More than three million internet users are believed to have installed 15 Chrome, and 13 Edge extensions that contain malicious code, reports ZDNet, citing an announcement from cybersecurity company Avast: Avast researchers said they believe the primary objective of this campaign was to hijack user traffic for monetary gains. "For every redirection to a third party domain, the cybercriminals would receive a payment," the company said.

Avast said it discovered the extensions last month and found evidence that some had been active since at least December 2018, when some users first started reporting issues with being redirected to other sites. Jan Rubín, Malware Researcher at Avast, said they couldn't identify if the extensions had been created with malicious code from the beginning or if the code was added via an update when each extension passed a level of popularity. And many extensions did become very popular, with tens of thousands of installs. Most did so by posing as add-ons meant to help users download multimedia content from various social networks, such as Facebook, Instagram, Vimeo, or Spotify.

Avast said it reported its findings to both Google and Microsoft and that both companies are still investigating the extensions.
ZDNet's article includes Avast's lists of the 28 extensions which they're recommending be uninstalled by users.

ZDNet also notes that "A day after Avast published its findings, only three of the 15 Chrome extensions were removed, while all the Edge add-ons were still available for download. A source familiar with the investigation told ZDNet that Microsoft has not been able to confirm the Avast report."

The Verge reports: Firefox's latest update brings native support for Macs that run on Apple's Arm-based silicon, Mozilla announced on Tuesday. Mozilla claims that native Apple silicon support brings significant performance improvements: the browser apparently launches 2.5 times faster and web apps are twice as responsive than they were on the previous version of Firefox, which wasn't native to Apple's chips...

Firefox's support of Apple's Arm-based processors follows Chrome, which added support for Apple's new chips shortly after the M1-equipped MacBook Pro, MacBook Air, and Mac mini were released in November.
Firefox 84 will also be the very last release to support Adobe Flash, notes ZDNet, calling both developments "a reminder of the influence Apple co-founder Steve Jobs has had and continues to exert on software and hardware nine years after his death." Jobs wrote off Flash in 2010 as successful Adobe software but one that was a 'closed' product "created during the PC era — for PCs and mice" and not suitable for the then-brand-new iPad, nor any of its prior iPhones. Instead, Jobs said the future of the web was HTML5, JavaScript and CSS.

At the end of this year Google Chrome, Microsoft Edge and Apple Safari also drop support for Flash.

Senior Apple execs recently reflected in an interview with Om Malik what the M1 would have meant to Jobs had been alive today. "Steve used to say that we make the whole widget," Greg Joswiak, Apple's senior vice president of Worldwide Marketing told Malik.

"We've been making the whole widget for all our products, from the iPhone, to the iPads, to the watch. This was the final element to making the whole widget on the Mac."
ZDNet also notes that Firefox 84 offers WebRender, "Mozilla's faster GPU-based 2D rendering engine" for MacOS Big Sur, Windows devices with Intel Gen 6 GPUs, and Intel laptops running Windows 7 and 8. "Mozilla promises it will ship an accelerated rendering pipeline for Linux/GNOME/X11 users for the first time."

Firefox now also uses "more modern techniques for allocating shared memory on Linux," writes Mozilla, "improving performance and increasing compatibility with Docker."

And Firefox 85 will include a new network partitioning feature to make it harder for companies to track your web surfing.

As many as 3 million people have been infected by Chrome and Edge browser extensions that steal personal data and redirect users to ad or phishing sites, a security firm said on Wednesday. Ars Technica reports: In all, researchers from Prague-based Avast said they found 28 extensions for the Google Chrome and Microsoft Edge browsers that contained malware. The add-ons billed themselves as a way to download pictures, videos, or other content from sites including Facebook, Instagram, Vimeo, and Spotify. At the time this post went live, some, but not all, of the malicious extensions remained available for download from Google and Microsoft. Avast researchers found malicious code in the JavaScript-based extensions that allows them to download malware onto an infected computer.

In a post, the researchers wrote: "Users have also reported that these extensions are manipulating their internet experience and redirecting them to other websites. Anytime a user clicks on a link, the extensions send information about the click to the attacker's control server, which can optionally send a command to redirect the victim from the real link target to a new hijacked URL before later redirecting them to the actual website they wanted to visit. User's privacy is compromised by this procedure since a log of all clicks is being sent to these third party intermediary websites. The actors also exfiltrate and collect the user's birth dates, email addresses, and device information, including first sign in time, last login time, name of the device, operating system, used browser and its version, even IP addresses (which could be used to find the approximate geographical location history of the user)."

