Goodbye again, Flash—Microsoft makes removal from Windows 10 mandatory
Microsoft, Apple, Google, Mozilla, and even Adobe itself have all deprecated Adobe Flash technology, which reached end of life on January 1 of this year. This July, Microsoft is taking things one step further—KB4577586, aka Update for Removal of Adobe Flash Player, will become mandatory for all versions of Windows 10.
Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns
"By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters."
One DLL used to handle extracted video content hasn't been updated since 2012, ignoring more than 100 patches that have been made available since then.
Further inspection of Cellebrite's software also shows the company has ported over chunks of Apple's proprietary code intact and is using it to assist in iPhone extractions.
Firefox 88 Enables JavaScript Embedded In PDFs By Default
In addition to the other weird things PDF files can contain, one of them is JavaScript. Putatively offered as a way to create self-validating forms, this scripting capability has been abused over the decades in just about every way you can imagine. Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs... Until now.
To turn off JavaScript execution in PDFs: Enter about:config in the address bar; click "I'll be careful." In the search box near the top, enter pdfjs.enableScripting. Change the setting to False. Close the page.
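Since the risk above is that a PDF can carry script that runs the moment it is opened, a defender's first question is whether a given file contains any. The scanner below is an added example, not code from the article or from Firefox; the sample PDF it inspects is constructed here, and the name-based check is an assumption about what a triage script should look for (compressed object streams can hide these names, so the scanner flags that case rather than pretending to see through it).

```python
import re

# PDF name objects that carry script (an action with /S /JavaScript and
# its /JS code) and the dictionary keys that fire actions automatically
# on open (/OpenAction) or on document/page/field events (/AA).
SCRIPT_NAMES = (b"/JavaScript", b"/JS")
TRIGGER_NAMES = (b"/OpenAction", b"/AA")

def normalize_names(data: bytes) -> bytes:
    """PDF allows any byte in a name to be written as #XX (so /J#53 is /JS);
    undo that so a literal match sees the canonical spelling."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def _has_name(name: bytes, data: bytes) -> bool:
    # Require the name to end there, so /JS does not match e.g. /JSX.
    return re.search(re.escape(name) + rb"(?![A-Za-z0-9])", data) is not None

def scan_pdf(data: bytes) -> dict:
    """Return which script names and auto-trigger keys appear, plus whether
    the file uses object streams (/ObjStm), in which case dictionaries may be
    compressed and a raw scan is not conclusive."""
    norm = normalize_names(data)
    return {
        "script": sorted(n.decode() for n in SCRIPT_NAMES if _has_name(n, norm)),
        "triggers": sorted(n.decode() for n in TRIGGER_NAMES if _has_name(n, norm)),
        "compressed_objects": b"/ObjStm" in norm,
    }

# Constructed sample (not a real-world file): a minimal PDF whose catalog
# points /OpenAction at a JavaScript action, so the script runs on open.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    report = scan_pdf(SAMPLE_PDF)
    if report["script"] and report["triggers"]:
        print("script that runs automatically:", report)
    elif report["compressed_objects"]:
        print("inconclusive, object streams present:", report)
    else:
        print("no embedded script found:", report)
```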
CloudLinux Launches AlmaLinux, CentOS Linux clone
CentOS co-founder, Gregory Kurtzer, announced he'd create his own RHEL clone and CentOS replacement: Rocky Linux. Then, on Rocky's heels, commercial CentOS distributor CloudLinux announced it would create its own new CentOS clone, Lenix. Now, under a new name, AlmaLinux OS is here with its first release.
Free software becomes a standard in Dortmund, Germany
With this resolution, city policy takes on the shaping of municipal digital sovereignty and digital participation. The resolution means a reversal of the burden of proof in favor of open source software – and at the expense of proprietary software. In the future, the administration will have to justify why open source software cannot be used for every proprietary software application. Based on the report of the Dortmund city administration on the investigation of the potentials of free software and open standards, open source software is understood in the sense of free software.
Critical Flaw Found In Widely Used Netmask Open Source Module
The vulnerability was discovered while doing work to fix another vulnerability in a widely used NPM library known as Private IP. That module, which was also widely used by open source developers, enables applications to block request forgery attacks by filtering out attempts to access private IP4 addresses and other restricted IP4 address ranges, as defined by ARIN.
The IP4 address 0127.0.0.01 should be evaluated as the public IP address 87.0.0.1, because the octal string “0127” is the same as the integer “87.” However, netmask reads the address as 127.0.0.1, a trusted, localhost address. Treating an untrusted public IP address as a trusted private IP address opens the door to local and remote file inclusion (LFI/RFI) attacks, in which a remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks.
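The two readings of 0127.0.0.01 described above, side by side, as an added example that is not the netmask code or the article's own: one parser drops leading zeros the way the bug does, the other treats a leading zero as octal the way inet_aton does, and a hardened filter simply refuses addresses with leading-zero octets instead of guessing. Sample addresses are constructed; the rejection rule is this example's assumption, not something the article prescribes.

```python
import ipaddress
import re

def parse_octet_lenient(octet: str) -> int:
    """The buggy reading: leading zeros are ignored, so '0127' -> 127."""
    return int(octet, 10)

def parse_octet_strict(octet: str) -> int:
    """The inet_aton reading: a leading '0' marks octal, so '0127' -> 0o127 == 87."""
    if len(octet) > 1 and octet.startswith("0"):
        return int(octet, 8)
    return int(octet, 10)

def to_ipv4(addr: str, parse_octet) -> ipaddress.IPv4Address:
    """Build an IPv4Address from a dotted quad using the given octet parser."""
    fields = addr.split(".")
    if len(fields) != 4:
        raise ValueError("expected a dotted quad")
    octets = [parse_octet(f) for f in fields]
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError("octet out of range")
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))

def is_blocked(addr: str) -> bool:
    """Hardened request filter: an octet with a leading zero is ambiguous
    (different libraries read it differently), so reject it outright;
    otherwise block loopback, private, link-local and reserved ranges."""
    if re.search(r"(^|\.)0\d", addr):
        return True
    ip = ipaddress.IPv4Address(addr)
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved

if __name__ == "__main__":
    # Constructed samples: the ambiguous address from the write-up, the
    # loopback it is mistaken for, and an ordinary public address.
    for sample in ("0127.0.0.01", "127.0.0.1", "8.8.8.8"):
        try:
            lenient = to_ipv4(sample, parse_octet_lenient)
            strict = to_ipv4(sample, parse_octet_strict)
            print(f"{sample:>12}: lenient={lenient} strict={strict} "
                  f"blocked={is_blocked(sample)}")
        except ValueError as exc:
            print(f"{sample:>12}: rejected ({exc})")
```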
Ministry of Health launches sweeping review of Covid-19 vaccine booking systems
The whistle-blower, who uncovered a privacy breach within the Canterbury District Health Board (DHB) system, has told Stuff the issue was not a “coding error” but incompetence.
“It is not a coding error. It is incompetence. The developer who developed this is incompetent ... This is basic stuff.”
The JavaScript ecosystem is 'hopelessly fragmented'... so here is another runtime: Deno
Dahl and Belder claimed the server-side JavaScript ecosystem (which is dominated by Node.js) is "hopelessly fragmented, deeply tied to bad infrastructure, and irrevocably ruled by committees without the incentive to innovate." Server-side JavaScript has not kept pace with the browser platform, they said.
Michael Dawson, Node.js lead for Red Hat and IBM and a member of the Technical Steering Committee, told us in October: "All projects are going to end up with some legacy, it's the price of success that you can't go back and just change all those things." As you would expect, though, Dawson takes the line that Node should be improved rather than replaced.
Mozilla Firefox tweaks Referrer Policy to shore up user privacy
Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers "to prevent sites from accidentally leaking sensitive user data."
"Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience," Firefox says.
This developer created the fake programming language MOVA to catch out naughty recruiters
MOVA was intended to be vaporware. Its reason for being, back during the dot-com boom of the late 1990s, was to weed out recruiters and job applicants, who were overabundant at the time.
"We got a couple [people who mentioned MOVA]," said Holden. "It wasn't necessarily in writing. Sometimes a headhunter or candidate would mention it. They'd say they dabbled in MOVA but I didn't know it that well."