Windows 7 end-of-life nag messages will start showing up next month

Found on Ars Technica on Wednesday, 13 March 2019
Browse Software

Starting next month, the operating system will show users a "courtesy reminder" to tell them that security updates will cease and that Windows 10 (and hardware to run it on) exists. Microsoft promises that the message will only appear a "handful of times" during 2019 and that there will be a "do not notify me again" checkbox that will definitely suppress any future messages.

Update reminders are well-remembered from the times when Microsoft tried to force everybody onto Windows 10; even against their will.

Windows 7 Extended Security Updates will double in price each year

Found on Ars Technica on Thursday, 07 February 2019
Browse Software

For organizations already subscribing to Windows Enterprise, the first year of updates will cost an additional $25 per device. This doubles to $50 for the second year and $100 for the third year.

For companies sticking with Windows 7 Pro instead of subscribing to Windows Enterprise, the first year will cost $50 per device and will double each subsequent year to $100 and then $200.

Or just migrate to Linux.

LibreOffice patches malicious code-execution bug, Apache OpenOffice – wait for it, wait for it – doesn't

Found on The Register on Wednesday, 06 February 2019
Browse Software

When he published on February 1, in conjunction with the LibreOffice fix notification, OpenOffice still had not been patched. Inführ says he reconfirmed that he could go ahead with disclosure even though OpenOffice 4.16 has yet to be fixed.

His proof-of-concept exploit doesn't work with OpenOffice out-of-the-box because the software doesn't allow parameters to be passed in the same way as the unpatched version of LibreOffice did. However, he says that the path traversal issue can still be abused to execute a local Python file and cause further mischief and damage.

Oracle does not have much interest in products it can't use to make money. Otherwise LibreOffice wouldn't have been forked.

Google Play apps with >4.3 million downloads stole pics and pushed porn ads

Found on Ars Technica on Friday, 01 February 2019
Browse Software

Google has banned dozens of Android apps downloaded millions of times from the official Play Store after researchers discovered they were being used to display phishing and scam ads or perform other malicious acts.

Trend Micro researchers discovered another batch of apps that falsely promised to allow users to “beautify” their pictures by uploading them to a designated server. Instead of delivering an edited photo, however, the server provided a picture with a fake update prompt in nine different languages. The apps made it possible for the developers to collect the uploaded photos, possibly for use in fake profile pics or for other malicious purposes. The developers took pains to prevent users from detecting what was happening.

Hopefully that help to teach users the lesson not to install random software just because it is in some official store. On the other hand, when looking at users in general, there is not much hope.

The D in SystemD stands for Danger, Will Robinson! Defanged exploit code for security holes now out in the wild

Found on The Register on Thursday, 31 January 2019
Browse Software

Those who haven't already patched a trio of recent vulnerabilities in the Linux world's SystemD have an added incentive to do so: security biz Capsule8 has published exploit code for the holes.

Exploitation of these code flaws allows an attacker to alter system memory in order to commandeer systemd-journal, which permits privilege escalation to the root account of the system running the software.

Let's stuff everything into an init-system, they said. There's nothing wrong with that, they said.

Firefox to remove UI dark pattern from Screenshot tool after months of complaints

Found on ZD Net on Friday, 18 January 2019
Browse Software

The issue is that the Save button doesn't save the screenshot to the PC, as most users would naturally expect, but uploads the image to a Mozilla server.

This is both a privacy violation, as some users don't appreciate being tricked into uploading sensitive images saved on remote servers, but also an incovenience as users would still have to download the image locally, but in multiple steps afterward.

You have to admit that Mozilla is working as best as it can to totally ruin what is left from the userbase of Firefox. In the past years it has removed features the users liked, added features users don't like while generally trying hard to be a clone of Chrome.

Red Hat gets heebie-jeebies over MongoDB's T&Cs squeeze: NoSQL database dropped

Found on The Register on Thursday, 17 January 2019
Browse Software

Under section 4.7, the release notes say, "Note that the NoSQL MongoDB database server is not included in RHEL 8.0 Beta because it uses the Server Side Public License (SSPL)."

The SSPL differs from other software licenses in that it requires anyone making SSPL software available as a service to publish not only source code and modifications, but also the source code of the infrastructure applications that run SSPL code. This includes, as the license states, "management software, user interfaces, application program interfaces, automation software, monitoring software, backup software, storage software and hosting software, all such that a user could run an instance of the service using the Service Source Code you make available."

That's one way to kill yourself. Not that anything of value will be lost.

Mozilla: Firefox 69 will disable Adobe Flash plugin by default

Found on ZD Net on Wednesday, 16 January 2019
Browse Software

Firefox 69 will be Mozilla's third last step to completely dropping support for the historically buggy plugin, which will reach end of life on December 31, 2020. Flash is the last remaining NPAPI plugin that Firefox supports.

As of Chrome 69, users need to give permission for each site to use Flash every time the browser is restarted.

It's about time. Flash has always been the biggest security issue in any browser. It's amazing how bad and extremely buggy a single plugin can be.

Microsoft: Windows 10 to grab 7GB of your storage so big updates don't fail

Found on ZD Net on Tuesday, 08 January 2019
Browse Software

In the next major release of Windows 10, Microsoft will reserve 7GB of your device's storage to resolve a Windows 10 bug thrown up by Windows Update not checking whether a PC has enough storage space before launching after big updates.

That happens because Windows doesn't check if a device has enough space before initializing. Microsoft's current solution is for users to manually delete unnecessary temporary files and temporarily move important files like photos and videos to external storage devices to make enough space for the update.

Microsoft estimates that reserved storage will start at about 7GB, but notes it could need more depending on how a device is used.

So Microsoft basically admits that they are unable to figure out before trying to update if enough free space is available? Really now? Plus, they call this a bugfix?

Mozilla Looks to Improve Email With 2019 Thunderbird Roadmap

Found on eWEEK on Friday, 04 January 2019
Browse Software

In July 2012 after nearly a decade of trying to get traction for Thunderbird, Mozilla Chief Mitchell Baker announced that Mozilla would pull back its focus and funding from Thunderbird. At that point, many assumed that Thunderbird was done, but that's not quite how things have turned out.

"So here we are, in 2019. Looking into the future, this year looks bright for the Thunderbird project," Ryan Sipes, community manager for the Thunderbird project, wrote in a blog post.

If Mozilla handles Thunderbird like they do Firefox, then there is nothing to look forward to.