This Week in Tech 617: Ask for the Camel With TWO Humps

WWDC is tomorrow! What will Apple announce? A Siri Speaker, perhaps? Google will update Chrome to block annoying ads, but what will count as “annoying?” Where did Microsoft go wrong? One word: Vista. The US Supreme Court decides that patent rights end at sale.


Google kills the Chrome app launcher on Windows, Mac, and Linux | PCWorld

By   | PCWorld

Google’s attempted invasion of the Windows desktop is now officially over. The Chrome-maker recently announced that the Chrome app launcher will be removed from Windows, Mac, and Linux in July, though it’ll stick around in Chrome OS. Google says it’s dumping the app launcher in the name of streamlining the browser after discovering that most Chrome users “prefer to launch their apps from within Chrome.”

The app launcher was one of three Chrome browser features that appeared to be specifically designed to turn Chrome into a “platform within a platform” on Windows. In addition to the app launcher—which sat in the taskbar and allowed users to fire up Chrome apps just like a normal desktop program, miming Windows Start menu functionality—Google killed Chrome’s notification center in October. That feature was replaced with native web push notifications, a standardized feature that sites can use across all browsers.

Beyond those two features, Google also created a modern UI version of the browser for Windows 8 that essentially put Chrome OS inside Windows. Microsoft’s decision to do away with Windows 8’s ill-advised dual UI for a more traditional desktop in Windows 10 killed Google’s attempt at “Chrome OS for Windows.”

The impact on you at home: If you’re one of the few fans of Chrome’s app launcher, Google may still provide a way for you to launch Chrome apps from the taskbar. Right now, you can create a desktop shortcut for Chrome apps by typing chrome://apps into the Omnibox, right-clicking an app, and then selecting Create shortcuts. The shortcut can then be dragged from the desktop onto the taskbar. We’re confirming with Google that this functionality will remain once the app launcher goes away and will update this story should the company respond.

Chrome to drop support for Windows XP, Windows Vista, and older Mac OS X versions in 2016

By | Neowin

Google Chrome, by some estimates the world’s third most popular desktop web browser, will cease to support older versions of Microsoft’s Windows and Apple’s OS X operating systems.

In a recent blog post, Google announced that it intends to discontinue support for Chrome on Windows XP, Windows Vista, and Mac OS X versions 10.6, 10.7, and 10.8 by April 2016 because “these platforms are no longer actively supported by Microsoft and Apple.” Google did not release a specific date for when it intends to discontinue support.

The recent blog post follows the company’s previous announcement made earlier this year that it would continue to support Windows XP by providing updates to its Chrome web browser in spite of Microsoft’s discontinuation of support for that operating system in 2014. Google stated that this was because Windows XP had substantial market share.

While Microsoft intends to support Windows Vista until April 11, 2017, Google’s previous reprieve for Windows XP clarifies its recent decision to discontinue support for Chrome on Windows Vista before that date: the operating system does not have substantial market share.

Google notes that current versions of Chrome “will continue to function on these platforms” after support for Chrome is discontinued, but the company encourages users to upgrade to newer operating systems so that they may continue to use the latest versions of the web browser.

Chrome 42 is out now, includes push notifications that can ping you even after you close the browser

Chrome 42 has graduated to a stable release and is now available to download for Windows, Mac and Linux. In addition to the usual list of security fixes (45 in total) and under-the-hood changes for stability and performance, Google’s latest release includes its new Push API and Notifications API.

Together, these two new APIs allow websites to send notifications to web surfers even after they’ve closed or navigated away from said site. Obviously, there’s a fine line between being useful and obtrusive when dealing with notifications. Fortunately, Google mandates that developers must acquire consent for permission to use the Push API.

Once permission has been granted, developers are free to use Google Cloud Messaging together with a service worker to display said notification.

As an example of how the new APIs could be used, imagine you’ve bid on something on eBay. Afterwards, you navigate away or close the browser window completely. If you are outbid on the item, you could get a notification on your desktop letting you know right away.

A number of the security fixes in Chrome 42 were found by security researchers through Google’s bounty program. Their awards (when applicable) are listed alongside the security fixes on the Chrome Release Blog if you want to check them out.

In the event your browser doesn’t automatically download and install Chrome 42 via the automatic update mechanism, you can snag the Windows version by clicking here (Mac and Linux versions here and here, respectively).

via Chrome 42 is out now, includes push notifications that can ping you even after you close the browser – TechSpot.

Fully patched versions of Firefox, Chrome, IE 11 and Safari exploited at Pwn2Own hacking competition

As in years past, the latest patched versions of the most popular web browsers around stood little chance against those competing in the annual Pwn2Own hacking competition. The usual suspects – Apple Safari, Google Chrome, Mozilla Firefox and Microsoft Internet Explorer – all went down during the two-day competition, earning researchers a collective total of $557,500 in prize money.

The event, which took place at the CanSecWest conference in Vancouver, was sponsored by the Hewlett-Packard Zero Day Initiative. During the first day, HP awarded $317,500 to researchers that exploited flaws in Adobe Flash, Adobe Reader, Internet Explorer and Firefox.

eWeek notes that the first reward, paid to a hacker by the name of ilxu1a, was for an out-of-bounds memory vulnerability in Firefox. It took less than a second to execute which earned him a cool $15,000.

Firefox was exploited twice during the event. Daniel Veditz, principal security engineer at Mozilla, said the foundation was on hand during the event to get the bug details from HP. Engineers are already working on a fix back at home, he added, that could be ready as early as today.

Another security researcher, JungHoon Lee, managed to demonstrate exploits against Chrome, IE 11 and Safari. As you can imagine, he walked away with quite a bit of money: $75,000 for the Chrome bug, $65,000 for IE and $50,000 for the Safari vulnerability. He also received two bonuses totaling $35,000.


via Fully patched versions of Firefox, Chrome, IE 11 and Safari exploited at Pwn2Own hacking competition – TechSpot.

Chrome security update warns against sneaky software downloads as well as malware

Google is adding a new warning to Chrome in its continuing efforts to protect users from harmful actors on the web. The new red flag for Google’s browser warns you when you’re about to visit a site that encourages users to download harmful and unwanted software.

Chrome isn’t the only browser sending out warnings. Other browsers, such as Firefox, also warn about potentially harmful sites.

Google’s definition of unwanted programs isn’t just about malware, but also tricky programs that try to sneak onto your system. The search giant defines unwanted software as anything with dishonest behavior, such as piggybacking on the installation of another program, apps that are difficult to remove, and software that fails to live up to its advertised functionality. Even software that changes your homepage—a not uncommon occurrence—can qualify as unwanted software from Google’s point of view.

Chrome’s new harmful programs warning

The impact on you at home: Chrome users with the latest updates should start seeing the warnings pop up in Chrome when navigating to a site with harmful software downloads. The new pop-up is similar to warnings you get for sites that are malicious: a large red screen that tells you the site you’re about to visit might try and trick you into installing unwanted software. Users then have the choice to get more details (and presumably carry on aware of the risks) or return “to safety” at the Google homepage.

More than just browsers

In addition to the changes to Chrome, Google is also tackling unwanted software with other parts of its business. Google is working to filter deceptive sites from its search results. The company is also disabling ads that lead to sites offering unwanted software.

That last bit is particularly important, because advertising can often be a weak spot for malware delivery or leading people to questionable sites. In January, a “malvertising” attack using Google’s AdSense program automatically redirected users to bogus websites selling anti-aging and supposed “brain-enhancing” products.

The new Chrome security warnings join other security features, such as warnings about potentially harmful programs you’re about to download and sites known to deliver malware.


via Chrome security update warns against sneaky software downloads as well as malware | PCWorld.

‘Super cookies’ can track you even in private browsing mode, researcher says

If there’s one thing websites love to do it’s track their users. Now, it looks like some browsers can even be tracked when they’re in private or incognito mode. Sam Greenhalgh of U.K.-based RadicalResearch recently published a blog post with a proof-of-concept called “HSTS Super Cookies.” Greenhalgh shows how a crafty website could still track users online even if they’ve enabled a privacy-cloaking setting.

The key to the exploit is to use HTTP Strict Transport Security (HSTS) for something it wasn’t intended for. HSTS is a modern web feature that allows a website to tell a browser it should only connect to the site over an encrypted connection.

Say, for example, John types into his browser with HSTS enabled. SecureSite’s servers can then reply to John’s browser that it should only connect to SecureSite over HTTPS. From that point on, all connections to SecureSite from John’s browser will use HTTPS by default.

The problem, according to Greenhalgh, is that for HSTS to work your browser has to store the data about which sites it must connect to over HTTPS. But that data can be manipulated to fingerprint a specific browser. And because HSTS is a security feature most browsers maintain it whether you’re in private or normal mode—meaning that after your browser has been fingerprinted, you can be tracked even if your browser is in incognito mode.


Even under cover of incognito mode, HSTS Super Cookies still make browsers trackable.

When in private browsing or incognito mode (sometimes called “porn mode”) your browser won’t store data such as cookies and browsing history once the private browsing session has ended—unless it’s tricked into doing so by a Super Cookie.

The story behind the story: Although Greenhalgh’s blog post is gaining traction, people have been talking about the privacy and security trade-offs of HSTS for some time. The Chromium team, which creates the open source browser that Chrome is based on, discussed the issue as early as 2011. In 2012, security firm Leviathan published a blog post raising similar concerns, and Robert “RSnake” Hansen raised the issue on his blog in 2010.

Protecting yourself

Although this issue has been known for some time it’s not clear if any sites are actually using this weakness to track users. Regardless, you can protect yourself on Chrome by erasing your cookies before going into incognito mode. Chrome automatically flushes the HSTS database whenever you delete your cookies. Firefox does something similar, but Greenhalgh says the latest version of Firefox solved this issue by preventing HSTS settings from carrying over to private browsing modes.

Safari is a bigger problem, however, as there is apparently no obvious way to delete the HSTS database on Apple devices like the iPad or iPhone, Greenhalgh says. HSTS flags are also synced with iCloud, making HSTS Super Cookie tracking even more persistent (at least in theory) when using Apple hardware.

HSTS Super Cookies only appear to work if you first visit a site in a non-private mode. Anyone visiting a site for the first time in private mode will not carry over an HSTS super cookie to their regular browsing.

As for Internet Explorer users, the good news is you are completely protected from this type of tracking! Now for the bad news: It’s because IE doesn’t support HSTS at all.
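The carry-over behaviour described in this article can be modelled in a few lines. The sketch below is an added example, not Greenhalgh's proof-of-concept or any browser's code; the profile names, flags and the `site.example` host are assumptions that encode only what the article reports about each browser.

```python
import re
from dataclasses import dataclass, field

MAX_AGE = re.compile(r'(?i)(?:^|;)\s*max-age\s*=\s*"?(\d+)"?')

@dataclass
class Profile:  # hypothetical knobs, named for this sketch only
    supports_hsts: bool = True
    private_sees_normal: bool = True   # private mode reads the normal-mode store
    cookie_clear_flushes: bool = True  # deleting cookies also flushes HSTS

# Behaviour as reported in the article, not measured here.
PROFILES = {
    "chrome": Profile(),
    "firefox_latest": Profile(private_sees_normal=False),
    "safari_ios": Profile(cookie_clear_flushes=False),
    "ie": Profile(supports_hsts=False),
}

@dataclass
class Browser:
    profile: Profile
    normal: set = field(default_factory=set)   # persistent HSTS hosts
    private: set = field(default_factory=set)  # dropped when the private session ends

    def receive_sts(self, host, header, private=False):
        # Apply a Strict-Transport-Security header received over HTTPS.
        m = MAX_AGE.search(header)
        if not self.profile.supports_hsts or m is None:
            return  # no HSTS support, or no max-age directive
        store = self.private if private else self.normal
        if int(m.group(1)) > 0:
            store.add(host)
        else:
            store.discard(host)  # max-age=0 removes the entry

    def forces_https(self, host, private=False):
        if private and not self.profile.private_sees_normal:
            return host in self.private
        return host in self.normal or (private and host in self.private)

    def clear_cookies(self):
        if self.profile.cookie_clear_flushes:
            self.normal.clear()

    def end_private_session(self):
        self.private.clear()

def survives_into_private(name, clear_cookies_first=False):
    b = Browser(PROFILES[name])
    b.receive_sts("site.example", "max-age=31536000")  # constructed host and header
    if clear_cookies_first:
        b.clear_cookies()
    return b.forces_https("site.example", private=True)

def survives_into_normal(name):
    b = Browser(PROFILES[name])
    b.receive_sts("site.example", "max-age=31536000", private=True)
    b.end_private_session()
    return b.forces_https("site.example")
```

HSTS state set in normal mode is visible in a private session only for profiles that share the store, and a cookie clear removes it only where that clear also flushes HSTS.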

via ‘Super cookies’ can track you even in private browsing mode, researcher says | PCWorld.

Android passes iOS on the Web, Windows 8 still plateaued


Windows 8 and Internet Explorer, especially version 11, have been growing steadily since their release. But that growth came to a halt in June, and it didn’t pick up in July, with Microsoft’s new operating system in fact declining ever so slightly. But one battle that’s been raging for years has quietly seen a big change: Android’s presence on the Web has passed iOS’s.



The big desktop mover in July was Chrome, which is now up past 20 percent usage share. It gained a substantial 1.03 points, making big gains for two months in a row. Internet Explorer and Firefox both lost out, dropping 0.37 and 0.46 points respectively. Safari and Opera were also slightly down, falling by 0.12 and 0.06 points.



Safari has been on a downward trajectory for the better part of a year, as Android is making its presence felt on the Web. While Android has been consistently outselling iOS, this hasn’t been well reflected in Web data, suggesting perhaps a different usage pattern among Android buyers. But all those sales count for something. Apple’s browser is down 1.24 points. Android Browser is also down, falling 0.81 points, but Chrome is up a whopping 1.36 points, and the cross-platform Opera Mini is also up, gaining 0.8 points. Mobile Internet Explorer reached a new high, too, gaining 0.49 points in July.

The mobile operating system share (not graphed) is closely aligned with these browser numbers. iOS sits at 44.19 percent, compared to Android’s 44.62 percent, marking the first time (according to Net Market Share, the provider of the data we use) that Google’s operating system has passed Apple’s. Windows Phone is also at a new high, at 2.49 percent.




Internet Explorer 11’s growth seems to be well and truly at an end. In June it saw a negligible 0.02 point decline, but in July it was a little more pronounced, dropping 0.23 points. Internet Explorer 8, however, was up 0.31 points. While it does look as if every Internet Explorer 10 user who wants to upgrade to 11 has indeed made that switch, the decline likely represents a shift in Windows usage: Internet Explorer 8 is the version that’s preinstalled in Windows 7, and the newest version that’s available in the obsolete, unsupported, and insecure Windows XP…



… and as we can see, Windows 7 ticked upwards in July, and Windows XP refuses to disappear. More alarmingly, Windows 8.1 was very marginally down, dropping 0.05 points, and Windows 8.0 fell 0.01 points. Windows 7 was up 0.67 points, in contrast. Windows XP fell 0.49 points, so still a long way to go before that magnet for malware is off the Internet.


via: ArsTechnica

Google bets $2.7 million in Chrome hacking contest

Google says it will again host its Pwnium hacking contest at a Canadian security conference in March, putting $2.7 million at stake to draw researchers who can hack its browser-based operating system, Chrome OS.

Dubbed Pwnium 4, the challenge will again pit researchers against Chrome OS, but this year will let them choose between Intel- or ARM-powered laptops. In 2013, hackers had to try to crack a Chromebook with an Intel processor.

Prizes of $110,000 and $150,000 will again be awarded to individuals or teams who can hack the operating system, with the top dollar handed to those who deliver an exploit able to persistently compromise a Hewlett-Packard or Acer Chromebook—in other words, hijack the device so that it remains under their control even after a reboot.

Google capped the total up for grabs at $2.71828 million, giving multiple researchers a chance at prize money. The “2.71828” comes from a mathematical constant that is the base of the natural logarithm.

Mixed results last year

Last year Google put $3.14159 million in the pot—another nod to mathematics, as those are the first six digits of the value of Pi—but paid out just $40,000 to a prolific hacker who goes by “Pinkie Pie,” the contest’s sole participant, for what Google later called a partial exploit.

Google also said it would consider larger bonuses this year to researchers who demonstrated what it called a “particularly impressive or surprising exploit,” such as one that could circumvent kASLR (kernel Address Space Layout Randomization), a relatively new variant of the better-known ASLR anti-exploit technology used by Apple’s iOS and OS X, Microsoft’s Windows 8 and Chrome OS.

Even with bonuses in play, it’s unlikely that Google will end up spending anywhere close to $2.7 million this year.

To qualify for the prizes or bonuses, winners must provide functional exploit code and details on all the vulnerabilities put into play, as was the case last year.

Pwnium 4 will take place March 12 at CanSecWest, the Vancouver, British Columbia security conference known for another hacking contest, Pwn2Own, which last year was co-sponsored by HP’s Zero Day Initiative (ZDI) bug bounty program and Google. HP has not yet announced the details of its 2014 challenge.

The official rules for Pwnium 4 can be found on Google’s Chromium Security page.

via Google bets $2.7 million in Chrome hacking contest | PCWorld.

Chrome bug allows websites to continue listening to conversations after you close the tab


Do you use speech recognition in Google Chrome? If yes, here’s something to worry about. Developer Tal Ater has discovered a bug in Google’s popular browser that malicious websites, enabled for voice-recognition, could exploit to listen in on the conversation taking place around the computer without your knowledge.

The problem lies in Chrome’s microphone permissions policy. Once you allow an HTTPS website to access your microphone, every instance of the website (including pop-ups) has the same permission. To a user, it may seem as though a pop-up window is not doing anything evil, but in reality it could be transcribing everything they say.

In the demo, Ater closed the tab and continued talking, while a pop-up behind the main Chrome window kept on transcribing whatever he said. This pop-up was just for demonstration purposes. In reality, a pop-up could be disguised as a banner ad for example, and since Chrome does not show any visual indication that Speech Recognition is turned on in such windows, you might never know what’s actually happening.

Ater first reported the bug in September last year. Google acknowledged the loophole, nominated the bug for Chromium’s Reward Panel, and even fixed it. But the fix never made it to users’ desktops, which means that your Chrome browser is still vulnerable.

When asked, a Google spokesperson told The Verge: “we’ve re-investigated and still believe there is no immediate threat, since a user must first enable speech recognition for each site that requests it. The feature is in compliance with the current W3C standard, and we continue to work on improvements.”

This is yet another example of how technology is threatening privacy. Last month we reported research which revealed that it is possible for an individual or a government agency to remotely activate a built-in laptop webcam without the user knowing about it.

via Chrome bug allows websites to continue listening to conversations after you close the tab – TechSpot.