Windows

Microsoft To Introduce a New Feature In Windows 10 Which Will Allow Users To Block Installation of Desktop Apps (mspoweruser.com) 182

Microsoft is planning to introduce a new feature to Windows 10 that will allow a user to prevent installation of desktop apps. The latest Windows Insider build comes with an option that allows users to enable app installations only from the Windows Store. From a report on MSPowerUser: Once enabled, users will see a warning whenever they try to install a Win32 app -- they will get a dialog saying apps from the Windows Store help to keep their PC "safe and reliable." This feature is obviously disabled by default, but users can enable it really easily if they want.
Bug

Google Discloses Yet Another New Unpatched Microsoft Vulnerability In Edge/IE (bleepingcomputer.com) 70

An anonymous reader quotes BleepingComputer: Google has gone public with details of a second unpatched vulnerability in Microsoft products, this time in Edge and Internet Explorer, after publishing details last week about a bug in the Windows GDI (Graphics Device Interface) component... The bug, discovered by Google Project Zero researcher Ivan Fratric, is tracked by the CVE-2017-0037 identifier and is a type confusion, a kind of security flaw that can allow an attacker to execute code on the affected machine, and take over a device.

Details about CVE-2017-0037 are available in Google's bug report, along with proof-of-concept code. The PoC code causes a crash of the exploited browser, but depending on the attacker's skill level, more dangerous exploits could be built... Besides the Edge and IE bug, Microsoft products are also plagued by two other severe security flaws, one affecting the Windows GDI component and one the SMB file sharing protocol shipped with all Windows OS versions...

Google's team notified Microsoft of the bug 90 days ago, only disclosing it publicly on Friday.
Microsoft

94% of Microsoft Vulnerabilities Can Be Mitigated By Turning Off Admin Rights (computerworld.com) 222

An anonymous reader quotes Computerworld: If you want to shut out the overwhelming majority of vulnerabilities in Microsoft products, turn off admin rights on the PC. That's the conclusion from global endpoint security firm Avecto, which has issued its annual Microsoft Vulnerabilities report. It found that there were 530 Microsoft vulnerabilities reported in 2016, and of these critical vulnerabilities, 94% were found to be mitigated by removing admin rights, up from 85% reported last year. This is especially true with the browser, for those who still use Microsoft's browsers. 100% of vulnerabilities impacting both Internet Explorer and Edge could be mitigated by removing admin rights, Avecto reported... Windows 10 was found to have the highest proportion of vulnerabilities of any OS (395), 46% more than Windows 8 and Windows 8.1 (265 each). Avecto found that 93% of Windows 10 vulnerabilities could be mitigated by removing admin rights.
Of course, the stats are based on vulnerabilities announced in Microsoft Security Bulletins, but there's an overwhelming pattern. Turning off admin rights mitigated the vast majority of vulnerabilities, whether it was Windows Server (90%) or older versions of Microsoft Office (99%). And turning off admin rights in Office 2016 mitigated 100% of its vulnerabilities.
Communications

Paralyzed Man Uses Brain Implant To Type Eight Words Per Minute (ieee.org) 40

A study published in the journal eLife describes three participants that broke new ground in the use of brain-computer interfaces (BCIs) by people with paralysis. One of the participants, a 64-year-old man paralyzed by a spinal cord injury, "set a new record for speed in a 'copy typing' task," reports IEEE Spectrum. "Copying sentences like 'The quick brown fox jumped over the lazy dog,' he typed at a relatively blistering rate of eight words per minute." From the report: This experimental gear is far from being ready for clinical use: To send data from their implanted brain chips, the participants wear head-mounted components with wires that connect to the computer. But Henderson's team, part of the multiuniversity BrainGate consortium, is contributing to the development of devices that can be used by people in their everyday lives, not just in the lab. "All our research is based on helping people with disabilities," Henderson tells IEEE Spectrum. Here's how the system works: The tiny implant, about the size of a baby aspirin, is inserted into the motor cortex, the part of the brain responsible for voluntary movement. The implant's array of electrodes record electrical signals from neurons that "fire" as the person thinks of making a motion like moving their right hand -- even if they're paralyzed and can't actually move it. The BrainGate decoding software interprets the signal and converts it into a command for the computer cursor. Interestingly, the system worked best when the researchers customized it for each participant. To train the decoder, each person would imagine a series of different movements (like moving their whole right arm or wiggling their left thumb) while the researchers looked at the data coming from the electrodes and tried to find the most obvious and reliable signal. Each participant ended up imagining a different movement to control the cursor. 
The woman with ALS imagined moving her index finger and thumb to control the cursor's left-right and up-down motions. Henderson says that after a while, she didn't have to think about moving the two digits independently. "When she became facile with this, she said it wasn't anything conscious; she felt like she was controlling a joystick," he says. The man with the spinal cord injury imagined moving his whole arm as if he were sliding a puck across a table. "Each participant settled on control modality that worked best," Henderson says. You can watch a video about the study here.
Security

