Chrome

Google Chrome Security Update Fixes 'High Risk' Flaws (zdnet.com) 10

"Google has released security updates for Google Chrome browser for Windows, Mac and Linux, addressing vulnerabilities that could allow a remote attacker to take control of systems," reports ZDNet: There are 11 fixes in total, including five that are classed as high-severity. As a result, CISA has issued an alert encouraging IT administrators and regular users to install the updates as soon as possible to ensure their systems are not vulnerable to the flaws.

Among the most severe vulnerabilities that are patched by the Google Chrome update is CVE-2022-2477, a vulnerability caused by a use-after-free flaw in Guest View, which could allow a remote attacker to execute arbitrary code on systems or crash them... Another of the vulnerabilities, CVE-2022-2480, relates to a use-after-free flaw in the Service Worker API, which acts as a proxy server that sits between web applications, the browser and the network in order to improve offline experiences, among other things.

Social Networks

Snapchat Is Finally Coming To the Web (cnbc.com) 24

After over a decade as a mobile-only service, Snapchat is coming to your desktop. CNBC reports: Snap, the parent of the popular photo and messaging app, said Monday that it's debuting Snapchat for Web, allowing users to send messages and make video calls to their contacts from their computers. The new desktop version of Snapchat will at first only be available to Australian and New Zealand users, in addition to Snapchat+ subscribers in the U.S., U.K. and Canada. Snap launched Snapchat+ in June, allowing users to pay $3.99 a month for more advanced features, like changing the style of their app icon and seeing who's viewed their content.

The web offering will be a more stripped-down version of the mobile app, primarily focusing on the app's messaging feature as opposed to its Stories feature. Like the core Snap app, messages will disappear after 24 hours, and any Snaps users watch from their desktop computers will delete right after viewing. Eventually, Snap says it will bring more features of the app to desktop version, including the ability for users to liven up their video calls with the use of Lenses. Currently, people will have to access Snapchat for Web via the Chrome browser, but the company said that it would soon support other browsers and could release a desktop app in the future.

Facebook

Report: Facebook has Started Encrypting Links to Counter Browsers' Anti-Tracking Measures (ghacks.net) 163

"Facebook has started to use a different URL scheme for site links," writes the technology blog Ghacks, "to combat URL stripping technologies that browsers such as Firefox or Brave use to improve privacy and prevent user tracking." Some sites, including Facebook, add parameters to the web address for tracking purposes. These parameters have no functionality that is relevant to the user, but sites rely on them to track users across pages and properties. Mozilla introduced support for URL stripping in Firefox 102, which it launched in June 2022. Firefox removes tracking parameters from web addresses automatically, but only in private browsing mode or when the browser's Tracking Protection feature is set to strict. Firefox users may enable URL stripping in all Firefox modes, but this requires manual configuration. Brave Browser strips known tracking parameters from web addresses as well....

It is no longer possible to remove the tracking part of the URL, as Facebook merged it with part of the required web address.

Privacy

A New Attack Can Unmask Anonymous Users On Any Major Browser (wired.com) 58

An anonymous reader quotes a report from Wired: [R]esearchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets' digital lives. The findings (PDF), which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data.

When you visit a website, the page can capture your IP address, but this doesn't necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target's browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser. "If you're an average internet user, you may not think too much about your privacy when you visit a random website," says Reza Curtmola, one of the study authors and a computer science professor at NJIT. "But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they're very stealthy. You just visit the website and you have no idea that you've been exposed."

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it -- the attack works both ways. Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content. [...] Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site -- and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn't available for all browsers.

Censorship

Tor Browser Now Bypasses Internet Censorship Automatically (bleepingcomputer.com) 18

An anonymous reader quotes a report from BleepingComputer: The Tor Project team has announced the release of Tor Browser 11.5, a major release that brings new features to help users fight censorship easier. [...] The updates in Tor Browser 11.5 focus on circumventing censorship, a process that started a year ago in version 10.5 with improving the Tor connection experience. In the new version, users no longer have to manually try out bridge configurations to unblock Tor.

