Goodbye again, Flash—Microsoft makes removal from Windows 10 mandatory

Found on Ars Technica on Wednesday, 19 May 2021
Browse Software

Microsoft, Apple, Google, Mozilla, and even Adobe itself have all deprecated Adobe Flash technology, which reached end of life on January 1 of this year. This July, Microsoft is taking things one step further—KB4577586, aka Update for Removal of Adobe Flash Player, will become mandatory for all versions of Windows 10.

Not one day too late.

Signal Founder Cracks Cellebrite Phone Hacking Device, Finds It Full Of Vulns

Found on Techdirt on Monday, 17 May 2021
Browse Software

"By a truly unbelievable coincidence, I was recently out for a walk when I saw a small package fall off a truck ahead of me. As I got closer, the dull enterprise typeface slowly came into focus: Cellebrite. Inside, we found the latest versions of the Cellebrite software, a hardware dongle designed to prevent piracy (tells you something about their customers I guess!), and a bizarrely large number of cable adapters."

One DLL used to handle extracted video content hasn't been updated since 2012, ignoring more than 100 patches that have been made available since then.

Further inspection of Cellebrite's software also shows the company has ported over chunks of Apple's proprietary code intact and is using it to assist in iPhone extractions.

Very strange coincidences can happen sometimes.

Firefox 88 Enables JavaScript Embedded In PDFs By Default 100

Found on Slashdot on Saturday, 15 May 2021
Browse Software

In addition to the other weird things PDF files can contain, one of them is JavaScript. Putatively offered as a way to create self-validating forms, this scripting capability has been abused over the decades in just about every way you can imagine. Firefox's built-in viewer, although it has apparently had the ability to execute embedded JS for some time, never turned that feature on, making it a safe(r) way to open PDFs... Until now.

To turn off JavaScript execution in PDFs: Enter about:config in the address bar; click "I'll be careful." In the search box near the top, enter pdfjs.enableScripting. Change the setting to False. Close the page.

Sweet. Quietly opening a security hole. Thank you Mozilla.

CloudLinux Launches AlmaLinux, CentOS Linux clone

Found on ZD Net on Saturday, 24 April 2021
Browse Software

CentOS co-founder, Gregory Kurtzer, announced he'd create his own RHEL clone and CentOS replacement: Rocky Linux. Then, on Rocky's heels, commercial CentOS distributor CloudLinux announced it would create its own new CentOS clone, Lenix. Now, under a new name, AlmaLinux OS is here with its first release.

Now let's hope for Rocky.

Free software becomes a standard in Dortmund, Germany

Found on Document Foundation on Wednesday, 21 April 2021
Browse Software

With this resolution, city policy takes on the shaping of municipal digital sovereignty and digital participation. The resolution means a reversal of the burden of proof in favor of open source software – and at the expense of proprietary software. In the future, the administration will have to justify why open source software cannot be used for every proprietary software application. Based on the report of the Dortmund city administration on the investigation of the potentials of free software and open standards, open source software is understood in the sense of free software.

Let's hope that works better than Munich's Limux.

Critical Flaw Found In Widely Used Netmask Open Source Module

Found on Security Ledger on Monday, 19 April 2021
Browse Software

The vulnerability was discovered while doing work to fix another vulnerability in a widely used NPM library known as Private IP. That module, which was also widely used by open source developers, enables applications to block request forgery attacks by filtering out attempts to access private IP4 addresses and other restricted IP4 address ranges, as defined by ARIN.

The IP4 address 0127.0.0.01 should be evaluated as the public IP address as the octal string “0127” is the same as the integer “87.” However, netmask reads the address as, a trusted, localhost address. Treating an untrusted public IP address as a trusted private IP address opens the door to local- and remote file inclusion (LFI/RFI) attacks, in which a remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks.

They used NPM, that's already the first problem.

Ministry of Health launches sweeping review of Covid-19 vaccine booking systems

Found on Stuff on Sunday, 18 April 2021
Browse Software

The whistle-blower, who uncovered a privacy breach within the Canterbury District Health Board (DHB) system, has told Stuff the issue was not a “coding error” but incompetence.

“It is not a coding error. It is incompetence. The developer who developed this is incompetent ... This is basic stuff.”

Sadly, a lot of sourcecode is like that. Quickly cobbled together with virtual duct-tape by self-proclaimed developers.

The JavaScript ecosystem is 'hopelessly fragmented'... so here is another runtime: Deno

Found on The Register on Tuesday, 13 April 2021
Browse Software

Dahl and Belder claimed the server-side JavaScript ecosystem (which is dominated by Node.js) is "hopelessly fragmented, deeply tied to bad infrastructure, and irrevocably ruled by committees without the incentive to innovate." Server-side JavaScript has not kept pace with the browser platform, they said.

Michael Dawson, Node.js lead for Red Hat and IBM and a member of the Technical Steering Committee, told us in October: "All projects are going to end up with some legacy, it's the price of success that you can't go back and just change all those things." As you would expect, though, Dawson takes the line that Node should be improved rather than replaced.

It's all just a useless pile of junk; unless you want to have code from random people somewhere on this planet to be included in your business critical projects.

Mozilla Firefox tweaks Referrer Policy to shore up user privacy

Found on ZD Net on Wednesday, 07 April 2021
Browse Software

Firefox 87, due to ship on March 23, will cut back on path and query string information from referrer headers "to prevent sites from accidentally leaking sensitive user data."

"Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience," Firefox says.

If only Firefox would stop collecting more and more information itself.

This developer created the fake programming language MOVA to catch out naughty recruiters

Found on The Register on Thursday, 25 March 2021
Browse Software

MOVA was intended to be vaporware. Its reason for being, back during the dot-com boom of the late 1990s, was to weed out recruiters and job applicants, who were overabundant at the time.

"We got a couple [people who mentioned MOVA]," said Holden. "It wasn't necessarily in writing. Sometimes a headhunter or candidate would mention it. They'd say they dabbled in MOVA but I didn't know it that well."

They shuld have asked for a "Hello World" example in MOVA.