GNOME

Fedora 32 Linux-based OS Available For Download With GNOME 3.36 (betanews.com) 33

Today, Fedora 32 becomes available for download. From a report: It comes with GNOME 3.36 which you can read more about here. If you don't like GNOME, it isn't the end of the world -- you can instead choose KDE Plasma, Cinnamon, MATE, and more. There is even a special ARM variant of Fedora 32 that will work with Raspberry Pi devices. "Fedora 32 includes new features aimed at addressing issues facing modern developers and IT teams. Highlights include key updates to Fedora's desktop-focused edition, Fedora 32 Workstation, and a new computational neuroscience lab image, aimed at bringing those working in science fields to open source software. Each Fedora edition is designed to address specific use cases for modern developers and IT teams with Fedora Workstation and Fedora Server providing open operating systems built to meet the needs of forward-looking developers and server projects," says The Fedora Project development team.
Android

Android OEM Patch Rates Have Improved, With Nokia and Google Leading the Charge (zdnet.com) 30

Security updates are reaching Android users faster and more reliably than in previous years. In research published this month, German cyber-security firm SRLabs said the Android patch gap has gone down from 44 days in 2018 to 38 days today. From a report: The term Android patch delay, or patch gap, refers to the time from when Google formally publishes a security update on its website, and until a smartphone vendor (OEMs, or original equipment manufacturers) integrates the patch into its firmware. SRLabs says it collected information on patch delays using its SnoopSnitch security scanner app installed on more than 500,000 Android smartphones. While the company reported that the patch delay has gone down by 15% in the last two years, the patch gap varied wildly across smartphone vendors, with some better than others at integrating the Google-provided security patches into their customized Android OS versions. Researchers said Google, Nokia, and Sony were the fastest at integrating the monthly Android security updates into their customized Android OS releases, while Xiaomi, HTC, and Vivo were the vendors lagging behind the most.
Software

Google's Flutter: 2 Million Developers, Uptick In Enterprise Use, New Release Model Revealed (zdnet.com) 27

Liam Tung writing via ZDNet: Google says two million developers have used its Flutter user-interface (UI) framework for building apps targeting mobile, desktop, and the web since declaring it production ready at Google I/O 2018. Flutter is on the rise, according to Google's Tim Sneath, who said Flutter use grew 10% in March compared with February -- despite COVID-19 coronavirus pandemic impediments. He added that the UI framework now has "nearly half a million" developers who use it on a monthly basis. Most of them are also building on Windows, with 60% of Flutter users developing on Windows 10 PCs, 27% on macOS, and 13% on Linux. Google says over a third of Flutter users work at a startup, while 26% are developers working in the enterprise, 19% are self-employed, and 7% work for design agencies. There are also now 50,000 Flutter-built Android apps on the Google Play Store, and 10,000 of those were uploaded in the past month, according to Sneath.

Google is also updating the release process for Flutter to improve the stability and predictability of its releases. Google found that Flutter contributors and developers didn't understand when a release would be built and what code it would contain. Another issue is a lack of testing for branches, which means sporadic hotfix releases to address regressions or bugs, which also run the risk of introducing new bugs. Google is now moving to a branching model for Flutter, which commences with the April release and includes a "stabilization period" for the beta and stable releases to address key bugs that have been selected by reviewers. Google will also align the Flutter and Dart release processes and channels. This means Dart now has a beta channel, and it will be aligned with the Flutter beta channel.

The Internet

Malwarebytes Releases New VPN Service For Windows (bleepingcomputer.com) 24

The popular anti-malware software Malwarebytes is releasing a new Windows VPN service called Malwarebytes Privacy. The company says it plans on offering Mac, iOS, Android, and ChromeOS versions in the future. Bleeping Computer reports: During our tests yesterday, you could select from 10 states in the USA and 30 countries around the world. [...] Malwarebytes told BleepingComputer that this is not a white-label service, but rather one they developed themselves. A trusted third party built the network infrastructure, and Malwarebytes developers created the app and other components. Malwarebytes Privacy is using the modern WireGuard VPN implementation that was recently integrated into the Linux kernel.

