According to Windows Latest, "Microsoft is A/B testing a new feature that is designed to nag users with fullscreen window-less Microsoft Edge recommendations in the OOBE screen." From the report: The nag will appear when users set up their PC, sign in to their system after applying updates, or when they click on a new ad banner within the Settings. [...] Microsoft is trying to convince users of rival browsers who are visiting Windows Settings of the benefits of trying the Chromium Edge. In the Settings app, there's a new banner that appears to be rolling out to non-Insiders. As you can see in the above screenshot, the advert appears across the top of the Settings app window, just above the settings options.

The banner states that you can "get even more out of Windows" and it surprisingly launches the OOBE (out of the box experience) screen. [...] This ad appeared only when our devices were set to use Google Chrome and Firefox as the default web browser. The user can easily close the advert by clicking the second option "Don't update your browser settings." If you try to skip the setup, the pop-up will appear again in future. Unfortunately, you cannot permanently disable these recommendations in Windows 10.

Mint's programmers, led by lead developer, Clement "Clem" Lefebvre, have built their own take on Google's open-source Chromium web browser. ZDNet reports: Some of you may be saying, "Wait, haven't they offered Chromium for years? Well, yes, and no. For years, Mint used Ubuntu's Chromium build. But then Canonical, Ubuntu's parent company, moved from releasing Chromium as an APT-compatible DEB package to a Snap. The Ubuntu Snap software packing system, along with its rivals Flatpak and AppImage, is a new, container-oriented way of installing Linux applications. The older way of installing Linux apps, such as DEB and RPM package management systems for the Debian and Red Hat Linux families, incorporate the source code and hard-coded paths for each program.

While tried and true, these traditional packages are troublesome for developers. They require programmers to hand-craft Linux programs to work with each specific distro and its various releases. They must ensure that each program has access to specific libraries' versions. That's a lot of work and painful programming, which led to the process being given the name: Dependency hell. Snap avoids this problem by incorporating the application and its libraries into a single package. It's then installed and mounted on a SquashFS virtual file system. When you run a Snap, you're running it inside a secured container of its own. For Chromium, in particular, Canonical felt using Snaps was the best way to handle this program. [...]

Lefebvre wrote, "The Chromium browser is now available in the official repositories for both Linux Mint and LMDE. If you've been waiting for this I'd like to thank you for your patience." Part of the reason was, well, Canonical was right. Building Chromium from source code is one really slow process. He explained, "To guarantee reactivity and timely updates we had to automate the process of detecting, packaging and compiling new versions of Chromium. This is an application which can require more than 6 hours per build on a fast computer. We allocated a new build server with high specifications (Ryzen 9 3900, 128GB RAM, NMVe) and reduced the time it took to build Chromium to a little more than an hour." That's a lot of power! Still, for those who love it, up-to-date builds of Chromium are now available for Mint users.

Last month, Microsoft officials said they'd release a preview of the new Chromium-based Edge browser for Linux some time in October. On October 20, Microsoft made good on the promise, making available the Edge Dev Channel build for Linux. ZDNet reports: The new release supports Ubuntu, Debian, Fedora and openSUSE Linux distributions. Microsoft is planning to release weekly builds, like it does with the Dev Channel builds for other platforms. To get started, users can download and install a .deb or .rpm package directly from the Edge Insider site, which will configure a system to get future automatic updates. Or users can install Edge from Microsoft's Linux Software Repository. More detailed instructions are available on Microsoft's Chredge-on-Linux blog post.

An anonymous reader quotes a report from Ars Technica: Adblocking extensions with more than 300,000 active users have been surreptitiously uploading user browsing data and tampering with users' social media accounts thanks to malware its new owner introduced a few weeks ago, according to technical analyses and posts on Github. Hugo Xu, developer of the Nano Adblocker and Nano Defender extensions, said 17 days ago that he no longer had the time to maintain the project and had sold the rights to the versions available in Google's Chrome Web Store. Xu told me that Nano Adblocker and Nano Defender, which often are installed together, have about 300,000 installations total.

