Microsoft

Microsoft's OneDrive Web App Crippled With Performance Issues On Linux and Chrome OS (theregister.co.uk) 98

Iain Thomson, reporting for The Register: Plenty of Linux users are up in arms about the performance of the OneDrive web app. They say that when accessing Microsoft's cloudy storage system in a browser on a non-Windows system -- such as on Linux or ChromeOS -- the service grinds to a barely usable crawl. But when they use a Windows machine on the same internet connection, speedy access resumes. Crucially, when they change their browser's user-agent string -- a snippet of text the browser sends to websites describing itself -- to Internet Explorer or Edge, magically their OneDrive access speeds up to normal on their non-Windows PCs. In other words, Microsoft's OneDrive web app slows down seemingly deliberately when it appears you're using Linux or some other Windows rival. This has been going on for months, and complaints flared up again this week after netizens decided enough is enough. When gripes about this suspicious slowdown have cropped up previously, Microsoft has coldly reminded people that OneDrive for Business is not supported on Linux, thus the crap performance is to be expected. But when you change the user-agent string of your browser on Linux to match IE or Edge, suddenly OneDrive's web code runs fine. The original headline of the story is, "Microsoft loves Linux so much, its OneDrive web app runs like a dog on Windows OS rivals".
Firefox

Firefox for Linux is Now Netflix Compatible (betanews.com) 70

Brian Fagioli, writing for BetaNews: For a while, Netflix was not available for traditional Linux-based operating systems, meaning users were unable to enjoy the popular streaming service without booting into Windows. This was due to the company's reliance on Microsoft Silverlight. Since then, Netflix adopted HTML5, and it made Google Chrome and Chromium for Linux capable of playing the videos. Unfortunately, Firefox -- the open source browser choice for many Linux users -- was not compatible. Today this changes, however, as Mozilla's offering is now compatible with Netflix!
Microsoft

Microsoft's Edge Was Most Hacked Browser At Pwn2Own 2017, While Chrome Remained Unhackable (tomshardware.com) 144

At the Pwn2Own 2017 hacking event, Microsoft's Edge browser proved itself to be the least secure browser at the event, after it was hacked no less than five times. Google's Chrome browser, on the other hand, remained unhackable during the contest. Tom's Hardware reports: On the first day, Team Ether (Tencent Security) was the first to hack Edge through an arbitrary write in the Chakra JavaScript engine. The team also used a logic bug in the sandbox to escape that, as well. The team got an $80,000 prize for this exploit. On the second day, the Edge browser was attacked fast and furious by multiple teams. However, one was disqualified for using a vulnerability that was disclosed the previous day. (The teams at Pwn2Own are supposed to only use zero-day vulnerabilities that are unknown to the vendor.) Two other teams withdrew their entries against Edge. However, Team Lance (Tencent Security) successfully exploited Microsoft's browser using a use-after-free (UAF) vulnerability in Chakra, and then another UAF bug in the Windows kernel to elevate system privileges. The exploit got the team $55,000. Team Sniper (Tencent Security) also exploited Edge and the Windows kernel using similar techniques, which gained this team the same amount of money, as well. The most impressive exploit by far, and also a first for Pwn2Own, was a virtual machine escape through an Edge flaw by a security team from "360 Security." The team leveraged a heap overflow bug in Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape. The team hacked its way in via the Edge browser, through the guest Windows OS, through the VM, all the way to the host operating system. This impressive chained-exploit gained the 360 Security team $105,000. The fifth exploit against Edge was done by Richard Zhu, who used two UAF bugs--one in Edge and one in a Windows kernel buffer overflow--to complete the hack. The attack gained Zhu $55,000.
At last year's Pwn2Own 2016, Edge proved to be more secure than Internet Explorer and Safari, but it still ended up getting hacked twice. Chrome was only partially hacked once, notes Tom's Hardware.
Desktops (Apple)

Popular Open-Source Audio Editor Audacity Adds Windows 10 Support, More Improvements (audacityteam.org) 102