The researchers don't yet know if the extensions came with the malicious code preinstalled or if the developers waited for the extensions to gain a critical mass of users and only then pushed a malicious update. It's also possible that legitimate developers created the add-ons and then unknowingly sold them to someone who intended to use them maliciously. [...] The list Avast provides in its blog post includes links to download locations for both Chrome and Edge. Anyone who has downloaded one of these add-ons should remove it immediately and run a virus scan.

This week, Google acquired a company called Neverware that allows users to turn their old PCs and Macs into a Chromebook with its CloudReady software. Now, Google is planning to make CloudReady into an official Chrome OS release. Engadget reports: When that happens, Neverware says its existing users will be able to seamlessly upgrade to the updated software. Moreover, once that transition is complete, Google will support CloudReady in the same way that it currently does Chrome OS. In the immediate future, Neverware says it's business as usual. The Home Edition of CloudReady isn't changing, and the company says it's committed to supporting its existing education and enterprise customers. Moreover, there's no plan to change pricing at the moment, and Google will honor any current multi-year licenses.

Not only does this acquisition make a lot of sense from Google's perspective, but it's hard to see a downside for CloudReady users. The fact the operating system wasn't officially supported by Google was one of the few downsides to the software. It meant you couldn't install Android apps on CloudReady devices, even though it's based on Chromium OS. With this acquisition, support for Android apps becomes much more likely. Direct support from Google will also make the software more appealing to schools and businesses since they can get help directly from the company if they have any technical issues.

CNET reports: With the next version of Chrome, Google is moving ahead with a plan to improve privacy and security by reining in some abilities of extensions used to customize the browser. The move had angered some developers who expected earlier it would cripple ad blockers. Manifest v3, the programming interface behind Google's security plans, will arrive with Chrome 88 in mid-January, Google said Wednesday at the Chrome Dev Summit. Extensions using the earlier Manifest v2 will still work for at least a year...

Among other things, Manifest v3 limits the number of "rules" that extensions may apply to a web page as it loads. Rules are used, for example, to check if a website element comes from an advertiser's server and should therefore be blocked. Google announced the changes two years ago. Reducing the number of rules allowed angered creators of extensions like the uBlock Origin ad blocker and the Ghostery tracking blocker. They said the rules limits will stop their extensions from running their full lists of actions to screen ads or block tracking. That could let websites bypass extensions — and the preferences of people who installed them...

The shift brought on by Manifest V3 will spread to all browsers, to the detriment of ad blocking software, predicted Andrey Meshkov, co-founder and chief technology officer of AdGuard, an ad-blocking extension... Ghostery is working to update its extension for Manifest V3 but would rather spend its time on "real privacy innovations," President Jeremy Tillman said in a statement Wednesday. "We still have real misgivings that these changes have more to do with Google protecting its bottom line than it does with improving security for Chrome users...."

The importance of the Chrome team's choices are magnified by the fact that other browsers, including Microsoft Edge, Vivaldi , Opera and Brave, are built on its Chromium open-source foundation. Microsoft said it will embrace Manifest v3, too.
"Another Manifest v3 change is that extensions no longer may update their abilities by downloading code from third-party sites.

"The entire extension now must be distributed through the Chrome Web Store, a measure Google says improves security screens and speeds reviews."

Microsoft has raised the alarm today about a new malware strain that infects users' devices and then proceeds to modify browsers and their settings in order to inject ads into search results pages. From a report: Named Adrozek, the malware has been active since at least May 2020 and reached its absolute peak in August this year when it controlled more than 30,000 browsers each day. But in a report today, the Microsoft 365 Defender Research Team believes the number of infected users is much, much higher. Microsoft researchers said that between May and September 2020, they observed "hundreds of thousands" of Adrozek detections all over the globe. Based on internal telemetry, the highest concentration of victims appears to be located in Europe, followed by South and Southeast Asia. Microsoft says that, currently, the malware is distributed via classic drive-by download schemes. Users are typically redirected from legitimate sites to shady domains where they are tricked into installing malicious software. The boobytrapped software installs the Androzek malware, which then proceeds to obtain reboot persistence with the help of a registry key.

