Bug

iOS 14 Resets iPhone's Default Apps To Apple's Safari and Mail After Reboot (cnet.com)

Users have found a major bug in Apple's iOS 14 iPhone software. The free software upgrade, which Apple made publicly available last week, includes features many users had long asked for, such as better ways to organize apps, living programs called widgets on the home screen, and the ability to change which default apps the phone uses to browse the web or send an email. That last one doesn't appear to work. From a report: A growing chorus of Twitter users has been posting about the bug in Apple's default email and default web browser options. What happens is that whenever they set the default browser to Google's Chrome, for example, it works as expected, and tapping any link in an app or browser will open Chrome on the iPhone. But then if they restart the phone, iOS 14 changes that default back to Apple's Safari. "We are aware of an issue that can impact default email and browser settings in iOS 14 and iPadOS 14. A fix will be available to users in a software update," Apple said in a statement.
Open Source

Browser Extension uMatrix Ends Active Development (ghacks.net)

Slashdot reader Hmmmmmm quotes Ghacks: Raymond Hill, known online as gorhill, has set the status of the uMatrix GitHub repository to archived; this means that it is read-only at the time and that no updates will become available.

The uMatrix extension is available for several browsers including Firefox, Google Chrome, and most Firefox and Chromium-based browsers. It is a privacy and security extension for advanced users that provides firewall-like capabilities when it is installed...

Hill suggests that developers could fork the extension to continue development under a new name. There is also the chance that Hill might resume development in the future but there is no guarantee that this is going to happen.

For now, uMatrix is no longer in active development.

Chrome

How to Play Chrome's Hidden 'Dinosaur Game' and Firefox's 'Unicorn Pong' (howtogeek.com)

How-To Geek has discovered three of the world's most popular web browsers contain Easter Eggs: It seems like every browser has a hidden game these days. Chrome has a dinosaur game, Edge has surfing, and Firefox has . . . unicorn pong? Yep, you read that right — here's how to play it.

First, open Firefox. Click the hamburger menu (the three horizontal lines) at the upper right, and then click "Customize." On the "Customize Firefox" tab, you'll see a list of interface elements to configure the toolbar. Click and drag all the toolbar items except "Flexible Space" into the "Overflow Menu" on the right.

Click the Unicorn button that appears at the bottom of the window....

There's screenshots in the article illustrating all of the steps — and the result.
Microsoft

Microsoft's 'Patch Tuesday' Includes 129 Security Updates, Mostly to Windows (krebsonsecurity.com)

This week Krebs on Security reported that Microsoft "released updates to remedy nearly 130 security vulnerabilities in its Windows operating system and supported software." None of the flaws are known to be currently under active exploitation, but 23 of them could be exploited by malware or malcontents to seize complete control of Windows computers with little or no help from users. The majority of the most dangerous or "critical" bugs deal with issues in Microsoft's various Windows operating systems and its web browsers, Internet Explorer and Edge. September marks the seventh month in a row Microsoft has shipped fixes for more than 100 flaws in its products, and the fourth month in a row that it fixed more than 120.

Among the chief concerns for enterprises this month is CVE-2020-16875, which involves a critical flaw in the email software Microsoft Exchange Server 2016 and 2019. An attacker could leverage the Exchange bug to run code of his choosing just by sending a booby-trapped email to a vulnerable Exchange server. "That doesn't quite make it wormable, but it's about the worst-case scenario for Exchange servers," said Dustin Childs, of Trend Micro's Zero Day Initiative. "We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We'll likely see this one in the wild soon. This should be your top priority."

Also not great for companies to have around is CVE-2020-1210, which is a remote code execution flaw in supported versions of Microsoft Sharepoint document management software that bad guys could attack by uploading a file to a vulnerable Sharepoint site. Security firm Tenable notes that this bug is reminiscent of CVE-2019-0604, another Sharepoint problem that's been exploited for cybercriminal gains since April 2019.

The article points out that Google also shipped a critical update for Chrome this week "that resolves at least five security flaws that are rated high severity."
Firefox

Firefox Will Add a New Drive-by-Download Protection (zdnet.com)

Mozilla will add a new security feature to Firefox in October that will make it harder for malicious web pages to initiate automatic downloads and plant malware-laced files on a user's computer. From a report: Called a drive-by download, this type of attack has been around for two decades and usually takes place when users visit a website that contains malicious code placed there by an attacker. The role of the malicious code is to abuse legitimate features in browsers and web standards to initiate an automatic file download or download prompt, in the hopes of tricking the user into running a malicious file. There are multiple forms of drive-by downloads, depending on the browser feature attackers decide to use. Browsers like Chrome, Firefox, and Internet Explorer have, across the years, gradually deployed various forms of protections against automatic drive-by downloads, but 100% protection can't be fully achieved because browser makers can't fully block legitimate web features and also because of the shifting landscape of web attacks, with attackers always finding a new hole to poke at.
Network

A Chrome Feature is Creating Enormous Load on Global Root DNS Servers (arstechnica.com)

An anonymous reader shares a report: The Chromium browser -- open source, upstream parent to both Google Chrome and the new Microsoft Edge -- is getting some serious negative attention for a well-intentioned feature that checks to see if a user's ISP is "hijacking" non-existent domain results. The Intranet Redirect Detector, which makes spurious queries for random "domains" statistically unlikely to exist, is responsible for roughly half of the total traffic the world's root DNS servers receive. Verisign engineer Matt Thomas wrote a lengthy APNIC blog post outlining the problem and defining its scope. DNS, or the Domain Name System, is how computers translate relatively memorable domain names like arstechnica.com into far less memorable IP addresses, like 3.128.236.93.

Without DNS, the Internet couldn't exist in a human-usable form -- which means unnecessary load on its top-level infrastructure is a real problem. Loading a single modern webpage can require a dizzying number of DNS lookups. When we analyzed ESPN's front page, we counted 93 separate domain names -- from a.espncdn.com to z.motads.com -- that had to be resolved in order to fully load the page! In order to keep the load manageable for a lookup system that must service the entire world, DNS is designed as a many-stage hierarchy. Near the top of this pyramid are the TLD servers -- each top-level domain, such as .com, has its own family of servers that are authoritative for every domain registered beneath it. One step above those are the actual root servers, a.root-servers.net through m.root-servers.net.

Chrome

Chrome 85 Arrives With Tab Management, 10% Faster Page Loads, and PDF Improvements (venturebeat.com)

Google today launched Chrome 85 for Windows, Mac, Linux, Android, and iOS. Chrome 85 brings tab management changes, 10% faster page loads, PDF improvements, and a slew of developer features. From a report: Google is promising under-the-hood performance improvements with Chrome 85. You can expect two types of speed gains: Profile Guided Optimization, which delivers up to 10% faster page loads, and Tab Throttling, which helps reduce the impact of idle background tabs. The latter, however, is coming to the Beta channel first, meaning it's not yet in the stable release. Profile Guided Optimization is a compiler optimization technique that uses profiles of real usage to make the most performance-critical parts of the code run faster; it prioritizes the most common tasks based on usage scenarios that match the workflows of Chrome users around the world.
Microsoft

Microsoft's Transcribe in Word Gives Office 365 Subscribers 5 Hours of Transcription a Month (venturebeat.com)

Last October, Microsoft unveiled a transcription feature -- Transcribe in Word -- that is designed to let users leverage the power of the cloud to transcribe audio. After nearly a year in development, Transcribe in Word is now generally available in U.S. English at no cost to existing Microsoft 365 subscribers. It will come to Android and iOS later this year. From a report: You could say Microsoft is late to the party -- speech-to-text is hardly novel, after all. But Microsoft project manager Dan Parish says the company is "uniquely positioned" to provide a one-stop shop for transcription. "You don't have to worry about fussing around with different Windows apps," he said during a briefing with reporters. "What we're trying to do with all of our investments in the natural user interface space -- whether they have touch or voice, you name it -- is enable everyone to work in the way that's best for them so that they can be more effective, they can spend less time and energy creating the best work, and they can really focus on what matters most." Microsoft 365 subscribers using Edge or Chrome will now see a Dictate menu under the Home tab when they create a new Word document from Office.com. Selecting Transcribe will start a recording, which can be paused at any time, while hitting the "Save and transcribe now" button will send the recording to the Azure cloud for transcription. Prerecorded files in .wav, .mp4, .m4a, and .mp3 formats can be uploaded via the new Upload audio option.
Google

Chromium's DNS-Hijacking Tests Accused of Causing Half of All Root Queries (zdnet.com)

ZDNet reports: In an effort to detect whether a network will hijack DNS queries, Google's Chrome browser and its Chromium-based brethren randomly conjure up three domain names between 7 and 15 characters to test, and if the responses for two of those domains return the same IP, the browser believes the network is capturing and redirecting nonexistent domain requests. This test is completed on startup, and whenever a device's IP or DNS settings change.

Because resolvers pass queries for locally unknown names up to more authoritative name servers, the random domains used by Chrome find their way up to the root DNS servers, and according to Matthew Thomas, a principal engineer in Verisign's CSO applied research division, those queries make up half of all queries to the root servers. Data presented by Thomas showed that as Chrome's market share increased after the feature was introduced in 2010, queries matching the pattern used by Chrome similarly increased.

"In the 10-plus years since the feature was added, we now find that half of the DNS root server traffic is very likely due to Chromium's probes," Thomas said in an APNIC blog post. "That equates to about 60 billion queries to the root server system on a typical day."

Thomas added that half the DNS traffic of the root servers is being used to support a single browser function, and with DNS interception being "certainly the exception rather than the norm", the traffic would be a distributed denial of service attack in any other scenario.
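The two DNS stories above describe the same heuristic: three random single-label names, and a hijack verdict if two of them resolve to the same address. As an added example that is not code from Chromium, Ars, ZDNet or the APNIC post, the Python below reproduces that heuristic with the resolver injected as a function, so it runs offline; the "honest" and "hijacking" resolvers and the 198.51.100.53 landing-page address are constructed for illustration, and the exact label alphabet Chromium uses is an assumption.

```python
import random
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address string, or None for NXDOMAIN.
# Real code would send A queries; injecting the resolver lets the heuristic
# run offline against constructed network behaviour.
Resolver = Callable[[str], Optional[str]]


def random_probe_names(count: int = 3, rng: Optional[random.Random] = None) -> List[str]:
    """Return `count` single-label names of 7 to 15 lowercase letters (alphabet is an assumption).

    A label with no dot belongs to no TLD, so a resolver without a cached
    negative answer has nowhere to ask but a root server. That is why these
    probes show up as root traffic in the stories above.
    """
    rng = rng or random.Random()
    names = []
    for _ in range(count):
        length = rng.randint(7, 15)
        names.append("".join(rng.choice(string.ascii_lowercase) for _ in range(length)))
    return names


def detect_nxdomain_hijack(resolve: Resolver, names: List[str]) -> Optional[str]:
    """Return the redirect address if the network rewrites NXDOMAIN, else None.

    Random names should not exist, so if two of them come back with the same
    address the resolver is assumed to be substituting a landing page for
    NXDOMAIN. A single stray answer is not treated as evidence.
    """
    seen: Dict[str, str] = {}  # address -> first probe name that returned it
    for name in names:
        address = resolve(name)
        if address is None:
            continue  # honest NXDOMAIN
        if address in seen:
            return address
        seen[address] = name
    return None


# Constructed resolvers standing in for two kinds of network.
def honest_resolver(name: str) -> Optional[str]:
    """Every random label is NXDOMAIN, as on a network that does not interfere."""
    return None


def make_hijacking_resolver(landing_page_ip: str) -> Resolver:
    """Model an ISP that answers every non-existent name with its search/ad page."""
    def resolve(name: str) -> Optional[str]:
        return landing_page_ip
    return resolve


if __name__ == "__main__":
    probes = random_probe_names(rng=random.Random(2020))
    print("probes sent up to the root:", probes)
    print("honest network ->", detect_nxdomain_hijack(honest_resolver, probes))
    print("hijacking network ->",
          detect_nxdomain_hijack(make_hijacking_resolver("198.51.100.53"), probes))
```

Every probe that is not answered from a negative cache is one query the root system has to absorb; multiplied by every Chromium start-up and network change, that is the traffic the APNIC post attributes to the feature.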

Chrome

Chrome 86 Will Warn Users About Insecure Forms On HTTPS Pages (9to5google.com)

While there's wide HTTPS adoption today, HTTP content on secure pages still persists. Google has been working to stamp that out, and Chrome is now turning its attention to and warning about insecure forms. "These 'mixed forms' (forms on HTTPS sites that do not submit on HTTPS) are a risk to users' security and privacy," says Google in a blog post. "Information submitted on these forms can be visible to eavesdroppers, allowing malicious parties to read or change sensitive form data." 9to5Google reports: The Google browser today removes the address bar's lock icon from sites with mixed forms. However, this proved to deliver an "unclear" experience that "did not effectively communicate the risks associated with submitting data in insecure forms." Starting in version 86, due to hit stable in October, Chrome will provide a more aggressive warning about insecure forms. Autofill will be disabled, but the built-in password manager will continue to offer "unique passwords." The company argues it's safer than reusing credentials. Next, the form will show red warning text underneath the field: "This form is not secure. Autofill has been turned off." The last measure will throw up a full-page warning communicating the potential risks. It gives users an option to cancel the action, but there will be a "Send anyway" button.
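The definition that matters here is narrow: a form is "mixed" only when the page is HTTPS and the form's resolved submission URL is plain HTTP. As an added example, not Chrome's code or Google's, the Python below applies that rule to a constructed page, resolving relative and scheme-relative actions against the page URL so that only an explicit http:// action is flagged. The sample page, its URL and the hostnames in it are made up for the example.

```python
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect the action attribute of every <form>.

    HTMLParser lowercases tag and attribute names, so <FORM ACTION=...> is
    handled the same as <form action=...>.
    """

    def __init__(self) -> None:
        super().__init__()
        self.actions: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag == "form":
            attr = dict(attrs)
            # A missing or empty action submits to the document's own URL.
            self.actions.append(attr.get("action") or "")


def find_mixed_forms(page_url: str, html: str) -> List[str]:
    """Return the absolute submission URLs of forms that would post over plain http.

    Only an https page can have mixed forms; on an http page every form is
    already insecure, so nothing is flagged there. Relative and scheme-relative
    actions inherit the page's https and are therefore not mixed.
    """
    if urlsplit(page_url).scheme.lower() != "https":
        return []
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    mixed = []
    for action in collector.actions:
        target = urljoin(page_url, action.strip())
        if urlsplit(target).scheme.lower() == "http":
            mixed.append(target)
    return mixed


# Constructed sample page: four forms, exactly one of which submits over http.
SAMPLE_PAGE_URL = "https://shop.example/account"
SAMPLE_HTML = """
<html><body>
  <form method="post" action="/login">                          <!-- relative: stays https -->
    <input name="user"><input name="pass" type="password">
  </form>
  <FORM METHOD="post" ACTION="http://legacy.example/subscribe">  <!-- mixed form -->
    <input name="email">
  </FORM>
  <form action="//search.example/q">                            <!-- scheme-relative: https -->
    <input name="q">
  </form>
  <form method="post">                                          <!-- no action: own URL -->
    <input name="note">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for url in find_mixed_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("mixed form submits to", url)
```

A real page also needs the Content-Security-Policy `form-action` directive checked, and JavaScript can rewrite `form.action` before submission, so a static pass like this is a first filter rather than the whole answer.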
Censorship

Text Editor Notepad++ Banned In China After 'Stand With Hong Kong' Update (techcrunch.com)

The website of Notepad++ is banned in China as of Monday, "obviously due to" its release of editions named "Free Uyghur" and "Stand with Hong Kong," the source code and text editor announced on Twitter. TechCrunch reports: First released in 2003 by France-based developer Don Ho, free-to-use Notepad++ operates on Windows and supports some 90 languages. In his release notices for the two editions, Ho openly voiced his concerns over "human rights" conditions, respectively in the Xinjiang autonomous region and Hong Kong. Tests by TechCrunch found that the Notepad++ ban only applies to its Download page -- which showcases the special editions and thus politically sensitive language -- when one tries to reach it from Chinese browsers developed by Tencent (QQ Browser and WeChat's built-in browser), Alibaba (UC Browser), 360 and Sogou. These services flag the page as containing content "prohibited" by local regulators.

Notepad++'s home page, on the other hand, remains unblocked through these local browsers. One can still access the full site from Chrome and DuckDuckGo in China. The ban began as early as August 12 when a user notified Ho of the ban, the developer told TechCrunch. He has never been contacted by any Chinese government authority and does not plan to take measures to cope with the website restriction.

Android

Chrome For Android Will Show 'Fast Page' Labels Based On Web Vitals (venturebeat.com)

An anonymous reader writes: Google today announced Chrome for Android's context menu will show "Fast page" labels for webpages deemed to have good performance. The label will be determined using Google's Web Vitals, an initiative the company announced in May to provide web developers and website owners with a unified set of metrics for building websites with user experience and performance in mind. Core Web Vitals, Google's attempt to spell out the metrics it considers critical for all web experiences, will measure a webpage's responsiveness and visual stability.
Firefox

Can Firefox Be Saved? (zdnet.com)

"Even with another infusion of cash from Google, you have to wonder just how long Firefox will survive as a viable, mainstream web browser," argues ZDNet contributing editor Steven J. Vaughan-Nichols: I've been using Mozilla's Firefox browser since it was still in beta. In 2004, for a while, it was my favorite web browser. Not because it was open-source, but because it was so much better and more secure than Internet Explorer. That was then. This is now. Firefox is in real danger of dying off...

Mozilla and Firefox still produced important work. You need to look no further than the JavaScript, Rust, and WebAssembly languages. They were also champions of security and privacy. Projects such as embracing DNS-over-HTTPS (DoH) and overall security improvements were great, but users didn't care. With the arrival of Google's Chrome browser, users turned from Firefox to Chrome as their favorite browser...

Firefox is on its way to irrelevance. Making matters even worse, Mozilla's just had its second round of layoffs... As technology writer Matthew MacDonald put it, "Mozilla "." Firefox's security and development teams have also been hard hit. This is bad. In January. Mitchell Baker, Mozilla Corporation CEO and Mozilla Foundation chairperson, said it let people go because of declining interest in Firefox, and thus reduced earnings, and that Mozilla was looking for more revenue from "sources outside of search" but "this did not happen." It still isn't happening. According to Mozilla's latest annual report, the majority of its revenue is still generated from global browser search partnerships. This includes the deal negotiated with Google in 2017... Baker assured onlookers that Mozilla would "ship new products faster and develop new revenue streams." These include its bookmarking app Pocket; its virtual rooms Hubs; and its $4.99-a-month Firefox VPN. Excuse me if I don't buy any of these new revenue sources....

Firefox will live on in one way or the other. It's open source after all. But Firefox as an important browser, or Mozilla as a significant open-source developer hub? No. I can't see it. Those days are done. Firefox is officially on my endangered species list.

Technology writer Matthew MacDonald ended his Medium essay on a more hopeful note. "If you have the skills and time, the best possible support is to join the Mozilla community and contribute to their code base."
Idle

A Covid-Friendly Wearable Shocks You With 450 Volts When You Touch Your Face (medium.com)

A reporter for Medium's tech site OneZero recently spotted an especially bizarre ad on Instagram: The ad features a GIF of a person wearing a Fitbit-style wristband, with the text "Eliminate Cravings." Across the frame from their hand sits a giant slice of cake. As the person reaches towards the cake, the wristband turns red and zaps them with electricity. You can tell it's zapping them because the whole frame vibrates, and little lightning bolts shoot out of the wristband, like in an old-school Batman movie. All that's missing is an animated "POW!"

At first, I thought it must be either a joke or a metaphor...

Nope. It turns out the Pavlok is exactly what the ad suggests: a Bluetooth-connected, wearable wristband that uses accelerometers, a connected app, and a "snap circuit" to shock its users with 450 volts of electricity when they do something undesirable. The device costs $149.99 and is available on Amazon. The company says it has over 100,000 customers who use the device to help kill food cravings, quit smoking, and to stop touching their face... I immediately saw two fundamental truths at the exact same time. Firstly, the mere existence of an automated self-flagellation wristband is proof that we've reached Peak Wearables. And second, this is the perfect device for Our Times...

Pavlok's founder says he came up with the idea for the company after paying an assistant to slap him every time he went on Facebook.... Through a Chrome extension, it can also (Doom scrollers rejoice) automatically punish actions like spending too much time on Facebook, Twitter, and other potentially time-wasting websites. It can zap you when you open too many Chrome tabs — a use case I'd love to recommend to several programmer friends... But perhaps the most relevant feature for today's world is the ability to program the device to shock you every time you touch your face. This is something which humans do alarmingly often — up to 16 times per hour. The practice has been implicated in spreading coronavirus, or at least contaminating face masks and leading to wasted PPE...

Pavlok may sound bizarre, but it's just the logical extension of an overall trend toward using tech to tweak and prod our brains into new ways of thinking... Pavlok acts as the metaphorical stick to these apps' carrots, giving you the option to beat your brain into submission instead of just tweaking it.

In 2016 Mark Cuban called Pavlok "everything but a legitimate product" in what was probably one of the least successful Shark Tank appearances ever. But Medium's reporter seems convinced it's the appropriate response to this moment in time. "I only need to look at Twitter to feel that I'm being jolted awake with a powerful electrical shock...

"The real thing feels kind of appropriate."
China

Did A Chinese State-Sponsored Group Breach Taiwan's Semiconductor Industry? (arstechnica.com)

At the Black Hat security conference, researchers from the Taiwanese cybersecurity firm CyCraft revealed at least seven Taiwanese chip firms have been breached over the past two years, reports Wired: The series of deep intrusions — called Operation Skeleton Key due to the attackers' use of a "skeleton key injector" technique — appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company's new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom. "This is very much a state-based attack trying to manipulate Taiwan's standing and power," says Chad Duffy, one of the CyCraft researchers who worked on the company's long-running investigation...

The researchers found that, in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous....

Perhaps the most remarkable of those new clues came from essentially hacking the hackers. CyCraft researchers observed the Chimera group exfiltrating data from a victim's network and were able to intercept an authentication token from their communications to a command-and-control server. Using that same token, CyCraft's analysts were able to browse the contents of the cloud server, which included what they describe as a "cheat sheet" for the hackers, outlining their standard operating procedure for typical intrusions. That document was notably written in simplified Chinese characters, used in mainland China but not Taiwan...

"It's possible that what they're seeing is just a small fragment of a larger picture," says the director of Kaspersky's Global Research & Analysis Team, who tells Wired the group has also attacked telecoms, tech firms, and a broad range of other Taiwanese companies.

But in the same article one of CyCraft's researchers argues the group could be looking for even more exploits. "If you have a really deep understanding of these chips at a schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they even get released."
Google

Google Resumes Its Attack on the URL Bar, Hides Full Addresses on Chrome 86 (androidpolice.com)

An anonymous reader shares a report: Google has tried on and off for years to hide full URLs in Chrome's address bar, because apparently long web addresses are scary and evil. Despite the public backlash that came after every previous attempt, Google is pressing on with new plans to hide all parts of web addresses except the domain name in Chrome 86, this time accompanied by a hover animation. The new look builds upon the animation-less hover reveal that's already in testing, but in contrast to that method, the improved variant also displays the protocol and the subdomain, which remain invisible in the older version. That's achieved with a neat sliding animation that moves over the visible part of the URL to make space for the strings preceding it.
Android

Google Makes Building Android Apps on Chrome OS Easier (techcrunch.com)

Google today launched ChromeOS.dev, a new site that aims to help developers get started with building Android apps for the company's Linux-based operating system. With today's update, Google is also making it easier to build and test Android applications on Chromebooks. From a report: The new ChromeOS.dev site, which is available in English and Spanish for now, is meant to "help developers maximize their capabilities on the platform through technical resources/tutorials, product announcements, code samples and more," a Google spokesperson told us. As Google notes in today's announcement, Chromebook unit sales were up 127% year-over-year in the last quarter, compared to 40% for notebook sales in general. To help Android developers do all of their work on a Chromebook if they so desire, Google now offers the full Android Emulator on Chrome OS to test apps right on their Chromebooks. The team also made deploying apps on Chrome OS (M81 and newer) much easier. Developers can now deploy and test apps directly without having to use developer mode or connect devices via USB.
Chrome

Cluster of 295 Chrome Extensions Caught Hijacking Google and Bing Search Results (zdnet.com)

An anonymous reader writes: More than 80 million Chrome users have installed one of 295 Chrome extensions that have been identified to hijack and insert ads inside Google and Bing search results. The malicious extensions were discovered by AdGuard, a company that provides ad-blocking solutions, while the company's staff was looking into a series of fake ad-blocking extensions that were available on the official Chrome Web Store. AdGuard says that most of the extensions (245 out of the 295 extensions) were simplistic utilities that had no other function than to apply a custom background for Chrome's "new tab" page. In addition to the 295 cluster, AdGuard also found a large number of copycat extensions that cloned popular add-ons to capitalize on their brands, and then load malicious code that performed ad fraud or cookie stuffing. ZDNet has the full list of 295 Chrome extensions embedded in their article.
Chrome

Chrome for Android May Soon Send Notifications Reminding You To Use Chrome (9to5google.com)

An anonymous reader shares a report: For years now, Google Chrome has been an absolute dominant force in the world of web browsers, but since the relaunch of Microsoft Edge based on Google's Chromium, that position has been challenged. Now, Google is preparing to drive more Android owners back to using Chrome through targeted notifications. Over the admittedly brief history of the Internet, there have been a number of fierce competitions, commonly called "browser wars," between companies, in an effort to get more people to use their particular web browser. Mozilla and Netscape waged war against Internet Explorer, and Chrome fought and won against Firefox. Most recently, Microsoft Edge and Samsung Internet have begun to wage war against Chrome on desktop and Android respectively. Now, we've found that Google is preparing to try and win back some of those who have left Chrome for other browsers, starting on Android. Based on our reading of a series of code changes, we believe Google Chrome for Android will send you a notification if you haven't used Chrome in a while.
Chrome

Chrome and Edge Rise In Popularity. Firefox, Opera, and Safari Drop. (softpedia.com)

July's statistics from web analytics firm Net Applications showed continuing changes in the most frequently-used web browsers. Softpedia reports: Last month, Google Chrome increased its market share from 70.19% to 71.00%, while Microsoft Edge jumped from 8.07% to 8.46%... The migration to the Chromium engine allowed Microsoft to turn Edge into a cross-platform browser, and this is one of the reasons that contributed to the growth of the new app. Edge is now available not only on Windows 10, but also on Windows 7, Windows 8, Windows 8.1, and even macOS. At the same time, Microsoft is also working on a Linux version of the browser, and a preview build is expected by the end of the year.

But what made Microsoft Edge the second most-used desktop browser out there so fast after the switch to Chromium is definitely Microsoft offering it as the default browser in Windows 10.

But what about Firefox? And Opera, and Apple's Safari? Computerworld reports: A decade ago, Mozilla's browser may have dreamed of upsetting the then-order of things, taking its April 2010 share of 25.1% and parlaying it into victory over IE — down to 61.2% by then... But that was Firefox's peak.

At the end of July, Firefox stood at 7.3%, down three-tenths of a percentage point from the previous month... Firefox let its second-place spot (far, far behind Chrome) slip away in March, when Edge snatched it. That did not change in July. The gap between the two more than doubled, in fact, to 1.2 points. On almost every browser share metric, Firefox is in trouble... Since the end of January, Firefox has been stuck in the 7s; for the eight months before that, it was mired in the 8s; and between May 2018 and March 2019, Firefox floundered in the 9s. The trend is crystal clear...

Elsewhere in Net Applications' numbers, Apple's Safari plunged to 3%, a loss of six-tenths of a point, its lowest mark since late 2008. Opera software's Opera also took a dive, ending July at 0.8%, a decline of three-tenths of a point. Those numbers have to be frightening to both those browsers' makers.