Unfortunately, not much is known about Malwarebytes Privacy's logging and data retention policies. According to Malwarebytes' product page, "Malwarebytes Privacy does not log your online activities, whether it's browsing or accessing any websites." This is what most people want, but it would be good to get more specific language in a dedicated data retention policy or language in their privacy policy.

IOS

Devs Might Be Able To Write Software On iPad, iPhone With Xcode For iOS (cultofmac.com) 77

macOS and iOS software developers will soon be able to code on an iPad or even iPhone, if an unconfirmed report is correct. iPadOS 14 and the iPhone equivalent will reportedly include support for Xcode, Apple's software development environment. Cult of Mac reports: This report comes from Jon Prosser, founder of YouTube channel Front Page Tech, who recently correctly predicted the launch date of the 2020 iPhone SE. On Monday, Prosser said via Twitter "XCode is present on iOS / iPad OS 14. The implications there are HUGE." Whenever anyone suggests that iPads have become as powerful as MacBooks, someone always asks, "Does it do Xcode?" The implication is that iPads are just toys -- only Macs are real computers. But if Prosser is correct, then devs will be able to use iPad or Mac, whichever they prefer. This is part of Apple steadily upgrading the capabilities of its tablets over years, especially the iPad Pro line. These now have USB-C ports, support for accessing external media, mouse support, etc. And top-tier iPad processors as powerful as Apple laptops.
Music

Apple Music On the Web Exits Beta (macrumors.com) 14

The web-based Apple Music experience that launched in beta last September is now available at music.apple.com. MacRumors reports: The previous beta.music.apple.com address automatically forwards to the newly launched version. Once you're signed into the web version of Apple Music with your Apple ID that has an associated Apple Music subscription, you'll have access to all of your library and playlist content, as well as the same personal mixes and recommendations you'll see in the Music apps for iOS, Mac, and Android. Apple Music content plays right in the web browser, providing access for an array of devices and platforms that don't have native Music app support, including Windows 10, Linux, and Chrome OS.
Privacy

Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000 (vice.com) 38

Hackers are selling two critical vulnerabilities for the video conferencing software Zoom that would allow someone to hack users and spy on their calls, Motherboard reported Wednesday. From the report: The two flaws are so-called zero-days, and are currently present in Zoom's Windows and MacOS clients, according to three sources who are knowledgeable about the market for these kinds of hacks. The sources have not seen the actual code for these vulnerabilities, but have been contacted by brokers offering them for sale. Zero-day exploits or just zero-days or 0days are unknown vulnerabilities in software or hardware that hackers can take advantage of to hack targets. Depending on what software they're in, they can be sold for thousands or even millions of dollars.

Last week, Motherboard reported that there was an increased interest in zero-days for Zoom as millions of people, including employees and executives at big companies around the world, moved onto the platform for sensitive or confidential meetings, due to the coronavirus pandemic. "From what I've heard, there are two zero-day exploits in circulation for Zoom. [...] One affects OS X and the other Windows," said Adriel Desautels, the founder of Netragard, a company that used to sell and trade zero-days. "I don't expect that these will have a particularly long shelf-life because when a zero-day gets used it gets discovered."

Chromium

Microsoft's New Browser For Windows 7 Will Be Retired In July 2021 (softpedia.com) 27

Microsoft's relatively new Chromium-based Edge browser is going to be retired in mid-2021. Softpedia reports: News of Microsoft supporting Edge on Windows 7 until at least July 2021 first surfaced earlier this year, but now the software giant has updated its official documentation with more specifics about this date. "We will continue to support Microsoft Edge on Windows 7 and Windows Server 2008 R2 until July 15, 2021. These operating systems are out of support and Microsoft recommends you move to a supported operating system such as Windows 10," the company explains. "While Microsoft Edge helps keep you more secure on the web, your PC may still be vulnerable to security risks. In order for IE mode to be supported on these operating systems the devices will need to have the Extended Security Updates for Windows 7. Without the Windows 7 Extended Security updates Internet Explorer functionality will be vulnerable to security risks. Additionally, IE mode functionality may cease to work without the continued servicing through the extended security updates."
Red Hat Software

How Red Hat's New CEO Handles Life Under IBM -- and a Global Pandemic (newsobserver.com) 20

Paul Cormier became Red Hat's new CEO this week -- while the entire company was working from home. He had to make his inaugural address to over 12,000 employees around the world using BlueJeans videoconferencing tools, reports a North Carolina newspaper: In some ways, Red Hat was well prepared to work through the disruptions of coronavirus. For years, the company has encouraged and accepted employees who have wanted to work from home. It's been a big part of its recruiting efforts, Cormier said. "Especially in engineering, our strategy has always been hire the best person, we don't care where they are."