Google, Dell, Intel and a handful of other major tech companies in the IT and cloud computing industries have banded together to tackle joint problems around security, remote work, and other enterprise issues that have only become more important during the coronavirus pandemic. From a report: The consortium these companies have formed is called the Modern Computing Alliance, and its founding members also include Box, Cirtrix, Imprivata, Okta, RingCentral, Slack, VMWare, and Zoom. The Modern Computing Alliance will initially be focused on four areas: performance; security and identity; remote work, productivity, and collaboration; and health care. The goal is to pool knowledge and resources toward solving shared problems around how companies perform work in the cloud and the tools they use to do so. The alliance will focus on developing new standards and interoperable technologies that can be used by any company that relies on one of the partners' platforms or products. In particular, Google is engaged in the effort with its Chrome browser and Chrome OS teams, as well as the division responsible for Google Workplace. "Today, we're excited to announce Google's membership in the Modern Computing Alliance -- to address the biggest IT challenges facing companies today with integration from silicon to cloud," says John Solomon, Google's vice president of Chrome OS. "Working with a group of forward-thinking industry leaders, we're aligning standards and technologies to provide companies with the choice of high-performance, cloud-first computing solutions from the vendor of their choice who provide modern solutions for the modern era of business."

At Chrome Dev Summit 2020 today, Google announced it will change how extensions access data and how extension permissions work in 2021. On January 18, a day before the release of Chrome 88, Google will require that every extension publicly display its privacy practices and will limit what developers can do with the data they collect. From a report: The first change means that Chrome users next year will determine which websites an extension can access when they browse the web. Once you grant an extension permission to access a website's data, that preference can be saved for that domain. Today, the extension makes that call. In 2021, you will still be able to grant an extension access to all the websites you visit, but that won't be the default. Google outlined the second change last month: "each extension's detail page in the Chrome Web Store will show developer-provided information about the data collected by the extension, in clear and easy to understand language." The company also updated its user data privacy policy with an addition to how extension developers use data they collect.

Engadget reports: The Wall Street Journal has learned that Google is considering "severe penalties" against internet giant IAC (InterActive Corp) over allegedly deceptive practices in its Chrome extensions. The browser extras reportedly promise features that never materialize, point users toward additional ads, or even trick users into installing them.

A Google audit reportedly found that some of IAC's voting ads not only didn't take users to voter info, but installed the Ask.com toolbar and changed users' default home pages. IAC kept running those ads even after Google told the company to stop.

The full range of potential punishments isn't clear, but Google is considering banning them, according to WSJ sources and leaked documents

Chrome OS 87 starting rolling out on Thursday, adding the ability to search tabs, view the battery levels of your Bluetooth devices, and more. 9to5Google reports: Tab Groups help people better manage (and collapse/hide) tabs, but it doesn't always reduce the number open. Google is now introducing Tab Search to let users find what pages they have open across all windows. Tapping the circular dropdown button in the top-right corner -- also accessible with Ctrl+Shift+A -- first shows a list of everything open. It includes the favicon, page name, and domain, as well as an individual close button. This feature is first rolling out to Chromebooks before coming to desktop browsers.

Chrome OS 87 will list the Bluetooth battery levels of accessories in Settings and Quick Settings. Just navigate to the Bluetooth menu. This feature is primarily meant for wireless headphones and will show a notification with the current level in the bottom-right corner of your screen upon connection. Chrome OS 87 also adds 36 new backgrounds created by four different artists. To set, right-click on the desktop or shelf and select "Set wallpaper."

Other features in this release include:
- Saving to Google Drive has been updated with the ability to rename the file and selecting what folder to store it in
- Chrome OS devices now support switch accessibility devices
- Google has updated language settings to be easier for multilingual users to navigate
- The Alt+Tab window switcher now supports mouse, touch screen, and stylus input
- Version 87 makes visual improvements when renaming Virtual Desks and Launcher folders

A change made in the Google Chrome browser in October has impacted the performance of the Google Fonts service for millions of websites. From a report: The change is an update to Chrome's internal cache system. A browser's cache system works by serving as a temporary storage system for images, CSS, and JavaScript files used by websites. Files stored in the cache are typically reused across multiple sites instead of having the browser re-download each file for every page/tab load. But with the release of Chrome 86 in early October 2020, Google has overhauled how Chrome's entire caching system works. Instead of using one big cache for all websites, Google has "partitioned" the Chrome cache, which will now be storing resources on a per-website and per-resource basis. While this is a big win for user security, preventing some forms of web attacks, this change has affected web services designed around the old cache system.

