Steam Windows Client Local Privilege Escalation 0day

Found on Amonitoring on Thursday, 08 August 2019
Browse Software

45 days have gone since the initial report, so I want to publicly disclose the vulnerability. I hope this will bring Steam developers to make some security improvements.

This article was ready for publication by July 30 (this date was chosen due to 45 days deadline since initial vulnerability report was sent). So, two weeks after my message, which was sent on July 20, a person appears, who tells me that my report was marked as not applicable, they closed the discussion and wouldn’t offer any explanation to me. Moreover, they didn't want me to disclose the vulnerability. At the same time, there was not even a single word from Valve. No, guys, that's not how it works. You didn’t respect my work, and that's the reason why I won’t respect yours — I see no reason why I shouldn't publish this report.

Ff it is a vulnerability, Steam should acknowledge it, fix it and rewards the guy. If it is not a vulnerability, then there cannot be any harm done by the discloser, because, well, it is not a bug.

Microsoft changes Windows 10’s update model

Found on Ars Technica on Thursday, 25 July 2019
Browse Software

Fast Ring subscribers are the first to get new features and updates. Slow Ring subscribers get those features before they're public but not until after the Fast Ring folks have had a while to flush out the worst of the bugs.

If Microsoft continues in the vein that it has begun with 20H1 and 19H2, the Fast Ring will get longer periods of time to test the biggest and potentially more problematic major feature upgrades, and the Slow Ring will get the first crack at—and more time to test—the smaller incremental updates aimed at fixing long-term problems in performance and stability.

With all the endless bugs, problems and angry customers it sounds like Fast and Slow Ring are the end users.

Microsoft tells resellers: 'We listened to you, and we have acted' – please keep making us money

Found on The Register on Friday, 12 July 2019
Browse Software

Faced with continued rumbles of discontent from its reseller network on the eve of its Inspire conference, Microsoft has climbed down from plans to pull free software licences from its channel chums.

The crux of the proposed changes was the removal of the free licences that Microsoft granted to resellers to allow them to run their businesses. With many being relatively small businesses, the proposed wholesale removal of those licences triggered shrieks of pain.

Mircosoft licensing is just horrid. It must be the Tenth Circle of Hell.

Firefox 68 arrives with darker reader view, recommended extensions, and IT customizations

Found on Venturebeat on Wednesday, 10 July 2019
Browse Software

Mozilla today launched Firefox 68 for Windows, Mac, Linux, Android, and iOS. Firefox 68 includes a darker reader view, recommended extensions, IT Pro customizations, and more.

As part of this release, Mozilla has curated a list of recommended extensions “that have been thoroughly reviewed for security, usability, and usefulness.”

It's always funny how companies seem to know exactly what is useful to you. Recommendations on Firefox will be probably just as bad as those on Youtube.

More than 1,000 Android apps harvest data even after you deny permissions

Found on CNet News on Monday, 08 July 2019
Browse Software

If you don't want a flashlight app to be able to read through your call logs, you should be able to deny that access. But even when you say no, many apps find a way around: Researchers discovered more than 1,000 apps that skirted restrictions, allowing them to gather precise geolocation data and phone identifiers behind your back.

Lawmakers are attempting to reel that in with privacy regulation, and app permissions are supposed to control what data you give up. Apple and Google have released new features to improve people's privacy, but apps continue to find hidden ways to get around these protections.

No surprise if users install every single app they can possibly find, only to get some questionable feature, or a totally pointless game. The less brain required, the more installs.

Microsoft Issues Warning For 800M Windows 10 Users

Found on Forbes on Monday, 01 July 2019
Browse Software

What Microsoft confirms it did was quietly switch off Registry backups in Windows 10 eight months ago, despite giving users the impression this crucial safeguarding system was still working. As Ghacks spotted at the time, Registry backups would show “The operation completed successfully", despite no backup file being created.

So why has Microsoft done this? In the company’s own words: “to help reduce the overall disk footprint size of Windows”. And how big is a registry backup? Typically 50-100MB.

This makes you wonder if Microsoft runs monthly "Make the dumbest possible decisions" competition. To save space, turn off backups. There's hardly anything more stupid you can do. At the same time they preinstall useless gaming apps nobody needs.

CERN Ditches Microsoft to ‘Take Back Control’ with Open Source Software

Found on omg! ubuntu! on Friday, 14 June 2019
Browse Software

Microsoft recently revoked the organisations status as an academic institution, instead pricing access to its services on users. This bumps the cost of various software licenses 10x, which is just too much for CERN’s budget.

“MAlt’s objective is to put us back in control using open software. It is now time to present more widely this project and to explain how it will shape our computing environment,” CERN’s Emmanuel Ormancey explains in a blog post.

Microsoft licensing is an absolute nightmare and in some cases flat out ridiculous. Let's not forget the privacy nightmare either. The more moving away from that software, the better.

Google Says It Isn't Killing Ad Blockers. Ad Blockers Disagree

Found on Wired on Thursday, 13 June 2019
Browse Software

Over the past 18 months, Google has pushed to improve Chrome extension security—a welcome goal given the sketchy morass of extensions that have been out there for years. But one proposed change related to this effort threatens to hobble ad blocking extensions.

Its new iteration, the company says, will better protects users' data and help ad blockers work more more efficiently. But ad blocker developers argue the new arrangement will hinder their ability to quickly and correctly identify ads, without necessarily providing the benefits touted by Google.

A company who makes billions from online advertising is looking for excuses to mess with adblockers. How shocking and surprising.

238 Google Play apps with >440 million installs made phones nearly unusable

Found on Ars Technica on Thursday, 06 June 2019
Browse Software

Carefully concealed adware installed in Google-approved apps with more than 440 million installations was so aggressive that it rendered mobile devices nearly unusable, researchers from mobile security provider Lookout said Tuesday.

Once installed, the apps initially behaved normally. Then, after a delay of anywhere between 24 hours and 14 days, the obfuscated BeiTaAd plugin would begin delivering what are known as out-of-app ads. These ads appeared on users' lock screens and triggered audio and video at seemingly random times or even when a phone was asleep.

There's no indication that CooTek will be banned or otherwise punished for breaching Play terms of service on such a mass scale and for taking the steps it did to hide the violation.

Remember, back in the days, where marketing folks told everybody who wanted to hear (and those who didn't too) that walled gardens appstores are a perfect way to keep malware away?

Google to restrict modern ad blocking Chrome extensions to enterprise users

Found on 9to5 Google on Thursday, 30 May 2019
Browse Software

With the Manifest V3 proposal, Google deprecates the webRequest API’s ability to block a particular request before it’s loaded.

Google is essentially saying that Chrome will still have the capability to block unwanted content, but this will be restricted to only paid, enterprise users of Chrome. This is likely to allow enterprise customers to develop in-house Chrome extensions, not for ad blocking usage.

For the rest of us, Google hasn’t budged on their changes to content blockers, meaning that ad blockers will need to switch to a less effective, rules-based system, called “declarativeNetRequest.”

Blocked ads are a loss of money for Google. It's not much of a surprise that Google does not like them. Floods of ads and popups could be just what is needed to anger the Chrome users so Google rethinks its decision.