That doesn't mean it has been unscathed. The company has had to change its sales and product conference this year into a virtual event and social isolation obviously puts a strain on relationships with customers. And while the company wouldn't give out an exact number of employees who have been infected by COVID-19, a spokeswoman for Red Hat said, "We have cases around the globe -- people who are presumed to be sick, people who are sick and, happily, people who have recovered."

Cormier said he's committed to taking care of the thousands of employees affected by work-from-home orders across the globe. Red Hat, he said, will pay all of its employees during this time regardless of whether "you're 140% productive or 40% productive."

Cormier also emphasized he's committed to keeping Red Hat a "totally, totally separate company" from IBM, saying that was agreed upon from the beginning with IBM's new CEO Arvind Krishna. "If we're not independent, then the other cloud guys won't feel safe working with us... Intel, for example, shares their road map, which is super top secret, with us five years in advance, because we have to build the OS to support all their features...." He also noted that Red Hat's finance, legal, communications and human resources teams are all separate from IBM. "IBM doesn't set our road map. We set our road map," he said.

Where the company has seen a lot of success together, though, is in combining sales efforts. In its last earnings call, IBM said Red Hat was seeing an increase in large deals worth more than $10 million after joining IBM. One of them was with Verizon, for example.

Windows

Don't Expect Any Windows 10X Devices This Calendar Year, Says Microsoft (zdnet.com) 22

Microsoft is setting internal expectations that it won't deliver any Windows 10X devices in calendar 2020, ZDNet reports. From a report: This isn't really surprising, given what's going on externally with the COVID-19 coronavirus pandemic. But for enthusiasts who were looking forward to dual-screen Surface Neo devices this holiday season, the reality is taking root. My contacts say that Chief Product Officer Panos Panay informed some of his team internally today, April 8, that Microsoft wouldn't be delivering its own Surface Neo dual-screen 10X devices this calendar year. In addition, Microsoft also won't be enabling third-party dual-screen Windows devices to ship with 10X in calendar 2020, I hear.
Security

Tails, the Security-Focused OS, Adds Support For Secure Boot (zdnet.com) 20

Tails OS, an operating system optimized for privacy and anonymity, has released version 4.5 this week, the first version that supports a crucial security feature named UEFI Secure Boot. From a report: Secure Boot works by using cryptographic signatures to verify that firmware files loaded during a computer's boot-up process are authentic and have not been tampered with. If any of the firmware checks fail, Secure Boot has the authority to stop the boot process, preventing the operating system from launching. The feature has been available as part of the UEFI specification for almost two decades but is rarely used. The reason is because not all firmware vendors cryptographically sign their files, leaving the door open to verification errors that -- when Secure Boot is enabled -- block many operating systems from launching.
AI

Hospitals Deploy AI Tools To Detect COVID-19 on Chest Scans (ieee.org) 16

Deep learning algorithms can diagnose, triage, and monitor coronavirus cases from lung images. Next, can they predict who will need a ventilator? From a report: AI-powered analysis of chest scans has the potential to alleviate the growing burden on radiologists, who must review and prioritize a rising number of patient chest scans each day, experts say. And in the future, the technology might help predict which patients are most likely to need a ventilator or medication, and which can be sent home. "That's the brass ring," says Matthew Lungren, a pediatric radiologist at Stanford University Medical Center and co-director of the Stanford Center for Artificial Intelligence in Medicine and Imaging. "That would be the killer app for this." Some companies are selling their tools, others have released free online versions, and various groups are organizing large crowdsourced repositories of medical images to generate new algorithms. "The system we designed can process huge amounts of CT scans per day," says Hayit Greenspan, a professor at Tel-Aviv University and chief scientist of RADLogics, a healthcare software company that recently announced one such AI-based system. "The capability for quickly covering a huge population is there."
Security

A Hacker Found a Way To Take Over Any Apple Webcam (wired.com) 52

An anonymous reader quotes a report from Wired: Apple has a well-earned reputation for security, but in recent years its Safari browser has had its share of missteps. This week, a security researcher publicly shared new findings about vulnerabilities that would have allowed an attacker to exploit three Safari bugs in succession and take over a target's webcam and microphone on iOS and macOS devices. Apple patched the vulnerabilities in January and March updates. But before the fixes, all a victim would have needed to do is click one malicious link and an attacker would have been able to spy on them remotely.

