
Microsoft's Edge web browser comes with a hidden whitelist file designed to allow Facebook to circumvent the built-in click-to-play security policy and autorun Flash content without asking for user consent. According to the initial bug report filed by Google Project Zero's Ivan Fratric on November 26: "In Microsoft Windows, there is a file edgehtmlpluginpolicy.bin that contains the default whitelist of domains that can bypass Flash click2play and load Flash content without getting user confirmation in Microsoft Edge." The current version of the previously secret Edge whitelist only allows Facebook to bypass the Flash click-to-play policy on its facebook.com and apps.facebook.com domains; the policy is enforced for all domains not present on this list. In his bug report, the security researcher also highlighted the security implications of bundling a Flash autorun whitelist with a web browser, especially given the number of Flash security patches issued by Adobe almost every month. However, back in November, the security researcher initially found in the whitelist the SHA-256 hashes of 58 domains on Windows 10 v1803, which he was able to decrypt and obtain the names of 56 sites. The choice to encrypt the entries added to the whitelist and the decision to keep Facebook's domains whitelisted even after this month's Patch Tuesday are two other questions that only Microsoft can answer. While Microsoft has partially addressed the issue reported by Fratric back in November 2018, the security researcher is still dumbfounded by Redmond's choice to use a Flash whitelist in the first place. We have the contents of the hidden whitelist posted on OUR FORUM.

At the Galaxy Unpacked event, the South Korean smartphone maker Samsung announced the highly anticipated foldable phone, the Galaxy Fold. Samsung Galaxy Fold packs a large 7.3-inch Infinity Flex Display that allows the device to switch between the tablet and phone mode. At the event, Samsung showed off the Galaxy Fold switching flawlessly between phone and tablet mode. The foldable device can run three apps at once and Samsung’s app continuity system will adjust these apps when you unfold or fold the device. Samsung has worked with Google and the community developers to optimize the apps for its foldable phone. At the event, Samsung revealed that its Galaxy Fold device is configured to work with all popular apps and even the Microsoft Office suite. The software and hardware have been optimized to work with apps like Google Maps and WhatsApp, as well as the Microsoft Office productivity suite. Microsoft Office apps have been specially adapted to work with the 7.3-inch display and will be able to adjust the interface quickly when you move between the two form factors. Samsung’s first foldable is simply called the Galaxy Fold. It has a 7.3-inch Infinity Flex screen when opened and it switches to a 4.6-inch screen when it’s folded. The resolution of the giant display is 1536 x 2152 and it reduces to 840 x 1960 when it’s folded. Samsung Galaxy Fold uses two batteries and while they are separated by the fold, they are combined when you boot the operating system. Full details can be found on OUR FORUM.

Microsoft will begin rolling out SHA-2 standalone updates for Windows 7 and Windows Server 2008 in March in preparation for its July 16 implementation deadline. Windows 7 and Windows Server 2008 users need to have SHA-2 code-signing support installed by July 16, 2019, in order to continue to get Windows updates after that date. Microsoft issued that warning on February 15 via a Support article. Windows operating system updates are dual-signed using both the SHA-1 and SHA-2 hash algorithms to prove authenticity. But going forward, due to "weaknesses" in SHA-1, Microsoft officials have said previously that Windows updates will be using the more secure SHA-2 algorithm exclusively. Customers running Windows 7 SP1, Windows Server 2008 R2 SP1 and Windows Server 2008 SP2 must have SHA-2 code-signing support installed by July 2019, Microsoft officials have said. Microsoft has published a timeline for migrating these operating systems to SHA-2, with support for the algorithm coming in standalone updates. On March 12, Microsoft is planning a standalone update with SHA-2 code sign support for Windows 7 SP1 and Windows Server 2008 R2 SP1. It also will deliver to WSUS 3.0 SP2 the required support for delivering SHA-2 updates. Microsoft will make available a standalone update with SHA-2 code sign support for Windows Server 2008 SP2 on April 9, 2019. Learn more by visiting OUR FORUM.