Tor Browser version 11.5 comes with a new feature called "Connection Assist," which assigns automatically the bridge configuration known to work best for the user's location. "Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent)," explains the release announcement. "It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org." Since Connection Assist is still in an early stage of development (v1.0), the Tor team welcomes user feedback and reports, which would help them iron out any kinks and improve on the system.

Another important new feature in version 11.5 is making 'HTTPS-Only Mode' the default browsing mode, so that the connection is through a secure tunnel. This ensures that all data exchange between the user and the server hosting the website will be encrypted, to defend against man-in-the-middle (MitM) attacks and to protect users from SSL stripping on malicious exit relays. [...] The third significant improvement in Tor Browser 11.5 is a heavily revamped Network Settings menu, now called "Connection Settings," which should make it easier to find and understand specific settings. Most notably, bridge configuration and connection options have been redesigned to enable quick and easy review and management. Using emojis on the saved Bridges, the new interface offers visualization for the configuration for the first time, making it easy to identify the right bridge and select it when needed.
You can download the latest Tor Browser from the official download portal.

Google

Google Tests Battery-Conserving Feature Perfect for Hoarding Tabs (arstechnica.com) 20

Google is testing a method to boost the battery life of Chromebooks by changing how they work with the Chrome web browser. It's shaping up to be a potentially attractive update for users who leave a lot of tabs open on their Chromebooks. From a report: Google Chrome currently cuts the CPU time and throttles the CPU load for any tab you haven't touched or looked at for five minutes. Google calls this "intensive throttling of JavaScript timer wake up," and it's supposed to help conserve system battery life. The feature also makes the page wake up once every 60 seconds to check if you're actively using the tab again. It seems Google is interested in pushing the idea even further, at least for Chromebook users. About Chromebooks this week spotted a new flag in Chrome OS 105, currently being tested in the dev channel, that changes this five-minute period to 10 seconds.

Microsoft

Microsoft's xCloud Game Streaming Looks Worse On Linux Than Windows (arstechnica.com) 35

As noted by a Reddit user and confirmed by Ars Technica, Microsoft's xCloud game streaming looks noticeably worse when running on Linux than Windows. From the report: With the Linux User-Agent, edges are generally less sharp and colors are a little more washed out. The difference is even more apparent if you zoom in on the Forza logo and menu text, which shows a significant reduction in clarity. Interestingly, the dip in quality seems to go away if you enable "Clarity Boost," an Edge-exclusive feature that "provid[es] the optimal look and feel while playing Xbox games from the cloud," according to Microsoft. That's great for Linux users who switched over to Microsoft Edge when it launched on Linux last November. But Linux users who stick with Firefox, Chrome, or other browsers are currently stuck with apparently reduced streaming quality.

That Linux quality dip has led some to speculate that Microsoft is trying to reserve the best xCloud streaming performance for Windows machines in an attempt to attract more users to its own operating system. But using a Macintosh User-Agent string provides streaming performance similar to that on Windows, which would seem to be a big omission if that theory were true. Microsoft also hasn't published any kind of "best on Windows"-style marketing in promoting xCloud streaming, which would seemingly be a key component of trying to attract new Windows users. (The quality difference could be a roundabout attempt to get Linux users to switch to the Edge browser, where Clarity Boost offers the best possible quality. But that still wouldn't fully explain why Windows users on other browsers, without Clarity Boost, also get better streaming quality than their Linux brethren.)