Audacity, a popular open-source and cross-platform audio editor, has received a "maintenance" update that brings several improvements. Dubbed v2.1.3, the biggest new addition appears to be support for Windows 10 OS. For Mac users, Audacity now works in tandem with the Magic Mouse. "We now support Trackpad and Magic Mouse horizontal scroll without SHIFT key and Trackpad pinch and expand to zoom at the pointer," the release note says. We also have new "Scrub Ruler" and "Scrub Toolbar" scrubbing options in the application now. Read the full changelog here.
Microsoft

Windows 10 Will Download Some Updates Even Over a Metered Connection (winsupersite.com) 320

Reader AmiMoJo writes: Until now Windows 10 has allowed users to avoid downloading updates over metered (pay-per-byte) connections, to avoid racking up huge bills. Some users were setting their ethernet/wifi connections as metered in order to prevent Windows 10 from downloading and installing updates without their permission. In its latest preview version of the OS, Microsoft is now forcing some updates necessary for "smooth operation" to download even on these connections. As well as irritating users who want to control when updates download and install, users of expensive pay-per-byte connections could face massive bills.
Security

Edge, VMWare, Safari, And Ubuntu Linux Hacked at Pwn2Own 2017 (trendmicro.com) 82

The 10th annual Pwn2Own hacking competition ended Friday in Vancouver. Some of the highlights:
  • Ars Technica reports one team "compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in... by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware."
  • Digital Trends reports "Samuel Grob and Niklas Baumstark used a number of logic bugs to exploit the Safari browser and eventually take root control of the MacOS on a MacBook Pro, [and] impressed onlookers even more by adding a custom message to the Touch Bar which read: 'pwned by niklasb and saelo.'"
  • Ubuntu 16.10 Linux was also successfully attacked by exploiting a flaw in the Linux 4.8 kernel, "triggered by a researcher who only had basic user access but was able to elevate privileges with the vulnerability to become the root administrative account user..." reports eWeek. "Chaitin Security Research Lab didn't stop after successfully exploiting Ubuntu. It was also able to successfully demonstrate a chain of six bugs in Apple Safari, gaining root access on macOS."
  • Another attacker "leveraged two separate use-after-free bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel."

None of the attendees registered to attempt an attack on the Apache Web Server on Ubuntu 16.10 Linux, according to eWeek, but the contest's blog reports that "We saw a record 51 bugs come through the program. We paid contestants $833,000 USD in addition to the dozen laptops we handed out to winners. And, we awarded a total of 196 Master of Pwn points."


Security

Windows 10 UAC Bypass Uses Backup and Restore Utility (bleepingcomputer.com) 58

An anonymous reader writes: "A new User Access Control (UAC) bypass technique relies on altering Windows registry app paths and using the Backup and Restore utility to load malicious code without any security warning," reports BleepingComputer. The technique works when an attacker launches the Backup and Restore utility, which loads its control panel settings page. Because the utility doesn't know where this settings page is located, it queries the Windows Registry. The problem is that low-privileged users can modify Windows Registry values and point to malware. Because the Backup and Restore utility is a trusted application, UAC prompts are suppressed. This technique only works in Windows 10 (not earlier OS versions) and was tested with Windows 10 build 15031. A proof-of-concept script is available on GitHub. The same researcher had previously found two other UAC bypass techniques, one that abuses the Windows Event Viewer, and one that relies on the Windows 10 Disk Cleanup utility.
AMD

Microsoft Locks Ryzen, Kaby Lake Users Out of Updates On Windows 7, 8.1 (kitguru.net) 419

Artem Tashkinov writes: In a move that will shock a lot of people, someone at Microsoft decided to deny Windows 7/8.1 updates to the users of the following CPU architectures: Intel seventh (7th)-generation processors (Kaby Lake); AMD "Bristol Ridge" (Zen/Ryzen); Qualcomm "8996." It's impossible to find any justification for this decision to halt support for the x86 architectures listed above because you can perfectly run MS-DOS on them. Perhaps, Microsoft has decided that the process of foisting Windows 10 isn't running at full steam, so the company created this purely artificial limitation. I expect it to be cancelled soon after a wide backlash from corporate customers. KitGuru notes that users may encounter the following error message when they attempt to update their OS: "Your PC uses a processor that isn't supported on this version of Windows." The only resolution is to upgrade to Windows 10.
Microsoft

Microsoft To End Support For Windows Vista In Less Than a Month (pcworld.com) 167