Four days ago, Raymond Hill, maker of the uBlock Origin extension upon which Nano Adblocker is based, revealed that the new developers had rolled out updates that added malicious code. The first thing Hill noticed the new extension doing was checking if the user had opened the developer console. If it was opened, the extension sent a file titled "report" to a server at https://def.dev-nano.com/. "In simple words, the extension remotely checks whether you are using the extension dev tools -- which is what you would do if you wanted to find out what the extension is doing," he wrote. The most obvious change end users noticed was that infected browsers were automatically issuing likes for large numbers of Instagram posts, with no input from users. Cyril Gorlla, an artificial intelligence and machine learning researcher at the University of California in San Diego, told me that his browser liked more than 200 images from an Instagram account that didn't follow anyone. The screenshot to the right shows some of the photos involved.

The Verge's senior news editor complains that without permission, Windows 10 restarted to install "unsolicited, unwanted web app versions of Word, PowerPoint, Excel and Outlook onto my computer." OK, it's not as bad as when my entire computer screen got taken over by an unwanted copy of Microsoft Edge. That was truly egregious. No, this time Microsoft is merely sneaking unwanted web apps onto my PC — and using my Windows 10 Start Menu as free advertising space. Did I mention that icons for Microsoft Office apps have magically appeared in my Start Menu, even though I've never once installed Office on this computer?

These aren't full free copies of Office, by the way. They're just shortcuts to the web version you could already access in any web browser of your choice, which double as advertisements to pay for a more fully featured copy... They're the latest proof that Microsoft doesn't respect your ownership of your own PC, the latest example of Microsoft installing anything it likes in a Windows update up to and including bloatware, and the latest example of Microsoft caring more about the bottom line than whether a few people might lose their work when Windows suddenly shuts down their PC. Luckily, I didn't lose any work today, but a friend of mine recently did...

Microsoft seems to think our computers are free advertising space, a place where it can selfishly promote its other products — even though they were told roundly in the '90s that even bundling a web browser was not OK. Now, they're bundling a browser you can't uninstall, and a set of PWA web apps that launch in that same browser. (Yes, they fire up Edge even if you've set a different browser as default.)

Microsoft today announced a slew of new features coming to its Chromium Edge browser. From a report: There are PDF improvements, a built-in screenshot tool, support for more themes, and new shopping features in time for the holiday season. But the most notable addition is the one powered by Skype because for better or for worse, 2020 is the year of video calling. When Zoom usage exploded this year, Microsoft tried to save face by making it easier to join Skype calls -- the company dropping account sign-up requirements and expanded the number of supported users. Microsoft is now bringing that functionality to Edge's new tab page with a dedicated Meet Now button (not to be confused with Google Meet). [...] Microsoft claims "Edge is the best browser for shopping this holiday." To make the case, Edge is getting a feature called price comparison that compares the price of a product you're searching for across other retailers. If you add a product to a collection, you can then click "compare price to other retailers" to see a list of prices of that item across other retailers.

Forbes looks at new features Microsoft added to Edge "as it looks to beat Chrome in the browser wars." It's now going to be possible to search for work files directly inside the Edge browser directly from the address bar. To use this you need Microsoft Search configured, then type "work" and press the Tab key to search your company's network for your work files. Another work-related Microsoft Edge update is also about to launch to let IT admins manage specific work related apps on user devices as well as the browsing users do from their Work Profile in Edge.

Integration with other Microsoft products is a key factor as the IT giant looks to entice more business users to use the updated Edge browser. Edge now supports native policies for Microsoft Endpoint Data Loss Prevention, which are used to find and protect sensitive items across Microsoft 365 services, Microsoft said in a blog highlighting the firm's security credentials. Another soon to launch feature of note highlighted by Bleeping Computer is Sleeping Tabs, which Microsoft says can improve memory usage by up to 26%. It can also reduce CPU usage by 29% potentially resulting in battery savings...

The browser is also adding security features such as alerts for the Edge password monitor if a compromised password is detected.