Others have suggested that the downgrade could simply be a bug caused by Microsoft's naive parsing of the User-Agent strings. That's because the User-Agent strings for Android browsers generally identify themselves as some version of Linux ("Linux; Android 11; HD1905," for example). Microsoft's xCloud code might simply see the "Linux" in that string, assume the user is running Android, then automatically throttle the streaming quality to account for the (presumably) reduced screen size of an Android phone or tablet.

iPhone

Apple Launches iPhone Security Tool To Block Targeted Attacks (bloomberg.com) 37

Apple introduced a security tool for iPhone, iPad and Mac devices that is designed to prevent targeted cyberattacks on high-profile users such as activists, journalists and government officials. From a report: The optional feature, called Lockdown Mode, will offer "extreme" protection for a "very small number of users who face grave, targeted attacks," Apple said Wednesday in a statement. The tool vastly reduces the number of physical and digital ways for an attacker to hack a user's device. Apple said the feature is aimed primarily at trying to combat attacks from "spyware" sold by NSO Group and other companies, particularly to state-sponsored groups.

[...] Lockdown Mode will affect the Messages app, FaceTime, Apple online services, configuration profiles, the Safari web browser and wired connections. With the tool in place, the Messages app will block attachments other than images and disable link previews. Those are two common mechanisms that hackers use to infiltrate devices remotely. The web browser, another frequent conduit for hackers, will also be severely limited, with restrictions on certain fonts, web languages and features involving reading PDFs and previewing content. In FaceTime, users won't be able to receive calls from an individual that they haven't previously called within the preceding 30 days.

Advertising

T-Mobile Has Started Selling Your App Data To Advertisers (androidpolice.com) 30

T-Mobile has just officially launched its new ad platform, known as T-Mobile Advertising Solutions. That innocuous name hides a rather sketchy business model -- it aggregates your mobile application usage and sells it to advertisers. Android Police reports: The specifics of the program will sound familiar to anyone who has followed the ebb and flow of browser tracking. T-Mobile uses network-level tools to track the apps that people use on their phones, and it then anonymizes and aggregates that data to lump you into various "personas," or "cohorts" as other platforms would call it. For example, if you regularly use Expensify and airline apps on your phone, T-Mobile could identify you as a business traveler for advertising purposes. This program has been in testing for the past year as "T-Mobile Marketing Solutions," according to The Verge, but it is now live with its new name.

There is some good news (but less of it for Android fans). T-Mobile does not currently collect app data on iOS users, fearing it could run afoul of Apple's privacy rules. But we Android users are fair game, apparently. However, you can opt-out of T-Mobile's program using its official "Magenta Marketing Platform Choices" app. Alternatively, the Digital Advertising Alliance offers an app that lets you opt-out of numerous trackers, including T-Mobile Advertising Solutions, which is listed under its old name of T-Mobile Marketing Solutions.

Bitcoin

Solana Launches Web3-Focused Smartphone Saga To Improve Crypto-Mobile Relationship (techcrunch.com) 52

An anonymous reader quotes a report from TechCrunch: The co-founder and CEO of Solana, Anatoly Yakovenko, had a Steve Jobs moment when he stood in front of an auditorium in New York City and announced the launch of Saga, an Android web3-focused smartphone. "This is something that I fundamentally believe the industry needs to do," Yakovenko said. "We didn't see a single crypto feature at the Apple developer conference 13 years after Bitcoin was alive." People will pull out their laptops in the middle of dates so they don't miss an NFT minting opportunity, Yakovenko joked. "So I think it's time for crypto to go mobile," Yakovenko added.

Saga aims to implement digital asset products and services, so users can easily transact with their cryptocurrency through the device, opposed to a laptop browser. In addition to the announcement of Saga, Yakovenko shared the launch of the Solana Mobile Stack, or SMS, which is a web3 layer for Solana built on the phone. SMS will consist of a number of products including a seed vault, a custody solution, a mobile wallet adapter, Solana Pay for Android and its decentralized application (dApp) store. It "provides a new set of libraries for wallets and apps, allowing developers to create rich mobile experiences on Solana," a press release said.

A number of crypto companies including FTX, Phantom and Magic Eden will partner with SMS and there is also a $10 million developer fund for people who build apps on it. "The builders are coming and they are higher quality than before," Raj Gokal, COO at Solana Labs said. "They're ready for the next leg of user growth." The $1,000 device will have 512 GB of storage with a 6.67-inch OLED display and is available for preorder with a $100 deposit and deliveries will occur in Q1 2023, Yakovenko said.