Netflix Just Announced a User Focused Security Application (netflix.com) 43

Moving beyond movies and TV shows (and their DVDs), Netflix announced on Tuesday Stethoscope, its "first project following a User Focused Security approach." From the company's blog post: The notion of "User Focused Security" acknowledges that attacks against corporate users (e.g., phishing, malware) are the primary mechanism leading to security incidents and data breaches, and it's one of the core principles driving our approach to corporate information security. [...] Stethoscope is a web application that collects information for a given user's devices and gives them clear and specific recommendations for securing their systems. If we provide employees with focused, actionable information and low-friction tools, we believe they can get their devices into a more secure state without heavy-handed policy enforcement. The company says Stethoscope tracks disk encryption, firewall, automatic updates, up-to-date OS/software, screen lock, jailbroken/rooted status, and security software stack configurations of the device.
Microsoft

Microsoft Confirms Another 2017 Update After Windows 10 Creators Update (betanews.com) 74

Mark Wilson, writing for BetaNews: Windows 10 Creators Update is due to arrive in the spring, and at Microsoft Ignite in Australia, the company confirmed that a second major update is on the way later in the year. We don't know a great deal about this update, but it's likely to incorporate Project NEON design elements. While it is not a new revelation that a second big update is coming to Windows 10 in 2017, until now there has only been a passing reference to the second one from Microsoft.
Linux

Linux Kernel 4.10 Officially Released With Virtual GPU Support (softpedia.com) 90

"Linus Torvalds announced today the general availability of the Linux 4.10 kernel series, which adds a great number of improvements, new security features, and support for the newest hardware components," writes Softpedia. prisoninmate quotes their report: Linux kernel 4.10 has been in development for the past seven weeks, during which it received a total of seven Release Candidate snapshots that implemented all the changes that you'll soon be able to enjoy on your favorite Linux-based operating system... Prominent new features include virtual GPU (Graphics Processing Unit) support, new "perf c2c" tool that can be used for analysis of cacheline contention on NUMA systems, support for the L2/L3 caches of Intel processors (Intel Cache Allocation Technology), eBPF hooks for cgroups, hybrid block polling, and better writeback management. A new "perf sched timehist" feature has been added in Linux kernel 4.10 to provide detailed history of task scheduling, and there's experimental writeback cache and FAILFAST support for MD RAID5... Ubuntu 17.04 (Zesty Zapus) could be the first stable OS to ship with Linux 4.10.
It required 13,000 commits, plus over 1,200 merges, Linus wrote in the announcement, adding "On the whole, 4.10 didn't end up as small as it initially looked."
Bug

Google Discloses An Unpatched Windows Bug (Again) (bleepingcomputer.com) 121

An anonymous reader writes: "For the second time in three months, Google engineers have disclosed a bug in the Windows OS without Microsoft having released a fix before Google's announcement," reports BleepingComputer. "The bug in question affects the Windows GDI (Graphics Device Interface) (gdi32.dll)..." According to Google, the issue allows an attacker to read the content of the user's memory using malicious EMF files. The bad news is that the EMF file can be hidden in other documents, such as DOCX, and can be exploited via Office, IE, or Office Online, among many.

"According to a bug report filed by Google's Project Zero team, the bug was initially part of a larger collection of issues discovered in March 2016, and fixed in June 2016, via Microsoft's security bulletin MS16-074. Mateusz Jurczyk, the Google engineer who found the first bugs, says the MS16-074 patches were insufficient, and some of the issues he reported continued to remain vulnerable." He later resubmitted the bugs in November 2016. The 90-days deadline for fixing the bugs expired last week, and the Google researcher disclosed the bug to the public after Microsoft delayed February's security updates to next month's Patch Tuesday, for March 15.