Slashdot reader Hmmmmmm quotes Ghacks: Raymond Hill, known online as gorhill, has set the status of the uMatrix GitHub repository to archived; this means that it is read-only at the time and that no updates will become available.

The uMatrix extension is available for several browsers including Firefox, Google Chrome, and most Firefox and Chromium-based browsers. It is a privacy and security extensions for advanced users that provides firewall-like capabilities when it is installed...

Hill suggests that developers could fork the extension to continue development under a new name. There is also the chance that Hill might resume development in the future but there is no guarantee that this is going to happen.

For now, uMatrix is no longer in active development.

Until Wednesday, a single text message sent through Cisco's Jabber collaboration application was all it took to touch off a self-replicating attack that would spread malware from one Windows user to another, researchers who developed the exploit said. Ars Technica reports: The wormable attack was the result of several flaws, which Cisco patched on Wednesday, in the Chromium Embedded Framework that forms the foundation of the Jabber client. A filter that's designed to block potentially malicious content in incoming messages failed to scrutinize code that invoked a programming interface known as "onanimationstart." But even then, the filter still blocked content that contained , an HTML tag that had to be included in a malicious payload. To bypass that protection, the researchers used code that was tailored to a built-in animation component called spinner-grow. With that, the researchers were able to achieve a cross-site scripting exploit that injected a malicious payload directly into the internals of the browser built into Jabber.

A security sandbox built into the Chromium Embedded Framework, or CEF, would normally store the payload in a container that's isolated from sensitive parts of the app. To work around this constraint, the researchers abused the window.CallCppFunction, which is designed to open files sent by other Cisco Jabber users. By manipulating a function parameter that accepts files, the researchers were able to break out of the sandbox. "Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack," researchers from security firm Watchcom Security wrote in a post. "The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim's machine." Accordingly, CVE-2020-3495, the designation assigned to the Cisco Jabber vulnerability, has a severity rating of 9.9 out of a maximum 10 based on the Common Vulnerability Scoring System. Cisco's advisory has more details here.

An anonymous reader shares a report: The Chromium browser -- open source, upstream parent to both Google Chrome and the new Microsoft Edge -- is getting some serious negative attention for a well-intentioned feature that checks to see if a user's ISP is "hijacking" non-existent domain results. The Intranet Redirect Detector, which makes spurious queries for random "domains" statistically unlikely to exist, is responsible for roughly half of the total traffic the world's root DNS servers receive. Verisign engineer Matt Thomas wrote a lengthy APNIC blog post outlining the problem and defining its scope. DNS, or the Domain Name System, is how computers translate relatively memorable domain names like arstechnica.com into far less memorable IP addresses, like 3.128.236.93.

Without DNS, the Internet couldn't exist in a human-usable form -- which means unnecessary load on its top-level infrastructure is a real problem. Loading a single modern webpage can require a dizzying number of DNS lookups. When we analyzed ESPN's front page, we counted 93 separate domain names -- from a.espncdn.com to z.motads.com -- which needed to be performed in order to fully load the page! In order to keep the load manageable for a lookup system that must service the entire world, DNS is designed as a many-stage hierarchy. At the top of this pyramid are the root servers -- each top-level domain, such as .com, has its own family of servers that are the ultimate authority for every domain beneath it. One step above those are the actual root servers, a.root-servers.net through m.root-servers.net.

ZDNet reports: In an effort to detect whether a network will hijack DNS queries, Google's Chrome browser and its Chromium-based brethren randomly conjures up three domain names between 7 and 15 characters to test, and if the response of two domains returns the same IP, the browser believes the network is capturing and redirecting nonexistent domain requests. This test is completed on startup, and whenever a device's IP or DNS settings change.

Due to the way DNS servers will pass locally unknown domain queries up to more authoritative name servers, the random domains used by Chrome find their way up to the root DNS servers, and according to Verisign principal engineer at CSO applied research division Matthew Thomas, those queries make up half of all queries to the root servers. Data presented by Thomas showed that as Chrome's market share increased after the feature was introduced in 2010, queries matching the pattern used by Chrome similarly increased.