Operating Systems

RISC OS: 35-Year-Old Original ARM OS Is Alive and Well (theregister.com) 51

RISC OS, the operating system of the original Arm computer, the Acorn Archimedes, is still very much alive -- and doing relatively well for its age. The Register reports: In June 1987, Acorn launched the Archimedes A305 and A310, starting at $982 and running a new operating system called Arthur. At the time, it was a radical and very fast computer. In his review (PDF) for Personal Computer World, Dick Pountain memorably said: "It loads huge programs with a faint burping noise, in the time it takes to blink an eye." Arthur was loosely related to Acorn's earlier MOS, the BBC Micro operating system but looked very different thanks to a prototype graphical desktop, implemented in BBC BASIC, that could charitably be called "technicolor." Renamed RISC OS, version 2 followed in 1989 -- the same year that Sun started selling its new SPARCstation 1 (a snip at $9,200) and DEC launched the MIPS R2000-chipset-based DECstation 3100 (for $10,800).

RISC OS has had a rather convoluted history, partly due to Acorn spinning out Arm, eventually pulling out of the computer market, rebranding as Element 14 and being acquired by Broadcom, where Arm co-designer Sophie Wilson still works today. And partly due to drama over the ownership of the OS post-Acorn at one point. One fork of RISC OS still supports Acorn-era Arm's odd 26-bit mode, meaning that today it mostly runs on the commercial Virtual Acorn emulator. The other branch, designed for the 32-bit mode of more recent Arm chips, is now owned by RISC OS Developments, which made it fully open source back in 2018. Development and maintenance is done by the team at RISC OS Open Ltd -- ROOL for short -- which offers downloads for a variety of current Arm hardware, such as the Titanium desktops. [...]

RISC OS Developments are still working on new functionality for the OS. Notably, it recently released a new TCP/IP stack, derived from OpenBSD. Right now, the main benefit is IPv6 support. A feature more significant to most users is still in development: Wi-Fi support. Also still under development, but available to paid backers, is a new RISC OS web browser, Iris. RISC OS does come with a choice of browsers -- NetSurf and Otter -- but the plan is that the new Iris browser will be a native app, with the RISC OS look and feel, but using the WebKit engine for better compatibility with the modern web. The main remaining limitation is SMP. As an OS from the 1980s, long before the 21st-century technology of mainstream multicore processors, RISC OS practically only supports a single CPU core. Various experimental efforts are under way to address this. One has got NetBSD running on another core, and another has the experimental Genode OS running alongside RISC OS. Another effort is working on adding SMP support into the RISC OS kernel itself.

Firefox

Is Firefox OK? (wired.com) 225

At the end of 2008, Firefox was flying high. Twenty percent of the 1.5 billion people online were using Mozilla's browser to navigate the web. In Indonesia, Macedonia, and Slovenia, more than half of everyone going online was using Firefox. "Our market share in the regions above has been growing like crazy," Ken Kovash, Mozilla's data analytics team manager at the time, wrote in a blog post. Almost 15 years later, things aren't so rosy. From a report: Across all devices, the browser has slid to less than 4 percent of the market -- on mobile it's a measly half a percent. "Looking back five years and looking at our market share and our own numbers that we publish, there's no denying the decline," says Selena Deckelmann, senior vice president of Firefox. Mozilla's own statistics show a drop of around 30 million monthly active users from the start of 2019 to the start of 2022. "In the last couple years, what we've seen is actually a pretty substantial flattening," Deckelmann adds.

In the two decades since Firefox launched from the shadows of Netscape, it has been key to shaping the web's privacy and security, with staff pushing for more openness online and better standards. But its market share decline was accompanied by two rounds of layoffs at Mozilla during 2020. Next year, its lucrative search deal with Google -- responsible for the vast majority of its revenue -- is set to expire. A spate of privacy-focused browsers now compete on its turf, while new-feature misfires have threatened to alienate its base. All that has left industry analysts and former employees concerned about Firefox's future. Its fate also has larger implications for the web as a whole. For years, it was the best contender for keeping Google Chrome in check, offering a privacy-forward alternative to the world's most dominant browser.

