Windows 10 May 2019 update blocked for anyone using USB or SD storage

Found on Ars Technica on Wednesday, 24 April 2019

Because of an issue that's frankly remarkable, Microsoft is blocking the update for anyone using USB storage or SD storage. That is to say: if you have a USB hard disk or thumb drive, or an SD card in an SD card reader, the update won't install.

As with so many Windows 10 bugs, the real question here is how on Earth this was only detected at this late stage in development. USB storage is not esoteric or unusual, and a problem like this is going to affect a large proportion of Windows 10 users.

It's getting more and more ridiculous. It's as if Microsoft tries to look incompetent.

Microsoft going to extreme lengths to ensure May update avoids mistakes of 1809

Found on Ars Technica on Thursday, 04 April 2019

It's going to be the May 2019 update, because Microsoft is being a great deal more cautious about this release. Next week, a build will be pushed to the Release Preview ring, which should provide around a month of testing before its expected release date.

If Microsoft sticks with its plan to leave the feature update optional until it becomes a prerequisite for support, many Windows 10 users may not find themselves upgrading for more than a year after its release.

It cannot really get any worse than 1809. Well, probably not...

Google: Play Protect cut harmful Android app installs by 20% in 2018

Found on Venturebeat on Friday, 29 March 2019

Google says that Google Play Protect, Android’s AI-driven built-in defense mechanism that scans over 50 billion apps every day on-device and upwards of 500,000 in the cloud, substantially cut down on the number of Potentially Harmful Applications (PHAs) in Google Play.

The question is where the difference lies between malware and apps that monetize your private data. Software requires access to all sorts of data for which it has no reason other than to collect and sell it.

Windows 7 end-of-life nag messages will start showing up next month

Found on Ars Technica on Wednesday, 13 March 2019

Starting next month, the operating system will show users a "courtesy reminder" to tell them that security updates will cease and that Windows 10 (and hardware to run it on) exists. Microsoft promises that the message will only appear a "handful of times" during 2019 and that there will be a "do not notify me again" checkbox that will definitely suppress any future messages.

Update reminders are well-remembered from the times when Microsoft tried to force everybody onto Windows 10, even against their will.

Windows 7 Extended Security Updates will double in price each year

Found on Ars Technica on Thursday, 07 February 2019

For organizations already subscribing to Windows Enterprise, the first year of updates will cost an additional $25 per device. This doubles to $50 for the second year and $100 for the third year.

For companies sticking with Windows 7 Pro instead of subscribing to Windows Enterprise, the first year will cost $50 per device and will double each subsequent year to $100 and then $200.

Or just migrate to Linux.

LibreOffice patches malicious code-execution bug, Apache OpenOffice – wait for it, wait for it – doesn't

Found on The Register on Wednesday, 06 February 2019

When he published on February 1, in conjunction with the LibreOffice fix notification, OpenOffice still had not been patched. Inführ says he reconfirmed that he could go ahead with disclosure even though OpenOffice 4.16 has yet to be fixed.

His proof-of-concept exploit doesn't work with OpenOffice out-of-the-box because the software doesn't allow parameters to be passed in the same way as the unpatched version of LibreOffice did. However, he says that the path traversal issue can still be abused to execute a local Python file and cause further mischief and damage.

Oracle does not have much interest in products it can't use to make money. Otherwise LibreOffice wouldn't have been forked.

Google Play apps with >4.3 million downloads stole pics and pushed porn ads

Found on Ars Technica on Friday, 01 February 2019

Google has banned dozens of Android apps downloaded millions of times from the official Play Store after researchers discovered they were being used to display phishing and scam ads or perform other malicious acts.

Trend Micro researchers discovered another batch of apps that falsely promised to allow users to “beautify” their pictures by uploading them to a designated server. Instead of delivering an edited photo, however, the server provided a picture with a fake update prompt in nine different languages. The apps made it possible for the developers to collect the uploaded photos, possibly for use in fake profile pics or for other malicious purposes. The developers took pains to prevent users from detecting what was happening.

Hopefully that helps to teach users the lesson not to install random software just because it is in some official store. On the other hand, when looking at users in general, there is not much hope.

The D in SystemD stands for Danger, Will Robinson! Defanged exploit code for security holes now out in the wild

Found on The Register on Thursday, 31 January 2019

Those who haven't already patched a trio of recent vulnerabilities in the Linux world's SystemD have an added incentive to do so: security biz Capsule8 has published exploit code for the holes.

Exploitation of these code flaws allows an attacker to alter system memory in order to commandeer systemd-journal, which permits privilege escalation to the root account of the system running the software.

Let's stuff everything into an init-system, they said. There's nothing wrong with that, they said.

Firefox to remove UI dark pattern from Screenshot tool after months of complaints

Found on ZD Net on Friday, 18 January 2019

The issue is that the Save button doesn't save the screenshot to the PC, as most users would naturally expect, but uploads the image to a Mozilla server.

This is both a privacy violation, as some users don't appreciate being tricked into uploading sensitive images saved on remote servers, but also an inconvenience as users would still have to download the image locally, but in multiple steps afterward.

You have to admit that Mozilla is working as best as it can to totally ruin what is left of the userbase of Firefox. In the past years it has removed features the users liked and added features users don't like, while generally trying hard to be a clone of Chrome.

Red Hat gets heebie-jeebies over MongoDB's T&Cs squeeze: NoSQL database dropped

Found on The Register on Thursday, 17 January 2019

Under section 4.7, the release notes say, "Note that the NoSQL MongoDB database server is not included in RHEL 8.0 Beta because it uses the Server Side Public License (SSPL)."

The SSPL differs from other software licenses in that it requires anyone making SSPL software available as a service to publish not only source code and modifications, but also the source code of the infrastructure applications that run SSPL code. This includes, as the license states, "management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available."

That's one way to kill yourself. Not that anything of value will be lost.