"In the 10-plus years since the feature was added, we now find that half of the DNS root server traffic is very likely due to Chromium's probes," Thomas said in an APNIC blog post. "That equates to about 60 billion queries to the root server system on a typical day."

Thomas added that half the DNS traffic of the root servers is being used to support a single browser function, and with DNS interception being "certainly the exception rather than the norm", the traffic would be a distributed denial of service attack in any other scenario.

While there's wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to and warning about insecure forms. "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users' security and privacy," says Google in a blog post. "Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data." 9to5Google reports: The Google browser today removes the address bar's lock icon from sites with mixed forms. However, this proved to deliver an "unclear" experience that "did not effectively communicate the risks associated with submitting data in insecure forms." Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer "unique passwords." The company argues it's safer than reusing credentials. Next, the form will show red warning text underneath the field: "This form is not secure. Autofill has been turned off. The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a "Send anyway" button.

Microsoft will end support for Internet Explorer 11 across its Microsoft 365 apps and services next year. The Verge reports: In exactly a year, on August 17th, 2021, Internet Explorer 11 will no longer be supported for Microsoft's online services like Office 365, OneDrive, Outlook, and more. Microsoft is also ending support for Internet Explorer 11 with the Microsoft Teams web app later this year, with support ending on November 30th. While it's still going to take some time to pry enterprise users of Internet Explorer 11 away, Microsoft is hoping that the new Internet Explorer legacy mode in the Chromium-based Microsoft Edge browser will help. It will continue to let businesses access old sites that were specifically built for Internet Explorer, until Microsoft fully drops support for Internet Explorer 11 within Windows 10. Microsoft's move to stop supporting Internet Explorer 11 with its main web properties is a good first step, though.

Alongside the support changes, Microsoft is also planning to drop support for its existing legacy version of Microsoft Edge on March 9th, 2021. After the end of support date, the legacy version of Edge will no longer receive security updates. Microsoft has been moving existing Windows 10 users over to new its Chromium-based Edge browser, and the company says new devices and future Windows feature updates will all include the new Edge browser.

An anonymous reader shares a report: For years now, Google Chrome has been an absolute dominant force in the world of web browsers, but since the relaunch of Microsoft Edge based on Google's Chromium, that position has been challenged. Now, Google is preparing to drive more Android owners back to using Chrome through targeted notifications. Over the admittedly brief history of the Internet, there have been a number of fierce competitions, commonly called "browser wars," between companies, in an effort to get more people to use their particular web browser. Mozilla and Netscape waged war against Internet Explorer, and Chrome fought and won against Firefox. Most recently, Microsoft Edge and Samsung Internet have begun to wage war against Chrome on desktop and Android respectively. Now, we've found that Google is preparing to try and win back some of those who have left Chrome for other browsers, starting on Android. Based on our reading of a series of code changes, we believe Google Chrome for Android will send you a notification if you haven't used Chrome in a while.

July's statistics from web analytics firm Net Applications showed continuing changes in the most frequently-used web browsers. Softpedia reports: Last month, Google Chrome increased its market share from 70.19% to 71.00%, while Microsoft Edge jumped from 8.07% to 8.46%... The migration to the Chromium engine allowed Microsoft to turn Edge into a cross-platform browser, and this is one of the reasons that contributed to the growth of the new app. Edge is now available not only on Windows 10, but also on Windows 7, Windows 8, Windows 8.1, and even macOS. At the same time, Microsoft is also working on a Linux version of the browser, and a preview build is expected by the end of the year.

But what made Microsoft Edge the second most-used desktop browser out there so fast after the switch to Chromium is definitely Microsoft offering it as the default browser in Windows 10.
But what about Firefox? And Opera, and Apple's Safari? Computerworld reports: A decade ago, Mozilla's browser may have dreamed of upsetting the then-order of things, taking its April 2010 share of 25.1% and parlaying it into victory over IE — down to 61.2% by then... But that was Firefox's peak.