The bugs Pickren found all stem from seemingly minor oversights. For example, he discovered that Safari's list of the permissions a user has granted to websites treated all sorts of URL variations as being part of the same site, like https://www.example.com, http://example.com and fake://example.com. By "wiggling around," as Pickren puts it, he was able to generate specially crafted URLs that could work with scripts embedded in a malicious site to launch the bait-and-switch that would trick Safari. A hacker who tricked a victim into clicking their malicious link would be able to quietly launch the target's webcam and microphone to capture video, take photos, or record audio. And the attack would work on iPhones, iPads, and Macs alike. None of the flaws are in Apple's microphone and webcam protections themselves, or even in Safari's defenses that keep malicious sites from accessing the sensors. Instead, the attack surmounts all of these barriers just by generating a convincing disguise.

Transportation

Boeing 787s Must Be Turned Off and On Every 51 Days To Prevent 'Misleading Data' Being Shown To Pilots (theregister.co.uk) 140

The U.S. Federal Aviation Administration has ordered Boeing 787 operators to switch their aircraft off and on every 51 days to prevent what it called "several potentially catastrophic failure scenarios" -- including the crashing of onboard network switches. The Register reports: The airworthiness directive, due to be enforced from later this month, orders airlines to power-cycle their B787s before the aircraft reaches the specified days of continuous power-on operation. The power cycling is needed to prevent stale data from populating the aircraft's systems, a problem that has occurred on different 787 systems in the past. According to the directive itself, if the aircraft is powered on for more than 51 days this can lead to "display of misleading data" to the pilots, with that data including airspeed, attitude, altitude and engine operating indications. On top of all that, the stall warning horn and overspeed horn also stop working.

This alarming-sounding situation comes about because, for reasons the directive did not go into, the 787's common core system (CCS) -- a Wind River VxWorks realtime OS product, at heart -- stops filtering out stale data from key flight control displays. That stale data-monitoring function going down in turn "could lead to undetected or unannunciated loss of common data network (CDN) message age validation, combined with a CDN switch failure." Solving the problem is simple: power the aircraft down completely before reaching 51 days. It is usual for commercial airliners to spend weeks or more continuously powered on as crews change at airports, or ground power is plugged in overnight while cleaners and maintainers do their thing.

Security

OpenWRT Code-Execution Bug Puts Millions of Devices At Risk (arstechnica.com) 60

Dan Goodin writes via Ars Technica: For almost three years, OpenWRT -- the open source operating system that powers home routers and other types of embedded systems -- has been vulnerable to remote code-execution attacks because updates were delivered over an unencrypted channel and digital signature verifications are easy to bypass, a researcher said. Security researcher Guido Vranken, however, recently found that updates and installation files were delivered over unencrypted HTTP connections, which are open to attacks that allow adversaries to completely replace legitimate updates with malicious ones. The researcher also found that it was trivial for attackers with moderate experience to bypass digital-signature checks that verify a downloaded update as the legitimate one offered by OpenWRT maintainers. The combination of those two lapses makes it possible to send a malicious update that vulnerable devices will automatically install.
[...]
The researcher said that OpenWRT maintainers have released a stopgap solution that partially mitigates the risk the bug poses. The mitigation requires new installations to be "set out from a well-formed list that would not sidestep the hash verification. However, this is not an adequate long-term solution because an attacker can simply provide an older package list that was signed by the OpenWRT maintainers." From there, attackers can use the same exploits they would use on devices that haven't received the mitigation. OpenWRT maintainers didn't immediately respond to questions asking why installation and update files are delivered over HTTP and when a longer-term fix might be available. In the meantime, OpenWRT users should install either version 18.06.7 or 19.07.1, both of which were released in February. These updates provide the stopgap mitigation.

