darthcamaro writes "Though IE, Chrome and Safari were all attacked and all were exploited, no single web browser was exploited at this year's Pwn2own hacking challenge as Mozilla Firefox. A fully patched version of Firefox was exploited four different times by attackers, each revealing new zero-day vulnerabilities in the open-source web browser. When asked why Mozilla was attacked so much this year, Sid Stamm, senior engineering manager of security and privacy said, 'Pwn2Own offers very large financial incentives to researchers to expose vulnerabilities, and that may have contributed in part to the researchers' decision to wait until now to share their work and help protect Firefox users.' The Pwn2own event paid researchers $50,000 for each Firefox vulnerability. Mozilla now pays researcher only $3,000 per vulnerability."
Catch up on stories from the past week (and beyond) at the Slashdot story archive
theodp writes "A conversation with an angry young developer prompts Microsoft Program Manager Scott Hanselman to blog about 'Microsoft Haters: The Next Generation.' 'The ones I find the most interesting,' says Hanselman, are the 'Microsoft killed my Pappy' people, angry with generational anger. My elders hated Microsoft so I hate them. Why? Because, you wronged me.' The U.S. and Japan managed to get over the whole World War II thing, Hanselman notes, so why can't people manage to get past the Microsoft antitrust thing, which was initiated in 1998 for actions in 1994? 'At some point you let go,' he suggests, 'and you start again with fresh eyes.' Despite the overall good-humored, why-can't-we-get-along tone of his post, Hanselman can't resist one dig that seems aimed at putting things into perspective for those who would still Slashdot like it's 1999: 'I wonder if I can swap out Chrome from Chrome OS or Mobile Safari in iOS.'"
darthcamaro writes "The annual Pwn2own hacking competition has always made short work of all browser vendors' security, shredding perception of safety by hacking IE, Firefox, Safari and Chrome in minutes. This year the competition is adding a twist — for IE on Windows 8.1, hackers will also have to bypass Microsoft EMET, which is a seemingly bulletproof type of sandbox. The competition is calling this the 'Unicorn Exploit' and the first researcher to successful exploit it will pocket $150,000."
mikejuk writes "Google and Opera split from WebKit to create Blink, their own HTML rendering engine, and everyone was worried about the effect on standards. Now we have the first big example of a split in the form of CSS Regions support. Essentially Regions are used to provide the web equivalent of text flow, a concept very familiar to anyone who has used a desktop publishing program. The basic idea is that you define containers for a text stream which is then flowed from one container to another to provide a complex multicolumn layout. The W3C standard for Regions has mostly been created by Adobe — a long time DTP company. Now the Blink team has proposed removing Regions support to save 10,000 lines of code in 350,000 in the name of efficiency. If Google does remove the Regions code, which looks highly likely, this would leave Safari and IE 10/11 as the only two major browsers to support Regions. Both Apple and Microsoft have an interest in ensuring that their hardware can be used to create high quality magazine style layouts — Google and Opera aren't so concerned. I thought standards were there to implement not argue with." Although mikejuk thinks this is a bad thing, a lot of people think CSS Regions are awful. Mozilla has never intended to implement them, instead offering the CSS Fragmentation proposal as an alternative. One major flaw of CSS Regions is its reliance upon markup that is used solely for layout, violating the separation of content and style that CSS is intended to enforce.
judgecorp writes "In the latest twist to the saga of Google's tracking of Safari users, the tech giant has asked to have a U.K. lawsuit dismissed. Google says it is bound by California laws, so plaintiffs will have to come to the U.S. and sue there. Law firm Olswang is bringing the suit on behalf of British users whose Safari browser settings were overridden to help Google target ads; it argues that international organizations should respect the laws that apply where their customers live."
msm1267 writes "Users of Apple's Safari browser are at risk for information loss because of a feature common to most browsers that restores previous sessions. The problem with Safari is that it stores session information including authentication credentials used in previous HTTPS sessions in a plaintext XML file called a Property list, or plist, file. The plist files, a researcher with Kaspersky Lab's Global Research and Analysis Team said, are stored in a hidden folder, but hiding them in plain sight isn't much of a hurdle for a determined attacker. 'The complete authorized session on the site is saved in the plist file in full view despite the use of https,' said researcher Vyacheslav Zakorzhevsky on the Securelist blog. 'The file itself is located in a hidden folder, but is available for anyone to read.'"