At the end of July, Firefox stood at 7.3%, down three-tenths of a percentage point from the previous month... Firefox let its second-place spot (far, far behind Chrome) slip away in March, when Edge snatched it. That did not change in July. The gap between the two more than doubled, in fact, to 1.2 points. On almost every browser share metric, Firefox is in trouble... Since the end of January, Firefox has been stuck in the 7s; for the eight months before that, it was mired in the 8s; and between May 2018 and March 2019, Firefox floundered in the 9s. The trend is crystal clear...

Elsewhere in Net Applications' numbers, Apple's Safari plunged to 3%, a loss of six-tenths of a point, its lowest mark since late 2008. Opera software's Opera also took a dive, ending July at 0.8%, a decline of three-tenths of a point. Those numbers have to be frightening to both those browsers' makers.

Some Windows 10 users have complained that when Microsoft sets up its Edge browser, it steals data from Chrome and Firefox without asking first, writes ZDNet columnist Chris Matyszczyk.

But today a reader sent him a new complaint involving Windows 7: "My wife's computer, which is running Windows 7, got a Windows update this morning, which then gave the full-screen welcome page for Edge Chromium. She was terrified as this looked exactly as if malware had taken over the machine... How could any application be running that she hadn't started? How is it that Microsoft can't manage to provide security updates for Windows 7, as it is end of life, but still manage to force a new web browser that isn't wanted on Windows 7 users...?"

"The full-screen welcome page for Chomium Edge did have a faint 'close' gadget in the top right, which was the very first thing we clicked... This still left Edge pinned on the taskbar and when I hovered over it, it showed all the recent sites she had visited on Chrome. So it must have stolen that data from Chrome which is the only browser she ever uses."
The ZDNet columnist shared his own reaction to the story. "Edge is a fine browser. It's quick, effective, and has superior privacy instincts than does Chrome. I have begun to use it and I like it. When you launch a new product, however, you have two choices: You can announce it, make people feel good about it, and then rely on word of mouth. Or you can try ramming it down people's throats.

"The former is often more effective. Microsoft has chosen the latter."

"Google has decided to disable a feature in Windows 10 version 2004 that allowed Chrome and Microsoft Edge browsers to use a lot less RAM," reports ZDNet: Windows 10 gave Win32 apps including Chrome access to a 'segment heap' API to allow apps to reduce memory usage, but as Techdows spotted, Chromium engineers have decided for now to turn off the feature by default in Chrome 85 after discovering it has a negative impact on CPU usage. Chrome 85 should reach stable status in August...

The CPU issue was discovered by an Intel engineer who found that when Chrome used segment heap, it led to significant performance regression in benchmarks on a PC with an Intel Core i9-9900K processor...

Microsoft has defended the trade-off between memory and CPU but conceded it can be implemented better to reduce the impact on CPU performance. "It is common practice to trade one resource for another. More often it's increased memory usage for reduced CPU usage. In this case it's increased CPU usage for dramatically reduced memory usage, or more accurately commit," wrote a Microsoft employee... "In the short term this is a good trade-off of one resource for another as memory/commit usage is a significant pain point for browser users," argued the Microsoft employee....

However, Chromium developers want to see more evidence about the possible impact of Chrome using segment heap... "The CPU cost (10% slowdown on Speedometer 2.0, 13% increase in CPU/power consumption) is too great for us to keep."

An anonymous reader quotes a report from VentureBeat: Google today launched Chrome 84 for Windows, Mac, Linux, Android, and iOS. Chrome 84 resumes SameSite cookie changes, includes the Web OTP API and Web Animations API, and removes older Transport Layer Security (TLS) versions. First deprecated with Chrome 81 in April, TLS 1.0 and TLS 1.1 have now been completely removed with Chrome 84. This is notable for anyone who manages a website, even if they don't use Chrome at home or at work. TLS is a cryptographic protocol designed to provide communications security over a computer network -- websites use it to secure all communications between their servers and browsers. TLS also succeeds Secure Sockets Layer (SSL) and thus handles the encryption of every HTTPS connection.