Microsoft has described Google's announcements of unpatched Windows bugs as "disappointing".
Android

99.6 Percent of New Smartphones Run Android or iOS (theverge.com) 91

The latest smartphone figures from Gartner show how much iOS and Android are dominating the smartphone market. According to the report, Android and iOS accounted for 99.6 percent of all smartphone sales in the fourth quarter of 2016. For comparison, this figure was 96.8 percent in the second quarter of 2015. The Verge reports: Of the 432 million smartphones sold in the last quarter, 352 million ran Android (81.7 percent) and 77 million ran iOS (17.9 percent), but what happened to the other players? Well, in the same quarter, Windows Phone managed to round up 0.3 percent of the market, while BlackBerry was reduced to a rounding error. The once-great firm sold just over 200,000 units, amounting to 0.0 percent market share. It's worth noting that although, in retrospect, this state of affairs seems inescapable, for years analysts were predicting otherwise. Three years ago, Gartner said that Microsoft's mobile OS would overtake iOS for market share in 2017, while BlackBerry would still be hanging around as a sizable (if small) player.
Programming

Apple Announces WWDC 2017, To Be Held in San Jose On June 5-9 (daringfireball.net) 63

Apple said today it will kick off this year's Worldwide Developers Conference on June 5. Much like every year, the developer conference is the place where we can expect to see what's coming to iOS, macOS, watchOS, and tvOS later this year. This year, the event is being held in a different venue: the McEnery Convention Center in San Jose, the original home of WWDC. John Gruber, writing for DaringFireball: First, announcing early really helps people who have to travel long distances to attend, particularly those from outside the U.S. The San Jose Convention Center is the original home of WWDC -- that's where it was held from 1988 through 2002. (WWDC 2002 was the year Steve Jobs held a funeral for Mac OS 9 during the keynote.) San Jose is way closer to Apple headquarters. San Francisco is about an hour drive from 1 Infinite Loop. The San Jose Convention Center is only five minutes away from Apple's new campus. Schiller emphasized to me that this is a big deal: more Apple employees from more teams will be present, simply because they won't have to devote an entire day to being there. (This could be a particular boon to WWDC's developer labs, where attendees can get precious face time with Apple's engineers.)
Java

JavaScript Attack Breaks ASLR On 22 CPU Architectures (bleepingcomputer.com) 157

An anonymous reader quotes a report from BleepingComputer: Five researchers from the Vrije University in the Netherlands have put together an attack that can be carried out via JavaScript code and break ASLR protection on at least 22 microprocessor architectures from vendors such as Intel, AMD, ARM, Allwinner, Nvidia, and others. The attack, christened ASLRCache, or AnC, focuses on the memory management unit (MMU), a lesser known component of many CPU architectures, which is tasked with improving performance for cache management operations. What researchers discovered was that this component shares some of its cache with untrusted applications, including browsers. This meant that researchers could send malicious JavaScript that specifically targeted this shared memory space and attempted to read its content. In layman's terms, this means an AnC attack can break ASLR and allow the attacker to read portions of the computer's memory, which he could then use to launch more complex exploits and escalate access to the entire OS. Researchers have published two papers [1, 2] detailing the AnC attack, along with two videos [1, 2] showing the attack in action.
Open Source

MariaDB Fixes Business Source License, Releases MaxScale 2.1 (perens.com) 17

Creator of The Open Source Definition and longtime Slashdot reader Bruce Perens writes: MariaDB is releasing MaxScale 2.1, a new version of their database routing proxy, and has modified its timed-transition-to-Open-Source "Business Source License" to make it more acceptable to the Open Source community and more easily usable by other companies. I've blogged the issues I had with the license and how MariaDB has fixed them, and Kaj Arno has blogged the MariaDB side of the story. Here's an excerpt from Perens' blog post: "The BSL is a parameterized license. The licensor chooses the license which is transitioned to, the date of the transition, and the limitation. The problem with this is that it was so parameterized that if you told someone the license was 'BSL 1.0,' they would not have any idea what license they really had. It might transition to any of 100 Open Source licenses, or to a non-Open-Source license. The transition might happen in a month, or next century. The limitation might be that you could only have three commercial servers, or that you indentured your firstborn son (OK, that's going overboard, but you get the picture)." He continues, "So, I didn't like that 'BSL' didn't really say what the license did, and I didn't feel that was the best thing for the users or the community. I asked MariaDB to fix it. Together we have arrived at constraints on the parameters and minimum privileges that will take the new BSL much closer to being one license while still allowing licensors some latitude to choose parameters."
Android

China's Huawei Catching Up With Apple, Samsung Smartphone Sales (livemint.com) 62

From a report: Chinese smartphone maker Huawei managed to gain ground on Samsung and Apple in terms of global market share last year, following the problems encountered by the two giants, the Gartner consultancy group said on Wednesday. Over the year as a whole, the Chinese maker saw its sales leap by 26.7 percent, while the South Korean and US rivals both saw their sales decline by 4.3 percent, Gartner said in a study. As a result, Huawei was able to increase its share of the smartphone sector to 8.9 percent in 2016 from 7.3 percent a year earlier, while Samsung saw its market share shrink by two full percentage points to 20.5 percent and Apple's contracted to 14.4 percent from 15.9 percent. "Chinese makers succeeded in winning market share over last year and Huawei now seems to be the main rival to the two giants, even if the gap remains large," Gartner analyst Annette Zimmermann told AFP.
Android