In less than a month's time, Microsoft will put Windows Vista to rest once and for all. If you're one of the few people still using it, you have just a few weeks to find another option before time runs out. (I mean, nobody will uninstall it from your computer, but.) From a report on PCWorld: After April 11, 2017, Microsoft will no longer support Windows Vista: no new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates, Microsoft says. (Mainstream Vista support expired in 2012.) Like it did for Windows XP, Microsoft has moved on to better things after a decade of supporting Vista. As Microsoft notes, however, running an older operating system means taking risks -- and those risks will become far worse after the deadline. Vista's Internet Explorer 9 has long since expired, and the lack of any further updates means that any existing vulnerabilities will never be patched -- ever. Even if you have Microsoft's Security Essentials installed -- Vista's own antivirus program -- you'll only receive new signatures for a limited time.
Security

Canonical Preps Security Lifeboat, Yells: Ubuntu 12.04 Hold-Outs, Get In (theregister.co.uk) 88

Gavin Clarke, writing for The Register: Canonical is extending the deadline for security updates for paying users of its five-year-old Ubuntu 12.04 LTS -- a first. Ubuntu 12.04 LTS will become the first Long Term Support release of Canonical's Linux to get Extended Security Maintenance (ESM). There are six LTS editions. All others have been end-of-lifed -- and given no security reprieve. LTS editions of Ubuntu Linux are released every two years. Desktop support runs for three years and the server edition receives security patches and updates for a period of five years. Security updates for 12.04 were scheduled to run out on April 28, 2017 but that now won't happen for those on Canonical's Ubuntu Advantage programme. They'll now receive important security fixes for the kernel and "most essential" userspace packages on their servers running 12.04. In what's shaping up to be Canonical's Windows XP moment over at Microsoft, the Linux spinner rolled out the lifeline because customers are clinging to 12.04.
XBox (Games)

Microsoft's Project Scorpio Will Pack Internal PSU, 4K Game DVR Capture (windowscentral.com) 44

According to an exclusive report from Windows Central, Microsoft's upcoming "Project Scorpio" gaming console will feature an internal power supply unit (PSU), similar to the Xbox One S, and 4K game DVR and streaming at 60 frames-per-second (FPS). From the report: In Microsoft's efforts to make Project Scorpio a true 4K system, it will also feature HEVC and VP9 codecs for decoding 4K streams for things such as Netflix, just like the Xbox One S. It will also leverage HEVC for encoding 2160p, 60 frame-per-second (FPS) video for Game DVR and streaming. Microsoft's Beam streaming service has been running public 4K stream tests for some time, and it's now fair to assume it will not only be PC streamers who will benefit. Project Scorpio's Game DVR will allow you to stream and record clips in 4K resolution with 60FPS, according to our sources, which is a massive, massive step up from the 720p, 30FPS you get on the current Xbox One. With every bit of information we receive about Project Scorpio, the theme of native 4K keeps appearing -- not only for games, but also console features. We now believe Scorpio will sport 4K Game DVR, 4K Blu-ray playback, and 4K streaming apps, but the real showstopper will be the 4K games Microsoft will likely flaunt at E3 2017.
AI

Google Wants To Use AI To Cut the UK's Electric Bill By 10 Percent (popularmechanics.com) 68

The Google-owned artificial intelligence company DeepMind is in talks with the National Grid about a potential partnership, with the possibility of using the technology to make the supply of energy across the UK more efficient. From a report: Google DeepMind is opening talks with the UK government to use the company's artificial intelligence to reduce energy use by up to 10 percent. Artificial intelligence is highly adept at spotting patterns and making predictions that are much too small and subtle for humans to pick out, which lets AIs micromanage systems with far greater efficiency than any human engineer could hope to achieve. For instance, Google is currently using DeepMind's AI to control its server rooms, where it manages windows, fan speeds, air conditioning, and more than a hundred other factors to save Google hundreds of millions of dollars in electricity costs.
Windows

Windows 10 Is Just 'A Vehicle For Advertisements', Argues Tech Columnist (betanews.com) 353

A new editorial by BetaNews columnist Mark Wilson argues that Windows 10 isn't an operating system -- it's "a vehicle for ads". An anonymous reader quotes their report: They appear in the Start menu, in the taskbar, in the Action Center, in Explorer, in the Ink Workspace, on the Lock Screen, in the Share tool, in the Windows Store and even in File Explorer.

