Microsoft

Microsoft Might Bring Its Edge Browser To Linux (zdnet.com)

Microsoft appears to be porting its Edge browser to Linux, reports ZDNet: "We on the MS Edge Dev team are fleshing out requirements to bring Edge to Linux, and we need your help with some assumptions," wrote Sean Larkin, a member of Microsoft's Edge team....

Chrome, of course, is already available for Linux, so Microsoft should be able to deliver Chromium-based Edge to Linux distributions with minimal fuss.... [I]n June Microsoft Edge developers said there are "no technical blockers to keep us from creating Linux binaries" and that it is "definitely something we'd like to do down the road". Despite Chrome's availability on Linux, the Edge team noted there is still work to be done on the installer, updaters, user sync, and bug fixes, before it could be something to commit to properly.

Slashdot reader think_nix shared a link to the related survey that the Edge team has announced on Twitter. "If you're a dev who depends on Linux for dev, testing, personal browsing, please take a second to fill out this survey."
Android

Attackers Exploit New 0-day Vulnerability Giving Full Control of Android Phones (arstechnica.com)

"Attackers are exploiting a zero-day vulnerability in Google's Android mobile operating system that can give them full control of at least 18 different phone models," reports Ars Technica, "including four different Pixel models, a member of Google's Project Zero research group said on Thursday night." The post also says there's evidence the vulnerability is being actively exploited.

An anonymous reader quotes Ars Technica: Exploits require little or no customization to fully root vulnerable phones. The vulnerability can be exploited two ways: (1) when a target installs an untrusted app or (2) for online attacks, by combining the exploit with a second exploit targeting a vulnerability in code the Chrome browser uses to render content. "The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device," Stone wrote. "If the exploit is delivered via the Web, it only needs to be paired with a renderer exploit, as this vulnerability is accessible through the sandbox...."

Google representatives wrote in an email: "Pixel 3 and 3a devices are not vulnerable to this issue, and Pixel 1 and 2 devices will be protected with the October Security Release, which will be delivered in the coming days. Additionally, a patch has been made available to partners in order to ensure the Android ecosystem is protected against this issue."

The use-after-free vulnerability originally appeared in the Linux kernel and was patched in early 2018 in version 4.14, without the benefit of a tracking CVE. That fix was incorporated into versions 3.18, 4.4, and 4.9 of the Android kernel. For reasons that weren't explained in the post, the patches never made their way into Android security updates.

Bug

Mysterious Mac Pro Shutdowns Likely Caused By Chrome Update (tomshardware.com)

A faulty Google Chrome update is likely to blame for the issue Monday that resulted in Mac Pro workstations being rendered unusable at a number of Hollywood studios. "We recently discovered that a Chrome update may have shipped with a bug that damages the file system on MacOS machines," the company wrote in a forum post. "We've paused the release while we finalize a new update that addresses the problem." Variety reports: Reports of Mac Pro workstations refusing to reboot started to circulate among video editors late Monday. At the time, the common denominator among impacted machines seemed to be the presence of Avid's Media Composer software. The issue apparently knocked out dozens of machines at multiple studios, with one "Modern Family" reporting that the show's entire editing team was affected. Avid's leadership updated users of its software throughout the day, advising them to back up their work and not to reboot their machines.

The real culprit was apparently a recent release of Google's Keystone software, which is included in its Chrome browser to automatically download updates of the browser. On computers that had Apple's System Integrity Protection disabled, the update corrupted the computer's file system, making it impossible to reboot. System Integrity Protection is an Apple technology that is meant to ensure that malicious software doesn't corrupt core system files. Google advised affected users on how to uninstall the Chrome update, and also suggested that most users may not be at risk at all. "If you have not taken steps to disable System Integrity Protection and your computer is on OS X 10.9 or later, this issue cannot affect you," the forum post reads. A possible connection to Chrome was first detailed on the Mr. Macintosh blog Tuesday afternoon.
As for why several Hollywood studios were hit the hardest, one theory suggests it's because many of the video editors had to disable System Integrity Protection in order to work with external audio and video devices that are common in professional editing setups.

Variety also suggests that the hardware dongles used for licensing Avid may have played some role in the shut-downs.
IOS

Apple Says a Bug May Grant 'Full Access' To Third-Party Keyboards By Mistake (techcrunch.com)

Apple is warning users of a bug in iOS 13 and iPadOS involving third-party keyboards. From a report: In a brief advisory posted Tuesday, the tech giant said the bug impacts third-party keyboards which have the ability to request "full access" permissions. iOS 13 was released last week. Both iOS 13.1 and iPadOS 13.1, the new software version for iPads, are out today. Third-party keyboards can either run as standalone, or with "full access" they can talk to other apps or get internet access for additional features, like spell check. But "full access" also allows the keyboard maker to capture to its servers keystroke data or anything you type -- like emails, messages or passwords. This bug, however, may allow third-party keyboards to gain full access permissions -- even if it was not approved.
Bug

Startups Are Using Insect Larvae To Produce Protein-Rich Ingredients For Animals (nytimes.com)

An anonymous reader quotes a report from The New York Times: AgriProtein is among a small number of start-ups that are using insect larvae to produce protein-rich ingredients for animal feed. This nascent industry could help feed a growing human population in a way that's less damaging to the environment. Protix opened one of the world's largest insect farms in June in the Netherlands, while other producers, including Enviroflight, Ynsect and AgriProtein, are building large facilities to turn billions of insects into animal protein every month. Large farming companies like Cargill and Wilbur-Ellis are also investing in this sector. By breeding insects in vertical farms, these companies can produce large amounts of feed in less space than traditional farms, their proponents say. Proponents say this industry makes sense from a biological standpoint because insects are part of the natural diet of many animals, especially chicken and fish.

Despite the possibilities, the insect protein industry faces many challenges. Regulatory hurdles have hampered its growth in Europe and the United States, where black soldier fly products can be used to feed poultry and some fish species but not other animals, and there is no regulatory approval for the use of other insect species for this purpose. But companies are confident that regulators in the United States will lift those restrictions soon.
The report notes that black soldier fly larvae are favored by the "insect protein" industry because they "can become 200 times bigger after eating organic waste for 10 days."
Programming

Do Coders Crave a Sense of Control? (stackoverflow.blog)

This week Stack Overflow's CEO/founder Joel Spolsky spoke to Clive Thompson, the tech journalist who just published the new book Coders: the Making of a New Tribe and the Remaking of the World. "It's a sort of ethnographic history of this particular tribe," explains a blog post at Stack Overflow, "examining how software developers fit into the world of business and culture and how their role in society has shifted in recent decades.

"The official conversation kicked off after a 15-minute tangent on Joel's collection of Omni magazine and the formative role this publication had for both men." Some excerpts: Clive: The question in my mind is, who is interested in this? What gets them bit by the bug so they are willing to crawl over all the broken glass that is the daily work.

Joel: In my time, it was the absolute control. Whatever code you wrote, that's what executed. There was no translation. It wasn't like, well the flour was kind of old, and I tried to make the souffle but it collapsed. Unlike so many things you will try to accomplish as a child or an adult, where you work on something but it doesn't turn out as you expect it to, with code it will do exactly what you told it. Even if that's not what you meant. You might suddenly realize you're obeying me to the point of making me angry.

Clive: The monkey's paw thing. I shouldn't have wished for that.

Joel: But the computer is still being completely obedient.

Clive: That thrill is a common thread I found in my research, from the 1960s through today. I will talk to people in their 80s who worked on machines the size of an entire room, and it's the same damn thing talking to a 15-year-old girl at an afterschool program working on a raspberry pi or P5. There is something unique about the micro-world that is inside the machine, qualitatively different from our real world.

Joel: It's sort of utopian. Things behave as they are supposed to. The reason I put a question mark on that, as programmers move higher and higher up the abstraction tree, that kinda goes away.

Clive: I think the rise of machine learning is an interesting challenge to the traditional craft of software development. Some of the people I spoke with for the book aren't interested in it because they don't like the idea of working with these indeterminate training systems... there is something unsettling about not really knowing what's going on with what you're building.

Joel: I just picked up Arduino a year ago and that was enormously fun because it was like going back to C, instead of all these fancy high-level languages where you don't know what they are going to do. It offered a really detailed level of control. If something doesn't work, you can figure it out, because everything is tractable.

They also discussed the future of coding -- and took a fond look back at its past. Spolsky remembers his first exposure to computers was an interactive terminal system connected to a mainframe that ran FORTRAN, BASIC, and PL/I programs. "Many, many years later I realized there was no way they had enough memory for three compilers and in fact what they had was a very simple pre-processor that made Basic, FORTRAN, and PL/I all look like the same mush.

"It was a very crappy subset of each of those three languages."
Debian

Debian May Need To Re-Evaluate Its Interest In 'Init System Diversity' (phoronix.com)

"Debian Project Leader Sam Hartman has shared his August 2019 notes where he outlines the frustrations and issues that have come up as a result of init system diversity with some developers still aiming to viably support systemd alternatives within Debian," reports Phoronix: Stemming from elogind being blocked from transitioning to testing and the lack of clarity into that, Hartman was pulled in to try to help mediate the matter and get to the bottom of the situation with a lack of cooperation between the elogind and systemd maintainers for Debian as well as the release team. Elogind is used by some distributions as an implementation of systemd's logind, well, outside of systemd as a standalone daemon. Elogind is one of the pieces to the puzzle for trying to maintain a modern, systemd-free Linux distribution.

Various issues were raised that are trying to be worked through albeit many Debian developers face time limitations and other factors like emotional exhaustion. Hartman noted in his August notes, "I think we may be approaching a point where we need to poll the project -- to have a GR and ask ourselves how committed we are to the different parts of this init diversity discussion. Reaffirming our support for sysvinit and elogind would be one of the options in any such GR. If that option passed, we'd expect all the maintainers involved to work together or to appoint and empower people who could work on this issue. It would be fine for maintainers not to be involved so long as they did not block progress. And of course we would hold the discussions to the highest standards of respect."

Operating Systems

Latest Lakka Release On Raspberry Pi 4 Showcases Great Retro Gaming (hothardware.com)

MojoKid writes: Lakka with RetroArch is one of the most comprehensive open-source retro-gaming console front ends available, with support for a wide array of single-board computers and multiple operating systems. Although the more powerful Raspberry Pi 4 was released months ago, the developers of Lakka had a number of bugs to contend with that prevented an official stable release, until yesterday. Lakka 2.3 (with RetroArch 1.7.8) is available now though, and it appears to leverage the additional horsepower of the Pi 4 quite well. It's even able to play some of the more demanding Sega Dreamcast and Saturn games -- among many other retro-consoles, like the Atari 2600, SuperNES, and many others. In addition to the Pi 4, this latest Lakka release also adds support for the ROCKPro64 and incorporates a wide range of bug fixes and feature enhancements.
IOS

iOS 13 Ships With Known Lockscreen Bypass Flaw That Exposes Contacts (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Apple released iOS 13 with a bunch of new features. But it also released the new OS with something else: a bug disclosed seven days ago that exposes contact details without requiring a passcode or biometric identification first. Independent researcher Jose Rodriguez published a video demonstration of the flaw exactly one week ago. It can be exploited by receiving a FaceTime call and then using the voiceover feature from Siri to access the contact list. From there, an unauthorized person could get names, phone numbers, email addresses, and any other information stored in the phone's contacts list. An Apple representative told Ars the bypass will be fixed in iOS 13.1, scheduled for release on Sept. 24.
IOS

Apple's iOS 13 Just Launched But iOS 13.1, iPadOS Arrive Next Week (cnet.com)

Apple's latest iPhone software, iOS 13, is now available -- but on Tuesday, you'll already be able to download the first update, iOS 13.1. And you'll be able to revitalize your iPad with Apple's software created for its tablets. From a report: Apple may be best known for its hardware, but it's really the seamless integration of its devices with its software that's set it apart from rivals. The company's ability to control every aspect of its products -- something that began when Steve Jobs and Steve Wozniak founded Apple in 1976 -- has been key in making Apple the most powerful company in tech. The company's mobile software, iOS, gets revamped every year and launches when its latest phones hit the market. Starting Tuesday, you'll also be able to download the first update to the software, as well as the new iPadOS software tailored for Apple's tablets. iOS 13 brings a dedicated dark mode, a new swipe keyboard and a revamped Photos app (complete with video editing tools). iOS 13.1 will bring bug fixes and will let you share your ETA with friends and family members through Apple Maps. Siri shortcuts can be added to automations, and you can set up triggers to run any shortcut automatically.
Security

Researchers Uncover 125 Vulnerabilities Across 13 Routers and NAS Devices (helpnetsecurity.com)

Independent Security Evaluators (ISE) discovered a total of 125 different security vulnerabilities across 13 IoT devices, likely affecting millions of consumers. Help Net Security reports: In nearly all the devices (12 of the 13), ISE achieved its goal of obtaining remote root-level access. The table below shows the types of vulnerabilities that ISE identified in the targets. All 13 of the devices evaluated by ISE had at least one web application vulnerability such as cross-site scripting (XSS), operating system command injection (OS CMDi), or SQL injection (SQLi) that could be leveraged by an attacker to get remote access to the device's shell or gain access to the device's administrative panel. ISE obtained root shells on 12 of the devices, allowing complete control over the device.

Six of them can be remotely exploited without authentication: the Asustor AS-602T, Buffalo TeraStation TS5600D1206, TerraMaster F2-420, Drobo 5N2, Netgear Nighthawk R9000, and TOTOLINK A3002RU. "We found that many of these issues were trivial to exploit and should have been discovered even in a rudimentary vulnerability assessment," says ISE founder Stephen Bono. "This indicates that these manufacturers likely undergo no such assessment whatsoever, that the bug bounty programs they employ are ineffective, that vulnerability disclosures sent to them are not addressed, or more likely, all of the above."
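The OS command injection ISE lists is, on routers and NAS boxes, almost always the "diagnostic" page that pings or traceroutes a user-supplied host. The Python below is an added example, not ISE's or any vendor's code: a hypothetical handler in its vulnerable form beside a hardened one, with `echo` standing in for `ping` so it runs offline (the injection behaves identically with ping), and a constructed attacker input.

```python
import ipaddress
import re
import subprocess

# Hypothetical "network diagnostic" handler of the kind found on consumer
# routers and NAS boxes. `echo` replaces `ping` so the example runs offline;
# the injection works the same way when the real command is ping.

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def diag_vulnerable(host: str) -> str:
    """Builds a shell command line from user input: OS command injection."""
    # shell=True hands the whole string to /bin/sh, so ';', '|', '$(...)' in
    # `host` are parsed as shell syntax rather than as part of a hostname.
    result = subprocess.run(f"echo pinging {host}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def validate_host(host: str) -> str:
    """Allow-list: an IPv4/IPv6 literal or a syntactically valid DNS name."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host argument: {host!r}")


def diag_hardened(host: str) -> str:
    """Validates the input and passes it as one argv element, with no shell."""
    safe = validate_host(host)
    # argv list + shell=False: the host reaches the program as a single
    # argument, so shell metacharacters carry no meaning even if the
    # allow-list above were ever bypassed.
    result = subprocess.run(["echo", "pinging", safe],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    payload = "8.8.8.8; id"          # constructed attacker input
    print(diag_vulnerable(payload))  # second line is the output of `id`
    try:
        diag_hardened(payload)
    except ValueError as err:
        print(err)
    print(diag_hardened("8.8.8.8"), end="")
```

Two independent layers matter here: the allow-list rejects the payload outright, and the argv form means that even a validation mistake cannot turn the argument into extra commands. On a device whose web server runs as root, which ISE found to be the norm, the vulnerable form is a one-request root shell.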

The Internet

The Internet Relies on People Working for Free (medium.com)

Who should be responsible for maintaining and troubleshooting open-source projects? From a report: When you buy a product like Philips Hue's smart lights or an iPhone, you probably assume the people who wrote their code are being paid. While that's true for those who directly author a product's software, virtually every tech company also relies on thousands of bits of free code, made available through "open-source" projects on sites like GitHub and GitLab. Often these developers are happy to work for free. Writing open-source software allows them to sharpen their skills, gain perspectives from the community, or simply help the industry by making innovations available at no cost. According to Google, which maintains hundreds of open-source projects, open source "enables and encourages collaboration and the development of technology, solving real-world problems."

But when software used by millions of people is maintained by a community of people, or a single person, all on a volunteer basis, sometimes things can go horribly wrong. The catastrophic Heartbleed bug of 2014, which compromised the security of hundreds of millions of sites, was caused by a problem in an open-source library called OpenSSL, which relied on a single full-time developer not making a mistake as they updated and changed that code, used by millions. Other times, developers grow bored and abandon their projects, which can be breached while they aren't paying attention. It's hard to demand that programmers who are working for free troubleshoot problems or continue to maintain software that they've lost interest in for whatever reason -- though some companies certainly try. Not adequately maintaining these projects, on the other hand, makes the entire tech ecosystem weaker. So some open-source programmers are asking companies to pay, not for their code, but for their support services. Daniel Stenberg is one of those programmers. He created cURL, one of the world's most popular open-source projects.

Security

Password-Leaking Bug Purged From LastPass Extensions (arstechnica.com)

Developers of the LastPass password manager have patched a vulnerability that made it possible for websites to steal credentials for the last account the user logged into using the Chrome or Opera extension. Ars Technica reports: The vulnerability was discovered late last month by Google Project Zero researcher Tavis Ormandy, who privately reported it to LastPass. In a write-up that became public on Sunday, Ormandy said the flaw stemmed from the way the extension generated popup windows. In certain situations, websites could produce a popup by creating an HTML iframe that linked to the Lastpass popupfilltab.html window, rather than through the expected procedure of calling a function called do_popupregister(). In some cases, this unexpected method caused the popups to open with a password of the most recently visited site. "Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab," Ormandy wrote. "That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab."

On Friday, LastPass published a post that said the bugs had been fixed and described the "limited set of circumstances" required for the flaws to be exploited. "To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times," LastPass representative Ferenc Kun wrote. "This exploit may result in the last site credentials filled by LastPass to be exposed. We quickly worked to develop a fix and verified the solution was comprehensive with Tavis."

Security

LastPass Bug Leaks Credentials From Previous Site (zdnet.com)

Password manager LastPass released an update last week to fix a security bug that exposes credentials entered on a previously visited site. From a report: The bug was discovered last month by Tavis Ormandy, a security researcher with Project Zero, Google's elite security and bug-hunting team. LastPass, believed to be the most popular password manager app today, fixed the reported issue in version 4.33.0, released last week, on September 12. If users have not enabled an auto-update mechanism for their LastPass browser extensions or mobile apps, they're advised to perform a manual update as soon as possible. This is because yesterday, Ormandy published details about the security flaw he found. The security researcher's bug report walks an attacker through the steps necessary to reproduce the bug.
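The pattern behind both LastPass stories above is a per-tab cache that records which page last asked for a fill and is then trusted on the next fill even when the fill UI was reached some other way (here, an iframe that skips registration). The Python below is an added example, not LastPass's code: a small model of that logic in its flawed and hardened forms. The class and method names, the sample vault and the scenario are assumptions chosen to mirror the functions Ormandy names; the hardened variant (single-use entries checked against the requesting frame's origin) is one reasonable fix, not necessarily the one LastPass shipped.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Credential:
    site: str
    username: str
    password: str


# Constructed sample vault, keyed by site origin.
VAULT: Dict[str, Credential] = {
    "bank.example": Credential("bank.example", "alice", "hunter2"),
    "forum.example": Credential("forum.example", "alice", "qwerty"),
}


class FillVulnerable:
    """Models the flawed pattern: a per-tab cache of the last registered page
    origin, trusted on every later fill whether or not the fill popup was
    opened through the registration path."""

    def __init__(self) -> None:
        self.popup_url_by_tabid: Dict[int, str] = {}

    def popup_register(self, tab_id: int, page_origin: str) -> None:
        # Expected path: the extension's own UI records which page asked.
        self.popup_url_by_tabid[tab_id] = page_origin

    def popup_fill(self, tab_id: int, requesting_origin: str) -> Optional[Credential]:
        # Bug: requesting_origin is never consulted. A page that embeds the
        # fill UI in an iframe skips popup_register, so the stale cached
        # origin for this tab decides which credential is handed out.
        cached = self.popup_url_by_tabid.get(tab_id)
        return VAULT.get(cached) if cached else None


class FillHardened:
    """Cache entries are single-use and must match the origin of the frame
    that actually requests the fill."""

    def __init__(self) -> None:
        self.pending: Dict[int, str] = {}

    def popup_register(self, tab_id: int, page_origin: str) -> None:
        self.pending[tab_id] = page_origin

    def popup_fill(self, tab_id: int, requesting_origin: str) -> Optional[Credential]:
        expected = self.pending.pop(tab_id, None)  # consumed on first use
        if expected is None or expected != requesting_origin:
            return None  # unregistered or mismatched frame: fill nothing
        return VAULT.get(expected)


def clickjack_scenario(model) -> Optional[Credential]:
    """Same tab: a legitimate fill on bank.example, then a malicious page
    hosts the fill UI in an iframe and tricks the user into clicking it."""
    tab = 7
    model.popup_register(tab, "bank.example")
    assert model.popup_fill(tab, "bank.example") == VAULT["bank.example"]
    # Navigation to attacker.example in the same tab; no registration happens.
    return model.popup_fill(tab, "attacker.example")


if __name__ == "__main__":
    print("vulnerable:", clickjack_scenario(FillVulnerable()))
    print("hardened:  ", clickjack_scenario(FillHardened()))
```

The general lesson is that a cache keyed only by tab id is not an authorization input: anything that decides which secret to release must be bound to the origin of the frame making the request, and it should not survive past the request it was created for.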
Firefox

Mozilla Launches Paid Premium Support for Enterprise Customers (neowin.net)

Mozilla has quietly launched a new product for enterprise customers: the ability to buy paid premium support for Firefox. From a report: The premium enterprise support for Firefox costs $10 per supported installation and offers customers the ability to submit bugs privately, get critical security bug fixes, get access to a private customer portal, get access to the enterprise critical issues distribution list, and have the ability to contribute to Firefox and its roadmap. According to Mozilla, it will support Firefox installations as long as they are running on machines that meet the system requirements. Windows, Mac, and Linux based operating systems are listed in the systems requirements so all platforms should be covered by the premium support.
Windows

New Windows 10 Update Bugs Include Orange Screenshots (mspoweruser.com)

An anonymous reader quotes MS Poweruser: Microsoft's latest Cumulative Update KB4512941 for Windows 10 May 2019 Update (1903) may be Microsoft's buggiest yet, with the update already known for being plagued with high CPU usage bugs* and crippled search.

Now reports of a new bug are filtering in, with users reporting that their screenshots all have an orange tint, no matter which method or app they use to take them.

The issue appears to be related to older video drivers, as updating drivers (or uninstalling KB4512941) appears to fix this problem.

* Microsoft has told Forbes that the spike in CPU usage "only occurs on devices that have disabled searching the web using Windows Desktop Search" -- and that they're planning to release a fix for this update-related bug in mid-September.
Google

Chrome OS Bug Started Mistakenly Sending 'Final Update' Notifications (9to5google.com)

An anonymous reader quotes 9to5Google: Like it or not, Chromebooks do have something of an expiration date when you purchase them, namely that one day they'll stop receiving updates. Thankfully, that date is typically over five years after the Chromebook's original release. For some, however, Chrome OS has been wrongly indicating this week that their Chromebook has received its "final update" many years too early.

Just like the Chrome browser on desktop and Android, Chrome OS has four different update "channels" -- Stable, Beta, Dev, and Canary. Each one of these after Stable trades a level of stability for more rapid updates, with Canary receiving highly unstable updates almost every day. People who are bold enough to put their Chromebook on Dev or Canary have been facing an interesting new issue for the past few days. Upon restarting their device, Chrome OS immediately displays a notification warning that "this is the last automatic software and security update for this Chromebook." Of course, if you're seeing this message this week, there's a decent chance that this is not actually the case.

Instead, these final update warnings are caused by a bug in the most recent versions of Chrome OS.

Power

Spring Cyberattack on US Power Grid 'Probably Just Some Script Kiddie' (eenews.net)

The electric utility non-profit NERC has posted a "Lessons Learned" document detailing a March 5th incident that Environment & Energy News calls "a first-of-its-kind cyberattack on the U.S. grid". While it didn't cause any blackouts -- it was at a "low-impact" control center -- NERC is now warning power utilities to "have as few internet facing devices as possible" and to use more than just a firewall for defense.

puddingebola shared this report from Environment & Energy News: The cyberthreat appears to have been simpler and far less dangerous than the hacks in Ukraine. The March 5 attack hit web portals for firewalls in use at the undisclosed utility. The hacker or hackers may not have even realized that the online interface was linked to parts of the power grid in California, Utah and Wyoming. "So far, I don't see any evidence that this was really targeted," said Reid Wightman, senior vulnerability analyst at industrial cybersecurity firm Dragos Inc. "This was probably just an automated bot that was scanning the internet for vulnerable devices, or some script kiddie," he said, using a term for an unskilled hacker...

In the March episode, a flaw in the victim utility's firewalls allowed "an unauthenticated attacker" to reboot them over and over again, effectively breaking them. The firewalls served as traffic cops for data flowing between generation sites and the utility's control center, so operators lost contact with those parts of the grid each time the devices winked off and on. The glitches persisted for about 10 hours, according to NERC, and the fact that there were issues at multiple sites "raised suspicion." After an initial investigation, the utility decided to ask its firewall manufacturer to review what happened, according to NERC, which led to the discovery of "an external entity" -- a hacker or hackers -- interfering with the devices. NERC stressed that "there was no impact to generation...."

Wightman said the "biggest problem" was the fact that hackers were able to successfully take advantage of a known flaw in the firewall's interface. "The advisory even goes on to say that there were public exploits available for the particular bug involved," he said. "Why didn't somebody say, 'Hey, we have these firewalls and they're exposed to the internet -- we should be patching?'"

Large power utilities are required to check for and apply fixes to sensitive grid software that could offer an entry point for hackers.
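What turned this incident from a support ticket into an investigation was the shape of the outage: repeated reboots of the same devices over about ten hours, at more than one site. The Python below is an added example, not NERC's or the utility's tooling: detection logic that runs over constructed syslog-style firewall boot messages, flags any device whose reboot count inside a sliding window reaches a threshold, and escalates when the pattern appears on several devices at once. The log format, device names, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed syslog-style boot messages from several perimeter firewalls.
# Real devices word this differently; LINE_RE below is written for these lines.
SAMPLE_LOG = """\
2019-03-05T09:02:11Z fw-siteA kernel: system boot complete
2019-03-05T09:14:40Z fw-siteA kernel: system boot complete
2019-03-05T09:26:03Z fw-siteA kernel: system boot complete
2019-03-05T09:31:55Z fw-siteB kernel: system boot complete
2019-03-05T09:44:20Z fw-siteB kernel: system boot complete
2019-03-05T09:58:07Z fw-siteB kernel: system boot complete
2019-03-05T10:05:12Z fw-siteC kernel: system boot complete
2019-03-05T11:40:00Z fw-siteD kernel: system boot complete
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+kernel: system boot complete$")


def parse_boots(log_text: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, device) for each boot message, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2)))
    events.sort()
    return events


def reboot_bursts(events: List[Tuple[datetime, str]], window: timedelta,
                  threshold: int) -> Dict[str, int]:
    """Sliding window per device: flag a device once `threshold` boots fall
    inside any span of length `window`. Returns the worst count per device."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ts, device in events:
        q = recent[device]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop boots that fell out of the window
        if len(q) >= threshold:
            flagged[device] = max(flagged.get(device, 0), len(q))
    return flagged


def analyze(log_text: str, window: timedelta = timedelta(hours=1),
            threshold: int = 3) -> dict:
    """One firewall rebooting repeatedly is a hardware or support ticket; the
    same pattern on several devices at once is the signal to treat as hostile."""
    flagged = reboot_bursts(parse_boots(log_text), window, threshold)
    return {"devices": flagged, "multi_site": len(flagged) >= 2}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In a real deployment the same rule would feed from the device syslog stream rather than a string, and the multi-site escalation is the part worth wiring to an on-call alert: it is exactly the "issues at multiple sites" observation that, in the NERC account, took an initial investigation and a vendor review to reach.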

Google

Google Expands Bug Bounty Programme To All Apps With Over 100M Installs (venturebeat.com)

Long-time Slashdot reader AmiMoJo quotes VentureBeat: Google, which has already paid security researchers over $15 million since launching its bug bounty program in 2010, today increased the scope of its Google Play Security Reward Program (GPSRP). Security researchers will now be rewarded for finding bugs across all apps in Google Play with 100 million or more installs. At the same time, the company launched the Developer Data Protection Reward Program (DDPRP) in collaboration with [bug bounty platform] HackerOne. That program is for data abuses in Android apps, OAuth projects, and Chrome extensions....

Google also uses this vulnerability data to create automated checks that scan all Google Play apps for similar vulnerabilities. Affected app developers are notified via the Play Console. The App Security Improvement (ASI) program provides them with information on the vulnerability and how to fix it. In February, Google revealed that ASI has helped over 300,000 developers fix over 1,000,000 apps on Google Play.

The article also notes that Android apps and Chrome extensions found to be abusing data "will be removed from Google Play and the Chrome Web Store."
Bug

Exploit For Wormable BlueKeep Windows Bug Released Into the Wild (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: For months, security practitioners have worried about the public release of attack code exploiting BlueKeep, the critical vulnerability in older versions of Microsoft Windows that's "wormable," meaning it can spread from computer to computer the way the WannaCry worm did two years ago. On Friday, that dreaded day arrived when the Metasploit framework -- an open source tool used by white hat and black hat hackers alike -- released just such an exploit into the wild. The module, which was published as a work in progress on GitHub, doesn't yet have the polish and reliability of the EternalBlue exploit that was developed by the NSA and later used in WannaCry. For instance, if the people using the new module specify the wrong version of Windows they want to attack, they'll likely wind up with a blue-screen crash. Getting the exploit to work on server machines also requires a change to default settings in the form of a registry modification that turns on audio sharing.

The latest flaw, which is indexed as CVE-2019-0708 but is better known by the name BlueKeep, resides in earlier versions of the Remote Desktop Services, which help provide a graphical interface for connecting to Windows computers over the Internet. It affects Windows 2003 and XP, Vista, 7, Server 2008 R2, and Server 2008. When Microsoft patched the vulnerability in May, it warned that computers that failed to install the fix could suffer a similar fate if reliable attack code ever becomes available. The reason: like the flaw that EternalBlue exploited, BlueKeep allowed for self-replicating attacks. Like a falling line of dominoes, a single exploit could spread from vulnerable machine to vulnerable machine with no interaction required of end users.
"The release of this exploit is a big deal because it will put a reliable exploit in the hands of both security professionals and malicious actors," Ryan Hanson, principal research consultant at Atredis Partners and a developer who helped work on the release, told Ars. "I'm hoping the exploit will be primarily used by offensive teams to demonstrate the importance of security patches, but we will likely see criminal groups modifying it to deliver ransomware as well."