Google's Not-so-secret New OS (techspecs.blog) 129

According to reports late last year, Google is working on a new operating system called Andromeda. Much about it is still unknown, but according to the documentation Google has provided on its website, it's clear that Fuchsia is the actual name of the operating system, and the kernel is called Magenta. A tech enthusiast dug around the documentation to share the following: To my naive eyes, rather than saying Chrome OS is being merged into Android, it looks more like Android and Chrome OS are both being merged into Fuchsia. It's worth noting that these operating systems had previously already begun to merge together to an extent, such as when the Android team worked with the Chrome OS team in order to bring Update Engine to Nougat, which introduced A/B updates to the platform. Google is unsurprisingly bringing up Andromeda on a number of platforms, including the humble Intel NUC. ARM, x86, and MIPS bring-up is exactly what you would expect for an Android successor, and it also seems clear that this platform will run on Intel laptops. My best guess is that Android as an API and runtime will live on as a legacy environment within Andromeda. That's not to say that all development of Android would immediately stop, which seems extremely unlikely. But Google can't push two UI APIs as equal app frameworks over the long term: Mojo is clearly the future. Ah, but what is Mojo? Well it's the new API for writing Andromeda apps, and it comes from Chromium. Mojo was originally created to "extract a common platform out of Chrome's renderer and plugin processes that can support multiple types of sandboxed content."
Security

Russian Cyberspies Blamed For US Election Hacks Are Now Targeting Macs (computerworld.com) 251

You may recall "APT28", the Russian hacking group which was tied to last year's interference in the presidential election. It has long been known for its advanced range of tools for penetrating Windows, iOS, Android, and Linux devices. Now, researchers have uncovered an equally sophisticated malware package the group used to compromise Macs. From a report on ComputerWorld: The group -- known in the security industry under different names including Fancy Bear, Pawn Storm, and APT28 -- has been operating for almost a decade. It is believed to be the sole user and likely developer of a Trojan program called Sofacy or X-Agent. X-Agent variants for Windows, Linux, Android, and iOS have been found in the wild in the past, but researchers from Bitdefender have now come across what appears to be the first macOS version of the Trojan. It's not entirely clear how the malware is being distributed because the Bitdefender researchers obtained only the malware sample, not the full attack chain. However, it's possible a macOS malware downloader dubbed Komplex, found in September, might be involved. Komplex infected Macs by exploiting a known vulnerability in the MacKeeper antivirus software, according to researchers from Palo Alto Networks who investigated the malware at the time. The vulnerability allowed attackers to execute remote commands on a Mac when users visited specially crafted web pages. Further reading on ArsTechnica.
Microsoft

Microsoft Delays February Patch Tuesday Indefinitely (sans.edu) 88

UnderAttack writes: Microsoft today announced that it had to delay its February Patch Tuesday due to issues with a particular patch. This was also supposed to be the first Patch Tuesday using a new format, which led some to believe that even Microsoft had issues understanding how the new format is exactly going to work with no more simple bulletin summary and patches being released as large monolithic updates. Ars Technica notes the importance of this Patch Tuesday as "there's an in-the-wild zero-day flaw in SMB, Microsoft's file sharing protocol, that at the very least allows systems to be crashed." They also elaborate on the way Microsoft is "continuing to tune the way updates are delivered to Windows 7, 8.1, Server 2008 R2, Server 2012, and Server 2012 R2."
Businesses

Story of Two Developers Who Are Reporting Growth in Revenue After Leaving Apple's App Store (techcrunch.com) 65

John Biggs, writing for TechCrunch: In what amounts to one of the purest and most interesting experiments in assessing the value of Mac OS's App Store, the founder of Rogue Amoeba posted a description of what happened when he pulled his app Piezo. The result? More revenue as a whole without much damage to sales. The impetus for the move came after Apple pulled the Dash app off of the App Store. In the 100-day period since the move, Dash maintained and even increased revenue and found that its users didn't care which platform they were using -- 84% of the customers simply moved over to the independent app license from the App Store license. The bottom line? "It feels great to have full control over my business and to avoid App Store installation/updating/purchasing issues," wrote Dash creator Bogdan Popescu. When Paul Kafasis tried to move away from the App Store he was worried he'd lose half of his sales. After all, many months saw about 50% of sales coming from the App Store directly. When he pulled the app a year ago, however, all of those App Store sales turned into direct sales through his website, a fact that surprised and amused Kafasis.
EU