Microsoft has lost its grip on what is acceptable, and even goes as far as pretending that these ads serve users more than the company -- "these are suggestions", "this is a promoted app", "we thought you'd like to know that Edge uses less battery than Chrome", "playable ads let you try out apps without installing". But if we're honest, the company is doing nothing more than abusing its position, using Windows 10 to promote its own tools and services, or those with which it has marketing arrangements.

The article suggests ads are part of the hidden price tag for the free downloads of Windows 10 that Microsoft offered last year (along with the telemetry and other user-tracking features). Their article has already received 357 comments, and concludes that the prevalence of ads in Windows 10 is "indefensible".
Privacy

Notepad++ Update Fixes 'CIA Hacking' Issue (archive.org) 82

Free software Notepad++ (released under the GNU General Public License) received a new update this week which was announced under the headline "Fix CIA Hacking Notepad++ Issue". The CIA documents in WikiLeaks' 'Vault 7' included a "Notepad++ DLL Hijack" document which affected the popular Windows editor for text and source code. "It's not a vulnerability/security issue in Notepad++, but for remedying this issue, from this release (v7.3.3) forward, notepad++.exe checks the certificate validation in scilexer.dll before loading it," reads the announcement. From the Notepad++ web site: If the certificate is missing or invalid, then it just won't be loaded, and Notepad++ will fail to launch. Checking the certificate of DLL makes it harder to hack.

Note that once users' PCs are compromised, the hackers can do anything on the PCs. This solution only prevents Notepad++ from loading a CIA homemade DLL. It doesn't prevent your original notepad++.exe from being replaced by modified notepad++.exe while the CIA is controlling your PC.

The update also includes "a lot of enhancements and bug-fixes," and if no critical issues are found, "Auto-updater will be triggered in few days."
EU

Munich's IT Lead: 'No Compelling Reason' To Switch Back To Windows From Linux (techrepublic.com) 203

"The man who runs Munich's central IT says there is no practical reason for the city to write off millions of euros and years of work to ditch its Linux-based OS for Windows," reports TechRepublic. Long-time Slashdot reader Qbertino summarizes a German-language article: Karl-Heinz Schneider, lead of Munich's local system house company IT@M, goes on to claim, "We do not see pressing technical reasons to switch to MS and MS Office... The council [in their recent plans] didn't even follow the analysts' suggestion to stick with using LibreOffice." Furthermore, Schneider stated that "System failures that angered citizens in recent years never were related to the LiMux project, but due to new bureaucratic procedures..." and apparently decisions by unqualified personnel at the administrative level, as Munich's administration itself states.
Printer

3D-Printed House Constructed On-Site In One Day (treehugger.com) 88

Heffenfeffer writes: Russian company Apis Cor has manufactured a 3D printed concrete house on-site in 24 hours in Stupino Town, Russia. Using a tower crane-shaped concrete extruder that can rotate 360 degrees, the 38 square meter (408.88 square foot) rotor-shaped home walls were constructed in one day. Voids left in the manufacturing process were filled by hand, installing windows, doors, and adding polyurethane and fiber insulation to the hollow concrete walls. The roof was also constructed by hand using polymer membranes, welded together using hot air and special equipment. Total construction costs were $10,134 (USD), approximately $266.66 per square meter ($24.78 per square foot). They also constructed a temporary protective heated tent to surround the house as they constructed the house during winter. Though the printer can be used at temperatures down to -35C, concrete has to be at least +5C to cure. Further reading: Designboom Magazine
Intel

Intel Security Releases Detection Tool For EFI Rootkits After CIA Leak (pcworld.com) 159