Windows Central reports: Microsoft is working on a software solution that would allow app developers to bring their Android apps to Windows 10 with little to no code changes by packaging them as an MSIX and allowing developers to submit them to the Microsoft Store. According to sources familiar with the matter, the project is codenamed 'Latte' and I'm told it could show up as soon as next year. The company has toyed with the idea of bringing Android apps to Windows 10 before via a project codenamed Astoria that never saw the light of day. Project Latte aims to deliver a similar product, and is likely powered by the Windows Subsystem for Linux (WSL.) Microsoft will need to provide its own Android subsystem for Android apps to actually run, however.

Microsoft has announced that WSL will soon get support for GUI Linux applications, as well as GPU acceleration which should aid the performance of apps running through WSL. It's unlikely that Project Latte will include support for Play Services, as Google doesn't allow Play Services to be installed on anything other than native Android devices and Chrome OS. This means that apps which require Play Services APIs will need to be updated to remove those dependencies before they can be submitted on Windows 10.

Google is loosening control over the core of its Chrome browser, a move that helps Microsoft, Samsung and Brave build competitors while advancing the search giant's vision of the web. From a report: Over the past six months, Google welcomed a new outside developer into the leadership of its Chromium project, the software that powers the similarly named browser. The Alphabet subsidiary is also granting outsiders access to its previously proprietary software development system and allows outside features even when Google doesn't incorporate them into the flagship Chrome browser.

Chromium is open-source software, which means anyone can modify and use it. Even with open source projects, however, outsiders can have trouble convincing organizers to accept their changes and additions, making it harder to contribute and benefit. Google took pains to draw attention to the changes at the BlinkOn conference earlier this week. "It's really cool to see so many people and groups with different priorities coming together and finding solutions that not only meet their individual agendas but also advance the common goal of improving the web," said Danyao Wang, a Chrome engineer at Google.

Rudra Saraswat is the creator of the Ubuntu Unity distro (which uses the Unity interface in place of Ubuntu's GNOME shell).

But this week they released Ubuntu Web Remix, "a privacy-focused, open source alternative to Google Chrome OS/Chromium OS" using Firefox instead of Google Chrome/Chromium. Liliputing reports: If the name didn't give it away, this operating system is based on Ubuntu, but it's designed to offer a Chrome OS-like experience thanks to a simplified user interface and a set of pre-installed apps including the Firefox web browser, some web apps from /e/, and Anbox, a tool that allows you to run Android apps in Linux...

You don't get the long battery life, cloud backup, and many other features that make Chromebooks different from other laptops (especially other cheap laptops). But if you're looking for a simple, web-centric operating system that isn't made by a corporate giant? Then I guess it's nice to have the option.
Rudra Saraswat writes: An easy web-app (wapp) format has been created to package web-apps for the desktop. You can now create your own web apps using web technologies, package them for the desktop and install them easily.

An experimental wapp store can be found at store.ubuntuweb.co, for distributing web apps. Developers and packagers can do pull requests at gitlab.com/ubuntu-web/ubuntu-web.gitlab.io to contribute wapps.

According to Chrome product manager Mark Chang, Google's version of Chrome that support ARM Macs is now available to download. The Verge reports: In theory, a native version of the notoriously resource-hungry browser might run more efficiently on Apple's Arm-based computers. In our reviews of the MacBook Air, MacBook Pro, and Mac mini equipped with the new M1 chip, though, we found that the version of Chrome built for Intel chips already runs well on Apple's new Macs, so hopefully this native version runs even better. You'll be able to pick which version of Chrome to download from the browser's website.

Google began rolling out a new version of Chrome on Tuesday, touting the "the largest gain in Chrome performance in years" thanks to some under-the-hood changes. The company's blog about the new release didn't mention anything about a version optimized for Apple's Arm-based Macs.

Google said today it plans to add a new section on the Chrome Web Store where extension developers will disclose what user data they're collecting from users and what they plan to do with the information. From a report: The new section is set to go into effect on January 18, 2021, and will appear as a "Privacy practices" button on each extension's Web Store listing. To aid the process, Google has added a new section today in the Web Store dashboard where extension developers will be able to disclose what data they collect from their users and for what purposes.

Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol. From a report: Todays' release is available for Windows, Mac, Linux, Chrome OS, Android, and iOS. Users can update to the new version via Chrome's built-in update utility. While in previous versions, Google has shipped some changes to Chrome settings and UI elements, almost all the major new Chrome 87 features are aimed at web developers. In Chrome 87, we have new APIs and updates to Chrome's built-in Developer Tools, such as: Support for the new Cookie Store API; new features to allow easier modification of web fonts via CSS; a new feature to let websites enumerate all the locally installed fonts; support for pan, tilt, and zoom controls on webcam streams; and, support for debugging WebAuthn operations via the Chrome DevTools.