The Internet

Brave Roasts DuckDuckGo Over Bing Privacy Exception (theregister.com) 23

Brave CEO Brendan Eich took aim at rival DuckDuckGo on Wednesday by challenging the web search engine's efforts to brush off revelations that its Android, iOS, and macOS browsers gave, to a degree, Microsoft Bing and LinkedIn trackers a pass versus other trackers. The Register reports: Eich drew attention to one of DuckDuckGo's defenses for exempting Microsoft's Bing and LinkedIn domains, a condition of its search contract with Microsoft: that its browsers blocked third-party cookies anyway. "For non-search tracker blocking (e.g. in our browser), we block most third-party trackers," explained DuckDuckGo CEO Gabriel Weinberg last month. "Unfortunately our Microsoft search syndication agreement prevents us from doing more to Microsoft-owned properties. However, we have been continually pushing and expect to be doing more soon."

However, Eich argues this is disingenuous because DuckDuckGo also includes exceptions that allow Microsoft trackers to circumvent third-party cookie blocking via appended URL parameters. "Trackers try to get around cookie blocking by appending identifiers to URL query parameters, to ID you across sites," he explained. DuckDuckGo is aware of this, Eich said, because its browser prevents Google, Facebook, and others from appending identifiers to URLs in order to bypass third-party cookie blocking. "[DuckDuckGo] removes Google's 'gclid' and Facebook's 'fbclid'," Eich said. "Test it yourself by visiting https://example.org/?fbclid=sample in [DuckDuckGo]'s macOS browser. The 'fbclid' value is removed." "However, [DuckDuckGo] does not apply this protection to Microsoft's 'msclkid' query parameter," Eich continued. "[Microsoft's] documentation specifies that 'msclkid' exists to circumvent third-party cookie protections in browsers (including in Safari's browser engine used by DDG on Apple OSes)." Eich concluded by arguing that privacy-focused brands need to prioritize privacy. "Brave categorically does not and will not harm user privacy to satisfy partners," he said.

A spokesperson for DuckDuckGo characterized Eich's conclusion as misleading. "What Brendan seems to be referring to here is our ad clicks only, which is protected in our agreement with Microsoft as strictly non-profiling (private)," a company spokesperson told The Register in an email. "That is these ads are privacy protected and how he's framed it is ultimately misleading. Brendan, of course, kept the fact that our ads are private out and there is really nothing new here given everything has already been disclosed." In other words, allowing Bing to append its identifier to URLs enables Bing advertisers to tell whether their ad produced a click (a conversion), but not to target DuckDuckGo browser users based on behavior or identity.

DuckDuckGo's spokesperson pointed to Weinberg's attempt to address the controversy on Reddit and argued that DuckDuckGo provides very strong privacy protections. "This is talking about link tracking which no major browser protects against (see https://privacytests.org/), however we've started protecting against link tracking, and started with the primary offenders (Google and Facebook)," DuckDuckGo's spokesperson said. "To note, we are planning on expanding this to more companies, including Twitter, Microsoft, and more. We are not restricted from this and will be doing so."

Firefox

Firefox Rolls Out Total Cookie Protection By Default To All Users Worldwide 72

Mozilla: Starting today, Firefox is rolling out Total Cookie Protection by default to all Firefox users worldwide, making Firefox the most private and secure major browser available across Windows and Mac. Total Cookie Protection is Firefox's strongest privacy protection to date, confining cookies to the site where they were created, thus preventing tracking companies from using these cookies to track your browsing from site to site. Whether it's applying for a student loan, seeking treatment or advice through a health site, or browsing an online dating app, massive amounts of your personal information is online -- and this data is leaking all over the web.