After WikiLeaks revealed data exposing information about the CIA's arsenal of hacking tools, Intel Security has released a tool that allows users to check if their computer's low-level system firmware has been modified and contains unauthorized code. PCWorld reports: The release comes after CIA documents leaked Tuesday revealed that the agency has developed EFI (Extensible Firmware Interface) rootkits for Apple's Macbooks. The documents from CIA's Embedded Development Branch (EDB) mention an OS X "implant" called DerStarke that includes a kernel code injection module dubbed Bokor and an EFI persistence module called DarkMatter. In addition to DarkMatter, there is a second project in the CIA EDB documents called QuarkMatter that is also described as a "Mac OS X EFI implant which uses an EFI driver stored on the EFI system partition to provide persistence to an arbitrary kernel implant." The Advanced Threat Research team at Intel Security has created a new module for its existing CHIPSEC open-source framework to detect rogue EFI binaries. CHIPSEC consists of a set of command-line tools that use low-level interfaces to analyze a system's hardware, firmware, and platform components. It can be run from Windows, Linux, macOS, and even from an EFI shell. The new CHIPSEC module allows the user to take a clean EFI image from the computer manufacturer, extract its contents and build a whitelist of the binary files inside. It can then compare that list against the system's current EFI or against an EFI image previously extracted from a system.
Microsoft

Microsoft Admits Mistake, Pulls Problematic Windows 10 Driver (betanews.com) 68

Wayne Williams, writing for BetaNews: Microsoft pushed out a mysterious driver to Windows users on Wednesday that caused big problems for some. The driver, listed as "Microsoft -- WPD -- 2/22/2016 12:00:00 AM -- 5.2.5326.4762," wasn't accompanied by any details, although we knew from the name that it related to Windows Portable Devices and affected users who had phones and tablets connected to the OS. Microsoft today admitted the problem with the driver, saying on the Answers Forum: "An incorrect device driver was released for Windows 10, on March 8, 2017, that affected a small group of users with connected phones or portable devices. After installation, these devices are not detected properly by Windows 10, but are affected in no other way. We removed the driver from Windows Update the same day, but if the driver had already installed, you may still be having this issue." As Williams adds, even though it was an optional update for Windows 7 and Windows 8.1 users, it was pushed to those on Windows 10.
Chrome

Chrome 57 Arrives With CSS Grid Layout and API Improvements (venturebeat.com) 87

Google has launched Chrome 57 for Windows, Mac, and Linux. From a report on VentureBeat: Among the additions is CSS Grid Layout, API improvements, and other new features for developers. You can update to the latest version now using the browser's built-in silent updater, or download it directly from google.com/chrome. Chrome is arguably more than a browser: With over 1 billion users, it's a major platform that web developers have to consider. In fact, with Chrome's regular additions and changes, developers have to keep up to ensure they are taking advantage of everything available. Chrome 57 implements CSS Grid Layout, a two-dimensional grid-based layout system for responsive user interface design. Elements within the grid can be specified to span multiple columns or rows, plus they can also be named so that layout code is easier to understand. The goal is to give developers more granular control, especially as websites are increasingly accessed on various screen sizes, so they can slowly move away from complex code that is difficult to maintain.
PlayStation (Games)

PlayStation 4.5 Update Brings HDD Support, PS4 Pro 'Boost Mode' (theinquirer.net) 40

Sony has officially pushed out the PlayStation 4.5 System Update, codenamed "Susuke," which brings a new Boost Mode for PS4 Pro owners and lets PS4 owners download and install games directly to USB 3.0 hard drives up to 8TB in size. The INQUIRER reports: PS4 Pro owners are also being treated to a new Boost Mode, which will offer improved performance for PS4 games released before the Pro console. "This feature has been designed to provide better performance for select legacy titles that have not been patched to take advantage of the PS4 Pro's faster CPU and its faster and double-sized GPU," Sony said in a blog post. "This can provide a noticeable frame rate boost to some games with variable frame rates, and can provide frame rate stability for games that are programmed to run at 30 Hz or 60 Hz." The PS 4.5 update brings an improved 2D mode to owners of Sony's PlayStation VR headset, which the firm claims will significantly improve the resolution of the system screen displayed on your TV when you're out of VR mode. The resolution of Cinematic Mode on PlayStation VR is also getting a boost, with Sony noting "if your PS VR screen size is set to Small or Medium, the frame rate of content viewed in Cinematic Mode goes up from 90Hz to 120Hz with this update." Other new features include added support for voice chat when using Remote Play on Windows, Mac or an Xperia device, an 'Off Console' icon that tells gamers when a friend is logged in but away from their device and updates to the PS Messages and PS Communities apps on iOS and Android.