Hugh Pickens DOT Com writes "BBC reports that Chinese web users are criticizing Apple after the company pulled a free iPhone app called OpenDoor, which enables users to bypass firewalls and access restricted internet sites. The developers of OpenDoor — who wish to remain anonymous — told Radio Netherlands that Apple removed the app because it 'includes content that is illegal in China.' 'It is unclear to us how a simple browser app could include illegal contents, since it's the user's own choosing of what websites to view,' say the developers. 'Using the same definition, wouldn't all browser apps, including Apple's own Safari and Google's Chrome, include illegal contents?' Chinese internet users were disappointed by the move by Apple. Zhou Shuguang, a prominent Chinese blogger and citizen journalist, told U.S.-based Radio Free Asia that Apple had taken away one of the tools which internet users in China relied on to circumvent the country's great firewall. 'Apple is determined to have a share of the huge cake which is the Chinese internet market. Without strict self-censorship, it cannot enter the Chinese market,' says one Chinese user disappointed by the move by Apple."
jones_supa writes "One day web developer Elliott Kember decided to switch from Safari to Chrome and in the process, discovered possibly a serious weakness with local password management in Chrome. The settings import tool forced the passwords to be always imported, which lead Kember to further investigate how the data can be accessed. For those who actually bother to look at the 'Saved passwords' page, it turns out that anyone with physical access can peek all the passwords in clear text very easily with a couple of mouse clicks. This spurred a lengthy discussion featuring Justin Schuh, the head of Chrome security, who says Kember is wrong and that this behavior of Chrome has been evaluated for years and is not going to change."
An anonymous reader writes "A new piece of malware is targeting OS X to extort money from victims by accusing them of illegally accessing pornography. Ransomware typically uses claims of breaking the law and names law enforcement (such as the CIA or FBI) to scare victims, but it is usually aimed at Windows users, not Mac users. The security firm Malwarebytes first spotted this latest threat, noting that criminals have ported the ransomware scheme to OS X and are even exploiting a Safari-specific feature. The ransomware page in question gets pushed onto unsuspecting users browsing high-trafficked sites as well as when searching for popular keywords."
CowboyRobot writes "Despite strong advertising industry opposition, Mozilla is advancing plans to have the Firefox browser block, by default, many types of tracking used by numerous websites, and especially advertisers. 'We're trying to change the dynamic so that trackers behave better,' Brendan Eich, CTO of Firefox developer Mozilla, told The Washington Post. According to NetMarketShare, 21% of the world's computers run Firefox. Eich said the blocking technology, which is still being refined, will go live in the next few months. The blocking technology is based on that used by Apple's Safari browser, which blocks all third-party cookies. Advertisers use these types of cookies to track users across multiple websites. Mozilla's cookie-blocking efforts follow a Do Not Track capability being adopted by all major browsers. But the DNT effort stalled in November 2012, after advertisers stopped participating in the program, following Microsoft making DNT active by default in Internet Explorer 10. Advertisers wanted the feature to be not active by default."
First time accepted submitter carlypage3 writes "Benefits claimants in the UK are being forced to use Microsoft's now obsolete Windows XP and Internet Explorer 6 software. The Department of Work and Pensions (DWP) states that its online forms are not compatible with Internet Explorer 7, 8, 9 and 10, Safari, Google Chrome or Firefox. As if that wasn't unnerving enough, the Gov.UK website says that users cannot submit claims using Mac OS X or Linux operating systems, either." (Note: as we noted not long ago, it's not just the DWP that's stuck using IE6.)
AmiMoJo writes "It looks like Mozilla are finally going to remove the much hated blink tag from the Gecko rendering engine that powers Firefox. Work to remove support for the tag, which was always non-standard and is not supported by the most popular HTML layout engines WebKit and Blink (Chrome, Safari, Opera, Android), is progressing and should show up in a future version of the browser." A comment attached to the discussion of this (not completed) move points out the odd possibility that Google's new Blink rendering engine may feature the blink tag via CSS animation, which would be "hilarious/awesome."
An anonymous reader writes "A new trojan specifically for Macs has been discovered that installs an adware plugin. The malware attempts to monetize its attack by injecting ads into Chrome, Firefox, and Safari (the most popular browsers on Apple's desktop platform) in the hopes that users will generate money for its creators by viewing (and maybe even clicking) them. The threat, detected as "Trojan.Yontoo.1" by Russian security firm Doctor Web, is part of a wider scheme of adware for OS X that has "been increasing in number since the beginning of 2013," according to the company."