The City Of Munich Now Wants To Abandon Linux And Switch Back to Windows (techrepublic.com) 557

"The prestigious FOSS project replacing the entire city's administration IT with FOSS based systems, is about to be cancelled and decommissioned," writes long-time Slashdot reader Qbertino. TechRepublic reports: Politicians at open-source champion Munich will next week vote on whether to abandon Linux and return to Windows by 2021. The city authority, which made headlines for ditching Windows, will discuss proposals to replace the Linux-based OS used across the council with a Windows 10-based client. If the city leaders back the proposition it would be a notable U-turn by the council, which spent years migrating about 15,000 staff from Windows to LiMux, a custom version of the Ubuntu desktop OS, and only completed the move in 2013...

The use of the open-source Thunderbird email client and LibreOffice suite across the council would also be phased out, in favor of using "market standard products" that offer the "highest possible compatibility" with external and internal software... The full council will vote on whether to back the plan next Wednesday. If all SPD and CSU councillors back the proposal put forward by their party officials, then this new proposal will pass, because the two parties hold the majority.

The leader of the Munich Green Party says the city will lose "many millions of euros" if the change is implemented. The article also reports that Microsoft moved its German headquarters to Munich last year.
Microsoft

Microsoft Teases Windows 10's Upcoming 'Project Neon' Design Language (windowscentral.com) 139

An anonymous reader quotes a report from Windows Central: Microsoft just gave developers a sneak peek at Project Neon, Microsoft's upcoming design language for Windows 10 that aims to add fluidity, animation and blur to apps and the operating system. We exclusively revealed that this was in the works in late 2016, and today Microsoft has given us a first peek at what Project Neon will look like. During the Windows Developer Day livestream, an image of Project Neon was seen in the background of one of the PowerPoint slides being shown off on stage. Although not much, it's further confirmation that this is the end goal for Windows 10's UI, and Project Neon will be bringing a fresh coat of paint to apps. Project Neon should benefit all types of Windows 10 devices, including Windows 10 Mobile, HoloLens and even Xbox. We're still several months away from Project Neon being everywhere in Windows 10, and we're expecting to see more at BUILD this coming May. In fact, a lot of the Project Neon APIs are available in the latest Insider Preview builds of Windows 10, meaning developers can already begin taking advantage of these new user interfaces and design language! Animations and transitions are a big deal with Project Neon, with the goal of making the operating system and apps feel like they work together. Peter Bright does a good job summarizing the looks of the screenshot via Ars Technica: "The picture shows a refreshed version of the Groove music app on a Windows desktop. The fundamentals of the app and its layout aren't changed, underscoring that Neon is very much an iteration of the current Metro/Microsoft Design Language (MDL). The window has shed its discrete title bar and one pixel border, with the application content now extending to the very edge of the window. The search text field no longer has a box around it, and the left hand pane has a hint of translucency to it." You can view the screenshot here and judge it for yourself.
Communications

Linux Kernel 3.18 Reaches End of Life (softpedia.com) 101

prisoninmate quotes a report from Softpedia: Linux kernel 3.18.48 LTS is here and it's the last in the series, which was marked for a January 2017 extinction since mid-April last year. According to the appended shortlog, the new patch changes a total of 50 files, with 159 insertions and 351 deletions. It brings an updated networking stack with Bluetooth, Bridge, IPv4, IPv6, CAIF, and Netfilter improvements, a couple of x86 fixes, and a bunch of updated USB, SCSI, ATA, media, GPU, ATM, HID, MTD, SPI, and networking (Ethernet and Wireless) drivers. Of course, this being the last maintenance update in the series, you are urged to move to a newer LTS branch, such as Linux kernel 4.9 or 4.4, which are far more secure and efficient than Linux 3.18 was. But Linux 3.18 appears to be used by Google and other vendors on a bunch of Android-powered devices, and even some Chromebooks use Linux kernel 3.18 on Chrome OS, so here's what the kernel developer suggests you do if you can't upgrade. "If you are _stuck_ on 3.18 (/me eyes his new phone), well, I might have a plan for you, that first involves you yelling very loudly at your hardware vendor and refusing to buy from them again unless they cut this crap out. After you properly vent to them, drop me an email and let's see what we can come up with, you aren't in this sinking ship alone, and it's obvious your vendor isn't going to help out," said Greg Kroah-Hartman in the mailing list announcement.