Operating Systems

Linux Mint 20 is 64-bit Only, Based on Ubuntu 20.04, and Named 'Ulyana' (betanews.com) 84

An anonymous reader shares a report: Today, we learn some new details about the upcoming Linux Mint 20. While most of the newly revealed information is positive, there is one thing that is sure to upset many Linux Mint users. First things first, Linux Mint 20 will be based on the upcoming Ubuntu 20.04. This shouldn't come as a surprise, as Mint only uses Long Term Support versions of Ubuntu, and 20.04 will be an LTS. We also now know the name of Linux Mint 20. The Mint team always uses female names, and this time they chose "Ulyana." This is apparently a Russian name meaning "youthful." So far, all of the news is positive, so what exactly will upset some users? The Linux Mint developers are finally dropping 32-bit support and will only produce 64-bit ISOs.
Bug

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic (bleepingcomputer.com) 19

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.
Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.
Chrome

Google To Resume Chrome Updates it Paused Last Week Due To COVID-19 (zdnet.com) 10

An anonymous reader shares a report: Google paused Chrome updates last week when it canceled the Chrome 81 release in order to avoid causing severe disruptions to web developers, system administrators, and its own engineers, most working from home or having resources strained due to ever-worsening coronavirus (COVID-19) outbreak. In a blog post on the Chrome blog today, Google said it is now ready to resume work on Chrome. The company said that starting next week, the current Chrome 80 release will start receiving security updates once again. Chrome v81, initially scheduled to be released on March 17, was rescheduled for April 7, at which time, web developers and system administrators would have had the time to adapt to their new working conditions.
Microsoft

Microsoft Throttles Some Office 365 Services To Continue To Meet Demand (zdnet.com) 43

In response to high demand as a result of the COVID-19 coronavirus pandemic, Microsoft has started taking action to preserve overall performance by throttling some services. ZDNet reports: On March 16, Microsoft posted to Microsoft 365/Office 365 admin dashboards a warning about "temporary feature adjustments" that it might take. That warning told customers that Microsoft was "making temporary adjustments to select non-essential capabilities." Officials said they did not expect these changes to have significant impact on users' experiences. Among the examples of the types of changes Microsoft might take would be things like how often its services check for presence; intervals in which other parties typing are displayed; and video resolution. Today, March 24, Microsoft started cautioning Microsoft 365/Office 365 commercial users of some other "temporary changes" they should expect. The list:

OneNote:
- OneNote in Teams will be read-only for commercial tenants, excluding EDU. Users can go to OneNote for the web for editing.
- Download size and sync frequency of file attachments has been changed.
- You can find details on these and other OneNote related updates at http://aka.ms/notesupdates.

SharePoint:
- We are rescheduling specific backend operations to regional evening and weekend business hours. Impacted capabilities include migration, DLP and delays in file management after uploading a new file, video or image.
- Reduced video resolution for playback videos

Stream:
- People timeline has been disabled for newly uploaded videos. Pre-existing videos will not be impacted.

Operating Systems

Apple Releases iOS 13.4, iPadOS 13.4, macOS 10.15.4, tvOS 13.4, and watchOS 6.2 (venturebeat.com) 13

Apple today officially released versions 13.4 of iOS, iPadOS, and tvOS to the public, alongside macOS 10.15.4 and watchOS 6.2. While many of their improvements are minor, there are a few standout features across the updates. From a report: One of the most noteworthy additions is a dramatic expansion of iPadOS 13's prior trackpad and mouse support, which was limited solely to an Accessibility option before evolving to full system-wide support across all iPad models capable of running iPadOS 13.4. Now, keyboard-trackpad hybrids (such as the upcoming Magic Keyboard for iPad), standalone trackpads, and standalone mice can create a cursor that highlights and selects on-screen text and objects, paving the way for more Mac-like apps on Apple's tablets. Another major improvement is cross-platform support for a new universal app purchase option, enabling a single app developed using Apple's shared Catalyst framework to be purchased and run across Macs, iPhones, iPads, and Apple TVs. This feature went live for developers yesterday, and it uses the iOS App Store as the base for universal apps. Standalone Mac App Store app listings will likely need to be abandoned for the transition to universal apps.