In May 2016, Chrome 51 introduced the SameSite attribute to allow sites to declare whether cookies should be restricted to a same-site (first-party) context. The hope was this would mitigate cross-site request forgeries (CSRF). Chrome 80 began enforcing a new secure-by-default cookie classification system, treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None; Secure are available in third-party contexts, provided they are being accessed from secure connections. Due to the coronavirus crisis, however, Google paused the SameSite cookie changes, with plans to resume enforcement sometime over the summer. SameSite cookie enforcement has now resumed with a gradual rollout ramping up over the next several weeks for Chrome 80 and newer.

Chrome 84 introduces the Web OTP API (formerly called the SMS Receiver API). This API helps users enter a one-time password (OTP) on a webpage when a specially crafted SMS message is delivered to their Android phone. When verifying the ownership of a phone number, developers typically send an OTP over SMS that must be manually entered by the user (or copied and pasted). The user has to switch to their native SMS app and back to their web app to input the code. The Web OTP API lets developers help users enter the code with one tap. Chrome 84 also adopts the Web Animations API, which gives developers more control over web animations. These can be used to help users navigate a digital space, remember your app or site, and provide implicit hints around how to use your product. Parts of the API have been around for some time, but this implementation brings greater spec compliance and supports compositing operations, which control how effects are combined and offer many new hooks that enable replaceable events. The API also supports Promises, which allow for animation sequencing and provide greater control over how animations interact with other app features.

The Wall Street Journal's senior personal tech columnist just published an article urging readers to "quit Chrome. Safari and Edge are just better browsers." It begins with the reporter pretending to break up with Chrome, adding "I'd say I'll remember the good times — your speed, your superb handling of Gmail — but your RAM hoovering, battery draining and privacy disregarding make it easy to not look back.

"This is the year, people. It's the year I challenge you to pack up your bookmarks and wave bye-bye to Google's browser..."

And the article is even accompanied by a video titled "Four ways to stop Chrome from slowing down your computer," where tip #1 is just: "Stop using Chrome..." "Sure, Chrome has far more browser market share [than Firefox, Safari, and Edge]. But all of them have actually gotten quite good over the last number of years. Heck, the new Microsoft Edge browser even uses Chromium, the same underlying technology as Chrome, and the performance is much improved, across Windows PCs, and Macs. Yes, Microsoft's browser is available for Mac, and it's good.

"In my weeks of testing, Edge used 5% less resources than Chrome on Windows. Safari used up to 10% less in some of my tests on my Mac. That meant up to 2 extra hours of battery life in their respective operating systems. Firefox, unfortunately, took up just as much power as Chrome. Google says it's working on some resource-saving improvements that will come in the next few months.

If you can switch to just one of those, go for it, even if just for their better privacy tools."
The video opens with a cartoon depiction of "Chrome-y," who lives inside your computer and eats your RAM and other resouces. "But don't worry. You can put him on a diet and take back your computer with some of these tips." The other tips including uninstalling extensions, and using Chrome's Task Manager to "spot and kill the RAM gobblers."

But throughout the video, "Chrome-y" continues chomping on your RAM...

An anonymous reader shares a report: The first Android version to support 64-bit architecture was Android 5.0 Lollipop, introduced back in November 2014. Since then, more and more 64-bit processors shipped, and today, virtually all Android devices are capable of running 64-bit software (excluding one or two or more oddballs). However, Google Chrome has never made the jump and is only available in a 32-bit flavor, potentially leading to some unnecessary security and performance degradations. That's finally changing: Starting with Chrome 85, phones running Android 10 and higher will automatically receive a 64-bit version. A look at chrome://version confirms as much: The current stable and beta builds, version 83 and 84, note that they're still 32-bit applications. Chrome Dev and Chrome Canary (release 85 and 86) are proper 64-bit apps. Google confirms as much on its Chromium Bugs tracker.

When compared in a number of Octane 2.0 benchmarks, the 64-bit version got consistently better results than the 32-bit version. It's possible that there have been other optimizations that make Chrome 85 faster than 83 -- the architecture is not necessarily all there is to it. Still, the benchmark results suggest that there are some enhancements, even if these tests aren't easy to translate to real-world usage.