Chrome

Google Delays the Death of Manifest V2 Extensions To 2024 (ghacks.net)

AmiMoJo writes: Google announced an extension of the deadline to remove support for Manifest V2 extensions in the company's Chrome browser and the open source Chromium core. The change does not impact the core decision of removing support for Manifest V2 extensions in favor of Manifest V3. Manifest V3 was initially dubbed the adblocker killer, due to limitations imposed on content blocking and other types of browser extensions, but Google made concessions that allow content blockers to run on Chrome after the final switch is made. Extensions are still limited in comparison to Manifest V2, especially if multiple extensions that use filtering functionality are run simultaneously, or if lots of filters are activated in a single extension. Google's initial plan was to stop supporting Manifest V2 extensions in Chrome by June 2023. For most users, support would run out in January 2023, but an Enterprise policy would enable users to extend the deadline by six months.
IT

Cloudflare Wants To Replace CAPTCHAs With Turnstile (techcrunch.com)

Ahead of its Connect conference in October, Cloudflare this week announced an ambitious new project called Turnstile, which seeks to do away with the CAPTCHAs used throughout the web to verify people are who they say they are. From a report: Available to site owners at no charge, Cloudflare customers or no, Turnstile chooses from a rotating suite of "browser challenges" to check that visitors to a webpage aren't, in fact, bots. CAPTCHAs, the challenge-response tests most of us have encountered when filling out forms, have been around for decades, and they've been relatively successful at keeping bot traffic at bay. But the rise of cheap labor, bugs in various CAPTCHA flavors and automated solvers have begun to poke holes in the system. Several websites offer human- and AI-backed CAPTCHA-solving services for as low as $0.50 per thousand solved CAPTCHAs, and some researchers claim AI-based attacks can successfully solve CAPTCHAs used by the world's most popular websites.

Cloudflare itself was once a CAPTCHA user. But according to CTO John Graham-Cumming, the company was never quite satisfied with it -- if Cloudflare's public rallying cries hadn't made that clear. In a conversation with TechCrunch, Graham-Cumming listed what he sees as the many downsides of CAPTCHA technology, including poor accessibility (visual disabilities can make it impossible to solve a CAPTCHA), cultural bias (CAPTCHAs assume familiarity with objects like U.S. taxis) and the strains that CAPTCHAs place on mobile data plans. [...] Turnstile automatically chooses a browser challenge based on "telemetry and client behavior exhibited during a session," Cloudflare says, rather than factors like login cookies. After running non-interactive JavaScript challenges to gather signals about the visitor and browser environment and using AI models to detect features and visitors who've passed a challenge before, Turnstile fine-tunes the difficulty of the challenge to the specific request -- avoiding having users solve a puzzle.

The Courts

Meta Sued For Skirting Apple Privacy Rules To Snoop On Users (bloomberg.com)

An anonymous reader quotes a report from Bloomberg: Meta was sued for allegedly building a secret work-around to safeguards that Apple launched last year to protect iPhone users from having their internet activity tracked. In a proposed class-action complaint filed Wednesday in San Francisco federal court, two Facebook users accused the company of skirting Apple's 2021 privacy rules and violating state and federal laws limiting the unauthorized collection of personal data. A similar complaint was filed in the same court last week. The suits are based on a report by data privacy researcher Felix Krause, who said that Meta's Facebook and Instagram apps for Apple's iOS inject JavaScript code onto websites visited by users. Krause said the code allowed the apps to track "anything you do on any website," including typing passwords.

According to the suits, Meta's collection of user data from the Facebook app helps it circumvent rules instituted by Apple in 2021 requiring all third-party apps to obtain consent from users before tracking their activities, online or off. Meta has said it expected to miss out on $10 billion in ad revenue in 2022 because of Apple's changes. The Facebook app gets around Apple privacy rules by opening web links in an in-app browser, rather than the user's default browser, according to Wednesday's complaint. "This allows Meta to intercept, monitor and record its users' interactions and communications with third parties, providing data to Meta that it aggregates, analyzes, and uses to boost its advertising revenue," according to the suit.
A Meta spokesperson said the allegations are "without merit" and the company will defend itself. "We have designed our in-app browser to respect users' privacy choices, including how data may be used for ads," the company said in an emailed statement.

Mozilla

Mozilla Urges Action To Unpick Platform Browser Lock-ins (techcrunch.com)

As antitrust regulators around the world dial up scrutiny of platform power, Mozilla has published a piece of research digging into the at times subtle yet always insidious ways operating systems exert influence to keep consumers locked to using their own-brand browsers rather than seeking out and switching to independent options -- while simultaneously warning that competition in the browser market is vital to ensure innovation and choice for consumers and, more broadly, protect the vitality of the open web against the commercial giants trying to wall it up. TechCrunch: "Billions of people across the globe are dependent on operating systems from the largest technology companies. Amazon, Apple, Google, Microsoft and Meta each provide their own browser on their operating systems and each of them uses their gatekeeper position provider to preference their own browsers over independent rivals. Whether it is Microsoft pushing Firefox users to switch their default on Windows computers, Apple restricting the functionality of rival browsers on iOS smartphones or Google failing to apply default browser settings across Android, there are countless examples of independent browsers being inhibited by the operating systems on which they are dependent," Mozilla writes in a summary of its findings. "This matters because American consumers and society as a whole suffer. Not only do people lose the ability to determine their own online experiences but they also receive less innovative and lower quality products. In addition, they can be forced to accept poorer privacy outcomes and even unfair contracts. By contrast, competition from independent browsers can help to drive new features, as well as innovation in areas like privacy and security."

Mozilla

Mozilla: YouTube's Dislike Button Largely Fails To Stop Unwanted Recommendations (mozilla.org)

AmiMoJo shares a report from the Mozilla Foundation: YouTube's user controls -- buttons like "Dislike" and "Not interested" -- largely fail to help users avoid unwanted recommendations like misinformation and violent content, according to new research by Mozilla. An accompanying survey also found that YouTube's controls routinely frustrate and confuse users. Indeed, Mozilla's research found that people who are experiencing unwanted recommendations and turn to the platform's user controls for assistance prevent less than half of unwanted recommendations.

This is especially troubling because Mozilla's past research shows that YouTube recommends videos that violate its very own community guidelines, like misinformation, violent content, hate speech, and spam. For example, one user in this most recent research asked YouTube to stop recommending war footage from Ukraine -- but shortly after was recommended even more grisly content from the region. The study, titled "Does This Button Work? Investigating YouTube's ineffective user controls" is the culmination of months of rigorous qualitative and quantitative research. The study was made possible by the data of more than 20,000 participants who used Mozilla's RegretsReporter browser extension, and by data about more than 500 million YouTube videos.

These are the top findings, as highlighted in the report: People don't trust YouTube's user controls. More than a third (39.3%) of people surveyed felt YouTube's user controls did not impact their recommendations at all, and 23% felt the controls had a mixed response. Said one interviewee: "Nothing changed. Sometimes I would report things as misleading and spam and the next day it was back in [...] Even when you block certain sources they eventually return."

People take matters into their own hands. Our study found that people did not always understand how YouTube's controls affect their recommendations, and so took a jury-rigged approach instead. People will log out, create new accounts, or use privacy tools just to manage their YouTube recommendations. Said one user: "When the Superbowl came around ... if someone recommended a particular commercial, I used to log out of YouTube, watch the commercial, and then log back in."

The data confirms people are right. The most "effective" user control was "Don't recommend channel," but compared to users who do not make use of YouTube's user controls, only 43% of unwanted recommendations are prevented -- and recommendations from the unwanted channel sometimes persist. Other controls were even less effective: The "Not Interested" tool prevented only 11% of unwanted recommendations.

YouTube can fix this problem. YouTube has the power to confront this issue and do a better job at enabling people to control their recommendations. Our research outlines several concrete suggestions to put people back into the driver's seat, like making YouTube's controls more proactive, allowing users to shape their own experience; and giving researchers increased access to YouTube's API and other tools.

Further reading: YouTube Targets TikTok With Revenue Sharing For Shorts, Partner Program Expansion

Microsoft

Microsoft Commits To Updating Windows 11 Once Per Year, and Also All the Time (arstechnica.com)

An anonymous reader shares a report: When ArsTechnica reviewed Windows 11 last fall, one of its biggest concerns was that it would need to wait until the fall of 2022 to see changes or improvements to its new -- and sometimes rough -- user interface. Nearly a year later, it's become abundantly clear that Microsoft isn't holding back changes and new apps for the operating system's yearly feature update. One notable smattering of additions was released back in February alongside a commitment to "continuous innovation." Other, smaller updates before and since (not to mention the continuously updated Microsoft Edge browser) have also emphasized Microsoft's commitment to putting out new Windows features whenever they're ready.

There's been speculation that Microsoft could be planning yet another major shake-up to Windows' update model, moving away from yearly updates that would be replaced by once-per-quarter feature drops, allegedly called "Moments" internally. These would be punctuated by larger Windows version updates every three years or so. As part of the PR around the Windows 11 2022 Update (aka Windows 11 22H2), the company has made clear that none of this is happening. "Windows 11 will continue to have an annual feature update cadence, released in the second half of the calendar year that marks the start of the support lifecycle," writes Microsoft VP John Cable, "with 24 months of support for Home and Pro editions and 36 months of support for Enterprise and Education editions." These updates will include their own new features and changes, as the 2022 Update does, but you'll also need to have the latest yearly update installed to continue to get additional feature updates via Windows Update and the Microsoft Store. As for the Windows 12 rumors, Microsoft simply told Ars it has "no plans to share today." This stance leaves the company plenty of room to change its plans tomorrow or any day after that. But we can safely say that a new numbered version of Windows won't happen in the near future. For smaller changes that aren't delivered as part of a yearly feature update or via a Microsoft Store update, Microsoft will use something called Controlled Feature Rollout (CFR) to test features with a subset of Windows users rather than delivering them to everyone all at once.

Security

Microsoft Teams Stores Auth Tokens As Cleartext In Windows, Linux, Macs (bleepingcomputer.com)

Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. BleepingComputer reports: "This attack does not require special permissions or advanced malware to get away with major internal damage," Connor Peoples at cybersecurity company Vectra explains in a report this week. The researcher adds that by taking "control of critical seats -- like a company's Head of Engineering, CEO, or CFO -- attackers can convince users to perform tasks damaging to the organization." Vectra researchers discovered the problem in August 2022 and reported it to Microsoft. However, Microsoft did not agree on the severity of the issue and said that it doesn't meet the criteria for patching.

With a patch unlikely to be released, Vectra's recommendation is for users to switch to the browser version of the Microsoft Teams client. By using Microsoft Edge to load the app, users benefit from additional protections against token leaks. The researchers advise Linux users to move to a different collaboration suite, especially since Microsoft announced plans to stop supporting the app for the platform by December.

Chrome

Google Chrome Emergency Update Fixes New Zero-Day Used in Attacks (bleepingcomputer.com)

Google has released Chrome 105.0.5195.102 for Windows, Mac, and Linux users to address a single high-severity security flaw, the sixth Chrome zero-day exploited in attacks patched this year. From a report: "Google is aware of reports that an exploit for CVE-2022-3075 exists in the wild," the company said in a security advisory published on Friday. This new version is rolling out in the Stable Desktop channel, with Google saying that it will reach the entire user base within a matter of days or weeks. It was available immediately when BleepingComputer checked for new updates by going into the Chrome menu > Help > About Google Chrome. The web browser will also auto-check for new updates and automatically install them after the next launch.

Chrome

Chrome Extensions With 1.4M Installs Covertly Track Visits and Inject Code (arstechnica.com)

Google has removed browser extensions with more than 1.4 million downloads from the Chrome Web Store after third-party researchers reported they were surreptitiously tracking users' browsing history and inserting tracking code into specific ecommerce sites they visited. ArsTechnica: The five extensions flagged by McAfee purport to offer various services, including the ability to stream Netflix videos to groups of people, take screenshots, and automatically find and apply coupon codes. Behind the scenes, company researchers said, the extensions kept a running list of each site a user visited and took additional actions when users landed on specific sites. The extensions sent the name of each site visited to the developer-designated site d.langhort.com, along with a unique identifier and the country, city, and zip code of the visiting device. If the site visited matched a list of ecommerce sites, the developer domain instructed the extensions to insert JavaScript into the visited page. The code modified the cookies for the site so that the extension authors receive affiliate payment for any items purchased. To help keep the activity covert, some of the extensions were programmed to wait 15 days after installation before beginning the data collection and code injection.

The Internet

Why a Pixar-Invented Protocol Is the 'HTML of the Metaverse' (roadtovr.com)

An anonymous reader quotes a report from Road to VR: NVIDIA, one of the tech sector's power players, is pushing the Universal Scene Description protocol as the foundation of interoperable content and experiences in the metaverse. In a recent post the company explains why it believes the protocol, originally invented by Pixar, fits the needs of the coming metaverse. Though the word metaverse is presently being used as a catchall for pretty much any multi-user application these days, the truth is that the vast majority of such platforms are islands unto themselves that have no connectivity to virtual spaces, people, or objects on other platforms. The 'real' metaverse, most seem to agree, must have at least some elements of interoperability, allowing users to seamlessly move from one virtual space to the next, much like we do today on the web. To that end, Nvidia is pushing Universal Scene Description (USD) as the "HTML of the metaverse," the company described in a recent post.

Much like HTML forms a description of a webpage -- which can be hosted anywhere on the internet -- and is retrieved and rendered locally by a web browser, USD is a protocol for describing complex virtual scenes which can be retrieved and rendered to varying degrees depending upon local hardware capabilities. With a 'USD browser' of sorts, Nvidia is suggesting that USD could be the common method by which virtual spaces are defined in a way that's easy for anyone to decipher and render. "[USD] includes features necessary for scaling to large data sets like lazy loading and efficient retrieval of time-sampled data," [write Nvidia's Rev Lebaredian and Michael Kass]. "It is tremendously extensible, allowing users to customize data schemas, input and output formats, and methods for finding assets. In short, USD covers the very broad range of requirements that Pixar found necessary to make its feature films."

Indeed, CGI pioneer Pixar created USD to make collaboration on complex 3D animation projects easier. The company open-sourced the protocol back in 2015. USD is more than just a file format for 3D geometry. Not only can USD describe a complex scene with various objects, textures, and lighting, it can also include references to assets hosted elsewhere, property inheritance, and layering functionality which allows non-destructive editing of a single scene with efficient asset re-use. While Nvidia thinks USD is the right starting point for an interoperable platform, the company also acknowledges that "USD will need to evolve to meet the needs of the metaverse." On that front the company laid out a fairly extensive roadmap of features that it's working on for USD to successfully serve as the foundation of the metaverse.
The newly formed Metaverse Standards Forum, of which Nvidia and thousands of other companies are members, has also pointed to USD as a promising foundation for interoperable virtual spaces and experiences.

Chromium

Debian Replaces Google with DuckDuckGo as Chromium's Default Search Engine (itsfoss.com)

An anonymous reader quotes a story from the Linux/Open Source news site It's FOSS: While Firefox is still the default web browser in Debian, you can find the Chromium browser in the repositories. Chromium is the open source project upon which Google has built its Chrome web browser. It is also preferred by many Linux users as it provides almost the same features as Google Chrome.

Earlier, Chromium used Google as the default search engine in Debian. However, Debian is going to use DuckDuckGo as the default search engine for Chromium.

It all started when bug report #956012 was filed in April 2020, stating to use DuckDuckGo as the default search engine for the Chromium package. You can see the decision was not taken in any hurry, as the maintainers took more than two years to close the bug report.

The reason for the change goes as stated in the official package update announcement.

Change default search engine to DuckDuckGo for privacy reasons. Set a different search engine under Settings -> Search Engine (closes: #956012).

Privacy

Google Tracks 39 Types of Personal Data, Apple Tracks 12 (appleinsider.com)

New research claims that of five major Big Tech firms, Google tracks more private data about users than any other -- and Apple tracks the least. AppleInsider reports: Apple has previously introduced App Tracking Transparency specifically to protect the privacy of users from other companies. However, a new report says that Apple is also avoiding doing any more tracking itself than is needed to run its services. According to StockApps.com, Apple "is the most privacy-conscious firm out there." "Apple only stores the information that is necessary to maintain users' accounts," it continues. "This is because their website is not as reliant on advertising revenue as are Google, Twitter, and Facebook."

The StockApps.com report does not list what it describes as the "data points" that Big Tech firms collect for every user. However, it says they include location details, browser history, activity on third-party websites, and in Google's case, also emails in Gmail. It also doesn't detail its methodology, but does say that it used marketing firm digitalinformationworld to investigate Apple, Amazon, Facebook, Google, and Twitter. Of these five, Google reportedly tracks 39 separate data points per user, while Apple tracks only 12. Unexpectedly, Facebook is stated as tracking only 14 data points, while Amazon tracks 23, and Twitter tracks 24.

Security

Hackers Are Stealing Session Cookies To Bypass Multi-factor Authentication (esecurityplanet.com)

Slashdot reader storagedude writes: Hackers are stealing cookies from current or recent web sessions to bypass multi-factor authentication (MFA), according to an eSecurity Planet report.

The attack method, reported by Sophos researchers, is already growing in use. The "cookie-stealing cybercrime spectrum" is broad, the researchers wrote, ranging from "entry-level criminals" to advanced adversaries, using various techniques.

Cybercriminals collect cookies or buy stolen credentials "in bulk" on dark web forums. Ransomware groups also harvest cookies and "their activities may not be detected by simple anti-malware defenses because of their abuse of legitimate executables, both already present and brought along as tools," the researchers wrote.

Browsers allow users to maintain authentication, remember passwords and autofill forms. That might seem convenient, but attackers can exploit this functionality to steal credentials and skip the login challenge.

Behind the scenes, browsers use SQLite database files that contain cookies. These cookies are composed of key-value pairs, and the values often contain critical information such as tokens and expiration dates.

Adversaries know the exact name and location of these files for all major browsers such as Chrome, Firefox, and even Brave, on various operating systems. That's why the attack can be scripted. It's not uncommon to find such scripts along with other modules in info-stealing and other malware.

For example, the latest version of the Emotet botnet targets cookies and credentials stored by browsers, which include saved credit cards. According to the Sophos researchers, "Google's Chrome browser uses the same encryption method to store both multi-factor authentication cookies and credit card data."

To gain initial access, attackers can also perform phishing and spear-phishing campaigns to implant droppers that can deploy cookie-stealer malware stealthily.

The cookies are then used for post-exploitation and lateral movement. Cybercriminals can use them to change passwords and emails associated with user accounts, or trick the victims into downloading additional malware, or even deploy other exploitation tools such as Cobalt Strike and Impacket kit.

Users should not use built-in features to save passwords unless the browser encrypts them with, at least, a master password. It's recommended that users uncheck the setting called "remember passwords," and users should probably not allow persistent sessions either.

Developers can be part of the problem if they don't secure authentication cookies properly. Such cookies must have a short expiration date. Otherwise, the persistent authentication could turn into a persistent threat. You can have great security processes and still get hacked because the cookies do not have the necessary flags (e.g., the HttpOnly and Secure attributes). For example, authentication cookies must be sent using SSL/TLS channels. Otherwise the data could be sent in plain text and attackers would only have to sniff traffic to intercept credentials.
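The developer-side hardening the summary above calls for (Secure, HttpOnly, a short lifetime) can be checked mechanically before a cookie ever reaches a browser. The following is an added example, not code from eSecurity Planet, Sophos, or the submitter: it parses a Set-Cookie header, reports which of those protections are missing, and builds a hardened header for comparison. The eight-hour lifetime ceiling, the SameSite requirement (an attribute the summary does not mention), and the sample headers are constructed assumptions for the example.

```python
"""Audit Set-Cookie headers for session-cookie hardening.

Added example (not from eSecurity Planet or Sophos). Checks the attributes
the summary calls for -- Secure, HttpOnly, a short lifetime -- plus SameSite,
which is an assumed policy addition here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed policy threshold: a session cookie should not outlive a work day.
MAX_SESSION_LIFETIME = 8 * 3600

# Constructed "current time" so the Expires check is deterministic.
SAMPLE_NOW = datetime(2015, 10, 21, 7, 28, tzinfo=timezone.utc)


@dataclass
class CookieAudit:
    name: str
    attributes: Dict[str, str]
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to "".
    Expires values contain commas but never semicolons, so splitting on ";" is safe.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, max_lifetime: int = MAX_SESSION_LIFETIME,
                     now: Optional[datetime] = None) -> CookieAudit:
    """Return the policy findings for one Set-Cookie header (empty list = pass)."""
    name, _, attrs = parse_set_cookie(header)
    findings: List[str] = []

    if "secure" not in attrs:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite is not Lax or Strict: cookie rides along on cross-site requests")

    # Lifetime: Max-Age takes precedence over Expires (RFC 6265 semantics).
    lifetime: Optional[int] = None
    if "max-age" in attrs:
        try:
            lifetime = int(attrs["max-age"])
        except ValueError:
            findings.append("Max-Age is not an integer")
    elif "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            current = now or datetime.now(timezone.utc)
            lifetime = int((expires - current).total_seconds())
        except (TypeError, ValueError):
            findings.append("Expires date is unparseable")
    else:
        findings.append("no Max-Age or Expires: lifetime is left to the browser; set a short Max-Age")
    if lifetime is not None and lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime}s exceeds policy maximum of {max_lifetime}s")

    return CookieAudit(name, attrs, findings)


def build_session_cookie(name: str, value: str, max_age: int = 900,
                         path: str = "/", same_site: str = "Lax") -> str:
    """Emit a Set-Cookie header value that passes audit_set_cookie."""
    return (f"{name}={value}; Path={path}; Max-Age={max_age}; "
            f"Secure; HttpOnly; SameSite={same_site}")


# Constructed sample headers: the weak form beside its hardened counterpart.
WEAK_HEADER = "session=abc123; Path=/"
HARDENED_HEADER = build_session_cookie("session", "abc123")

if __name__ == "__main__":
    for header in (WEAK_HEADER, HARDENED_HEADER):
        audit = audit_set_cookie(header)
        print(f"{header}\n  -> {'OK' if audit.ok else audit.findings}")
```

Run it over the Set-Cookie lines a framework actually emits (a test client's response headers, or a proxy capture of your own service) rather than hand-written strings; the interesting failures are usually a library default that omits Secure in development or a "remember me" cookie whose Max-Age is measured in months.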

Software

PSA: Update Your iPhone To iOS 15.6.1 For Two Major Security Fixes (9to5mac.com)

Apple is advising iOS and iPadOS users to update to the latest software version to patch two security holes that could allow an application to execute arbitrary code with kernel privileges. They also issued a patch for WebKit, the browser that powers Safari and all third-party browsers on iOS. For this vulnerability, Apple says that "processing maliciously crafted web content may lead to arbitrary code execution."

"With two major security fixes, we recommend all iPhone users update to iOS 15.6.1 immediately and all iPad users update to iPadOS 15.6.1," writes Chance Miller via 9to5Mac. "You can do so by heading to the Settings app, choosing General, then choosing Software Update."

Privacy

TikTok's In-App Browser Could Be Keylogging, Privacy Analysis Warns (techcrunch.com)

An anonymous reader shares a report: 'Beware in-app browsers' is a good rule of thumb for any privacy-conscious mobile app user -- given the potential for an app to leverage its hold on user attention to snoop on what you're looking at via browser software it also controls. But eyebrows are being raised over the behavior of TikTok's in-app browser after independent privacy research by developer Felix Krause found the social network's iOS app injecting code that could enable it to monitor all keyboard inputs and taps. Aka, keylogging.

"TikTok iOS subscribes to every keystroke (text inputs) happening on third party websites rendered inside the TikTok app. This can include passwords, credit card information and other sensitive user data," warns Krause in a blog post detailing the findings. "We can't know what TikTok uses the subscription for, but from a technical perspective, this is the equivalent of installing a keylogger on third party websites." [emphasis his]

After publishing a report last week -- focused on the potential for Meta's Facebook and Instagram iOS apps to track users of their in-app browsers -- Krause followed up by launching a tool, called InAppBrowser.com, that lets mobile app users get details of code that's being injected by in-app browsers by listing JavaScript commands executed by the app as it renders the page. (NB: He warns the tool does not necessarily list all JavaScript commands executed nor can it pick up tracking an app might be doing using native code -- so at best it's offering a glimpse of potentially sketchy activities.)

Cellphones

'Samsung Still Hasn't Given Us a Good Reason To Buy a Foldable Phone' (theverge.com)

Earlier this week, Samsung unveiled their new Z Fold 4 and Z Flip 4 -- two of the most refined and polished foldable smartphones on the market. However, what Samsung hasn't done (or any other phone manufacturer for that matter) "is make the case for why you'd actually want a foldable phone," writes David Pierce via The Verge. "And until it can explain why it's worth all the extra cost and tradeoffs, I'm having a hard time figuring out why you'd be willing to give up the phone you know and love to get one." From the report: What Samsung needs to do with the Galaxy Fold (and the rest of the industry will eventually need to do with their own foldables) is convince people that it's worth buying a phone that's more expensive, more fragile, and takes up more room in your pocket. Right now, the worst thing about foldables is that they force you to make significant sacrifices on the most important device you own: your smartphone. The new Fold 4 is a little shorter, about an ounce heavier, and about twice as thick as the Galaxy S22 Ultra. It's also $600 more expensive. The Ultra has a bigger battery, better camera specs, and a 6.8-inch screen that supports an S Pen. The Fold 4, when opened, is noticeably larger, but the candy bar phones still get plenty big. And Fold makes a lot of sacrifices for some more real estate.

It's not even clear to me that Samsung knows why you should make all of those sacrifices. On its website, one of the first selling points the company offers is that you can prop up the screen on a table by opening it halfway for watching or taking videos hands-free. Here in reality, we call that a kickstand, and this is an awfully expensive one. In this mode, you're also only using half the screen, which sort of defeats the whole purpose. So far, multitasking seems to be the foldable's one actual advantage. Open up your Galaxy Fold, and you can run two apps side by side or even three or four on the screen at once! This, I agree, is a delightful thing. Being able to use my browser and my notes app side by side or see my calendar and my email together is much better than constantly swiping between two full-screen apps. And seeing two pages at a time in the Kindle app is the best. And you know what? Big screens are just good -- good for games, good for reading, good for watching Netflix.

But these aren't just arguments for foldables; they're arguments for tablets. And so far, the arguments for Android tablets don't seem to be convincing many users. While Android has gotten better as a large-screen operating system, and the Fold 4's software being based on Android 12L is a good sign, too many apps that are "optimized" for foldables are actually just sticking a giant sidebar onto one side, which doesn't accomplish much. Others just streeeetch everything to fit the larger screen. Don't even get me started on how the vast majority of apps deal with Microsoft's approach of two separate screens attached with a hinge. Samsung has done an admirable job of wrangling all of Android's weirdness onto the Fold's screen, and in general, it's not that the Fold doesn't work; it's that there's nothing about the Fold that is dramatically better than the phone or tablet you might already be carrying around. And shoving them into a single device actually makes them both a little worse.

Facebook

Meta Injecting Code Into Websites Visited By Its Users To Track Them, Research Says (theguardian.com)

Meta, the owner of Facebook and Instagram, has been rewriting websites its users visit, letting the company follow them across the web after they click links in its apps, according to new research from an ex-Google engineer. The Guardian reports: The two apps have been taking advantage of the fact that users who click on links are taken to webpages in an "in-app browser," controlled by Facebook or Instagram, rather than sent to the user's web browser of choice, such as Safari or Firefox. "The Instagram app injects their tracking code into every website shown, including when clicking on ads, enabling them [to] monitor all user interactions, like every button and link tapped, text selections, screenshots, as well as any form inputs, like passwords, addresses and credit card numbers," says Felix Krause, a privacy researcher who founded an app development tool acquired by Google in 2017.

Krause discovered the code injection by building a tool that could list all the extra commands added to a website by the browser. For normal browsers, and most apps, the tool detects no changes, but for Facebook and Instagram it finds up to 18 lines of code added by the app. Those lines of code appear to scan for a particular cross-platform tracking kit and, if not installed, instead call the Meta Pixel, a tracking tool that allows the company to follow a user around the web and build an accurate profile of their interests. The company does not disclose to the user that it is rewriting webpages in this way. No such code is added to the in-app browser of WhatsApp, according to Krause's research. [...] It is unclear when Facebook began injecting code to track users after clicking links.

"We intentionally developed this code to honor people's [Ask to track] choices on our platforms," a Meta spokesperson told The Guardian in a statement. "The code allows us to aggregate user data before using it for targeted advertising or measurement purposes. We do not add any pixels. Code is injected so that we can aggregate conversion events from pixels."

They added: "For purchases made through the in-app browser, we seek user consent to save payment information for the purposes of autofill."
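The check Krause's finding implies, written here as an added example (it is not Krause's tool and not Meta's injected code): fetch the HTML the server actually sends, capture the DOM as rendered inside the app, and report every script that appears only in the rendered copy, with a rough classification of what it does. Both HTML strings below are constructed samples, and the behaviour heuristics are assumptions about what an interaction-tracking script would contain.

```javascript
// Added example: detect script tags that an in-app browser injected into a page.
// Compares the HTML the server sent (e.g. captured with curl) against the DOM as
// rendered inside the app, and reports scripts present only in the latter.
// Both inputs below are constructed samples, not real injected code.
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;

// One fingerprint per script: external ones by src, inline ones by their
// whitespace-collapsed body.
function scriptFingerprints(html) {
  const out = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    const body = m[2].replace(/\s+/g, ' ').trim();
    out.push(src ? `src:${src[1]}` : `inline:${body}`);
  }
  return out;
}

// Assumed heuristics for what an injected script is doing: hooking user input
// events, reading form fields, or loading a known tracking script.
const SUSPICIOUS = [
  { name: 'hooks user input events',
    re: /addEventListener\(\s*["'](?:click|keyup|keydown|input|change|submit|copy|paste|selectionchange)["']/ },
  { name: 'reads form fields',
    re: /\b(?:HTMLInputElement|querySelectorAll\(\s*["']input|\.value\b)/ },
  { name: 'loads a tracking pixel',
    re: /\bfbq\(|fbevents\.js|connect\.facebook\.net/ },
];

function classify(script) {
  return SUSPICIOUS.filter(({ re }) => re.test(script)).map(({ name }) => name);
}

// Scripts in renderedHtml that the server never sent, with their classification.
function findInjectedScripts(servedHtml, renderedHtml) {
  const served = new Set(scriptFingerprints(servedHtml));
  return scriptFingerprints(renderedHtml)
    .filter((fp) => !served.has(fp))
    .map((fp) => ({ script: fp, behaviours: classify(fp) }));
}

// Constructed samples. The extra script in RENDERED_HTML mimics the behaviour
// the article describes (hooking taps and form input); it is not the real code.
const SERVED_HTML = `<html><head>
<script src="https://shop.example/app.js"></script>
</head><body><form><input type="password" name="pw"></form></body></html>`;

const RENDERED_HTML = `<html><head>
<script src="https://shop.example/app.js"></script>
<script>
  document.addEventListener('click', e => report('tap', e.target.tagName));
  document.querySelectorAll('input').forEach(i =>
    i.addEventListener('input', e => report('form', e.target.value)));
</script>
</head><body><form><input type="password" name="pw"></form></body></html>`;

console.log(JSON.stringify(findInjectedScripts(SERVED_HTML, RENDERED_HTML), null, 2));
```

In practice the rendered copy comes from a page you control that, after load, posts its own `document.documentElement.outerHTML` back to your server when opened from inside the app; the served copy is what your server logged sending. Fingerprinting by src and collapsed body keeps the comparison stable across whitespace differences, so only genuinely new scripts are reported.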

Security

DNSFilter Acquires iOS Firewall App Guardian (techcrunch.com) 1

DNSFilter, a Washington, D.C.-based provider of DNS-based web content filtering and threat protection, has announced it's acquiring Guardian, a privacy-protecting firewall for iOS. Financial terms of the deal were not disclosed. From a report: Guardian was founded in 2013 by Will Strafach, a security researcher and former iPhone jailbreaker who in 2017 discovered that AccuWeather was secretly sending precise location data to a third-party company without a user's permission. The company's "smart firewall" iPhone app blocks apps from sharing users' personal information with third-parties, such as IP addresses and location data, by funneling data through an encrypted virtual private network (VPN). The startup, which claims to have so far blocked more than 5 billion data trackers and 1 billion location trackers, recently joined forces with Brave to integrate its firewall and VPN functionality into its eponymous non-tracking browser.

Microsoft

DuckDuckGo Browser's Stricter Privacy Protection Will Also Apply To Microsoft Scripts Now (theverge.com) 22

After a revelation in May that DuckDuckGo's (DDG) privacy-focused web browser allows Microsoft tracking scripts on third-party websites, the company now says it will start blocking those too. From a report: DuckDuckGo's browser had third-party tracker loading protection by default that already blocked scripts embedded on websites from Facebook, Google, and others, but until now Microsoft's scripts from the Bing and LinkedIn domains (but not its third-party cookies) had a pass.

A security researcher named Zach Edwards pointed out the exclusion, which he apparently uncovered while auditing the browser's privacy claims, and noted that it is especially curious because Microsoft is the partner that delivers ads in DDG's search engine (while promising not to use that data to build a profile of users for ad targeting, instead relying on context to decide which ads to show). DuckDuckGo CEO Gabe Weinberg said at the time that the reason was a search syndication agreement with Microsoft, and that more updates on third-party tracker prevention were coming. A backlash ensued, with some seizing on DuckDuckGo's own words that "tracking is tracking," a phrase the company used against Google's cookie-replacing "privacy sandbox" ad technology. Now Weinberg writes in a blog post, "I've heard from a number of users and understand that we didn't meet their expectations around one of our browser's web tracking protections." DuckDuckGo is vowing to be more transparent about which trackers its browser and extensions protect users from, making its tracker blocklists available and explaining on a new help page how its tracking protections work.
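What a third-party tracker-loading protection decides per request, and how a domain exemption of the kind described above punches a hole in it, as an added example (not DuckDuckGo's code or its real blocklist): a request is blocked only when it is third-party to the page and its host matches the list, and an allowlist entry takes precedence over the list. The tracker list, page URL and requests are constructed samples, and the registrable-domain logic is a deliberate toy; a real implementation uses the Public Suffix List.

```javascript
// Added example: a minimal third-party tracker blocker. Not DuckDuckGo's code;
// the lists and URLs below are constructed samples.

// Toy registrable-domain extraction: the last two labels, or three for a few
// two-label public suffixes. Assumption for the example; use the Public
// Suffix List in real code.
const TWO_LEVEL_SUFFIXES = new Set(['co.uk', 'com.au', 'co.jp']);
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  const n = TWO_LEVEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-n).join('.');
}

function hostMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Decide for one request in the context of the page that issued it.
function decide(requestUrl, pageUrl, blocklist, allowlist = []) {
  const reqHost = new URL(requestUrl).hostname;
  const pageHost = new URL(pageUrl).hostname;
  if (registrableDomain(reqHost) === registrableDomain(pageHost)) {
    return { block: false, reason: 'first-party' };      // never blocked
  }
  if (allowlist.some((d) => hostMatches(reqHost, d))) {
    return { block: false, reason: 'allowlisted' };      // the exemption gap
  }
  if (blocklist.some((d) => hostMatches(reqHost, d))) {
    return { block: true, reason: 'third-party tracker' };
  }
  return { block: false, reason: 'not listed' };
}

// Constructed tracker list, page and requests.
const TRACKER_DOMAINS = ['connect.facebook.net', 'google-analytics.com', 'bat.bing.com', 'snap.licdn.com'];
const PAGE = 'https://news.example.co.uk/story';
const REQUESTS = [
  'https://static.news.example.co.uk/app.js',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://bat.bing.com/bat.js',
  'https://snap.licdn.com/li.lms-analytics/insight.min.js',
];

// Run the same requests with and without a Microsoft exemption.
function run(allowlist) {
  return REQUESTS.map((u) => [u, decide(u, PAGE, TRACKER_DOMAINS, allowlist).reason]);
}
console.log('with exemption:', run(['bing.com', 'linkedin.com', 'licdn.com']));
console.log('without exemption:', run([]));
```

The allowlist check sits before the blocklist check on purpose: that ordering is exactly why an exempted partner domain loads even when it is on the tracker list, which is the behaviour users objected to. Removing the exemption is a one-line change to the policy, not to the matching code.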

Security

0-Days Sold By Austrian Firm Used To Hack Windows Users, Microsoft Says (arstechnica.com) 25

Longtime Slashdot reader HnT shares a report from Ars Technica: Microsoft said on Wednesday that an Austria-based company named DSIRF used multiple Windows and Adobe Reader zero-days to hack organizations located in Europe and Central America. Members of the Microsoft Threat Intelligence Center, or MSTIC, said they have found Subzero malware infections spread through a variety of methods, including the exploitation of what at the time were Windows and Adobe Reader zero-days, meaning the attackers knew of the vulnerabilities before Microsoft and Adobe did. Targets of the attacks observed to date include law firms, banks, and strategic consultancies in countries such as Austria, the UK, and Panama, although those aren't necessarily the countries in which the DSIRF customers who paid for the attack resided.

"MSTIC has found multiple links between DSIRF and the exploits and malware used in these attacks," Microsoft researchers wrote. "These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open source news reports attributing Subzero to DSIRF."
Referring to DSIRF using the name KNOTWEED, Microsoft researchers wrote: In May 2022, MSTIC found an Adobe Reader remote code execution (RCE) and a 0-day Windows privilege escalation exploit chain being used in an attack that led to the deployment of Subzero. The exploits were packaged into a PDF document that was sent to the victim via email. Microsoft was not able to acquire the PDF or Adobe Reader RCE portion of the exploit chain, but the victim's Adobe Reader version was released in January 2022, meaning that the exploit used was either a 1-day exploit developed between January and May, or a 0-day exploit. Based on KNOTWEED's extensive use of other 0-days, we assess with medium confidence that the Adobe Reader RCE is a 0-day exploit. The Windows exploit was analyzed by MSRC, found to be a 0-day exploit, and then patched in July 2022 as CVE-2022-22047. Interestingly, there were indications in the Windows exploit code that it was also designed to be used from Chromium-based browsers, although we've seen no evidence of browser-based attacks.

The CVE-2022-22047 vulnerability is related to an issue with activation context caching in the Client Server Run-Time Subsystem (CSRSS) on Windows. At a high level, the vulnerability could enable an attacker to provide a crafted assembly manifest, which would create a malicious activation context in the activation context cache, for an arbitrary process. This cached context is used the next time the process is spawned.

CVE-2022-22047 was used in KNOTWEED related attacks for privilege escalation. The vulnerability also provided the ability to escape sandboxes (with some caveats, as discussed below) and achieve system-level code execution. The exploit chain starts with writing a malicious DLL to disk from the sandboxed Adobe Reader renderer process. The CVE-2022-22047 exploit was then used to target a system process by providing an application manifest with an undocumented attribute that specified the path of the malicious DLL. Then, when the system process next spawned, the attribute in the malicious activation context was used, the malicious DLL was loaded from the given path, and system-level code execution was achieved.
Microsoft recommends a number of security considerations to help mitigate this attack, including patching CVE-2022-22047, updating Microsoft Defender Antivirus to update 1.371.503.0 or later, and enabling multifactor authentication (MFA).
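The chain above leaves a telemetry pattern that does not depend on the specific bug: a DLL written to disk by a sandboxed, low-privilege process, later loaded into a process running as SYSTEM from a path that only unprivileged code can write to. The following is an added detection example, not Microsoft's detection logic and not KNOTWEED telemetry; it correlates FileCreate and ImageLoad records shaped like Sysmon events 11 and 7 (the field set, including a User field on image loads, is an assumption), over constructed sample records.

```javascript
// Added example: correlate Sysmon-style FileCreate (ID 11) and ImageLoad (ID 7)
// records to flag a DLL written by a low-privilege process and then loaded by a
// SYSTEM process from a user-writable path. Field names follow Sysmon's
// (assumed); all records are constructed samples, not real telemetry.
const HIGH_PRIV_USERS = new Set([
  'NT AUTHORITY\\SYSTEM', 'NT AUTHORITY\\LOCAL SERVICE', 'NT AUTHORITY\\NETWORK SERVICE',
]);
function isHighPrivilege(user) {
  return HIGH_PRIV_USERS.has(String(user).toUpperCase());
}

// Locations an unprivileged (or sandboxed) process can normally write to.
const USER_WRITABLE = [/^c:\\users\\/i, /^c:\\windows\\temp\\/i, /^c:\\programdata\\/i];
function isUserWritable(path) {
  return USER_WRITABLE.some((re) => re.test(path));
}

function findSuspiciousLoads(events) {
  // Index DLL writes by normalised path: which process wrote it, as which user.
  const writes = new Map();
  for (const e of events) {
    if (e.EventID === 11 && /\.dll$/i.test(e.TargetFilename)) {
      writes.set(e.TargetFilename.toLowerCase(), e);
    }
  }
  const findings = [];
  for (const e of events) {
    if (e.EventID !== 7) continue;
    const reasons = [];
    const w = writes.get(e.ImageLoaded.toLowerCase());
    if (isHighPrivilege(e.User) && isUserWritable(e.ImageLoaded)) {
      reasons.push('SYSTEM process loaded a DLL from a user-writable path');
    }
    if (w && isHighPrivilege(e.User) && !isHighPrivilege(w.User)) {
      reasons.push(`DLL was written by ${w.Image} running as ${w.User}`);
    }
    if (String(e.Signed).toLowerCase() === 'false') {
      reasons.push('loaded image is unsigned');
    }
    if (reasons.length) findings.push({ process: e.Image, dll: e.ImageLoaded, reasons });
  }
  return findings;
}

// Constructed sample: a Reader renderer drops a DLL under the user's Temp, a
// SYSTEM service later loads it. svchost.exe stands in for "a system process";
// the article does not name the process KNOTWEED targeted.
const SAMPLE_EVENTS = [
  { EventID: 11, UtcTime: '2022-05-03 10:14:02',
    Image: 'C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe',
    User: 'CORP\\alice',
    TargetFilename: 'C:\\Users\\alice\\AppData\\Local\\Temp\\acro_ui.dll' },
  { EventID: 7, UtcTime: '2022-05-03 10:14:05',
    Image: 'C:\\Windows\\System32\\svchost.exe', User: 'NT AUTHORITY\\SYSTEM',
    ImageLoaded: 'C:\\Windows\\System32\\ntdll.dll', Signed: 'true' },
  { EventID: 7, UtcTime: '2022-05-03 10:14:09',
    Image: 'C:\\Windows\\System32\\svchost.exe', User: 'NT AUTHORITY\\SYSTEM',
    ImageLoaded: 'C:\\Users\\alice\\AppData\\Local\\Temp\\acro_ui.dll', Signed: 'false' },
];

console.log(JSON.stringify(findSuspiciousLoads(SAMPLE_EVENTS), null, 2));
```

The three signals are scored independently so that each alone is a lead and all three together are a strong one: a SYSTEM process loading from a user profile directory is rare on its own, and the write-then-load correlation across privilege levels is the part that the activation-context technique cannot avoid, whatever manifest attribute is used to point at the DLL.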

Slashdot Top Deals