According to Windows Latest, "Microsoft is A/B testing a new feature that is designed to nag users with fullscreen window-less Microsoft Edge recommendations in the OOBE screen." From the report: The nag will appear when users set up their PC, sign in to their system after applying updates, or when they click on a new ad banner within the Settings. [...] Microsoft is trying to convince users of rival browsers who are visiting Windows Settings of the benefits of trying the Chromium Edge. In the Settings app, there's a new banner that appears to be rolling out to non-Insiders. As you can see in the above screenshot, the advert appears across the top of the Settings app window, just above the settings options.

The banner states that you can "get even more out of Windows" and it surprisingly launches the OOBE (out of the box experience) screen. [...] This ad appeared only when our devices were set to use Google Chrome and Firefox as the default web browser. The user can easily close the advert by clicking the second option "Don't update your browser settings." If you try to skip the setup, the pop-up will appear again in future. Unfortunately, you cannot permanently disable these recommendations in Windows 10.

"[I]n the coming weeks," Google will show a new blanket setting to "turn off smart features" which will disable features like Smart Compose, Smart Reply, in apps like Gmail; the second half of the same prompt will disable whether additional Google products -- like Maps or Assistant, for example -- are allowed to be personalized based on data from Gmail, Meet, and Chat. Gizmodo reports: Google writes in its blog post about the new-ish settings that humans are not looking at your emails to enable smart features, and Google ads are "not based on your personal data in Gmail," something CEO Sundar Pichai has likewise said time and again. Google claims to have stopped that practice in 2017, although the following year the Wall Street Journal reported that third-party app developers had freely perused inboxes with little oversight. (When asked whether this is still a problem, the spokesperson pointed us to Google's 2018 effort to tighten security.)

A Google spokesperson emphasized that the company only uses email contents for security purposes like filtering spam and phishing attempts. These personalization changes aren't so much about tightening security as they are another informed consent defense which Google can use to repel the current regulatory siege being waged against it by lawmakers. [...] Inquiries in the U.S. and EU have found that Google's privacy settings have historically presented the appearance of privacy, rather than privacy itself. [...] So this is nice, and also Google's announcement reads as a letter to regulators. "This new setting is designed to reduce the work of understanding and managing [a choice over how data is processed], in view of what we've learned from user experience research and regulators' emphasis on comprehensible, actionable user choices over data."

A Slashdot reader shared this report from the Register: Google on Thursday was sued for allegedly stealing Android users' cellular data allowances though unapproved, undisclosed transmissions to the web giant's servers...

The complaint contends that Google is using Android users' limited cellular data allowances without permission to transmit information about those individuals that's unrelated to their use of Google services... What concerns the plaintiffs is data sent to Google's servers that isn't the result of deliberate interaction with a mobile device — we're talking passive or background data transfers via cell network, here. "Google designed and implemented its Android operating system and apps to extract and transmit large volumes of information between Plaintiffs' cellular devices and Google using Plaintiffs' cellular data allowances," the complaint claims...

Android users have to accept four agreements to participate in the Google ecosystem: Terms of Service; the Privacy Policy; the Managed Google Play Agreement; and the Google Play Terms of Service. None of these, the court filing contends, disclose that Google spends users' cellular data allowances for these background transfers. To support the allegations, the plaintiff's counsel tested a new Samsung Galaxy S7 phone running Android, with a signed-in Google Account and default setting, and found that when left idle, without a Wi-Fi connection, the phone "sent and received 8.88 MB/day of data, with 94 per cent of those communications occurring between Google and the device." The device, stationary, with all apps closed, transferred data to Google about 16 times an hour, or about 389 times in 24 hours. Assuming even half of that data is outgoing, Google would receive about 4.4MB per day or 130MB per month in this manner per device subject to the same test conditions...

An iPhone with Apple's Safari browser open in the background transmits only about a tenth of that amount to Apple, according to the complaint... Vanderbilt University Professor Douglas C. Schmidt performed a similar study in 2018 — except that the Chrome browser was open — and found that Android devices made 900 passive transfers in 24 hours...

The complaint charges that Google conducts these undisclosed data transfers for further its advertising business, sending "tokens" that identify users for targeted advertising and preload ads that generate revenue even if they're never displayed.