The hyper-specific-to-you ads you so often see online are made possible by cookies that are used to track your behavior across sites and build an extremely sophisticated profile of who you are. Recent stories (including an excellent Last Week Tonight episode) have shown how robust, yet under-the-radar, the data selling economy is and how easy it is for anyone to buy your data, combine it with more data about you and use it for a variety of purposes, even beyond advertising. It's an alarming reality -- the possibility that your every move online is being watched, tracked and shared -- and one that's antithetical to the open web we at Mozilla have strived to build. That's why we developed Total Cookie Protection to help keep you safe online.

Total Cookie Protection works by creating a separate "cookie jar" for each website you visit. Instead of allowing trackers to link up your behavior on multiple sites, they just get to see behavior on individual sites. Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to only that website. No other websites can reach into the cookie jars that don't belong to them and find out what the other websites' cookies know about you -- giving you freedom from invasive ads and reducing the amount of information companies gather about you. This approach strikes the balance between eliminating the worst privacy properties of third-party cookies -- in particular the ability to track you -- and allowing those cookies to fulfill their less invasive use cases (e.g. to provide accurate analytics). With Total Cookie Protection in Firefox, people can enjoy better privacy and have the great browsing experience they've come to expect.

IT

Vivaldi Email Client Released 7 Years After First Announcement (theregister.com) 42

Browser maker Vivaldi's email client has finally hit version 1.0, seven years after it was first announced. From a report: Vivaldi Mail, which includes a calendar and feed reader as well as an email client, first arrived in technical preview in 2020. A slightly wobbly beta arrived last year alongside version 4 of the Chromium-based browser. After another year of polish and tidying of loose ends, the company has declared the client ready.

As before, the client is built into the browser, meaning it is unlikely to appeal to many beyond Vivaldi's existing user base. Enabling it is a simple matter of dropping into Settings pages and wading through until the option to enable Mail, Calendar, and Feeds can be selected. Vivaldi has a lot of settings -- delightfully customizable for some and downright baffling for others. That said, for users still pining for a good old-fashioned email client that doesn't require wading through a web page festooned with adverts, there's a lot to like. It supports multiple accounts, will sort messages and create folders automatically (locally, rather than on a mystery server in the cloud), and permits searching (with indexing performed offline). IMAP and POP3 are supported, making adding a provider relatively straightforward, and the company also claims that users can log into their Google accounts from Mail and Calendar.

Cloud

Facebook Gaming Brings Crayta's User-Generated Games To Its Cloud Platform (theverge.com) 4

Crayta, a platform that lets players create, share, and play games with friends, is coming to Facebook Gaming's cloud-streaming service. The Verge reports: The collaborative game-building platform is built on Unreal Engine 4 and features a library of thousands of player-made games users can browse or add to with their own creations. While Crayta shares the element of game creation with Roblox, it also takes some cues from Fortnite, with the most obvious being its bright and cartoonish art. It also has rotating seasons, offers a battle pass, and lets users customize their own avatars. But probably one of the coolest -- and most unique -- things about Crayta is that it lets you share a game with just a single link, allowing your friend to hop right in from their browser. "A lot of times today, people think about the metaverse as 3D experiences you can have in virtual and augmented reality, but I think what Crayta shows is that you can both build and enjoy these kind of experiences really easily on all kinds of 2D environments including just within the Facebook App on phones and on computers," Mark Zuckerberg said in a video showing off Crayta's addition to its cloud gaming platform.

Desktops (Apple)

Apple Announces macOS 13 Ventura, the Next Major Software Update for the Mac (arstechnica.com) 60

As expected, Apple has used the stage at its WWDC 2022 keynote to reveal the features and changes coming to macOS in the next major software update for the platform, macOS 13 Ventura. From a report: Ventura's headlining feature is a new multitasking interface called Stage Manager. It's being billed as a way to fight window clutter on a busy desktop -- enter Stage Manager mode, and one of your windows floats to the center of the screen, pushing your other windows into a compressed navigation column on the left of the screen. Click a different app window on the left, and it will fly to the center of the screen, knocking the app you were using before into the navigation column. Spotlight also gets some handy quality-of-life updates, adding the ability to Quick Look search results directly from the Spotlight window, and the ability to run Shortcuts from within Spotlight.