Facebook deliberately broke privacy and competition law and should urgently be subject to statutory regulation, according to a devastating parliamentary report denouncing the company and its executives as “digital gangsters”. The final report of the Digital, Culture, Media and Sport select committee’s 18-month investigation into disinformation and fake news accused Facebook of purposefully obstructing its inquiry and failing to tackle attempts by Russia to manipulate elections. “Democracy is at risk from the malicious and relentless targeting of citizens with disinformation and personalized ‘dark adverts’ from unidentifiable sources, delivered through the major social media platforms we use every day,” warned the committee’s chairman, Damian Collins. Labour moved quickly to endorse the committee’s findings, with the party’s deputy leader, Tom Watson, announcing: “Labour agrees with the committee’s ultimate conclusion – the era of self-regulation for tech companies must end immediately. “We need new independent regulation with tough powers and sanctions regime to curb the worst excesses of surveillance capitalism and the forces trying to use technology to subvert our democracy.” The culture secretary, Jeremy Wright, who is to meet Zuckerberg this week to discuss harms resulting from social media, will likely come under pressure to raise the committee’s concerns with the Facebook chief executive directly. Launched in 2017 as concern grew about the influence of false information and its ability to spread unscrutinized on social media, the inquiry was turbocharged in March the following year, with the Cambridge Analytica data-harvesting scandal. There's more posted on OUR FORUM.

New York resident Jay Brodsky has filed a class action lawsuit against Apple, claiming that the company forces users into a two-factor authentication (2FA) straitjacket that they can’t shrug off, that it takes up to five minutes each time users have to enter a 2FA code, and that the time suck is causing “economic losses” to him and other Apple customers. The lawsuit, filed on Friday in Newport Beach, California, is accusing Apple of “trespass,” based on Apple’s “locking [Brodsky] out” of his devices by requiring 2FA that allegedly can’t be disabled after two weeks. The reference to two weeks comes from a support email that Apple sometimes sends out to Apple ID owners after it enables 2FA. That email contains what the lawsuit claims, with italicized emphasis, is an unobtrusive last line that says that owners have two weeks to opt out of 2FA and go back to their previous security settings. The suit claims that around September 2015, Brodsky’s Apple devices – including an iPhone and two MacBooks – were updated to have 2FA turned on, “without [his] knowledge or consent,” thus “[locking] up access” to Brodsky’s own devices and making them “inaccessible for intermittent periods of time.” Apple is causing injury to class members by “intermeddling” with the use of their devices and not letting them choose their own security level or “freely enjoy and use” their gadgets, the suit claims. Also, by “injecting itself in the process by requiring extra logging steps,” Apple is allegedly violating California’s Invasion of Privacy Act – Section 637.2 of the California Penal Code. A third count is allegedly violating California Penal Code section 502: California’s Computer Crime Law (CCL). A fourth count is that Apple allegedly violates the Computer Fraud and Abuse Act (CFAA) by accessing people’s devices without authorization. Follow this on OUR FORUM.

It’s time to step up your boom, Agents! Crackdown 3 is now available with Xbox Game Pass on both Xbox One and Windows 10 PC. In the latest entry in the Crackdown franchise, longtime fans will feel right at home in the quest to take back New Providence from the cruel and corrupt TerraNova Corporation. Crackdown 3 is all about over-the-top fun, tons of explosions, and punching the baddies right in the face. You’ll need to deploy everything in your arsenal, whether it’s collecting those iconic green agility orbs to run faster and jump higher, knocking some heads together to increase strength, or causing an endless amount of mayhem and destruction against your enemies with unique and bombastic weapons at your disposal to build your firearm skill. Did we mention Oblivion? Just a fun little gadget that shoots a black hole at enemies. No big deal. Crackdown has always been about freedom and this holds especially true in Crackdown 3. Right from the start, you choose how you want to free the city. There are 21 playable Agents to select from – including the man, the myth, the legend, the one and only Terry Crews as Commander Isaiah Jaxon. If you feel lucky, you can take on final boss Elizabeth Niemand right from the start or soften up her defenses by eliminating her lieutenants. That sense of freedom applies to choosing your Agent as well. Each Agent has specific attributes that boost skills faster. Want to quickly unlock all of the Agency Vehicle forms? Pick an Agent who specializes in Driving and sideswipe your foes off the road. And with Agent saves separate from world saves, you can switch out your Agent based on the challenge at hand. Agents can take on TerraNova alone or jump in with a friend in two-player co-op via Xbox Live for double the trouble! There is more posted on OUR FORUM.

 
