. Fast forward to the present and we now have news that three separate bugs "would have allowed a third-party to extract passwords from users visiting a malicious website." An anonymous Slashdot reader writes via BleepingComputer: LastPass patched three bugs that affected the Chrome and Firefox browser extensions which, if exploited, would have allowed a third party to extract passwords from users visiting a malicious website. All three bugs were reported by Google security researcher Tavis Ormandy, and all allowed the theft of user credentials: one affected the LastPass Chrome extension, while two impacted the LastPass Firefox extension [1, 2]. The exploitation vector was malicious JavaScript code that could easily be hidden in any website, either one owned by the attacker or a compromised legitimate site.
Chrome

Google Contemplating Removing Chrome 'Close Other Tabs' and 'Close Tabs to the Right' Options (bleepingcomputer.com) 266

An anonymous reader shares a report: Chrome engineers are planning to remove two options from Chrome that allow users to quickly close a large number of tabs with just a few clicks. The options, named "Close other tabs" and "Close tabs to the right", reside in the menu that appears when a user right-clicks on a Chrome tab. According to an issue on the Chromium project spotted yesterday by a Reddit user, Google engineers had planned to remove the menu options for many years, even before opening the Chromium issue, which itself dates to July 31, 2015. After several years of inactivity and no decision, things started to move again in September 2016, when usage statistics confirmed that Chrome users rarely used the two options. Seeing no new discussion past this point, Chromium engineers assigned the issue in February, meaning engineers are getting ready to remove the two menu options in future Chromium builds.
Firefox

Firefox for Linux is Now Netflix Compatible (betanews.com) 71

Brian Fagioli, writing for BetaNews: For a while, Netflix was not available for traditional Linux-based operating systems, meaning users were unable to enjoy the popular streaming service without booting into Windows. This was due to the company's reliance on Microsoft Silverlight. Since then, Netflix adopted HTML5, and it made Google Chrome and Chromium for Linux capable of playing the videos. Unfortunately, Firefox -- the open source browser choice for many Linux users -- was not compatible. Today this changes, however, as Mozilla's offering is now compatible with Netflix!
Chrome

Which Linux Browser Is The Fastest? (zdnet.com) 160

ZDNet's Networking blog calls Firefox "the default web browser for most Linux distributions" and "easily the most popular Linux web browser" (with 51.7% of the vote in a recent survey by LinuxQuestions, followed by Chrome with 15.67%). But is it the fastest? An anonymous reader writes: ZDNet's Networking blog just ran speed tests on seven modern browsers -- Firefox, Chrome, Chromium, Opera (which is also built on Chromium), GNOME Web (formerly Epiphany), and Vivaldi (an open-source fork of the old Opera code for power-users). They subjected each browser to the JavaScript test suites JetStream, Kraken, and Octane, as well as reaction speed-testing by Speedometer and scenarios from WebXPRT, adding one final test for compliance with the HTML5 standard.

The results? Firefox emerged "far above" the other browsers for the everyday tasks measured by WebXPRT, but ranked near the bottom in all of the other tests. "Taken all-in-all, I think Linux users should look to Chrome for their web browser use," concludes ZDNet's contributing editor. "When it's not the fastest, it's close to being the speediest. Firefox, more often than not, really isn't that fast. Of the rest, Opera does reasonably well. Then, Chromium and Vivaldi are still worth looking at. Gnome Web, however, especially with its dreadful HTML 5 compatibility, doesn't merit much attention."

The article also reports some formerly popular Linux browsers are no longer being maintained, linking to a KDE forum discussion that concludes that Konqueror and Rekonq "are both more or less dead."
Bug

Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com) 73

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after publishing details last week about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked as CVE-2017-0037 and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine and take over the device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...

Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
Bug

Cloudflare Leaks Sensitive User Data Across the Web (theregister.co.uk) 87

ShaunC writes: In a bug that's been christened "Cloudbleed," Cloudflare disclosed today that some of their products accidentally exposed private user information from a number of websites. Similar to 2014's Heartbleed, Cloudflare's problem involved a buffer overrun that allowed uninitialized memory contents to leak into normal web traffic. Tavis Ormandy, of Google's Project Zero, discovered the flaw last week. Affected sites include Uber, Fitbit, and OkCupid, as well as unnamed services for hotel booking and password management. Cloudflare says the bug has been fixed, and Google has purged affected pages from its search index and cache. Further reading: The Register, Ars Technica
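The summary above describes Cloudbleed only as a buffer overrun that let memory leak into traffic. The C example below is added here as an illustration of that bug class and is not Cloudflare's code: a chunk parser whose loop terminates on a pointer-equality test while one branch advances the pointer two bytes at a time. When a chunk ends in a way that branch does not expect, the pointer steps past the end, the equality test never fires, and bytes from whatever sits next in memory are copied into the output. Cloudflare's own post-mortem described a check of exactly this shape (an equality comparison against the end pointer that a pointer was able to step past). The `arena`, `CHUNK` and `SESSION=s3cr3t` secret are constructed for the demonstration; a 64-byte array stands in for the heap so the over-read stays inside memory the program owns.

```c
#include <stdio.h>
#include <string.h>

/* A 64-byte "heap" stand-in (constructed for this demo): the request chunk
 * being parsed sits at the front, and the bytes after it belong to something
 * else entirely, here a session token from another request. A correct parser
 * never reads past the chunk. */
#define ARENA_LEN 64
#define CHUNK "host=a.example\r"        /* 15 bytes, ends with a lone CR */
#define SECRET "SESSION=s3cr3t"         /* 14 bytes of neighbouring memory */
#define SECRET_OFF 16                   /* where the neighbour's data starts */

typedef size_t (*copier_fn)(const char *chunk, size_t len, char *out, size_t out_cap);

/* Vulnerable: copies chunk bytes to out, dropping CR LF pairs. The end test is
 * an equality check (p != pe) and the CRLF branch advances two bytes without
 * looking. A chunk ending in a lone CR puts p one past pe, the check never
 * fires, and the loop keeps copying whatever memory follows the chunk until
 * the output buffer is full. */
size_t copy_without_crlf_vuln(const char *chunk, size_t len, char *out, size_t out_cap)
{
    const char *p = chunk, *pe = chunk + len;
    size_t n = 0;
    while (p != pe && n < out_cap) {
        if (*p == '\r') { p += 2; continue; }   /* assumes an LF follows */
        out[n++] = *p++;
    }
    return n;
}

/* Hardened: a range check (p < pe) stops the loop even if p overshoots, and
 * the two-byte step is taken only when both bytes are inside the chunk. */
size_t copy_without_crlf_fixed(const char *chunk, size_t len, char *out, size_t out_cap)
{
    const char *p = chunk, *pe = chunk + len;
    size_t n = 0;
    while (p < pe && n < out_cap) {
        if (*p == '\r' && p + 1 < pe && p[1] == '\n') { p += 2; continue; }
        out[n++] = *p++;
    }
    return n;
}

/* Lay out the arena, run a copier over the chunk only, and NUL-terminate the
 * result. Returns the number of bytes the copier produced. out must hold at
 * least out_cap + 1 bytes. */
size_t run_copier(copier_fn fn, char *out, size_t out_cap)
{
    char arena[ARENA_LEN];
    memset(arena, 'A', sizeof arena);                    /* unrelated heap filler */
    memcpy(arena, CHUNK, strlen(CHUNK));                 /* the chunk: arena[0..15) */
    memcpy(arena + SECRET_OFF, SECRET, strlen(SECRET));  /* the neighbour's token */
    size_t n = fn(arena, strlen(CHUNK), out, out_cap);
    out[n] = '\0';
    return n;
}

/* 1 if the copier's output contains bytes that were never part of the chunk. */
int leaks_neighbour(copier_fn fn)
{
    char out[ARENA_LEN + 1];
    run_copier(fn, out, ARENA_LEN - SECRET_OFF);   /* 48: more than the chunk holds */
    return strstr(out, SECRET) != NULL;
}

/* 1 if running the copier with the given output capacity yields exactly expected. */
int output_equals(copier_fn fn, size_t out_cap, const char *expected)
{
    char out[ARENA_LEN + 1];
    if (out_cap > ARENA_LEN) return 0;
    run_copier(fn, out, out_cap);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    char out[ARENA_LEN + 1];
    size_t n = run_copier(copy_without_crlf_vuln, out, 28);
    printf("vulnerable: %zu bytes: \"%s\"\n", n, out);   /* token from arena[16..30) appears */
    n = run_copier(copy_without_crlf_fixed, out, 28);
    printf("fixed:      %zu bytes: \"%s\"\n", n, out);   /* stops at the chunk boundary */
    return 0;
}
```

The vulnerable copier never writes past `out_cap`, so nothing crashes; that is what makes this class of bug dangerous in a proxy, since the leaked bytes simply travel onward as part of a well-formed response. The fix is the range comparison, not a larger buffer.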
Bug

Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com) 122

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among others.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-day deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, on March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
Android

Google's Not-so-secret New OS (techspecs.blog) 129

According to reports late last year, Google is working on a new operating system called Andromeda. Much about it is still unknown, but according to the documentation Google has provided on its website, it's clear that Fuchsia is the actual name of the operating system, and the kernel is called Magenta. A tech enthusiast dug around the documentation to share the following: To my naive eyes, rather than saying Chrome OS is being merged into Android, it looks more like Android and Chrome OS are both being merged into Fuchsia. It's worth noting that these operating systems had previously already begun to merge together to an extent, such as when the Android team worked with the Chrome OS team in order to bring Update Engine to Nougat, which introduced A/B updates to the platform. Google is unsurprisingly bringing up Andromeda on a number of platforms, including the humble Intel NUC. ARM, x86, and MIPS bring-up is exactly what you would expect for an Android successor, and it also seems clear that this platform will run on Intel laptops. My best guess is that Android as an API and runtime will live on as a legacy environment within Andromeda. That's not to say that all development of Android would immediately stop, which seems extremely unlikely. But Google can't push two UI APIs as equal app frameworks over the long term: Mojo is clearly the future. Ah, but what is Mojo? Well, it's the new API for writing Andromeda apps, and it comes from Chromium. Mojo was originally created to "extract a common platform out of Chrome's renderer and plugin processes that can support multiple types of sandboxed content."
Android

Google Is Integrating Progressive Web Apps Deeper Into Android (chromium.org) 46

Yaron Friedman, a software engineer at Google, writes on Chromium blog: In 2015, we added a new feature to Chrome for Android that allows developers to prompt users to add their site to the Home screen for fast and convenient access. That feature uses an Android shortcut, which means that web apps don't show up throughout Android in the same way as installed native apps. In the next few weeks we'll be rolling out a new version of this experience in Chrome beta. With this new version, once a user adds a Progressive Web App to their Home screen, Chrome will integrate it into Android in a much deeper way than before. For example, Progressive Web Apps will now appear in the app drawer section of the launcher and in Android Settings, and will be able to receive incoming intents from other apps. Long presses on their notifications will also reveal the normal Android notification management controls rather than the notification management controls for Chrome.
Chrome

Google Open-Sources Chrome For iOS (venturebeat.com) 39

Google has uploaded its Chrome for iOS code into the open-source Chromium repository. In other words, Chrome for iOS has now been open-sourced like Chrome for other platforms, letting anyone examine, modify, and compile the project. From a report: Chromium is the open-source Web browser project that shares much of the same code as Google Chrome, and new features are often added there first. Google intended for Chromium to be the name of the open-source project, while the final product name would be Chrome, but developers have taken the code and released versions under the Chromium name. Eventually, many browser makers started using it as a starting point; Opera, for example, switched its browser base to Chromium in 2013. Since its inception, Chromium was a desktop-only affair. That changed in May 2015 with the open-sourcing of Chrome for Android.
Chrome

Google Quietly Makes 'Optional' Web DRM Mandatory In Chrome (boingboing.net) 95

JustAnotherOldGuy quotes a report from Boing Boing: The World Wide Web Consortium's Encrypted Media Extensions (EME) is a DRM system for web video, being pushed by Netflix, movie studios, and a few broadcasters. It's been hugely controversial within the W3C and outside of it, but one argument that DRM defenders have made throughout the debate is that the DRM is optional, and if you don't like it, you don't have to use it. That's not true any more. Some time in the past few days, Google quietly updated Chrome (and derivative browsers like Chromium) so that Widevine (Google's version of EME) can no longer be disabled; it comes switched on and installed in every Chrome instance. Because of laws like section 1201 of the U.S. Digital Millennium Copyright Act (and Canada's Bill C11, and EU implementations of Article 6 of the EUCD), browsers that have DRM in them are risky for security researchers to audit. These laws provide both criminal and civil penalties for those who tamper with DRM, even for legal, legitimate purposes, and courts and companies have interpreted this to mean that companies can punish security researchers who reveal defects in their products. Further reading: Boing Boing and Hacker News.
Chrome

Google Removes Plugin Controls From Chrome, Reports Claim (ghacks.net) 106

An anonymous reader shares a Ghacks report: Google made a change in Chrome 57 that removes options from the browser to manage plugins such as Google Widevine, Adobe Flash, or the Chrome PDF Viewer. If you load chrome://plugins in Chrome 56 or earlier, a list of installed plugins is displayed to you. You can use it, among other things, to disable plugins that you don't require. While you can do the same for some plugins, Flash and PDF Viewer, using Chrome's Settings, the same is not possible for the DRM plugin Widevine, and any other plugin Google may add to Chrome in the future. Starting with Chrome 57, that option is no longer available. This means essentially that Chrome users won't be able to disable -- some -- plugins anymore, or even list the plugins that are installed in the web browser. Please note that this affects Google Chrome and Chromium. Further report on BetaNews.
Desktops (Apple)

Raspberry Pi's Linux-Based PIXEL Desktop Now Available For PC and Mac (betanews.com) 50

From a report on BetaNews: If you own a Raspberry Pi, you're probably familiar with PIXEL. The desktop environment is included in the Raspbian OS. The Raspberry Pi Foundation describes PIXEL as the "GNU/Linux we would want to use" and understandably so. It offers a smart, clean interface, a decent selection of software, the Chromium web browser with plug-ins, and more -- and from today it's available for PC and Mac. The version of Debian+PIXEL for x86 platforms is described as "experimental" but having taken it for a spin, it seems pretty stable to me. To run PIXEL on your PC or Mac, download the image, burn it onto a DVD or flash it onto a USB memory stick, and boot from it. The desktop environment will load ready for use.
Chrome

Google Starts Using HTML5 By Default Instead of Flash For Some Chrome Users (venturebeat.com) 40

Google announced in a blog post today that it will be rolling out a feature over the next few months that starts disabling Flash and displaying HTML5 content instead on certain websites. Google notes, "This change disables Adobe Flash Player unless there's a user indication that they want Flash content on specific sites, and eventually all websites will require the user's permission to run Flash." VentureBeat reports: Google has deployed the change for half of the people who are using Chrome 56 beta, which rolled out yesterday, Google technical program manager Eric Deily wrote in a blog post. Then, "in the next few days," Deily wrote, the feature will be active for 1 percent of users of Chrome 55 stable. And by February 2016 it will be live for all users in Chrome 56 stable, Deily wrote. The idea is to lessen the dependence on a web component that can cause a drag on CPU and memory usage and shorten battery life as a result. Flash also has a track record of security issues.
Chrome

Chrome 55 Now Blocks Flash, Uses HTML5 By Default (bleepingcomputer.com) 98

An anonymous reader quotes Bleeping Computer: Chrome 55, released earlier this week, now blocks all Adobe Flash content by default, according to a plan set in motion by Google engineers earlier this year... While some of the initial implementation details of the "HTML5 By Default" plan changed since then, Flash has been phased out in favor of HTML5 as the primary technology for playing multimedia content in Chrome.

Google's plan is to turn off Flash and use HTML5 for all sites. Where HTML5 isn't supported, Chrome will prompt users and ask them if they want to run Flash to view multimedia content. The user's option would be remembered for subsequent visits, but there's also an option in the browser's settings section, under Settings > Content Settings > Flash > Manage Exceptions, where users can add the websites they want to allow Flash to run by default.

Exceptions will also be made automatically for your more frequently-visited sites -- which, for many users, will include YouTube. And Chrome will continue to ship with Flash -- as well as an option to re-enable Flash on all sites.
Open Source

A Windows 10 Alternative: Ubuntu-Based Zorin OS Linux Distro (betanews.com) 191

"With a click of a button, you can change the desktop layout to match that of Windows versions and Gnome 3. The Ultimate edition...also features Ubuntu, Gnome 2 and macOS-like layouts." BrianFagioli shares an article about a Linux-based operating system "designed for Windows-switchers." While the company does charge for an "Ultimate" version, the "Core" edition of Zorin OS 12 is entirely free... "As Zorin OS 12 is based on Ubuntu 16.04 LTS, it will be supported with security updates until April 2021. This makes Zorin OS 12 the ideal choice for large deployments in businesses, governments, schools and organisations", says the Zorin OS team... Zorin OS offers some really useful features, such as Google Drive integration with the file browser.
Unlike Windows 10, its default browser is Chromium.
Firefox

Firefox 49 Postponed One Week Due To Unexpected Bugs (softpedia.com) 208

An anonymous Slashdot reader quotes Softpedia: Mozilla has announced this week that it is delaying the release of Firefox 49 for one week to address two unexpected bugs. Firefox 49, which was set for release on Tuesday, September 13, will now launch the following Tuesday, on September 20... Firefox 49 is an important release in Mozilla's grand scheme of things when it comes to Firefox. This is the version when Mozilla will finish multi-process support rollout (a.k.a. e10s, or Electrolysis), and the version when Firefox launches the new WebExtensions API that replaces the old Add-ons API, making Firefox compatible with Chromium extensions.
Firefox's release manager explained the delays as "two blocking issues and the need for a bit more time to evaluate the results of their fixes/backouts" -- one of which apparently involves opening Giphy GIFs on Twitter.
Chrome

Google Will Kill Chrome Apps For Windows, Mac, and Linux In Early 2018 (venturebeat.com) 102

An anonymous reader quotes a report from VentureBeat: Google today announced plans to kill off Chrome apps for Windows, Mac, and Linux in early 2018. Chrome extensions and themes will not be affected, while Chrome apps will continue to live on in Chrome OS. Here's the deprecation timeline:

Late 2016: Newly published Chrome apps will not be available to Windows, Mac, and Linux users (when developers submit apps to the Chrome Web Store, they will only show up for Chrome OS). Existing Chrome apps will remain available as they are today and developers can continue to update them.
Second half of 2017: The Chrome Web Store will no longer show Chrome apps on Windows, Mac, and Linux.
Early 2018: Chrome apps will not load on Windows, Mac, and Linux.
There appear to be two main reasons why Google is killing Chrome apps off now. First, as Google explains in a blog post: "For a while there were certain experiences the web couldn't provide, such as working offline, sending notifications, and connecting to hardware. We launched Chrome apps three years ago to bridge this gap. Since then, we've worked with the web standards community to enable an increasing number of these use cases on the web. Developers can use powerful new APIs such as service worker and web push to build robust Progressive Web Apps that work across multiple browsers." Secondly, Chrome apps aren't very popular: "Today, approximately 1 percent of users on Windows, Mac and Linux actively use Chrome packaged apps, and most hosted apps are already implemented as regular web apps. Chrome on Windows, Mac, and Linux will therefore be removing support for packaged and hosted apps over the next two years."
Chrome

Google: Chrome 53 Will 'De-Emphasize Flash In Favor of HTML5' Next Month (venturebeat.com) 68

Google announced in a blog post today that Chrome will officially start to "de-emphasize Flash in favor of HTML5." VentureBeat reports: "In September 2016, Chrome will block Flash content that loads behind the scenes, which the company estimates accounts for more than 90 percent of the Flash on the web. In December, Chrome will make HTML5 the default experience for central content, such as games and videos, except on sites that only support Flash." Google detailed next month's plan (design doc), when Chrome 53 will be released: "In September 2015, we made 'Detect and run important plugin content' the default plugin setting in Chrome, automatically pausing any cross-origin plugin content smaller than 400px in width or 300px in height. This behavior has an exception for any plugin content that is 5x5 or smaller or is an undefined size, because there was no canonical way of detecting viewability until Intersection Observer was standardized and implemented. We would now like to remove this exception and instead not load tiny, cross-origin content. If the user has their plugin setting set to the default of 'Detect and run important plugin content,' the browser will not instantiate cross-origin plugin content that is roughly 5x5 or smaller or has an undefined size. An icon will be displayed in the URL bar indicating that plugin content is not running, allowing the user to reload the page with plugin content running or open settings to add a site-wide exception. Other choices of the plugin content setting are unaffected by this launch."