Safari picks up the ability to share groups of tabs with other users, letting all users add and remove tabs. The browser is also adding a FIDO-compliant security technology called PassKeys, which aim to replace passwords with cryptographically generated keys that sync between devices using iCloud Keychain. Sites that support PassKeys can be opened using TouchID or FaceID. Apple's cross-device Continuity features were also updated. FaceTime calls can be handed off seamlessly between different Macs and iDevices, while Continuity Camera allows you to use an iPhone as a webcam (your iPhone's LED can even be used as a makeshift ring light). Continuity Camera supports Center Stage and Portrait Mode effects, too, though presumably they will require newer iPhones with hardware that supports those features.

Chrome

New Data Shows Only Two Browsers With More Than 1 Billion Users (arstechnica.com) 111

An anonymous reader quotes a report from Ars Technica: Apple's Safari web browser has more than 1 billion users, according to an estimate by Atlas VPN. Only one other browser has more than a billion users, and that's Google's Chrome. But at nearly 3.4 billion, Chrome still leaves Safari in the dust. It's important to note that these numbers include mobile users, not just desktop users. Likely, Safari's status as the default browser for both the iPhone and iPad plays a much bigger role than its usage on the Mac. Still, it's impressive given that Safari is the only major web browser not available on Android, which is the world's most popular mobile operating system, or Windows, the most popular desktop OS. "The statistics are based on the GlobalStats browser market share percentage, which was then converted into numbers using the Internet World Stats internet user metric to retrieve the exact numbers," explains Atlas VPN in a blog post.

Chrome

Google is Rolling Out Chrome 102 with 32 Security Fixes, One Critical (zdnet.com) 10

This week Google began a rolling release for stable Chrome version 102 "with 32 security fixes for browser on Windows, Mac and Linux," reports ZDNet: Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There's one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also creates other fixes for issues found through internal testing...

The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB', an interface for applications to store data in a user's browser.... "My guess is that an attacker could construct a specially crafted website and take over the visitor's browser by manipulating the IndexedDB," says Pieter Arntz, a malware intelligence researcher at Malwarebytes. None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for it.

Google's Project Zero (GPZ) team last year counted 58 zero-day exploits for popular software in 2021. Twenty-five of these were in browsers, of which 14 affected Chrome. Google engineers argue zero-day counts are rising because vendors are improving detection, fixes and disclosure. However, GPZ researchers argue the industry as a whole is not making zero days hard enough for attackers, who often rely on tweaking existing flaws rather than being forced to conjure up entirely new exploitation methods.

Linux/Mac/Windows users of Chrome can check Help/About to see if the update has already rolled out to their system — or if they need to update manually.

Virtualization

Microsoft Dev Box Will Virtualize Your Windows Development PC In a Browser Window (arstechnica.com) 40

Microsoft Dev Box is intended to simplify the process of getting new developer workstations up and running quickly, with all necessary tools and dependencies installed and working out-of-the-box (so to speak), along with access to up-to-date source code and fresh copies of any nightly builds. Ars Technica reports: Dev Box is built on Windows 365, a service that IT admins can use to provide preconfigured virtual PCs to users. Admins can build operating system images and offer hardware configurations with different amounts of CPU power, storage, and RAM based on what particular users (or workloads) need. Windows 365 virtual machines, including but not limited to Dev Box VMs, can be accessed from other Windows PCs, or devices running macOS, iOS, Android, Linux, or ChromeOS.

"Microsoft Dev Box supports any developer IDE, SDK, or internal tool that runs on Windows," writes Microsoft product manager Anthony Cangialosi [in a blog post introducing the service]. "Dev Boxes can target any development workload you can build from a Windows desktop and are particularly well-suited for desktop, mobile, IoT, and gaming. You can even build cross-platform apps using Windows Subsystem for Linux." Dev Box is currently available in a private preview. If you're interested in testing it when the preview goes public, you can sign up to learn more here.