Freshly Exhumed writes with an "inconvenient truth" as reported at Internet News: "Google Chrome running Chrome OS was hailed as being a survivor in the Pwnium/Pwn2own event that hacked IE, Firefox and Chrome browsers on Windows. Apple's Safari running on Mac OS X was not hacked and neither (apparently) was Chrome on Chrome OS. Google disclosed [Monday] morning that Chrome on Chrome OS had in fact been exploited — albeit, unreliably. The same researcher that took Google's money last year for exploiting Chrome, known publicly only as 'PinkiePie' was awarded $40,000 for exploiting Chrome/Chrome OS via a Linux kernel bug, config file error and a video parsing flaw." Asks Freshly Exhumed: "So, was it really Google Chrome, or was Linux to blame?"
New submitter jgb writes "WebKit is, now that Opera decided to join the project, in the core of three of the five major web browsers: Apple's Safari, Google's Chromium and Opera. Therefore, WebKit is also a melting pot for many corporate interests, since several competing companies (not only Google and Apple, but also Samsung, RIM, Nokia, Intel and many others) are finding ways of collaborating in the project. All of this makes fascinating the study of how they are contributing to the project. Some weeks ago, a study showed how they were submitting contributions to the code base. Now another one uncovers how they are reviewing those submitted contributions. As expected, most of the reviews during the whole life of the project were done by Apple, with Google as a close second. But things have changed dramatically during the last few years. In 2012, Google is a clear first, reviewing about twice as much (50%) as Apple (25%). RIM (7%) and Nokia (5%) are also relevant reviewers. Code review is very important in WebKit's development process, with reviewers acting as a sort of gatekeepers, deciding which changes make sense, and when they are conforming to the project practices and quality standards. In some sense, review activity reflects the responsibility each company is taking on how WebKit evolves. In some sense, the evolution over time for this activity by the different companies tells the history of how they have been shaping the project."
Dystopian Rebel writes "A Stanford comp-sci student has found a serious bug in Chromium, Safari, Opera, and MSIE. Feross Aboukhadijeh has demonstrated that these browsers allow unbounded local storage. 'The HTML5 Web Storage standard was developed to allow sites to store larger amounts of data (like 5-10 MB) than was previously allowed by cookies (like 4KB). ... The current limits are: 2.5 MB per origin in Google Chrome, 5 MB per origin in Mozilla Firefox and Opera, 10 MB per origin in Internet Explorer. However, what if we get clever and make lots of subdomains like 1.filldisk.com, 2.filldisk.com, 3.filldisk.com, and so on? Should each subdomain get 5MB of space? The standard says no. ... However, Chrome, Safari, and IE currently do not implement any such "affiliated site" storage limit.' Aboukhadijeh has logged the bug with Chromium and Apple, but couldn't do so for MSIE because 'the page is broken" (see http://connect.microsoft.com/IE). Oops. Firefox's implementation of HTML5 local storage is not vulnerable to this exploit."
Orome1 writes "Adobe has pushed out an emergency Flash update that solves two critical vulnerabilities (CVE-2013-0633 and CVE-2013-0634) that are being actively exploited to target Windows and OS X users, and is urging users to implement it as soon as possible. According to a security bulletin released on Thursday, the OS X exploit targets Flash Player in Firefox or Safari via malicious Flash content hosted on websites, while Windows users are targeted with Microsoft Word documents delivered as an email attachments which contain malicious Flash content. Adobe has also announced its intention of adding new protections against malicious Flash content embedded in Microsoft Office documents to its next feature release of Flash Player."
theodp writes "Earlier this week, hackers gained access to Twitter's internal systems and stole information, compromising 250,000 Twitter accounts before the breach was stopped. Reporting the incident on the company's official blog, Twitter's manager of network security did not specify the method by which hackers penetrated its system, but mentioned vulnerabilities related to Java in Safari and Firefox, and echoed Homeland Security's advisory that users disable Java in their browsers. Sure, blame everything on Larry Ellison. Looks like bad things do happen in threes — Twitter's report comes on the heels of disclosures of hacking attacks on the WSJ and NY Times."
Dupple writes "After settling with the FTC, Google is under pressure again regarding user privacy. From the BBC: 'A group of Apple's Safari web browser users has launched a campaign against Google over privacy concerns. They claim that Google bypassed Safari's security settings to install cookies which tracked their movements on the internet. Between summer 2011 and spring 2012 they were assured by Google this was not the case, and believed Safari's settings to be secure. Judith Vidal-Hall, former editor of Index On Censorship magazine, is the first person in the UK to begin legal action. 'Google claims it does not collect personal data but doesn't say who decides what information is "personal,"' she said. 'Whether something is private or not should be up to the internet surfer, not Google. We are best placed to decide, not them.'"